author Bryan Bishop <kanzure@gmail.com> 2019-05-12 11:14:58 -0500
committer Bryan Bishop <kanzure@gmail.com> 2019-05-12 11:14:58 -0500
commit e32c67072adadb65a77f78deed4d50e4f3ecb785
tree 322c7a961083c18082935d00058b96561b56a49f
parent 8f4ec5184583e8cca96b529db2100649d6cb67e1
more words
-rw-r--r-- transcripts/magicalcryptoconference/2019/future-of-privacy-coins.mdwn 19
1 files changed, 19 insertions, 0 deletions
diff --git a/transcripts/magicalcryptoconference/2019/future-of-privacy-coins.mdwn b/transcripts/magicalcryptoconference/2019/future-of-privacy-coins.mdwn
index ab88994..80ee72d 100644
--- a/transcripts/magicalcryptoconference/2019/future-of-privacy-coins.mdwn
+++ b/transcripts/magicalcryptoconference/2019/future-of-privacy-coins.mdwn
@@ -58,3 +58,22 @@ AP: Lightning today... on lightning, you have this primitive with a payment chan
AM: How do you think exchanges would respond if bitcoin soft-forked in confidential transactions? Does this run the risk of silent inflation?
+AP: Confidential transactions use pedersen commitments which hide the amount, but still allow people to add commitments together and check that they sum. These are range proofs too. As long as the amounts are equal on the inputs and outputs, then the transaction balances. This was originally created by Greg Maxwell for a project we had been working on for a few years called Blockstream Liquid. It's not an altcoin, it's just a fork of Bitcoin Core and the primary token you can use on Liquid is a proxy of bitcoin, it's pegged 1-to-1 with bitcoin by a cryptographic peg. When coins are in the Liquid network, they are custodied by a consortium of many different exchanges. I believe the majority of the federation members are exchanges, and they all have joint custody of the coins in the network. You need 11 of 15 to sign off on any transaction moving bitcoin back to the bitcoin blockchain. Inside the network, there is confidential transactions and confidential assets. Our fear in 2014 was that- we were very excited about confidential transactions- we thought this would really improve the privacy story for bitcoin and make bitcoin private, but we were very worried that exchanges would hate this and say making bitcoin more private makes it more criminal or something. But what we actually found, when we started pitching it to people, was that real participants in the financial ecosystem got very excited about this. They said wow this is really amazing, and now we can solve a problem of people frontrunning transactions when they see money being transferred between exchanges. This undermines liquidity because it reveals our positions and balances and impacts trading. So my experience as a technology provider for exchanges, is that they are really excited about privacy.
+
+BG: I think exchanges are aware of this, I am not sure if regulators are aware of this... but in the vast majority of the cases where you talk about cryptocurrency transactions, someone buys some coins from an exchange, and the vendor then goes cashes it out for dollars after they purchase something. So you have end-to-end KYC, especially if it's the same exchange, the exchange has all of the information necessary even if you're using zcash or monero to deanonymize you. So KYC exchanges are looking at their intenral information with perfect information. They have a hard time with looking outside their system. Convincing a regulator that an exchange using KYC already has all the information needed to comply with KYC laws has been challenging. In the regulatory space, they want to be able to see past 1 hop in a private sequence of cryptocurrency transactions. But if I withdrew money to Wells Fargo and sent it somewhere else with a wire transfer, they might know which bank it went to, but what happened after that they have no reasonable idea. It's unreasonable to ask Wells Fargo to file a suspicious activity report for that. On the other hand with cryptocurrency, they seem to want to be able to see beyond one more hop. This is an unreasonable demand and doesn't even apply in the current banking system. I think users and exchanges are excited about privacy, and regulators just don't know what they are doing. I don't want to say regulators don't know what they're doing, but they don't.
+
+AM: We have time for one more question. What is mimblewimble and what are some of the projects?
+
+AP: What is mimblewimble? Hmm.
+
+BG: I describe mimblewimble to people, as a former math teacher, it's a sequence of telescoping sums. You add one, subtract one, add one and subtract one and you keep doing that and then all the interior additions and usbtractions cnacel out. That's how I imagine mimblewimble. It's a sequence of schnorr signatures, and you add up all the ones on the interior and they all just disappear.
+
+AP: That's a good way to put it. I can add a little bit more extra detail to that. Mimblewimble is confidential transactions in its purest form. You take a confidential transaction chain in liquid or monero and you have a bunch of other things-- then you remove all the scripting, all the ring signatures, and now, you say, rather than having these blinded commitments to your amounts, just represent a hidden amount, take that blinding data and say it's pretending to be a secret key in a complicated definition of "pretends" that works in practice but is difficult to describe. I can own two coins in mimblewimble without owning either one individually. It would be interesting to see that tried in court actually. But because confidential transactions are homomorphic commitments, you can add and subtract and you can add our two transactions together. In mimblewimble, you can do to that to the entire blockchain.
+
+BG: Does that include verification from scratch? Like if I start mining tomorrow, and it's time to sync up, can I just add up all the blockchain transactions and be good?
+
+AP: Almost. You need to learn all the coins that have been unspent. You also need something called the kernels, associated with every transaction. This is a single public key and a signature used to ensure verifiers that the transactions were not created to cancel out other transactions. You do need to download and check the signatures on every single one of those.
+
+AM: Alright, we're out of time. Thank you for joining us.
+
+
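Review bot: several transcription typos in the added text should be corrected before this is merged: "intenral" in the BG paragraph about KYC exchanges, "usbtractions cnacel out" in the BG telescoping-sums paragraph, and the stray "to" in "you can do to that to the entire blockchain" at the end of the second AP mimblewimble paragraph. In the first AP paragraph, "These are range proofs too" follows a sentence about pedersen commitments and reads like a mis-hearing; "There are range proofs too" would fit the surrounding sentences, so please check it against the recording. The hunk also ends with two consecutive empty added lines, which leaves trailing blank lines at the end of the file; one of them can be dropped.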