Nearly every other serious cryptocurrency has at least 1, and often several cryptographers working to improve the protocol. With all of the new ZK-systems coming out (Halo, SNARKs, Lelantus, etc), it’s difficult for amateur cryptographers to determine the usefulness and advantages of each system. While Tromp and Jasper both have the math abilities needed, neither are cryptographers, and thus lack some of the context needed to understand and evaluate the increasing number of crypto solutions being developed (not to mention being already busy improving Grin in other ways).
I hereby propose we use some Grin council funds to hire a full-time cryptographer to start working on ways to implement one-sided payments, reduce transaction linkability, and increase scalability. Improving in these areas would help increase the privacy, usability, and long-term viability of Grin.
I understand that this is unlikely to be as simple as just posting a job opening, but I’m willing to do the legwork to seek out willing and capable candidates for the job.
The ones I know are Bitcoin, Ethereum, Monero, Zcash, and Zcoin. I’m guessing there’s very few others you would consider serious.
The consensus is that such a thing is impossible. The sender would not be able to produce a rangeproof for the receiver’s output as that requires knowledge of its blinding factor. So I fear you’d be paying someone to stretch the definition of “one-sided”…
This is a most worthwhile goal. Beam is pursuing a Lelantus based approach that looks promising but prevents pruning of spent outputs.
The big challenge is how do it without any downsides like harming scalability and/or decentralization. That would be one of the holy grails of MW.
But it will probably require lots of creativity. I don’t consider this a well-defined task that someone can be hired to carry out.
MW is already leading the pack in scalability. IBD remains a bottleneck with the requirement to validate all kernels in history. This could benefit from any of the proving systems that the crypto community at large is already working on.
If you pick one, then its implementation for Grin is a pretty well defined task. But picking one is the tricky part, as new systems seem to come out almost every other month. In principle that is not a problem as long as we keep our current protocol untouched, and offer the the new proofs as an optional shortcut. We may end up with multiple different proving systems, and different proof acceleration services running on top of the base layer.
I see no urgency to do this any time soon though, as IBD time is currently far from a bottleneck, and we can just wait longer to see better proving systems developed and mature.
In summary: I think hiring a cryptographer makes sense once you identify a relatively well defined task that will bring clear benefits.
But it will probably require lots of creativity. I don’t consider this a well-defined task that someone can be hired to carry out.
Lelantus wasn’t the result of a well-defined task that Aram was hired to perform. Zcoin took a risk, found a good cryptographer, and let him do his thing. Sometimes, impressive systems are designed (like Lelantus). Other times, not so much. Every breakthrough starts with R&D. I certainly don’t agree with the premise that cryptographers must be given a clear set of requirements, or that they’re only capable of implementing well-defined cryptosystems.
I see no urgency to do this any time soon though, as IBD time is currently far from a bottleneck, and we can just wait longer to see better proving systems developed and mature.
Maybe you’re right, or maybe we’re just making it harder on ourselves later (like bitcoin is). It seems like being able to aggregate bulletproofs and/or kernels now would be better than starting years later, but perhaps that’s not true.
After asking Rueben to review, I want to add some clarification.
Lelantus wasn’t the result of a well-defined task that Aram was hired to perform.
While technically correct, this is easy to misinterpret. Aram may not have been hired to perform a specific task, but he was hired to achieve a specific goal: “Get comparable anonymity or feature sets then zcash without fancy crypto or trusted setup”
And while I don’t yet know how or even if it’s possible, I still see value in Grin hiring a cryptographer with a specific goal: “Reduce transaction linkability without harming scalability and/or decentralization”
Zcash similarly has several cryptographers working on several goals, and state-of-the-art cryptography has been developed as a result (whether it’s safe to trust any of their moon math is a different question). Same with Monero. I see no reason why Grin shouldn’t follow in the footsteps of the others if we plan to be a privacy coin, because as of right now, most of the privacy Grin provides is illusionary.
While I do think “illusionary” is a bit too strongly worded, I do agree that it could be worthwhile to have a cryptographer researching Grin related topics.
Out of the things you mentioned, i think that finding a way to reduce the input and output linkability is the most pressing.
Since we obviously don’t have the budget to spin up a whole team of cryptographers, maybe we could find a way to structure it as a (post-doctora)l research grant in collaboration with a cryptography department at a university? This would allow for some senior supervision and give the person an environment to bounce ideas off of and keep up to date with related research. Just a thought, not sure if it’s a good one. It would make matters a bit more complicated for us and would maybe also be a too long of a commitment, since postdocs are usually at least a year long. And we might exclude some potential candidates who aren’t interested in doing it in this way. I also don’t know if any university would be interested in that kind of thing in the first place.
Grin is leading the pack here because of intentional obstruction for individuals to obtain the full archive blockchain. It isn’t leading the pack because privacy and the perceived degree of scalability are intrinsic properties. Privacy via obstruction of acquiring data (which could be used against us) is not something I find appropriate. Both privacy and scalability should be intrinsic properties and I think the counsel should support hiring someone capable of accelerating this end goal.
The data is retained in Bitcoin because it is necessary for validation of the chain, not because they want the data for purposes of some kind of transparency. Mimblewimble lets you validate the chain without needing all the otherwise useless (or even harmful) data.
It is harmful because of linkability. This harmful data is in the hands of many people, but not available to all people. I see that as a problem and that solving linkability should be a priority. Then there would be no issues with ensuring all the data is available to everyone… Not needing all the data is fantastic, I am not suggesting otherwise. The default sync should be the least amount of data necessary, but not the only option
I guess I have this backwards. We have “perceived privacy” and sacrifice real privacy for scalability. The “perceived privacy” is more problematic because it is via obstruction of data acquisition. Data that others have and could use against us. I would prefer transparancy and honesty to this approach. If you want it to focus on scalability then make the other data available and stop pretending it makes it more private. Or sacrifice some scalability to make it more private. Or hire someone that might be able to do both at the same time. I support hiring someone to work on a better solution/compromise.
This is a very good idea. We do not have the budget of zcash or even monero, so presenting it to students could be perfect. Benedikt still could help us float it to other Stanford students.
Yep, I agree, starting with the student route seems like a thrifty approach that should be considered. I do believe we have enough budget for a cryptographer though. Monero pays Sarang approximately 1 standard yeast unit per month, and we’ve already earmarked an extra full-time dev or two in the budget at that salary.
Can we start with students and then hopefully accumulate a solid list of ledes to then have a full time cryptographer sit down with and have a starting place? If we do one year of student “challenges/ projects” then we hire a cryptographer we would seem to get much more bang for our buck. And still be inside our 2 years of scheduled HF (which of course we can extend into the future with very little downside).
I am approaching grin funds extremely carefully. I am picturing possibility of them needing to last 50 years just to fund one major maintainer on a shoestring budget. We are living in a time of great wealth but that could change and we could end up never raising more money, and maintaining grin for world to use would still be important, maybe even more important.
Will try to catch this one. We need a research proposal (like the top three from above) and then on open call for anyone who can to share it with students and professors in math related departments. We can even call it a scholarship competition and teams that make meaningful progress can split a cash reward and we still spend less. Awesome resume builder! Would need concrete goals in that case to cdoose winners.