WBD132 Audio Transcription 

WBD131+-+Interview+with+Alan+Lane+(Banner).png

Pieter Wuille on Building Bitcoin

Interview date: Monday 22nd July 2019

Note: the following is a transcription of my interview with Peter Wuille from Blockstream. I have reviewed the transcription but if you find any mistakes, please feel free to email me. You can listen to the original recording here.

In this interview, we hear how Pieter first heard about Bitcoin in 2010, entering the world of mining and selling thousands of Bitcoin for $0.20. I also find out what he thinks of Bitcoin in 2019 and what he argues is the threat to its future.


“My priorities are driven by what is cool to work on.”

— Pieter Wuille

Interview Transcription

Peter McCormack: So I'm the opposite of you. I'm like the complete opposite of you for Bitcoin, but what people have enjoyed with my show is that when technical people come on, I try and get them to explain things so they can understand. So we're going to try and do that today.

Pieter Wuille: Okay!

Peter McCormack: So I think the starting point needs to be why do you keep misspelling our name?

Pieter Wuille: I don't know, I guess we both have hard names to spell! I don't think yours is that hard.

Peter McCormack: Why have you added an "i" into Peter?

Pieter Wuille: Because in Dutch, if it didn't have an "i", you would pronounce it "Perta". While I was living in Zurich where people speak German or something that some people call German, I would go into a Starbucks, people would ask me what name is in English and I'd say "Peter", because they think I'm speaking English, so they write down PETER and then afterwards they'd call out "Pater", which is how you pronounce that in German!

Peter McCormack: But we're the same basically?

Pieter Wuille: Yeah, there are some differences, I guess.

Peter McCormack: Let's just deny that little selfish "i". How do you pronounce your surname? Because I've discussed you in interviews before and I've got your name wrong. Then even other people, I think it was even Andrew said, "well I'm actually not sure." How is it?

Pieter Wuille: Wuille!

Peter McCormack: Not one person I've interviewed has ever said that!

Pieter Wuille: Yeah at Scaling Bitcoin in Hong Kong, right before I presented the Segregated Witness proposal, Neha introduced me as, I don't know, Peter Willy or something. So I started my talk with, "hi, I'm Peter Willy apparently!" Then later there was some thread on Reddit, where people were discussing how to pronounce my last name and then someone linked to that, as evidence about how it should be pronounced. So I made a historical mistake there.

Peter McCormack: So not one person I've met has pronounced it like that. So now I know, now I can correct people. All right, well look, thank you for coming on. I know you don't do many interviews. I only found two. I found the one that was like a radio show you were part of and I found a Coindesk written interview.

Pieter Wuille: That's right, I did one with Alyssa.

Peter McCormack: So I'm glad to get you on, because I've read quite a few bits about you. I've talked to a few people about you. A lot of people highly compliment you and you apparently, I think it was Nicolas Dorier, he said that you have the most complete knowledge of the Bitcoin source code, of anyone.

Pieter Wuille: I doubt that's still the case!

Peter McCormack: At some point?

Pieter Wuille: Perhaps.

Peter McCormack: Alright, so we're going to dig into a few things, but in that article, there was a lot written about the fact that you're actually quite, I don't want to say quiet, but you keep out a lot of the drama and the politics...

Pieter Wuille: I try to.

Peter McCormack: ... And it came up with that quote I've read many times, that "cypherpunks write code".

Pieter Wuille: I agree with that! I don't know, I think it's better to try to make progress with things than picking fights.

Peter McCormack: Are you a cypherpunk? Would you consider yourself one?

Pieter Wuille: I like writing code.

Peter McCormack: So do you identify with it? Do you identify with the history of cypherpunks?

Pieter Wuille: I like the idea of how cryptography can... No I can't say anything useful about that really!

Peter McCormack: You just like writing code and you're still a hands on coder at Blockstream. You haven't got into middle management now, doing HR reviews!

Pieter Wuille: Sometimes I interview people, but no, I'm really happy how a very large part of my job is research and development into Bitcoin.

Peter McCormack: And you fundamentally love the challenge of writing code?

Pieter Wuille: Writing code is one part, but a lot of my time the past years has been going into bigger proposals, like SegWit was one of them, Taproot is one. There's a number of other things I'm working on that aren't so much about the code, as it is about proposals and ideas for development.

Peter McCormack: Okay, well I think if you don't do many interviews, it would be good to just do a little bit of digging into the past and the history to let people know a little bit. So in as much detail as you want to give, can you tell me the journey up until the Hal Finney puzzle?

Pieter Wuille: Up until the Hal Finney puzzle okay.

Peter McCormack: Because that was your kind of starting point with Bitcoin, right?

Pieter Wuille: Right, that is what got me to look at the source code for the first time, or maybe not even... So I think I discovered Bitcoin when people were discussing it on an IRC channel on Freenode. It was the haskell-blah IRC channel, which is a channel for enthusiasts of the programming language haskell, but in a split off channel where it is not allowed to talk about haskell and someone brought it up there in late 2010. It was a very appealing idea that just a piece of software could define a currency.

But reading back the logs of that, I had absolutely no clue how it worked, it's embarrassing. Then I think I discovered though the software that existed, I had a GPU in my desktop at the time, which I had bought with the intention of playing some video games, which I never got around to really, but apparently could mine quite a bit of Bitcoin. It was, by the way, 20 cents per Bitcoin at the time. Pretty sure I sold all of those.

Peter McCormack: Oh no! Do how many you sold? You're going to tell me something like thousands?

Pieter Wuille: Yeah!

Peter McCormack: Who would know though, right? I mean, I doubt you sat there... Well you obviously didn't sit there and think, "well that's going to go to $20,000."

Pieter Wuille: I didn't think you would go to $1. I didn't think it would go to $10. I didn't think it would go to $1,000 and I certainly didn't think it would go to $10,000.

Peter McCormack: So here we are, we're at $10,000 at the moment. But it's not going to go $100,000 isn't it?

Pieter Wuille: No, definitely not. So anyway, at the time, so that was interesting. I started talking to all my friends about it and they were like, "yeah, go play with your monopoly money" or something. Then I think together with a friend of mine, we built a few machines to do mining, this was in early 2011 and very small scale.

I think we had six GPUs or something, but it was a lot of fun to play around with the half broken software that existed for this at the time. I think we expected to break even in three months, when we started this, maybe in February 2011 and I remember we succeeded to the day, in three months we broke, even except the hash rate had gone up, like a factor of three faster than we expected, but so had the exchange rates.

It was pure coincidence really! Our guess was completely off, but it turned out to be... A couple months later we just sold the hardware because electricity costs in Belgium aren't that low, so it just wasn't worth it anymore.

Peter McCormack: When did the Hal puzzle come into play?

Pieter Wuille: Hmm, yeah that must've been around the same time, somewhere in first months of 2011.

Peter McCormack: What was the puzzle? I read about it, but...

Pieter Wuille: Oh, it was Hal Finney posting, "here's a private key with disassociated address. It has 5 Bitcoin on it" or something, which was not much at a time. This was on the Bitcointalk Forum, which I think at the time, was still hosted on bitcoin.org. Yeah, the challenge was if you can take the coins, they're yours and given that at the time, really the only published Bitcoin software was the original client at the time, just called "Bitcoin", what later became Bitcoin Core and it didn't have any functionality for importing or exporting private keys.

So I had already been looking at the code a bit. There was this discussion once about how to speed up block generation, I think it was Slush, who was wondering about that. So I had been looking into that for a bit. That was probably before that puzzle. Then I started writing this patch for importing keys and I ran into a number of challenges, things I needed some re-factorings in the code.

Peter McCormack: You never solved the puzzle though?

Pieter Wuille: No, Mike Hearn solved it first and I think he sent the coins back to Hal Finney.

Peter McCormack: What a good guy!

Pieter Wuille: He was already working on Bitcoin at the time, so yeah, I guess

Peter McCormack: I guess it was a gradual process, but you obviously started to tinker more and more with Bitcoin and learn more about it. When was the transition where you kind of started to realize, "okay, this is all I'm going to be doing." Can you even pinpoint it?

Pieter Wuille: Well, yes. I guess the day I joined Blockstream, but before that... So I discovered Bitcoin, all of this was when I was working on my PhD and it started taking a significant portion of my free time looking at Bitcoin things and I had to dial that down when I was writing my dissertation. But then after I got my degree, I didn't quite know what to do.

Bitcoin was super interesting, so I spent a couple of months really just doing Bitcoin things. I wasn't quite sure what I wanted to do after. Then I joined Google, but I found the appeal of working on open source software and contributing to Bitcoin much more interesting than my job there. Then when the opportunity came to join Blockstream, that was I guess, the right thing to do.

Peter McCormack: Obviously, we all, when we first discover Bitcoin, we all have that moment where we're like, "hmm, this can't really be real" or "I can't really take this seriously", but over time you start to accept it, you start to see some of the beauty of it. At what point did you realize this isn't just silly monopoly money or are you still not there?

Pieter Wuille: No, I think I've come to terms that it's a bit more than that. When was that? I don't think I can pinpoint an exact point in time. It was a gradual...

Peter McCormack: You've got no doubt now though?

Pieter Wuille: [Laughs]

Peter McCormack: I mean, you can have doubts about survival, but I don't believe you've got any doubts about whether it should survive and what its benefits are?

Pieter Wuille: No, of course not. But I don't know, I try to keep a realistic... I think it is better for the ecosystem if we treat Bitcoin as something that is still fragile and might not make it. I mean it all depends on what your success conditions are, but to me at least, they include usefulness over a long period of time in the future and that's far from guaranteed to be the case. But the technology is so interesting, I'm going to try everything I can to make it do.

Peter McCormack: What do you think the biggest threats are to it, for you as a say developer? As a coder?

Pieter Wuille: Isn't so much as a developer, but I think if it turns out that the only way to use Bitcoin is in a very regulated environment where only businesses with and clear and open books and KYC/AML everywhere are able to interact with it, then I fear it won't achieve the best of its potential and that's possibly a worse scenario, that's worse than it just dying off and being replaced with something else.

Peter McCormack: But I can still send you Bitcoin today, you can send it back to me without KYC.

Pieter Wuille: Yep, absolutely.

Peter McCormack: And that would be very hard to enforce. You can force it on the, I guess on the exchange level pretty well, but at a wallet level it's very hard.

Pieter Wuille: Yes and I think that is fine. My hope is that as a bigger internal Bitcoin economy grows at some point where, businesses accept Bitcoin, people accept Bitcoin and they keep it in Bitcoin for extended periods of time, rather than converting to fiat at every stage, even if exchanges are regulated in such an environment.

Peter McCormack: I guess it's the on ramp and off ramp, which is gives them exposure to KYC?

Pieter Wuille: Yes and at a high level, I think a goal for Bitcoin should be avoiding the need for regulation. By that I mean and regardless of your opinion on what kind of regulation is necessary and how much is necessary, its goal is protecting customers, protecting businesses or whatever it's trying to protect. If we can, using cryptography and computer science, build solutions that remove the need for those things, that would be a very good scenario.

If say things like provable reserves, even for completely centralized sites, if there was a way to integrate proofs of reserve, that would alleviate the need for certain kinds of audits and I think that would be a great advantage on its own. Clearly I would prefer not to have centralized custodials, that poses a systemic risk. But there are smaller goals that are fairly interesting that you can do just because a currency is purely digital, there are things you can do with that, that doesn’t otherwise exists.

I cannot prove to you, in what's called a transferrable proof, that I have a certain number of dollars in reserve for you. There's no way I can prove that, except by trying to show you a bank statement and hoping you trust my bank and I trust my bank and whatever. But with Bitcoin I can do this. They're just data, so you can make statements about it and you can prove things and I think that's really cool. I haven't seen that much use for this, but maybe we'll see that.

Peter McCormack: But the encroachment of regulators to the point that it, I guess removes all anonymity, just loses its excitement and removes its kind of sexiness.

Pieter Wuille: It does. For currency to be useful, it needs to be fungible and if the only way to use it as always by revealing your identity, then this property goes away.

Peter McCormack: But again, as we said, that's a problem on the on and off ramp with exchanges. We don't have it wallet to wallet right now. Hopefully with Lightning we will have even more anonymity.

Pieter Wuille: Certain types of anonymity, yes.

Peter McCormack: One of the questions I had for you, is how do you prioritize what you're working on? I guess like any job, I've got a to do list with a hundred things on; shows I want to record, people I want to speak to, other things I want to do. I'm sure you've got a to do list of hundreds of things you want to do. How do you choose what you want to work on?

Pieter Wuille: The answer to that is pretty much driven by what is cool to work on and it's hard because I feel I'm continuously not making blocking things or not making progress for things that should be priorities, but there's just this really cool project I'm working on. Somehow I get absorbed into that and work on that and then I switch over to something else.

Peter McCormack: What is cool to you?

Pieter Wuille: Oh, it depends! There's so many different things I work on. So right now, a lot of my time is going to a project called Miniscript, which is about making the Bitcoin scripting language more accessible. In short, the Bitcoin scripting language is, A, hard to analyze and it you'll find few people who do non-trivial things with it. Part of that is because there just isn't all that much you can do with it. It's pretty much combinations of sets of keys that need to sign off or timeouts, lock times and hash logs and a couple other things.

But even if for a particular application, you have a use for a particular script or a certain policy which you're encoding as a script, that doesn't make it easy to use. You'll still need to write custom software to sign for these things, to have a protocol on agreeing with multiple participants to decide on what this transaction is going to be.

With Miniscript, we essentially define an analyzable subset of the Bitcoin scripting language that can do pretty much everything, but given such a script, it is obvious what its doing and what's more, anyone who understands Miniscript will be able to sign for any Miniscripts. So one of the things that this could potentially enable as well, you have say, Lightning.

Lightning uses custom scripts that they have developed, but now I want to use a multisig wallet with that. In the traditional approach and I'm not all that involved in Lightning development, but my understanding is that this would pretty much require rewriting a whole bunch of BOLTS and redoing a lot of the development work on the protocols around it.

But if this was done with Miniscript, you could just take the policy that Lightning requires and plug in the multisig policy, like replace one of the keys with a multisig policy and everything would still work.

So I think this is something that's been overlooked for a long time in development, that smart contracts as people call them, isn't just about the functionality that you have in the Blockchain consensus rules itself, but also all the software around it to make use of it. So this is something I'm working on currently, I hope to publish something more about soon.

Peter McCormack: How much of the work do you do? How much of the work do other people do to support you? Are you the big ideas guy and you outsource it to this guy?

Pieter Wuille: So Miniscript we're I guess now three people, Andrew Poelstra, Sanket Kanjalkar and me. This project started about a year ago with a desire to be able to integrate much larger sets of multisig in the scripting language, which is obviously possible, but nobody does it because the only standard construction that everyone uses only supports up to 15 keys.

So yeah, it's a collaboration. A whole lot of time has gone and back and forth in incremental improvements and complete rewrites and designs of the system over the past couple of months. I think we have it now fleshed out and saying it's working. Sanket and Andrew are working on the Rust implementation, I'm working on a C++ implementation for integration in Bitcoin core. Yeah, it's a team effort!

Peter McCormack: Okay. When and how will that be implemented? Does that require soft fork?

Pieter Wuille: No, not at all. This is just about using the existing scripting language as it exists today. So this would interact with PSBT, the transaction decision and signing interchange format that Andrew Chow developed last year. What this would allow is you... It depends on how people do things, but it could be possible that just one of the participants in a transaction understands the full policy and now he just adds information to a PSBT file, "I understand this. This means you need to sign and you need to sign." "Okay" and then gets into the file, you give it to those participants.

Their software doesn't even understand Miniscript or doesn't even understand what the policy involved is, there's some complications with change detection there, but ignoring that, they just sign, get it back to the guy who understands the thing and he constructs the transaction based on it.

My hope is that if this gets integrated into a couple pieces of software, this will be a long time thing because it's a different way of interacting with transactions, but that would enable the this composability, where you have, "oh this application requires this kind of policy, but I have this kind of wallet which actually has a policy on its own." Maybe it's a two of three 2FA based wallet. 

Things like Blockstream Green wallet, which is a 2-of-2 or 2-of-3, with a timeout and a two 2FA surface, that on itself is a very useful policy. For example, you have a company whose cold storage is protected by a 4-of-5 of some of the executives of the company or something, don't know if people do that, but it's a fairly reasonable thing to do.

But now one of those executives actually has decent but relatively complex 2FA set up. Why is he restricted? Why can't he use that policy inside the protection of those funds? If things were Miniscript enabled, this would be trivial. You just plug in the one policy into the other policy and all software would know how to, like wouldn't even care about the fact that this is now not a standard multisig construction anymore.

Peter McCormack: Are there any dangers when you build something like this, that some kind of unknown bug could do something catastrophic?

Pieter Wuille: Of course! That's what we have review for and many eyes. Sorry to talk about something that we haven't published that much about.

Peter McCormack: Do you worry though?

Pieter Wuille: Not really. There's no need to rush things. Things should be adopted when people feel comfortable with the level of review and analysis they've gotten and I think the design of Miniscript, makes it very easy to reason about some of its properties. Language, it involves a simple programming language itself actually. 

Then there's automated reasoning you do about, "oh, this kind of expression has these properties", like for example, this one will always put a 1 on the stack and not just a non-zero number and then there's this other construction that requires such an input. So as a result we can reason that it's correct or something like that.

Peter McCormack: Slow and steady!

Pieter Wuille: Yeah, exactly. I think for a lot of the things we work on, we try not to have actual deadlines. You work on a project and you make progress, but then something else takes over and that's okay.

Something else, it goes into the background and a couple of months later, you have better ideas and you get new eyes on it and you iterate again and you've learned so much more. By not having a desire to publish things before they are done, you I think, achieve much better quality.

Of course it also takes a lot more time, but I don't know, it's a kind of design approach that has worked well where you, I guess sort of overkill part of the engineering, like where you don't just design for good enough, but make it the best they can be. Now some of the concerns are just completely off the table, you've completely solved that problem, well to an extent.

Peter McCormack: It's a strange position as well, whereby whilst your employed for Blockstream and you could spend all your time building Blockstream products, because they are a company, you are also really spending most of your time working on Bitcoin? It's a very strange, unusual thing though. You don't see this in most of life.

Pieter Wuille: No you don't, but it's fairly common in open source development I think where, I think the Linux kernel is a perfect example, where many of the contributors to the Linux kernel, are people who are employed by companies, but their job is contributing to the Linux kernel.

I think this is a very good model, where companies that have an interest in the success of this technology, pay people to contribute to it on a fairly standalone, autonomous way. I think we're starting to see or have been seeing the same thing in Bitcoin for a while now. There is a bunch of companies who are just like, "yep, one or two developers that will pay."

Peter McCormack: And you all talk to each other? And you talk to Chaincode, right?

Pieter Wuille: Of course. There's Anthony Towns works for Xapo, a bunch of people at Chain Code, a number of people at DG, a number of people I have no idea who they work for, that's fine too. Ideas should be valued, based on their merits.

Peter McCormack: Another question I often ask people, and it came originally from an Adam Back interview that he did, there's always interesting answers and I should have done it at the start. But it's so simple, what is Bitcoin? Because every answer is different.

Pieter Wuille: What is Bitcoin? It's the currency of the Internet.

Peter McCormack: You went easy! But you don't actually just need the internet, right?

Pieter Wuille: That's true.

Peter McCormack: It's the currency of space with your new satellite?

Pieter Wuille: One of the design decisions in Bitcoin is that the participants in it with censorship rights, which we call miners, should be a permissionless set. Anyone should be able to... That is Bitcoin's answer to the need for a decision party and any sort of distributed system needs a way to tie break between conflicting transactions and they can be a central party or you can have time-based systems or whatever if you add assumptions or you have a federation where a super majority needs to sign off, but Bitcoin instead does not pick a fixed set of trusted parties.

Instead it defines this group of miners, that anyone can join. You literally don't have to talk to anyone to become a miner. There may be economic reasons why that that's not that easy and this is unfortunate, but still, you can mine anonymously and that's the whole point. If it wasn't possible to mine anonymously, then that kind of design has failed. Unfortunately, this brings in some restrictions because when you mine, you want to be close enough, in terms of propagation delay, to other miners.

If you're too far away, you're going to be disadvantaged because the rate of block production is a distributed process. So it's actually quite likely to have very short blocks or the time between two blocks is occasionally very low, in the order of seconds, it happens all the time. So if block B comes two seconds after block A, but the miner who created block B is more than two seconds of delay after the miner who created block A, then clearly these blocks are going to conflict rather than build on top of each other and this is a waste.

This is a waste for that miner, in terms of their hash rate has now been wasted for the time they were working on the block they didn't know about. But it's also a loss of security for the network because those... If say 5% of all hash rates in general is being spent on not knowing the last block actually yet, that actually gives a direct 5% cost reduction to a 51% attacker, because a 51% attacker only builds on top of his own blocks where there is no delay.

So all of this, where I'm getting at, is you really can't mine from space! Well unless you introduce super luminal communication speed or something, but inherently, the 10 minute block delay, puts in practice a limit on how far away from each other miners can be.

Peter McCormack: Right, so we can't be mining on Mars?

Pieter Wuille: Correct!

Peter McCormack: So within a couple hundred years, the next Pieter Wuille, will have to be working on a BIP to propagate between planets!

Pieter Wuille: Yeah, but our current understanding of physics doesn't allow communication faster than the speed of light.

Peter McCormack: Have you even thought about that? Like what you would do if just say, we have a moon base and we want Bitcoin on the moon, have you thought about that?

Pieter Wuille: The moon isn't that far away. I think communication back and forth to the moon is like, what two seconds? So that's probably still doable though. That's already nontrivial.

Peter McCormack: But we could send Bitcoin back and forth, say to Mars, but perhaps not mine in both locations, if propagation is the problem.

Pieter Wuille: Oh, sure.

Peter McCormack: But if somebody did, just say hypothetically, if someone just started mining on Mars, would that cause a whole bunch of problems on the network, that you couldn't stop them from causing? If they solved a block?

Pieter Wuille: So unless there is a very large portion of the hash rate there immediately, they're going to be severely disadvantaged, so it probably just wouldn't happen. But I am right, the time to Mars and back would be, well depending on where Mars is of course, but that's going to be in the several minutes.

Say there was actually 50% of the hash rate on earth and 50% of the hash rate on Mars, that would be really bad for the network, because we'd see big chains of orphans, if we're badly positioned then it's more than a couple minutes apart and you're going to have a series of blocks found on one and at the same time, a series of blocks on the other and they just haven't heard about each other. So this would reduce the meaning of confirmations. You need much longer confirmation times.

Peter McCormack: All right, so it's probably not a problem for a few decades.

Pieter Wuille: A couple hundred years maybe! Possibly, we'll have bigger problems then!

Peter McCormack: All right, so is Bitcoin for everyone on the planet? Is it for all 7 billion people? Will all 7 billion people be able to use it?

Pieter Wuille: I hope one day it is.

Peter McCormack: That's the goal!

Pieter Wuille: Well everyone's goal can be different. But I think to the extent that it's trying to be a neutral form of money that isn't subject to banking decisions, I'd like as many people as possible to benefit from that.

Peter McCormack: What are the key steps to that, ignoring kind of like marketing and adoption and rollout? Technically, is this primarily on Lightning?

Pieter Wuille: I don't like to think of Lightning as a silver bullet, because it's certainly an amazing innovation and I think it has... The invention of technology like this, I think has changed my perspective on what is possible with Bitcoin. But that doesn't mean that I expect Lightning itself, to be the one thing that will bring it to everyone on Earth.

There will be other developments of similar or very different kinds, but the fact that technology was invented that introduces such wildly different tradeoffs, without really giving up any of the essential properties, is an enormous innovation. But we also shouldn't bet everything on one technology. There will be more things that people invent and that's great.

Peter McCormack: Have you worked much on Lightning at all?

Pieter Wuille: Not at all. I don't really know how it works!

Peter McCormack: You don't know how it works? That's surprising and interesting. Have you used it?

Pieter Wuille: Yeah, I passed the Lightning torch, so I had to set up a node and everything. It was a very educational experience I'd say.

Peter McCormack: Do you remember who you said your torch to?

Pieter Wuille: Yeah, Alexander Leishman, who runs the Socratic seminar at BitcoinDevs.

Peter McCormack: Ah interesting! I did mine, on a plane, to somebody else, on a plane!

Pieter Wuille: Yeah, I found it a very interesting initiative. It was a way to get a whole bunch of people involved and excited. I think it probably actually showed some of the limits of the technology and routing problems that appeared. Not so much about things that developers learned, but the wider community learned.

Peter McCormack: But you'll just focus on the base chain then?

Pieter Wuille: Yeah, there's already so much to do there and I already have not enough time to do all the things I want to do.

Peter McCormack: Well I appreciate you making some time for me then! Look, there's a couple other things I did want to ask you about though. Obviously you announced a couple of months back now 2 BIPS for Taproot and Schnorr. How's that all going?

Pieter Wuille: Pretty well. My impression is that a lot of people are excited and just want to see it happen. I haven't heard much criticism at all about the decision whether we want it or not, which is encouraging. There has been a bit of feedback and some ideas about improvements. I plan to cycle back through those things soon, make some adjustments and yeah, I expect it to happen.

Peter McCormack: How are decisions made? When you say you've had some feedback, how do you choose who to listen to? Who to ignore? Is it just personal choice?

Pieter Wuille: Yes and no. Ultimately this is a proposal and it's a proposal from a few people that we worked on this proposal with. At some point the decision will be up to the community whether to accept the proposal or not and that's of course a vague thing.

Peter McCormack: But it's not controversial, like SegWit?

Pieter Wuille: Well no, at least from what I've seen, not at all, which I found a bit surprising actually. I mean there was a bunch of stuff in there and I expect it to happen, so I don't want to speak for...

Peter McCormack: What other stuff are you were working on? I mean, it's quite a lot! So you've got your Miniscript, you've got Taproot, you've got Mast, you've got Schnorr, anything else?

Pieter Wuille: Well Schnorr, Taproot and Mast are all integrated into one proposal. There's Miniscript and I'm also thinking about things, what after Taproot?

Peter McCormack: What's coming? Come on, what do you really want to do?

Pieter Wuille: So we have some ideas about how to generalize Taproot. Anthony Towns came up with Graftroot, which is a generalized Taproot that lets you do some of the things that it does, but generalizes them. Of course, there's the big thing; cross-input signature aggregation. So this is been a bit of an unfortunate sequence of events where... The primary thing that got me excited about doing Schnorr signatures, was the fact that they permit things like cross-input aggregation.

It's actually not quite Schnorr, you need a bit more advanced scheme, but still, the idea of being able to reduce the total number of signatures in a transaction to one, regardless of the complexity or size of the transaction was really appealing. But then, as we got into development and I see myself more as an applied cryptographer than a theoretical cryptographer.

So as we learned more and more and then talked to people who actually know what they're talking about, about these things, we learned that there's a whole bunch of pitfalls and also engineering challenges in doing this. Then Taproot came along and Taproot is really cool on its own. In short, it means every output will look identical, so you won't have P2SH and Pay-to-PubKey Hash things anymore, there's just one type of output.

As long as you don't reuse keys, they will all look indistinguishably random from each other. Then every Taproot output can also be spent with a single key, but due to Schnorr, that single key can actually represent multiple keys at the same time and all of those also look identical. So you can't tell anymore when a Taproot output is spent and it is spent cooperatively, so where most or all of the participants just agreed to spend it.

You never reveal what the actual script was on the chain and I think this is a really great fungibility improvement, because now you don't leak on the network anymore, what kind of software you're using or this awesome wallet, which has a 4-of-7 multisig and it's the only service that has 4-of-7 multisig. Well, you can't tell anymore now on the chain, in most cases, that that particular output was from awesome wallet.

So that's a really exciting idea on its own, so we focused on that for a bit with Taproot and set cross-input aggregation aside. But obviously the cross-input aggregation has to happen sometime. So with generalizing Taproot, that seems like it actually becomes easier. So that's something I'm excited about! But that's steps ahead.

Peter McCormack: Do you ever think we'll ever get to full anonymity in Bitcoin? Do you think that's even a good thing?

Pieter Wuille: All other things aside, I think it would be a good thing. But it seems that in practice, even ignoring how to integrate it in Bitcoin, but all technologies that enable it come with serious drawbacks at the same time. They come with either a trusted set up or they come with ever-growing data sets, like Bitcoin has UTXO sets and if the number of UTXOs goes down over time, then the size of the UTXO set goes down as well.

But in designs where you can't see exactly which coin is being spent by which inputs, you can't delete the old coin. Instead, many of these things work with, this is true for Zash and Monero for example, they work with a set of spent coins, rather than a set of unspent coins. Unfortunately, the set of spent coins is always growing. So that's a drawback, with computational costs, there's bandwidth costs that also are involved.

I think that if you disregard these ever-growing data sets, the best I know that we can do, is confidential transactions, which really just hide the amounts involved. But even there, there are serious challenges in bringing it to Bitcoin, because they're much larger and there are questions about auditability, which seems something that many Bitcoiners care deeply about. You can just sum all the values in your UTXO set and see that it's less than 21 million. Of course the system is designed such that this limit cannot be exceeded.

But even if there was a bug in all the logic that prevents this, you can still see it hasn't happened. If you make this logic more complicated, as it is with confidential transactions, even if you pick a design where it is theoretically guaranteed that it is impossible to inflate, if there is a bug in this logic, you can't tell anymore.

Peter McCormack: That's the main argument against that I've heard.

Pieter Wuille: It's one of them. So another one is a big question in confidential transactions, is that there is this principle that's very foundational, that because you need some form of zero knowledge proof, as you need to prove to the network that your transaction is valid. These proofs have two properties that you try to achieve. A, is that someone cannot create a proof unless the statement is actually true, which is called soundness.

The other is of course the zero knowledge part of it; are you not revealing anything more than the statements? There's this very fundamental property that you cannot make both of them perfect at the same time. So you can design a system that if the cryptographic assumptions underlying it break down, either because elliptic curves are broken or a quantum computer comes along of sufficient size and whatever.

There are always assumptions you make and if those assumptions are broken, you can choose a design where either the privacy breaks down or the soundness breaks down, but you cannot have something where neither breaks down. So it's a question, okay, say everybody wants confidential transactions and we're fine with the computational trade offs and whatever, which one do you pick? I've heard good arguments for both.

One of them is, well our inflation limit in Bitcoin is such an important constitution thing for Bitcoin, that we cannot permit even a break of the elliptic curve discrete logarithm problem to change that. Thus we have to pick a design that is unconditionally sound. On the other hand, there's the argument that well, if you're doing that and that implies privacy is broken, but not just the privacy in the future is broken, but of all past transactions, they get retroactively de-anonymized as well.

Maybe that is a worse scenario than just saying, "well, if our assumption breaks down, we're done for anyway, we need to move to a different system" and it would be better to prefer something, where the past isn't de-anonymized. So instead you should pick unconditional privacy. I don't know, these are hard questions. I don't have an answer!

Peter McCormack: Not today. Maybe in the future! All right, well listen, I'm conscious of time and I'm conscious how busy you are. We did our hour, so thank you for doing this, I appreciate you allowing me to come over here. I also need to pick up my Core cheque that I get every month, for supporting Bitcoin Core over Bitcoin Cash! But no, thank you Peter, this has been great, I've really enjoyed it. How do people follow your work? What you're doing? How do they follow you?

Pieter Wuille: I don't know, maybe you know better than I!

Peter McCormack: Well usually this is the point where you go "follow me on Twitter."

Pieter Wuille: I'm here, I'm on Twitter.

Peter McCormack: I'll share that out in the show notes. Do you want to say a quick hello? Do you want to come on and say a quick hello, answer a couple of questions? You want to jump over the other side, while you're here.

Sanket Sanjalkar: We haven't met, no.

Peter McCormack: Are you the intern?

Sanket Sanjalkar: Yes, I'm the intern.

Peter McCormack: How long have you been here?

Sanket Sanjalkar: I've been here for about two months now. I'm Sanket, I'm working with Pieter and Andrew on Miniscript.

Peter McCormack: Okay, are you from India?

Sanket Sanjalkar: Yeah, I'm from India.

Peter McCormack: I can pick the accent out. Did you come here for this or were you here already?

Sanket Sanjalkar: No, I'm a student at University of Illinois, Urbana-Champaign. After my first year, this is my internship, so I go back to school again this fall.

Peter McCormack: So how long are you here for, just the summer?

Sanket Sanjalkar: Yes, maybe one more month.

Peter McCormack: How did you discover the internship?

Sanket Sanjalkar: I was aware of Bitcoin and I knew the place existed. Some of my friends work at Blockstream, so they referred me.

Peter McCormack: So that was pretty cool to come and work here!

Sanket Sanjalkar: Of course!

Peter McCormack: You love it here now?

Sanket Sanjalkar: Yes, I get to hang out with Pieter every day. We discuss several awesome things!

Peter McCormack: And all the other people coming in and out?

Sanket Sanjalkar: Yes!

Peter McCormack: You get to do your first podcast interview. How's it working on Miniscript?

Sanket Sanjalkar: So it's back and forth. We come up with something and then we undo it again. Then we come up with something again, then we undo it. But every time it gets better, like we cover whiteboards with some things, scrap some ideas and go out again.

The cool part is that as Pieter mentioned, we don't have any, compared to my university or other jobs, I think we don't have any set deadlines. So the quality of work, as I see, has improved significantly over the last couple of months.

Peter McCormack: And were you doing work on Bitcoin before you came here?

Sanket Sanjalkar: I did not. So my thesis is on... My masters, I worked with Andrew Miller, who again is a Professor who is on the Zcash Foundation and he's also friends with Andrew Poelstra and Pieter, so he kind of referred me here and I'm working on Lightning related things or some other cryptocurrency projects out there.

Peter McCormack: You've been working on lightning as well? Pieter doesn't do that!

Sanket Sanjalkar: Yeah, kind of playing around with things. Pieter knows a lot of Lightning.

Peter McCormack: You can see in your face how much you're loving this. Is it actually going to suck to go back to college afterwards?

Sanket Sanjalkar: Yes, it's going to suck! I mean I'm enjoying it, I look forward to it. Every like lunch or dinner I have with Pieter, we are discussing some new ideas.

Peter McCormack: I mean I'm not going to list all the technology people who dropped out halfway through their universities to build things.

Sanket Sanjalkar: I just have one more year to go. Hopefully I will complete it!

Peter McCormack: No you should, I'm only teasing. So one more year to go and then what, hopefully back here?

Sanket Sanjalkar: We'll see!

Peter McCormack: Bitcoin's for you though right? What's the deal with Bitcoin for you? Why do you love it?

Sanket Sanjalkar: It's hard to pinpoint something. It's just something I've found interesting. I don't have any philosophical or any good answer to behind it, just something which I discovered quite late. I got in late 2016/17 and I had some interest in cryptography, so I started diving into it and some of the culture, the politics, I just fell one way down the other and yeah, it's just cool! I don't have any libertarian or philosophical reason to say it. But yeah, it's just cool and I want to know more about it. So I just started going into it.

Peter McCormack: I always think that's the best answer. It is just cool! The fact that you can just send money around like that is cool. The fact that money has come from nothing is just cool. Well listen, great to meet you. Good luck with this man. I expect maybe in a year or so, you'll be coming back on the podcast in your own right, telling me about your work. We'll see man, take care and good luck with it all!