Anna (00:06): Welcome to Zero Knowledge podcast, where we explore the latest in blockchain technology and the decentralized web. The show is hosted by me, Anna.

Fredrik (00:18): And me, Fredrik.

Fredrik (00:28): In this episode, we sit down with Benedikt Bünz to deep dive into Bulletproofs and Verifiable Delay Functions.

Fredrik (00:44): Hello and welcome to Benedikt Bünz to this episode on Bulletproofs. I'm super excited about this topic. I know you work on not only Bulletproofs but a lot of other interesting things. I mean, we'll get on to some of that too, but maybe you can just start with a little bit of an intro of yourself and talk a little bit about what Bulletproofs are.

Benedikt Bünz (01:04): Yeah, cool. Thanks for having me here. My name is Benedikt Bünz and I just finished basically the second year of my PhD at Stanford, where I work with Dan Boneh on, you know, generally applied cryptography with a special focus on cryptocurrency. It's really the technical details of cryptocurrencies and the cryptography of the things that make it secure. So my focus is on that, and in recent times I've been, for example, working on Bulletproofs, which I guess we're going to cover today, and then also other stuff like verifiable delay functions, light clients and a whole variety of topics.

Anna (01:50): Cool. And this is actually the second time you're on this podcast. We had a very short interview with you on the Zcon0 episode. I'm really excited to get a chance to continue our series on actual zero knowledge proofs, since your technology, Bulletproofs, very much fits into that category. Do you want to maybe just start off by helping us understand what Bulletproofs are?

Benedikt Bünz (02:13): Yeah, so Bulletproofs are a zero knowledge proof. So zero knowledge proof is the general technology.
And then there are many different flavors of it. One flavor is a SNARK, another one is a STARK, and yet another one is a Bulletproof. And maybe as a recap, what is a zero knowledge proof? In a zero knowledge proof, I can prove to you that something is true without telling you why it's true. So I can prove to you, for example, that I know where Waldo is without giving you any information about where Waldo is, and you will be convinced that this picture has Waldo on it, that there's a Waldo here. And you're also convinced that I know where Waldo is, but you have no idea where it is, unless you figure it out yourself.

Benedikt Bünz (03:06): And one way that this is used, this is used in Bitcoin, is that I can have a transaction, or in cryptocurrencies that have a cryptographic transaction where a lot of the details are hidden, but I can still prove to you that the transaction is valid without giving you any information about why it's valid. And Bulletproofs are one particular zero knowledge proof that has different trade-offs to other zero knowledge proofs. So the proofs are very short. They're not quite as efficient as SNARKs, but SNARKs have this downside that when you use SNARKs, there's this trusted setup, which creates toxic waste. And the problem is, if this is not done correctly... basically, you need to trust someone to create a so-called proving key and a verification key.

Benedikt Bünz (04:05): And if they cheat, then they can create proofs about statements that aren't true. So they can, for example, prove to you that they know where Waldo is without actually knowing where Waldo is, or without there even being a Waldo. They can prove to you that a transaction is valid, but actually they just created money out of thin air. So that is obviously not a very good thing.
And you can try to circumvent that, but it's really, really difficult with SNARKs, and Bulletproofs do not have this trusted setup. So that is the big benefit of them. Yeah.

Anna (04:42): I want to dig into the trusted setup in more detail soon, but you just mentioned something, that zkSNARKs generate a toxic waste. What do you mean by that? What is...

Benedikt Bünz (04:51): Well, this is the trusted setup, and the terminology that Zcash uses is that the setup, this ceremony, generates toxic waste, in the sense that if that toxic waste isn't discarded, if the person who does the trusted setup doesn't delete that, then this toxic waste can be used to create false proofs.

Anna (05:23): The toxic waste, like software and hardware, and...

Benedikt Bünz (05:25): It's a secret key.

Benedikt Bünz (05:27): A special secret key, like a 32 byte key. And if you have that, then you can prove whatever you want. And the way that it's usually done to prevent that... you could trust, I don't know, the Dalai Lama to do this, and everybody trusts that he's a computer expert and will do this properly. But the other way to do this is to say, we'll get a bunch of people together and they have to do the trusted setup together, in such a way that as long as one of them is honest, so as long as they don't all cheat or collude together, then the toxic waste is properly discarded. But this is extremely complicated and takes a lot of time and is basically costly. But doable.
So Zcash did this, and Zcash works, but there are downsides to it, and Bulletproofs do not have this downside.

Anna (06:34): They don't have trusted setups. They don't produce this toxic waste. They are faster.

Benedikt Bünz (06:39): No. So that's a very, you know, like...

Anna (06:42): So maybe we can touch on that later on, right.

Benedikt Bünz (06:45): It's like a 10-dimensional question, right. In some ways they're clearly slower, and in other ways they're faster.

Anna (06:56): We have the whole episode to go into the nuances of this, but maybe we start with a little bit of a history of where the Bulletproof idea came from.

Benedikt Bünz (07:08): So the Bitcoin Core developers Pieter Wuille, Andrew Poelstra and Greg Maxwell approached us with this problem. They had invented, or Greg Maxwell had invented, this thing called a confidential transaction. So what is a confidential transaction? A confidential transaction looks like a Bitcoin transaction, with the one difference that the amounts that are being transferred are encrypted. So no one is able to see how much is being transferred. The problem now is obviously, how do miners check that the transaction is valid? And if you've listened to maybe a couple of the previous episodes, you should know that the solution for this is a zero knowledge proof, right? I prove to you that the transaction is valid. I prove to you that the sum of the inputs to the transaction is equal to the sum of the outputs.

Benedikt Bünz (08:00): So there's no new money created. And I do this without giving you any additional information. The problem is that the zero knowledge proofs that they used, this is a special case, and it's called a range proof.
They were pretty large; it would mean that every transaction is like eight kilobytes, which really... limits scalability, which is another big issue in cryptocurrencies. So it really would have made transactions a lot more costly, and the fees would be higher. And the question that they came to us with is, is there a zero knowledge proof, and especially one without a trusted setup, where the proofs are shorter? Can you come up with a problem? So they approached my advisor, Dan Boneh, and me, and gave us this problem.

Benedikt Bünz (08:55): And I was a new PhD student looking for interesting problems in that space. Then we started working on this, and we found this amazing prior work by people from University College London, Jens Groth's group, which had gotten us a lot of the way there. And then we improved on that work and used techniques from that work to develop Bulletproofs, which happened to work extremely well for confidential transactions. But it then turned out that this doesn't just work for confidential transactions; you could use it for anything. Anything where you can use a SNARK, you can use a Bulletproof instead. That doesn't mean that you should use a Bulletproof instead, because SNARKs are in some ways way more efficient. But at least you can. And so that's how this started.

Anna (10:02): What? So what year was that? This is two years ago?

Benedikt Bünz (10:04): No, no, this was like a year ago. Well, you work on it for a year, and then a year ago we published it.
So I think we put out the paper in November 2017, which is quite cool and amazing about the space, how quickly things get deployed in practice. This is not usually the case for academic work, that things get rolled out that quickly and get that much attention that quickly. And I think this speaks to the cryptocurrency space really being interested in and open to new academic ideas, which I think is amazing.

Fredrik (10:44): Yeah. And an eagerness to explore new stuff and try to innovate.

Benedikt Bünz (10:50): Yeah, right.

Fredrik (10:51): Privacy is a big issue, or has been a big issue, for blockchain. So I think everyone is keen on trying to use whatever they can to just make it better.

Anna (11:02): We spoke yesterday briefly about the naming and how that was very well thought out. Bulletproofs has this awesome sound to it. I know this is going to sound sort of funny, but I wonder, how did you come up with that name?

Benedikt Bünz (11:19): Yeah. I'm sure that branding is important, and I think it actually is really important. So we had written the paper, I had the idea, and then I was talking to a friend of mine, Shashank Agrawal, who is also a crypto researcher that I work with. And I was saying, hey, we have this new zero knowledge proof, do you have any ideas, spitballing ideas for names? He said, yeah, why don't you name it Bulletproofs, because it's a short proof, and it's fast, I guess. But it's also secure, right?
It doesn't have the toxic waste, the hole there. So that was the name, which in some ways is a little bit gimmicky, but in other ways it eases up the conversation about it.

Benedikt Bünz (12:23): Right. Otherwise, often papers get referred to by the initials of the authors plus the year, which makes it GKR87 or whatever. And if you're really into the community, you might know what that is. I think GKR is later, but for the general public, nice names like SNARKs or STARKs or Bulletproofs definitely help.

Fredrik (12:55): So digging a little bit more into how Bulletproofs actually work and what the details are. I'm just curious. If we set it in this landscape, we've talked a little bit, in the intro episode, about how there are interactive zero knowledge proofs and then non-interactive zero knowledge proofs. zkSNARKs are non-interactive, and so are most other popular ones. Bulletproofs are non-interactive.

Benedikt Bünz (13:19): Yeah, it's actually interesting. That's not 1000% true, technically, because it's an interactive proof that you can turn into a non-interactive one. And that's actually true for a lot of the protocols. There's a generic way of turning these interactive protocols into non-interactive protocols. But it seems like non-interactive proofs, especially in the blockchain setting, have a lot more advantages, because the idea is that an interactive proof requires a specific person. It's me trying to convince someone else, and they get to ask questions and then I answer them. But in the blockchain setting, right,
everybody wants to check the proof. It's not just one person that wants to check it. So you really need something that you can just write down, a proof that you can write down, and then everybody can read the proof and check it. And that's what a non-interactive proof is.

Fredrik (14:21): So zero knowledge proofs, or proving functions, are built on circuits. It's usually something like... implementers of this talk about this circuitry, and these circuits are slow or they're hard to construct or whatever. What is it in a Bulletproof that separates it from a SNARK? Is it some aspect of this circuit structure, or is it something else?

Benedikt Bünz (14:45): Yeah. So the circuit is usually the way that you express what you're trying to prove.

Benedikt Bünz (14:54): So say I want to prove that this transaction is valid. This is a very generic statement, so you need to make it more specific. And basically the circuit is almost like the programming language, or more like the assembly. So you write down that statement in terms of multiplications and additions; you really break it down to the core. And then you can take that circuit and create a proof. Basically, what you do is you write down the circuit, and the zero knowledge proof is: I know secret inputs to the circuit such that at the end of the circuit, if you speak in electronics, the light turns on, or in math, the output of the circuit is one.

Benedikt Bünz (15:46): It's a bunch of multiplication gates and addition gates, and then at the end what comes out is one. And what I prove to you is that I know values through the circuit such that the output is one. I'm not going to tell you what these values are, but I know them.
And so this circuit architecture works for... you can take the circuit and then produce a SNARK that you know the inputs for the circuit, or you can produce a Bulletproof. So what is different? The differences are in the properties: how long is the proof, how long does it take to check it, how complicated is it, or how long does it take to create it? That is really where the differences are. And for example, SNARKs are usually shorter and easier to check than Bulletproofs, but Bulletproofs are still very short. That's the main property that we're aiming for, especially compared to the solutions that were used before that didn't have a trusted setup; they're way, way shorter.

Benedikt Bünz (16:52): So this is the key property that we were aiming for. And why do we care about short proofs? Well, a blockchain is decentralized, so everybody is supposed to have the blockchain and read it. And if the blockchain gets bigger and bigger, then everybody needs to download it and send it to each other, and that really creates bottlenecks. And that's why we care about making everything that is on the blockchain, so for example the transactions and the proofs, as short as possible.

Fredrik (17:26): So short here means few bytes.

Benedikt Bünz (17:30): Few bytes, yeah. It literally means Bulletproofs are basically one to two kilobytes, that's the order of magnitude, and SNARKs are like 200 bytes.

Fredrik (17:44): So conceptually, it's sort of like you avoid this trusted setup by including more information in the proof. Could you say that?
Benedikt Bünz (17:51): No. I mean, it's not impossible that we could have a proof that is as short as a SNARK without a trusted setup; we just don't know yet how to do it. Of course, basically a trusted setup gives the designer of the proof more freedom. This is a thing that you can do now, and the trusted setup can do some things, and once you remove that freedom, you make the task harder. So it seems natural that you have to make some trade-offs there. But there's no reason to say we can't get even better, right? So we'll see what happens.

Fredrik (18:38): So going back to placing this in the universe of zero knowledge proofs, how does this compare to... we've talked a little bit already about SNARKs, but there are STARKs and there are these other things. Where does it live, and how does it compare to these things?

Benedikt Bünz (18:55): I would say, compared to SNARKs, you should use a Bulletproof when you want to use a SNARK but you don't want to do the trusted setup, and it's okay if the proofs are a little bit bigger and take longer to check. And for example, compared to STARKs, the proofs are a lot shorter than STARKs. STARKs are another proof system that doesn't have a trusted setup. And there the comparison is a little bit more difficult, because STARKs are even larger, significantly larger, on the order of a hundred or 200 kilobytes.
And this becomes something where you wouldn't want to do one STARK per transaction. If every transaction is 200 kilobytes, then this really becomes a problem. But STARKs and SNARKs have this amazing property that I can prove to you some really, really complicated statements.

Benedikt Bünz (19:57): So for example, I can prove to you that I've checked the whole blockchain, or I've checked all of the transactions on the blockchain and all of them were valid. And now checking the proof is faster than if you even had all the transactions and checked them individually. So I can go through all of the transactions one by one and check that they're correct, check the signature, check that the inputs and outputs are correct. And the amazing property that both SNARKs and STARKs have, and Bulletproofs do not have, is that you can create a proof that is shorter than all of these transactions. That's also true for Bulletproofs, but what's even more important is that checking the proof might take a millisecond, versus checking all of the transactions takes an hour.

Benedikt Bünz (20:49): So now you have this compression property where I can give you the blockchain, or I can give you just the head of the blockchain and then prove that everything before that, which you don't even need to look at, was done correctly. And this allows for amazing, cool new applications where you have clients that don't even see the whole blockchain, but they know that this one hash of the blockchain is the correct hash. So now you have basically the whole blockchain, and you checked it, and it's like a 32 byte hash.
And this is really where, for example, STARKs shine, and SNARKs can also do that, but again, you have the trusted setup.

Fredrik (21:45): Something we've touched on a little bit on this podcast before is stateless clients. And when you start talking about stateless clients, usually some sort of zero knowledge proof comes into the discussion because of exactly this property, that it's sort of a compression.

Benedikt Bünz (22:00): Exactly. That is exactly what I was talking about. And here comes another technicality: for these stateless clients, you don't even care about the zero knowledge. You care about the proof part, right? So I don't want to hide from you the rest of the blockchain. It's not that I don't want to give it to you; it just is more efficient to give you a proof that it was correct, right? All of these proofs have a zero knowledge variant and a non-zero-knowledge variant, and for a lot of these applications you don't even care about the zero knowledge part of it. You just care about the compression part of it. And so with Bulletproofs, you can shrink the size, but checking the proof will still be... if I give you a proof that I checked the whole blockchain, then checking that will take as long as checking the whole blockchain, or maybe even longer.

Benedikt Bünz (23:08): So for stateless clients, Bulletproofs are not a good application. They are not a good tool. But for something like a transaction, where I want to prove to you that a transaction is valid and I actually want to do the zero knowledge part, where I want to hide the details, that is where Bulletproofs are really valuable.

Fredrik (23:27): I think going back to SNARKs and STARKs.
The image I have of STARKs, I'm not actually sure where I've gotten this from, is that STARKs are more intended for general computation, like proving that this program was executed correctly. I mean, that's what all of them do, but STARKs allow for larger programs.

Benedikt Bünz (23:49): So yeah. It's really hard to... the differences are nuanced, and I wouldn't necessarily say that. The weird thing is that STARKs aren't the only thing that works for larger programs, or for doing larger general-purpose computation. The thing though is that STARKs are fairly large, right? So they only really make sense for larger programs. It's not that they only work for that, but this is where they shine and where they make sense. So you can do that with a SNARK too, but I feel like this is the reason why STARKs are presented in that way, because this is where they shine the most. Right.

Fredrik (24:39): That makes sense.

Benedikt Bünz (24:40): So this is their distinction.

Anna (24:43): You've mentioned SNARKs, STARKs, Bulletproofs. Is there anything else?

Benedikt Bünz (24:47): Yeah, that's a very good question. There are a lot of other things. So for example, there's Hyrax, there's Ligero. Hyrax, for example, is more in the middle of the trade-off space. So Hyrax has a good trade-off between the size of the proof and the verification time. And Ligero, for example, is really interesting because creating the proof is very short, right? For all the other ones, creating the proof is somewhat tedious.
And there again, compared to SNARKs, Bulletproofs have the advantage that it takes maybe roughly the same time, but it requires a lot less memory.

Benedikt Bünz (25:35): So you can do it on a smaller machine, which may be nice. Ligero, for example, is fast to compute. And this is a really hot space, so new stuff is coming out, and I know lots of people are working on it in the academic community, partially driven by cryptocurrencies, right? Zero knowledge proofs have been around since the eighties, I think. And this is really being driven by these new applications, because previously it was a cute theoretic concept, and now this can actually be used in public and secure billions of dollars, which, yeah, is motivating, right?

Fredrik (26:21): I was talking to Howard Wu, and he mentioned they'd worked with a big bank that had a zero knowledge proof structure to basically interact, on behalf of customers, with other entities. So if an insurance firm will only give you insurance if you have more than a million bucks in your bank account, then the bank can generate a zero knowledge proof that they have that without saying how much money they have.

Benedikt Bünz (26:50): Yeah, there are definitely a lot of other applications to zero knowledge proofs. For example, voting is a common one that is referred to. I want to prove to you that my vote was done correctly, but I don't want to tell you what I voted for. Right.
And so that's an application. But as you were talking about banks, we have this paper on how Bitcoin banks, so Bitcoin exchanges basically, can prove that they're solvent without giving up any information about how much each customer has, how much Bitcoin they have in total, which addresses they control. All of that remains private, but they can still prove that they have more money in their Bitcoin addresses than they owe to their customers.

Benedikt Bünz (27:44): And the cool thing, what I really liked about this paper, is that this is something that you might want for your normal bank, right? But there's no way, even conceptually, that they could do that, because there's not this public ledger, the blockchain, which you can prove the statement against. And the idea that Bitcoin and all these other cryptocurrencies have this cryptographic ledger really makes this possible. Yeah.

Fredrik (28:20): I have a little side question before we move on. Something that I know is a problem in this space, and that I was fascinated about when I first found out: we spoke a little bit about the circuits, and you said you could design your circuit and use any proving structure to run it. But there's no standardized format for how to write such a circuit. So you can't actually define that once and use different algorithms on it.

Benedikt Bünz (28:52): Yeah. So I mean, the statement that I made, it's true in theory, and in practice, you know, it's probably not.

Fredrik (28:59): Have you seen any work towards trying to standardize that...

Benedikt Bünz (29:03): Absolutely.

Fredrik (29:04): ...circuit language?
Benedikt Bünz (29:05): So just a couple months ago, there was a workshop in Boston and Cambridge where a lot of the people that work on zero knowledge proofs, a lot of the academics and people from industry, came together, and the goal was to standardize zero knowledge proofs. There was exactly that sort of work on that. And all of the big names were there; Shafi Goldwasser, who got the Turing Award, the Nobel Prize for computer science, partially for inventing zero knowledge proofs, was there. And we started working and we've put out some documents, working towards standardization a little bit. While I think in some ways it's a good idea, in other ways I think you should be cautious, because you don't want to stifle innovation.

Benedikt Bünz (29:58): Right. And you don't want to say, this is the one thing that we use and no one should use anything else. I think it's a little bit premature, because there are still papers coming out, it's still being developed, and we don't know what will come out in the future. So I think you have to strike a good balance. And I think a lot of work just has to go, and is going, into tooling. So application development, making it easy to use these tools, right? Abstracting away this language. I hope that in the future you shouldn't have to spend as much time writing these circuits; maybe you can write a zero knowledge proof system in Rust or whatever, and then it gets compiled down. There's some work on this, taking C, but it's just not efficient.
And it doesn't work as well as you would hope, but I think this is still coming, with a little bit more patience. But I think this is really important work, making it easier to use.

Anna (31:14): So we've been talking about general Bulletproofs and where it lives in comparison to other zero knowledge... actually, what do you call these, zero knowledge applications?

Benedikt Bünz (31:25): Proofs.

Anna (31:26): You just call it Bulletproof or zero knowledge proof.

Benedikt Bünz (31:29): Yeah. And then there's also, technically, it's a zero knowledge argument. There's proof and argument, and everything that you see... so SNARK means succinct non-interactive argument of knowledge, and Bulletproof is technically also an argument. But that's really only a technical detail, and it doesn't matter. All of these things are zero knowledge proofs. Well, more technically, there are zero knowledge proof systems, and then you can use them to create a zero knowledge proof.

Anna (32:10): So far we've been talking about zero knowledge proof systems, but at what point does this apply to blockchain? Because, as we've heard, there are always examples that are not blockchain. How is that interacting? How are you seeing these systems starting to interact more with blockchain?

Benedikt Bünz (32:27): Yeah. So you have these zero knowledge proof systems, and then you have applications that require zero knowledge proofs. And a lot of these applications are for blockchains, right? So, as I was saying, you can prove that a transaction is valid without giving up any information about why it is valid, and everybody is convinced. And all the miners need to check transactions, right?
They need to check that a transaction is valid. They need to check the signature. Um, and in some ways a signature... so cryptographic signature is a zero knowledge, is a special kind of zero knowledge proof where you prove that, you know, you basically prove that I know the private key to this Bitcoin or this cryptocurrency address. And, but I'm not going to tell you what the key is because otherwise, you know, you could sort of create signatures yourself. You know, I don't want to give that up. And, but, but here's sort of, you know, this is this proofs you, that I know this. And also, you know, uh, and through that I can authorize the transaction. Anna (33:45): And that's, what was that sort of the first thinking about applying zero knowledge proofs into blockchain. Is that... Benedikt Bünz (33:51): You know, that's sort of just a, you know, saying that even, even blockchains that don't use zero knowledge proofs, they basically use something very, uh, that comes from zero knowledge proofs. Like, yeah, it can do it, right. These, the signatures that are used are basically zero knowledge proofs. And, uh, the other thing is, you know, once you, so in, in, in Bitcoin, a transaction is, so most cryptocurrencies, a transaction, you can see, you know, everybody says like in the beginning, everybody says, you know, Bitcoin is private or whatever, you know, it's, it has a lot of privacy, but that's actually not really true because you can see which address spends to which address and how much it's being sent. And there's been a lot of work on, you know, showing that you might not know who this address belongs to, but there's been a lot of work showing on de-anonymizing them, like, you know, showing this, this address belongs to silk road or this drug market, or this address belongs to this company, you know, Coinbase or whatever.
Benedikt Bünz (34:52): And, um, so, and there's been a lot of academic work and also now there's companies and the FBI actually kind of likes Bitcoin for that reason, because it's able to trace the payments really well. And then, you know, say you receive in some maybe distant, maybe not so distant future, you receive your, your, uh, payment, your, your, your salary in your favorite cryptocurrency. And then that payment is, is public on the blockchain, right? So your salary is public on the blockchain, so everybody can see how much you making or say your company and you want to buy, I don't know. Um, you want to buy supplies, right? Uh, yeah. You, you say you're McDonald's and you went to buy ketchup from Heinz, right? Like they probably get way cheaper price than their competitors. And, and, and, um, uh, Burger King would like to know how much they're paying, right. Benedikt Bünz (35:44): This is important business secret, right. That, that, that neither McDonald's nor Heinz would like to give up. But if it's done on the blockchain, everybody can basically tell how much it is. So this makes it really almost unusable sort of, uh, for, for, um, people to use the blockchain. And then there's the whole sort of, you know, if you're say a you're a political dissident, right. Or you say, you're, you know, um, you're somehow, you know, you, you don't want the government, you know, your, your, your payments, like even if, then they can, you know, they can see who you're paying to. Right. And, and you say you sending money to, to Snowden, right. And in, in Russia then, uh, you know, the US government can see that, that, that, that may be a problem because they don't like that. And, uh, for all of these reasons, we would like to hide all of this information, right. Benedikt Bünz (36:34): We would like to hide, who's paying whom, and, and also, you know, sometimes you don't care about hiding, who's paying whom, and then you would still like to hide how much you're paying.
And I think sort of the best example for that is, as you know, there's in the US, there's the popular payment service Venmo, um, where you can pay people, which is really popular. And even there, there, you can choose whether you want to make your payment, who you're paying, whether you want to make that public, but sort of the default is like, Oh, you can't even change sort of, you, you can never sort of show how much you're paying because no one would want that. Right? Like you wouldn't want to, you know, let the public know how much, uh, you're paying your buddy for rent, right? This is just sort of, not, this seems very naturally, like we don't want this information out in the public, but in Bitcoin, and in, in, in most of the cryptocurrencies, it is. So zero knowledge proofs are sort of the workhorse here that can help us prevent this because you now want to prove, right, it's this, this is dichotomy that you want to have the transaction be private. Benedikt Bünz (37:39): So use, say encryption to hide some of this information, but you still want everybody to be able to check which transactions are valid and what is not. So here, this is where zero knowledge, proof systems come in. I can prove to you that the transaction is valid without telling you why. Fredrik (37:57): So Bulletproofs like you mentioned, it's sort of driven a little bit by the Bitcoin core developers and, uh, can be used to implement confidential transactions on Bitcoin. Benedikt Bünz (38:08): Yeah. And I think they were actually sort of, the main thing that they were thinking about is, is MimbleWimble, um, which is a new blockchain design, like a very sort of simple, in some ways, simple, but beautiful blockchain design, like, uh, sort of minimal, um, which also uses confidential transactions, uh, at the core of it. And, and, you know, lots of people have been, been working on that and there's been a lot of interest in that. 
And, uh, you know, they're, they were, MimbleWimble allows you to sort of shrink the size of the blockchain a lot, but then they were like, yeah, we can shrink all of that. But what we're left with is, is sort of these confidential transactions. And currently before Bulletproofs, they were, you know, eight or 10 kilobytes or whatever per transactions. And now with Bulletproofs, you can get that down to like, you know, less than a kilobyte. And, uh, it really depends on the parameters, right. Like, you know, it can shrink by like a factor of 10 or even more, um, and that made it a lot more feasible. Fredrik (39:09): Yeah. So that's what I was gonna ask is like, where do you see implementations of Bulletproofs and like, what, what do you see now and what do you expect to see in the future? Like which specific projects do you think will implement anything? Benedikt Bünz (39:25): Uh, right now, um, so Monero has implemented Bulletproofs, and they will sort of, uh, because they already use confidential transactions. Um, and for them, it was just a clear win, you know, it's, it's sort of faster, it's smaller than what they previously use. It will, um, lower the fees that Monero users will have to pay. Um, so they've, they're doing security audits right now. They've done security audits and, and, um, to make sure that the implementation is correct, right. There's always two things, you know, there's sort of the, the theory behind them being correct. But then you can implement it and you can screw that up, like massively. And that's where actually a lot of the problems in computer security come from, sort of bad implementations or faulty implementation. Um, so they've done, you know, a lot of work on making sure that that is, is correct. And, uh, then they will deploy it. I think they will try to deploy this year.
So sort of, you know, within a year of, of, of publishing the paper, uh, uh, you know, Bulletproofs will secure, I don't know how much Monero is worth, like a billion dollars. Fredrik (40:35): I don't know Anna (40:36): About what about something like Zcash. It already has. I mean, it's all, it's built very much around zkSNARKs. Is there a way for ZK..., Like, would it make sense for Zcash to also be using Bulletproof? Benedikt Bünz (40:48): Yeah, so that's a, that's a very good question. So we've, um, I guess, you know, we saw each other at Zcon0 and they're presented Bulletproofs because, uh, they're certainly interested in it. Right. And, and for Zcash is, it's not as clear cut as for Monero, for Monero, it's clearly better to use Bulletproof. Cause for Zcash there's a trade off. So basically using Bulletproofs would make verifying the transaction and checking their transactions, so it would make the work for the miners, uh, more difficult, but it would remove the trusted setup. So there's sort of the trade off and they are like, I think it just requires more exploration. I don't know what the answer is, you know, I think it depends on many, many different things and, but I think it's definitely worth exploring. And, you know, I've, I've, I've been in contact with them, uh, sort of, you know, exploring that idea. Anna (41:44): What about, you mentioned MimbleWimble. Are they also going to be using Bulletproofs or is it ... do they already have sort of enough confidentiality built into the protocol? Benedikt Bünz (41:54): So, um, MimbleWimble already uses, uh, a, zero knowledge proof as so-called like basically it's, it's a, it's called a Sigma protocol, um, or closely related to something called a Sigma protocol and, or the, the original design is, I mean, MimbleWimble doesn't exist yet sort of theirs. MimbleWimble was just a, uh, for a sort of historical reference. Uh, it's actually a great story.
Uh, there, it was this random guy that just dropped the link on one of these, these IRC channel. It's like, you know, uh, um, a Tor network link, so a hidden link. And, um, this guy was named, what was it called? It was like the French name for, Jedusor or something. It was like the French name, uh, for Tom Riddle from Harry Potter, um, which Anna (42:54): We know how old this person is for sure. Benedikt Bünz (42:56): Yeah, exactly. Yeah. You know, and, uh, the, the, the name has to be Elvis Jedusor because right. Like Tom Riddle is like a, um, you know, you can make, I am Voldemort out of sort of these things, I don't know. And, and just, we, uh, you know, this in the French version, the name had to be different. Either way. So, uh, this is where all of this came up and this guy just, you know, anonymous, we don't know who he is. Like just like Satoshi, he just dropped sort of this, this new design of a blockchain called MimbleWimble, which is also a spell from Harry Potter. It's like all very Harry Potter themed. And so, you know, he just dropped this design, which, which turned out to, to actually be a quite neat idea. Um, and then, you know, other people like Andrew Poelstra for example, have sort of kept driving that idea forward and formalizing it. And, um, yeah, so they use zero knowledge, uh, zero knowledge proof and, um, the sort of the best one for them available is, is also Bulletproof. So they will, well, they will use, I mean, I'm pretty sure that any sort of reasonable implementation of the protocol should use Bulletproofs, Anna (44:07): Do they do something like take Bulletproofs and run with it, will it change? Will they change it? Benedikt Bünz (44:12): No, I think they should basically just, you know, take, take it and run with it. You know, you sort of, there's a, I don't know, you know, what they will do for their implementation, whether they will implement it in code themselves or whether they will take one of the existing implementations.
I honestly don't know how that's going to work, but, um, you know, in general, when you, when you design sort of these systems, you just, you shouldn't, you know, it's better to not design it with like one specific, you should just design it, like to say, like here I need a zero knowledge proof. And then later, you know, you can pick the one that is best, right. It should be sort of, there's a, you, you shouldn't say, you know, Zcash, like zero cash, is based on an academic work. And they're, they also say like, you know, we use zero knowledge proof to, to, to create this. So they already had sort of this abstraction in mind. And then they say sort of the best one that we can use to make this practical is, is zkSNARKs right. But, you know, they already sort of acknowledged that you could use any zero knowledge proof to do this. Anna (45:21): And so this sort of speaks to something currently, like we've talked about a few different protocols, blockchains and how they're using these different zero knowledge proofs. So these different zero knowledge proof systems, but they're not necessarily tied to each other, like they're interchangeable. Benedikt Bünz (45:38): Yeah, exactly. Right. Like, you know, one is sort of the, this is like, like, you know, saying, you know, I think the Bitcoin Bitcoin is mostly written in C, and I think, you know, the main Ethereum client is, is like, one of them is written in Go and, you know, whatever, but like, you know, Bitcoin and C you have like, you know, that's not, you know, those are just completely orthogonal things and, and, um, Ethereum in Go or whatever, Rust or, you know, those are just, you know, one is a tool and the other one is, is sort of the application. And, uh, you know, I think, yeah, they're interchangeable, at least to some degree, right.
Like, you know, it might make the most sense to use one with another and that's clearly the case, but they're sort of still, you know, I think having this, this abstraction and keeping those things separate, I think is really important and not get those things sort of conflated with each other. Benedikt Bünz (46:31): And, um, yeah, you were also saying sort of, I want to say one thing you were saying earlier, you know, how, uh, which projects are currently using it and which projects might be using it. I really hope that, you know, in the future sort of everyone, like right now there's privacy coins, right? There's like Monero and Zcash that sort of the focus is on privacy. I really hope that sort of, you know, that they, that privacy will become the default that sort of everyone will have at least sort of some level of privacy, at least that confidential transactions, like that should be the norm rather than the, uh, the, the exception right. Because the problem right now, if you're using Monero, Zcash. Um, to some degree, like you might get asked, like, why are you using this? Are you using this to buy drugs? Benedikt Bünz (47:23): Right. You know, you sort of like you make yourself almost more suspicious by just using these coins, even if you're just using them for your everyday payments, which is sort of a bad state. But if, sort of this becomes the, if privacy is the default, um, which I think in general should be the norm, then, you know, it, it, everybody benefits from it. It becomes a public good, um, where we're sort of everybody has, has the benefits of, of, you know, not being, you know, suspicious and just saying like, Hey, I'm, you know, this is sort of what happened when WhatsApp became, uh, like, you know, and, and Signal, and sort of all of these messages became end-to-end encrypted. 
Now you don't have to be, previously, there were also end-to-end encrypted messengers, but suddenly as soon as you use that, you know, you probably got put on some CIA lists. I dunno, making things up here, but now it's becomes the default and everybody uses it and everybody expects it. And that's a great thing, you know? So, um, I, I hope we see that for sort of transactions also becoming private, private, um, in the future. But, you know, I think this will still take a couple of years. Fredrik (48:29): So at the beginning of this episode, I said, like we were talking about Bulletproofs and maybe some other things, you obviously work on a lot of other things than Bulletproofs, even though that's been the main topic here, could you give us just like the quick pitch on what other stuff you have to go? Benedikt Bünz (48:44): Yeah. So, so one thing that, that I focused on, we focused on sort of recently has been, uh, these things called verifiable delay functions. And this is something yeah, very, uh, technical, which has a lot of surprising applications. So what is a verifiable delay function? So in a nutshell, it's just a function that takes a long time to compute, no matter whether you're Amazon and have a bunch of like data centers or whether you have an ASIC or whether you're just on a single computer, the, the idea is that you cannot speed it up. And why can you not speed it up? Because you cannot use parallelism. It's a sort of sequential function. So you compute one step after another. And the way that, you know, ASICs speed things up by parallelizing things massively. So a verifiable delay function is a function that takes a long time to compute, but it's easy once you've done it, it's easy to check that you've computed it correctly. Benedikt Bünz (49:46): So, you know, sort of maybe inverting it is, is really, really fast. So why, like why would I, why would I care about this?
Well, it lets you sort of, you know, it has, has a lot of applications where, um, you know, for example, I can prove to you that I, this blockchain has existed for a long, long time. Right. And the way that I do that is I just take sort of, you know, Oh, this block has existed for, you know, 10 minutes. And the way that I do this is I take the blockchain and then I compute a verifiable delay function. And if I give you a verifiable delay function, that, you know, you sort of know how long it will take me to compute, you know, like it's, it's sort of almost like a clock, you know, it's not an exact clock, but it almost is like that. Benedikt Bünz (50:35): And if I, so sort of, if I give you verifiable delay function of it and, and, you know, you know, it took me 10 minutes to compute, then you know, that this block must've existed 10 minutes ago. So, uh, I can use this to, for example, you know, prevent in these proof of stake protocols, like there's one attack where, you know, create a sort of blockchain out of thin air from, from the beginning. I like, you know, because now suddenly it doesn't take me, it doesn't take proof of work anymore. Like, you know, it's not expensive to create a proof of stake chain, it can be... Fredrik (51:06): A long, long range attack. Benedikt Bünz (51:08): Exactly a long range attack is sort of the name and with a VDF, you know, that's one way to, for example, prevent that because you know, that, you know, I need to, if I have this VDF running on this blockchain, and I know, you know, that, okay, this blockchain must've existed a year ago, right? Benedikt Bünz (51:26): This must've existed two years ago, but checking, you know, computing, the function takes two years, but checking it is like milliseconds and another really, really cool application that was maybe our initial motivation is that comes from lotteries.
And so there's this idea that you can use sort of Bitcoin and it doesn't actually even have to be Bitcoin, let's say, you know, say I want to run a lottery. Okay. Um, and you should all Google this video on, I think it's a Romanian lottery where the, the, uh, you know, usually the way that we run lotteries is like, we have these public drawings, right. You know, someone draws some balls and, uh, out of, out of, you know, like whatever this, this tube or this, this, uh, spinning thing, and you can see sort of this, this, um, they they're drawing the balls and you can see that three balls have been drawn, but sort of on the, on the digital display, it shows like five balls. Benedikt Bünz (52:22): Right. And then, and the reporter is like really confused because she also sees that. And even though it's a live drawing, and then the next two balls come sort of sort of the thing, and surprise, surprise, they're the, exactly the same balls that have been shown that they were shown on the digital thing before. So, you know, maybe they sort of rigged the system and someone got really lucky and won the lottery, you know, like really lucky. And they just sort of messed up the graphics on the thing. And how can we, you know, trust these drawings? How can, you know, you know, obviously if you shuffle cards, right, you know, there's sleight of hands and there's magicians that can do things. So the question is like, how can we run the lottery where everybody can trust the randomness, you know, without having again, a trusted party, you know, there's again where a trusted party makes the thing easy. Benedikt Bünz (53:09): You know, if you have a trusted party that tells you random number or that rolls, you know, the dice, and does it correctly, then, then everything's good. But maybe we don't want to trust anyone. And these lotteries, you know, they come up all the time.
For example, in smart contracts, you might have sort of random, like every time, you know, randomness comes into play. And the idea was that, you know, you can, for example, take, you can take a block header and extract some randomness from it. Or you can like also take, you know, another one is you can guess on tomorrow's NBA games. Right. Um, and say like, you know, whatever, you know, I I'll, I'll, you know, the scores of the NBA games, they will sort of determine the digits of the random number. The problem is that, you know, in an NBA game, like, you know, I can bribe the players. Benedikt Bünz (53:58): I can bribe the refs in, in sort of a blockchain. I can bribe the miners to, you know, whenever the block header doesn't give me good randomness, they will throw it away. You know, they will sort of decide to, you know, when we say we do a billion dollar coin flip, determined on, you know, the block header, like, you know, I'll just take, you know, take up a loan of a million dollars and bribe the, the, the, uh, the miners until I get, you know, I can get heads and, and win the billion dollars. So that sort of doesn't really work. And the idea is that you can now use the verifiable delay function by sort of saying, okay, we'll take, we'll take the scores from the NBA games, or we'll take the block headers. And then on top of that, we'll, you know, compute an hour long delay or a day long delay. Benedikt Bünz (54:47): And then only then, and only then, you know, this will be sort of the random number. And what that means is that it's impossible. It's impossible because, you know, I don't know which numbers will be good for me because I haven't been able, I wasn't able to compute this, this VDF verifiable delay function on top of it. So how will I, um, you know, how do I know who to bribe or what to do? 
And, you know, I can, uh, the NBA games will be over by the time the verifiable delay function, uh, by the time how I, I know how to influence the scores, the, the sort of the game will be over and, uh, or the games will be over. So that's, that's sort of where a verifiable delay function can be used to run the lottery, you know, and, and this has many applications, again, in Proof-of-Stake where we're again, right? Like in a proof of stake, things are a little bit more complicated, but, but there, I basically need to pick random, you know, some random people, people randomly who are the next sort of block validators, right. You know, everybody has some, some stake and then one of them or some of them need to are the next leaders. And how do I pick them for that? I need good randomness. And here are sort of a VDF can, can help. Fredrik (56:07): Yeah. So in proof of stake systems, like you say, there's a problem. And the problem is not the consensus algorithm. Like you can have PBFT, that's been around for a really long time. The problem is if you have a validator set of 10,000, you can't run PBFT among 10,000 people. So you need to choose some subsets. And that that's the hard problem, but you also have a bunch of other hard problems, which is essentially like Sybil resistance, which was where we were talking about before. Um, so yeah, that's, that's, uh, an aspect of it that I'm really interested in is using delay functions as a Sybil resistance mechanism. Anna (56:41): Maybe just to wrap up, let's go back to Bulletproof for a second. What's the future of Bulletproofs? What are you working on next? Benedikt Bünz (56:47): You know, I hope sort of one future will be a lot more people, uh, using it sort of also maybe, you know, people developing new libraries to make the usage of it easier. And then, you know, there's still interesting academic questions, you know, how can we make sort of the, the time to check the proof, can we sort of bring that down?
You know, is there, uh, can we make the proofs even smaller? You know, so can we, you know, combine proof systems and in some crazy way to, to sort of get new properties. And so both on like the sort of side, can we improve the proof system? And can we find also new applications, you know, can we say, here is this, this problem, and now we can solve this really nicely, um, using zero knowledge proofs or using Bulletproofs. Um, so that's sort of, you know, the questions that, that I'm interested in, and I really, really hope that other people are gonna work on. Anna (57:43): You also mentioned that, um, there's a conference coming up that you're a little bit excited about, do you want to pitch that? Benedikt Bünz (57:48): Yeah, I definitely want to pitch that. So we have, um, the Stanford Blockchain Conference, uh, or formerly known as, as BPASE, um, which is, so the third edition is going to come up in, uh, I think it's January 30th and right now you can submit academic papers. So it's an academic conference on blockchain research. Anna (58:10): What is it called? Benedikt Bünz (58:10): The Stanford Blockchain Conference, just Google that, and you will find it, or I think it's cyber.stanford.edu/sbc19. So, you know, you know, right now there's sort of the submission process of academic papers and we'll select the best papers and presentations, um, that will then get presented at the conference. Benedikt Bünz (58:31): And you can still, you can also attend it. Um, um, I don't know what I'm sure it's going to be cheap. Um, you know, so it's not about, you know, like sort of, it's going to be very academic and really trying to sort of push on the edge of, of research and, and sort of the cutting edge research is hopefully going to be presented there.
And this is all part of the, you know, so Stanford announced that, or the computer science department, or announced the, the, um, center for blockchain research, uh, what this basically is, is it's sort of a concerted effort into blockchain research, uh, by, you know, professors from the computer science department and also, you know, some, some, uh, lawyers, uh, from the law school. And so I think, you know, that, that they have, you know, sort of notice blockchains, which I'm excited about and sort of, uh, notice that it's interesting from an academic point of view and are trying to, you know, sort of push the cutting edge. Uh, yeah. Anna (59:32): Well, I think on that note, thank you so much for sitting down with us and exploring this sort of advanced zero knowledge proof system Bulletproofs and helping us get inside it. Um, I think it's been really informative. Benedikt Bünz (59:43): Yeah. Thanks for having me. Fredrik (59:45): Thank you very much. Anna (59:46): And to our listeners. Thanks for listening. Fredrik (59:48): Thanks for listening.