Riccardo Spagni, the lead maintainer for Monero, describes the four pillars of Monero’s privacy, makes the case for why it would still be valuable even if BItcoin were to adopt privacy, and explains the ways in which its privacy is stronger and weaker than Zcash’s. He also discusses his new project, Tari, and how it could enable a new world of natively digital assets such as tickets, loyalty points and in-game assets, and how it will relate to Monero. He also explains his view on the fact that Monero is one of the top currencies used on the dark web and appears to have been in demand by bad state actors such as North Korea. Plus, he gives us his backstory, which includes gel-based nail polish and bikinis, and the origin of his nickname, Fluffypony.

Thank you to our sponsors!

CipherTrace: https://ciphertrace.com/unchained

Altlending: https://altlending.com

Abra: Click this special link for a free $25 in Bitcoin! https://www.abra.com/unchained

Episode links:

Riccardo Spagni: https://twitter.com/fluffypony?lang=en

Monero: https://getmonero.org

Tari: https://www.tari.com

Wired article on Monero’s traceability: https://www.wired.com/story/monero-privacy/

Laura’s listener mail episode: http://unchainedpodcast.co/listener-mail-laura-answers-your-questions-on-the-markets-velocity-privacy-and-more-ep88

Unchained episode with Zooko Wilcox of Zcash: http://unchainedpodcast.co/zcashs-zooko-wilcox-on-why-he-believes-privacy-coins-will-be-used-more-for-good-than-bad

 

Episode Transcript Below

Laura Shin:

Hi, everyone. Welcome to Unchained, your no-hype resource for all things crypto. I’m your host, Laura Shin. If you’ve been enjoying Unchained, pop onto iTunes to give us a top rating or review. That helps other listeners find the show. Here’s a pause for the ads. My guest today is Riccardo Spagni, a.k.a. Fluffy Pony, as you may know him on Twitter. He is the lead maintainer of Monero. Welcome, Riccardo.

Riccardo Spagni:

Thank you very much for having me, Laura.

Laura Shin:

You have an incredibly fascinating background. It’s one of my favorite back stories in all of crypto. Tell us what you were doing before you got into Bitcoin and how you got into it.

Riccardo Spagni:

You know, now that you’re putting me on the spot, I feel like I should change it up and be like, “I was a superhero, and then I quit my life of crimefighting to, like, get into Bitcoin.”

Laura Shin:

Well, if you did that, I would just tell everybody that that’s not true, so…why don’t you stick with the real story?

Riccardo Spagni:

Cool. So, I’ll stick with the truth then, in the absence of an interesting lie. No, I’ve been a developer for most of my life, eventually worked my way up to quite a senior position at a listed company in South Africa, and I did not enjoy that for a number of reasons. I felt that corporate just wasn’t a good fit for me, and the way we treated employees, and the way we didn’t value them really had an effect on me. So, after a couple of years at that, I quit and started an import/export business with my wife, or my girlfriend at the time, and that ended up becoming quite successful.

I wrote all of the back-end systems for that, which I think contributed, at least I hope it contributed to its success, and along the way, we took on a bunch of staff. We eventually took on a general manager to manage operations, and I found myself in a position where I was largely non-operational, and that freed me up to do other things. And I discovered Bitcoin, and this was early 2011. I read an article on Slashdot that was about a Google engineer who had, was, he was either writing or had finished writing a library for Bitcoin, and I was like, “Well, if a Google engineer thinks it’s interesting, maybe it is interesting.”

And I sort of went down the rabbit hole, started with mining Bitcoin, which I think is a journey that a lot of people take. They sort of look at mining, and they go, “Well, this is a way to earn free money,” which it isn’t, but your brain tells you that, and went from that to really poking holes in Bitcoin, because I felt that its claims as to security and robustness were not entirely valid. And so, I spent a lot of time proving it to myself, and writing, you know, sort of theorizing about Sybil attacks, and even writing tools to try and attack the network.

And through the process, I learned a lot about Nakamoto Consensus. I learned a lot about the robustness of proof of work, and eventually led, this led to me getting really interested in the ecosystem, the mining ecosystem as well as the burgeoning ecosystem as a whole. And eventually, I started a bunch of things along the way. Some of them are still going. Some of them were crazy ideas that crashed and burned, and you know, did a lot of experimentation with, like, ways for, to enable people to earn Bitcoin, and eventually in 2014 discovered Monero, just before it was launched, when it was pre-announced, and got involved with Monero from day one.

Laura Shin:

Well, so, there’s a piece in there that I feel like you left out, which is what I find so funny and interesting, but wasn’t at least a piece of the business that you ran with your wife, one of it was bikinis, and the other was gel nail polish?

Riccardo Spagni:

Yeah, good memory. So…

Laura Shin:

Well, I save my interviews. It’s not like I…

Riccardo Spagni:

Clearly.

Laura Shin:

…was working from memory, although those were such good details, that yeah, I probably did remember them.

Riccardo Spagni:

So, yeah, so, with the import/export business, our main product lines, our two biggest product lines were gel-based nail polish systems and bikinis. And I would often joke with people that, like, I know more about nail polish, gel-based nail polish in particular, than I think, like, most men on the planet. And like, with the bikinis as well, you know, like, I took a sincere interest in bikini design, which I think a lot of men would. And it is kind of weird having your wife walk in and you looking at pictures of girls in bikinis, and she’s like, “What are you doing? That’s not a design that we have.”

And you’re like, “Yes, this is a design that we want,” and she looks at it, and she’s like, “Oh, you know, this design is terrible,” and you’re like, you start having a debate about bikini design. That’s not a conversation that most couples have, so, it was interesting.

Laura Shin:

Yeah, and I mean, I feel like even if that were a conversation that most couples would have, like, you wouldn’t expect that then also they would be the same couple that would be talking about, you know, cryptography and privacy…

Riccardo Spagni:

Yeah.

Laura Shin:

…and digital currency. So, yeah, that is a piece of your story that I love. As you mentioned, you did not found Monero, which I think a lot of people think of you as the founder, but obviously, as you just mentioned, that’s not true. So, tell us how you came to be the lead maintainer for Monero.

Riccardo Spagni:

Sure. So, Monero was started by a guy called thankful_for_today, obviously not his real name, and…yeah, just in case anyone was wondering. And thankful_for_today, at the beginning, was fine. The first few weeks, he was like a benevolent dictator, everything was great, and after, like, a relatively short period of time, I mean, I’m talking, like, three, four weeks, he just started being odd and not listening to the community. So, the community would say, like, “Oh, we think that such-and-such should happen,” and he’d sort of put his foot down and be like, “No, we’re not doing it that way.”

And it culminated in a decision where he wanted Monero to be merge-mined with another coin called BiteCoin, which was like a giant scam, and the community was like, “No, we don’t want to be merge-mined with a giant scam.” And he was like, “Well, tough, that’s what’s going to happen.” And with the massive community outcry amongst all 25 members of the community at the time, it was kind of like, you know, it was do-or-die time, and myself and six others decided to fork the software, and to have a Pareto-implementation that would not, if he decided to go ahead and make Monero merge-mined, the Pareto-implementation would not have that.

And you know, to his credit, he ran his implementation for a few months, like six months, but then eventually gave up and abandoned it, and disappeared, and hasn’t been seen since late 2014, early 2015.

Laura Shin:

Interesting. I guess this is a lesson to all crypto creators who don’t listen to their communities. So, many of Monero’s developers are anonymous. How did you decide to make yourself the face of Monero?

Riccardo Spagni:

That’s a good question. I didn’t decide to make myself anything. I guess…

Laura Shin:

Well, I mean, you’re publicly known, like, people know who you are. They could recognize you in the street.

Riccardo Spagni:

Yeah. So, you know, my interest in Monero was primarily, at the time, and still is, ideological. I have a belief in privacy as a basic human right, and I was interested in this technology that could advance that, that could enable people’s privacy, especially those who were in places and in situations where their privacy was taken away from them. And I found it very interesting from that perspective, and very empowering, and I, I guess part of me felt that a privacy technology like Monero would struggle to make inroads unless there were at least some people that were not pseudonymous.

And that was a contributing factor, and another part of me just felt that, like, from an ideological stance, like, what’s the worst that can happen? You know, if a government that is anti-privacy tries to take you out, you just become a martyr. So, it’s not really in their interest to do that. That’s not to say that everyone that’s working on a privacy technology should use their real name, but I didn’t feel that it was high-risk, and I did discuss it with my wife beforehand, and she agreed with me that there were risks, but they weren’t high enough so as to worry.

Laura Shin:

That’s interesting. Yeah. I mean, if you piss off the right state actor, or the wrong, I guess you could say, state actor, then…

Riccardo Spagni:

Depends on your point of view.

Laura Shin:

…yeah, then you definitely do run a risk, but something that I find interesting is, you know, you talked about how you think privacy is so important, but do you think most people view privacy as important, because I feel like from what we see in people’s behaviors and their reaction to certain big news events, like the Edward Snowden revelations or this Facebook/Cambridge Analytica data breach, and other things, it feels like people don’t really care about it. Do you agree with that, and if so, how do you make them care about it?

Riccardo Spagni:

Yeah, I absolutely agree with that. I think that people are largely apathetic, which is sad. They’ve got this worldview where, and it’s not their fault, but they’ve been slowly suckered into believing that you can have access to a bunch of services on the internet for free, and that that’s a good thing. And what they don’t realize is that they are paying for the services, they’re just paying for the services with their data, with their information, sometimes with their intimate information. And you know, I joke about this, that people will gladly give over, like, all of their photos and all of their personal information as long as they can carry on playing Farmville.

And it’s sad, but true that people are, they just do not even realize it, and I think, like, things like the Cambridge Analytica breach and all of the breaches have, there is a growing group of people who understand why privacy is so important, but by and large, the general internet-using populace either doesn’t know or doesn’t care.

Laura Shin:

Yeah. So, this is something, yeah, I feel I am aware of, because as a journalist I’ve written about how dangerous it is if your data gets out there and in the wrong hands, but yeah, I don’t now how to make people care about it, because I literally just a few weeks ago was on this panel, and one of the other panelists said, “I don’t care about privacy. People can have my data.” And I was like, “Oh my God, like, you do not know what you’re talking about.” But anyway, one other thing that I wanted to ask about is, obviously Monero’s main distinguishing feature is the fact that it offers privacy.

But a lot of people have been talking about the potential for Bitcoin to adopt privacy, and their interest in Bitcoin adopting privacy. So, if that happens, then what would the use case be for Monero?

Riccardo Spagni:

That’s a good question. So, I guess I have two views on this. The first is the view as it pertains to Bitcoin adopting privacy. I’m a firm believer in Bitcoin’s success. I think any effort to enhance Bitcoin’s privacy is A, sorely needed, and B, will invariably, if done, you know, it’s added to the core part of the protocol, will definitely be a feat of excellent engineering. The problem is there is a significant number of Bitcoin users who believe that adding privacy to Bitcoin will be bad, that Bitcoin has only been accepted by regulators because of its transparency and traceability, and they might be right.

It could be that trying to switch it up and make Bitcoin, or enhance Bitcoin’s privacy is bad, and you know, from a regulatory perspective, and regulators are just going to use that as a reason to stomp on Bitcoin. Now, successfully or unsuccessfully, doesn’t really matter. They would still be an annoyance, and maybe even a hindrance to most people. On the flip side of things, you know, let’s assume that despite all of this, Bitcoin does add privacy, and when I say “add privacy,” I mean they add privacy in a manner where it is, like, it’s mandatory, where, maybe not initially, maybe like segued, it grows over time.

But the idea is that eventually, within a couple of years, every transaction will be private, and will have this extremely high level of privacy, such that Bitcoin is fungible, and whilst technically you might still be able to make non-fungible transactions, they will be, you know, they will be frowned upon. They will be the odd one out. If that is the case, and if this does happen, I believe that Monero’s existence is still interesting and important for two reasons. The first is that Monero has gone places and will go places that Bitcoin cannot go right now, due to the lack of privacy.

And so, Monero will have made inroads already in places like Venezuela, and in countries with oppressive regimes, and at that point where Bitcoin has added privacy, it will not necessarily be an easy switch-over for the people that are in the ecosystem. The second thing is, Monero presents a, in many ways presents almost like a back-up plan for Bitcoin. So, Monero isn’t based on Bitcoin’s code, which means that it has its own bugs, its own flaws, its own issues. It has different types of cryptography. It has a different elliptic curve, which is relevant to the cryptography that’s in use.

And I think that that’s important as a technical hedge against critical failures in Bitcoin’s design decisions, or in its cryptography choices. That’s not to say that Bitcoin couldn’t change or adjust or, you know, modify any of those, but that in the interim, whilst they are deploying such effects, there would at least be something that people could flee to as a store of value before being able to switch back later on.

Laura Shin:

To continue this kind of, like, comparison that I want to make with some of the other options out there, Zcash makes privacy optional, so that only certain of the Zcash transactions are private. Why is Monero private by default? Is it important for every transaction to be private?

Riccardo Spagni:

Yes. So, the trick with privacy is, you want to be lost in the crowd. Now, if you’re a bunch of people getting out of a bus, and there are policemen standing there, and they’re looking for the guy with the orange hat, and people get out of the bus, but there are only ten of them getting out of the bus, then it doesn’t matter, even if everyone’s wearing an orange hat. You can just arrest all ten of them, and then figure out which of the orange-hatted people is the culprit. But now, if the bus doors open and tens of thousands of people pour out, and they’re all wearing different-colored hats, now it suddenly becomes impossible.

It’s not a task that anyone can practically approach. So, Monero’s biggest advantage is in the size of its anonymity set. And so, that means that whilst in certain aspects Monero’s privacy might be weaker than Zcash’s, the fact that there are so many more users, and there is a bigger groundswell of support, means that the anonymity set is significantly larger. It also doesn’t mean that you can’t have transactions that are non-private with Monero. So, you can, for example, reveal the details of a particular transaction in order to prove that you sent money to somebody, and you can do that by revealing the details of that transaction just to a third party, so, like, to an auditor.

You could also reveal those details publicly. If somebody called into question publicly on Twitter whether you made a certain payment, you could cryptographically prove that you did without compromising the rest of your privacy. Monero also has something called a view key that lets you reveal details about your entire wallet. And again, this is something that you might reveal to an auditor, to the tax man, but you wouldn’t, you don’t want to necessarily reveal it publicly unless perhaps you’re a charity, and the view key allows you to do that.

So, there is default privacy, mandatory privacy, but it is opt-out. So, if you need to opt out of it, you can do so at any time, publicly or to a third party, with no impact on anyone else or on you, and without putting your wallet at risk for, you know, somebody being able to spend the funds.

Laura Shin:

Yeah, this is interesting. I like how you also described how it could be, or at least the view key could enable Monero to still, I guess, not be frowned upon by the government, if you’re kind of enabling others, like the tax man, as you said, or an auditor to look at transactions. So, let’s actually, at this point, dive into the technology a little bit. Why don’t we talk about all the ways in which Monero is private, like, the different types of data that are private in Monero? What are they?

Riccardo Spagni:

Sure. So, Monero focuses on four different aspects of privacy, and the first one is being able to protect the person who’s sending the money, so, being able to hide where the transaction is coming from, and it does this using something called ring signatures. Now, I mention this first because this is the only aspect of Monero’s privacy that we would generally consider weak, as respects to privacy, because the way it does this is by choosing, every transaction chooses a number of old transactions on the blockchain, and then that transaction appears to come from one of those, that group of transactions, that ring of transactions.

But you can’t figure out which one it is, ostensibly. The issue, of course, is people typically receive money and spend it quite quickly, and so, the act of choosing those decoy transactions can sometimes reveal which of them is the real transaction that’s being spent, where the money’s coming from. Over time, we’ve improved the way these are selected. The Monero Research Lab in particular has spent an inordinate amount of time thinking about ways to improve the output selection algorithm, and we’re at a point now where it is, I think, reasonably, it’s probably as good as we’re going to get.

It matches people’s spending patterns reasonably well. Transactions look pretty uniform, or the output selection looks pretty uniform, at any rate, and there’s not much more that we can do to improve that. There is, however, going to come a time where we will want to replace that with something else that truly obfuscates, truly hides where a transaction is coming from. So, that’s pillar one.

Laura Shin:

And just to…

Riccardo Spagni:

Yes?

Laura Shin:

…to have you explain a little bit further, so, when you say it’s fairly easy to pick out which other transactions is the actual one and not the decoy, is that because it’s generally the most recent?

Riccardo Spagni:

Yes. So, this was a particularly bad problem early on in Monero’s history, where the transactions were picked uniformly across the blockchain, and it was almost always the recent one. No one was spending money from, like, you know, six months ago or a year ago. So, that was an extremely naïve decision on the part of Monero’s creators. That was relatively quickly changed, and through a series of relatively rapid improvements over a few years, we’ve eventually gotten to a point where the output selection algorithm now includes a number of recent transactions.

So, it’s not as clear-cut as, “Oh, just pick the most recent one.” It is significantly harder now to perform any sort of tracing on Monero.

Laura Shin:

But an article I read about this said that, so, before it was about 90 percent of the time that they could figure out which transaction was the real one, and then, the article, this was in Wired, I’ll link to it in the show notes, it said that now it’s about 45 percent of the time they can figure out which one it is. Is that still the case? This article is, you know, not super-recent, so, I was wondering what it is now.

Riccardo Spagni:

Sure. So, the Wired article specifically focuses on transactions that were pre-Ring CT. So, Ring CT is another technology I’ll talk about in a bit that created uniformity of amounts, where before you had to mix with denominations that were the same as yours, and it was a nightmare, and would often leak a lot more information than anything else. So, by removing that and by having this uniformity of amounts, then you’re able to choose any output, and so, that drastically changed things. At this point in time, it’s anyone’s guess.

There’s no published research on modern Monero, and on how traceable the transaction graph is. That said, even the stuff that the Wired article, the period of time that the Wired article is focusing on, their 90 percent is not an absolute, it’s guesswork. So, they’re saying we can guess the correct output in 90 percent of transactions, because there is a recent one, but that obviously ignores the fact that you have plausible deniability. If someone had to somehow trace back and say, “Oh, this came from an exchange, and leads to you, and there’s, you know, the possibility is one in ten,” you can say, “Well, it’s not me. Go ask the other nine people.”

And that’s sort of where the trail ends, because there’s no cryptographic proof that it’s you. It’s merely a guess that it could be you.

Laura Shin:

Okay. All right, so, yeah, let’s move to Ring CT, Ring Confidential Transactions.

Riccardo Spagni:

Sure. So, confidential transactions, Ring CT is basically a way to hide transaction amounts. And so, this is the second pillar, and this is obviously not done through something that involves obfuscation, or guesswork, or anything like that. This is absolute. So, it uses something called cryptographic commitments, and basically, what happens is that commitment represents your amount without revealing your amount. And it is a extremely robust, extremely reliable way of doing this. Commitments are not a new type of cryptography. They’ve been around for decades, and this is an extremely strong aspect of Monero’s privacy. It absolutely hides amounts.

There is no way to try and attack that. It’s like your amount is encrypted, and no one can decrypt it unless they have the decryption key. And this is obviously enabled for all Monero transactions, and has been for several years, and that means that at the very least, Monero would obscure the amount that you’re transacting, even if everything else had to fall apart.

Laura Shin:

I think in this regard, this is maybe where it’s most similar to Zcash. Am I right in thinking that?

Riccardo Spagni:

Well, Zcash also does all of these. It also focuses on the first three pillars that Monero focuses on, and it does so in, you know, like, in terms of obscuring where transactions are going to, in terms of obscuring the transaction amount, it has the same strength, I guess, is probably the best way to describe it, when it comes to how private it is. The only aspect where it is much stronger is in the hiding the transaction graph, so, where transactions are coming from.

But it’s important to note that with Monero, where these three pillars are applied to every transaction, with Zcash they’re only applied to a special type of transaction, where you’re going from a z-address to a z-address. Otherwise, Zcash is as traceable as Bitcoin.

Laura Shin:

Yeah. I recently did a listener questions episode, so, for people who missed that, I did note that only 13 percent of transactions are shielded, and that less than one percent are shielded-to-shielded transactions. So, yes, as I told Zuko in my interview with him, I thought it sounded like a sudoku puzzle. But anyway, we’re going to keep discussing how Monero works, plus talk about Riccardo’s new project, Tari, but first I’d like to take a quick break for our fabulous sponsors. Here’s a pause for the ads.

I’m speaking with Riccardo Spagni, a.k.a. Fluffy Pony, of Monero. Let’s also talk about, well, you tell me. I wanted to maybe talk about Kovri, would that be the next piece of Monero’s privacy?

Riccardo Spagni:

Almost. Before we get there, the third thing, the third pillar that we haven’t touched on is hiding where a transaction is going to, and that Monero does using something called stealth addresses. In particular, it uses dual-key stealth addresses, and this is, again, a very strong form of privacy. There is no way for you to look at a destination for an output on the Monero blockchain and be able to somehow determine what the actual Monero address was that was getting paid.

So, this is an extremely strong part of Monero’s privacy, and it means that no one can link your Monero address to transactions in the blockchain, whereas obviously with Bitcoin, if someone has your Bitcoin address, they can go and look it up on the blockchain, and see all the transactions that have occurred. And in this case, again, you know, I mean, this is similar to, with Zcash, a z-address paying a z-address. You can’t see what that z-address is.

Laura Shin:

Okay, and then…

Riccardo Spagni:

The fourth pillar. So, the fourth pillar that you were alluding to earlier is obscuring the IP address that a transaction originates from. Now, this is something that is largely overblown, because actually figuring out the IP address that a transaction originates from is a very difficult task. It requires that you run thousands or even tens of thousands of nodes on the network, and that they’re all recording the exact time when they first saw a transaction. And then, through the process of deduction, you’ll be able to figure out that this is where the transaction originated from, because this node saw it from that IP address first.

It’s an extremely expensive attack to carry out, and it’s, you know, I mean, I can only imagine that it is potentially worthwhile to carry out against Bitcoin right now, but it’s also easily defeated, because as an example, I can use something called Push-TX, which a lot of block explorers support, and I can go visit that block explorer on the web. I can take my raw transaction that, from my Bitcoin wallet, and I can plug it into the Push-TX dialogue box, and hit Send. And then, the originating IP address is that block explorer, not my computer.

So, this attack is not only expensive and difficult to carry out, but it’s also largely useless because it is trivially mitigated by anyone with half a brain cell, and it doesn’t require any expensive tools or any fancy technology to mitigate it. You can mitigate it without even using Tor. So, it’s really, it’s totally overblown. At the same time, we obviously realize that there is a very small risk that an attacker could carry out such an attack, if they genuinely wanted to figure out where some future Monero transaction originated from. And so, the Monero community has been working on various technologies.

We’re very interested in Dandelion, which is a technology that is hopefully coming to Bitcoin, to try and reduce this risk. We’re also interested in Tor. We’re adding supports to Monero, native support to Monero for Tor, so that you can use the Tor network without, to broadcast your transactions without needing to download a whole separate thing. And then, we have the Kovri Project, which is adding I2P support to Monero. I2P is a network, hidden services network that is similar to Tor. It’s also quite old.

It’s been around for many years, and the biggest issue with I2P is that the rooting software is written in Java, which is obviously an additional dependency that we don’t want people to have to run. And so, Kovri is a project that is rewriting the I2P router in C++ specifically, for general use, but also specifically to add I2P support to Monero at some point.

Laura Shin:

And when do you think that will be completed?

Riccardo Spagni:

That’s a good question. So, native Tor support is coming pretty soon. There’s a Monero developer, contributor, Lee Clagett, who has started work on that in earnest, and I expect that he’ll probably have that buttoned up in the next couple of months. Kovri had its alpha release recently. The alpha release happened in August, I think it was, when we were at DEF CON, and it’s probably got, like, I don’t know, I’d imagine another six to 12 months before it reaches any sort of stability, and we can look at integrating it natively as well into Monero.

Laura Shin:

So, how can users of the system be sure that there isn’t double spending or counterfeiting going on?

Riccardo Spagni:

So, the same way that it’s prevented with Bitcoin. There’s validation rules in place to ensure that a transaction can only be mined once, and that an output can only be spent once. And so, for every output, when it gets spent, it produces something called a key image, and that key image is unique to the output that’s being spent, and it is, it can be validated as definitely being part of the ring signature, and it can also be validated as being unique.

You know, you can, you check the whole blockchain to make sure it hasn’t existed before, and that’s all part of the Monero software, and it’s all done automatically, to ensure that there aren’t double-spends.

Laura Shin:

And when I’m looking at a Monero block explorer, what exactly, what info does it show me, and what information does it not show me?

Riccardo Spagni:

Good question. So, when you’re looking at a Monero block explorer, you can see the structure of the data. You can see that there are blocks. Each block has a block header that contains various pieces of information about the block. Each transaction has a transaction header that contains some basic information about the transaction, such as the transaction ID. And there are inputs in the transaction, and most block explorers, in fact, all of them, really, let you see the ring signature on each input, and you can see the number of members in the ring signature, and you can see which old transaction it links back to.

On the output side as well, you can see the destination that is being paid, which, like I said before, is like an encrypted version of your Monero address, such that each one, each time is unique, and even if the same Monero address is paid multiple times in a transaction, that destination will always look different. That’s the whole stealth addressing thing. So, you will see the destinations. You will not be able to see amounts. A block explorer can show you the range proofs, if they’re interesting.

The range proofs are these things that let us confirm that the amounts are positive, that they’re greater than zero, so that we can go, “Oh, the total number of, the total commitment output’s less than total commitment inputs,” balances out, and so we know that no new Monero is being created in a transaction. Otherwise, you could use negative amounts to create magical Monero out of thin air.

Laura Shin:

You have also talked about adding MimbleWimble, which I guess is now also being called Grin, to Monero, but I’m not sure if I fully understand what this is, because Grin now is going to be its own blockchain with its own cryptocurrency. So, how would you do this when, and also, why would you do it when you already have so many privacy features?

Riccardo Spagni:

Sure, so, that’s a good question. So, MimbleWimble is a technology, has multiple implementations. Grin is one of them. There’s another one called Beam, like a beam of light, and I believe there’s some others that are interested, or that people are interested in writing. At Monero, we’re interested in MimbleWimble not as a base layer, but as a sidechain, because whilst it has weaker privacy than Monero, it has much stronger scalability, significantly better scalability.

So, a sidechain, a MimbleWimble sidechain would be advantageous, because people could go, “I need maximum privacy, I need maximum privacy, I need maximum privacy. Okay, I’m now going to do my daily spending, so I can take a bit of a hit on privacy, but I need that scalability. I need faster transactions, I need to take up less space on the blockchain for buying groceries.” And so, that’s really the idea, and this is kind of a nice segue, because there’s another MimbleWimble implementation that is being written, and that is Tari.

So, Tari Labs is writing a MimbleWimble sidechain for Monero, a merge-mine sidechain, which will allow people to do this.

Laura Shin:

And actually, before we move to Tari, I know that you guys also recently added something called Bulletproofs that make Monero more scalable. So, what are those, and how do they work, and how is that different from MimbleWimble?

Riccardo Spagni:

Sure. So, those range proofs that I spoke about earlier, that prove that a commitment in a transaction is above zero, is a positive number? Those range proofs are pretty big, physically, like, in terms of the amount of space it takes up on disk, and the amount of space it takes when broadcasting the transaction over the internet, but they’re essential. They’re an essential part of the transaction. And so, Bulletproofs is a range proof that is more compact than the ones that we were using.

And so, it just allowed us to reduce Monero’s transaction size by about 80 percent, because Bulletproofs are such a, sorry, range proofs were such a significantly large part of Monero transactions. So, Bulletproofs have given us much smaller transactions, but that’s all it’s really done from a scalability perspective. It hasn’t significantly changed Monero’s scalability properties at all.

Laura Shin:

And then, actually, one last question before we talk about Tari. I did want to ask a little bit more about the view key. You mentioned two of the ways that that might be useful, was for auditing or for tax purposes. What are some of the other reasons why the view key is important, or ways in which it could be used?

Riccardo Spagni:

Sure. So, one of the things that I often talk about with view keys is charities. So, a charity can claim that they received a hundred Monero in a year, and meanwhile, they actually received 150, and they’re skimming 50 off the top. But if they are forced to publish their view key, then there’s no way for them to lie about that. So, it’s an important, it could play an important role in transparency, and one wouldn’t normally associate transparency with Monero, but you know, there’s a way that Monero can be both private and transparent at the same time.

Similarly, it could be used, you alluded to this earlier, it could be used by a government that says, “Oh, you know, for Monero transactions above a certain value that you’re withdrawing from an exchange, we need your view key, so that we can, you know, make sure that you aren’t, that you’re not doing anything nefarious,” or whatever, “that it’s definitely going to your wallet and you’re not withdrawing it to a wallet under somebody else’s control, where they might use it for nefarious reasons, or money laundering,” or whatever.

Laura Shin:

Yeah, or to make sure that you’re paying your taxes.

Riccardo Spagni:

Yeah, absolutely. You know, is the amount of money you’ve claimed to have earned in the year the actual amount of money that you’ve earned, if you’re being paid in Monero?

Laura Shin:

Right. Yeah, which is kind of interesting, because I feel like everybody, like, when I was kind of doing some research before this episode, I did see people literally asking on places like Quora how to use Monero to evade taxes, or things like that, which is kind of funny. But anyway, so, let’s actually now talk about Tari. What is Tari?

Riccardo Spagni:

Sure. So, Tari is a decentralized, well, not is, Tari will be a decentralized assets protocol, when it is completed. We hope it will be, anyway. If it ends up being something else, if it ends up being a giraffe, then we obviously haven’t done a very good job of building it. But the aim…

Laura Shin:

But you’ve made something cute.

Riccardo Spagni:

…is for it to be a decentralized assets protocol. Yes, you know, Tari the giraffe, then we’ve done well, and we’ve learned a lot about genetic engineering along the way. Yeah, so, I guess the best way to think of Tari is as, like, it’s kind of like Counterparty. So, in some ways, we view it as, like, the spiritual sister to Counterparty. So…

Laura Shin:

Just explain what that is for people, yeah, who don’t know.

Riccardo Spagni:

Yeah, sure. So, Counterparty is built on top of Bitcoin, and it enables the creation, the transfer, and the modification of assets. So, digital assets are things like in-game assets, so, you know, you can have a game like CryptoKitties, where you have, like, digital collectibles in that game. Obviously, digital collectibles on their own can be an asset class. So, maybe somebody creates a set of trading cards, and now you can represent them in a, on this decentralized permission-less platform. Similarly, things like loyalty points, tickets, in-game currencies, security tokens, ICO tokens, utility tokens, DRM tokens.

These are all things that are natively digital assets. A digital asset is not when somebody has a physical thing and they try to represent it on some sort of chain. So, a digital asset is not something like, “Oh, I’m going to take a piece of property and cut it up into a thousand pieces, and represent that on chain, and then everyone can own a piece of my property,” because no, you still own the property. Everyone owns a piece of an entity that owns the property, maybe, but you still own the property. The same goes for people who are going, “Oh, we’re going to decentralize gold ownership by representing the ownership of gold bars on chain.”

No. The person who physically has the gold bars in their safe, they’re the ones who own the gold bars. Everyone else are suckers who bought a token that they think might represent that. So, and that’s just to, I think it’s important to clarify, because people often think of “asset” as, like, “Oh, property is an asset,” or you know, “There’s liquid assets, and there’s movable and immovable assets,” and they’ve got all these ideas on what an asset is.

But when we talk about digital assets, we mean things that are natively digital, or things that can be represented in a natively digital way without the need for a physical component, or where the physical component is merely a representation of the digital thing, not the other way around. So, yeah, that’s what Tari is, or will be, or could be.

Laura Shin:

So, there are other protocols that are doing something similar. CryptoKitties, I guess, is an obvious example, where you have these natively digital assets. So, how does Tari differentiate itself from some of the other ones, and you know, in the ICO craze there were, I know, a few ICOs that were tackling things like ticket sales. So, how are you guys different?

Riccardo Spagni:

Sure. So, Tari is very different, is that Tari is, in this case, like a base layer protocol. So, it’s not just slapping something on top of Ethereum and hoping that Ethereum’s going to solve all the scalability issues. It’s not, you know, doing anything like a very narrowly-focused technology where we’re only focused on loyalty points, and this is loyalty chain, or whatever.

This is a general-purpose decentralized assets protocol, and so, that means that it can be used for all of these different types of natively digital assets, and it is designed to be fast, and it’s designed to be scalable, and it’s designed to really speak to the needs of the digital asset issuer, because where a cryptocurrency is not issued by a, or shouldn’t be issued by a single centralized party, a digital asset is normally issued by a single centralized party. And yet, at the same time, there’s advantages to having it decentralized thereafter.

As an example, in this decentralized world, you can have an asset issuer that issues, let’s say loyalty points, so Emirates. Emirates issues loyalty points, and they give me loyalty points because I fly a bunch, and I fly with Emirates. But I don’t really care about my loyalty points, they’re a gigantic waste of money, and so I go, “Hmm, what I’m going to do is use my loyalty points for something else.” So, Emirates will let me buy, I don’t know, a massage, or a room at a hotel, neither of which is very exciting.

But what if I could sell those loyalty points to somebody else, either for money, or trade those loyalty points for something else, like, “Oh, the latest skins for ‘Fortnite,’” and now I’m able to put those loyalty points to work in a way that I could never do if I was within Emirates’ walled garden. At the same time, Emirates is still the issuer, so, you know, there’s this whole, like, from Tari’s perspective at any rate, the protocol needs to be built in such a way that it is advantageous for the issuer to use the Tari protocol, as opposed to just using a database.

Laura Shin:

Interesting. Yeah, I really like this idea. I hope someday we can do this, because I would love to take some assets that I have that I don’t particularly care for and trade them for something that I really do want. I love that idea. So, how does Tari relate to Monero?

Riccardo Spagni:

So, Tari is merge-mined with Monero. So, what that means is that we inherit Monero’s security model, and you know, I mean, I’m sure you’ve seen a lot of the hoo-hah that some of the media have made about, “Oh, Bitcoin is terrible for the environment,” and “Look at all of the trees that it’s burning with all of its terrible mining.” And so, one of the things that you get when you inherit Monero’s security model is you’re not adding to that burden. So, Monero already has a strong, stable proof-of-work network, and there’s no reason to spin up an entire other one for Tari.

We’re able to just bolt on top of Monero’s security model, and inherits all of its good security properties without needing to go and recruit miners of our own.

Laura Shin:

Interesting. I like that idea, I guess, because that also means that in the early days of Tari, then it will, you know, be pretty secure, as opposed to needing to just rely on whoever wants to join in in the early days. So, I actually want to ask you a little bit more about Monero. We have alluded to Monero being used on the dark web, or by criminals in a few different ways in the podcast, and you’ve also talked about ways in which it could be used where somebody could maintain their privacy, but then, you know, governments could still be sure that what you’re doing is okay.

However, the fact is right now that I think Monero is at least one of the cryptocurrencies of choice, if not the cryptocurrency of choice on the dark web. So, how do you feel about the fact that something that you are working on and championing could be used to fund crimes that you find reprehensible?

Riccardo Spagni:

That’s a good question. So, I guess there’s two things. The first thing is, when I was in Panama recently, I was at the Panama blockchain embassy, and I got to meet a lot of people from Venezuela. And when I look at the impact that cryptocurrencies like Bitcoin and Monero have on the Venezuelan people, and how important a privacy-enhancing cryptocurrency like Monero might end up being if the Venezuelan government starts to clamp down, I am reminded of the good that Monero does. But the second thing is, Monero is just a tool.

Monero is a tool the same way a kitchen knife is a tool, and I can’t imagine that a kitchen knife designer who designs an amazing, incredibly sharp kitchen knife, and produces them in droves, lies awake at night worrying about all the murders that are occurring with his kitchen knives. It’s a tool, you know? When a terrorist takes a car and drives into a crowd of people, the car manufacturer doesn’t release a statement about how sorry they are that they put seatbelts in the car. You know, it’s just a tool. It can be used for good, it can be used for bad.

As a person who works on the tool, you want that tool to be as good as it possibly can, not to enhance things for people who use it for nefarious reasons, but to protect the people who are relying on it, because it might mean the difference between life or death for them, and those are the people that I constantly think about.

Laura Shin:

So, I take your point in a lot of ways. You know, I do agree that, I mean, I literally, the other day I accidentally cut myself with a box cutter, which, we know that was the tool of choice in 9/11. However, I think right now, and there’s probably no way to know this, but I think right now, the balance of Monero transactions is more heavily weighted toward dark web activity, dark net activity, and also, it was reported that North Korea was doing things to obtain more Monero. North Korea is essentially this huge prison that masquerades as a country.

Like, their gulags have been compared to the Holocaust. So, you know, I mean, while there isn’t any way to know exactly for sure how much of Monero is being used for good versus bad, it does seem a lot of the time that Monero is being associated with bad activity. So, even when you think about just the balance of things between good and bad, does that make you pause?

Riccardo Spagni:

I guess the thing is, like, there’s one thing to consider, and that is, what can I do to stop it? You know, I mean, like, let’s approach this from the perspective of a developer, or of a software engineer. If I go, “Okay, I don’t want people to use my tool for bad,” then there are various steps that I can take, from a technical perspective. I can build in a process where anyone who is making a transaction above a certain value, that transaction is rejected, and it has to go through me, and I’m the decision-maker about whether this person should transact or not.

And all that really does is it just moves things from a system of law and a system of government and governance to a system of Riccardo’s will, which is not ideal. And in the absence of being able to solve this technologically, which we will never be able to do because there’s no way for a decentralized permission-less system to go into your brain and figure out whether you’re doing something that’s inherently evil, there’s really nothing that we can do, except make the system permission-less.

And I don’t know if this is true, I mean, let’s assume that the balance of Monero transactions, or the bulk of Monero transactions are used by people who are doing nefarious things. I would ask two questions of you. The first is, nefarious from whose perspective, because nefarious from my perspective might be different to nefarious from your perspective. Somebody buying cannabis in order to extract CBD oil to treat their cancer in a country where that is illegal might not be something that I find morally reprehensible.

But somebody living in that country might find it incredibly morally reprehensible. Somebody from a couple of generations back might find it incredibly morally reprehensible. So, it becomes very borderline, because I’m sure that there are some things that Monero has been used for which we can all agree are outrightly bad, they’re outrightly evil. But I think for the most part, there are lots of things that are either nefarious or evil or, not evil, but nefarious or reprehensible, but only from the perspective of some people, not from the perspective of other people.

And the reason I say this is because, I got into a big debate with someone the other day who was like, “Taxation is theft, and taxation is evil.” And so, from their perspective, anyone using Monero to evade taxes is good, and now it becomes a little bit like, you know, like, where do you stand on the taxation thing, and how do you judge someone using Monero to evade taxes? How do you judge someone using Monero to evade taxes in China, versus someone using Monero to evade taxes in the USA?

It is such a difficult thing to wrap your head around, and you know, this idea of morality and relative morality, that it is, it’s better not to even think about it, and rather to just consider the fact that Bitcoin in its infancy definitely had more illegal transactions, more nefarious transactions than ones that were used positively, but it outgrew that, and I am positive that Monero will too.

Laura Shin:

So, there’s no way to make this a good transition, but I did want my last question to you to be, why the name Fluffy Pony?

Riccardo Spagni:

Yeah, it’s like, on the note of tax evasion, why the name Fluffy Pony?

Laura Shin:

Well, no, no, no, my last question was about the gulags in North Korea. That’s really…

Riccardo Spagni:

Yes. Yeah, really. So, you know, like, why don’t I have a proper North Korean name? I mean, “Fluffy Pony” is not a very North Korean name. So, yeah, it was given to me many, many years ago by two girls that I worked with in one of my first jobs, and it was, initially it was a big joke, but when everyone’s using it every day, then it eventually just sticks. And I carried on using it after that job, and I, there was a period of time where I tried to shed it, and it did not work, and eventually I just realized I’m stuck with it.

Laura Shin:

Yeah, I would say that you’ve embraced it, but why did they nickname you “Fluffy Pony”?

Riccardo Spagni:

Because one of them was called Fluffy Puppy, and the other one was called Fluffy Bunny, and so, then I needed a fluffy nickname, I guess.

Laura Shin:

Okay. Well, so, I know that you’re critical of ICOs, but I always feel like, when I hear that, I always imagine also Vitalik’s unicorn T-shirts, so in that mind. And now, you’ve got your, shoot, what is called, Magical Crypto Friends show?

Riccardo Spagni:

Yeah, Magical Crypto Friends, you know? We’ve got a Fluffy Pony, and we’ve got a whale panda, and we’ve got a lion, and we’ve got a chicken. I mean, you can’t get away from the farmyard animals.

Laura Shin:

I need to come up with something. Like, my writing mascot basically is a goat. So, I need to think of a good adjective with goat, and that will be me. I’ll let listeners know what I’ve decided on later. Well, this has been a great conversation. Where can people learn more about you and Monero and Tari?

Riccardo Spagni:

They can learn more about me on Twitter, I’m FluffyPony on Twitter. Tari is at Tari.com, Tari, and Monero is at GetMonero.org, like, Monero.

Laura Shin:

Perfect. Well, thank you for coming on Unchained.

Riccardo Spagni:

And thank you very much for having me.

Laura Shin:

Thanks so much for joining us today. To learn more about Riccardo, check out the show notes inside your podcast player. New episodes of Unchained come out every Tuesday. If you haven’t already, rate, review, and subscribe on Apple Podcasts. If you liked this episode, share it with your friends on Facebook, Twitter, or LinkedIn, and if you’re not yet subscribed to my other podcast, Unconfirmed, I highly recommend you check it out and subscribe now. Unchained is produced by me, Laura Shin, with help from Raelene Gullapalli, Fractal Recording, Jenny Josephson, and Daniel Nuss. Thanks for listening.