The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for free. To make a donation or to view additional materials from hundreds of MIT courses, visit MIT OpenCourseWare at ocw.mit.edu.

TADGE DRYJA: OK. So today, Discreet Log Contracts, which is very linked to Lightning Networks. So if you didn't get the last two lectures, this might not make that much sense. So I hope-- but I think everyone here is, like, up to date on these things. So today, I'm going to talk about Discreet Log Contracts, which is a paper I wrote last summer, but it's evolved out of Lightning Network. And I'll try to sort of explain how it-- hopefully, you'll see the connections and how you can get from one to the other. We'll talk about oracles, talk about anticipated signatures, which has some fun math things, and talk about building the Discreet Log Contracts themselves and how that'll work.

OK, so conditional payments, I guess you could call this smart contracts.
Smart contracts is a pretty vague term, and it's used a lot in this sort of Bitcoin, blockchain, Ethereum world. And usually, it's pretty-- like, a lot of times, they use it as a buzzword, and it's like, oh, I'll put my land title in a smart contract and then I can buy a house. And a lot of times, it's used in ways that make it seem as though you don't need a government anymore or a judicial system anymore to enforce these contracts. And in the case of something like Discreet Log Contracts, that's kind of true. Because what Bitcoin did and what made people pretty impressed was that, hey, you don't need a government to enforce the scarcity of the currency that's being created. So that's kind of cool. But it doesn't mean that you can now use blockchain technology to not need a government to enforce, say, rights to property. If you say, hey, this is my land and I've got a smart contract that says my land is-- you know, this is my land on the blockchain, and then an army comes and says, well, we're taking your farm, and you're like, no, it's on the blockchain, and they don't really care.
So it's hard-- like, another way to think about it is the only thing the Bitcoin network can do is move Bitcoin, and the only thing the Ethereum network can do is move Ethereum, to some extent. It doesn't extend out to, like, you know, autonomous drones to shoot you if you trespass or anything like that yet.

OK, so the simplest and, I think, most straightforward and maybe the most useful type of smart contract is a conditional payment, where it's basically, I'm going to pay you based on some external data. So I'm going to use the example of Alice and Bob betting on tomorrow's weather. If it rains, Alice gets a coin. If it's sunny, Bob gets a coin. And we need some kind of way to get this data, right. OP_WEATHER is not in Bitcoin. And I think, yeah, bet is a word that-- it's weird. Like, when I'll meet with fancy rich people, like who are in companies that come to the Media Lab-- no, I still use the word bet. Like, to me, everything's a bet, right? Insurance is a bet. Like, if I buy car insurance, I'm betting GEICO or whatever. Bet I'm going to crash my car.
And they're like, I bet you won't. And then if I crash my car, they're like, aw, shoot, and then they give you the money. And if I get health insurance, I'm like, I bet I'm going to get cancer. And then they're like, bet you won't. And then if I get cancer, I win and I get a whole bunch of money. Right. Well, so they're offset by the fact that you don't actually want to get cancer and you don't want to crash your car. And so the fact that you're betting that you will do it means that, in the case that something bad happens, you get a bunch of money to defer this cost. But fundamentally, from the insurance company's perspective and your perspective in this insurance contract, it's a bet about whether you're going to do this or not. And, like, almost all the financial contracts you can look at as bets, like derivatives and futures and all those kinds of things.

OK, so to keep it simple for the example, there's a very limited set of outcomes. Right?
It's either rainy or sunny tomorrow, and we don't know that it's going to-- what the weather is going to be tomorrow yet, and we're going to bet the coin. OK. So yeah, we need oracles. And I would argue that the Lightning Network script is essentially a smart contract, right, the this key now or this other key later. In Lightning, however, we don't have external state. Right? There's no need to query a third party. There's no need to query the outside world. And all the data that is used in the channel is generated by the participants of the channel themselves. Right? They're making up random keys, throwing them-- you know, sending them to each other just so that they can negotiate over the balances in that channel. That said, they're probably exchanging something outside of the scope of the system. Right? They're probably trading, you know, I'll give you a little bit of Bitcoin for some cookies, or something like that, and there's some delivery of goods or services that's not in Bitcoin. But for the state itself, it's all internal.
If we want external state, we need some way to get that external state into our system. Usually, this is called an oracle.

OK, so the simplest oracle would be two-of-three multisig, and there are places that do this. And it's not-- I don't want to say it's, like, a stupid idea. It's actually quite powerful. And Bitcoin enables it in ways that you couldn't necessarily do before, but there's problems with it. OK, so if you just say two-of-two multisig, where Alice and Bob both put coins into a two-- you know, into a channel-like structure where they both need to sign, and then they can say, OK, well, at the end of tomorrow, whether it's sunny or rainy, we distribute the coins. The problem is, it gets stuck if they disagree. Right? Also, rich players are at an advantage. They can say, well, I think I'm right. I'm fine not signing to get these coins out. It works great with friends, sort of gentlemen's agreement, ladies' agreement, or shake hands. OK, yeah, you're right. It was sunny.
But Bitcoin is the currency of enemies, so you want a third party to decide in the case of conflict. There's a lot of, actually, interesting sort of game theory things here where people have tried-- I've seen reports-- like, I've been to talks where people are like, "Yeah, you don't need an oracle. You just agree on it without any outside influence." And there's some fun things, some fun attacks, where you can basically say, OK, Alice, it rains, you win, but I'm not giving you the money. And I can't get my money back either, but here's what I'll do. I'll sign a bunch of time-locked transactions, and if you want a little bit of your money, you can take it right now. If you want more of it, you just have to wait weeks, months, years. And then Bob can say, OK, it's up to you. Right? Like, how much of your money do you want back? You can wait. And so you're playing off the time value of money, kind of thing. Anyway, so I have seen many things where it's like, you don't need an oracle. Just have these two parties agree.
And, like, game theory, hand wave. But I have never been convinced by them. Like, ultimately, if we're in a bet and we don't trust each other, we need some arbitrator to decide the outcome of the bet.

OK, so you have a third party, right. You say, hey, we're going to bet on this weather, and if there's a dispute, we nominate Jeff, over here, and he's going to be the one that decides whether it actually rained or was sunny in order to determine who gets the money. OK, so you have three keys, right? You've got Alice and Bob, who are in the bet, and you've got-- oh, well, that wasn't how I thought-- Olivia, who is the oracle. And if Alice and Bob are chill, they both sign and they don't even contact Olivia. Right, they're like, yep, it was rainy. OK, you get the coins. Don't even involve Olivia. She doesn't have to deal with anything. But if they fight and they're saying, you know, this is totally not raining. This is, like, right now, this is not rain, right? This doesn't count. They're like, there's nothing. It's basically sunny.
So if they fight about this, they can ask Olivia to sign. Either of them can contact Olivia and say, hey, my counterparty is either unresponsive or uncooperative. Can you sign? And then sign off on the fact that it is, in fact, raining. I get the coins. The problem is, let's say it's sunny, and then Alice tells Olivia, hey, it's out. Hey, it's Alice. Say it's raining, and I'll give you 0.8 points. Right. I'm not supposed to get anything, but give me 0.2, you get 0.8, win-win for both of us. So the oracle can be influenced and bribed. Right, so the problem here? You've got interaction between the oracle and the participants in the bet. Two-of-three multisig oracles, they see every contract. Right? The contract itself is essentially not a smart contract, really, anymore, because Olivia has to know, like, the legal-ish looking terms of the contract, right? Olivia, the oracle, has to say, OK, in what case do I side with Alice? In what case do I side with Bob?
It could be programmatic, but it could also just be a sheet of paper with a bunch of text on it, and Olivia's an actual person and determines based on that. Right, so this is just sort of a custodian arbitrator kind of thing. It's not that cool, like, high-tech cryptography kind of thing, really. Yeah, and they also decide individually, so they can equivocate. So if everyone's betting on the weather, they don't have to sign that it's sunny universally. They can sign to sunny on this side and rainy on that side. There's nothing you can do about that. So I think what led me to think about these, it'd be better if the oracle couldn't equivocate, right? They can't deter-- you know, they can't say two different things. And it's even better if they never see the contracts, but how do we do that?

OK, so any questions about the general setup of what we're trying to accomplish here? Bets? And then you can have multiple-- you know, lots of different types of bets. But anyway, this is the essential problem. How do we do this?
And, like, in Ethereum, most of the time, everything's on chain, right. The data sources are published on the Ethereum blockchain. So you sort of have similar problems. There's ideas of, OK, let's have a bunch of oracles, and then you sort of take the average of all oracles. There's different ways, but this thing is, OK, make the oracles never see the contracts. But how? OK, and then how is going to be kind of complicated.

So remember these from last time? Right. These sign with this key, and you have to wait. Sign with these two keys, and you get it immediately. This kind of same exact script is, like, so that will be used. OK, and then I think I talked about this on the third class about signatures, but we're going to go more in-depth in Schnorr signatures here. OK, so in Bitcoin, we've got this ECDSA elliptic curve. In Bitcoin, you use ECDSA, Elliptic Curve Digital Signature Algorithm, which is different than what I'm going to explain. But this aspect is the same, right? The public keys are private keys times a generator point.
So we can do this without actually using the Bitcoin signature algorithm. We can use our own external signature algorithm, and then use the keys generated by that in Bitcoin itself. OK, so a and b lowercase, scalar. Big A, big B, uppercase, they're points on the curve. So what operations can we do? I think this is review, but this was, like, months ago. Regular numbers, you can do whatever you want. They're regular numbers. It's easy. Add, subtract, multiply, divide, it's literally in the software just like BigInt.add, and the BigInt addition and mult-- you know, the BigInt operations, if you actually look underneath at the code, they're real simple. You're just adding numbers. So you can do whatever you want with these. Points. Points are a group. They do not have two operations defined. They only have one operation defined, and we call that addition. It's sort of-- like, you could call it something else. Sometimes, they use a different symbol than plus, but addition's sort of what we call it. And it works the way you'd think addition would work, right?
You add these two things. If you add A and B, and then subtract B, you get back to A, things like that. OK, so you can add and subtract, but you can't multiply or divide. Right? These are not defined. OK, and you can mix these things. So you cannot add a point and a scalar. That's also undefined. So if you have, like, a point here, and you want to add 5, it doesn't make sense. However, you can multiply a point by a scalar. And you can divide a point-- yeah. You can divide that. And the way you do that is you just, in the actual elliptic curve, you-- to double a point, you take the tangent. So instead of drawing a line between two points, you say, well, I'm drawing a line between this single point, which basically means the tangent, as you sort of, like-- things like limit as the spacing between those two points goes to zero. And then if you can double a point, if you can add A plus A, then you can multiply by any arbitrary number by saying, OK, I'll take 2A to be a tangent. I'll take 4A to be the tangent of that.
I'll take 8A to be the tangent of that. And then you can add up, like, you can do binary decomposition-- and computers are real good at that-- and say, OK, I'm going to-- I need 5A, so I'm going to take A plus 4A. Right. Now-- oop, yeah. So you can divide-- divide's a little annoying, but you can do that. OK, so you've got all these operations we can do. You can do whatever you want with the scalars. You can add points, subtract points, multiply these points by scalars. With this alone you can do-- and then, also, well, you have to throw hash functions in there for the stuff we're going to do, but you guys know all about hash functions. So with this and hash functions, you can do, like, ridiculous amounts of stuff. It's really kind of impressive. Also, you can-- so yeah, part of the signature system is you pick some random point G. Sometimes, in other systems, you have G and H, two other points. But the idea is everyone just agrees, we've got some point G and everyone agrees on it. OK, a nice property.
You can add keys that you can-- you know, the addition sort of works-- addition in the scalar world works in the point world as well. Right? So if you have a times G plus b times G, and that's a point, that's equal to a plus b times G, also going to be a point. So that is what we're going to use. And you can use this to share keys. Right, I think I explained this last time. If you know little a, but you don't know little b, you can't sign. But if you learn both, you can sign for this, you know, this summed pubkey. So this is a way to, like, share keys. OK. Yeah, [INAUDIBLE]. Yeah, like OK. Well, that's sort of out of order. Anyway, Schnorr signatures, which are going to go into Bitcoin probably not even this year, maybe next year, and there's a lot of cool things you can do with them. I think I'm talking about that next week in the term. Like, that's aggregation, right? But the basic idea of a Schnorr signature, you've got a public key that you've already told everyone.
Right, so before anything happens, you pick a random private key, little a, multiply it by G, and then compute big A and tell that to the world, either by send-- having that as an output address in your Bitcoin script or publishing it on a website. You know, somehow, you propagate, hey, this is my public key. This is me. OK, and then when you sign, you come up with another private key, pretty much the exact same as little a. It's going to be called little k. And then you compute R, which is k times the generator point. So this R is pretty much the same idea as-- it's another public key, but this will only be used once. And then to sign, you compute s, which is k, that thing you just made up, minus the hash of the message to sign concatenated with R, times your private key. OK, and then the signature is R and s. And then for someone to verify this, they know m, right, the message you're trying to sign. They know your public key, big A. They know R and s, your signature. And they try to-- what they do is they just multiply both sides of this equation by G. Right?
So you can-- you can do that, same as regular math, multiply both sides by the same thing. So they can't verify this because they don't know little a, they don't know k. But if you multiply it by G, well, then you get s times G equals k times G minus this hash times a times G. Well, that is just your public key, right? This is R. And this, you also know because they gave you s, so you know G. That is, you know s times G. So that's how you verify. And it's-- like, there's all sorts of proofs about why you can't forge these and stuff like that, but it sort of makes sense. Right? If you're trying to forge a signature, and you say, hey, I'm going to solve for s. Right, well, I can't solve for s directly because I don't know little a, I don't know k. The problem is, I want to-- OK, I want to solve for one of these things. I've basically got an equation where I've got R minus the hash of R, and I can't tear those apart. Right, like I need-- how do I-- OK, solve for R, but there's, like, the hash of R and R on the same side of the equation.
445 00:18:34,630 --> 00:18:36,340 I could try to move this so that, 446 00:18:36,340 --> 00:18:38,410 OK, R equals the hash of R? 447 00:18:38,410 --> 00:18:42,190 Like wait, how am I going to do that? 448 00:18:42,190 --> 00:18:44,020 Right, so anytime you try to solve, 449 00:18:44,020 --> 00:18:48,040 you're going to have an R and a hash of R in the same equation. 450 00:18:48,040 --> 00:18:50,840 And, like, that seems impossible, right? 451 00:18:50,840 --> 00:18:53,140 OK, so this is Schnorr signatures. 452 00:18:53,140 --> 00:18:54,430 It works great. 453 00:18:54,430 --> 00:18:57,780 It's got lots of nice properties. 454 00:18:57,780 --> 00:18:59,940 Actually, all of this could work in ECDSA. 455 00:18:59,940 --> 00:19:03,750 It's just that ECDSA is like really ugly and complicated. 456 00:19:03,750 --> 00:19:07,590 But anyway, so what Discreet Log Contracts uses 457 00:19:07,590 --> 00:19:09,990 is a fixed-R signature. 458 00:19:09,990 --> 00:19:14,270 It's the exact same equation, but you sort of 459 00:19:14,270 --> 00:19:16,280 move where R is considered. 460 00:19:16,280 --> 00:19:19,610 So before, you'd say, the public key is A, 461 00:19:19,610 --> 00:19:22,730 and now, my signature is R and s. 462 00:19:22,730 --> 00:19:25,160 Now, we're just going to say, OK, make the public key 463 00:19:25,160 --> 00:19:28,620 A and R, two points, and make the signature just s. 464 00:19:28,620 --> 00:19:30,690 So same equation, everything's the same. 465 00:19:30,690 --> 00:19:34,980 It's just that you generate k at the same time you're 466 00:19:34,980 --> 00:19:40,760 generating A, and publish both A and R as your public key. 467 00:19:40,760 --> 00:19:42,830 Right, no problem. 468 00:19:42,830 --> 00:19:45,030 OK, the problem is you can only sign once. 469 00:19:45,030 --> 00:19:48,760 That's why you don't usually do this. 470 00:19:48,760 --> 00:19:50,080 There's no size difference. 
471 00:19:50,080 --> 00:19:52,930 Right, it's like, OK, well, your public key gets twice as big 472 00:19:52,930 --> 00:19:55,150 and your signature gets half as big. 473 00:19:55,150 --> 00:19:56,650 No net gain. 474 00:19:56,650 --> 00:19:58,755 But you can only sign once, and why? 475 00:19:58,755 --> 00:20:01,120 OK, I'm actually-- it looks kind of scary, 476 00:20:01,120 --> 00:20:02,870 but it's actually not too bad. 477 00:20:02,870 --> 00:20:05,350 So the idea is I sign. 478 00:20:05,350 --> 00:20:08,110 I have an A and an R, and those don't change. 479 00:20:08,110 --> 00:20:10,900 Right, so I have a little a and a k, and those don't change. 480 00:20:10,900 --> 00:20:13,640 But I'm signing two different messages. 481 00:20:13,640 --> 00:20:16,750 So the idea is I have signature 1, s1, which 482 00:20:16,750 --> 00:20:19,870 is k minus the hash of message 1 concatenated 483 00:20:19,870 --> 00:20:21,880 to R times my private key. 484 00:20:21,880 --> 00:20:24,970 Signature 2 is k minus the hash of message 2 485 00:20:24,970 --> 00:20:26,680 and R times my private key. 486 00:20:26,680 --> 00:20:29,320 So I publish both of these signatures. 487 00:20:29,320 --> 00:20:32,230 And then someone says, oh, I'm going to subtract these two 488 00:20:32,230 --> 00:20:33,880 signatures from each other. 489 00:20:33,880 --> 00:20:37,000 Right, so s1 minus s2, well, that 490 00:20:37,000 --> 00:20:39,550 would be this top thing minus this thing, which 491 00:20:39,550 --> 00:20:42,580 is k minus the hash of message 1 times a, 492 00:20:42,580 --> 00:20:48,385 minus k plus the hash of message 2 times a. 493 00:20:48,385 --> 00:20:50,930 The k's cancel out. 494 00:20:50,930 --> 00:20:52,330 That's the important part here. 495 00:20:52,330 --> 00:20:54,010 So k's are gone. 496 00:20:54,010 --> 00:20:56,890 Cool, now I've got this s1 minus s2, which I can compute. 
497 00:20:56,890 --> 00:20:59,710 Right, s is just a scalar, s1 minus s2 498 00:20:59,710 --> 00:21:03,648 takes like a millionth of a second on my computer to do. 499 00:21:03,648 --> 00:21:05,440 Now, I've got this s-- you know, this thing 500 00:21:05,440 --> 00:21:08,720 I know, s1 minus s2 equals the hash of message 501 00:21:08,720 --> 00:21:13,225 2, R times little a, minus the hash of message 1, R, little a. 502 00:21:13,225 --> 00:21:17,920 I don't know little a, right, so I can't figure out this. 503 00:21:17,920 --> 00:21:20,040 But I know what's on this side of the equation. 504 00:21:20,040 --> 00:21:20,540 Right? 505 00:21:20,540 --> 00:21:23,248 I know this sort of subtracted s. 506 00:21:23,248 --> 00:21:24,040 What can I do here? 507 00:21:24,040 --> 00:21:28,930 Well, I can factor out a, right, because a is multiplied 508 00:21:28,930 --> 00:21:30,305 on both sides of this. 509 00:21:30,305 --> 00:21:32,680 So now I can factor-- you know, put a little parentheses. 510 00:21:32,680 --> 00:21:36,090 OK, this hash is message 2, R minus the hash of message 1, 511 00:21:36,090 --> 00:21:40,090 R times the private key here. 512 00:21:40,090 --> 00:21:43,000 And now, I can divide. 513 00:21:43,000 --> 00:21:44,880 And well, this is the whole equation, right? 514 00:21:44,880 --> 00:21:45,670 I divide out. 515 00:21:45,670 --> 00:21:47,550 I divide by little a here. 516 00:21:47,550 --> 00:21:50,920 The thing I know divided by a thing I don't know 517 00:21:50,920 --> 00:21:52,473 equals a thing I know. 518 00:21:52,473 --> 00:21:54,640 Right, so I can move things around and say, OK, well 519 00:21:54,640 --> 00:21:58,270 then a is this thing I know, right, the difference 520 00:21:58,270 --> 00:22:02,230 between the two signatures, divided by the difference 521 00:22:02,230 --> 00:22:04,222 between these two hashes. 522 00:22:04,222 --> 00:22:05,680 And those two hashes, also, I know. 523 00:22:05,680 --> 00:22:05,980 Right? 
524 00:22:05,980 --> 00:22:07,330 I know what the messages are. 525 00:22:07,330 --> 00:22:09,100 I know what the R value is. 526 00:22:09,100 --> 00:22:11,200 It works. 527 00:22:11,200 --> 00:22:14,110 So the big thing here is if you have the same k 528 00:22:14,110 --> 00:22:18,680 value and the same a value, you can find their private key. 529 00:22:18,680 --> 00:22:21,350 So normally, this is OK because k is different. 530 00:22:21,350 --> 00:22:21,850 Right? 531 00:22:21,850 --> 00:22:24,520 So you'd have k sub 1, k sub 2 here. 532 00:22:24,520 --> 00:22:26,500 And then if you build this equation, 533 00:22:26,500 --> 00:22:30,610 you've got these k's which do not cancel out 534 00:22:30,610 --> 00:22:33,700 because you don't know what they are and you don't get anywhere 535 00:22:33,700 --> 00:22:34,370 with this. 536 00:22:34,370 --> 00:22:38,950 OK, but so if you do use the same k value, 537 00:22:38,950 --> 00:22:40,420 you will lose your private key. 538 00:22:40,420 --> 00:22:43,270 Fun fact, I first learned about this in 2011 539 00:22:43,270 --> 00:22:46,960 from the PlayStation 3 code-signing thing. 540 00:22:46,960 --> 00:22:50,000 And yeah, that was when I-- 541 00:22:50,000 --> 00:22:51,970 I think, because I started to get into Bitcoin 542 00:22:51,970 --> 00:22:54,240 and, also, it was like, oh, PlayStation 3 got hacked. 543 00:22:54,240 --> 00:22:55,150 Cool. 544 00:22:55,150 --> 00:22:58,120 So Sony had a k-- like, they probably read up 545 00:22:58,120 --> 00:22:59,260 on how to do this. 546 00:22:59,260 --> 00:23:01,035 And they said, OK, k needs to be random, 547 00:23:01,035 --> 00:23:02,410 so they just made a random number 548 00:23:02,410 --> 00:23:04,465 and hardcoded it as the k that they used. 549 00:23:04,465 --> 00:23:06,340 I don't think they realized that it has to be 550 00:23:06,340 --> 00:23:08,500 random and different each time. 551 00:23:08,500 --> 00:23:11,980 So it was just a single random k. 
552 00:23:11,980 --> 00:23:14,830 Yeah, there's other cases of this being a problem. 553 00:23:14,830 --> 00:23:19,570 In bitcoin-blockchain.info, I believe, a couple of years ago, 554 00:23:19,570 --> 00:23:21,850 had something where k was random, 555 00:23:21,850 --> 00:23:24,940 but it was like only four bytes of randomness or something, 556 00:23:24,940 --> 00:23:28,480 and so you'd end up getting some occasional k's that were 557 00:23:28,480 --> 00:23:29,990 the same. 558 00:23:29,990 --> 00:23:33,537 And then you could compute people's private keys. 559 00:23:33,537 --> 00:23:35,620 There's a couple other things like that where if-- 560 00:23:35,620 --> 00:23:41,430 you know, so actually in practice, now, you 561 00:23:41,430 --> 00:23:45,660 don't make k randomly in Bitcoin Core, 562 00:23:45,660 --> 00:23:47,550 in most of the Bitcoin libraries. 563 00:23:47,550 --> 00:23:51,090 You make k basically the hash of your private key 564 00:23:51,090 --> 00:23:54,062 and the message so that it changes for each message. 565 00:23:54,062 --> 00:23:55,770 And it's also got like secret information 566 00:23:55,770 --> 00:23:58,500 so no one can figure it out. 567 00:23:58,500 --> 00:24:02,670 That's called RFC 6979, and it is safer 568 00:24:02,670 --> 00:24:07,402 because you don't keep needing new randomness each time. 569 00:24:07,402 --> 00:24:08,510 Oh, yes? 570 00:24:08,510 --> 00:24:10,660 AUDIENCE: Is this presented for history's sake, 571 00:24:10,660 --> 00:24:13,360 or are people still making this mistake? 572 00:24:13,360 --> 00:24:15,430 TADGE DRYJA: I mean, will people? 573 00:24:15,430 --> 00:24:18,910 Like, people have made it in very recent history. 574 00:24:18,910 --> 00:24:20,350 I wouldn't be surprised if people 575 00:24:20,350 --> 00:24:22,600 continue to make this mistake. 576 00:24:22,600 --> 00:24:25,000 You know, a couple, two, three years ago, Blockchain.info 577 00:24:25,000 --> 00:24:28,270 had this where the k's were the same. 
578 00:24:28,270 --> 00:24:30,220 It's not immediately-- you know, you 579 00:24:30,220 --> 00:24:32,410 have to sort of look for it. 580 00:24:32,410 --> 00:24:35,980 But yeah, people still make all sorts of mistakes like this. 581 00:24:35,980 --> 00:24:39,640 There's-- elliptic curves are actually less, I think, 582 00:24:39,640 --> 00:24:42,100 of a minefield than like RSA. 583 00:24:42,100 --> 00:24:45,245 RSA has all sorts of like, I had no idea 584 00:24:45,245 --> 00:24:47,620 that would break the security of the system, but it does. 585 00:24:47,620 --> 00:24:49,330 Like, you know, in an RSA, you've 586 00:24:49,330 --> 00:24:51,280 got p and q, two big prime numbers you 587 00:24:51,280 --> 00:24:53,290 multiply to get your modulus n. 588 00:24:53,290 --> 00:24:57,850 But if p minus 1 or n minus 1 is smooth, 589 00:24:57,850 --> 00:25:01,128 which means has many small factors, 590 00:25:01,128 --> 00:25:03,170 then you can break it and find their private key. 591 00:25:03,170 --> 00:25:05,848 Like, I didn't know that until last year in a class. 592 00:25:05,848 --> 00:25:06,640 I was like, really? 593 00:25:06,640 --> 00:25:08,770 Oh, wow. 594 00:25:08,770 --> 00:25:10,908 So there's all sorts of bad things that can happen. 595 00:25:10,908 --> 00:25:12,450 In elliptic curves, it's kind of nice 596 00:25:12,450 --> 00:25:15,410 in that your random numbers can really just be random numbers. 597 00:25:15,410 --> 00:25:17,050 So it's not too-- it's not as bad. 598 00:25:17,050 --> 00:25:19,600 But you do have to watch out for some of these things. 599 00:25:19,600 --> 00:25:25,930 OK, so this new system, right, if your pubkey is A and R 600 00:25:25,930 --> 00:25:29,800 and a message m, right, you cannot compute s. 601 00:25:29,800 --> 00:25:34,910 So I know their public key. 602 00:25:34,910 --> 00:25:39,010 Right, I know R. I know they're probably-- like, 603 00:25:39,010 --> 00:25:40,990 I know this whole thing. 
604 00:25:40,990 --> 00:25:43,220 I can't compute s, right, because s 605 00:25:43,220 --> 00:25:45,130 is in terms of k and little a. 606 00:25:45,130 --> 00:25:48,580 I can compute s times G, though, because s times G is in terms 607 00:25:48,580 --> 00:25:51,520 of R and big A, which I know. 608 00:25:51,520 --> 00:25:53,260 Right, so you can't compute little s, 609 00:25:53,260 --> 00:25:57,990 but you can compute s times G. So 610 00:25:57,990 --> 00:26:01,110 s times G is computable for any given message. 611 00:26:01,110 --> 00:26:03,750 So if someone publishes this new type of pubkey, A and R 612 00:26:03,750 --> 00:26:06,600 together, I can say, OK, well, what 613 00:26:06,600 --> 00:26:09,380 will it look like if you sign the message, sunny? 614 00:26:09,380 --> 00:26:13,650 Right, if you just take the word sunny, stick it in here, 615 00:26:13,650 --> 00:26:15,930 concatenate it with the R value you already told me, 616 00:26:15,930 --> 00:26:19,080 hash that, multiply by your pubkey, 617 00:26:19,080 --> 00:26:21,630 and then subtract that from your R value, 618 00:26:21,630 --> 00:26:23,910 I'll get a point on the curve and I can compute that. 619 00:26:23,910 --> 00:26:26,100 And I can compute that for any m I care 620 00:26:26,100 --> 00:26:28,678 to throw into this equation. 621 00:26:28,678 --> 00:26:29,970 So this is kind of neat, right? 622 00:26:29,970 --> 00:26:33,510 I can compute a point on a curve for any message 623 00:26:33,510 --> 00:26:35,610 that you have not yet signed. 624 00:26:35,610 --> 00:26:40,200 And then the signature itself would be s. 625 00:26:40,200 --> 00:26:42,780 This sort of is looking like a key pair, right? 626 00:26:42,780 --> 00:26:44,580 So this is an unknown scalar, right. 627 00:26:44,580 --> 00:26:46,380 I don't know what s is, but I can 628 00:26:46,380 --> 00:26:51,330 compute s times G. This is a public key, private key, right? 629 00:26:51,330 --> 00:26:53,670 This is the exact same setup. 
630 00:26:53,670 --> 00:26:56,580 So now we can use this for a third-party oracle 631 00:26:56,580 --> 00:26:57,750 to sign messages. 632 00:26:57,750 --> 00:26:59,250 And then when they sign the message, 633 00:26:59,250 --> 00:27:01,208 they're revealing a private key to a public key 634 00:27:01,208 --> 00:27:03,770 you've already computed. 635 00:27:03,770 --> 00:27:05,400 So when I was making this, I definitely 636 00:27:05,400 --> 00:27:07,442 didn't start with Schnorr signatures and do this. 637 00:27:07,442 --> 00:27:10,590 I had my own crazy scheme, which had 638 00:27:10,590 --> 00:27:12,750 like all these different equations and, like, 639 00:27:12,750 --> 00:27:14,518 R was multiplied by this other hash 640 00:27:14,518 --> 00:27:15,810 and there was all these things. 641 00:27:15,810 --> 00:27:18,240 And then I was talking to people and eventually was like, wait, 642 00:27:18,240 --> 00:27:19,240 you don't need all this. 643 00:27:19,240 --> 00:27:22,020 This is just a Schnorr signature where I already 644 00:27:22,020 --> 00:27:24,060 know the R. So OK, this is much nicer. 645 00:27:24,060 --> 00:27:27,662 I don't have to write this whole crazy proof and stuff. 646 00:27:27,662 --> 00:27:28,620 OK, so we can use this. 647 00:27:31,290 --> 00:27:33,720 And we can use Olivia's signature, s, 648 00:27:33,720 --> 00:27:37,140 as a private key in our transactions. 649 00:27:37,140 --> 00:27:39,648 And we use s times G as a public key. 650 00:27:39,648 --> 00:27:41,190 And then we can also do the fun stuff 651 00:27:41,190 --> 00:27:44,110 where we mix with Alice and Bob's public keys. 652 00:27:44,110 --> 00:27:44,610 Right? 653 00:27:44,610 --> 00:27:50,040 So I can say that Alice's pubkey plus s times G is 654 00:27:50,040 --> 00:27:52,770 the public key for this contract. 655 00:27:52,770 --> 00:27:56,380 And Alice's private key plus s is 656 00:27:56,380 --> 00:27:58,870 going to be the private key for this contract. 
657 00:27:58,870 --> 00:28:00,850 So I can say-- what we can do is we can say, 658 00:28:00,850 --> 00:28:03,550 OK, I'm going to compute an address where 659 00:28:03,550 --> 00:28:06,550 it's your pubkey plus the signature 660 00:28:06,550 --> 00:28:10,180 of this oracle signing the word sunny times G, 661 00:28:10,180 --> 00:28:13,160 and that's the pubkey for Alice's sunny pubkey. 662 00:28:13,160 --> 00:28:13,660 Right? 663 00:28:13,660 --> 00:28:17,350 Alice can only spend this if the oracle signs the word sunny 664 00:28:17,350 --> 00:28:18,980 and she has her private key. 665 00:28:18,980 --> 00:28:20,650 If the oracle signs the word rainy, 666 00:28:20,650 --> 00:28:22,192 Alice doesn't know how to-- you know, 667 00:28:22,192 --> 00:28:24,450 doesn't learn the private key. 668 00:28:24,450 --> 00:28:27,660 Any questions about that part? 669 00:28:27,660 --> 00:28:28,290 Make sense? 670 00:28:28,290 --> 00:28:29,100 OK. 671 00:28:29,100 --> 00:28:30,790 So this is kind of cool. 672 00:28:30,790 --> 00:28:34,080 So what you can do, so quick recap Lightning, 673 00:28:34,080 --> 00:28:36,810 you'd use the mechanism where you're adding these keys 674 00:28:36,810 --> 00:28:38,640 to revoke old states, right. 675 00:28:38,640 --> 00:28:42,030 You say, OK, if I give you this key, 676 00:28:42,030 --> 00:28:43,795 you can now spend it immediately. 677 00:28:43,795 --> 00:28:46,170 If I give you this key, you can now spend it immediately. 678 00:28:46,170 --> 00:28:49,852 So we enforce that with the most recent one is the OK one 679 00:28:49,852 --> 00:28:51,560 because if I broadcast on these old ones, 680 00:28:51,560 --> 00:28:52,980 you can immediately get it. 681 00:28:52,980 --> 00:28:55,250 In Discreet Log, I switch it around a bit. 682 00:28:57,870 --> 00:29:01,210 I say, well, you know, it looks like a channel. 683 00:29:01,210 --> 00:29:02,830 We both put money into here. 
684 00:29:02,830 --> 00:29:07,120 And then we build three different transactions 685 00:29:07,120 --> 00:29:10,420 all at the same time, before we even do anything. 686 00:29:10,420 --> 00:29:13,990 Before we actually fund this, we build these descendant 687 00:29:13,990 --> 00:29:15,190 transactions. 688 00:29:15,190 --> 00:29:17,440 And the idea is that the public keys in here-- 689 00:29:20,100 --> 00:29:22,680 this is Bob's public key, but it's also 690 00:29:22,680 --> 00:29:25,440 got the sum, the sum of Bob's public key 691 00:29:25,440 --> 00:29:28,310 plus the oracle's signature of the word sunny. 692 00:29:28,310 --> 00:29:31,710 So if Bob broadcasts it, and the only way 693 00:29:31,710 --> 00:29:33,602 he can immediately take his funds 694 00:29:33,602 --> 00:29:35,310 is if the oracle signed the word sunny, 695 00:29:35,310 --> 00:29:37,200 and he knows that s value. 696 00:29:37,200 --> 00:29:39,655 If he broadcasts it and then waits-- 697 00:29:39,655 --> 00:29:42,780 right, if he broadcasts it, but it's not actually sunny, 698 00:29:42,780 --> 00:29:45,260 then Alice can take the money after a little while, 699 00:29:45,260 --> 00:29:46,220 right, after a day. 700 00:29:46,220 --> 00:29:47,790 You'd use the same timeout procedure 701 00:29:47,790 --> 00:29:51,060 where, OK if I broadcast this and I know the key, 702 00:29:51,060 --> 00:29:52,688 I immediately sweep it. 703 00:29:52,688 --> 00:29:54,480 If I broadcast it and I don't know the key, 704 00:29:54,480 --> 00:29:57,705 my counterparty can take everything after a day. 705 00:29:57,705 --> 00:29:59,580 So yeah, all states are created at the start. 706 00:29:59,580 --> 00:30:02,250 The validity is determined by the non-interactive oracle 707 00:30:02,250 --> 00:30:03,090 signature. 708 00:30:03,090 --> 00:30:07,770 So the oracle signs cloudy, which is, yeah. 
709 00:30:07,770 --> 00:30:10,170 And now, either party can broadcast 710 00:30:10,170 --> 00:30:14,760 the cloudy transaction and then take their money immediately. 711 00:30:14,760 --> 00:30:17,890 If anyone tries to broadcast, so if-- for example, 712 00:30:17,890 --> 00:30:21,900 if Alice tries to broadcast rainy at this point, 713 00:30:21,900 --> 00:30:23,912 the oracle has signed the word cloudy, 714 00:30:23,912 --> 00:30:25,620 they're not going to sign the word rainy. 715 00:30:25,620 --> 00:30:29,680 If they do sign the word rainy, they reveal their private key. 716 00:30:29,680 --> 00:30:31,900 So if Alice broadcasts this, her money's stuck. 717 00:30:31,900 --> 00:30:35,580 She doesn't actually have this key. 718 00:30:35,580 --> 00:30:39,570 And then Bob just waits and then takes all of Alice's money. 719 00:30:39,570 --> 00:30:42,420 So you know, from the network's perspective, 720 00:30:42,420 --> 00:30:45,253 you can broadcast any of these transactions, 721 00:30:45,253 --> 00:30:46,170 but you don't want to. 722 00:30:46,170 --> 00:30:50,920 Because you don't know the key, it's not your funds. 723 00:30:50,920 --> 00:30:52,910 OK, so yeah. 724 00:30:52,910 --> 00:30:55,700 AUDIENCE: So the wait piece, how does 725 00:30:55,700 --> 00:31:00,690 that-- so if in the case where it's cloudy, but Alice 726 00:31:00,690 --> 00:31:03,310 signs the rainy key? 727 00:31:03,310 --> 00:31:05,550 TADGE DRYJA: Alice broadcasts the rainy transaction? 728 00:31:05,550 --> 00:31:06,175 Yeah. 729 00:31:06,175 --> 00:31:08,300 AUDIENCE: Alice broadcasts [INAUDIBLE] transaction, 730 00:31:08,300 --> 00:31:11,680 but doesn't have the proper signature of the oracle. 731 00:31:11,680 --> 00:31:12,430 TADGE DRYJA: Yeah? 732 00:31:12,430 --> 00:31:15,130 Do you just wait because you know? 
733 00:31:15,130 --> 00:31:17,940 Then Bob just waits because Alice's money-- 734 00:31:17,940 --> 00:31:20,580 yeah Alice, it's sending to Alice's public key 735 00:31:20,580 --> 00:31:23,770 plus the oracle's signature publicly. 736 00:31:23,770 --> 00:31:26,140 And Alice can't sign with that. 737 00:31:26,140 --> 00:31:27,670 Right, she knows her private key, 738 00:31:27,670 --> 00:31:30,620 but she doesn't know the oracle rainy private key. 739 00:31:30,620 --> 00:31:32,980 So she can't sign with this to take the money. 740 00:31:32,980 --> 00:31:35,008 So the money's just stuck here, but it's 741 00:31:35,008 --> 00:31:36,300 got that timeout period, right? 742 00:31:36,300 --> 00:31:36,790 It's-- 743 00:31:36,790 --> 00:31:38,623 AUDIENCE: OK, so before, there's no timeout? 744 00:31:38,623 --> 00:31:40,210 TADGE DRYJA: Yeah, so the-- 745 00:31:40,210 --> 00:31:41,650 wait, did I have it here? 746 00:31:41,650 --> 00:31:43,990 Yeah, it's the same script, right. 747 00:31:43,990 --> 00:31:47,440 In Lightning, it's PubR or PubT and time, right? 748 00:31:47,440 --> 00:31:50,880 There's a revocable one and a timeout one. 749 00:31:50,880 --> 00:31:53,740 Yeah, so in Lightning, it's the opposite of Lightning. 750 00:31:53,740 --> 00:31:57,270 Right, in Lightning, correct is to use the timeout. 751 00:31:57,270 --> 00:31:58,522 Right, so in Lightning-- whoa. 752 00:31:58,522 --> 00:31:59,446 What just happened? 753 00:31:59,446 --> 00:32:00,832 OK. 754 00:32:00,832 --> 00:32:05,080 In Lightning, I broadcast this. 755 00:32:05,080 --> 00:32:06,490 I have to wait, right? 756 00:32:06,490 --> 00:32:09,857 It's Alice's key that then takes a day, and then I can sweep it. 757 00:32:09,857 --> 00:32:11,440 That's the correct thing that happens. 758 00:32:11,440 --> 00:32:14,350 If I broadcast this, Bob can immediately 759 00:32:14,350 --> 00:32:18,190 take it because I've already given him the private key. 
760 00:32:18,190 --> 00:32:21,340 It's the opposite in Discreet Log Contracts, 761 00:32:21,340 --> 00:32:24,688 where if I broadcast the wrong thing, it's just stuck forever. 762 00:32:24,688 --> 00:32:26,230 I'm never going to be able to get it, 763 00:32:26,230 --> 00:32:29,740 and then my counterparty can get it after a day. 764 00:32:29,740 --> 00:32:32,012 If I broadcast the right thing, my counterparty 765 00:32:32,012 --> 00:32:33,220 can still get it after a day. 766 00:32:33,220 --> 00:32:33,720 Right? 767 00:32:33,720 --> 00:32:35,740 So if Alice broadcasts this, Alice 768 00:32:35,740 --> 00:32:40,120 has to immediately spend this because, this Alice 5 Bitcoins 769 00:32:40,120 --> 00:32:43,532 is also Bob's after a day. 770 00:32:43,532 --> 00:32:45,740 So she needs to say, OK, I'm going to broadcast this, 771 00:32:45,740 --> 00:32:48,020 and then immediately sweep the funds 772 00:32:48,020 --> 00:32:50,720 to my own regular address. 773 00:32:50,720 --> 00:32:55,721 So what's nice is that's like a better timing model. 774 00:32:55,721 --> 00:32:58,670 Anyway, so in cases of fraud, the recoverable key 775 00:32:58,670 --> 00:33:00,770 can be used, half the key revealed. 776 00:33:00,770 --> 00:33:03,230 So that's in Lightning, right, and Lightning 777 00:33:03,230 --> 00:33:04,820 broadcasts the most recent. 778 00:33:04,820 --> 00:33:07,250 There is no PubR, right? 779 00:33:07,250 --> 00:33:09,747 No one can sign this because you haven't revealed it. 780 00:33:09,747 --> 00:33:11,330 And then the timing happens and sends. 781 00:33:11,330 --> 00:33:13,310 So you broadcast your most recent state. 782 00:33:13,310 --> 00:33:17,180 You wait a little while, and you don't actually have any rush. 783 00:33:17,180 --> 00:33:21,860 You know you've never given PubR away, so you can just leave it, 784 00:33:21,860 --> 00:33:23,690 and then time elapses. 785 00:33:23,690 --> 00:33:25,373 So maybe the timeout is one day. 
786 00:33:25,373 --> 00:33:27,290 You don't have to spend it after that one day. 787 00:33:27,290 --> 00:33:28,940 You can leave it for a week or a month, 788 00:33:28,940 --> 00:33:30,860 and then later spend it because you're 789 00:33:30,860 --> 00:33:32,480 really sure your counterparty is never 790 00:33:32,480 --> 00:33:35,340 going to get this private key. 791 00:33:35,340 --> 00:33:38,300 So that's the way Lightning works. 792 00:33:38,300 --> 00:33:40,460 In Discreet Log Contracts, however, the timeout one 793 00:33:40,460 --> 00:33:44,200 is the incorrect one, when you publish the wrong transaction. 794 00:33:44,200 --> 00:33:47,120 Right, PubR is the oracle's signature 795 00:33:47,120 --> 00:33:50,970 plus your own private key. 796 00:33:50,970 --> 00:33:55,195 And PubT is just the other person gets it after a while. 797 00:33:55,195 --> 00:33:56,570 So you should be able-- you know, 798 00:33:56,570 --> 00:33:58,820 if you publish the right transaction, 799 00:33:58,820 --> 00:34:00,230 you can immediately spend it. 800 00:34:00,230 --> 00:34:01,772 If you publish the wrong transaction, 801 00:34:01,772 --> 00:34:05,000 you'll never be able to spend it and your counterparty will, 802 00:34:05,000 --> 00:34:07,740 tomorrow or next week. 803 00:34:07,740 --> 00:34:11,300 So it's kind of a nicer model, I think, 804 00:34:11,300 --> 00:34:14,499 because, in Lightning, you have to be watching your channels. 805 00:34:14,499 --> 00:34:17,389 In Discreet Log Contract, nothing bad 806 00:34:17,389 --> 00:34:20,219 can happen if you go offline. 807 00:34:20,219 --> 00:34:21,679 So that's really nice, right? 808 00:34:21,679 --> 00:34:24,107 In Lightning, you have to watch for fraud. 809 00:34:24,107 --> 00:34:26,440 Old states could be broadcast and you've got to grab it. 810 00:34:26,440 --> 00:34:30,060 In DLC, sweep it as soon as you want. 811 00:34:30,060 --> 00:34:30,560 It's easier. 
812 00:34:30,560 --> 00:34:32,090 You have the software to do both at the same time. 813 00:34:32,090 --> 00:34:32,965 There's no surprises. 814 00:34:32,965 --> 00:34:35,663 So for example, in Lightning, this 815 00:34:35,663 --> 00:34:36,830 is the current state, right? 816 00:34:36,830 --> 00:34:38,870 Alice has nine coins. 817 00:34:38,870 --> 00:34:42,650 Bob can, at any time, broadcast this transaction, 818 00:34:42,650 --> 00:34:45,889 and Alice must respond and say, nope, that's wrong, 819 00:34:45,889 --> 00:34:47,457 I'm taking all these nine coins. 820 00:34:47,457 --> 00:34:49,790 And your software does that automatically, sure, but you 821 00:34:49,790 --> 00:34:54,770 have to be online and you have to be watching the blockchain. 822 00:34:54,770 --> 00:34:57,020 So surprises can happen. 823 00:34:57,020 --> 00:34:59,120 And you know there's software I'm 824 00:34:59,120 --> 00:35:02,510 working on called Watchtowers to anonymously outsource 825 00:35:02,510 --> 00:35:04,910 watching this to other people and things like that. 826 00:35:04,910 --> 00:35:06,680 But it's a downside, right? 827 00:35:06,680 --> 00:35:10,031 Fraud could occur if you're offline. 828 00:35:10,031 --> 00:35:13,850 In Discreet Log Contracts, fraud cannot occur. 829 00:35:13,850 --> 00:35:15,320 Eh, I don't want to say that. 830 00:35:15,320 --> 00:35:18,320 There's all sorts of things the oracle can do that's bad. 831 00:35:18,320 --> 00:35:20,550 But the idea if I go offline-- 832 00:35:20,550 --> 00:35:24,360 right, I'm Alice, I enter into this contract about the weather 833 00:35:24,360 --> 00:35:26,510 next week, but then I forget about it 834 00:35:26,510 --> 00:35:30,470 and I just don't even sign into my computer for a month, 835 00:35:30,470 --> 00:35:32,900 there's no risk that the wrong thing will happen, 836 00:35:32,900 --> 00:35:36,500 you know, assuming the oracle is signing correctly. 837 00:35:36,500 --> 00:35:38,510 Bob can't do anything bad, right? 
838 00:35:38,510 --> 00:35:40,280 If this is now endorsed by the oracle 839 00:35:40,280 --> 00:35:42,710 as being the correct transaction, 840 00:35:42,710 --> 00:35:49,090 if Bob broadcasts this or this, he can never take those coins. 841 00:35:49,090 --> 00:35:49,590 Right? 842 00:35:49,590 --> 00:35:52,040 It's just indefinitely stuck here. 843 00:35:52,040 --> 00:35:55,340 Alice gets her coins with no restrictions, 844 00:35:55,340 --> 00:35:57,630 and Bob's coins are just stuck there forever. 845 00:35:57,630 --> 00:36:00,830 Right, he'll never learn the key to sign with this. 846 00:36:00,830 --> 00:36:03,800 And so Alice can come back in a week, come back in a month, 847 00:36:03,800 --> 00:36:05,480 and say, oh, cool. 848 00:36:05,480 --> 00:36:08,420 Bob broadcast the wrong thing, and now I can take these coins 849 00:36:08,420 --> 00:36:10,040 at my leisure. 850 00:36:10,040 --> 00:36:12,140 If Bob broadcasts the right thing 851 00:36:12,140 --> 00:36:14,220 and then immediately takes his coins, 852 00:36:14,220 --> 00:36:15,470 Alice's coins are still there. 853 00:36:15,470 --> 00:36:17,120 Everything's fine. 854 00:36:17,120 --> 00:36:20,380 So this is, I think, a nicer timing model 855 00:36:20,380 --> 00:36:22,730 in that you don't have to be online quickly. 856 00:36:22,730 --> 00:36:27,330 Also, it's nicer in that in Lightning, 857 00:36:27,330 --> 00:36:30,180 if you're being honest and you broadcast 858 00:36:30,180 --> 00:36:32,970 the correct transaction, you have to wait. 859 00:36:32,970 --> 00:36:34,440 That's annoying, right? 860 00:36:34,440 --> 00:36:37,020 The timeout could be a day or a week or something. 861 00:36:37,020 --> 00:36:39,360 And maybe your counterparty-- you 862 00:36:39,360 --> 00:36:42,895 know, if your counterparty's online and co-operative, 863 00:36:42,895 --> 00:36:44,520 you don't have to use this transaction. 864 00:36:44,520 --> 00:36:46,727 You can just say, hey look, I want to close out. 
865 00:36:46,727 --> 00:36:47,310 I've got nine. 866 00:36:47,310 --> 00:36:48,150 You've got one. 867 00:36:48,150 --> 00:36:50,310 Let's just build a transaction sending nine to me 868 00:36:50,310 --> 00:36:52,783 and one to you, with no weird scripts or anything. 869 00:36:52,783 --> 00:36:54,950 And then Bob can say, OK, sure, closing the channel. 870 00:36:54,950 --> 00:36:55,500 Here we go. 871 00:36:55,500 --> 00:36:56,640 And we just close it. 872 00:36:56,640 --> 00:37:00,232 But if Bob's offline, which happens, Alice says, shoot, 873 00:37:00,232 --> 00:37:01,440 I have to close this channel. 874 00:37:01,440 --> 00:37:02,750 I want my nine coins. 875 00:37:02,750 --> 00:37:04,410 I broadcast this, closing the channel, 876 00:37:04,410 --> 00:37:06,165 and then I have to wait a few days. 877 00:37:06,165 --> 00:37:07,290 And that's annoying, right? 878 00:37:07,290 --> 00:37:09,420 That's not great. 879 00:37:09,420 --> 00:37:12,750 Whereas, in Discreet Log Contracts, if you're doing 880 00:37:12,750 --> 00:37:16,600 on it, let's say, I'm Alice. 881 00:37:16,600 --> 00:37:17,610 Bob seems to be offline. 882 00:37:17,610 --> 00:37:19,380 I can't contact him. 883 00:37:19,380 --> 00:37:21,360 I'd say, OK, Bob, you're not there. 884 00:37:21,360 --> 00:37:23,130 Fine, well, it was cloudy. 885 00:37:23,130 --> 00:37:24,030 I broadcast this. 886 00:37:24,030 --> 00:37:25,530 I immediately take my five coins. 887 00:37:25,530 --> 00:37:27,405 I don't have to wait at all, and the software 888 00:37:27,405 --> 00:37:28,960 does both of those at the same time. 889 00:37:28,960 --> 00:37:33,160 So this is a nicer timing model than Lightning. 890 00:37:33,160 --> 00:37:37,300 Yeah, no surprises and no waiting. 891 00:37:37,300 --> 00:37:39,550 The only time you have to wait is if the other party-- 892 00:37:39,550 --> 00:37:45,830 you know, Alice would have to wait and if Bob broadcasts-- 893 00:37:45,830 --> 00:37:48,010 let's say, Bob broadcasts this. 
Alice gets one coin immediately and nine coins after a few days. So Alice is like, well, I have to wait a little, but, hey, I get all the money, even though I was only supposed to get half. Great. There are some attacks where, for example, let's say this was like zero or like 0.001, like basically nothing, and the actual thing that happened was it was raining. And Bob's like, shoot, I got nothing, right? Fine, I'm just going to sign this. You know-- sorry-- I'm just going to broadcast this, where I get all the money. I don't actually get all the money, right? Alice is going to take this after a day. But basically, I lost everything anyways, so fine. Well, so that is an attack where if there's almost no money on one side, Bob can be a jerk and say, well, I'm going to broadcast the invalid transaction just to prevent my counterparty from getting her money immediately. She gets it all, but maybe all is pretty close to what she would have gotten anyway, so Bob has no real loss and Alice has no real gain there. And then Alice has to waste some time waiting.
So that's an attack. The easiest way to sort of mitigate that is to have this kind of construction where it's like, well, Bob still got one. Even when Bob loses, he still gets one coin back. Right, there's extra collateral in the contract. And then he doesn't want to broadcast the wrong thing to be a jerk. Yes?

AUDIENCE: So if someone broadcasts a wrong-- the wrong transaction, the correct-- if he broadcasts the correct transaction, it doesn't matter?

TADGE DRYJA: If-- well, from the network's perspective, right, so if I'm a miner looking at the Bitcoin network, I have no idea what these things mean. Right, it just says, you know, key, one coin. Other key, nine coins. You know, I just see two different transactions spending the same output. So if you see Bob broadcast this transaction, you actually do not want to broadcast this, probably, because you'd rather have all the money instead of half, even if it takes you some time. But if you have-- you're saying, OK, I'm Alice.
I broadcast this, and then Bob broadcasts this right after, you're like, oh shoot, that's a much better transaction. I would, you know, but you don't know which is going to get in because the miners have no idea what's going on.

AUDIENCE: It means [INAUDIBLE] going to be that you get your money?

TADGE DRYJA: What, sorry?

AUDIENCE: It would be in the other case where you used the attack you just talked about, where people are broadcasting, you get the money from it?

TADGE DRYJA: Oh, yeah. Yeah, so if you see that Bob is being-- the actual outcome was it was rainy. Bob sees this, and has very little money at stake, so Bob says, fine. You know what? Screw it. I'm going to broadcast this just so Alice gets her 0.001 right away, but has to wait a long time for the 9.99. Then Alice could say, uh uh uh. I'm broadcasting this, and then immediately try to spend it with a high fee. You could do that.

AUDIENCE: If I were--

TADGE DRYJA: Yes?
AUDIENCE: --to be Alice, and it's cloudy, then I would want to just wait, in case Bob made a mistake?

TADGE DRYJA: You could. Yeah, you could hope that you're-- yeah. So there's no rush, right? The oracle signs it was cloudy. You've both got those private keys. You can just wait. You know, there's no need to immediately broadcast it. And once you broadcast this, you do need to immediately spend the part that's going to you because that also has the clause that it can go to the other guy in a week, or a day. So but, yeah, and you can just leave it here. You could just leave it. Don't broadcast anything. And you're like, well, maybe he'll screw up and broadcast the wrong thing and then I'll get all the money. It's probably not going to happen, but--

AUDIENCE: The oracle never-- so the oracle just goes quiet?

TADGE DRYJA: Ah, yeah. So if the oracle-- there's all sorts of things the oracle can do that's bad. So if the oracle never signs, none of these will ever be valid, right?
So you should-- what the contract should have is a timeout where if-- you know, so if we're betting on the price-- so we're betting on the weather tomorrow, we can say, OK, well, by Monday, if the oracle hasn't signed anything, we've got a time-locked transaction that just gives us both back five coins. Or, you know, it's a wash trade. But, yeah, that can happen.

AUDIENCE: Set it to destroy the oracle.

TADGE DRYJA: Yeah, so hopefully the oracle doesn't do that. OK. But that's like, it's not the end of the world. It's like, OK, the oracle's not there, so we don't know how to execute this trade-- you know, this bet, so we just get our money back. It didn't work, and we wasted time.

Oh, OK, so some scalability fun stuff. You can do Discreet Log Contracts within a channel. So let's say you've got a Lightning channel, and if you want to cooperate-- if both parties cooperate, no transactions get broadcast to the blockchain at all. This is kind of cool. OK, so you've got these nested contracts. So this is a Lightning channel, right?
And it's Alice has 10 coins, Bob has 20 coins, and they've been making lots of different transactions. This is, let's say, the 30th, 35th state of the transaction. There's all sorts of transactions before this, but they've all been revoked by sharing private keys. And then you say, OK, well, Alice has 10 coins, Bob has 20 coins. Let's build a contract. So we both decrement our balances by five, and then we create a third output. So this is a-- it's sort of like having an HTLC where you've got-- you know, as this-- sorry, these arrows don't really line up the right way. But you've got one transaction with three outputs. Alice gets five coins. Bob gets 15 coins. And a new two of two multisig gets 10 coins. From that, you build two different-- I should make colors or something. Yeah, these are two different transactions. This is all one transaction, sorry. So from there, you say, OK, we're going to build a Discreet Log Contract that's an output in the channel. And we don't-- you know, if we want to, we can broadcast the whole thing.
Any of us at any time can say, OK, I'm broadcasting this current state of the channel, which is Alice five, Bob 15, Alice and Bob 10. And then I have these transactions as well, and I can broadcast either of those. So if your counterparty becomes unresponsive, you close the channel and close the contract. But if the counterparty is cooperative, then the oracle signs, OK, it was rainy. This now becomes valid. Both parties agree, yeah, Alice won nine coins. Bob can be a jerk and just be unresponsive, and then Alice is like, all right, fine. Close the channel. Spend-- you know, broadcast this transaction, broadcast this transaction, take the nine coins. Alice has to do three transactions in a row to do that. But if there's nine coins, you know, that's totally doable, right? You know, this to close, this to finalize the contract, and then this to sweep the money to herself before Bob tries to get it.
But if Bob's cooperative and says, OK, yeah, you won this bet and, also, we keep doing these contracts, we keep betting with each other, this is the only valid one. The other one I'm not going to broadcast. I'll never get the money. And then we say, well, Alice got nine. Alice got plus nine. Bob got plus one. We just make a new state of the channel. Right, so this was the old state, five, 15, 10. We went up a level, and now the new state is Alice gets 14, Bob gets 16, and then we revoke the old state. So the contract was built. You know, all the different terms of the contract were built. One of them became known to be valid, and then they basically deleted the whole thing and they never touched the blockchain. Right, they saw this was all descendant transactions within a Lightning channel. And now, we've got our new balances. So we can keep doing this. We can have like five of these at the same time and then keep sequentially making all these contracts. What's nice about this is no one ever sees anything.
Right, Alice and Bob know that they were betting on the weather. Nobody else can see that they were making a bet at all, right? There's no transaction that goes onto the blockchain. In the worst-case scenario, a transaction does go onto the blockchain. And if you see this get broadcast, the thing is, it's still not clear that it was a contract. It could be a channel within a channel, and there's reasons to do that. You could say, OK, this is our cold channel that we keep all the keys offline and this is our hot channel that we keep transacting very quickly. And we can do some things like that, so there's reasons to do this. But the scripts themselves, if you broadcast the transaction, look exactly the same as Lightning. It's just key A and time or key B. So this is kind of cool, I think.

OK, other-- oh yeah, I have [INAUDIBLE] Other cool things you can do, you can split the R value into an exponent and a mantissa. So it's hard to explain.
OK, so let's say I did the example with like sunny and rainy, right, but, in practice, I think people are going to use this for futures contracts, where there's a bunch of different prices. So you could say, OK, the price-- we'll put the price on this axis. Price is $1, $2, $3, $4, $5, for example. And then Alice gets money here. Bob gets money here. And it can be like that, or something where at $1 Alice gets all the money; at $2, Alice gets most of it; at $3, Bob gets most of it-- or half and half, things like that. What might happen is that there's like knock-in and knock-out, where if the price is $6 or $7 or something really high, well, all the money goes to Bob. That's just how it is. And like, you're not even sure the order of magnitude, so it might actually go $1 and then $10. Like, there might-- how do I do this? There might be like orders of magnitude where, OK, the current price of something we're betting on is $20. Right, so we actually only care about the range from $10 to $30.
We only care about-- and then, like $20, it's Alice and Bob get 50-50. We might not care about what happens if it's $0.01 or what happens if it goes to $5,000. Well, we don't care. Or we care, you know, but the thing is if it goes to $30 or $5,000, the same outcome happens. So what we can do is we can say, OK, instead of just using one R value where the oracle signs the price and we have to compute messages for all the different prices and compute s times G for all the different prices, they can say, OK, well, we've got R exponent and R mantissa. And mantissa is a weird word for the thing that's behind the decimal point. So then I can-- so exponent, you can say, OK, well, it's either 10 to the one or 10 to the two or 10 to the three or 10 to the four, and I'm going to have an R value for that, and I'm going to produce an s times G for that. And then the mantissa could be like one, two, three, four, da da da to nine, something simple like that.
So in some cases-- so, for example, in the case of 10 to the two, 10 to the three, 10 to the four-- we don't care about the mantissa. Right? If the exponent is 10 to the two, three, or four, then Bob gets all the money, right away. And if the exponent is 10 to the zero, then Alice gets all the money. We don't have to involve the mantissa at all. But if the exponent is 10 to the one, then we actually care, and we can just add the point. So we say, OK, sG equals R 10 to the one minus the hash times A. And then this is sG exponent. And then, sG mantissa is R3 minus the hash times A. And then we can just add these two points, so we say sG exponent plus sG mantissa equals the contract sG contract, and that's what we put in our contract for the keys. That way, we need the oracle to sign that the exponent is 10 to the one, and the number, you know, the base is three. OK, it was $30. So that way, it's a little extra data for the oracle to sign, but pretty small, right, an extra 32 bytes.
And then we can potentially save on a lot of these extra transactions out in areas that all end up being the same result to us. Any questions about that? Does that sort of make sense? It's an optimization. Right? You don't have to do it, but it can lead to a lot less data. Yeah?

AUDIENCE: So for the mantissa, the 1, 2, 3, 4?

TADGE DRYJA: Yeah?

AUDIENCE: Does that come from a specific decimal place?

TADGE DRYJA: Yeah. Well, it's-- the idea is the actual number is going to be R mantissa times Rx, you know, or 10 to the Rx, right? So the actual-- so if the number was 20, you say, OK, 10 to the one. R exponent's 10 to the one. R mantissa is two. If the number was 5,000, you say, OK, 10 to the three, five. And then you just release both of these. And they're independent, so that the two users can use them independently. And the most likely case is we don't care about the mantissa, we only care about the exponent. So we're only-- some of our bets only deal with the magnitude of the price.
You could also do bets where you're only dealing with the mantissa, but that seems kind of silly, where it's like, I don't care if it's $2 or $20 or $200. But anyway, if the first digit of the price starts with two, you know, is two, I win. You could do that, but probably not as useful. But yeah, and then in the extreme case, the extreme version of this would be to have bind-- you know, decompose the number being signed into binary, and then sign every bit. And then there's only two signatures possible for every bit, and then the users can sort of combine these things in any way they want. More signature data, but it gives the users a lot of flexibility.

OK. Multi-oracle, another thing you can do. So the problem is, how trustworthy are these oracles? The oracles can cheat, right. They can just easily sign that it's rainy when it's sunny. That's publicly knowable, and if they have a reputation, that hopefully hurts them. But you are trusting the oracle to sign the right thing. So maybe they want to use two oracles.
So that's totally doable. Right, you have the oracle, the A oracle and the B oracle, and you just add the two points that you come up with. And then when they both release their s values, you add those two s points, and you'll get the private key, totally easy. For n of m, there's no size increase. Right? You just-- you can pick 10 oracles, add up all those things. No one can tell. And your transactions are still really small. For n of m, it-- or usually, it's called m of n, huh? Well, anyway, there's a size blow-up because you're going to say, OK, well, I want two of three, and I have to make new transactions for all these different combinations. And so you end up having a lot of transactions. For small things, like sunny or rainy, it's totally doable. For things like where you're already hitting up against limits where, oh, we have to sign thousands of transactions for all the possible different prices, then this can get very costly. Another downside to this is if they signed different things, you get stuck.
Right? So if we say, OK, we're going to use Thomson Reuters oracle and Bloomberg oracle and we're going to use their price of oil, and then one of them signs, oh, it's $50.03 and the other signs that it's $50.05, shoot. We can't-- you know, we just used the same value for all these sG points to build all the combined points. Now, we don't have a match, so we cannot build the point-- the private key that we're looking for. So this contract either reverts. So that's another reason why you might want to decompose it this way. You could have a construction where you say, OK, we're using Bloomberg and Thomson Reuters, but for Thomson Reuters we're only using the exponent and for Bloomberg we're using both. So the idea is if there's a case where the exponent is different between Bloomberg and Thomson Reuters, our contract fails. But if the case is their exponent is the same, then we just go with the actual precise price from Bloomberg.
So in case Thomson Reuters gets hacked and they say, oh, the price of oil is $50 million a barrel and that could cause contracts to go the wrong way, then that's sort of a safety catch on there. So there's all sorts of things you can do like that. I don't know how this will actually work out. Will there be lots of different oracles? My guess is no. You kind of want them to be reputable. And you can't really make money doing it. And it's really scalable and cheap to be an oracle because, like, all you're doing is signing things. So it feels like the kind of thing that once you have a-- you know, once you get some momentum, you're just going to be this monopoly and everyone's going to use the same oracle. But who knows?

Yeah, oracle problems, so yeah, oracles can lie. They can also-- they can equivocate. Right, they can sign two different things, but then they reveal their private key.
So you might want them to post coins on the blockchain with their A, you know, that's got their regular public key A, so that if they ever do sign two of the same message, then they lose their money and everyone can try to grab it.

Yeah, what are the other things? Oh, I was going to talk about novation. We have time. Yeah, so another thing that people like to do with these types of contracts is enter into contracts and then sort of sell their position in the contract. So for example, if we were in a contract about the weather, and I look outside, I'm like, oh, it's definitely going to be rainy, so the oracle is going to sign about the weather as of noon. I'm like, it's 11 o'clock. It's going to be rainy. I want to sort of lock in my profit. And it's not exactly sure yet, so there may still be some value to the sunny position, but it's looking pretty grim for the sunny position. I might just contact my counterparty and say, hey, let's close early. Right?
1345 00:57:27,240 --> 00:57:30,180 I don't need the entire profit, but give me 1346 00:57:30,180 --> 00:57:33,060 90% of it because it's, you know, pretty rainy. 1347 00:57:33,060 --> 00:57:35,910 And they might agree to do that, but a better way to do it 1348 00:57:35,910 --> 00:57:37,320 would be to say, I'm going to let 1349 00:57:37,320 --> 00:57:40,260 someone else take my position. 1350 00:57:40,260 --> 00:57:41,640 So for example, if you have-- 1351 00:57:44,680 --> 00:57:51,600 so if you've got like Alice and Bob are in a contract. 1352 00:57:51,600 --> 00:57:57,180 And then there's like Alice gets nine, Bob gets one for sun. 1353 00:57:57,180 --> 00:58:03,240 And then Alice gets one, Bob gets nine for rain. 1354 00:58:03,240 --> 00:58:05,160 And then they say, OK, let's just do it early. 1355 00:58:05,160 --> 00:58:09,330 Bob might not be cooperative. 1356 00:58:09,330 --> 00:58:12,150 Alice wants to say, let's just get out of it right now, 1357 00:58:12,150 --> 00:58:13,950 at some, at one of-- 1358 00:58:13,950 --> 00:58:15,570 you know, a little bit less than this. 1359 00:58:15,570 --> 00:58:18,240 Bob says, no, I want to keep holding it through. 1360 00:58:18,240 --> 00:58:19,750 What Alice wants to do is say, look, 1361 00:58:19,750 --> 00:58:22,200 I'm going to replace myself with Carol. 1362 00:58:22,200 --> 00:58:25,470 Alice finds some other person, Carol, to now 1363 00:58:25,470 --> 00:58:29,160 have a Carol-Bob transaction where 1364 00:58:29,160 --> 00:58:33,050 it's the same exact contract. 1365 00:58:33,050 --> 00:58:38,130 So it'd be Carol nine, Bob one and Carol one, 1366 00:58:38,130 --> 00:58:41,400 Bob nine for sun and rain. 1367 00:58:43,920 --> 00:58:47,170 So what's nice about this is, from Bob's perspective, 1368 00:58:47,170 --> 00:58:51,322 nothing changes except the counterparty's public key, 1369 00:58:51,322 --> 00:58:52,530 which Bob doesn't care about. 1370 00:58:52,530 --> 00:58:54,150 Right? 
1371 00:58:54,150 --> 00:58:58,440 So Alice can say, hey, Bob, let's switch this transaction. 1372 00:58:58,440 --> 00:59:00,210 You have the same exact payout based 1373 00:59:00,210 --> 00:59:02,670 on the same exact signatures from the oracle, 1374 00:59:02,670 --> 00:59:04,458 so it's no change to you. 1375 00:59:04,458 --> 00:59:06,000 It's just that my public key is going 1376 00:59:06,000 --> 00:59:08,480 to change because it's actually going to be someone else. 1377 00:59:08,480 --> 00:59:10,110 And then Bob-- that way, Bob's software 1378 00:59:10,110 --> 00:59:12,000 can automatically do it. 1379 00:59:12,000 --> 00:59:15,720 This is still interactive in that Bob's keys have to sign. 1380 00:59:15,720 --> 00:59:20,550 Right, Bob needs to make a new signature spending from here 1381 00:59:20,550 --> 00:59:24,312 to go into this new two of two output, so that's new. 1382 00:59:24,312 --> 00:59:26,520 So their computer has to be on and they have to sign, 1383 00:59:26,520 --> 00:59:29,070 but you can make the computer software do it automatically 1384 00:59:29,070 --> 00:59:31,200 because there's no user interaction needed 1385 00:59:31,200 --> 00:59:34,733 in that it's like, hey, your position didn't change. 1386 00:59:34,733 --> 00:59:36,150 And then probably put in something 1387 00:59:36,150 --> 00:59:41,790 where Alice pays Bob a little extra, right. 1388 00:59:41,790 --> 00:59:45,030 Alice gives Bob a dollar or two to incentivize him to leave 1389 00:59:45,030 --> 00:59:47,285 his computer on to collect a fee. 1390 00:59:47,285 --> 00:59:48,660 You know, essentially, it's like, 1391 00:59:48,660 --> 00:59:50,952 oh, if I leave my computer on and my counterparty wants 1392 00:59:50,952 --> 00:59:53,300 to novate and switch with someone else, 1393 00:59:53,300 --> 00:59:54,270 I might make a buck. 1394 00:59:54,270 --> 00:59:57,120 And my position doesn't change, so cool. 1395 00:59:57,120 --> 00:59:59,055 So that is doable. 
1396 01:00:02,040 --> 01:00:03,710 I do not look forward to programming 1397 01:00:03,710 --> 01:00:07,543 that because that now has three different computers talking 1398 01:00:07,543 --> 01:00:09,460 to each other and they all have to do messages 1399 01:00:09,460 --> 01:00:12,387 in the right sequence and stuff, and that's not the most fun 1400 01:00:12,387 --> 01:00:13,220 part of programming. 1401 01:00:13,220 --> 01:00:19,340 But yeah, so anyway, so that's the idea of this. 1402 01:00:19,340 --> 01:00:21,140 What are some use cases? 1403 01:00:21,140 --> 01:00:24,890 I can think of some, but there's all sorts of other ideas. 1404 01:00:24,890 --> 01:00:26,720 I think it can be pretty useful. 1405 01:00:26,720 --> 01:00:28,170 You could do currency futures. 1406 01:00:28,170 --> 01:00:30,420 So I think one of the biggest would be dollar futures. 1407 01:00:30,420 --> 01:00:34,670 So right now, in CME, I think, or CBOT or one 1408 01:00:34,670 --> 01:00:38,630 of those Chicago kind of places, or both of them, 1409 01:00:38,630 --> 01:00:41,060 you can do Bitcoin futures which are 1410 01:00:41,060 --> 01:00:42,920 dollar-settled Bitcoin futures. 1411 01:00:42,920 --> 01:00:44,420 Right, so you get a bunch of dollars 1412 01:00:44,420 --> 01:00:46,070 based on the price of Bitcoin. 1413 01:00:48,920 --> 01:00:51,920 Yeah, so you can say, I want 10 Bitcoins 1414 01:00:51,920 --> 01:00:53,955 for delivery on next week. 1415 01:00:53,955 --> 01:00:55,580 And then you don't get the 10 Bitcoins, 1416 01:00:55,580 --> 01:00:57,890 but you get however many dollars those 10 1417 01:00:57,890 --> 01:01:01,550 Bitcoins are worth based on some exchange price 1418 01:01:01,550 --> 01:01:02,490 that they agree on. 1419 01:01:02,490 --> 01:01:04,157 You know, we're going to use the average 1420 01:01:04,157 --> 01:01:06,320 of these different exchanges and stuff. 
1421 01:01:06,320 --> 01:01:09,260 With DLC, you could do sort of the inverse of that, where 1422 01:01:09,260 --> 01:01:11,630 I have Bitcoins I entered into a contract 1423 01:01:11,630 --> 01:01:14,613 where I have dollars being delivered-- 1424 01:01:14,613 --> 01:01:16,460 or, sorry, I have Bitcoins, you know, 1425 01:01:16,460 --> 01:01:18,330 the dollar value being delivered. 1426 01:01:18,330 --> 01:01:21,860 So the idea is I have $10,000 worth of Bitcoin being 1427 01:01:21,860 --> 01:01:25,640 delivered to me on Friday, so if the price of Bitcoin goes up, 1428 01:01:25,640 --> 01:01:26,492 I get fewer of them. 1429 01:01:26,492 --> 01:01:28,700 If the price of Bitcoins goes down I get more of them 1430 01:01:28,700 --> 01:01:32,060 such that the amount of Bitcoin I receive on Friday 1431 01:01:32,060 --> 01:01:35,570 has a value of $10,000. 1432 01:01:35,570 --> 01:01:38,500 And that's a pretty straightforward Discreet Log 1433 01:01:38,500 --> 01:01:39,500 Contract ability, right? 1434 01:01:39,500 --> 01:01:42,747 You just need to know the price of a-- 1435 01:01:42,747 --> 01:01:44,330 it actually ends up being a lot easier 1436 01:01:44,330 --> 01:01:46,310 to think of Bitcoin as the main currency 1437 01:01:46,310 --> 01:01:49,760 and then dollars as the asset being traded. 1438 01:01:49,760 --> 01:01:52,820 So you sort of want to know the price of a dollar in Bitcoins, 1439 01:01:52,820 --> 01:01:55,130 or how many Satoshi is a dollar's worth, 1440 01:01:55,130 --> 01:01:57,320 and then you build your contract from there. 1441 01:01:57,320 --> 01:01:59,760 And so if the price of a dollar goes up, 1442 01:01:59,760 --> 01:02:01,860 you get more of these things. 1443 01:02:01,860 --> 01:02:05,120 So one side will say, OK, I've got $10,000 worth of Bitcoin 1444 01:02:05,120 --> 01:02:06,120 coming on Friday. 1445 01:02:06,120 --> 01:02:08,450 The other side basically says, I get whatever's 1446 01:02:08,450 --> 01:02:11,660 left in this contract. 
1447 01:02:11,660 --> 01:02:13,670 And that other side is essentially 1448 01:02:13,670 --> 01:02:15,740 like a more volatile Bitcoin. 1449 01:02:15,740 --> 01:02:17,810 So if the price of bitcoin goes up, great. 1450 01:02:17,810 --> 01:02:19,137 Also, you get more of them. 1451 01:02:19,137 --> 01:02:20,720 And if the price of Bitcoin goes down, 1452 01:02:20,720 --> 01:02:23,600 you're really screwed because your Bitcoin's worth less 1453 01:02:23,600 --> 01:02:26,390 and you lose most of them. 1454 01:02:26,390 --> 01:02:28,525 But I feel like people will want to do that. 1455 01:02:28,525 --> 01:02:29,900 Like there will be people who are 1456 01:02:29,900 --> 01:02:31,950 like, cool, double-volatile Bitcoin. 1457 01:02:31,950 --> 01:02:33,542 You know, where do I sign up? 1458 01:02:33,542 --> 01:02:35,000 And there's also going to be people 1459 01:02:35,000 --> 01:02:37,820 who are like, I think Bitcoin is cool, 1460 01:02:37,820 --> 01:02:41,660 but I want to anonymously and trustless-- 1461 01:02:41,660 --> 01:02:44,360 trustless, except for the oracle-- 1462 01:02:44,360 --> 01:02:48,670 you know, not so trustfully short it. 1463 01:02:48,670 --> 01:02:50,270 Right, I want to say, OK, I'm not-- 1464 01:02:50,270 --> 01:02:54,490 I sort of don't have a Bitcoin position anymore. 1465 01:02:54,490 --> 01:02:59,460 However, it's not the same in that you don't 1466 01:02:59,460 --> 01:03:01,080 know who your counterparty is. 1467 01:03:01,080 --> 01:03:03,000 It's fully collateralized at the outset, 1468 01:03:03,000 --> 01:03:05,920 so if the price of-- you know, if both parties put in 10-- you 1469 01:03:05,920 --> 01:03:08,430 know, both parties put in 10 coins, 1470 01:03:08,430 --> 01:03:11,020 20 Bitcoins is all that's ever coming out of this contract. 1471 01:03:11,020 --> 01:03:11,520 Right? 1472 01:03:11,520 --> 01:03:13,740 You can't say, hey, I want to do like a margin call. 
1473 01:03:13,740 --> 01:03:16,290 You need to put like 40 more coins in this contract 1474 01:03:16,290 --> 01:03:18,120 because the price went down. 1475 01:03:18,120 --> 01:03:21,600 Your counterparty just will say, no, I'm not. 1476 01:03:21,600 --> 01:03:23,910 So there's sort of bounded loss and gain 1477 01:03:23,910 --> 01:03:26,407 for both parties at the outset. 1478 01:03:26,407 --> 01:03:28,740 Also, because you have no idea who your counterparty is, 1479 01:03:28,740 --> 01:03:31,370 right, you can do this totally anonymously. 1480 01:03:31,370 --> 01:03:33,120 It's-- I don't want to say it's trustless, 1481 01:03:33,120 --> 01:03:35,495 because you are trusting the oracle to report the correct 1482 01:03:35,495 --> 01:03:39,100 price, but your counterparty, you don't trust at all. 1483 01:03:39,100 --> 01:03:39,600 Right? 1484 01:03:39,600 --> 01:03:41,040 You have no idea who they are. 1485 01:03:41,040 --> 01:03:43,270 You assume everything they're telling you is a lie, 1486 01:03:43,270 --> 01:03:46,940 you know, like they're trying to hack you, stuff like that. 1487 01:03:46,940 --> 01:03:49,440 So I think currency futures would be a big one, where 1488 01:03:49,440 --> 01:03:51,390 people can then buy and sell. 1489 01:03:51,390 --> 01:03:53,177 Stocks might be a big one. 1490 01:03:53,177 --> 01:03:55,260 There's a lot of issues there with insider trading 1491 01:03:55,260 --> 01:03:57,360 because if you can, now, anonymously 1492 01:03:57,360 --> 01:04:01,350 trade stock futures, I don't know, 1493 01:04:01,350 --> 01:04:03,300 that's probably something people might 1494 01:04:03,300 --> 01:04:06,690 want to do who shouldn't be doing it. 1495 01:04:06,690 --> 01:04:10,260 But it's hard to enforce because these oracles have 1496 01:04:10,260 --> 01:04:12,453 no idea that anyone is actually making contracts. 1497 01:04:12,453 --> 01:04:13,870 And if you look on the blockchain, 1498 01:04:13,870 --> 01:04:15,450 you never see the contracts. 
1499 01:04:15,450 --> 01:04:17,353 Or you might sort of be like, well, 1500 01:04:17,353 --> 01:04:19,770 is this a Lightning Network channel that closed or is this 1501 01:04:19,770 --> 01:04:22,380 a Discreet Log Contract that just executed? 1502 01:04:22,380 --> 01:04:24,630 It just looks like keys. 1503 01:04:24,630 --> 01:04:26,760 You can't-- oh, that's an important part. 1504 01:04:26,760 --> 01:04:30,120 Given, even if you're the oracle and you know what you signed, 1505 01:04:30,120 --> 01:04:33,510 the fact that you're adding these two points 1506 01:04:33,510 --> 01:04:39,005 means that unless you knew the original Alice key, 1507 01:04:39,005 --> 01:04:40,380 you wouldn't be able to tell, oh, 1508 01:04:40,380 --> 01:04:42,185 that's Alice's key plus my key. 1509 01:04:42,185 --> 01:04:44,310 Right, because you don't know what Alice's key was. 1510 01:04:44,310 --> 01:04:47,240 It never existed independently. 1511 01:04:47,240 --> 01:04:49,740 Or, oh, Alice and Bob knew it, but you didn't as the oracle. 1512 01:04:49,740 --> 01:04:51,330 And so no one will-- the oracles won't 1513 01:04:51,330 --> 01:04:56,970 know what contracts are being executed, even after the fact. 1514 01:04:56,970 --> 01:04:59,588 You can, however, prove that you used-- 1515 01:04:59,588 --> 01:05:00,630 you know, if you want to. 1516 01:05:00,630 --> 01:05:03,000 If you're Alice, you can say, hey, this was my contract. 1517 01:05:03,000 --> 01:05:04,208 I can show you all the terms. 1518 01:05:04,208 --> 01:05:08,040 And you can prove it by signing a message with the Alice 1519 01:05:08,040 --> 01:05:10,830 private key and then also showing that it's, you know, 1520 01:05:10,830 --> 01:05:14,305 this is my public key and I added it to the oracle's thing. 1521 01:05:14,305 --> 01:05:16,680 Yeah commodities, sports, there's all sorts of fun things 1522 01:05:16,680 --> 01:05:17,490 you can do with it. 
1523 01:05:17,490 --> 01:05:19,290 It's pretty general, conditional payments 1524 01:05:19,290 --> 01:05:23,580 based on any number or element from a predetermined set. 1525 01:05:23,580 --> 01:05:25,800 Cool, so any questions about this? 1526 01:05:25,800 --> 01:05:26,970 Yes? 1527 01:05:26,970 --> 01:05:29,530 AUDIENCE: So, if the public policymakers wanted to see 1528 01:05:29,530 --> 01:05:31,305 this, they absolutely couldn't? 1529 01:05:34,224 --> 01:05:36,750 It is [INAUDIBLE] encrypted? 1530 01:05:36,750 --> 01:05:39,240 TADGE DRYJA: You could talk to the oracles 1531 01:05:39,240 --> 01:05:41,700 because they'll probably be publicly-known entities. 1532 01:05:41,700 --> 01:05:45,810 And so you could say, hey, oracles, don't sign-- 1533 01:05:45,810 --> 01:05:46,740 don't sign messages. 1534 01:05:46,740 --> 01:05:53,300 I mean, yeah, but the actual counterparties A and B, 1535 01:05:53,300 --> 01:05:55,247 if it's like OTC, if it's just Alice and Bob 1536 01:05:55,247 --> 01:05:57,830 sort of talking to each other, hey, let's build this contract. 1537 01:05:57,830 --> 01:05:59,030 We both trust Bloomberg. 1538 01:05:59,030 --> 01:06:00,880 Their prices are correct. 1539 01:06:00,880 --> 01:06:03,052 It's-- you can't see that this happened at all. 1540 01:06:03,052 --> 01:06:05,510 AUDIENCE: Does Bloomberg have to be complicit [INAUDIBLE]?? 1541 01:06:05,510 --> 01:06:06,802 TADGE DRYJA: Bloomberg has to-- 1542 01:06:06,802 --> 01:06:08,390 so some oracle, someone, somewhere, 1543 01:06:08,390 --> 01:06:13,304 has to be saying, look, I'm going to sign the price of oil. 1544 01:06:13,304 --> 01:06:14,280 That's it. 1545 01:06:14,280 --> 01:06:17,103 AUDIENCE: Even if they disagree to, right? 1546 01:06:17,103 --> 01:06:18,020 TADGE DRYJA: Oh, yeah. 1547 01:06:18,020 --> 01:06:18,140 Yeah. 1548 01:06:18,140 --> 01:06:20,557 So well, so yeah, most of these transactions never happen. 
1549 01:06:20,557 --> 01:06:22,490 If Alice and Bob see that the oracle signed, 1550 01:06:22,490 --> 01:06:24,198 they don't have to actually broadcast it. 1551 01:06:24,198 --> 01:06:28,820 But they do need the oracle's public key, first, 1552 01:06:28,820 --> 01:06:31,070 to build the contract. 1553 01:06:31,070 --> 01:06:35,090 So you could try to regulate public oracles, 1554 01:06:35,090 --> 01:06:37,240 but that seems like-- 1555 01:06:37,240 --> 01:06:39,970 AUDIENCE: Assume Bloomberg's bringing in, assume that-- 1556 01:06:39,970 --> 01:06:40,530 TADGE DRYJA: Yeah, yeah. 1557 01:06:40,530 --> 01:06:41,330 But, so the question is-- 1558 01:06:41,330 --> 01:06:42,075 AUDIENCE: --they have somebody sitting 1559 01:06:42,075 --> 01:06:45,000 in the Cayman Islands who's got a software program that 1560 01:06:45,000 --> 01:06:46,640 grabs the Bloomberg feed? 1561 01:06:46,640 --> 01:06:47,610 TADGE DRYJA: Yeah. 1562 01:06:47,610 --> 01:06:50,420 The issue there is the signatures 1563 01:06:50,420 --> 01:06:52,100 are sort of usable by anyone. 1564 01:06:52,100 --> 01:06:54,230 You could say, OK, well, Bloomberg charges money 1565 01:06:54,230 --> 01:06:56,790 to provide these signatures and these public keys. 1566 01:06:56,790 --> 01:07:00,140 But if those get out, everyone knows, oh, these 1567 01:07:00,140 --> 01:07:01,245 are Bloomberg signatures. 1568 01:07:01,245 --> 01:07:02,120 You know, these are-- 1569 01:07:02,120 --> 01:07:04,460 this is the Bloomberg data. 1570 01:07:04,460 --> 01:07:07,730 We can now execute trades using this data. 1571 01:07:07,730 --> 01:07:10,670 And we do have-- so this eliminates 1572 01:07:10,670 --> 01:07:12,170 the trust between counterparties, 1573 01:07:12,170 --> 01:07:14,733 but doesn't eliminate the oracle trust. 1574 01:07:14,733 --> 01:07:16,150 But the thing is, the oracle trust 1575 01:07:16,150 --> 01:07:17,340 is sort of the easy problem. 1576 01:07:17,340 --> 01:07:17,840 Right? 
1577 01:07:17,840 --> 01:07:20,900 There's not too many cases of-- 1578 01:07:20,900 --> 01:07:23,470 you know, if you have some OTC contracts and you say, 1579 01:07:23,470 --> 01:07:25,470 oh, we're using the price according to Bloomberg 1580 01:07:25,470 --> 01:07:27,512 or the price according to the Wall Street Journal 1581 01:07:27,512 --> 01:07:30,660 or whatever, generally that works. 1582 01:07:30,660 --> 01:07:32,850 So yeah, so what you can do is, I think the place 1583 01:07:32,850 --> 01:07:37,110 that people will try to regulate is the matchmaking area where, 1584 01:07:37,110 --> 01:07:38,940 if it's OTC, and Alice just calls up 1585 01:07:38,940 --> 01:07:41,070 Bob and Alice is in the Cayman Islands 1586 01:07:41,070 --> 01:07:42,655 and Bob is in British Virgin Islands, 1587 01:07:42,655 --> 01:07:44,280 or whatever-- are those the same thing? 1588 01:07:44,280 --> 01:07:45,930 I don't know. 1589 01:07:45,930 --> 01:07:48,275 They say, hey, I want to short oil. 1590 01:07:48,275 --> 01:07:49,500 Oh, I want to go long oil. 1591 01:07:49,500 --> 01:07:52,140 OK, and we just build our contract between our two 1592 01:07:52,140 --> 01:07:54,790 computers, and Bloomberg has no idea we're doing this. 1593 01:07:54,790 --> 01:07:57,180 No one else in the world has any idea we're doing this, 1594 01:07:57,180 --> 01:08:00,180 and we have this smart contract. 1595 01:08:00,180 --> 01:08:02,190 But in most cases, people will not 1596 01:08:02,190 --> 01:08:04,110 know who they're wanting to trade with, right? 1597 01:08:04,110 --> 01:08:07,150 They want some kind of exchange where we can meet and say, hey, 1598 01:08:07,150 --> 01:08:08,870 I want to short Bitcoin. 1599 01:08:08,870 --> 01:08:09,973 You know, I want dollars. 1600 01:08:09,973 --> 01:08:12,390 And someone says, oh, cool I want double-volatile Bitcoin. 1601 01:08:12,390 --> 01:08:15,870 Let's meet, and let's make this a contract. 
1602 01:08:15,870 --> 01:08:19,452 Those exchanges will probably be more regulated, I guess. 1603 01:08:19,452 --> 01:08:20,910 You could sort of say, hey, we need 1604 01:08:20,910 --> 01:08:24,210 you to KYC all your exchange participants. 1605 01:08:24,210 --> 01:08:26,319 But even then, like if you wanted, 1606 01:08:26,319 --> 01:08:29,130 so similar to Altcoin's stuff now, you could say, 1607 01:08:29,130 --> 01:08:32,790 I'm operating an exchange out of wherever. 1608 01:08:32,790 --> 01:08:36,540 And you can't operate an oracle out of wherever, really, 1609 01:08:36,540 --> 01:08:38,380 because people won't trust it. 1610 01:08:38,380 --> 01:08:41,550 But you could say, I'm operating an exchange out of Hong Kong. 1611 01:08:41,550 --> 01:08:43,510 We don't KYC anyone. 1612 01:08:43,510 --> 01:08:45,010 Maybe we'll get shut down in a year. 1613 01:08:45,010 --> 01:08:48,870 But anyway, you can use the Bloomberg data feed 1614 01:08:48,870 --> 01:08:52,290 and enter into these contracts. 1615 01:08:52,290 --> 01:08:55,520 So yeah, it makes enforcement hard. 1616 01:08:55,520 --> 01:08:56,109 Yes? 1617 01:08:56,109 --> 01:08:57,651 AUDIENCE: It strikes me that the hole 1618 01:08:57,651 --> 01:09:00,700 here, from the public policy side, 1619 01:09:00,700 --> 01:09:06,569 is that even oracles are semi-regulated, 1620 01:09:06,569 --> 01:09:09,240 and there's been tons of fraud in oracles 1621 01:09:09,240 --> 01:09:10,247 for hundreds of years. 1622 01:09:10,247 --> 01:09:11,080 TADGE DRYJA: Really? 1623 01:09:11,080 --> 01:09:12,163 AUDIENCE: Oh, and massive. 1624 01:09:12,163 --> 01:09:14,060 TADGE DRYJA: But they seem so useful. 1625 01:09:14,060 --> 01:09:16,010 AUDIENCE: You trust too much. 1626 01:09:16,010 --> 01:09:17,010 TADGE DRYJA: So people-- 1627 01:09:17,010 --> 01:09:18,990 AUDIENCE: And you're a Bitcoin Core developer. 
1628 01:09:18,990 --> 01:09:19,710 TADGE DRYJA: Yeah, I just figured 1629 01:09:19,710 --> 01:09:21,502 that the financial system figured that out, 1630 01:09:21,502 --> 01:09:22,450 so it's whatever. 1631 01:09:22,450 --> 01:09:22,950 No. 1632 01:09:22,950 --> 01:09:23,825 AUDIENCE: Yeah, sure. 1633 01:09:23,825 --> 01:09:27,210 Wicked loads of fraud lots of years. 1634 01:09:27,210 --> 01:09:29,600 I used to run the Commodity Futures Trading Commission, 1635 01:09:29,600 --> 01:09:34,907 so we did gold, currency, interest rates. 1636 01:09:34,907 --> 01:09:36,990 TADGE DRYJA: So there, was it that the spot market 1637 01:09:36,990 --> 01:09:38,580 itself was being manipulated? 1638 01:09:38,580 --> 01:09:40,823 Or the spot market says the price is $50, 1639 01:09:40,823 --> 01:09:41,865 the oracle says it's $80? 1640 01:09:41,865 --> 01:09:43,657 AUDIENCE: We would take what the oracle was 1641 01:09:43,657 --> 01:09:47,145 publishing only because you're long or short a position. 1642 01:09:47,145 --> 01:09:49,020 TADGE DRYJA: But then, wouldn't you just sort 1643 01:09:49,020 --> 01:09:51,540 of sue people and say, hey, look, this oracle was wrong, 1644 01:09:51,540 --> 01:09:53,550 like obviously the spot price was this? 1645 01:09:53,550 --> 01:09:54,628 It's not as-- 1646 01:09:54,628 --> 01:09:55,920 AUDIENCE: We could [INAUDIBLE]. 1647 01:09:55,920 --> 01:09:58,038 It's often hard to say what is this spot price. 1648 01:09:58,038 --> 01:09:58,830 TADGE DRYJA: Right. 1649 01:09:58,830 --> 01:10:01,205 AUDIENCE: And sometimes, you come in at different places. 
1650 01:10:01,205 --> 01:10:02,670 Besides, it seems like the holes, 1651 01:10:02,670 --> 01:10:06,340 the holes here, is not so much around the oracles, which there 1652 01:10:06,340 --> 01:10:09,270 could be big holes like, somebody could just 1653 01:10:09,270 --> 01:10:11,460 become an aggregator of the oracles 1654 01:10:11,460 --> 01:10:13,490 because the CMA takes four prices, 1655 01:10:13,490 --> 01:10:15,240 but somebody sitting in the Cayman Islands 1656 01:10:15,240 --> 01:10:18,100 could say we're going to just take the same four prices right 1657 01:10:18,100 --> 01:10:20,720 [INAUDIBLE]. 1658 01:10:20,720 --> 01:10:23,490 And being crypto, settle. 1659 01:10:23,490 --> 01:10:25,260 If it's fiat, settle. 1660 01:10:25,260 --> 01:10:28,580 Just travel more ways to get into the on-ramps and off-ramps 1661 01:10:28,580 --> 01:10:30,874 to the banking system. 1662 01:10:30,874 --> 01:10:33,660 But and that's why you're seeing a lot of exchanges having 1663 01:10:33,660 --> 01:10:39,570 a hard time getting, basically, deposit accounts in banks 1664 01:10:39,570 --> 01:10:42,150 because the banking regulators around the globe 1665 01:10:42,150 --> 01:10:44,570 are trying to regulate on-ramps and off-ramps, 1666 01:10:44,570 --> 01:10:47,160 but it's harder for crypto and crypto exchange. 1667 01:10:47,160 --> 01:10:49,530 TADGE DRYJA: Yeah, crypto crypto, start a computer. 1668 01:10:49,530 --> 01:10:50,430 Yeah, you've got it. 1669 01:10:50,430 --> 01:10:51,140 You don't have to ask. 1670 01:10:51,140 --> 01:10:51,640 Yeah. 1671 01:10:51,640 --> 01:10:53,700 AUDIENCE: And you could have it, and you know, 1672 01:10:53,700 --> 01:10:57,980 so over-the-counter Cayman Islands aggregator oracles, 1673 01:10:57,980 --> 01:11:01,310 and somebody could do single-stock futures that are 1674 01:11:01,310 --> 01:11:02,817 banned in this country, so-- 1675 01:11:02,817 --> 01:11:03,650 TADGE DRYJA: Really? 
1676 01:11:03,650 --> 01:11:05,422 AUDIENCE: Single-stock futures. 1677 01:11:05,422 --> 01:11:07,130 TADGE DRYJA: Well, options aren't, right? 1678 01:11:07,130 --> 01:11:08,172 AUDIENCE: Options aren't. 1679 01:11:08,172 --> 01:11:10,760 TADGE DRYJA: So, oh, I didn't say, 1680 01:11:10,760 --> 01:11:14,150 you want to make options contracts with this, 1681 01:11:14,150 --> 01:11:16,423 you just don't give the data to one side. 1682 01:11:16,423 --> 01:11:18,590 It's basically the same construction, but like, now, 1683 01:11:18,590 --> 01:11:20,780 Alice has the option to broadcast the transaction 1684 01:11:20,780 --> 01:11:23,060 and Bob doesn't. 1685 01:11:23,060 --> 01:11:25,010 But so you can make options with this-- 1686 01:11:25,010 --> 01:11:26,452 or futures, I mean. 1687 01:11:26,452 --> 01:11:31,790 AUDIENCE: But you're not trying to subvert public policy norms. 1688 01:11:31,790 --> 01:11:33,575 This could be a gray technology, or do you 1689 01:11:33,575 --> 01:11:37,050 think that is useful for subverting public policy norms? 1690 01:11:37,050 --> 01:11:40,080 [LAUGHTER] 1691 01:11:40,080 --> 01:11:42,410 TADGE DRYJA: I think it has both use cases. 1692 01:11:42,410 --> 01:11:46,640 One of the big ones will be sort of similar to Bitcoin, where 1693 01:11:46,640 --> 01:11:49,428 it's like, hey, I can do these things that maybe I'm not-- 1694 01:11:49,428 --> 01:11:50,970 you know, people don't want me to do. 1695 01:11:50,970 --> 01:11:52,460 And in some cases, the don't want 1696 01:11:52,460 --> 01:11:56,210 me to do is just like scale in terms of like, 1697 01:11:56,210 --> 01:12:02,180 OK, I'm some guy in Thailand, and I want to go long Apple. 1698 01:12:02,180 --> 01:12:04,670 And probably, you can legally do that. 
1699 01:12:04,670 --> 01:12:06,715 But if you've got like a couple hundred bucks 1700 01:12:06,715 --> 01:12:08,090 and you're in some random country 1701 01:12:08,090 --> 01:12:13,250 and you want to go long, some US equity, 1702 01:12:13,250 --> 01:12:14,400 that's not really feasible. 1703 01:12:14,400 --> 01:12:14,900 Right? 1704 01:12:14,900 --> 01:12:16,050 Maybe you can open accounts. 1705 01:12:16,050 --> 01:12:17,220 Maybe you can try to open a foreign account. 1706 01:12:17,220 --> 01:12:18,840 Like it's-- there's a lot of friction. 1707 01:12:18,840 --> 01:12:20,340 And so with this kind of thing, it's 1708 01:12:20,340 --> 01:12:21,770 like, hey, we've got a Bitcoin. 1709 01:12:21,770 --> 01:12:23,810 I trust this price oracle. 1710 01:12:23,810 --> 01:12:25,890 OK, I'll do it with like a couple hundred 1711 01:12:25,890 --> 01:12:28,980 bucks worth of bitcoin. 1712 01:12:28,980 --> 01:12:31,870 That said, there's also cases where it's like, OK, 1713 01:12:31,870 --> 01:12:34,740 I work at Foxconn in Shenzhen and I 1714 01:12:34,740 --> 01:12:36,550 think the Apple iPhone 11 is not going 1715 01:12:36,550 --> 01:12:39,210 be any good, so I'm going to short Apple 1716 01:12:39,210 --> 01:12:41,290 using this kind of technology. 1717 01:12:41,290 --> 01:12:43,920 So there will be good and bad things. 1718 01:12:43,920 --> 01:12:48,150 You could also-- it could also be useful in cases between 1719 01:12:48,150 --> 01:12:52,140 actual regular legal Wall-Streety kind of people, 1720 01:12:52,140 --> 01:12:54,174 maybe not-- where-- 1721 01:12:54,174 --> 01:12:55,787 then again, it's good where you've 1722 01:12:55,787 --> 01:12:58,120 got like not a lot of trust between your counterparties, 1723 01:12:58,120 --> 01:13:01,660 but you do trust some kind of oracle feed. 
1724 01:13:01,660 --> 01:13:03,493 And the other thing is-- like, I have talked 1725 01:13:03,493 --> 01:13:04,993 to this sort of Wall-Streety people, 1726 01:13:04,993 --> 01:13:07,450 and they don't really like it because they're like, wait, 1727 01:13:07,450 --> 01:13:08,140 there's no leverage. 1728 01:13:08,140 --> 01:13:08,320 Right? 1729 01:13:08,320 --> 01:13:10,070 You have to put all the money you're going 1730 01:13:10,070 --> 01:13:12,280 to get in at the beginning. 1731 01:13:12,280 --> 01:13:14,530 And they always want to have it like super-leveraged. 1732 01:13:14,530 --> 01:13:18,020 You can crank up the slope. 1733 01:13:18,020 --> 01:13:20,680 So you can say, OK, we both put 10 Bitcoins in, 1734 01:13:20,680 --> 01:13:24,130 but a small difference in price, right, 1735 01:13:24,130 --> 01:13:26,110 so like a 5% movement in a price will 1736 01:13:26,110 --> 01:13:28,820 like make all the money go to one side or the other, 1737 01:13:28,820 --> 01:13:31,080 so we hit the knock-in and knock-out really soon. 1738 01:13:31,080 --> 01:13:33,340 So you can do that, which is kind of like leverage. 1739 01:13:33,340 --> 01:13:36,640 But fundamentally, it's only the Bitcoins that 1740 01:13:36,640 --> 01:13:39,880 go into the contract come out. 1741 01:13:39,880 --> 01:13:42,130 So yeah, I don't know how this will be regulated. 1742 01:13:42,130 --> 01:13:46,690 I'm working-- there's a company in Japan who's 1743 01:13:46,690 --> 01:13:49,740 interested in building this technology. 1744 01:13:49,740 --> 01:13:54,010 There's like-- it's a brokerage that's making this stuff. 1745 01:13:54,010 --> 01:13:57,610 I'm working on it with some other people. 1746 01:13:57,610 --> 01:13:59,050 We'll see. 1747 01:13:59,050 --> 01:14:00,940 I don't know how it will be. 1748 01:14:00,940 --> 01:14:03,400 Maybe people won't like it. 1749 01:14:03,400 --> 01:14:05,320 It's-- yeah. 
1750 01:14:05,320 --> 01:14:07,780 AUDIENCE: I mean, it seems to me like that's 1751 01:14:07,780 --> 01:14:09,670 one of the big things that Bitcoin's missing. 1752 01:14:09,670 --> 01:14:12,900 So if the financial system is for distributing 1753 01:14:12,900 --> 01:14:16,520 risk and [INAUDIBLE] the risk, right now, 1754 01:14:16,520 --> 01:14:18,765 I don't really do that with Bitcoin. 1755 01:14:18,765 --> 01:14:20,500 It's kind of just a transactions channel. 1756 01:14:20,500 --> 01:14:21,250 TADGE DRYJA: Yeah. 1757 01:14:21,250 --> 01:14:22,632 AUDIENCE: So this-- 1758 01:14:22,632 --> 01:14:24,090 TADGE DRYJA: I think it'll be cool. 1759 01:14:24,090 --> 01:14:25,660 AUDIENCE: --be logically, kind of the next step. 1760 01:14:25,660 --> 01:14:27,577 TADGE DRYJA: Yeah, oh I think this'll be cool. 1761 01:14:27,577 --> 01:14:28,890 I think people would use it. 1762 01:14:28,890 --> 01:14:31,230 I just, you know, it's a lot of work to program 1763 01:14:31,230 --> 01:14:32,950 and I don't, yeah, have enough time. 1764 01:14:32,950 --> 01:14:37,138 But there's other people starting to get-- 1765 01:14:37,138 --> 01:14:38,180 I don't know, it's weird. 1766 01:14:38,180 --> 01:14:40,400 It's sort of like Lightning was like three years ago, 1767 01:14:40,400 --> 01:14:41,900 and some people were like, oh, cool. 1768 01:14:41,900 --> 01:14:44,090 And then eventually, people were like, 1769 01:14:44,090 --> 01:14:46,460 oh, this is a really big deal, and let's all work on it. 1770 01:14:46,460 --> 01:14:48,170 And it might be the same with this, 1771 01:14:48,170 --> 01:14:51,830 where like no one really cares and then, eventually, people 1772 01:14:51,830 --> 01:14:55,490 will be like, oh, hey we should build this and use it and start 1773 01:14:55,490 --> 01:14:58,110 companies and things like that. 1774 01:14:58,110 --> 01:14:59,790 So hopefully, people will get into it. 
1775 01:14:59,790 --> 01:15:02,120 I think it's a pretty nice construction 1776 01:15:02,120 --> 01:15:04,130 for these kinds of things. 1777 01:15:04,130 --> 01:15:07,970 It competes-- there's things like Augur, which is-- 1778 01:15:07,970 --> 01:15:11,130 I don't think is the best idea. 1779 01:15:11,130 --> 01:15:14,670 It, like the Augur, the idea is the oracle is sort of everyone, 1780 01:15:14,670 --> 01:15:17,130 and like everyone votes on what these outcomes 1781 01:15:17,130 --> 01:15:19,710 for different things were. 1782 01:15:19,710 --> 01:15:21,645 But yeah, I don't know. 1783 01:15:21,645 --> 01:15:24,270 I don't know how far along they are in terms of their software. 1784 01:15:24,270 --> 01:15:27,880 But that was also like two or three years ago. 1785 01:15:27,880 --> 01:15:29,880 And this could be applied more broadly, 1786 01:15:29,880 --> 01:15:33,210 like where anytime you have Ethereum-type smart contracts 1787 01:15:33,210 --> 01:15:36,000 or something where you want some external oracle who 1788 01:15:36,000 --> 01:15:38,550 then can sign things. 1789 01:15:38,550 --> 01:15:41,580 And then you can use it in a way where the oracle's signature 1790 01:15:41,580 --> 01:15:43,960 doesn't show up after the fact. 1791 01:15:43,960 --> 01:15:46,990 So anyway, any questions? 1792 01:15:46,990 --> 01:15:48,381 Sounds good?