
BCOS Monero Village - Inside Monero

Formal metadata

Title
BCOS Monero Village - Inside Monero
Series title
Number of parts
322
Author
License
CC Attribution 3.0 Unported:
You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
Identifiers
Publisher
Publication year
Language

Content metadata

Subject area
Genre
Transcript: English (automatically generated)
For those of you who don't know me, my name is Howard Chu. I'm a founder and CTO of this company, Symas Corporation. We're kind of based in the U.S. We were founded in Los Angeles, but now everybody is scattered to different parts of the world. Like, I took off to Ireland and people are in France, wherever. I personally have been writing open source software since the 1980s. I actually did write a lot of the code that runs the Internet. Diego wasn't kidding about that. I've also worked on a lot of the developer tools that most programmers still use today. Almost all of the GNU compiler tools, GNU make, the linker, the debugger. I've had a personal policy that I do not use software that I haven't touched myself. All right. So everything, like this Android distro that I'm running on this phone, is one that I built. Everything on my laptop, you know, the Linux systems, you know, I contribute drivers to the kernel and basically, yeah, I won't touch anything that's closed source. You know, if I can't get my hands inside it, I won't use it. I did a few years working for NASA at the Jet Propulsion Laboratory in Pasadena. I worked on the space shuttle for three years. That was good fun. So I actually do have software that's been in orbit and never crashed. Okay. More recently, I've been working on database technology. This database engine I developed in 2011 has turned out to be the world's fastest, smallest and most reliable transactional database. That's kind of interesting because Monero uses it now, so that's kind of cool. I've been working on the OpenLDAP project for almost 20 years and, you know, we turned that from a small research piece of code into production quality code that today is the world's fastest distributed database. So lots of other stuff. And I've actually been working in security software for quite a long time. A lot of the, again, a lot of the foundational defensive software that you see on Unix systems came out of work that I did back at JPL. I've also spent some time reverse engineering, hacking on proprietary protocols like the stuff that Adobe used. And these things are still out there on the web. You can still find RTMPDump on GitHub and the FFmpeg project.

Okay. So topic for this talk, what is Monero? I mean, you got kind of a flavor of that with Diego's introduction, but I'll get a little bit more comprehensive about that. Now this talk is not going to be, you know, diving deep into the math or the real details of technology. The Monero Research Lab guys will cover that more through this weekend, but you'll get a nice overview, right? So first of all, what is Monero? We talked about this. It's a totally private cryptocurrency, but it's still built on a public blockchain, all right? It's still built on a blockchain that anybody can participate in. The thing about it that's special though is all the transactions that show up in the blockchain are still opaque. That means you can see the details of what's going on inside each transaction, but you can see that the transaction happened. Okay. And where does this name, Monero, come from? Well, it's actually just a simple word for money. It comes from the Esperanto language. How many of you guys are familiar with Esperanto? Okay. It's a hacker crowd. That's obviously an easy question. Okay. This project started in 2014, so it's only just barely four years old now. Here's a snapshot from CoinMarketCap. It's kind of hard to read, but the basic message here is that about a year ago, Monero was worth $22 per coin. I updated this last night. It's about $98, somewhere around 100 bucks. Back in January, it reached a peak of $400-some, so it's had its ups and downs.

Okay. So, first of all, a really basic definition. What is a cryptocurrency? And the one I posted up here is literally just copied out of Wikipedia. Most of the cryptocurrencies that exist today, and there's at least a thousand of them now, most of them are forks of the Bitcoin code, and the Bitcoin codebase was released in 2009. The main feature that makes some cryptocurrencies, that makes them cryptographic, is that the cryptography is just used to create what's called artificial scarcity. All right. Because normally when you've got digital technologies, you can copy them at will, right? You've got a file, you can create as many copies of it as you want. And obviously in a currency, you need things to be rare or actually unique. You know, if I have a $10 coin, I shouldn't be able to make infinite copies of that $10 coin and keep spending them. If you did that, you wouldn't have a working currency. So the trick with cryptocurrencies is the cryptography is used to ensure scarcity. Every transaction that occurs in one of these cryptocurrencies is recorded on what's called a blockchain, and basically a blockchain is just a public distributed record, right? A distributed ledger. So blockchains, they're basically a distributed database, okay? It's a distributed database with what we call group commit, which means you batch a whole bunch of transactions into a single group and you commit them into the database all at once, right? This terminology helps me because I come here from a distributed database background. I don't know if it helps you so much, but that's where we are. So transactions are grouped into blocks and they get committed at one time, and typically there's a very high commit latency, all right? That means blocks don't happen very frequently, okay? For example, in Bitcoin, a block is committed on average about once every ten minutes, okay? And in normal databases, like SQL, whatever, you would expect commits to happen within a few milliseconds. So this is a really stark defining difference between blockchain and regular databases, right? In Monero, the block time is two minutes, so it's a little more frequent, but still it's much slower than you're used to in the database world. And the other thing about blockchain that makes it a chain is that every block carries a signature of the preceding block, a hash, a cryptographic hash. And as each block chains back with the hash of its previous one, you can start from the tail and work towards the head and know that every block is valid because every block has the correct hash. If you run across a block that doesn't have the correct hash of its preceding one, then you know that something is broken on your blockchain, somebody's been tampering, or that sort of thing.

Now, again, in these cryptocurrencies, the blocks and the transactions are broadcast, basically. They're transmitted across peer-to-peer networks. So everybody who wants to use the currency generally has to participate in this network. So every node in the network actually validates every single block. They validate the signatures for each one. This kind of processing is extremely redundant. That means you've got a network of a million nodes and a million nodes are doing the exact same calculation each time. It's highly redundant, but that's intentional, because when everybody is doing the same calculation, they should all get the same answer. If any one of them gets a different answer, you know that something is broken somewhere in your blocks. Compiling them together is called mining. And mining is, again, it's extremely compute intensive, based on proof-of-work. I'm not talking about proof of stake. That's a completely different system. So we're just talking about how Bitcoin, Monero, and several other similar coins operate. The cost of mining is actually an essential part of the security of the system. Because it costs significant resources to perform mining, that means it's very expensive to attack the network and try to forge data. Again, mining is a bit of a competition. It's a race. So the miner that generates the next block first gets a reward for doing so. Now race conditions do occur frequently where multiple miners could produce different blocks at about the same time. So in the database world we call this eventual consistency. The chain doesn't always agree with itself all the time, but eventually it'll converge to a single longest chain.

So I reference Bitcoin a lot because it was the first digital currency that's really been successful to any extent. And their aim was to be trustless and permissionless and a decentralized system. Now you have to understand the context of the world when Bitcoin was created. You know, this was in 2008-2009, just after the last global recession. And the creation of Bitcoin was a direct reaction to the mismanagement of the world's funds by the global banks, central banks, all right. So you get people who see, gee, the global banks just screwed us all. How can we create a money system that doesn't have that as a factor, as an element in how the system works? So this is what led to the creation of Bitcoin. And they realized that a successful money system may have some very essential properties, right. It must be trustless. The system should operate without any trusted third party. The banks were the trusted third parties and they broke their trust. You know, they screwed a lot of people. There was a lot of corruption going on, a lot of false accounting going on. And so when you place your value in a trusted third party, that third party isn't worthy of your trust. You're totally screwed, right. So you want a system that doesn't require a trusted third party. They wanted the system to be permissionless so that anybody can use it and nobody can deny you use of that, right. Again, if you look at the modern banking system, you know, a simple example here in the US, marijuana is legal in many states in the country now, right. But a lot of businesses can't actually deal in marijuana and have bank accounts because the banking regulations say they're not allowed to do this. So again, when you've got this centralized trusted third party that decides who can and can't use the money system, you know, it leads to unfair discrimination and exclusion. So again, you know, if you're going to build a new system, you want it to have properties that allow everybody to use it equally and fairly, right. And then this leads to the last point of decentralization. The only way you can guarantee that nobody is going to lock people out is if there's no central point of control. If there's no central decision-maker who can say, oh, I like this guy using my coin but I don't want this guy using the coin. You have to have the power diffused enough that no single entity can make arbitrary decisions like that. Okay, so what's that? That's what this slide says right here.

So, you know, Bitcoin has all these great ideals but in fact it fails in multiple ways, all right. It is not actually permissionless, okay. We already have documented examples of users and accounts being banned or, you know, shut off from access, coins being blacklisted based on their usage history, all right. So it is a fact that people can control who gets access to the Bitcoin network. It is not decentralized, okay. If you look at the distribution of mining power on the Bitcoin network, you know, it's like 80% of that is based in a couple small cities in China and the rest of the world doesn't even amount to 15%. There's a strong centralization happening here. It also, it doesn't actually behave like cash, all right. It doesn't behave like money. When you spend a coin, when you send a coin to a vendor, you know, you're giving the vendor your complete financial history and actually you're seeing the vendor's complete financial history at the same time. You see each other's wallet address and you suddenly know everything there is to know about their spending habits. So this, I mean, this, it's insane to even think of it as money, right. If you think like, okay, I've got a 50 cent coin in my pocket and I give it to this guy and he tosses it into a coin jar, all right. Nobody can look at that coin jar and say, oh yeah, Howard put 50 cents in there. There's no way to know that, all right. And if you're looking, you know, if the guy with the coin jar is there, he can't tell, oh yeah, Howard still has $2 in his pocket. You know, there's no way to know that in a regular exchange of real money. But in Bitcoin, these things are all revealed, and revealing these things is detrimental, you know, if you're running a business, if you're trying to buy a surprise gift for something. All of these things are totally legitimate use cases for regular money, but it can't be achieved on a public blockchain like Bitcoin. So it fails as a currency. It also fails just as a technology, okay. The Bitcoin network today is claimed to support seven transactions per second, okay. If you look at the statistics, it never actually gets faster than three and a half transactions per second, okay. And, you know, put that in perspective, a credit card processing network will handle thousands of transactions per second. So you're talking about this global currency and proclaiming it can be used for everything, but it can't even manage, you know, a hundredth of what a typical existing currency network already does. The other problems, I mean, technology-wise, you know, the code in Bitcoin is loaded with hard-coded constants that constrain how it behaves, and these constants tend to be a source of great controversy in the Bitcoin developer community. You know, this one megabyte block size limit has been there and has been a source of great controversy for at least three years. The other thing, you know, the Bitcoin coin distribution, it's set to have a fixed coin supply, and so eventually the last coin will be issued in mining, and nobody actually knows if the mining network will continue to operate after that event, right, because they're trusting that miners will still want to mine based on transaction fees in each block, but there's actually no incentive for them when the main block reward goes to zero.

So Monero, in a lot of ways you can think of Monero as Bitcoin 2.0, all right. It's a system that people designed four years after Bitcoin existed, so they've observed a lot of the problems that exist in the Bitcoin technology, and they've come up with solutions to most of these, all right, maybe not all of them. But all right, it is actually permissionless, all right. Coins are fungible, so they can't be banned, they can't be censored. Coins don't have any history, so you can't choose to ban them. It is actually fairly decentralized. In comparison to Bitcoin, it's much more decentralized, and the proof-of-work algorithm makes centralization more difficult, okay. Now in the past six months we've had some examples that would challenge this assertion, but I'll get into that later. It actually does behave like cash, all right. When you spend a Monero, that doesn't reveal anything about what's left in your wallet, and it doesn't reveal anything to the buyer or the seller about each other's holdings, so it actually does behave like money. The technology is dynamically scalable, all right. There aren't really any hard-coded constants in the code base that limit its performance. It has a perpetual tail emission. Diego mentioned this earlier this morning, so at the beginning, all right, you've got a large amount of coins being emitted, and then the number of coins tails off to a small value, but it never drops below 0.3 coins per minute, 0.6 per block. The code base is based on something called CryptoNote, which is a completely separate, independent code base from Bitcoin, so it doesn't inherit any of Bitcoin's bugs, but it also, I mean, there's a downside, which is we don't inherit any of Bitcoin's adoption. So just to give you some insight into how the number of coins will progress over time, the blue line here is the Bitcoin coin emission curve, and you can see it will max out eventually at 22 million or whatever the value is, and right around the year 2040, the Monero curve will cross the Bitcoin curve, and it will continue growing from that point.

Okay, so how does all of this actually work, right? How does Monero ensure that it remains permissionless? And to be permissionless requires you to be uncensorable, and to be uncensorable requires fungibility. Diego talked a little bit about that this morning. This is probably one of the most important characteristics that makes money what it is and makes it usable, right? So again, one coin equals any other coin, one mark equals one mark. Every coin is indistinguishable from every other coin, and to get that, you have to have privacy and anonymity for all of your transactions, right? Once you've established that any coin is completely private, that means it has no individual history that can be traced, right? And once you have no history, then there's nothing for, you know, a controlling entity to try and ban, right? Again, compared to Bitcoin and pretty much every other coin that's based on Bitcoin, you know, the sender address and the receiver address are both public. They're both recorded forever in the blockchain, right? The transaction amount is public, and any particular coin can be traced all the way back to its date of creation, so you can see everybody who's held it from any point in time. So you cannot have fungibility without total privacy and anonymity for every transaction. Now there are some cryptocurrencies out there that provide optional privacy, okay? Or they only obscure one or two elements of a transaction, but because the use of privacy is optional, the majority of transactions are still transparent, and the ones that aren't transparent actually stick out, right? They become noteworthy, and once they become noteworthy and distinguishable, they're traceable. The other problem is, in practice, when privacy is optional, the majority of people won't actually use it, right? They won't even know, they may not even be aware that they need to choose to use it.

Okay, so there are, you know, there are a bunch of different elements of a transaction that will show up on a blockchain, you know? How are we protecting each of these elements? First of all, your wallet address, you know, the long string of digits that identifies your wallet, never actually appears in the blockchain, you know? The addresses that you talk about and give to each other when you say, hey, send me money to this address, those never appear in the blockchain. Instead, we use stealth addresses, right? And the stealth address is randomly generated, and it's a one-time use. So since it's randomly generated, it can't actually be associated back to any actual wallet address. So everything that's recorded in the blockchain stands on its own; it can't be linked back to any original wallet. So that protects recipients. Now, how do we protect the identity of the sender, right? We have something called a ring signature. So instead of a transaction containing just one coin that a sender is sending out, it actually contains multiple decoys, right? And currently, the Monero ring size is set at seven, which means there's one real coin and six decoys. There's another trick to using ring signatures. The ones we use are called traceable, which means we can generate a key image that goes with each ring signature, and that key image is unique, that's uniquely associated with the coin that's being spent, so we can identify if a double spend attempt is being made. So if you're familiar with public key cryptography, you know there's always a key pair, right? There's a public key and a private key. If you encrypt a message with the public key, you can only decrypt it with a private key, and vice versa. If you encrypt a message with a private key, you can only decrypt it with a public key, right? So that's a standard single key signature. In a ring signature, you actually associate multiple private keys with a message, and anybody can observe this and verify that all of the participants in that ring signature had a valid key, but you cannot identify which one is the original sender.

A more recent improvement in Monero, this was deployed January 2017, it's called ring confidential transactions, and so prior to this, prior to January 2017, the transaction amounts were published, right? But with confidential transactions, the transaction amounts are also hidden. And the funny thing about CT is this technology was developed by a Bitcoin developer for use in Bitcoin, and they still haven't deployed it. I mean, this was developed three or four years ago, and actually, Monero was the first to deploy it. And the technology underlying confidential transactions is also based on ring signatures. So there's an ongoing theme there. So I'll give you the basics of how this works. I'm not going to go into great depth here because that's somebody else's talk. But the idea is, you store a transaction amount in what's called a Pedersen commitment, and you are committing to the actual value, right? So you don't actually show $10 or whatever. You generate a hash of the actual value, and it's a special kind of a hash. These hashes can actually be added to each other, and the result is still a valid sum. So the sum of two hashes is equal to the hash of the final value. And that means you can independently verify that the inputs and the output are exactly what they claim to be, even though you don't know the numbers inside. Now, there's a problem, which is that if you can't see the values inside, it's possible for somebody to put negative numbers in or whatever, right? So we also require a range proof that asserts that the values are actually within a valid range. Values have to be within, you know, 2 to the 64 minus 1. And so this range proof is basically, it says, in our case, we break a value up into binary. We represent it as a string of binary digits, and we just construct a ring signature for each digit. It says, oh yeah, this digit could be 0 or 1. The next digit could be 0 or 2, could be 0 or 4, or 0 or 8, and we OR all of these together to create the final value. And as Diego mentioned, a range proof is quite large. It's something like 1200 bytes per proof. So this has a bit of a cost on our network. We're working to reduce that cost, and we'll introduce Bulletproofs later this year.

Another element of privacy that, you know, some people talk about is hiding the network address when you actually create a transaction, right? So we've been working with something called I2P, the invisible internet protocol. It's very similar to Tor, or it's comparable in its purpose, and it'll hide the actual internet addresses of all the participating network nodes. The project that's working on I2P is called Kovri, and they actually had their first alpha release just about a week ago. So that's moving right along, and anonimal is here this weekend, and he'll be talking more about Kovri as well.

Okay, so decentralization. This has been a pretty hot topic in the past couple of months. The proof-of-work algorithm that the miners execute is called CryptoNight, and it was designed to be memory-hard, which means it uses a lot of RAM, and it depends on the slowness of RAM to make it hard work. It actually uses multiple crypto algorithms, you know, it uses AES-256, it uses Keccak, BLAKE, and Groestl, and a bunch of other crypto hash algorithms. It is, I mean, it was resistant to ASIC implementation, primarily due to the cost of putting a lot of RAM on a chip. Okay, that's really the main protection it depended on. It's kind of difficult to implement on GPUs because it uses a large number of random accesses into memory, so it uses a large amount of memory, and it uses it in random order. GPUs are optimized to access memory in sequential order, so there were some considerations to how to make this memory hard, but I'll get more into that later. In comparison, the Bitcoin mining hash is based on SHA-256, which is a cryptographic hash that's been around for a few years, and it was designed intentionally to be very efficient and very easy to implement. All right, so the Bitcoin hash is actually quite trivial to put into hardware in silicon, and that's kind of what has led to Bitcoin's problems today, right? There are a couple of chip manufacturers in China that can make super optimized SHA-256 chips, and they keep them all for themselves. Now, CryptoNight, it was a good idea for 2013 when it was designed, all right, but there are actually CryptoNight ASICs in existence today. I'm wearing some actually. These are ASICs. I love them, but the thing you have to realize is memory hardness is not a good idea, because memory is a fast-moving target, all right? Every three years, memory capacity doubles, all right? Capacity doubles and the speeds increase, okay? So to base your entire defense on memory hardness, to me that was stupid, okay? And now I wasn't around in 2013, so I couldn't tell these guys then, but yes, today I'm going to say that memory hardness is a stupid feature for a proof-of-work problem, right? It's not adequate, and you know, I've proposed a new algorithm. It's called RandomJS. There's actually two projects out there now. One of them is called Programmable PoW. I helped design that as well. That's aimed more at GPUs and RandomJS is aimed more at CPUs, but I would say, you know, there's nothing exclusive in those designs. They could work on either. So the main idea here is you want a proof-of-work algorithm that actually exploits the features of a general-purpose CPU, all right? The... It was made to be easy to build in hardware. I mean, that was its purpose, was to be very fast and very efficient, and if you want proof-of-work, you want the work to actually be hard. It should actually take some time, it should take energy, and it should take difficult computations. So that's the idea behind the random program proof-of-work. And these are... I mean, the proof-of-concept has been out for a couple months, and a more final implementation exists today, and it's just undergoing testing now.

So as opposed to Bitcoin with its fixed block size and its three-and-a-half transactions per second, in Monero, the block size is dynamic. It's based on the median block size of the previous hundred blocks, and the limit... I mean, the only reason to limit the block size is because we're afraid of spam, all right? We're afraid of somebody who's going to generate hundreds or thousands of dummy transactions just to clog the network. So with a fixed or with a limited block size, the fee goes up as you start raising the block size. So somebody who's trying to generate thousands of spam transactions, it gets very expensive for them to keep that up. Also, the transaction fee is calculated based on the transaction size and the block size, so all of this feeds together and says, if you're generating a lot of this stuff, you're going to pay more. Now, the fee is also dynamic in that as legitimate usage increases, the fee will decrease. And again, that's based on a median of the previous hundred blocks.

There's another element of scalability, which is simply the size of the blockchain data, all right? And this is actually where my involvement in Monero begins, okay? The original Monero code kept all of its blockchain in memory, in RAM, and so if you're working with a PC that's only got a 32-bit processor, you can't use more than two or four gigs of RAM, and then you're done. So the Monero project, I kind of realized they're running into a brick wall. They needed to move the blockchain from RAM into a database. So just some stats: January 2015, the blockchain was five gigabytes in size. When they put it into the LMDB database, suddenly the RAM usage dropped to only 10 megabytes. And not only was using LMDB saving memory for them, it actually saved time, right? Even with their memory-only database, which you would expect a memory-only data structure should be super fast, right? It should be a zillion times faster than disk. But in reality, maybe because that code just wasn't all that great, it was much slower, all right? So even with only 585,000 blocks, it took 4.2 hours to sync that whole chain. Whereas with LMDB, at a million blocks, it took only 10 minutes, right? So using LMDB was a huge step in ensuring scalability for this blockchain. I just measured this a couple weeks ago. I've got a first-generation Raspberry Pi. It can sync the whole blockchain. It will take a couple of months, but it can be done.

Okay, so one of the things that bugs me a lot, all right, because I mean I come to software from an efficiency standpoint, okay, primarily. I mean I've also worked in security, and I understand the trade-offs there, but you have to understand that these two needs, these two demands, are completely opposed to each other, all right? To get network privacy and anonymity, you have to slow down network performance a whole lot, because you're sending traffic through multiple hops instead of just sending it by the most direct
path. To get unchained privacy and anonymity, you're sacrificing a lot of performance and efficiency, because your transactions are so much larger now to carry this extra data that obscures the original amounts and the original addresses, all right? There's a tension here that I don't see a
time, all right? If you look at these money supply emission curves, you see that they draw these things out to the year 2050, okay? The Bitcoin guys believed that Bitcoin would be the money of the future, and everybody would be using it, you know, 30 years later, and I don't think that's really a valid viewpoint. If you listen to some people, you know, they're saying we're gonna have colonies on Mars by 2030, okay? Now, if that's true, it could happen, you know, Elon Musk is going to Mars. If that happens, that means the currency of the future must work at interplanetary scale, and Bitcoin won't do it. Monero actually won't do it either, right? So what we have today is only the rough beginnings, all right? None of the technology that we use today is still going to be viable 10 or 20 years from now. It's going to be completely different, you know? We may still call it Monero, but it's not going to be based on the same code as we're running today, all right?

All right, so the final takeaways, right? Monero is the world's first cryptocurrency that actually behaves like currency. It actually behaves like money. You know, it's fungible, it's private, it's anonymous. When you spend it, you don't give away any extra information about yourself. The design of Monero didn't come out of nowhere, all right? It did benefit from observing Bitcoin, studying Bitcoin, and seeing all of its flaws, and saying, hey look, we know how to fix these. And it does work today, but, you know, it's only one step. There's a long evolution ahead of us.

Yeah, yes. The blacklist exists because of those other funky forks, all right? Basically, you know, it's not the same as the Bitcoin blacklist we talked about. Basically, we're saying here are a couple of outputs that have been used on another chain, a fork of the Monero chain, and for you to use them could be, or for you to use them as decoys in a valid transaction, would be dangerous. Yeah.
The Bitcoin blockchain is stored in Google's LevelDB, and that sucks? Okay, as an actual answer, all right: in LMDB, right, the design is it's fully transactional, which means every write is actually atomic, okay? LevelDB is not a transactional database. You know, they say that they support atomic writes, but that's not actually true, okay? So I actually have very little respect for LevelDB for a number of reasons, but mostly because they lie, they misrepresent its capabilities, okay? Here's the thing, like, LMDB stores all this data in a single file, okay? Within a single file, it is possible for you to do a sequence of operations that shows up in one atomic instant. LevelDB stores its data in multiple files, okay? It is actually impossible for you to update multiple files and have that become visible in one atomic instant. There are always multiple intervals of time where you can see intermediate states, okay? And it's those intermediate states that trip you up. If the machine crashes while it's in the middle of updating a sequence of files, the database gets corrupted because there's no atomic update.

Yeah, yeah. Earlier you mentioned... there's no speaker... earlier you mentioned Bitcoin had trouble changing, you know, something as simple as a hard-coded value. How do you see Monero, you're talking about even changing proof of work in Monero, which seems like a much grander change, how do you see governance playing into that, and do you see an eventual Bitcoinification of the governance where, you know, you kind of move into a comfortable state, it's worth too much money, you can't make these changes without having big problems or worrisome problems? That's a good question, and I'm not sure I know the answer to that. I would say eventually it probably will get to that point, okay? But we're not there yet. Right now, everybody understands this is an experiment, everybody understands we upgrade every six months, okay? So that's just, you sign up for that kind of churn when you participate, you know, every six months this is going to change. Eventually we may slow that down and say, okay, every one year this is going to change, and then it may slow down even further after that, but we're not there yet.

Yeah. Why are they so slow? There's a lot of factors that feed into that, okay? Database performance is an element, all right? They're using a slow database. Bitcoin transactions are slow for network propagation reasons, all right? You know, they're trying to throttle the transaction rate so that the single transaction has time to propagate to the entire network, all right? It's a large network, that's going to be slow. There's a lot of factors.
Okay, would Monero have the same issues with slow transaction speed? Maybe, all right? You know, my personal belief is that we cannot have a single global cryptocurrency, all right? The example with colonies on Mars should prove that to you. We actually need some kind of sharding or fractional networks, right? That's really the only way to keep performance up and cover large scale.

Yeah. Well, you know, we have work underway to support pruning for the blockchain, so that'll, you know, reduce the size in the future. Does that answer your question, or was it a different question?
Yeah. The Monero network itself is not working on storing arbitrary data, all right? We want to store financial transactions and nothing else, but there are other, you know, sidechains that could do that in the future.

Yeah. Does blackballing constitute an attack on fungibility?
But creating the transactions that needed to be blackballed? Yeah. Forking is certainly a threat. You know, I mean, otherwise we wouldn't have had to go to the step of blackballing, you know, and we had to warn people, look, if you're using, you know, XMC or XMO or XMV, whatever the heck they all were, if you're using these things with your existing Monero wallet, with your existing coins, you know, you're going to be putting all of the networks at risk. And the other, yeah.

Yeah. What can we do to help adoption of Kovri? Yeah. Start writing code, start integrating it into the apps that you care about. You know, all of this is volunteer work, so whenever somebody says, I want this to happen, they just do it, or it won't happen. Yeah.
Since every ring signature has a key image, you can actually detect that.

Yeah. Yeah, okay. So at one point in time, for a glorious eight months, I had a company called Monero Direct that allowed you to purchase Monero using dollars, euros, pounds, whatever. All right. We've shuttered that company for the moment because our payment processor got acquired by another company, and that other company had weird policies towards cryptocurrency, so we couldn't continue with them. Now, in the meantime, you know, I personally still use Kraken.com. All right. And, I mean, I use them because I can buy directly with euros.
One more. One more. What am I working on next? At the moment, I'm actually trying to get LMDB 1.0 out the door, and one of the interesting features that we've added in 1.0 is database-level encryption, and part of the reason that feature exists is so that we can start moving the Monero wallet into LMDB and keep all the data encrypted.