TRANSCRIPTION

Peter McCormack: It doesn't bother me too much though, the Facebook coin.

Tadge Dryja: Yeah, I'm not going to touch it!

Peter McCormack: But I can see why some people would. I wouldn't use it.

Tadge Dryja: It's big enough that a lot of people can get... If it hurts a lot of people's privacy, things like that. Also, I bought a place, hour and a half outside of Boston and I sort of joke, it's like a “prepper” cabin that in case Ripple/XRP takes over, I won't be able to use money, so I have to live in a cabin in the woods! Similarly with say Facebook coin, if it takes over and that's the only money in the world, I'm not going to touch it.

Peter McCormack: Yeah, I mean, if it was the only money in the world that will be quite scary, but then we got people like you trying to give us a better money!

Tadge Dryja: You never know! Trump won! Who knows what happens?

Peter McCormack: Could he win again?

Tadge Dryja: Who knows? You just don't know!

Peter McCormack: That's why we need Bitcoin, man!

Tadge Dryja: Yeah. So hopefully Bitcoin, I don't know. Although to be honest, I rarely use Bitcoin. I have a full node and I've used it like three times in this year so far. In practice I don't use it much.

Peter McCormack: It's because you're saving it for the future?

Tadge Dryja: Yeah, I mean I use it occasionally you know, if people just pay for things and get reimbursed stuff. I always ask like, "hey, I'll use Bitcoin." But it's just still not widely used.

Peter McCormack: Yeah, I found recently... I used to use it quite regularly for invoicing and paying. I'm using it more for invoicing, less for paying now, because I don't want to have to go and stock up again because it's a pain. So I'm like, "hmm, can I pay you with PayPal, but can you pay me in Bitcoin?"

Tadge Dryja: Well Gresham's law right? You'd rather get rid of the regular money. So it's funny, I got reimbursed for a conference flight and they asked, "okay, we can pay you Ether!" I'm like, "oh no, I sorry, I can't accept Ether. I could do Bitcoin or just cheque or whatever" and they're like, "okay, Bitcoin." It was interesting that they offered Ether first!

Peter McCormack: Well maybe they want to offload it? I was watching that Neha presentation this morning from the Bitcoin Expo and she was saying, "Tadge says no to everything and says everything sucks!"

Tadge Dryja: Well, I'm very skeptical about things and in general, just because the priors, right? So many of the things we look at are wrong or scams or broken that I sort of breed prejudice, you just default. You're like, "oh, here's a Blockchain white paper" and I'm like, "yeah, it's a scam" because 99% of the time it is. But there is that 1% that's like really good and really new and interesting stuff, so you do have to still sort of read it and look at it. But yeah, I definitely am guilty of prejudging things.

Peter McCormack: Are they scams or are they just shit?

Tadge Dryja: There's a spectrum. Sometimes people believe their own stuff to be true and there was a paper last night and it was not malicious. It was saying that Bitcoin mining is not a [Inaudible 08:33:] process. Actually it's funny, Neha and I had an argument a few days ago about these processes and I was like, "this is one of these processes", she's like, "technically it's not" and she posted this and the paper was wrong.

But it was sort of like infuriating because it's this whole big paper, there's all this math, but it's like fundamentally wrong! It's like that comic, someone's wrong on the internet kind of thing. But then again, there's also things where you can't be charitable, like the Bitconnect kind of stuff, where you're like, "no, come on. This is a scam. People are knowingly and willingly doing this", Paycoin or have you ever heard of Banx? It was three years ago, you could only buy it, you could never sell it so the pricing only went up! It was so obvious, but you're going to find people who buy into it. So there's a big spectrum of honest attempts that maybe people buy into their own ideas and think that's going to change the world and then it doesn't versus just outright fraudulent stuff.

Peter McCormack: So what gets in the 1%?

Tadge Dryja: Oh, there's a lot of fun stuff recently. I think a really good example is Taproot. I'm sure you've talked to Andrew Poelstra?

Peter McCormack: Yeah, I was with him in New York a few weeks ago, we covered Taproot.

Tadge Dryja: So the taproot equation, it's like one line, I think it was posted two years ago or early 2017 I believe. I don't remember exactly when, but for people who are familiar with the elliptic curve stuff and this cryptography, you look that one line, you're like, "oh yeah! Why didn't we think of that? It's so clear and you can do so many things with this!" It's just obviously right, just no one had thought of it. So things like that, where you don't even need... There's no paper about Taproot. It's just like, "hey, one line, cool."

Then other things that people are working on, the mini sketch, the set reconciliation stuff that Pieter Wuille and other people are working on, that is something that I don't quite understand, you look at it and are like, "I could try to understand this math and maybe get it, but it would take me a long time!" But it's trust. I'm like, "okay, I know these people. I think it works. I'm not going to spend the week to figure out the coding theory and stuff to understand that it works."

Peter McCormack: But this is all stuff in Bitcoin, is there anything that's in the 1% that's outside Bitcoin?

Tadge Dryja: Maybe more controversial, but I think Zcash. It's weird with the Founders Award and some things like that, transparency, yeah, maybe it's weird, but fundamentally they're trying to do research and it's legit research on how to get better privacy for things like Bitcoin. Maybe some of the research there could be applied to Bitcoin. So Monero, things like that, some of the privacy coins like Mimblewimble coins like Grin, where yeah, you could say it's an altcoin and a lot of people don't really like altcoins, sure.

But there's interesting research going there and it could benefit everyone. Even maybe to some extent some of the Ethereum stuff. I pay attention to Ethereum. I know a lot of people who work on Bitcoin are like, "oh, it's junk" and I disagree with a lot of the decisions that Ethereum makes, but I think it's a good idea to look at what happens, because of those decisions. So to some extent, scalability is the big thing in Bitcoin and all these systems.

If it were the case in like Bitcoin Cash, that they actually had a lot more users, then it would be an interesting case to look at. Okay, what happens when you do have really large blocks and you are cranking up the system and is it as bad as we were thinking? People worry, "oh if you just have unlimited block size, you're going to have all these problems in Bitcoin." But we've never tested that and Bitcoin Cash doesn't test that, because even though they have larger block limits, in practice there's much less traffic on the network.

Peter McCormack: BitcoinSV tests it; they've got Gigamegs!

Tadge Dryja: Yeah, but it's hard because it's all sort of generated via script. So yeah, I remember when SegWit was testing, I made consistent 3.7 megabyte blocks on Bitcoin testnet for days, but it wasn't real! It was a script. Whereas in Ethereum, they do have a lot harder scalability constraints than Bitcoin does and a big part of it is the design of the system, where everything can call into everything else, so there's a lot more interconnectivity.

So you can't really run it on a computer with a hard drive, not really, you can't run it at all. Even with an SSD, the resource requirements are higher and so we see problems in Ethereum that people may have worried about in Bitcoin, but we haven't seen yet. So I think it's a good idea to look at all these things. Ethereum still runs, it still works, but it's very hard to run a full node and how does that affect the network?

Peter McCormack: Therefore is it really decentralized?

Tadge Dryja: Well, yeah. To what extent that matters... So that is the argument and some people, like Luke Dashjr say it should be 300 kilobytes and they need to run it on Raspberry Pi's and stuff. I don't necessarily think that that's... I think most Bitcoin programmers don't really agree with Luke.

He's sort of on the extreme edge. Then there's other people say, "yeah, unlimited is fine, we'll figure it out." But a lot of it's sort of religious almost and there's not a lot of data. So I do think it makes sense to look at these other systems and the choices they made. What other systems have good new research? I don't know. There are some!

Peter McCormack: I mean I guess there's also benefits with these forks, again I was watching the Neha's presentation about catastrophic attacks and you have different developers finding problems in different places. I can't remember the name of... Amaurey, who found the Bitcoin inflation bug?

Tadge Dryja: Yeah, I don't remember exactly. I think he thought it was a denial of service and then reported it and then there was a little bit trickier way to make it into an inflation bug and they tried to not report that part and fix the whole thing, but then it got out.

Peter McCormack: But there is that kind of a relationship between competing coins, that if you find something, there's a process of disclosing it to each other. So I guess you get that as well.

Tadge Dryja: Yes, and that's the tricky part. You've got to sort of draw a line where, "okay, we'll report vulnerabilities to these coins, but not these other coins, because other coins are not trustworthy and they're so small. If we report it to all of them, there's hundreds of them, that's basically making it public." So it's tricky.

Peter McCormack: Right, because if you let them know, they might try and attack other coins rather than deal with it?

Tadge Dryja: Yeah or there's all these tiny little coins like, "what is this? Who is this?" It's anonymous. You could report, but it's hard to know.

Peter McCormack: It's complicated! Well listen, our first interview got some mixed feedback, but mostly good. Everyone really enjoyed it and I think people were glad to hear from you. They were definitely intrigued that you've moved away from Lightning, you're working on something new, and then you were telling me about Utreexo. You've got the paper out?

Tadge Dryja: Yep, that was a week and a half ago, so fairly recently. It's an okay paper!

Peter McCormack: I read it. I mean, I say I've read it, I've read the abstract, I've read the first two or three pages and then when you start getting into the heavy math and tech I was like, "huh, okay!"

Tadge Dryja: Well the math at the last section is a bit hand wavy and I would like to sort of firm that up and it's interesting ideas, but I sort of have no proofs or anything at the end.

Peter McCormack: I was just like, "oh well, if I'm going to talk to you, I can let you explain it then, before I read it to myself!" But I mean how does it take to write a paper like that?

Tadge Dryja: So the process with this, let's see, the general idea of like, "hey, let's not keep the whole UTXO set" is a fairly old one. But this specific case with Utreexo, I remember at Financial Crypto last year talking to Pieter Wuille, Sipa and a couple of other people. They had been working on ideas for how to use accumulators for a little while. Corey Fields also had asked about accumulators. He lives here now, moved a few weeks ago, which was cool. But he was remote for a while and we'd meet, he'd come every few months and he'd ask me about like, "hey, so this identity based encryption" and I'm like, "oh yeah, no, it's garbage. Wait, why are you reading those papers?"

He's like, "but there's so many papers and so much math!" I'm like, "yeah, but it's not useful" which is sort of a silly thing to say. There are useful mathematical constructs, but if you've ever looked at identity based encryption, the fundamental premise is sort of like, "wait, that's silly, you can't use that!" But it leads to really cool math and so there's a lot of academic papers about it, which then have led to useful things. But the sort of starting point was not... It was related to accumulators.

So at Financial Crypto, Pieter Wuille was saying, "the problem with all these accumulators is you're going to need a bridge node, that whenever you start this system you're transforming from, we keep track of all the different coins too, we don't know what the coins are and people give proofs." That does seem like a better system, because it puts the cost of maintaining all this data, onto the people who have all the coins. So if you're an exchange and you have a million UTXOs, well that million UTXOs is on my hard drive and someone else's hard drive, everyone's hard drive who's running a full node and that seems like an externality.

It seems like, okay, someone who's polluting the network, that cost is borne by everyone. Whereas in a model with an accumulator, now that person who's got the million UTXOs now needs to keep and manage the million proofs and everyone else has to just verify the proofs when the transactions happen. So that seems nicer. But Pieter was saying, "the problem is you need a bridge node. You need a node that can stick a proof onto any transaction, that basically has all the proofs", which is worse even than the current storing the whole UTXO set. In all the constructions he was looking at, it was impractical.

Not impossible, but basically impossible where you're saying, "okay, there's 60 million UTXOs right now, but that could go way up. That could be 100 million, 500 million and all of them are going to need to be updated every time a block comes in." So potentially, that's hundreds of millions of updates in every block and it can be even worse, if every transaction updates them. So you're going to have like 50 million times 5,000, which is a huge number of operations! So that sort of felt like a dead end or like a brick wall.

Then what actually happened was last summer I was working on discrete law contracts stuff and they had sort of said, "Tadge, we need to write a new paper!" They're like, "we're at MIT, we need papers. New paper, what do we write about?" It's like, okay, white boarding! I think she suggested, "what about decentralized exchanges?" I'm like, "ah, I don't know. I'm not into that" and I said, "well, what about these accumulators? There's a bunch of ideas, but it didn't seem to quite be possible, but I bet there's a way."

It went through many iterations of sparse Merkel trees, not so sparse Merkle trees, prefixed trees, all these different ideas. I ended up with a Merkle tree design that's not that far from regular old Merkle trees and it was influenced a lot by Sophia Nacubo, I'm probably pronouncing her name wrong, but she's at Boston University now, and actually even Hellmann suggested, he was like, "hey, you need to talk to Sophia.

She does really good work on accumulators." So I just met her, this was last fall and she explained her paper a bit and I was like, "oh, this is interesting." So it builds a lot off of that design, but there is a change to it and it's basically a Merkle tree based accumulator, where you can add and remove.

Peter McCormack: Is that pretty much all you've been working on since last fall or are you working on a variety of things at the same time?

Tadge Dryja: So there's a bunch of students that I work with. There's always like meetings and events and talks and things like that. But the main research focus has been that, since early this year.

Peter McCormack: Okay and how much of the time is spent writing? How much of the time is spent thinking? How much is spent coding? How do you balance this all?

Tadge Dryja: So sometimes it's just like, the thinking you have, piles of papers. The thinking part is kind of fun because you can feel smart, as you're making new things! The thing that really helped, was I wrote a program to make print outs of binary trees and that saves so much time! I was spending so much time drawing little Merkle trees on paper and I'm like, "no, write a program to print them and now I can just draw arrows between the things!" So some of it's pencil and paper, coming up with ideas and those are fun, because then you're like, "oh wait, this works!" Then you run and try to code it.

But a lot of it was coding and a lot of it was dead ends in coding, where I was like, wait, "oh no, this runs out of memory!" Then writing the paper was also quite a while and I didn't like writing the paper. I don't like making the diagrams and getting it all... I was like, "why can't I just explain it to people?" So that part was somewhat frustrating and like trying to get it to be paper, because it's never good enough. Whereas with code you're like, "ah, this is right!"

But even then it's like, "ah, this is optimal." I got it to work the best way and this is the best algorithm or this is really working well. Whereas the paper, it's a lot more diffuse and hopefully people understand it. Hopefully it's written well, but like it's not that great.

Peter McCormack: Were other people helping you? Someone like Andrew Polestra, was he helping or Pieter Wuille? Do you have people to call on for help with this or is it just pretty much a lone project?

Tadge Dryja: A little bit. This one was weird. It just became a lone thing because it was like, "okay, I'm just going to finish this" and like I talked to Corey a little bit, but it was sort of like, "well at this point, it's so much my work, that I should just finish it myself, I guess. " It was a little weird, because I sort of was like, "well maybe I should try to get a bunch of other people involved and make it..." But it was a little bit greedy, I was like, "well it's been mostly me so far. So if I'm just the only author, then I'm going to get more credit."

I don't know! But at this point now it's like, "okay, I do want to work with other people." James O'Beirne at Chaincode Labs I was talking too two weeks ago and he's working on something called assumeutxo in Bitcoin and I was sort of like, "wait, wait, wait! Utreexo can sort of fit in here!" So that might be the first place it starts to get into Bitcoin core and there's a lot of discussion where...

I eventually do want to get this Utreexo into Bitcoin core and it becomes just a option or maybe even a default in how Bitcoin works. Probably not a default, but that's a whole big process and there's a lot of software still to right there.

Peter McCormack: What's the feedback been from the team core?

Tadge Dryja: So there's a range. Some people don't think it's good idea or think, "okay, but this is not really practical" or "this isn't solving the problem that we have" and I think to some extent, like I mentioned it to Greg Maxwell on IRC and he's like, "ah, but the problem is bandwidth." So if you think that the problem with Bitcoin scalability now is you have to download too much and there's too much network traffic, then yeah, Utreexo doesn't help at all, it makes it worse.

Whereas Pieter Wuille, I think he was more enthusiastic and some other people were like, "oh this is really good", because if you think the bottleneck is hard drive space or if you need an SSD or you need a lot of hard drive space and it's very slow on hard drives, then this helps a lot. So, depending on what your bottleneck is... And it depends on your computer. So I was joking in Amsterdam that if you have a nice, new laptop and you're trying to sync Bitcoin on the airplane, Utreexo is absolutely the wrong solution.

It's sort of a joke, but you could be in a situation where you've got good computers and really crummy network access and this helps not at all, don't use it. Versus, the other extreme would be like a network router or something, where you've got plenty of bandwidth, you're plugged right into the Internet, but you've got very low resources in terms of memory and storage and stuff like that. So this would be great for that. It's nice in that it's optional. It's not even a soft fork. I don't think anyone's been like, "no, this is a bad idea, don't do it!"

The only less positive feedback has been, "I don't think this is really solving the problem we need to solve. So, okay, you can do it. I guess it's nice to have as an option, but this doesn't seem to be the critical path" versus other people who say, "no, this is what is stopping a lot of people from running full nodes."

Peter McCormack: Okay, so let's break it down. I'm not sure if you remember, but most of the people who I think listen to my podcast, aren't the most technical and won't understand everything, so we'll go into the detail. Firstly this is about optimizing nodes and hopefully more people will run nodes because you identified a lower proportion of people... So we've got an increasing amount of people running nodes, but it's a reducing percentage of those adopting Bitcoins?

Tadge Dryja: It's hard to measure. It's really noisy data. So you've got this sort of... There's 6,000 or 7,000 which is the publicly accessible Bitcoin nodes. But then there's also, I think Luke Dashjr says, "oh, I listen in and I say there's 10 times that many" but it's really hard to know and there's so many fake nodes and it's not a number you can really get a good handle on.

Peter McCormack: Luke was saying to me that he thinks we need to target having 80% of people with Bitcoin having a full node.

Tadge Dryja: Again, it's like more seems better. But where do you get the number 80%? I don't know, maybe 70%?

Peter McCormack: Well, I don't think you'd get that many people there anyway. I just don't think that many people are going to do it.

Tadge Dryja: Oh it's hard. So I have a full node, sure. But I work on this stuff. But it also depends who owns Bitcoin. So my dad has Bitcoin, but really it's just, I have them and he trusts me! I have said, "hey, you should..." And he said, "yeah, maybe once I retire, I'll try to figure this Bitcoin stuff out and I'll run my own full node. But for now, I don't know this stuff and you just take care of it for me." So there's a lot of things like that where it's scary, it's imposing.

Even at the DCI, there's people who are not programmers, but we always work on Bitcoin and there's co-workers who don't have full nodes and they've said, "yeah, I should run one. But like, I don't know man, it looks like a lot of work. It's scary. There's a lot of space!" We need to get rid of this idea that it's a really hard thing to do, because I don't think in practice, I'm probably not the best person to ask, but I think it's not as hard as people think.

Especially with pruning, even today it's, 5,10 gigabytes of storage, which isn't that bad and people have the idea, "oh it's 250 gigabytes!" The thing is, by default it is and so that's a discussion with a lot of the core developers, "hey, should default be to prune, because it's not a security problem to do so?" But there's a bunch of issues there. So maybe someday it'll be default pruned.

Peter McCormack: So do you have a choice of having downloaded the entire set or the pruned set?

Tadge Dryja: So download, no. So either way you have to download the whole thing currently with the current software, but you don't have to keep it all. So you could download 250 gigabytes but only keep 10 of them.

Peter McCormack: But does it automatically choose that for you?

Tadge Dryja: No, by default if you just download Bitcoin core, it'll keep everything.

Peter McCormack: How do you know what to get rid of then?

Tadge Dryja: Well, so you go into settings and you say, "I want to prune and only keep the last five gigabytes or something" and then the software does it for you. That's been there for years.

Peter McCormack: Why can you do that? Why do you not need the old say 230 gigabytes?

Tadge Dryja: So there's two fundamental aspects. There's the Blockchain, which is the history of everything that's happened and then a bit less known is the UTXO set, the set of who owns what. So if I paid someone five years ago, that transaction isn't actually relevant to today. All those coins are gone, everything is moved. So there is a set of who owns what and then there's a set of all the transactions that ever happened.

The way you get to who owns what, is by replaying everything that's ever happened. So the everything that ever happened is 250 gigs or so and that's the big Blockchain and that's hard. But the set of who owns what, is a lot smaller, it's about four gigabytes. There's about 60/70 million, it keeps changing, total unspent outputs, sort of total Bitcoins that can be spent, not individually Bitcoins, but individual outputs.

So the whole point of downloading the Blockchain is to get to that set and you can throw the history away once you've done so, because the only real reason to keep the history is to give it to other people. So if other people say, "hey, I downloaded Bitcoin, can you tell me the history?" You can serve it to them, but you don't need everyone to be able to do that, I guess.

Peter McCormack: Okay. What do you make of Neutrino?

Tadge Dryja: Neutrino is basically SPV. It's an improvement to the previous way of doing SPV.

Peter McCormack: I mean, I don't fully understand it, but SPV does have privacy problems, right?

Tadge Dryja: SPV has got a bunch of different problems. So the idea of a full node is you download the whole history, you can throw away the history once you've verified it, but you've checked everything. Then the idea of SPV is, "well, I'm not going to keep a UTXO set. I fundamentally don't have a set of who owns what." But what I do have is I can trust the miners to some extent and say, "well, this transaction got mined 10 blocks ago. The whole network seems to be going along with it. It's probably fine."

And in most cases that works, because if most people are running full nodes and checking, then the miners will quickly turn away from a invalid block and start building valid ones. So SPV does have that sort of, a little bit of a trust, well not a little bit, it's a significant trust assumption that the miners are mining correct blocks and that other people are validating it for you, so you don't have to validate it, which in practice works. In practice there currently are, but it is sort of risky and it feels scary because you're giving them a lot of power.

So that's one sort of security aspect and then the privacy aspect is, because you don't want to download everything and this is somewhat orthogonal, because you don't want to download everything, you have to somehow download the right thing and the things that concern you. So the simplest way to do that is to say, here are all my addresses, tell me if I gained or lost any money, but that here all my addresses part is, "I just lost all my privacy. I just linked all my addresses. I told some random person on the internet, all of my addresses!"

And the the initial way... So if you have a website, like if you're using a Block Explorer and you just paste in your address, say, "hey, do I have any money?" Well now they know your address or if you paste in all of your addresses, now they know all of them and they've linked that to your IP address, so that's privacy wise, not very good. The older way, which is that we used the bloom filters and that's from 2012 or 2013, I forget and that initially was thought to maybe have ok privacy properties.

There was still some sort of, "I don't know about this" kind of things at the time and it turned out to have very poor privacy, where you make this bloom filter, which is sort of a hash, as you swish together all your addresses and send that. The problem is the receiving end, those nodes could pretty easily figure out what your addresses were from that bloom filter and it ended up being very close to, "here's all my addresses, tell me about my transactions." Neutrino flips that a bit and instead of saying, "here's all my addresses, tell me about the transactions in this block that relate to me", not the miners, but the nodes that do have the whole block, create essentially a bloom filter, not exactly the same, but create a compact representation of the block and then you can download that.

Then you can check yourself if anything in this block looks interesting to you and sometimes you get a false positive. So sometimes you download this few kilobyte thing and say, "oh, is there anything in this block that is paying me? Because I want to know if I got money" and, "oh, it looks like there is." You download the whole block, which is megabytes something and then you see, "oh no, nothing in there actually relates to me." So there is a false positive, but that's okay, occasionally false positives.

But in most cases, you see a hit and you download the block and you're like, "oh, here's where I got some money or my money got spent." So that helps the privacy a lot, because now all the nodes see is you're occasionally downloading blocks and it's real hard for them to say, "well, he's probably got something in this block and something in that block, but they're so big that you don't really know." So it makes it less efficient in terms of download, but you gain a big privacy gain there.

So it's definitely better, but there it's still SPV. So it's sort of a help, but you're still using this SPV thing, you're still trusting the miners, you're not validating yourself. So I think Neutrino is sort of making SPV better and more secure and then Utreexo is coming from the other direction saying, "okay let's make full nodes easier to run." So running a Neutrino based SPV node, it's still lower cost and easier than running Utreexo, but we're trying to sort of come come at it from both angles I guess.

Peter McCormack: Well I guess Neutrino feels like it solves a lot of problems more from mobile devices anyway?

Tadge Dryja: Yeah, it's easier to run. You can definitely run one on a phone. The goal for something like Utreexo is, "hey, can we get it, so that you can reasonably run full nodes on a phone." That'd be really cool. We're not quite there yet, but I bet we can get there.

Peter McCormack: All right, so Utreexo. They're going to people who listen to this who might not even understand this. They might not even understand how UTXOs work themselves and how they generate.

Tadge Dryja: Yeah, they're kind of weird!

Peter McCormack: They are, but they are kind of interesting. I was looking at them recently because I was trying to track the 82.15 Bitcoin that Satoshi sent to Mike Hearn and then went back and that was one of my first times to really start looking at UTXOs and I obviously got taken back to a coinbase.

Tadge Dryja: So one of the problems is the block explorers are kind of wrong. For years they have showed addresses as where Bitcoins live and it's sort of like Bitcoin's live at addresses, is sort of what people think and what the block explorers show. So if you click on an address, it says this address has a balance and Bitcoins have come in and Bitcoins have gone out. When you see a transaction, it shows, okay from address 1350... to address 7032... but that's not how it works.

Peter McCormack: Great, so this is another day where I learn something new!

Tadge Dryja: So Bitcoins don't live at addresses. Bitcoins live at UTXOs, which are transaction outputs, which have addresses. So it lives in this box and you can slap an address on it, but the address is a property of this box. It's not that it lives in an address and has this UTXO associated with it. So you can slap the same address on a hundred different boxes. So you can have coins getting sent to a thousand different UTXOs, which all have the same address, but they are different UTXOs and you can pick which one you want to spend.

From the software's point of view, the fact that they have the same address, you never even see that. They live in these little UTXOs and that's where they live. So when you're spending, you specify these specific UTXOs that you're spending and the fact that it's this address or that address or no address, you can have UTXOs that live and there's no address at all or it's some weird non-standard thing or things like that.

So really when the block explorer says "money comes from here", it shouldn't show an address, it should show a transaction ID and the index within the transaction ID. Some explorers do show that. Sometimes it's like a little arrow, like they show both, things like that. But from the way the software works, you're spending an output.

Peter McCormack: I think for a user though, it's like a UX thing, having it in an address, it feels like the right thing.

Tadge Dryja: It feels like it's easier to understand because it's closer to what we think about with bank account balances and stuff. But it isn't how Bitcoin works and there are important differences. So Ethereum on the other end, has balances and so an address in Ethereum is where the Ether lives. So when you send, you send to this address and that's where it stays.

Then when you spend, you spend from an address and it comes out of there in decrements, but it's not in Bitcoin and that can burn people, like with paper wallets. You think, "oh there's money on this address, I'll spend some of it." No, you have to spend all of it! So people have gotten burned where if you don't spend the whole UTXO, you're like, "okay, here's 10 coins, I'll spend two of them." The 8 go to the miners, their gone. You have to spend the entire...

Peter McCormack: Oh is that what happens when you see somebody has paid a huge fee to a miner?

Tadge Dryja: Hopefully not. That's very common, but that is one of the mistakes people make, is when you're spending this... So you send to these boxes, the UTXOs, the UTXO has an address on it and an amount on it. But you can only spend the whole thing, you can't take a little bit out of the UTXO. The only thing you can do is spend all of it. So that's why in Bitcoin, you have these change addresses where you're like, "okay, I have 5 coins. I'm going to spend 2 and the remaining 3, I'll put in a new box and put my own address on that."

Peter McCormack: So if I was using something like a Trezor or a Ledger, they do that automatically for me?

Tadge Dryja: Generally yeah. Most wallets will do that automatically and also make new addresses each time. So the idea is you're making a new UTXO, you're making a new box, there's no way around that. You might as well slap a new address on it, because the addresses are free, you can make a new key. There's also BIP32, there's ways to make sort of deterministic series of keys, where you only have to keep one private key, but you can have lots of public keys and that helps privacy a bit.

So yeah, the address, it's a little counterintuitive and Satoshi certainly could have made it an account based model, the way Ethereum, that does works. But...I've been working on this now for a year. I think it's a better model because you can do stuff like Utreexo. It really lends itself towards accumulators, much more so than the account based model used in some other coins.

Peter McCormack: So what itself is an accumulator?

Tadge Dryja: Okay, so an accumulator is a set, so if you notice, a set is like a bunch of things, where you can add things to it and in this case, you can remove things from it, but it doesn't get bigger. So imagine a box where you can throw things into it, but it's sort of a bottomless box and then people can prove that you threw something into it. So you're not able to sort through it yourself. So I've got a bunch of pictures, let's say pictures from weddings, pictures from vacations. I throw them all into this box, but it's unlimited in size and then I can't get my pictures back out.

So I can't remember a wedding or what was he wearing? I can't remember. However, if someone proves to me a picture, I will be able to verify that proof. So it's sort of like, I don't remember what he was wearing, but if you show me this picture, I'll be like, "oh yeah, that was that wedding and you haven't altered this picture. He was wearing a blue suit, not a grey suit." So it's a little weird in that, to some extent, a hash can be thought of as an... This is a bit of a stretch, but if you have the hash of a file, you don't remember the whole file, the hash is very small.

But if someone presents that original file to you, you'll be like, "yep, that's it. That was the file I stored and nothing has been altered." So if you have hash functions, those in some ways, do the same thing as an accumulator. But an accumulator does many discrete objects can be sort of squished together into one accumulator and while you don't remember all of them, when someone gives you a proof, you're like, "yep, that was in there."

Peter McCormack: Okay, so are there any risks with Utreexo?

Tadge Dryja: A little bit in that it's not too bad, but you are relying on a bridge node. So what that means is, when you're saying, "hey, I need these proofs", the software right now has no idea what Utreexo is, it doesn't do these proofs, no wallets deal with that. So you're going to need some nodes on the network to generate these proofs for you and if all those nodes go away, you're stuck and you can't continue on with the network.

You don't lose your private keys and no one can deceive you, but your software stops working and you're going to have to go download the regular software and say, "oh, well we tried Utreexo and that sort of stopped working, no one liked it and now I've got to download regular Bitcoin and sync up and it's going to take me a day or two." So that's certainly inconvenient and that's certainly a denial of service vector, if you get rid of all the bridge nodes, the people using Utreexo will halt. That can be very dangerous if you're a miner.

If you're a miner running Utreexo and someone manages to sort of push you off the network, well, now you can't mine anymore. So those are dangers. I don't think they're too bad. I think the whole idea of running a bridge node shouldn't be too hard. It's like 8 or 10 gigabytes, you can run it on a laptop. If you have a bunch of them, probably you are going to be okay. But that is a risk that it can sort of hit a wall and hit a dead end if those people stop using it.

Peter McCormack: Right, so a bunch of people would have to be incentivized to run a bridge node as well, as we have people running full nodes?

Tadge Dryja: Yeah, so I'm not super enthusiastic about trying to make it like, "oh you could pay the bridge nodes." It's sort of like running an archive node right now. So running a full node, I think the incentive is, "I want to verify my payments. I don't want to trust anyone. I want to know that I'm getting Bitcoin." Running an archive node is less clear. You're storing hundreds of gigabytes, you're spewing out lots of data. So at work at MIT, I have a full node and it's like 3 terabytes a month of outgoing data, serving data to all the people who want to download Bitcoin.

I don't pay for it and MIT has good internet, so sure, but that is somewhat costly and right now there's no incentive to do it. But there's still a lot of people that do, because the cost isn't too high and it helps the network. So I think bridge nodes is going to be similar in that, it's not that hard to run, you can run it on your laptop. It is going to take some more space. It's going to take some more network traffic, but similar to running an archive node now. So I think it's okay and then going forward, you may be able to split this up.

So right now if you're running an archive node, it's kind of all or nothing. We should be able to make it split up, so you take small portions of the Blockchain and you can serve those. So there's ideas of how to do that. Similarly with bridge nodes, you can sort of chop it up, so you can run a partial bridge node. So eventually we'll probably have to program that.

Peter McCormack: Okay, so what's the next step to this now? Do you essentially have to lobby people?

Tadge Dryja: So that's sort of the debate. It's more programming. So if you present something, "hey, here's the progress, everything works. It's all tested, it's amazing!" Then that's sort of the lobbying done for you and they're like, "oh cool." But we're not there. So the current software is more of a proof of concept, sort of to get the performance numbers.

There's no real networking code yet and so start to write that and then try to sort of incrementally get some of these ideas into Bitcoin Core. I hope it's not just me. So working with maybe James, maybe Digital Garage, they said they're interested, so I might work with the team there, so to work with other people to get this code working and maybe get into Bitcoin Core.

Peter McCormack: How'd you split the work up then? How do you decide? I'm not a coder, so I don't understand how this is constructed.

Tadge Dryja: Well, so the sort of cryptographic accumulator, that's mostly working, that's not going to change. But then there's also messages between nodes to say, "hey, I need a proof." "Okay, here's the proof" and though the networking code, some people are really good at that. I have done that. I'm not as comfortable and I don't really like it as much.

I do like the cryptographic stuff more, but some people are like, "no, I like networking stuff" and so maybe they can work on the messages between nodes, to sync up the proofs and stuff like that. There's also how it hooks into Bitcoin Core, which I'm not as familiar with. The Bitcoin Core code base is kind of huge now and I look at it, but there's people who are much more familiar than I am and how it's going to sort of hook in.

Peter McCormack: So you can compartmentalize bits?

Tadge Dryja: A bit, yeah.

Peter McCormack: So how long is it going to take, to get this all coded up do you think? Is it months, is it years?

Tadge Dryja: I think getting a demonstration on test net, yeah I think you can have that this year. Getting it actually into Bitcoin Core, I don't think that'll happen this year. Bitcoin Core is very conservative and it's hard to get stuff into it.

Peter McCormack: Yeah and sensibly so.

Tadge Dryja: Sure!

Peter McCormack: But at the same time, is it a case of, does it have to be approved by people? Just to be able to say, "yeah, we agree with this, we like the code? Or can it just be a case of, "no, this won't become part of core."

Tadge Dryja: So it's not a fork. So if it's like a software changes like SegWit or it's Taproot, things like that, you really need to get everyone's approval. If it's the case that a bunch of people in Bitcoin Core said, "sorry man, it's too experimental. We think it's cool idea, but it's just too scary. We're not going to put this in core anytime soon." Then you can run a separate client. You could say, "okay, we're going to make a separate wallet", that's something like Electrum or something like its own wallet, that talks to the Utreexo network and you can do that.

I don't think that's the best idea. That's possible and I think that could be really interesting and I might do something like that sort of to test, but doing that all and making a whole wallet and making it all work and to have the assurance level that Bitcoin Core does, that's a lot of work and I think it's probably less work to just get it into Core.

But then again, like a test net version... So I do think I'm going to sort of make a test net version that just works without getting into Core and the nice part is you don't have to get approval. So if it's not going to get into Core, people can still use it. If the people who work on Electrum say, "yeah, we like this idea, we're going to put it into Electrum", you can do that or other types of wallets can start using it. So it doesn't have to get into Core.

Peter McCormack: How long have you been working on Bitcoin?

Tadge Dryja: It depends when you start consider working. So I learned about it in 2011 and then was reading about it all the time in 2012 and starting programming. But nothing that ever got in, got used, until I started working on 2013, 2014 I guess.

Peter McCormack: Okay. So you've been there pretty much since the start, like eight years.

Tadge Dryja: Yeah, it's a long time now!

Peter McCormack: What do you make of it all now? I've come a lot later, I'm not a coder, I have never been involved in any coding, I'm more of an observer and a person who goes and ask questions. But you've been there pretty much from the start and seeing what it's become, this kind of global phenomenon. What do you make of it all?

Tadge Dryja: It's not what I expected to happen, but I didn't know what I expected to happen, but it's pretty wacky. There's been a lot of like, "how is this a thing?" You're at some weird meeting in Hong Kong and there's all these miners and like weird... It's very Sci-Fi, which I think is good motivation to keep working on it, because it's so wacky and like science fiction. It's also sometimes very frustrating. So you see ICOs and all these people getting rich and you're like, "ahhh", it can be frustrating because I didn't buy a bazillion Bitcoins.

I should have, could have and so sometimes it's a little weird that... It can be frustrating that, not so much in Bitcoin, but there's all these other things where people make a ton of money and people rip each other off and it's like, "yeah, Bitcoin enabled all this." You wouldn't have had people losing all their money on these sketchy ICOs, if it weren't for Bitcoin to start this whole thing off.

Peter McCormack: No, but scammers are scammers and they tend to move from one scam to another, so I think some people would just be scammed with something else.

Tadge Dryja: Sure and from the beginning, Bitcoin has had a cast of characters. Mybitcoin.com was the first sort of web wallet and the name was very appropriate. It was mybitcoin, it was that person's Bitcoin. They just took all of the Bitcoins!

Peter McCormack: I don't know that story!

Tadge Dryja: Oh this is in 2011. So in 2011 you could download a full node, but there wasn't Electrum, there were no full nodes, there wasn't Blockchain.info, there wasn't anything.

Peter McCormack: So someone created it and just stole them all?

Tadge Dryja: Yeah, at mybitcoin.com and it was hosted, it was custodial, all the private keys were on the website. You just sort of log in and then one day they just took it all!

Peter McCormack: How many did they get away with?

Tadge Dryja: I don't remember, but thousands I believe, which wasn't that much then.

Peter McCormack: But if they Hodled?

Tadge Dryja: Sure! So there were things like that from the beginning, lots of crazy stuff from the beginning and Bitcointalk.org was sort of Mos Eisley, hive of scum and villainy for a while. I assume it still is, I don't look at it anymore because the signal to noise ratio has died a bit. That is something I worry about, is that we had this meeting in Amsterdam and it's all the core developers and people working on Bitcoin and Lightning and it's invite only, which makes sense.

You can't just let anyone come, because there's all these crazy people that'll show up and you'll never get anything done. But it is sort of a secret meeting and you're like, "oh we don't want it to be a secret meeting. It shouldn't be this closed thing." But how do you do that? How do you get openness, but keep crazy people and signal and noise and stuff like that.

Peter McCormack: Can you just video it?

Tadge Dryja: So there are open discussions as well. I think most of the stuff, like Brian Bishop wrote everything that everyone said there!

Peter McCormack: He is amazing, the way he does that it! How many people were there?

Tadge Dryja: Maybe 30?

Peter McCormack: Lucky no one took that room down, because that would be all the key Bitcoin people gone.

Tadge Dryja: I guess. It's weird, like sometimes you worry about security. So I don't think this one, but like other ones have had like security guards and stuff and I'm like, "do we really need that?" Because it's weird working on it, I don't think it's important, I don't think anyone cares about this. But at the same time it's like there's hundreds of billions of Dollars on this and like people are given death threats and crazy stuff. I've never been exposed to that, which I'm thankful for. I generally keep fairly low profile.

I don't like people. People don't think I work. So sometimes I've had to be like, I try not to be a jerk about it, but I'm like, "no, I wrote the Lightning network paper with Joseph", but sometimes people are like, "no, you didn't. You don't know what you're talking about." I'm like, "no, come on. I've been working on this!" Because people don't know me and that's generally good. There's no point in being famous about it, but it's weird because there is this sort of a disconnect where we're working on something that is worth a ton of money and people think is very important, but the people working on it, aren't exposed to that at all.

Most of the people who... The thing like Amsterdam, we're working on the new software, making Bitcoin, there's no profit in it. If you make Utreexo, you're not going to make a lot of money. If you make Lightning network, maybe the companies will spring up from it, cool. But the fundamental research, there's no connection to profit and I think that's how it should be. If Utreexo were patented and now anyone who wants to use it, has to pay me $5, well people won't use it. People will be like, "oh shoot, that sucks. That was a good idea and now we're not going to use it."

Peter McCormack: It was the same with zero knowledge proofs, wasn't it? With the Schnorr part? They're only just getting that now?

Tadge Dryja: Yep, a lot of people, patent stuff and it's just a load of toxic waste. You're like, "oh well I'm not going to even learn about that, because I can't use it."

Peter McCormack: Well Craig Wright came out, I think yesterday and he said he's going to be suing Facebook because they are infringing on his Blockchain patterns!

Tadge Dryja: That's okay, they can have fun fighting each other! But yeah, patents... General intellectual property can make sense. But I do think that software patents and especially like mathematical algorithm patents, it just goes too far, because you're really discovering things, not developing. I don't know.

Peter McCormack: Yeah, you're right because you shouldn't be able to patent math!

Tadge Dryja: I agree. In some cases patents... The goal was "hey, we want to have people innovate and share their ideas so they can have like a limited monopoly on this idea and then then it goes to the world and it's well documented." But I just think in mathematics and cryptography, it really doesn't apply.

Peter McCormack: I really like that, what you said there though, that you're not inventing things, you're discovering things, because it already exists.

Tadge Dryja: Schnorr signatures I feel like, because cause I remember with discrete law contracts, a paper I wrote two years ago, I sort of came up with a wacky signature scheme, ran it by people and they were like, "wait, is this really a new signature scheme?" Oh wait, this is just a Schnorr signature scheme that I sort of rediscovered, because the equation's very simple. It's like the simplest, most optimal way to make a discrete log based signature and yeah, but it was patented. It's not anymore!

The patent expired and that's why we sort of joke like, "should we call it Schnorr signatures?" This guy Schnorr had it patented and that's why we're stuck with ECDSA and that's why it exists, because it was patented, so people kept tweaking the algorithm and making it worse, until the lawyer said, "yeah, this doesn't infringe." But now he gets credit and that's another sort of weird thing. I'm going to call it Utreexo and I'm going to call things Lightning network.

I'm going to make cheesy names for things, because you can sort of see when they make a paper and they don't name it at all, that they're like trying to gun for like, "hey call it a Dryja signature!" That's not as bad if you try to get your name stuck on stuff, like okay fine. I don't think that's hostile the way that patents are, but still, I don't know, it's a little weird.

Peter McCormack: Yeah, I just love that thought. I've interviewed Andrew Poelstra twice now and both times it's been fascinating, hearing him talk about math and Schnorr signatures. I don't have a fucking clue what he's talking about most of the time but it's so fascinating hearing about it. But that thought of discovering things is amazing. You can't invent math!

Tadge Dryja: Well math can get creepy sometimes when you're like, "wait, someone set this up", like the Euler's formula, with E and I and Pi. If you actually learn the reasons for it, you're like, "okay, that makes sense. But how are all these things connected?" It's a little scary, like "who set this up?" Is there some deity that made math work the way it does, because it's different than science. It's not observational.

You've got proofs, you know that it is correct. So, so math gets into philosophy and stuff and it's fun! It is really fun when you get something to work and you get an applicable thing. So like I'm more on the applied side, Andrew's a bit more theoretical, but also, getting a lot of applied. So we work with a PhD student and she only hears about the theory.

She's like, "oh yeah, I guess you could use it for something. But I just like the new math." I can totally see that though, where the theoretical stuff itself, you're discovering new things about the universe.

Peter McCormack: So what else went on at the secret meeting then? What were the big topics in Amsterdam?

Tadge Dryja: It was permissioned in that you had to get invited, but it wasn't secret if people reported on it So there was talk about another soft fork. So there was talk about, "hey, what if we have a sort of clean up soft work where we just fix some bugs and then we make sure we can do a soft fork and then later we'll do the Taproot and Schnorr signature fork." Generally that wasn't something people were on board with. It seems like, "no, let's do this Schnorr and Taproot first. Then maybe after that do a cleanup fork."

Everyone was sort of hesitant. Everyone was like, "oh man, soft forks." We do have to do one again, but that's a really big mess because you're coordinating with the whole ecosystem. You can't just make improvements in the software. So there was talk about that. There was talk about a new messaging protocol, so like version two and there was a presentation about that at Breaking Bitcoin and people argued about that.

The thing is, we argue about the little things, but the general idea was, "yeah, we should do something like this", but everyone argues about the details, "wait, why is this a string? Shouldn't this be a fixed bite?" All the little things like that.

Peter McCormack: Does it get heated ever?

Tadge Dryja: No, everyone's very friendly, but people start chatting like, "oh no, don't do this, don't do that!" So generally most people are on the same page and that's what I said about soft forks. People worried a lot about, "oh, SegWit was such a mess, the next one's going to be a problem" and I said, "maybe not. Maybe the people who were very against these ideas, have left?"

If all the people who really hated SegWit and hated the core developers are now using Bitcoin Cash, well maybe it's easy to make a soft fork now, which is also a little scary! If everyone who disagrees leaves and then you just have everyone on board, then that sort of feels like it gives a lot of power to the people who are programming Bitcoin, which is also scary.

Maybe in Ethereum, it is the same thing where like, if all the people who didn't like these ideas, go to the Ethereum Classic and the only people left, like the developers and go along with anything, I don't know to what extent that's true and the developers are pretty conservative about this, but you never know.

Peter McCormack: Alright man, so what's coming next for Utreexo? You obviously said, you're going to be coding. Anything else we need to keep an eye out for?

Tadge Dryja: On GitHub I will, I don't know, answer questions about it, maybe give some talks about it. I want to sort of get people interested in it, because it is also applicable to not just Bitcoin. You could use it in other systems, other Blockchains, but maybe even other things that are not Blockchains at all.

Peter McCormack: Are you going to Riga? For the Honey Badger, the Hodl Hodl conference?

Tadge Dryja: No, I haven't heard...

Peter McCormack: It's in September. That'd be probably be a good one to present at?

Tadge Dryja: I need to figure out if I'm going to Scaling Bitcoin in Israel in September.

Peter McCormack: Yeah, because that probably suits being presented at Scaling Bitcoin as a scaling proposal!

Tadge Dryja: Yes, so I just need to figure out how to talk about it and then hopefully get other people looking at it. So part of why I'm not working on Lightning is, there's tons of people working on Lighting. So it's like, would I be helping or would I just be arguing with people and be like, "no, do it my way."

Peter McCormack: Yeah, but you said to me last time also that you don't agree you exactly with some of the decisions for Lightning?

Tadge Dryja: Sure, but it's the same thing. If I made it myself, I'm like, "no, do it this way."

Peter McCormack: Are you too close to it because you wrote the white paper?

Tadge Dryja: Yeah, so same with Utreexo. Eventually there's going to be stuff that maybe I'll argue, but it's little things, right? The general idea is there and people focus on the disagreements because that's what you disagree on, that's what you argue about. But 99% is the same ideas. So try to get other people looking at it and try to start coding with other people and get into Bitcoin and then run Bitcoin nodes on Raspberry Pi's or who knows.

Peter McCormack: All right, so how do people find out more about it and how do they stay in touch with you Tadge?

Tadge Dryja: So the paper is up on ePrints. I'm sure if you just search Utreexo and then there's also the GitHub. So MITDCI/Utreexo, where I'm writing code on it. I think there've been like two pull requests, but not a ton of people looking at it. I'm trying to clean it up so it's more readable and obvious. But if you have questions about it, ask on GitHub and I'll try to put comments or try to restructure the code so it's easier to understand or start using it.

Peter McCormack: It's a cool name as well.

Tadge Dryja: Neha really didn't like that name, she was like, "no, it's really cheesy." I think it says what's on the tin! It's like, "oh, it's UTXOs and there's a tree of them", actually a bunch of trees.

Peter McCormack: It's memorable as well!

Tadge Dryja: Yeah, it's cheesy name! I think she initially wanted to call it "Radical Nodes", because there was some street named like that, but not anymore.

Peter McCormack: No, I think you've got it right. All right man, well listen, thanks for coming on again!

Tadge Dryja: It was great, thanks!