| field | value | date |
|---|---|---|
| author | Bryan Bishop <kanzure@gmail.com> | 2017-05-03 09:00:03 -0500 |
| committer | Bryan Bishop <kanzure@gmail.com> | 2017-05-03 09:00:03 -0500 |
| commit | f4a3555727d199fbbb9a203cabff18d3acef3f85 (patch) | |
| tree | eee92585ec745730214b927c128de96adc1f0fab | |
| parent | 247407754b9e9f11639ef81eee4c18f9bd7a3118 (diff) | |
| download | diyhpluswiki-f4a3555727d199fbbb9a203cabff18d3acef3f85.tar.gz, diyhpluswiki-f4a3555727d199fbbb9a203cabff18d3acef3f85.zip | |
more links everywhere
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | transcripts/gmaxwell-confidential-transactions.mdwn | 14 |
| -rw-r--r-- | transcripts/scalingbitcoin/milan/mimblewimble.mdwn | 2 |

2 files changed, 8 insertions, 8 deletions
diff --git a/transcripts/gmaxwell-confidential-transactions.mdwn b/transcripts/gmaxwell-confidential-transactions.mdwn index 1bf7d23..f65ad52 100644 --- a/transcripts/gmaxwell-confidential-transactions.mdwn +++ b/transcripts/gmaxwell-confidential-transactions.mdwn 
@@ -20,11 +20,11 @@ So I want to talk a little bit about in detail about what motivates me in on wor # Why confidential transactions? -CT is a tool for improving privacy and fungibility in a system like bitcoin. Why is this important? If you look at traditional systems, like banking systems, they provide a level of privacy in their systems. And when you usually use your bank account, your neighbors don't know what you're doing with your bank account. Your bank might know, but your neighbors don't. Your counterparties know, other people generally don't know. This is important to people, both for personal reasons as well as for commercial reasons. In a business, you don't want your competition to know who is supplying your parts. You don't want to necessarily share who is getting paid what. You don't want your competition to have insight into your big sales or who your customers are and all that. There is a long list of commercial reasons as to why this kind of privacy is important. +CT is a tool for improving privacy and <a href="http://diyhpl.us/wiki/transcripts/scalingbitcoin/milan/fungibility-overview/">fungibility</a> in a system like bitcoin. Why is this important? If you look at traditional systems, like banking systems, they provide a level of privacy in their systems. And when you usually use your bank account, your neighbors don't know what you're doing with your bank account. Your bank might know, but your neighbors don't. Your counterparties know, other people generally don't know. This is important to people, both for personal reasons as well as for commercial reasons. In a business, you don't want your competition to know who is supplying your parts. You don't want to necessarily share who is getting paid what. You don't want your competition to have insight into your big sales or who your customers are and all that. There is a long list of commercial reasons as to why this kind of privacy is important. 
Personally as well-- if you think about it, in order to speak as a person to speak up in the political sphere, to have an effect on the world, you need to spend some money to do it... so this is basically you have the case that you're spending of money is intricately tied to your ability to have free speech in the world. If someone is able to surveil and monitor and control your use of money all the time, they are also controlling your ability to speak. This is also the opinion of the U.S. Supreme Court in Citizens United and a lot of people on the more liberal end of the spectrum don't like this conflation of money and free speech but it cuts both ways. People should have a high degree of financial privacy, and they can't have that if they are using a system that doesn't provide that. -In bitcoin, we have this fundamental conflict where we have built this decentralized distributed network, and it's security is based on this concept of public verification: you know bitcoin is correct because your own computer running software that you or someone you trust has audited, has verified all of this history of it, and has verified that it all adds up. That all the signatures match, that all the values match and it's all good to go. It uses conspicuous transparency in order to obtain security. Many people look at this and say ah there's a conflict we can't both have strong privacy and have this public verification needed for a decentralized system. But this apparent conflict is not true. If you think about the idea of a digital signature, that is a scheme that lets you sign a message and show that a person who knows the private key knows the message, we use this every day in bitcoin, you can use this to verify a digital signature without ever knowing your private key but they can verify that you knew it. So a digital signature showing that, you can build a system that can be publicly verified but without giving up your secrets. This shows that it is possible. 
+In bitcoin, we have this fundamental conflict where we have built this decentralized distributed network, and it's security is based on this concept of public verification: you know bitcoin is correct because your own computer running software that you or someone you trust has audited, has verified all of this history of it, and has verified that it all adds up. That all the signatures match, that all the values match and it's all good to go. It uses conspicuous transparency in order to obtain security. Many people look at this and say ah there's a conflict we can't both have strong privacy and have this public verification needed for a decentralized system. But this apparent conflict is not true. If you think about the idea of a <a href="https://en.wikipedia.org/wiki/Digital_signature">digital signature</a>, that is a scheme that lets you sign a message and show that a person who knows the private key knows the message, we use this every day in bitcoin, you can use this to verify a digital signature without ever knowing your private key but they can verify that you knew it. So a digital signature showing that, you can build a system that can be publicly verified but without giving up your secrets. This shows that it is possible. This whole idea of a system of money needed some kind of privacy-- that's not a new one. It's discussed in the bitcoin whitepaper, where it says that you can basically use pseudonyms, one use addresses, in order to have privacy in the system. The challenge that we found is that this is very fragile. In practice, the pseudonymity in bitcoin doesn't actually provide a whole lot of privacy. People reuse addresses and then it's really easy to trace the transaction graph through the history. 
The way that the earliest bitcoin software was written, you didn't usually pay to an address directly, you would provide an IP address, then your node would go to the other node and get an address from it, and then every payment would use a new fresh address on the blockchain. That was a much more private way of using things, but it required that to receive payments you had to run a node exposed to the internet not running behind NAT. So not very usable. And that whole protocol in fact was completely unauthenticated, so it was very vulnerable to man-in-the-middle attacks as well. That wasn't a good way to transaction, and as a result people started using bitcoin addresses for everything, and the address model ends up causing lots of reuse and things that really degrades privacy. 
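Review bot: the rewritten "+" line for the "In bitcoin, we have this fundamental conflict" paragraph still carries the typo "it's security is based on" (should be "its security"); since the line is already being rewritten to add the digital-signature link, fix the possessive in the same change rather than leaving it for a later pass. The two links themselves are fine: "fungibility" goes to the Milan fungibility-overview transcript on the same wiki and "digital signature" to the Wikipedia article, and in both cases the anchor text is the speaker's own phrase, so no wording changes.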
@@ -34,7 +34,7 @@ And a key point that I don't have in the slide here that I should mention is tha <https://www.youtube.com/watch?v=LHPYNZ8i1cU&t=10m24s> -There have been many past proposals to improve privacy in the bitcoin space. Many people have recognized there's a problem here. People have done things like, proposals to combine <a href="https://bitcointalk.org/index.php?topic=279249.0">coinjoin</a> and <a href="https://bitcointalk.org/index.php?topic=321228.0">coinswap</a>, which are completely compatible with the existing bitcoin system and use some smart contracting protocol trickery to increase user privacy. People have also used things like centralized servers where you trust a third-party, you give them the money, they make the payments for you, and that can at times improve your privacy except at the central server which usually destroys your privacy along the way. There have been cryptographic proposals, there's a proposal called zerocoin which is distinct from the zerocash stuff that exists today, which had poor scalability but interesting privacy properties. There's an interesting not-well-known proposal called <a href="https://bitcointalk.org/index.php?topic=290971.0">one-way aggregatable signatures (OWAS)</a> which showed up on bitcointalk from an anonymous author who vanished (<a href="https://bitcointalk.org/index.php?topic=1377298.0">follow-up</a>). It's a pretty interesting approach. There's the traceable ring signatures that were used in bytecoin, monero and more recently in zerocash system which is now showing up as an altcoin. The compatible things-- like coinjoin-- have mostly suffered from not having as much privacy as you would expect, due to transaction amount tracing. 
The idea behind coinjoin is that multiple parties come together and they jointly author a single transaction that spends all of their money and pays out to a set of addresses, and by doing that, an observer can't determine which outputs match with which inputs so that the users gain privacy from doing this, but if all the users are putting in and taking out different amounts then you can easily unravel the coinjoin and the requirement to make the amounts match to prevent the unraveling would make coinjoin hard to be usable. And then, prior to confidential transactions as a proposal, the cryptographic solutions that people proposed have broken the pruning process in bitcoin. They really have harmed the scalability of the system causing the state to balloon up forever. Today you can run a bitcoin node with something like 2 GB of space on a system, and that's all it needs in order to validate new incoming blocks and that's with all the validation and all the rules no trusting third parties. And if not for pruning, then that number would be 120 gigabytes and rapidly growing. Many of these cryptographic privacy tools have basically broken this pruning and have hurt scaling... the exception being the more recent <a href="http://diyhpl.us/~bryan/papers2/bitcoin/TumbleBit:%20An%20untrusted%20bitcoin-compatible%20anonymous%20payment%20hub%20-%202016.pdf">tumblebit</a> proposal, and tumblebit is a proposal like coinswap that allows two users to swap ownership of coins in a secure way without network observer being able to tell that they did this. Tumblebit improves the privacy of that by making the users themselves not able to tell who the other users were, and tumblebit doesn't break scalability, but because it only does these swaps and a few other things, it's not as flexible as many of the other options. +There have been many past proposals to improve privacy in the bitcoin space. Many people have recognized there's a problem here. 
People have done things like, proposals to combine <a href="https://bitcointalk.org/index.php?topic=279249.0">coinjoin</a> and <a href="https://bitcointalk.org/index.php?topic=321228.0">coinswap</a>, which are completely compatible with the existing bitcoin system and use some smart contracting protocol trickery to increase user privacy. People have also used things like centralized servers where you trust a third-party, you give them the money, they make the payments for you, and that can at times improve your privacy except at the central server which usually destroys your privacy along the way. There have been cryptographic proposals, there's a proposal called zerocoin which is distinct from the zerocash stuff that exists today, which had poor scalability but interesting privacy properties. There's an interesting not-well-known proposal called <a href="https://bitcointalk.org/index.php?topic=290971.0">one-way aggregatable signatures (OWAS)</a> which showed up on bitcointalk from an anonymous author who vanished (<a href="https://bitcointalk.org/index.php?topic=1377298.0">follow-up</a>). It's a pretty interesting approach. There's the traceable ring signatures that were used in bytecoin, monero and more recently in zerocash system which is now showing up as an altcoin. The compatible things-- like coinjoin-- have mostly suffered from not having as much privacy as you would expect, due to transaction amount tracing. The idea behind coinjoin is that multiple parties come together and they jointly author a single transaction that spends all of their money and pays out to a set of addresses, and by doing that, an observer can't determine which outputs match with which inputs so that the users gain privacy from doing this, but if all the users are putting in and taking out different amounts then you can easily unravel the coinjoin and the requirement to make the amounts match to prevent the unraveling would make coinjoin hard to be usable. 
And then, prior to confidential transactions as a proposal, the cryptographic solutions that people proposed have broken the pruning process in bitcoin. They really have harmed the scalability of the system causing the state to balloon up forever. Today you can run a bitcoin node with something like 2 GB of space on a system, and that's all it needs in order to validate new incoming blocks and that's with all the validation and all the rules no trusting third parties. And if not for pruning, then that number would be 120 gigabytes and rapidly growing. Many of these cryptographic privacy tools have basically broken this pruning and have hurt scaling... the exception being the more recent <a href="http://diyhpl.us/~bryan/papers2/bitcoin/TumbleBit:%20An%20untrusted%20bitcoin-compatible%20anonymous%20payment%20hub%20-%202016.pdf">tumblebit</a> proposal, and <a href="http://diyhpl.us/wiki/transcripts/scalingbitcoin/milan/tumblebit/">tumblebit</a> is a proposal like coinswap that allows two users to swap ownership of coins in a secure way without network observer being able to tell that they did this. Tumblebit improves the privacy of that by making the users themselves not able to tell who the other users were, and tumblebit doesn't break scalability, but because it only does these swaps and a few other things, it's not as flexible as many of the other options. # Confidential transactions 
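Review bot: the tumblebit sentence now has two adjacent links with the identical anchor text "tumblebit", the first to the TumbleBit paper PDF and the second to the Scaling Bitcoin Milan tumblebit talk transcript, so a reader cannot tell which is the paper and which is the talk without hovering. Make the anchor text distinguish them, e.g. keep `<a href="...TumbleBit...2016.pdf">tumblebit</a> proposal` for the paper and use `<a href="http://diyhpl.us/wiki/transcripts/scalingbitcoin/milan/tumblebit/">tumblebit (Milan talk)</a>` for the second one. The split of the old single paragraph into three ("There have been many past proposals...", "People have done things like...", "And then, prior to confidential transactions...") breaks at sentence boundaries and reads fine.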
@@ -122,7 +122,7 @@ Monero is another kind of altcoin that uses privacy technique that was first in More modern monero as of a few months ago is using CT, they have adapted ring signatures with CT for something called <a href="http://diyhpl.us/~bryan/papers2/bitcoin/Ring%20CT%20for%20Monero.pdf">ringCT</a> and it's sort of like how CT can be combined with coinjoin. -So this system has the benefits of CT but it also has the disadvantages of the ring signature and there's a forever-growing spent coins list. Monero today isn't unconditionally sound, but it could be, just like CT it could be upgraded to unconditional soundness. The crypto assumptions are the same as CT but they use the ed25519 curve but otherwise it's the same crypto assumptions. +So this system has the benefits of CT but it also has the disadvantages of the ring signature and there's a forever-growing spent coins list. Monero today isn't unconditionally sound, but it could be, just like CT it could be upgraded to unconditional soundness. The crypto assumptions are the same as CT but they use the <a href="https://ed25519.cr.yp.to/">ed25519 curve</a> but otherwise it's the same crypto assumptions. The other cryptographically-private altcoin that people talk about is Dash... but it's not cryptographically private at all. I had a slide about this that was just "Dash LOL". It's snakeoil. I'm beside myself about it, personally. What they have is a system like coinjoin, they nominate nodes based on proof of stake to be coinjoin masters, and then they have done this insecurely many times in the past I have no idea if the current version is secure. It's not on the same level as zcash or monero maybe it's better than doing nothing I don't know. LOL, right? 
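Review bot: the anchor "ed25519 curve" points at https://ed25519.cr.yp.to/, which is the homepage of the Ed25519 signature scheme; that page does define the curve, so the target is acceptable, but strictly Ed25519 is the signature system and the curve is the twisted Edwards form of Curve25519, so anchoring only the word "ed25519" (leaving "curve" unlinked) would match the link target more precisely without touching the speaker's wording. No other change in the hunk.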
@@ -130,7 +130,7 @@ The other cryptographically-private altcoin that people talk about is Dash... bu There are other risks with this technology. I guess I was talking about one of them right now. It's difficult to distinguish snakeoil from real stuff and vet claims. Maybe some of the stuff I said today was crap, like maybe someone will claim that I said CT is unconditionally private (which is something I said) but maybe because of the way it gets used it's not actually unconditionally private.... right, like it's hard to work out this stuff and figure out which complaints are legitimate, not too many experts, new area, many people that try to sound like experts, etc. -A big risk is that if you look at any of these other cryptosystems that the consensus part of it is itself a cryptosystem just like RSA or AES or whatever. The whole thing has to work exactly right, and if one part is wrong then it doesn't give the properties you think, and if you get it wrong, everything breaks. Complexity is the enemy of integrity, it's hard to verify it. It makes the system more complex. I'm currently aware of three and a half devastating failures in privacy improvement attempts... There's an altcoin based on the original zcoin proposal, where they had an inflation incident where it had more or less like a typo made it possible for people to mint coins out of nothing. They let their system keep running, the coins inflated, then they said well OK now there's more coins. The loss was effectively socialized. Because this was caught fortunately due to some of the privacy limitations in the approach of exploiting it, the loss was found to be sort of small and it was possible to socialize it, but if they (the attacker) had printed billions and billions of coins, then that might not have been salvageable. +A big risk is that if you look at any of these other cryptosystems that the consensus part of it is itself a cryptosystem just like RSA or AES or whatever. 
The whole thing has to work exactly right, and if one part is wrong then it doesn't give the properties you think, and if you get it wrong, everything breaks. Complexity is the enemy of integrity, it's hard to verify it. It makes the system more complex. I'm currently aware of three and a half devastating failures in privacy improvement attempts... There's an altcoin based on the original zcoin proposal, where they had an <a href="http://www.businessinsider.com/typo-bitcoin-rival-zcoin-attacker-steals-400000-2017-2">inflation incident</a> where it had more or less like a typo made it possible for people to mint coins out of nothing. They let their system keep running, the coins inflated, then they said well OK now there's more coins. The loss was effectively socialized. Because this was caught fortunately due to some of the privacy limitations in the approach of exploiting it, the loss was found to be sort of small and it was possible to socialize it, but if they (the attacker) had printed billions and billions of coins, then that might not have been salvageable. There's a system called Shadowcash which is a clone of the bytecoin-like monero-like ring signatures with no CT based on the bitcoin code base. And, it had no privacy at all. I don't know if the person building it was a complete fool or utter genius, but they managed to make a really subtle mistake that made it have no privacy. 
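Review bot: the new paragraph break is at the wrong sentence. It falls between "just like RSA or AES or whatever." and "The whole thing has to work exactly right", which are one continuous thought about the consensus layer being a cryptosystem, while the actual topic change is at "I'm currently aware of three and a half devastating failures in privacy improvement attempts"; move the break there. The Business Insider link on "inflation incident" is consistent with what the speaker describes (a typo in the Zerocoin-derived code let an attacker mint coins); the article's dollar figure is not in the transcript, so keeping the neutral anchor text "inflation incident" is right.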
@@ -170,7 +170,7 @@ The area where I have been focusing the most on CT is efficiency. The costs are # Patent status -So I should mention about patents. I have patented many of the techniques and optimizations in confidential transactions with the explicit intention and very loudly stated goal of using these patents to prevent other people from patent this stuff, and to commit to a patent nonaggression licensing scheme where anyone can use my patents as long as they commit not to sue each other into oblivion. +So I should mention about patents. I have <a href="http://diyhpl.us/~bryan/papers2/bitcoin/patent%20-%20WO2016200885%20-%20Cryptographically%20concealing%20amounts%20transacted%20on%20a%20ledger%20while%20preserving%20a%20network's%20ability%20to%20verify%20the%20transaction%20-%202016.pdf">patented</a> many of the techniques and optimizations in confidential transactions with the explicit intention and very loudly stated goal of using these patents to prevent other people from patent this stuff, and to commit to a patent nonaggression licensing scheme where anyone can use my patents as long as they commit not to sue each other into oblivion. Blockstream has a very open patent policy that is purely defensive. It has been applauded by many groups, including the <a href="https://www.eff.org/deeplinks/2016/07/blockstream-commits-patent-nonaggression">EFF</a>. If it's not good enough for somebody, let me know and we can figure out how to make it better. We can't make the patent system go away, and it's a risk to any deployment of any complex technology. I previously worked on royalty-free multimedia codecs. I am one of the authors of Vorbis, the Opus audio codec, WebRTC and like anyone using Signal is using Opus. We used patents strategically in Opus to get other patents opened. Trying to do the same thing with CT. I don't think anyone needs to worry about patents in CT. 
However, if someone is worried, then I would be happy to work with them to make the situation better for everyone. 
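Review bot: linking the single word "patented" to one document (the WO2016200885 application on concealing transacted amounts) while the sentence says "many of the techniques and optimizations" are patented invites the reading that this one filing is the whole set; make the anchor explicit, e.g. "I have patented (for example <a href="...WO2016200885...">WO2016200885</a>) many of the techniques". Also the href percent-encodes spaces as %20 but leaves the apostrophe in "network's" raw; it is legal inside a double-quoted href, but encoding it as %27 keeps the URL consistent and safe to copy out of the rendered page.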
@@ -218,7 +218,7 @@ A: I think that argument has a lot of merit. Just look at the zcash case. But I Q: How excited are you about segwit activating on litecoin? -A: It'll be interesting. You know, I think it's cool that it gets used more, but I already knew it would get used somewhere-- maybe I'm deluded. In litecoin there's some interesting challenges with miners and there's some large vested interest in making segwit have problems. The size and scale in litecoin, it will get over the problems, it might be bumpy, I'll be happy to help out. I pointed out on litecoin's subreddit the other day about potential turbulence and there's some good things to know about and to mitigate. It would be cool. I am happy about it. You are going to have bitcoin developers working on litecoin eventually, because nobody really doing protocol development in bitcoin wants to do script enhancement without segwit because it makes it so much easier. The idea of trying to do script enhancement without it is just not interesting... +A: It'll be interesting. You know, I think it's cool that it gets used more, but I already knew it would get used somewhere-- maybe I'm deluded. In litecoin there's some interesting challenges with miners and there's some large vested interest in making segwit have problems. The size and scale in litecoin, it will get over the problems, it might be bumpy, I'll be happy to help out. I <a href="https://www.reddit.com/r/litecoin/comments/67rqqf/buckle_your_seatbelts_there_may_be_some_minor/">pointed out on litecoin's subreddit the other day</a> about potential turbulence and there's some good things to know about and to mitigate. It would be cool to get segwit activated on litecoin. I am happy about it. You are going to have bitcoin developers working on litecoin eventually, because nobody really doing protocol development in bitcoin wants to do script enhancement without segwit because it makes it so much easier. 
The idea of trying to do script enhancement without it is just not interesting... Q: What do you think is preventing or how would you accelerate mainstream adoption of digital currency like bitcoin? diff --git a/transcripts/scalingbitcoin/milan/mimblewimble.mdwn b/transcripts/scalingbitcoin/milan/mimblewimble.mdwn index af7eeab..b2ff347 100644 --- a/transcripts/scalingbitcoin/milan/mimblewimble.mdwn +++ b/transcripts/scalingbitcoin/milan/mimblewimble.mdwn 
@@ -24,7 +24,7 @@ It was a paper, neat name, in the Harry Potter books it's a tongue-tying curse t In bitcoin, the way that bitcoin transactions work, you have a pile of inputs and a pile of outputs. Every input is an output from a previous transaction. Every input has to sign the entire transaction. This proves that the person who owns those inputs intends to send the transaction and authorizes this. In mimblewimble, rather than having a complex script system and allowing arbitrary scripts, mimblewimble just has EC keys. You can add and subtract any two EC keys and add and subtract and get another elliptic curve key. If I have some coins attached to some key, and someone wants to move the coins from my key to their key, we can take the difference between the two keys, and create a multisig of that difference, and that's almost as good as any. So we take a sum of all input keys and all output keys, and we can get a single key, and sign it with that. So it's really just operations on keys. It's bitcoin and remove script-- well no, it's designed from the ground-up to be different. I'll mention later that we can get locktime, and we can definitely get multisignatures and locktime. You can use this to get unidirectional payment channels. So in principle you can have lightning on top of mimblewimble, although not in an elegant way. I think this is very cool. -So mimblewimble transactions have inputs just like in bitcoin transactions. The inputs are confidential transactions, rather than bitcoin inputs. They are homomorphically-encrypted vaues. What you can do with confidential transactions is you can add up all the output values, subtract the input values as elliptic curve points. You can check whether they add up to zero. You can't check anything else. There's a priviledged zeropoint in elliptic curve groups. Everything else looks as a uniformly random elliptic curve points. There are no features to these. 
As far as fungibility is concerned, this is pretty cool that every output looks like a random number. There's an annoying feature of confidential transactions where it's in principle possible to encrypt negative values, so I can create an output with a positive million bitcoins and a negative million bitcoins... I might throw that away and have a million bitcoin. The way that confidential transactions solves this is with a range proof. In elements alpha, we use a range proof developed by Greg Maxwell, which proves that.... you can make it whatever range you wat. As long as it is much less than 2^256, you can have any value you want, and it proves it's in the range. It's proofs of knowledge of the blinding key of the output. +So mimblewimble transactions have inputs just like in bitcoin transactions. The inputs are <a href="http://diyhpl.us/wiki/transcripts/gmaxwell-confidential-transactions/">confidential transactions</a>, rather than bitcoin inputs. They are homomorphically-encrypted vaues. What you can do with confidential transactions is you can add up all the output values, subtract the input values as elliptic curve points. You can check whether they add up to zero. You can't check anything else. There's a priviledged zeropoint in elliptic curve groups. Everything else looks as a uniformly random elliptic curve points. There are no features to these. As far as fungibility is concerned, this is pretty cool that every output looks like a random number. There's an annoying feature of confidential transactions where it's in principle possible to encrypt negative values, so I can create an output with a positive million bitcoins and a negative million bitcoins... I might throw that away and have a million bitcoin. The way that confidential transactions solves this is with a range proof. In elements alpha, we use a range proof developed by Greg Maxwell, which proves that.... you can make it whatever range you wat. 
As long as it is much less than 2^256, you can have any value you want, and it proves it's in the range. It's proofs of knowledge of the blinding key of the output. Confidential transactions use homomorphic encryption. Mimblewimble uses this as a signing key and a blinding key. It uses range proofs to show that the key is known. In confidential transactions, you add up points, you show they all addu p to zero, you show that all the input values equal the output values. So you have to show that they add up to some other random curve point. That curve point has a key, it proves that it's an encrption of the value zero. We can exploit this in mimblewimble to allow handing over hte key without the recipient learning the sender's keys. We can hand-off keys by signing with their difference, and mimbewimble solves this with an .... |
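Review bot: in the litecoin/segwit hunk (@@ -218), besides adding the reddit link, the "+" line changes the speaker's words, expanding "It would be cool." to "It would be cool to get segwit activated on litecoin." That is an edit to the transcript's content, not a link, and the commit message "more links everywhere" does not mention it; either keep the original sentence or state the transcription correction in the commit message. The same hunk also moves the final sentence "The idea of trying to do script enhancement without it is just not interesting..." into its own paragraph, separating it from the "because it makes it so much easier" clause it completes; keep it in the same paragraph as the rest of the answer.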
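Review bot: the rewritten line in transcripts/scalingbitcoin/milan/mimblewimble.mdwn still carries transcription typos that should be fixed while the line is being touched: "vaues" (values), "priviledged" (privileged), "wat" (want), and on the continuation line "addu p" (add up), "hte" (the), "encrption" (encryption), "mimbewimble" (mimblewimble). The new paragraph break also lands between "you can make it whatever range you wat." and "As long as it is much less than 2^256, you can have any value you want, and it proves it's in the range.", which is one thought about the range proof; break before "Confidential transactions use homomorphic encryption." instead. The "confidential transactions" link to the gmaxwell CT transcript is the right cross-reference.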