Anna (00:00:07): Welcome to zero knowledge, a podcast where we talk about the latest in zero knowledge research and the decentralized web. The show is hosted by me, Anna. Fredrik (00:00:16): And me Frederik Anna (00:00:27): This week, we catch up with Jordi Baylina the co-founder of Iden3 and the creator of Circom. We chat about his work in the ecosystem, building zero knowledge circuits, and the new role of project Hermes. But before we start in, I want to say thank you to this week sponsor Parity technologies. So Parity has been mentioned more than once on this show. Fredrik is currently the CTO there. And once upon a time, I worked there too. In fact, it was during that time that this the Zk podcast was born. So for this spot, the folks at parody wanted to share that they are currently looking to fill a number of jobs positions, including many on the engineering side. As an engineer at parody, you would get to write rust all day, be at the forefront of creating and shaping the decentralized web. And hopefully also dig into some cool zero knowledge crypto tech. The best way to get noticed for this role is to familiarize yourself with substrate, the platform built by parody, which makes building blockchains much, much easier. So go check out the substrate libraries and then head over to parody.io/jobs to find out more. So thank you again, Parity for sponsoring this episode. Now here is our interview with Jordi Anna (00:01:42): Today. We're going to be catching up with Jordi Baylina. Who's the co founder of Iden3, the creator of Circom, snarkJS. Welcome to the show, Jordi. Jordi (00:01:51): Thank you very much. A pleasure to be here. Anna (00:01:54): So Jordi, you've already spoken at the ZK summit and actually we'll add the link to that in the show notes where you do go into Circom in detail, but I'm so happy to have you actually joined on the podcast. This is, it's kind of crazy that this is the first time that we have you on, because I feel like we actually see, I see you around. Fredrik (00:02:12): Well, You've been on the been at the events, been all the conferences and not only in our conferences, but obviously around the space for a really long time. Jordi (00:02:21): Yes. I mean the space scenes 2016. Anna (00:02:26): Oh, wow. So this is the thing I wanted to actually start in on, because I just realized like last week I was reading sort of this description of the DAO hack and your name was in it. And I know that Griff must've mentioned this when we had him on the show, you know, two years ago talking about it, but I don't know if I knew you then and I didn't put it together until literally this week. So let's find out about kind of your beginnings in the space. You´Re, you say 2015, was it Ethereum? Was it Bitcoin? Anna (00:03:00): Where did you start? Jordi (00:03:01): Well, actually in 2013, I read the bitcoin paper. I get very excited about that. And I start,I was trying to do some smart contracts. That's actually living and what's opinion on Bitcoin. Yeah. It was a pain, that was my beginning. I realized that most of the opcodes didn't work and it was tough at that time. I also had a lot of work in my older job. So it will be that, put it in the site. And in 2015 later on, just after JavaScript conference, somebody died, I started talking about decentralized storage. I discovered at that point IPFSwell at that point, that blow my mind. I start like investigating, I don't know how I discovered Ethereum and the moment that, I just took the smart contract that I was trying to do two years ago. Jordi (00:03:51): And in two minutes I set up a blog and it was working. And for me then I was just catch it. Yeah. And, and at that point it was like an obsession, just getting all my free time, my asleep all my time, just reading, understanding, going deep and so on. And there is, at some point I, I get in the, into that DAO project, everyone was excited about that project. So I started reading the smart control that I was even writing a liquid democracy for the DAO at that point. Just learning, you know, just learning the code. And there is a, I get involved a lot at that point in there. You discover here, all this was about technical. At this point, it was all the social part of the, of the crypto space. You discover that it's not only a technology, so is when your mind start blowing a lot. And there is when the hack happened. You know, I knew a lot about the smart contract, people just asking me there and they just get involved in the rescue. That was my baptism. Jordi (00:05:01): It was in there Anna (00:05:02): Expression of that. It's like, baptism, Jordi (00:05:05): I translate, I translate from some Catalan expression. Anna (00:05:10): But I think there is an expression. Anna (00:05:14): Sounds like it was very much that. Jordi (00:05:17): It was a lot of learning. You know, I discover how to the hacker did it. I reproduce that in the Testnet. I speak with some slock.it people and send them the code. And they just, they just told me that they weren't just working, that there was a people of white hats that they were already working on saving the phones. So I just joined a call in there. I was like the last guy arriving there. It was, for me, it was like a movie. It was crazy. You know, I was in a call with a lot of people that I don't, I don't even know nobody there. And the people were moving $100 million, just focus there. And it was just there in the car listening. I couldn't believe the level. And it was interesting because at the end of the call, they rescued $96 millions out of the $100 millions, but they still did was $4 millions Stolen. And I had my chance. There is I can, I, maybe I can try to use my smart contracts there to try to rescue. And I was able to actually recover that for the last $4 million. And from there, my life just tinted. Anna (00:06:20): You just made this comment about how it was like a movie and a few years ago after we had done that interview with Griff, which by the way, I'll add in the show notes for anyone who wants to hear that sort of extended story of the DAO hack. We had just done that interview. Fredrick. I don't know if you were there that day at, okay. So we all met up with someone, a friend of mine who like he was not in crypto at all. And we were buzzing about this story, you know, kind of looking back at it, but we were so excited about it and we explained it to him. He's actually a filmmaker and it was so fun to try to explain it to someone from the outside, but it really does have the drama of like a movie. Jordi (00:07:04): Actually, I have a friend that I exactly like you explained, I explained him the story and he likes to write books and he tooks my story. Of course he change it. You know, it's just a fiction story, but took, my story as a base for a local for three months, he wrote a novel, has nothing to do with Ethereum, but it's like a, you know, he just mix them, he just put more of his side and then mix other stories. But, it was like the base for his story. It's a local writer, but yeah, I understand what you mean, it was very crazy. And for me it was very, very impact. I told you my life changed completely at that point. Fredrik (00:07:49): I have a question actually about the DAO hack specifically that I've, I guess I've never cared enough to investigate on my own, but I've had this question several times, what happened to the funds on ETC? So like there was this split because things were recovered and then ETC. It wasn't like what happened on ETC side. Jordi (00:08:11): The day of the ETC hard fork, we actually thought that the story was over, but then is when you see a pair of, so, and we just start re-synchronizing servers and so on, and we did there all the recovery. We did what we can. I think we miss some time at the beginning, but the other, there was a lot of thoughts. It was a very complex situation, but we recover like 70% or 80% of the funds in ETC. And while recovering that point, that was actually the most, I thought the most difficult part, because this was not a technical part had to return. So we'd recover. These founds we returned them to their, their own lives. But the story for returning was hard. One, we try it that first chance to convert them back to Ethereum, that's where we had all the tooling there. Jordi (00:09:03): People knew that. So we try to move them, Ethereum, but this was a mistake. We didn't realize that, but this was actually a mistake. So we, at the moment that we tried, because, you know, you need to try to convert that, but it was difficult because you need to do it in a way that's like secret in order to try to maintain the maximum value of the tokens, but at the same time public so that you can prove that actually move to, for instance, this was not. So we set up a full strategy to move at the same time. The story, I remember this was really bad because we just keep the bottom to move the founds. And I think it's most Poloniex just block us the phones. And they told us, there is some founds, something like there was some founds and from suspicious places that has to be moved. Jordi (00:09:54): Everything isn´t fancy enough, the FBI and that point. Okay. So we just took all the remaining founds. We created all the smart contracts. We paid the smart contract, what other people could withdraw their founds. And then we just flip it back with that idea. We are ready to return the founds. Please changes that you have blocked us. Please send the founds. This is more coursework so that the people can recover it back. Yeah. In less than 24 hours, they just send the money there. So, and the people just started withdrawing and everything's there. Anna (00:10:23): Did the hacker get away with something? Jordi (00:10:25): Yes. I think you get, like, at that point was something like $4 or $5 million or something like that. In ETC. Yes. Yeah. But then this is when they sit in, was that panel or something like that. So everything gets crazy at that point, but that's what I told you is that, for me, that was my baptism. I learned here a lot about the changes. I know a lot about people in the, in those scenarios. It was a huge learning for me, you know we will learn about analyzing the blockchain DLT in generating these smart contracts for returning security issues. I learned a lot, you know, for me it was a master class, was probably more than that. Anna (00:11:10): How did you go from that point to zero knowledge, proof stuff. Like what we're talking about was that was in 2016, right? When and how did you first get interested in the zero knowledge proof side of things? Jordi (00:11:25): I could not say an exact date, but when you are in this space, you, at some point I decided that I want to be here just for backwards like that. This is my life. And I want to be here. And the first thing that I realized is that this technology do not scale. So if you want to use this technology in the real world you need to think about scaling the budget. I get very obsessed on the scaling. I was studying just the state channels, side chains, some different solutions, that plasma that was at that point. And I was very pessimistic in all these solutions until the point that in some way I connect the zero knowledge in all that staff. I remember that Vitalik wrote introduction to SNARKsand I was reading there. I had to read like, ten times, you know, those posts because they are not easy and there are some unconnected parts and you need to go to step, but at the moment that you get it at the moment that you understand it, it's like, you see how, it´s like this things. Oh, it's not, it's not that hard. You know, it's maybe takes you like a month just to understand it. But once you get it, you see that you appreciate the simplicity. You appreciate that, but it's not, it's really, it's really cool. You know? And when you start seeing what the applications that we planned with privacy, a lot of applications is when you get interesting. And when you really see that this is the future of these space, or at least an important piece in the future. Anna (00:12:52): That's interesting. So it's interesting that you came to it more through the scaling side, like you must been aware of like Zcash and these other projects out there, but you, if, for you, it only really landed in your lap as a solution to scaling when, or maybe like, who first put those two ideas together. Jordi (00:13:10): I remember there was a post from Vitalik talking about zkrollups, It was rolled up on that, this idea of a splitting of separating the computation, the scaling of the computation side of the validation. So the validity part and the scaling of the data availability and splitting the problem in these two problems. This is what really blows your mind. This is actually the real piece of these blockchains can evolve. And then it's just a matter of doing numbers, you know, just making numbers, how many transactions would you do, how much it would cost to bring the proofs, how you would set up that and you start thinking, and just now I think the problem, and then you are learning and you're discovering, and yes, that's identity. You know, when this is when they start working with identity, that was his privacy part, but also the scalability part, you know, and identity system. Jordi (00:14:05): We want to build a system that everybody can, all identities can do as many claims as they want. So it's not a centralized system. It says it's a sobering, decentralized identity. So you need to scale. If you want to claim you will need to do this attestation, and you need to scale this quantity of attestation of the system can handle. And here is where comes again, the solution of the SNARKs, which is cool, because it´s the same technology, that you can use it for privacy, but at the same time for scaling and actually problem, this is, I hear from somebody that says that what really make the, the big interest of the SNARKs, is more in the skinny side, than the privacy. Nobody cares about that, which is sad, but that's the truth, in any case. It's an amazing technology. Fredrik (00:14:57): Sort of maybe related and sort of a side question really, is were you involved in the Ethereum based system that was set up and then the Spanish political kind of nightmare that was going on for a while, where there was an identity system on Ethereum for voting, for tracking where these like political groups were meeting and all this stuff. Jordi (00:15:20): I'm a Catalan, I have nothing to do with Spain. Anna (00:15:23): Ah, okay. So were you part of the Catalan Ethereum project? Jordi (00:15:29): Yes. Im a Catalan and justice working for Catalan to be an independent country. And I think that blockchain is an amazing technology that help on that. Specially, the goal in my life is Catalonia, the liquid democracy system, where Catalans decide if .I want to retire when this happens. Fredrik (00:15:49): Yeah. Did any of this work act as a precursor to item three or was it completely separate, like separate trains of thought? Jordi (00:15:58): I told you, this is my, like my long term goal. If you want my ideology goal, but in the middle, you need to, create a sort of sovereign identity. You need to scale blockchain, you need to work a lot in the technology. So at the end is you, this is a long term path, but in the short term, we need to work in the everyday's project and indemnity days here is where scaling, sorry, identity and so on. And Catalonia, is just maybe my motivation, but you know, this is a technology that works for any community in the world that can be self organized and all that together. So yeah, that's really cool. Anna (00:16:37): What is Iden3 then? So this is, is this a company Jordi (00:16:40): It's a protocol where everybody can create an identity or if you own a set of identities. So those identities can create claims mainly on other identities. And then you can prove those identities to third parties. So I then three at the end is a simple protocol where you can create identities, you can create claims and you can prove those things. And that's it. We want to try to keep it as simple as possible. This is the basic for any identity system. The goal of five and three is to define a protocol that can be used for the decentralized smother for doing that. So it's a base layer protocol. Fredrik (00:17:20): I'm curious what the claims can be like, can I claim that I'm a Swedish citizen or that I have this education? Jordi (00:17:28): Yeah, yeah. You can have this degree on this school. You can claim that you have a debt on something. You can claim that you are a nice person or that your podcast it's really cool. A claim is any statement that you do. It's like if you go to write something and you put can prove that later. So I'm doing a claim on you. And then for a typical example, I'm claiming when you're, I'm the university, you are a student in claiming to you that you have this degree, and then you can take this claim and prove to a employer that you had that degree and all that with privacy. So I don't even find the university. I don't even have to know that you are proving that to this job. Jordi (00:18:14): So when you want to keep this or this privacy in the, in the full layer, and at the same time, the scalability word here is where the challenge, the challenge come and where the zero knowledge is a key piece. So we started doing this identity system, but then we realized, actually, we realized that zero knowledge are so important. So that's also why we developed all these tooling for Zero knowledge mainly for this need. We need to build this protocol. So we need to define that. Of course, you learn a lot on that and you are doing like iterations that you could do this way. You generate the proofs, it´s not this way, how you manage identities, it starts, it's complex, but it's simple. Anna (00:19:05): So, You've explained where the zero knowledge proofs fit in. But do you feel like the CirCom and snark jazz, has that become like a bigger part of this project? Is that sort of your main focus nowadays? Or is it like still within this umbrella of identity? Jordi (00:19:23): It's bigger than that when you do this project and when you see that, when you see that many projects start using that you need to understand that then you are tracking all these tools, be not too long for you. It's a tool for the community here. It's not an, I don't know there is interesting projects. I don't know, Tornado Cash, is using that. We talk so the, this game you say it, was the name that Forest game is using that. And Semaphore is using that. So it's like a lot of projects that are using Circom. And I think that Circom brings this technology to a lot of New developers that discover the zero knowledge through these tools. Anna (00:20:09): I think we haven't actually defined what circum actually is. So what is it? Jordi (00:20:14): Circom means circle secret compiler. So it's like fancy name, Circom is a language to write programs that can be run in zero knowledge. So let me explain. So when zero knowledge, what you are doing, mainly what you're doing is you're proving that you made the computation, but we felt you to have to repeat that computation. You can verify that much faster, but how do you program what computation you want to prove in the case, the rollups, for example, this computation is about verifying all the transactions, so you verify that the signature is okay, that you're having enough founds in your account and all these typical validation. So all this process of validating that at the end, you want to summarize in a single proof that everybody can verify very fast that all this competition that can be long is proofed really fast. Jordi (00:21:12): So how do you write this process. So how do you write these programs? You cannot use regular languages. You need to write these programs in a very specific manner. So you have a lot of constraints that you need to use there. So Circom is a specific language that helps the developer to break those programs. Yeah, those circuits, we call it circuits, circuits programs. It's very much the same, but we call it circuits because the properties of these programs are very much like an electronic circuit. So imagine an electronic circuit, without a hatchet, without the latches just ands and ors and you just do the, any computation you want, but just answer, it's just, you have an input, all of ands and ors and an output. So you get the end, you need to convert whatever you want to compute with ands and ors. Jordi (00:22:04): If want with a circuit, that's why we call it the circuit. And that's converting that is that. And its a DSL language. It's a writing Circom, is very much like writing electronic hardware. You just do very small components with the addition, multiplication, you have a very like transistors, you have more complex blocks, you know, in the end, you build your program out of these blocks, you do maybe DSL you do get components that we, this gate, or the components, you do, add others, and then you do more complex operations and you are building blocks every time more complex that'd be end, you build your program out of this box. This is what for you got DSL Anna (00:22:56): When you first started on this, what was already available out there. Like, were there no languages that you could use? Like why did you feel you had to develop a new one? Jordi (00:23:05): Well, at first it was the libSNARK was the original. Anna (00:23:10): But that was a library though, right? Or Jordi (00:23:12): It's a library yet. Yes. But you know, for, for writing those languages, you need to understand a lot about C++, and was quite complex to program in that, but point there wasZocrates, I started doing some work with Socrates, but I was very disappointed, especially because you couldn't in soccer test at that point. I think, you know, that they change it and they move forward on that. But at that point, it was very difficult to use all the tricks that the circuits, can do. For example, for doing a, you cannot, you don't have a, an operation, that's a division, you have a multiplication, but you have a constraint. So actually what you do is you calculate the multiplication and then you add the constraint that the result multiply. And by time you fix that, and then there are these kind of a lot of these tricks that when you're writing circuits are very important, that it was not very well solved in other languages at that point. So I just,uI wanted to write circuits and the ones that were there didn't fit to me. And,well, I just wrote my own language. And it was, it said, you know, it's very simple. It's really, it's really cool, people like it. And it's,uit's becoming very much a standard for writing circuits. Fredrik (00:24:33): How did you approach writing your own language? I mean, you could have made an embedded TSL in something else, or did you just try it a new compiler from scratch and what did you write that compiler? Jordi (00:24:46): Yeah, I brought a new compiler from scratch and I just started there is a lexical part, and then just screw the branch. And I'm compiler expert, but I knew some, of the basic technicques of compilers. And I called the project, you know, it just starts to, it'll be like a toy and it goes growing as one right now, this language is fully written. It's a Rust or a the writing of Circom in rust. That's done by people from university that knows much more about compilers on myself. And it's doing a full rewriting of the, and we go slowly. So because this had to be like three, four months ago, and it's still a work in progress, but they are working hard on and they hope that at some point they will replace the actual JavaScript circle. That's why now what it is, but, you know, it will come whatever, the core of Circom works well. Fredrik (00:25:50): I can imagine a lot of interesting challenges though. I mean, especially on the optimization side, when you have these super complex circuits, there must be tons of optimizations that you can do to like typically in a compiler. If you have this, like you're building on building blocks, then you do things like inlining and you kind of fold a bunch of these layers together. At some point before you spit out the end result. Jordi (00:26:14): Yeah, there is a lot of things there to do. This is the idea is we are trying to keep it separated. So it's like the compiler just compute these intermediary signals on the greater constraint system. That's maybe not optimal. And then you're gonna have other intermediate stages where you can run all these optimizations. The problem of these optimizations is that they need to be updated very well because you can mess it up easily. So, yeah, exactly. So it's better to keep the language of the compiler as simple as possible. And then all these optimizations put them as plugins, at the end, or maybe even the different stages. So that's a little bit the strategy that we are following for that, but yeah, it's a it's work in progress, all that stuff. Anna (00:27:05): Does Circom work with every sort of zkSnarks scheme, or is there like a particular type of snark that it's built for? Jordi (00:27:15): Circom actually regenerates R1CS, circuits are rank one constraint system. So it regenerates a constraint system. And it also generates the code to calculate all these intermediary variables that you need to build. You want to create a proof of a specific program. You need to run that program. So you need to compute all these intermediary values. And this is, this is important for that. So this Circom does this two things. The computer generates the R1CS system and generates the code that computes these windows. So all the cryptography primitives that can take us on input R1CS system, it works, for example, here is a bulletproofs can be connected to there with some aurora. A lot of these systems they have this imput. Yeah, but Plonk it's very, very easy to adapt. It's not really an R1CS, because it can have like only two, it's not linear combination. It just have a very limited set of signals. But when you have a linear combination, convert that to many, just add them together, it's not difficult. So just a connecting Circom to Plonk. So we did, this would be done. It's in to-do list, maybe somebody doing it, but it's in the to do list, and it should not be, it's not a difficult thing to do. Anna (00:28:45): Do you feel like CirCom is really the, the kind of the tool for certain kinds of constructions and then others. Do, do you see any other languages kind of emerging to deal with some of these new schemes that are coming out like Marlin, or like maybe the vanilla Plonk that doesn't use R1CS? Jordi (00:29:03): We'll see, this is, I think that we it's very early. I see that in these circuits in these languages, there is like two sets of languages. One is more of, if you want more high level languages, languages that, that are more close to what would be a standard like Python or like Rust, or more like that looks more like a traditional language. And there is languages that are more low level. You know, these DSL language is more like a writing assembly, you know, we justyou put them the things together. So these other, the other side before it's probably not long in the long run, maybe would be less optimal. You know, they would be more constraints and it would be as optimal, but it will be maybe enough. But in the long run, probably this would be more the future. Anna (00:29:51): They would, would they have to write their own high level in a way or like, or maybe even a library that interacts with Circom, but it's optimized for this particular thing. Jordi (00:30:01): Yes, exactly. It could be that way. We'll see, hold, hold this ends up, but, you know, Circom is very good when you want to have full control exactly what you want to do in Circom. You have full control of the constraints you are writing and in Circom, for example, so there is no special library, you know, all the components in Circom are written in Circom. There is nothing like special things that you need to import them. So in Circom, you can write any language you want in Circom itself. And this is an easy way. So this is one of the coolest thing of Circom and yes, probably on top of Circom, maybe there would appear other languages just for these more high level. But if you have, I would say, if you have the mind of an electrical engineer, Circom is really good because it's just, you can do very, very, very complex circuits because at the end is just a complex circuit is the union of many,uless complex circuits and this less complex circuits are the union, Anna (00:31:08): More or less. Jordi (00:31:10): So at the end of this, you can build the full thing. And the other cool thing of Circom is that you can not fully, but you can audit, for example, a specific company, specific component there, and you can be sure that at least this piece, you can treat it as a black box and you know, that it says it's okay. You could see the connection circuit. Exactly. So if you have for electrical engineers, Circom is there, is that, Anna (00:31:36): Are you, are you actually an electrical engineer by education Jordi (00:31:40): Yeah. I'm a bit awkward, but I'm I'm yeah. My studies are, I'm a telecommunication engineer. Anna (00:31:46): Oh, perfect. Makes sense. Then seemed like the right person to be doing this Jordi (00:31:51): I mean, I've been designing, electronics for a while. Okay, cool. Anna (00:31:57): I wonder how does snarkJS fit into this? What is snarkJS then it's separate from CirCom, right? Jordi (00:32:03): Yes. Circom just generates These R1CS and snarkJS is a JavaScript library that actually implements that zkSNARK protocol. So it takes us an input. These R1CS and these witness, I it hassled all the tooling for all the set ups for ZK Snarks, for generating the proof, for verifying the proof, for generating the smart contracts that can be deployed and verified on chain. You know, that it's, it's all these cryptographic implementation of the Zika Anna (00:32:40): Okay. And that's, so the snark JS will w how do I say this? It compiles into a graph 16 curve. Like, how do I what's how would you say what's the interaction? Jordi (00:32:53): So you write the Circom, like what you compile it with Circom. So you'll have like two files, the one, the R1CS constrain system. It's just a file with all the constraints in there. And then you'll have these in general. It can be Wasm or C++, but imagine that its a Wasm file that computes a, that actually computes all these intermediary values. Okay. So this is the output of a Circom. So what it does, well, first of all, you need to run the trusted set up ceremony though. So SNARKJS first includes, all the tooling for these trusted set up includes all the Powers of Tau, which is not specific to any circuit and generates all these Powers of Tau. And just, I am sure that you... Anna (00:33:42): Yeah, we did an episode on the trusted set up, but yeah. Jordi (00:33:45): Just let me ask people, it does, please collaborate to the trust to set up ceremony. Anna (00:33:50): Oh, the perpetual powers of towel one, you mean? Yes, Jordi (00:33:52): Yeah, that's important on that, but yes, right now it's like a second. It's a second implementation of the, of these multi parties ceremonium, to be independent in certain incrimination, which is important even for the same ceremony, because at the end you ended up just trusting a simple software. Right now we have two different softwares that are covering that are doing exactly the, you know, exactly the same thing. So it's more difficult to that there is some problem in the software. Anna (00:34:22): Wait, where is this? This is in snark JS, or this is, Jordi (00:34:25): This is on Snark JS. So we have the Powers of Tau ceremony. Then will you take your specific circuit, You compute like the first key, but then you need to run these phase two, these other ceremonies, so that you have all the tooling for running your trusted, set up ceremony on top of this simple, why don't you have this setup set? So you have like a probing key and a verification key. So with the probing key, you want to prove something. So you need to, when you have an input to the circuit, you need to run the circuit, with Wasm fire that we agreed at the beginning. So you get all these intermediary signals. Okay. And with this intermediary signals and the probing key, you just create the actual proof. Jordi (00:35:17): You know, this is a very short it's like less than one K and less, less than 1000 bytes. It's like 200 bytes or 300 bytes of that's actually the proof. And then once you have this proof, then you need to verify that. So you have the verification, the verification, you put this proof, maybe you have the public inputs or outputs and with the proof and the public input or outputs, you can verify that actually you run the circuit in a way that this public input or not puts much. And with this proof, you can cryptographically verify that these was actually done that way. And, and yeah, and then you can also with as Snark JS you can take this brief verifier on uploaded to the blockchain and the, yeah, you can, have all the pulling on that. Jordi (00:36:10): And the cool thing also for Snark JS, is that fully works in the browser, which is really important. You can do all these ceremonies and you can generate the proof. You can verify the proof. You can do all these, all the tools works in the browser. It's the full tool right now. And this is the last updates it's fully written in WASM. So it's very optimal code. It's run also with workers in parallel. So it's a, of course it's not native HOS the generation of the proof, but we are getting closer to there. Maybe it's like two times, three times, four times slower, but not 100 times lower. So it just it's, and this is very important, you know, if you want to have, for example, the recent project that's doing that for, it's not for voting the voting, you probably want to do the, you want to generate that proof probably in the browser. Jordi (00:36:56): So you need to run there. So this is the importance also for Snark JS. Yes. These that you can do that in the, in the browser. Does it work with anything other than Groth16? Not currently. Yes. we will see actually in my, "to do list", I want to really get deep in plunk at some point, but right now we are, we are very busy with Hermez launch, but I hope that after Hermez launch, we can have some time to get deeper in plonk and all these new versions in all these new turboplongs and all these new adds-ons, on plunk that are very, very exciting and very interesting. And I think that they're snarkJS on Circom can be used for, for those new schemas, and maybe some, one that already has not been invented yet. Fredrik (00:37:49): I think that it's a fair trade off. I mean, if you talk about people who actually want to build applications with Snarks, most of them are still extremely skeptical to using anything other than Groth16, because basically nothing else has been used in production, like for real real value attached. And it's, it's questionable. Like we've had many conversations with cryptographers on this podcast who go like, yeah, if it was invented in the last 10 years, you probably shouldn't use it. And yeah, it's like, I don´t know, I think it's a fair trade off to say it supports Groth16 and then like one, something else has really proven that you can start building a support for that. But I mean, it's also like snarkJS is, as I understand it now, like a complete tool kit for someone who wants to build an application using Snarks right? So it's, it's the whole stack, including like deploying a verifier to, to a chain. And so you, you want that reliability there. You're not, you're targeting someone else than a researcher, basically. Jordi (00:38:51): Great. Yeah. This is when you want to create a real project for real, a project that we'll we'll hold the, I don´t, we expect millions of followers there. You need to consider very much these decisions you'll know that you need to assume some risks. I mean, you need to understand exactly what risk are you assuming, and you need to cut at some point here, for example, in Hermez we decided to launch with zkSNARKs. This is known technology is still a lot of things. The only, I would say that the point that we are risking more and here is where I leave this. If you want this point that we are moving forward is mainly Poseidon. Poseidon is a hash function inside, inside the snarks. This is a less, less used. It's not used in Zcash. They are using Pederson Hashsh. Here we are betting. Jordi (00:39:44): I know that there is other projects that are using these already in production, but here is probably the most risky primitive that we are incorporating. Yes that's we assume that we know that, but you know, at some point somebody needs to, I would say that every project needs to include something and they are so why we believe that Poseidon is very new, but we have our strong, confident that this is going to be a good hash function and maybe we are wrong and you never know, but that's, I think it's a, we can assume that, it's a, it's a bad, but yes, we what's. What's the most critical from the crypto or at least from the cryptographic perspective, what's the most critical part of Hermez project, Poseidon hash. That's the that's what gets me more scared. Anna (00:40:33): Let's actually introduce this project. You've mentioned now, Hermez, Hermez, roll up. What is this project? Exactly. Jordi (00:40:41): Hermez is a roll up very much as standard CK roll up as we understand. And a main differences here is that we want to Hermez, We designed it with decentralization in mind. Also, the other thing that we are in including is all these proof of donation. We understand that we are running on top of a layer one. So we have in some way we need to promote, we need to help. We need to display the work you there, but we need to grow together with the layer one. So this is the proof of donation. The idea of this proof of donation, it that's like 40% of all the transactions that will be collected from the Hermez will go to the layer one, the community to the community funds. Anna (00:41:27): Where are you collecting this from? Maybe you can walk us through where that collection point happens. Jordi (00:41:34): Yeah, this is solid. Holy works. They, there is hope. So here is who can be a, an operator. The operator in a roll up is the one that just collects transactions, embed them in a batch and then send a transaction in layer one, including all these,utransactions single layer, one for transation. That's the compression that's leading the, in the roll up. So here, the idea is how do you select who can be that coordinator? Okay. Uso this coordinator,uwhile one option could be just to centralized ,centralized coordinator and that's it, that's the easy part. And here we are betting for a more decentralized system. And here are the days that everybody can be a coordinator. The idea that we divide the timing in ten minutes slots, and then you beat to by these slots. So I want to buy these slot. And then there's an option, the one that... Anna (00:42:25): I bet to be a coordinator during those 10 minutes. Jordi (00:42:28): Exactly. And the winner, the one that's winning to beat, there's willing to spend more money. This is the one that really gets the chance. And during this time you need to, you can forge as many budgets as you can. So they do have a good hardware that you have a, you can collect a lot transations then looking for you and your transations, but you will have to pay your costs. So you cannot put like high value there because it needs to compensate for it's an option. So from this money that we collect, from this auction, it's a 40% is burden. A 40% goes to the community, to these, you know, this community founds in some way, we will start using this. We don't want to get very much distracted from that. So with this, we will probably at the beginning, we'll use this funding on bitcoin. Jordi (00:43:17): But at the end it would be, we would have not even decided that. So probably we'll send it maybe to the same foundation, and the foundation will send it here. So we'll go to the layer one. So we, we, this is something that's community founds. We don't, we should not be able to decide how they get spent, they need to get for the later one. So that's a, the what's the last 20%, where does that go? 20% that goes to the investors, going to be a kind of a token, but people that has this token, then we'll, we'll get this reward. Fredrik (00:43:48): What's the point of burning tokens. Jordi (00:43:51): The idea of burning is that if you send it to somebody else then you can cycle the money. It's like, I'm, I'm betting for something, but I can bet a lot of money because at the end that the recipient of this money it's myself. So it's like, and then you can, you always be in. So the days that you need to be a huge amount of this percentage, that's actually, this is like 40% is burdened directly. And 40% Maurice is in some way, we don't control that, this just goes to the community. So this 80% should be more than enough. Fredrik (00:44:22): Why not send all 80% to the community? Jordi (00:44:25): Wow. That's that would be another option. But we also are the problem of sending to the community, we also afraid that they may be some feedbacks, it could be some corrupt in some way. So I think that having 40% that's burned for sure, this, this creates but we know that at least 40 minutes. So you want to go now I lost a lot. And then we have for like 40% at the 30th, everything was okay. It's like 80% of burning. Okay. So that's, a little bit, this is a hand wavy. Yeah. It's a little bit that's that? I think that are a good starting points on what, at least where we want to wind things up and see how it works. That's Anna (00:45:06): The individual or the, this, this bid, this auction at the beginning. There's this person, this person or entity who's trying to get to be the coordinator on the batches. Is that what you called it? A coordinator I'm forgetting now. Jordi (00:45:17): Yes. Coordinator. Yeah. Sometimes. Yeah. Sometimes yeah. Operator, but it's more, it's better to call coordinator is a good name. Yeah. Okay. Anna (00:45:24): The coordinator or operator on the batches, their pain, but what do they get? Like, why would they do this? Jordi (00:45:30): Why did they get all the fees, They get all the fees section. So when you are sending a transaction, that's one section and there is a fee. So they are collecting all the fees of all the transactions they are, including in all the batches that they are see. Anna (00:45:40): And you know, that that's going to be enough that it matches Jordi (00:45:44): This is why coordinator's needs to in some way,optimize. A lot of transactions with high,utransaction fees. Then they will, maybe we'll be able to bet more and or maybe they have a good cause. You know, they have a good,systems that they can run it very cheaply and they can generate the proof very fast on the half of these competitive advantages with the other coordinators. This is actually their margins. So this is where they can, they can bet on that. Anna (00:46:17): I just realized something that maybe I'm not fully clear on with the roll up concept, but is there an actually gas on the transactions within the roll up? Because that seems like it's a new newly, but it's not related to the actual main net transaction fee in any way. Jordi (00:46:33): It's, it's not related directly, but at the end, Anna (00:46:37): There is a fee to write to change. Jordi (00:46:39): Wow. Yeah. The end, the coordinator, the coordinator needs to create a transaction on the main man. And he needs to pay for the fee for the, for the gas in the main net. So in some way they need to, yeah. What you need to include this. They need to include this, this cost in the people's transaction. But the thing is that the cost of these roll up transactions it´s gonna be like much lower, maybe, I don't know, 50 times less, or yeah, Anna (00:47:08): But you still like, so it's like the overall main net transaction fee will be smaller because it's batched. Exactly. And that has to be included in the transaction fees, in the roll up, but you still get a discount. You get a much discounted transactions. Jordi (00:47:22): Exactly. But this is important because people think that the roll up transactions are free and yeah. Gave me okay. They have not really free. So it's like, Oh, I can promote them. Okay. I can, I can make your gift. It's still going to be free for you. But actually somebody needs to pay the gas of the pool. And here is where ZK Snarks are unbeatable in the verification costs and in the proof sites. And this is parameters is very important, especially with these high gas fees in the scheme. So that's why zkSNARKs is a still, the best scheme. Zero Knowledge scheme. So you don't know wh at just came up. If you just take in account these parameter, you know, the cost of the verification on chain, it's still, it's like twice is like half cheaper than for example, a plunk or I don't know, many times cheaper than Starks or any other any other scheme on there. Jordi (00:48:24): Zksnarks is still good. Maybe it's like, it's not like the last trending in the zero knowledge space. You know, it's like every Halo and Plonk. And it's like a pairing, a lot of new things, which are cool. And, and I tell you, it's like, I, we need to get in there. It's like, it's not, not going. I'm not going to say, I know when to say that they have a little good, very good properties. You know, they they'll need be trust to set up. They can, some of them, you can use some more,unormal cryptography inside the circuits. So there is a lot of advantages of these. They have a lot of advantages of these new schemas, and I'm not gonna say that they are bad, but for the specific parameter of the verification cost in a chain,zkSNARKs are still the best. And so that's the big disadvantage. Zksnark Groth16 with the trusted setup, with a trusted set up. Yes. Fredrik (00:49:21): That's an inherent nature of the, of that structure. I know the cryptography, but also because the Ethereum doesn't support any of the other cryptography. So, I mean, if you wanted to deploy something else and there wasn't any AP for it first, then it wouldn't be a thousand times more expensive because it doesn't support the crypto. Jordi (00:49:42): Yes and no. So first there are some other, for example, plonk its supported if you are using the BN128 curve Fredrik (00:49:57): And just inherently in the, in the math. Jordi (00:50:00): Yeah. And the size of the proof. How many bites, the size have, I don't care. Just forget about the, the cost of the blocks How big is the global found? How much just takes a regular CPU to verify your proof? Fredrik (00:50:14): I have a followup question on the fees because, well, I wonder how are the fees for the, on the operator side calculated, because as you said that the operator has to pay something, which makes me think that they will have to like, be able to set some minimum fee at least, or maybe decide the fee entirely, but then you don't have the same fee structure as on Ethereum or like that the user can kind of bid with their fee, right? Like if I pay more, maybe I get included. So how are the fees actually decided? Jordi (00:50:48): Yeah, the fees are decided pretty much like any other blockchain. So at the end is the operator can select the transactions they want. And they just include them in the budgets if they are reliable, but because these gas costs and because these volume will cost, it's going to be for sure a minimum fee. There were curious, something very specific from the four for the coordinators. And the coordinators probably will have to distinguish two situations when is when they are running at full capacity. And the other is when they are running under the capacity for under the capacity, this is going to be probably easy. It's going to be just a minimum, fee that will be set up by the, by the coordinator and in full capacity is going to be very much what we know now in Ethereum or Bitcoin is like an option. You just, depending on the moment of the day, you will have to pay a little bit more or less. Fredrik (00:51:44): But there's a, there's a difficult problem where if the operator says, okay, I'm going to pay 10 and fee 10 something. And so they said, you know, I'm predicting that I'm going to get 10 transactions. So I'm going to charge each transaction a minimum fee of one, but then they only get five transactions. Do they still submit the block kind of on time, quote unquote on time? Or do they hold off until they get 10? Or yeah, that's a, it feels like a hard trade off or the office. Jordi (00:52:16): It's a, there is some optimization problem there. That's one of the things that we are working there. And it's this is one of the, one of the nicest models of Hermez that we are building, but this optimization problem. And I, let me add you on top of that. This is with we are doing that with millions of transactions. We are scaling. So the difficulty there is that's not half, a 100 transations. We have maybe I don't know what 1 milllion transactions, some we need to select, which are the right ones and make these kind of decisions. Once you, once you earn the auction and this is like a sunk cost. So at the end is as far as you are, you need to understand very much what's your variable costs, of the fees. And at the end, it's just as a decision problem is like how much transactions, what are the best transactions that I can get? How much I get on that? And is it profitable for me? So generating these transaction, or maybe I need to wipe, maybe you need to wipe, or if it's enough when you just send it there and it's, yeah, it's an optimization, this is one of the difficulties and one of the nice things that needs to be in the coordinator side writing coordinator. It's as I told you, it's a interesting engineering problem. Fredrik (00:53:33): It might also be a little bit like I'm just, we have to accept it as a variance problem. That it's a repeated game. We have to play and kind of like mining or mining. And most of the time you're not winning and that's just on cost and you're losing, but then every once in a while you win and you get enough to recoup the losses. Jordi (00:53:52): Yeah, this is, this is something that maybe the technical people is not very used to, but if you talk with business people, this is actually what they are doing all the time. At the end, it's managing the risks and evaluating the risk and decision making. And this is something that's very studied from the, in the operations. You know, if you, if you talk any operation manager or any big company, that's mainly what they are facing, or , maybe some of the unknown problem for many of the deaths that has, they don't know this subject, but it's a known problem in the industry, in, in other industries, you know, in the production industry and other manufacturing industries, Anna (00:54:33): We actually are almost a time, but I have, we're close to the end of our questions too. So we're on track. I wanted to ask, is Hermez a concept or is it a full fledged product? Like, would somebody come along and build with Hermez or on top of Hermez using Hermes as like a structure, or is it going to be a DEX of itself? Jordi (00:54:54): Hermez is going to be a public roll up. You know, it's a Hermez that everybody can use. It's a, everybody can use to make payments on top of that. It's not going to be a dex, but it can be a DEX that can be built on top of that. But you guys, aren't building that. We are not building that. The cool thing of, one of the interesting properties of Hermez is that they will include the atomic transactions and atomic transactions, you know, for, you know, for swapping one one token to another token. And this is very, very, it's an important piece for any decks. That was to be built on top of that, but just a primitive that Hermez, we were willing to, Anna (00:55:33): How does Hermez really stack up against the other roll-ups that already exists? So there's like Loopring has come out and there are these sort of offchain layer 2s, like diversify that also, you know, are using Snarks and bringing like some of these transaction data back on chain. How does it distinguish itself Jordi (00:55:52): They are different projects each one has his ways to understand the technology. And I would say when many other ways for example, if you compare with Loopring, that by the way, it's an incredible project and it's like an inspiration. Yeah. So it's a very good project on that. So it's,for example, Loopring is more,backs itself on its,more specific the concept of the central lights coordinator, which for the kind of project they are building is okay. But what, for example, we are trying to build a more decentralized coordinating system. Here we include these proof of donation stuff that I think this is something that's new and needs to be tested, and this can be used in other roll-ups, for example, maybe some optimistics roll-ups or some ways to select the coordinator. Jordi (00:56:43): So that's cool idea, I would say that that comes from Barry Whitehat. And I think that's something that can add a lot of value to the space. Also these proof of donation that you are giving back to the community to the layer 1. I hope that the other projects in layer 2, to maintain or to help maintain, to help improve the layer 1. Thing, this is important for the space that this happened and also the, you know, the strategy for promoting for launching. We are also building a wallets. We are building APIs. So at the end is we're building a project there. Anna (00:57:27): You just said there though, that idea that like contributing back to layer 1, I feel like, I mean, two years ago, I just don't, I, I did not think we'd be in the position where there's so much value on layer 2, that you actually have to think about maintenance of layer 1, but I guess that's what's happening right? Jordi (00:57:45): I think that at some point everything all the values is going to be layer 2 and layer 1, gonna be just you know, layer two, to turn these transactions of,uof operate of coordinators, that this is like an extreme, and it's going to be a process, but a layer one that do not scale and it's going to be very expensive. So,when we go to mainstream, we will need this,layers to and layer one. That's going to be just for these,uhighly valuable world transactions at the end are going to be the little tool that the transactions that come from layer two. And, you know, I don´t have a crystal ball, but I think that the blocks, the space goes in that direction. Anna (00:58:27): Like, so once if Eth2 comes out, though, what happens like, as I understood it roll-ups will probably still exist on shards when Eth2 comes out. Like it's still going to be relevant, but like, isn't it supposed to solve? Some of the things that layer 2 solves for, Jordi (00:58:42): For me roll up is very much what in Ethereum 2 is called Execution environment, at least of all of these are kind of Execution environment. So the way I see them, and maybe I'm not the right person, I'm not an expert in Ethereum 2. But how I see it is that ethereum 2 will be mainly a, data availability. So you want to do a transaction, so you will publish this data in some shard somewhere, and then you will get this data and we'll include in some execution environment, rollup. If you want to call it rollup that will be managed in some chain. So it will be, this state will be updated. So it will, you will update some, some state according to this. So this is how I see that hold the scaling will work. You know, you need data availability. Jordi (00:59:29): That's why we need all the sharding and stuff. And then you need these execution environments. If you want roll ups that can execute thousands of transactions. It's like it's as thousands of transactions, but with a very small cost for the consensus environment. And there is where it also gets important. These inter - roll up communication or interlayer communications, that's all this If into their, having your (.....) you start thinking about, sometimes they mix it with these inter shars communication, but it's like for me, seeing their entire execution environment, communication and value transfer, that's why this needs to be evolved and think very much on that. But that's how I think that the space will evolve on her. Anna (01:00:14): What'd you say, like, is Circom, I'm going to kind of go back to what we talked about earlier in the episode with Circom specifically, but do you feel like circum is in the Ethereum toolkit or could it be used by many different things? It's pretty broad, right? It's not written in solidity or anything. Jordi (01:00:29): Circom for writing circuits, and you can use the circuits wherever you for anything. I shouldn't have said writing of writing. Yeah. Anna (01:00:36): Because I know it's a language, but I'm more like, it's not, it's not deeply connected to Ethereum tooling. Jordi (01:00:42): No. The only connection point is mainly that I'm a Ethereum community member. So for me, it's like for me, I'm thinking with Ethereum mind that's, that's a very weak connection. And and the other thing is that being used in other places, yeah. Circom is used in many projects and a lot of projects, maybe they end up using lip Snarks or something else, but all is a lot of developers, just Circom, just by the fact that it's introducing so many developers to the zero knowledge space. It's so important for, just for that. Okay. So that's at least for that is there is enough value in Circom just with that. And of course you can, it's much more of that. You can really build real, for example, Hermez, one of the goals of Hermez is we are using Circom for developing all these up. All the secrets are going to be writing in Circom. And there's also,usome important milestone for Circom. Anna (01:01:45): An entire rollup built on it. But like, did Loopring, not used Circom? Jordi (01:01:48): No. Loopring I think they, well, they know Circom, they start building something Ethereum, but they are losing you as far as I know, they are using LibSnarks, as far as I know, but it's at least is this part I think is not open source. So you should ask them, Anna (01:02:03): Actually, that leads me to like, who are the people building Circom and Hermez? Like, what is this how many contributors do you consider kind of part of your team? Jordi (01:02:14): Let's see, let's see Circom is have some collaborators, but it's very much myself. You know, it's a Circom and Snark.js. I would say that I'm 90% of the gold is right by myself. The other thing is, Hermez it's the full iden3.Yes. We, we frozen a little bit the identity and we focus. So we put, we are right about 20 persons,udevelopers working there. And,uwe are at this, at this moment, we are full steampreparing Hermez. We already have like a couple of,utwo proof of concepts in ethnes. And so on. We are just, you know, adapting when some changes on the writing, the factoring, some, some models. And right now we are full steam of most of the team just working on that. And that's, you know, that's exciting, but you know, right now he's like we are in launch mode, you know, just,going versing. Anna (01:03:13): So the last question I have that I didn't get to touch on, what is the proof like? Where is the proof of donation and what is that actually? Jordi (01:03:21): Well, it's like, it's a way, instead of saying proof of burn, that's sounds like really bad. It's like at the end, it's like you are actually in order to select an operator, you need to prove that you actually made the donation. Anna (01:03:35): I see. So it's like proof of stake where you stake money, but here's proof of payment. Jordi (01:03:40): It's proof of donation. It's like, you are proving that you made a donation in this case through an action, but you are a coordinator. If, actually, if you prove that you make these a specific donation, that's where the name comes from. Anna (01:03:55): So does proof of donation have, is there like any consensus principle to it or is it just a proof as in like a hash or something? Jordi (01:04:04): So Consensus in this layer 2. It's the consensus protocol. Everything happens in layer 1. Yeah. That's a, that's a thing and proof. Yes, because there is a transaction that you can prove that with that transaction, yes. Okay. Fredrik (01:04:19): Okay. So we're at time and unfortunately in time to wrap up and, and end this in some way it's been fascinating talking about what has been done by we usually end on this this question of looking forward. What are you looking forward to? And what's exciting to you at the moment Jordi (01:04:38): Right now as I told you, I'm very, very focused in launching Hermez. I hope that in the next trimester, so in the next quarter, or this will be launched, but if you go a little bit further and for me, there are a lot of interesting things that will happen. One of the things that I'm very interested on, it's something that's very excited is. For example, all these massive migrations, that means that moving then is transferring it's massive transfers between one layer, two solution to another layer, two solution. This is something that we are start talking, having started talking about and start being a debate that is, roll-ups a communications that's really important site. Of course there is a fit into the zero. That's very important, especially for the database availability side. It's going a little slow, but I am very excited because I hope that the fit into the zero will solve these that availability. Jordi (01:05:35): And these will increase a lot though, the scalability and so on, then there is all these recursive, if you know, all these recursive snarks, it's not X where you can start you know, this there is some projects that already has started working on that, that you can have privacy inside the rollup or even smart contracts inside the roll up. That's, that's very exciting. Then the resolve the identity, that's still there. We hope that at some point we can have our full compliance roll up, just linking that with all the identity that's we want to continue on that project. That's it's not so it's, we are, we are continuing there right now. We are focused on Hermez, but identity is still there right now. My goal is Hermez, but identity is a really important project for the space. Jordi (01:06:28): And we have the commitment to continue working on that. Well, yeah, you know, just all these new protocols that are appearing like every week and, and new projects, you know, super exciting projects. I don't know. Last week there was like a couple of projects that were very, very interesting and promising, Coda and Pickles. That was interesting. All these recursive Snarks, just to verify the full chain. And I think that's a very, very cool project, or there is a lot of new projects in the space that are happening and, and the ending is my goal. My goal is at this, all this happened. So that's, you're on your way then. Anna (01:07:13): Cool. Well, thank you so much for coming on the show, Jordi, finally, I can't believe it took us a long, Jordi (01:07:21): Whenever you want Anna. Let me Know. Anna (01:07:24): Cool. Thank you very much. Jordi (01:07:27): Thank you for it, Anna (01:07:29): Listeners. Thanks for listening. Thanks for listening.