1 00:00:00,000 --> 00:00:08,300 So the reason HTTPS makes sense as an analogy is because before HTTPS, everything on the web was totally unencrypted. 2 00:00:09,040 --> 00:00:14,440 And if you and I were having this video call and say we were both on a hotel, say I was on hotel Wi-Fi. 3 00:00:14,440 --> 00:00:20,740 The hotel is a sort of third party in the middle that would be able to listen in on the stream and find all the packets. 4 00:00:21,520 --> 00:00:28,800 Once we introduced HTTPS, not that streaming was that easy back in the day, maybe it was emails instead, but assume it was. 5 00:00:28,800 --> 00:00:37,520 Once we assume HTTPS, then the ability of the third parties that are not us, the counterparties, to read that information was fixed. 6 00:00:37,860 --> 00:00:39,360 It was protected by encryption. 7 00:00:39,680 --> 00:00:49,940 PayJoin is much the same in that when I'm sending you some money with a PayJoin, you still know my inputs and I still know your address ultimately at the end of the transaction on chain. 8 00:00:50,080 --> 00:00:58,200 But without that information of my wallet or your wallet, without those additional details, the second party information, third parties don't know that with any certainty. 9 00:00:58,800 --> 00:01:03,040 Dan, welcome. 10 00:01:03,660 --> 00:01:05,180 Sean, thank you. 11 00:01:05,700 --> 00:01:09,600 Fresh out of the Department of Motor Vehicles, on to Trust Revolution. 12 00:01:09,780 --> 00:01:11,560 Appreciate you making that context switch. 13 00:01:11,860 --> 00:01:15,000 Hopefully it's a little more pleasurable doing this than that. 14 00:01:15,420 --> 00:01:16,020 Yeah, absolutely. 15 00:01:16,280 --> 00:01:18,740 I don't want to be standing in lines and talking through a glass wall. 16 00:01:19,440 --> 00:01:20,240 Nobody needs that. 17 00:01:20,420 --> 00:01:22,060 We're just talking to glass screens instead. 18 00:01:22,420 --> 00:01:28,780 Well, hey, so we have been working on this for a bit since you and I sat beside each other at an event at Bitcoin Park. 19 00:01:28,800 --> 00:01:35,040 and started talking about our beloved First and Fourth Amendments here in the United States. 20 00:01:35,160 --> 00:01:40,900 And so I am particularly excited to talk with you, to speak with you about your work, 21 00:01:41,180 --> 00:01:47,960 about what privacy means in terms of financial transactions and payments specifically. 22 00:01:48,620 --> 00:01:50,180 And let's start here. 23 00:01:50,320 --> 00:01:55,400 Congratulations on getting PayJoin Foundation off the ground. 24 00:01:55,400 --> 00:02:10,700 And for those who may not be familiar with the work and your leadership of it, could you give us a brief background, Dan, on PayJoin and PayJoin Foundation and its relevance to Bitcoin and payments generally? 25 00:02:11,920 --> 00:02:13,620 Sure. Thanks for that tee up. 26 00:02:14,700 --> 00:02:17,740 Oh, I need to also thank my team, of course. 27 00:02:17,740 --> 00:02:31,460 The whole reason PayJoin and PayJoin Foundation exists now is because we've had around eight independent compensated contributors working on PayJoin for about a year. 28 00:02:31,840 --> 00:02:34,020 And we've got a volunteer board. 29 00:02:34,020 --> 00:02:46,760 It was time to be able to recruit directly for specific needs that the PayJoin dev kit had. 30 00:02:46,760 --> 00:03:16,240 But I'm getting ahead of myself. So pay join is what you can think of as interactive batching. Bitcoin has had batching since, you know, it was became widespread in 2017, I think, when the fees got crazy. But if you make naive Bitcoin transactions, that's one transaction per transfer of money. And if you're moving money often and high volumes, that starts to really add up and become 31 00:03:16,760 --> 00:03:23,980 more expensive than it needs to be so when the fees got high in 2017 people started batching 32 00:03:23,980 --> 00:03:31,060 non-interactively where like the common example is an exchange would service multiple withdrawals 33 00:03:31,060 --> 00:03:40,340 in one transaction where they'd provide a single input and be able to pay say 100 people all in one 34 00:03:40,340 --> 00:03:47,720 transaction, only producing one change, which kept their wallets small, kept their customers 35 00:03:47,720 --> 00:03:52,600 served often, and they pay a much smaller fee for making that batch versus making the 36 00:03:52,600 --> 00:03:53,940 hundred separate transactions. 37 00:03:54,640 --> 00:04:02,420 And that is, if I am a customer of Strike or Cash App or one of the more sort of consumer 38 00:04:02,420 --> 00:04:07,620 focused apps of that nature, I want to sweep my Bitcoin. 39 00:04:07,620 --> 00:04:13,600 I want to move it into self-custody, whatever that may look like. 40 00:04:13,820 --> 00:04:22,480 What you're laying out is sort of the operating process that these exchanges go through, whereby they're not having all their margin eaten up by fees. 41 00:04:22,700 --> 00:04:29,760 And they can process these withdrawals more frequently so that, as you say, I, as a customer, a consumer, get what I want when I want it. 42 00:04:30,600 --> 00:04:30,920 That's right. 43 00:04:31,820 --> 00:04:32,200 Exactly. 44 00:04:32,200 --> 00:04:36,840 And then if I am, again, that individual who, you know, maybe I'm holding IBIT. 45 00:04:37,280 --> 00:04:42,440 I want some, as they say, exposure to Bitcoin, but I'm not yet holding Bitcoin in self-custody. 46 00:04:42,600 --> 00:04:55,260 Or I am, as I noted, a Striker, a Cash App user, really looking at it more as a neobank with an eye toward how do I enjoy sort of the full benefit or set of benefits of Bitcoin. 47 00:04:55,260 --> 00:05:03,000 rewind and explain why any of what you just described sort of matters in that context. 48 00:05:03,120 --> 00:05:07,140 What ultimately does PayJoin get us or get that individual? 49 00:05:08,100 --> 00:05:08,760 What's the benefit? 50 00:05:09,640 --> 00:05:15,020 So in the context of self-custody, this is what you're talking about as opposed to an 51 00:05:15,020 --> 00:05:16,820 IBIT or some ETF? 52 00:05:17,400 --> 00:05:24,440 Well, more that I'm that person who is looking to take the next step into self-custody or 53 00:05:24,440 --> 00:05:29,740 just progressing, you know, toward using Bitcoin to its fullest extent. 54 00:05:30,340 --> 00:05:31,460 What is PayJoin? 55 00:05:31,540 --> 00:05:34,340 What's the impact of PayJoin on that individual? 56 00:05:35,060 --> 00:05:35,620 So easy. 57 00:05:36,860 --> 00:05:42,960 Bitcoin exists to remove intermediaries from the movement of money online. 58 00:05:43,240 --> 00:05:47,800 So you want to be able to move money and you don't want to be censored by some party in 59 00:05:47,800 --> 00:05:50,160 the middle that says, no, you can't do that because I don't like that. 60 00:05:50,160 --> 00:05:51,920 in order to do that 61 00:05:51,920 --> 00:05:54,160 we need privacy 62 00:05:54,160 --> 00:05:56,320 because without privacy if someone can see 63 00:05:56,320 --> 00:05:58,300 how money 64 00:05:58,300 --> 00:06:00,120 is moving they don't like someone you paid 65 00:06:00,120 --> 00:06:01,960 if you're relying on them to 66 00:06:01,960 --> 00:06:04,120 move money or 67 00:06:04,120 --> 00:06:06,300 even if they can make a lot of 68 00:06:06,300 --> 00:06:08,380 noise that you move some money then they can discriminate 69 00:06:08,380 --> 00:06:10,120 based on that 70 00:06:10,120 --> 00:06:11,580 so we need some baseline privacy 71 00:06:11,580 --> 00:06:14,120 and in the original white paper 72 00:06:14,120 --> 00:06:15,360 Satoshi said that 73 00:06:15,360 --> 00:06:18,060 there's privacy problems 74 00:06:18,060 --> 00:06:19,560 with Bitcoin and that 75 00:06:20,160 --> 00:06:26,520 the way bitcoin works with inputs like coins and outputs for each transaction he said all the 76 00:06:26,520 --> 00:06:33,260 inputs necessarily come from the same person which at the time was true based on the wallet 77 00:06:33,260 --> 00:06:39,340 software available but it wasn't a consensus constraint and that assumption that all the 78 00:06:39,340 --> 00:06:43,840 inputs come from one person is called the multi-input heuristic or the common input ownership 79 00:06:43,840 --> 00:06:51,360 puristic and is used to dragnet surveil everyone on bitcoin it's a pretty easy assumption to make 80 00:06:51,360 --> 00:06:54,580 that all the inputs come from the same person so you can just look at the chain and kind of follow 81 00:06:54,580 --> 00:07:00,860 coins for may to be see how much money someone has um how much money they make on a regular basis 82 00:07:00,860 --> 00:07:06,680 who they paid in the past and then in the future even who they might pay so pay join is the 83 00:07:06,680 --> 00:07:17,460 simplest way to break that privacy problem that satoshi brought up and i think of it as the next 84 00:07:17,460 --> 00:07:22,580 iteration of batching so the batching i mentioned is non-interactive batching 85 00:07:22,580 --> 00:07:28,780 with page on you have interactive batching where rather than the batch being made just by the person 86 00:07:28,780 --> 00:07:35,040 with the inputs you can have a sender and a receiver both contribute inputs to a transaction 87 00:07:35,040 --> 00:07:40,300 So this breaks the heuristic and it saves people money. It's supercharged batching for Bitcoin. 88 00:07:40,300 --> 00:08:01,360 Right. And I think that's, you know, exactly what I wanted to convey is that the, in my mind, significant innovation here is that privacy becomes an economic benefit, not a liability. 89 00:08:01,360 --> 00:08:09,840 And so as you just teed it up, Dan, I'd like to go from there to let's do talk Fourth Amendment. 90 00:08:10,120 --> 00:08:15,400 And so the Fourth Amendment says your papers and effects can't be searched without a warrant. 91 00:08:15,780 --> 00:08:17,300 We use physical cash. 92 00:08:17,420 --> 00:08:18,680 That protection exists. 93 00:08:19,280 --> 00:08:25,420 When we use Bitcoin, as you eloquently noted, so-called chain analysis tracks every transaction. 94 00:08:25,420 --> 00:08:32,460 How, in your mind, did we end up with less privacy in the digital version of cash than the physical one? 95 00:08:32,460 --> 00:08:36,000 I love this question because it's kind of like history rhyming, actually. 96 00:08:36,280 --> 00:08:39,360 The same sort of thing happened when the telephone was invented. 97 00:08:40,420 --> 00:08:47,580 So, you know, we are even the telegraph before that we had all these wires on the ground, people using Morse code. 98 00:08:47,580 --> 00:09:00,480 But they passed laws very quickly that made physical taps that arbitrary, like if you if you physically spliced a wire into the phone cable to spy on someone that was illegal. 99 00:09:00,480 --> 00:09:29,560 But then someone figured out, oh, you can just wrap a wire, a coil around the wire. You're not physically tapping it and you can read the signal still. And it took until the mid 60s to pass laws that made that Fourth Amendment protected that required police departments and government agents to get warrants to be able to search and seize that information. 100 00:09:30,480 --> 00:09:34,740 So how did how did we get here where it's not protected by the Fourth Amendment? 101 00:09:34,860 --> 00:09:37,340 I think it's just new ground. People aren't aware. 102 00:09:39,740 --> 00:09:45,680 There was also a sort of a necessity when Bitcoin originally came out. 103 00:09:45,680 --> 00:09:55,980 We didn't have zero knowledge proofs, so we weren't able to do that kind of verification without all the amounts being available in this public record. 104 00:09:55,980 --> 00:10:10,000 So it's part of it's partly just that the laws and norms take time to catch up and some technological limitations at the time that Bitcoin came out. 105 00:10:10,080 --> 00:10:13,200 But all of these things, I believe, are being addressed. 106 00:10:14,520 --> 00:10:20,120 And that is certainly another point that I want to underscore is this is the preservation of rights. 107 00:10:20,260 --> 00:10:22,500 This is not the assertion of new rights. 108 00:10:22,500 --> 00:10:52,260 And so you touched on it. You know, a government agency wants transaction data in the physical world, get a warrant. And so the question with Bitcoin is, you know, why does that standard disappear? And not, Dan, that I expect you to be to act as an historian, but I know that you, by necessity, as a builder of PayJoin, get into this is, you know, what's your sort of understanding as it stands with 109 00:10:52,260 --> 00:10:57,600 regard to the so-called reasonable expectation of privacy. And I'm thinking about, you know, 110 00:10:57,720 --> 00:11:03,980 cats versus United States in the 60s, I think it was. And so what is your assessment or 111 00:11:03,980 --> 00:11:12,440 understanding of how Bitcoin sits in that sort of that rubric of reasonable expectation of privacy? 112 00:11:12,440 --> 00:11:15,840 And where is PageWine pushing us or taking us? 113 00:11:15,840 --> 00:11:43,920 Hmm. So yes, cats is sort of what I was talking about, where you have a reasonable expectation of privacy. I think the issue with Bitcoin is specifically that while the system is pseudonymous and has the potential to grant people the ability to preserve their privacy, in practice, everything people do is published to a permanent record on chain, as, like I said, noted by Satoshi. 114 00:11:43,920 --> 00:11:49,360 And even before that, if people reuse addresses, if people are relying on a third party to sink. 115 00:11:50,540 --> 00:11:51,680 Third party doctrine kicks in. 116 00:11:52,420 --> 00:11:53,600 Well, yeah, not even that. 117 00:11:53,740 --> 00:12:08,400 But if you're beyond the legal part, just the strict practicality, if you're depending on someone else to tell you what your balance is and you're not validating, you're revealing your entire history to someone else that you must trust not to reveal that. 118 00:12:08,400 --> 00:12:14,760 Never mind if someone goes and knocks on their door and says, give this over because you're a third party and third party doctrine applies. 119 00:12:14,860 --> 00:12:15,860 So we don't need to get a warrant. 120 00:12:15,860 --> 00:12:28,120 Right, right. Well, and maybe to contrast that, you know, for those paying attention this week, Samurai, the wasabi or pardon me, Samurai mixer. 121 00:12:28,120 --> 00:12:35,920 that litigation has come to a head where the government has shown that they're taking a 122 00:12:35,920 --> 00:12:41,700 particularly aggressive stance. Prosecutors have claimed that Samurai pooled funds and 123 00:12:41,700 --> 00:12:47,280 operated as a so-called financial intermediary, and they're pushing for the maximum sentence of 124 00:12:47,280 --> 00:12:55,080 five years. How does payjoins architecture differ from mixing technically? And 125 00:12:55,080 --> 00:13:07,260 And to the degree you want to go there, you know, sort of why does that matter in light of some of these lawsuits and some of these, I would say, witch hunts? 126 00:13:07,260 --> 00:13:10,900 Yeah, it's a shame to see the way that's gone. 127 00:13:11,220 --> 00:13:13,640 That whole case is a disaster for so many reasons. 128 00:13:13,940 --> 00:13:15,360 It is. It absolutely is. 129 00:13:15,360 --> 00:13:25,840 The biggest one is just that they pled to the money service business charge and not some of the other charges, which seemed like the most ludicrous of what was on the table. 130 00:13:26,140 --> 00:13:31,460 The whole point of pay join is that it happens while you're making a payment. 131 00:13:31,620 --> 00:13:38,260 Like I said, it's transaction batching generally rather than some form of mixing. 132 00:13:38,560 --> 00:13:44,560 Right. It's in the flow in the process of executing or conducting a payment. 133 00:13:44,560 --> 00:13:51,280 it is not a discrete separate activity is that fair even if it were which it's not i don't think 134 00:13:51,280 --> 00:13:59,360 that activity makes it more suspicious but it definitely makes it um less convenient so 135 00:13:59,360 --> 00:14:03,640 pay join there's it's got two things that really make it quite different from your 136 00:14:03,640 --> 00:14:10,680 classic coordinated coin joy one is that it happens in the typical user experience so you 137 00:14:10,680 --> 00:14:15,120 scan a qr code like you would you're trying to pay someone you click send and in the background 138 00:14:15,120 --> 00:14:20,080 if both wallets support it it'll try to make a batch based on the configuration of each wallet 139 00:14:20,080 --> 00:14:27,680 and therefore it doesn't require an explicit like user action i'm trying to mix and separate old 140 00:14:27,680 --> 00:14:37,040 history new history but it also tends not to have this distinguishable fingerprint on chain when you 141 00:14:37,040 --> 00:14:42,660 look at a coin join from a samurai or wasabi you're going to see a lot of outputs that are 142 00:14:42,660 --> 00:14:50,220 of equal amounts and when money's being transferred whether in a batch or not 143 00:14:50,220 --> 00:15:04,869 it wouldn usually look that way that would only happen if you doing a self because payjoin both involves a transfer and only involves uh two people mainly because it involves 144 00:15:04,869 --> 00:15:11,789 a transfer it doesn't have this signature you don't produce equal amount outputs it produces 145 00:15:11,789 --> 00:15:18,049 typically a transaction that has two outputs which 80 of the transactions on the network have 146 00:15:18,049 --> 00:15:21,829 two inputs, I meant to say, not outputs, have two inputs. 147 00:15:21,929 --> 00:15:23,849 So it looks like everything else on the chain. 148 00:15:24,429 --> 00:15:28,789 It's not really possible for someone to point at something and say with any degree of certainty 149 00:15:28,789 --> 00:15:29,929 that is a pay join. 150 00:15:30,449 --> 00:15:32,689 It looks like the rest of the traffic on the network. 151 00:15:32,689 --> 00:15:39,529 So it's much harder for a third party or even a second party to a transaction to discriminate 152 00:15:39,529 --> 00:15:44,809 based on history that includes a pay join activity just because you don't know for certain 153 00:15:44,809 --> 00:15:45,289 if it's happening. 154 00:15:45,609 --> 00:15:47,169 Right, right, right. 155 00:15:47,169 --> 00:16:09,089 And if I am then, if we shift from a user of money, of Bitcoin to a developer, what is the benefit or why should I integrate PayJoin rather than avoiding privacy features altogether in light of Samurai and other scenarios? 156 00:16:09,089 --> 00:16:16,869 Sort of what's the call to action to a developer to build PayJoin into their wallet, into their consumer experience? 157 00:16:17,169 --> 00:16:20,409 Yeah, if you're avoiding privacy features altogether, I'm not sure exactly what that means. 158 00:16:20,509 --> 00:16:23,069 I mean, you're custodying your users' funds and that's it. 159 00:16:23,169 --> 00:16:24,769 You don't go any further than that. 160 00:16:24,769 --> 00:16:35,309 If you want to give people control because it's a benefit to them and a selling point for you, then privacy is just another knob. 161 00:16:36,169 --> 00:16:36,269 Absolutely. 162 00:16:36,269 --> 00:16:39,629 You're giving people the control to reveal their activity or not. 163 00:16:39,629 --> 00:16:45,509 and it may even make your life easier because you don't need to manage any sort of personal data 164 00:16:45,509 --> 00:16:53,789 take responsibility for that but beyond that i think the reason to integrate payjoin now 165 00:16:53,789 --> 00:17:03,069 is because it gives this opportunity to your users to do these automated batches 166 00:17:03,069 --> 00:17:07,149 that fall back to the old way of doing things. 167 00:17:07,149 --> 00:17:11,129 So it's optimistic and it's not going to break your flow. 168 00:17:12,228 --> 00:17:16,988 And not only do your users benefit with this idea of privacy, 169 00:17:16,988 --> 00:17:20,909 but the whole network stands to benefit as the floor upgrades, 170 00:17:20,909 --> 00:17:27,508 as this basic common input heuristic becomes less reliable for all. 171 00:17:27,709 --> 00:17:30,468 So if I were to send you money, Sean, 172 00:17:30,468 --> 00:17:42,488 You might know some details about what I sent to you and vice versa, but our ability to cluster one another, to know, oh, all of these coins belong to Sean. 173 00:17:42,849 --> 00:17:50,109 These are the people he transacts with, and this amount becomes much less reliable, and that improves everyone's safety. 174 00:17:50,649 --> 00:17:58,409 And in my opinion, the longevity of the whole network, the selling point of Bitcoin is that it is censorship resistance. 175 00:17:58,409 --> 00:18:04,149 It's censorship resistant and this element of privacy is necessary to preserve that. 176 00:18:05,449 --> 00:18:08,968 Yes, and I think that cannot be overemphasized. 177 00:18:08,968 --> 00:18:19,189 This is delivering on the promise, I think, of what so many expect from Bitcoin, whether or not they understand deeply the technical details. 178 00:18:19,649 --> 00:18:27,109 And, you know, as you called out, there were caveats that Satoshi made note of. 179 00:18:27,109 --> 00:18:32,049 But peer-to-peer electronic cash is what I hope most people expect of it. 180 00:18:32,309 --> 00:18:36,769 And I think what's so exciting about PayJoin is pushing, you know, closer to that vision. 181 00:18:37,949 --> 00:18:54,869 And my monologue here is only to say that there are not dedicated business models and firms that I'm aware of that are, you know, spying on me moving cash from point A to point B across a counter or to another individual. 182 00:18:54,869 --> 00:19:01,529 And so why should they enjoy that particular benefit or business model with Bitcoin? 183 00:19:02,889 --> 00:19:08,149 Beyond that, I think there's one thing I want to touch on with regard to why the time is now. 184 00:19:09,349 --> 00:19:17,369 The PayJoin DevKit is the tool that lets developers plug this into their wallet experience. 185 00:19:17,369 --> 00:19:25,549 and until now if you wanted to have one of these privacy technologies in your wallet or your service 186 00:19:25,549 --> 00:19:30,769 I mean really if you have an exchange or a custodian or a treasury or a payment processor that's all 187 00:19:30,769 --> 00:19:38,609 viable you have a lending product now the payjoin dev kit in about a thousand lines of code with two 188 00:19:38,609 --> 00:19:45,708 developers in a weekend you can plug it into that existing flow wire up the RPCs the glue make some 189 00:19:45,708 --> 00:19:53,069 database calls. You basically implement how you'd save some data. And because this is approaching 190 00:19:53,069 --> 00:20:01,089 stability, we just did a release candidate for the 1.0 API. I think, especially if you want to 191 00:20:01,089 --> 00:20:06,748 show people that you do in fact care about user privacy, the time is now because it's just 192 00:20:06,748 --> 00:20:13,329 possible now and it wasn't possible a year ago. I was yesterday taking, I was refreshing myself 193 00:20:13,329 --> 00:20:19,609 on the Bitcoin design guide and the particular pay join section or elements. 194 00:20:20,248 --> 00:20:26,329 And, you know, it's a bit above my pay grade, but what I so value about the Bitcoin design 195 00:20:26,329 --> 00:20:33,629 guide and the team, the group behind it is the sort of classic approach to what is the 196 00:20:33,629 --> 00:20:39,809 objective that a particular user has and what are they trying to accomplish to achieve that 197 00:20:39,809 --> 00:20:40,189 objective. 198 00:20:40,289 --> 00:20:41,488 And I think it lays it out nicely. 199 00:20:41,589 --> 00:20:42,689 I'll be sure to include that. 200 00:20:43,329 --> 00:20:48,988 But my understanding is that it is uninvasive. 201 00:20:49,629 --> 00:21:00,189 And as you say, part of the payment flow, as opposed to some of these other approaches, which I think have interjected a lot of friction, which we do not need, clearly. 202 00:21:00,449 --> 00:21:05,949 And I think we're already in a situation where we're sort of chasing a lot of neobanks, a lot of consumer payments apps. 203 00:21:06,248 --> 00:21:11,988 And the more privacy we can enjoy, the less friction that it injects into the process, the better, which is great. 204 00:21:11,988 --> 00:21:26,149 OK, so with that, let's get into a bit of the details, Dan, and I'll see if we can sort of keep this a little higher level with regard to the mechanics of PayJoin. 205 00:21:26,149 --> 00:21:42,549 And I think, you know, my objective would be for someone who is privacy curious, who is Bitcoin curious and or holding Bitcoin and wants to understand what is this magic that you have created, you and the team have created behind the scenes. 206 00:21:43,208 --> 00:21:45,929 Let's get into a little bit of the detail. 207 00:21:46,069 --> 00:21:52,269 So most privacy tools, I think, make us choose between convenience and anonymity. 208 00:21:52,269 --> 00:21:59,968 PayJoin, which as I've noted, I think what's so powerful is it saves you money on fees while improving privacy. 209 00:22:00,529 --> 00:22:06,228 Could you walk us through sort of the Lego brick version of how that works? 210 00:22:06,988 --> 00:22:10,869 You've touched on it, but I'll just ask you to sort of go back and walk through. 211 00:22:11,269 --> 00:22:14,929 Yeah. If anything gets too deep in the weeds, reel me in for a minute. 212 00:22:14,929 --> 00:22:19,649 Yeah. So Bitcoin has inputs and outputs. 213 00:22:19,649 --> 00:22:47,968 You know, you have coins. Anytime someone pays you, you get a coin. And if you want to pay someone a certain value, you need to supply sufficient inputs to cover all of the output values you want to pay. So it's kind of like dollar bills, right? If you wanted to pay someone $7 and you had a 10, you would use that 10 and give them a 5 and 2 1s and you'd make change of $3. 214 00:22:47,968 --> 00:23:02,049 Now, we don't need these denominations strictly, but another example, if you needed to pay someone, say, $8 and you only had two fives, you need to spend all, like, the whole input. 215 00:23:03,549 --> 00:23:10,849 So, typically when you'd make a transaction, like I say, you use one input and you'd get an output and change. 216 00:23:10,849 --> 00:23:17,389 with page one rather than just broadcasting that to the other person when they give you their address 217 00:23:17,389 --> 00:23:25,309 the information they share includes a mailbox which is an out of band just like your email 218 00:23:25,309 --> 00:23:30,909 place to to put a message that they listen for so instead of broadcasting that transaction them 219 00:23:30,909 --> 00:23:37,089 you put it in the mailbox and they're waiting for it they can take that add their own input 220 00:23:37,089 --> 00:23:42,769 an output so if they added some input and still wanted to be paid to the same address they then 221 00:23:42,769 --> 00:23:47,829 just augment the output by the amount of their input take that same transaction put it back in 222 00:23:47,829 --> 00:23:56,649 the mailbox for you as the sender to take out and then you can check this as the sender verify that 223 00:23:56,649 --> 00:24:02,569 it pays only the amount you wish to go to the receiver and gives you sufficient change sign it 224 00:24:02,569 --> 00:24:08,609 and broadcast it. And once you broadcast it, the receiver can see that, oh, this is what I, 225 00:24:09,169 --> 00:24:12,988 yeah, they get paid. And if for some reason, after putting it back in the mailbox, 226 00:24:13,809 --> 00:24:18,889 the receiver doesn't see that on the network, they always have that original that they got 227 00:24:18,889 --> 00:24:25,748 in their mailbox that they can broadcast to fall back on. So the interaction, the ability of the 228 00:24:25,748 --> 00:24:31,228 center and the receiver to send messages to one another gives the receiver the chance to augment 229 00:24:31,228 --> 00:24:37,409 the original transaction with some more transaction intents, whether that's 230 00:24:37,409 --> 00:24:44,109 a consolidation, as I described, them including their own inputs and adding it to their outputs, 231 00:24:44,369 --> 00:24:49,728 or even forwarding money to another person. So instead of taking the output directly, 232 00:24:49,728 --> 00:24:53,849 they could replace the output that would pay them with outputs that pay other people. 233 00:24:54,569 --> 00:24:55,669 That's the high level. 234 00:24:55,669 --> 00:25:01,769 Nice. And then what is, was the fundamental breakthrough that made PayJoin possible? 235 00:25:02,948 --> 00:25:08,529 Or was this the grind over years to get this implemented? 236 00:25:08,909 --> 00:25:17,089 Yeah, I don't know that there was one fundamental breakthrough. It's a little history. In 2018, 237 00:25:17,809 --> 00:25:25,508 there was a workshop in London that was Chatham House Rules. A bunch of people came together. I 238 00:25:25,669 --> 00:25:39,389 Because even in Greg Maxwell's original CoinJoin Bitcoin talk post, which is, I think, from 2013, where equal output CoinJoin is spoken of, like putting payment amounts was listed there. 239 00:25:39,649 --> 00:25:48,529 And so when these folks got together in London, Blockstream wrote an article called Pay to Endpoint that described how this might work. 240 00:25:48,529 --> 00:25:54,008 you could use a web endpoint to do communication at a band and combine transactions, preserving 241 00:25:54,008 --> 00:25:57,789 privacy, because these transactions could have multiple interpretations. Like I said, 242 00:25:57,829 --> 00:26:06,228 they don't really look like pay joins. I think Adam Gibson dubbed the name pay join to the idea 243 00:26:06,228 --> 00:26:10,649 instead of pay to endpoint, P to EP, which rolls off the tongue a little nicer. Absolutely. Much 244 00:26:10,649 --> 00:26:21,488 better marketing yeah mr cooks and nicola dorier from btc pay put together bip 78 which was a simple 245 00:26:21,488 --> 00:26:32,289 pay join protocol that used http that was implemented quite widely actually i and btc pay server of 246 00:26:32,289 --> 00:26:40,429 course samurai not samurai aspero wasabi join market but the issue was you had to run a server 247 00:26:40,429 --> 00:26:47,269 yes and not everyone wants to run a server and even if people do run servers that do they want 248 00:26:47,269 --> 00:26:52,789 to connect a hot wallet to it there was just a lot of um a lot of barriers to adoption that even 249 00:26:52,789 --> 00:26:56,629 were called out on the mailing list craig raw wrote on the mailing list and he's like you know 250 00:26:56,629 --> 00:27:03,649 the server thing is kind of stinky join market fix it fixes it by using uh tor but then even 251 00:27:03,649 --> 00:27:08,109 though all these wallets can send pay joins if they don't have tor they can't communicate with 252 00:27:08,109 --> 00:27:12,569 So there was this whole fragmented situation. 253 00:27:13,248 --> 00:27:17,689 Low ceiling to the adoption curve, I think. 254 00:27:17,809 --> 00:27:19,629 So this is around 2021, I'd say. 255 00:27:19,728 --> 00:27:24,049 After between 2018, 2019, the spec got made. 256 00:27:24,129 --> 00:27:28,669 It got rolled out to quite a few wallets where people did hand-rolled implementations. 257 00:27:28,789 --> 00:27:31,189 And it didn't really take off because it was hard to receive. 258 00:27:31,349 --> 00:27:35,748 It was really easy to write the sender, but not the receiver because you needed to have the server and it needed to interact with the wallet. 259 00:27:35,748 --> 00:27:49,809 it so around 2022 i had noticed i'd been working on equal amount coin joins uh in ios but i kind 260 00:27:49,809 --> 00:27:54,389 of realized after some time that the operating system doesn't matter we're not going to solve 261 00:27:54,389 --> 00:27:59,169 bitcoin's privacy by taking these manual steps and the page one idea had gotten some 262 00:27:59,169 --> 00:28:03,609 attention it seemed like people got the idea people liked it 263 00:28:03,609 --> 00:28:12,609 Armin Saburi and I who he still works on payjoin we won MIT Bitcoin hackathon hacking payjoin 264 00:28:12,609 --> 00:28:19,228 into the iOS wallet we were working on and HRF gave us a little grant to productionize it and 265 00:28:19,228 --> 00:28:26,208 that's when I really shifted focus I'm like okay there's something here worked on the payjoin dev 266 00:28:26,208 --> 00:28:30,409 kit which was a library instead like how do we how do we ship this thing as a library instead of a 267 00:28:30,409 --> 00:28:36,448 specific application and in doing that and doing the integrations i realized that the protocol itself 268 00:28:36,448 --> 00:28:43,329 was the problem so it's over the past two years we've been working on an async pay join protocol 269 00:28:43,329 --> 00:28:49,149 that instead of requiring the receiver to run a server both the sender and the receiver communicate 270 00:28:49,149 --> 00:28:54,609 using these mailboxes that are blinded the messages are blinded from the server hosting 271 00:28:54,609 --> 00:29:00,349 the mailboxes and the server hosting the mailboxes is called the directory is run by a third party 272 00:29:00,349 --> 00:29:07,769 and because of this now you can take the payjoin dev kit off the shelf which is 273 00:29:07,769 --> 00:29:18,289 more or less an http client like a web browser client and some crypto sprinkled on top with 274 00:29:18,289 --> 00:29:24,228 partially signed bitcoin transactions so some transaction serialization and with this pure 275 00:29:24,228 --> 00:29:31,429 client software any wallet can speak pay join and slip it into their experience so the real 276 00:29:31,429 --> 00:29:40,008 the real breakthrough was this async pay join protocol and the ability to use that with an 277 00:29:40,008 --> 00:29:46,448 off-the-shelf dev kit so the dev kit is all highly tested performant written in rust it's 278 00:29:46,448 --> 00:29:56,817 systems oriented we got the abstraction setup so they very easy to reason about someone can come in and contribute however they want and then we bind to that in all these different languages so 279 00:29:56,817 --> 00:30:03,977 if your wallet's in dart or python or kotlin or c sharp you can call this core library 280 00:30:03,977 --> 00:30:13,017 and know that your implementation is going to be interoperable so this confluence of factors i 281 00:30:13,017 --> 00:30:23,157 I would say mainly the async protocol that Yuval Kogman and I co-authored, BIP77, are the reason that we've been able. 282 00:30:23,357 --> 00:30:24,017 Yeah, we're here. 283 00:30:24,017 --> 00:30:33,297 We've been able to go from this thing that was sort of fragmented and difficult to use to something that is now in CakeWallet and BullBitcoin Mobile. 284 00:30:33,717 --> 00:30:39,077 You know, half a million monthly active users approximately can just scan a QR code and it'll happen in the background. 285 00:30:39,977 --> 00:30:40,037 Brilliant. 286 00:30:40,037 --> 00:31:04,177 And so on the back of seven years of grinding, here is a, you know, and I know you're a humble guy, but here is a significant breakthrough that fast forward gives us the ability, if you are a developer, if you're a builder, if you're a product person, to drop PayJoin into your consumer experience and off you go. 287 00:31:05,477 --> 00:31:05,857 That's right. 288 00:31:05,857 --> 00:31:12,077 And you said, Dan, I believe that you've compared page one adoption to HTTPS. 289 00:31:12,557 --> 00:31:12,857 Yeah. 290 00:31:13,037 --> 00:31:16,977 And most of us, you know, we take that little lock in our browser for granted. 291 00:31:17,237 --> 00:31:26,237 So, again, for those who may be coming sort of up that curve, why is that the apt analogy? 292 00:31:26,737 --> 00:31:31,297 And then what does that network effect curve look like as a result? 293 00:31:31,297 --> 00:31:36,997 i'm glad you asked both of these questions because they're exactly why i frame it as https 294 00:31:36,997 --> 00:31:47,397 so the reason https makes sense as a an analogy is because before https everything on the web was 295 00:31:47,397 --> 00:31:53,197 totally unencrypted and if you and i were having this video call and say we were both on hotel 296 00:31:53,197 --> 00:32:00,997 say i was on hotel wi-fi uh the hotel is a sort of third party in the middle that would be able to 297 00:32:00,997 --> 00:32:09,217 listen in on the stream and find all the packets once we introduced https um not the streaming was 298 00:32:09,217 --> 00:32:14,157 that easy back in the day maybe it was emails instead but assume it assume it was once we 299 00:32:14,157 --> 00:32:20,897 assumed https then the ability of the third parties that are not not us the uh counterparties 300 00:32:20,897 --> 00:32:29,577 to to read that information was was fixed it was protected by encryption page one is much the same 301 00:32:29,577 --> 00:32:32,437 and that when I'm sending you some money with a pay join, 302 00:32:32,837 --> 00:32:35,877 you still know my inputs and I still know your address 303 00:32:35,877 --> 00:32:39,677 ultimately at the end of the transaction on chain. 304 00:32:39,797 --> 00:32:43,217 But without that information of my wallet or your wallet, 305 00:32:43,277 --> 00:32:45,597 without those additional details, the second-party information, 306 00:32:45,737 --> 00:32:48,697 third parties don't know that with any certainty. 307 00:32:48,697 --> 00:32:53,297 The reason the network effects can take off as well 308 00:32:53,297 --> 00:33:00,677 is because HTTPS became seamless and embedded in the browser. 309 00:33:00,777 --> 00:33:01,977 Any browser has this now. 310 00:33:02,077 --> 00:33:05,357 I think this year Chrome is going to release an update 311 00:33:05,357 --> 00:33:07,377 where if you go to an HTTP website, 312 00:33:07,537 --> 00:33:08,777 it's going to give you a big warning. 313 00:33:10,097 --> 00:33:11,997 It's not for an invalid certificate, 314 00:33:12,097 --> 00:33:13,977 just if the thing doesn't have a certificate at all. 315 00:33:14,037 --> 00:33:15,937 It's going to say, do you really want to even go to this website? 316 00:33:16,397 --> 00:33:20,497 We've come so far in large part thanks to Let's Encrypt 317 00:33:20,497 --> 00:33:21,757 making certificates free. 318 00:33:22,097 --> 00:33:22,377 Yes, thank you to them. 319 00:33:22,377 --> 00:33:23,317 You can start up a server. 320 00:33:23,917 --> 00:33:24,037 Yeah. 321 00:33:24,157 --> 00:33:27,277 And that was a very similar model as well. 322 00:33:27,277 --> 00:33:37,257 That's a nonprofit, the Internet Security Research Group, supported by all sorts of, you know, the browsers and EFF. 323 00:33:37,937 --> 00:33:44,937 And they were able to roll out the software that automated HTTPS so that it's expected everywhere. 324 00:33:45,057 --> 00:33:45,817 PageLine is much the same. 325 00:33:45,957 --> 00:33:46,857 We've got the nonprofit. 326 00:33:47,077 --> 00:33:48,297 We've got the development kit. 327 00:33:48,297 --> 00:33:51,297 you can include it in your wallet 328 00:33:51,297 --> 00:33:52,737 with a couple weekends 329 00:33:52,737 --> 00:33:54,077 you can make a proof 330 00:33:54,077 --> 00:33:56,857 with a couple engineers in a weekend's time 331 00:33:56,857 --> 00:33:58,157 you can make a proof of concept 332 00:33:58,157 --> 00:34:02,237 and the last reason 333 00:34:02,237 --> 00:34:04,837 to call it HTTPS 334 00:34:04,837 --> 00:34:06,977 is because it contrasts 335 00:34:06,977 --> 00:34:07,857 with something like Tor 336 00:34:07,857 --> 00:34:10,417 so this is beyond your initial questions 337 00:34:10,417 --> 00:34:12,917 but Tor gives you 338 00:34:12,917 --> 00:34:14,437 second party privacy 339 00:34:14,437 --> 00:34:15,757 so you connect to some 340 00:34:15,757 --> 00:34:17,957 website 341 00:34:17,957 --> 00:34:22,757 and that website doesn't know your origin ip address even though you connect to them directly 342 00:34:22,757 --> 00:34:29,057 so right yeah true the third party can't see the traffic because all parties are blind to the origin 343 00:34:29,057 --> 00:34:37,537 yes but the tor protocol uh onion routing protects the ip address and i think i know 344 00:34:37,537 --> 00:34:41,877 payjoin can go that direction in the future but what we've shipped right now is the closest to 345 00:34:41,877 --> 00:34:46,877 HTTPS. Yes. And I think, you know, the thing again that I would like to underscore is this is not 346 00:34:46,877 --> 00:34:53,697 nefarious. This is would you visit a website where the lock is open on your browser? Of course you 347 00:34:53,697 --> 00:35:01,577 wouldn't. Would you engage with a bank that didn't implement HTTPS SSL? Of course you wouldn't. 348 00:35:01,697 --> 00:35:06,717 Can you imagine? No. Yeah. I mean, so I love that. And I think it's it is, 349 00:35:06,717 --> 00:35:15,357 dare I say, appropriate and powerful to make that comparison because that is what should be, 350 00:35:15,497 --> 00:35:21,317 is that same level of protection from snooping and from invasions of privacy. 351 00:35:22,017 --> 00:35:28,177 So, bull Bitcoin, cake wallet, I believe foundation devices? Is that a – did I imagine that? 352 00:35:28,177 --> 00:35:34,337 They probably – the device itself will sign a pay join. I don't know if it works 353 00:35:34,337 --> 00:35:36,937 with either of those two pieces of software. 354 00:35:37,457 --> 00:35:40,157 You might be able to sign a pay join 355 00:35:40,157 --> 00:35:43,077 with like Sparrow from that, 356 00:35:43,137 --> 00:35:44,237 the old protocol, 357 00:35:44,437 --> 00:35:45,257 but yeah, it would work. 358 00:35:45,337 --> 00:35:46,497 The protocol is backwards compatible. 359 00:35:46,737 --> 00:35:47,177 So there's that. 360 00:35:47,617 --> 00:35:48,877 Like I said, Wasabi, Sparrow, 361 00:35:48,997 --> 00:35:51,717 Join Market, Bitmask, Wallet, 362 00:35:51,837 --> 00:35:53,117 and BTC Pay, of course. 363 00:35:54,397 --> 00:35:55,857 Cake and Bull Bitcoin have the new protocol. 364 00:35:55,997 --> 00:35:56,897 That's why I bring them up. 365 00:35:57,337 --> 00:35:59,437 Yeah, I installed the Bull Bitcoin app 366 00:35:59,437 --> 00:36:00,217 last week. 367 00:36:00,317 --> 00:36:00,557 Brilliant. 368 00:36:01,817 --> 00:36:02,397 And so, you know, 369 00:36:02,417 --> 00:36:03,417 you're getting real adoption. 370 00:36:03,417 --> 00:36:33,037 This is not an academic paper. This is not a white paper. This is not aspirational. It's real. And so, you know, what then would be, and you've touched on this, we talked about sort of to a developer, if we shift a bit, Dan, to a CFO, COO of an exchange, what is the message to them as to how they should, it's a reiteration of what you said, 371 00:36:33,037 --> 00:36:41,397 how they should perceive PayJoin and what's in it for them, not as a dev, an engineer, 372 00:36:41,577 --> 00:36:44,137 a product person, but as sort of CFO, COO. 373 00:36:44,197 --> 00:36:45,497 What's the message to them? 374 00:36:46,977 --> 00:36:53,317 The biggest reason for someone in such a position to use PayJoin is just that they can raise 375 00:36:53,317 --> 00:36:53,977 their bottom line. 376 00:36:54,077 --> 00:36:55,857 They can save on fees. 377 00:36:56,217 --> 00:37:01,077 We've got an example on our website of a 16% fee savings, pretty modest with some basic 378 00:37:01,077 --> 00:37:01,577 batching. 379 00:37:01,577 --> 00:37:08,117 um so and this is assuming you're already doing some some batching right um 380 00:37:08,117 --> 00:37:17,577 that's that's the main thing um i i often get asked in terms of the compliance department 381 00:37:17,577 --> 00:37:24,037 like oh what do i what do i do about this i want people not like this um i'm not gonna go there but 382 00:37:24,037 --> 00:37:27,957 by all means go there yeah no i i'd like to go there i think it's i think it's related because 383 00:37:27,957 --> 00:37:35,457 it always comes up as the next question um and the thing is there's nothing preventing it's it's an 384 00:37:35,457 --> 00:37:43,597 independent problem because these kyc measures if you're obligated to do them are a data collection 385 00:37:43,597 --> 00:37:48,457 with regard to like who you're dealing with and it doesn't nothing prevents you from collecting that 386 00:37:48,457 --> 00:37:56,777 information um so when i'm talking to someone in a cfo position this is naturally going to come up 387 00:37:56,777 --> 00:38:03,097 the the bottom line can increase you can save on fees you basically take your batching 388 00:38:03,097 --> 00:38:11,017 strategy to the next level and you also can get higher velocity of money because you can do 389 00:38:11,017 --> 00:38:16,337 something like cut through so if you're in exchange as this example your depositors can 390 00:38:16,337 --> 00:38:21,397 directly fund your withdrawals so you don't have to take the deposit wait for confirmation and then 391 00:38:21,397 --> 00:38:25,737 spend that utx so you can actually spend it in the same block with page interesting okay 392 00:38:25,737 --> 00:38:43,657 Right. Right. So, yeah, you're not you don't have that carrying cost. And what is that? You know, you touched on it. I won't say this is your perspective or your position, but having had many of those conversations myself, I know that. 393 00:38:43,657 --> 00:38:51,057 some, hopefully more and more over time, of these forward-thinking executives are looking at how to 394 00:38:51,057 --> 00:39:01,157 reduce the exposure that they carry to keeping so much personal data. Is there a scenario in which, 395 00:39:01,157 --> 00:39:05,237 as you said, you know, if they're obligated, they'll do it because nobody wants to get perp 396 00:39:05,237 --> 00:39:11,357 walked out the front door. And that's a different conversation than we're having today as to KYC 397 00:39:11,357 --> 00:39:15,977 and FinCEN and Travel Rule and all this stuff. 398 00:39:16,557 --> 00:39:20,517 But, you know, is there a benefit to sort of shrinking that attack surface 399 00:39:20,517 --> 00:39:25,017 if you're that head of compliance, if one implements PayJoin? 400 00:39:25,237 --> 00:39:27,037 Are you sitting on less data? 401 00:39:27,897 --> 00:39:34,337 The reason I hesitate to answer is because as PayJoin is implemented today, 402 00:39:34,457 --> 00:39:37,957 the current protocol, it's actually about the same amount of data. 403 00:39:37,957 --> 00:39:45,777 You still know who your counterparty is, what funds were sent to you, and what address was used. 404 00:39:45,977 --> 00:39:56,777 The biggest difference is that even if you give that information to a third party for analysis, the ability of the analysis is greatly reduced. 405 00:39:56,777 --> 00:40:05,717 now beyond that i can imagine a future where an upgraded protocol has more effective batching 406 00:40:05,717 --> 00:40:12,997 where as the recipient to a transaction you don't necessarily know which coins 407 00:40:12,997 --> 00:40:17,237 were sent to you or as a sender you don't necessarily know which address or addresses 408 00:40:17,237 --> 00:40:24,117 those funds ended up in you just end up with a proof this is would be very similar to lightning 409 00:40:24,117 --> 00:40:33,277 which as far as I can tell has proliferated and is possible to use within compliant regimes. 410 00:40:34,277 --> 00:40:36,137 So I think there's a future for that too. 411 00:40:36,257 --> 00:40:41,857 But to answer the question right now with PayJoin, you actually don't even need to consider that question 412 00:40:41,857 --> 00:40:44,677 because you have the same information you've always had with on-chain Bitcoin. 413 00:40:45,357 --> 00:40:51,857 And again, worth pointing out an exchange intermediated approach versus truly peer-to-peer. 414 00:40:51,857 --> 00:40:58,137 appreciating that those are quite different. So if we, as you say, you know, fast forward, 415 00:40:58,837 --> 00:41:03,357 I'll just pick a number, 30% of transactions implement or use PayJoin. 416 00:41:04,477 --> 00:41:09,497 What happens to the surveillance model, Dan? Who will think of the chain analysis firms? 417 00:41:11,737 --> 00:41:18,277 There are more problems that we need to address, actually. So yes, the common input heuristic might 418 00:41:18,277 --> 00:41:25,217 be gone but we still have a lot of work ahead of us in terms of privacy every wallet tends to have 419 00:41:25,217 --> 00:41:29,837 a fingerprint so there's things like unlock time sequence number the script you're using 420 00:41:29,837 --> 00:41:36,957 amount correlations generally timing analysis of when transactions are made if you can figure out 421 00:41:36,957 --> 00:41:43,357 a pattern so their their pay join in its current form common input heuristic is not the end of the 422 00:41:43,357 --> 00:41:50,437 story it does make the very most useful tool that chain analysis has obsolete especially if 423 00:41:50,437 --> 00:41:57,177 with 30 penetration it's you're taking almost a 50 flip every two input transaction on the 424 00:41:57,177 --> 00:42:04,437 interpretation and truth be told i did arrive at that number on purpose so uh right yeah of course 425 00:42:04,437 --> 00:42:10,697 yeah it's also difficult to measure like how do you even know how many transactions and what volume 426 00:42:10,697 --> 00:42:12,157 is using PayJoin. 427 00:42:12,497 --> 00:42:12,837 Right. 428 00:42:13,677 --> 00:42:13,957 Yeah. 429 00:42:13,957 --> 00:42:15,477 Which is itself wonderful. 430 00:42:16,377 --> 00:42:22,057 So, you know, I think the takeaway that I wanted to pull out, and of course you nailed it, 431 00:42:22,057 --> 00:42:26,837 is it's a great start, but there's a lot more work to do. 432 00:42:27,237 --> 00:42:36,937 And in that vein, does PayJoin lay a foundation for doing some or more of what you've just laid 433 00:42:36,937 --> 00:42:43,857 out sort of breaking some of these common heuristics or is that the domain of a different 434 00:42:43,857 --> 00:42:46,637 BIP, a different set of technologies? 435 00:42:47,777 --> 00:42:48,417 I would say both. 436 00:42:48,557 --> 00:42:53,917 Like I would probably still call some of this stuff PayJoin, but it will require new specs 437 00:42:53,917 --> 00:42:55,017 and new tech. 438 00:42:56,657 --> 00:43:02,677 The cool thing about PayJoin DevKit is we deliver this off the shelf package with all 439 00:43:02,677 --> 00:43:08,697 the goodies you want and we can have some what i like to call a chain surveil yourself tools 440 00:43:08,697 --> 00:43:15,517 to do analysis within your wallet and inform your transaction construction um so you can get some 441 00:43:15,517 --> 00:43:19,857 counterfactuals you can figure out what the privacy effects of your wallet would be just 442 00:43:19,857 --> 00:43:29,097 by using the software that's being developed in the dev kit and the next big protocol change 443 00:43:29,097 --> 00:43:31,257 that'll happen over the next 444 00:43:31,257 --> 00:43:33,357 year or so for payjoin 445 00:43:33,357 --> 00:43:34,697 is a multi-party payjoin. 446 00:43:34,777 --> 00:43:35,297 So like I said, 447 00:43:35,357 --> 00:43:36,117 when you involve 448 00:43:36,117 --> 00:43:39,157 more than two people 449 00:43:39,157 --> 00:43:40,157 in a payjoin, 450 00:43:40,777 --> 00:43:41,897 then there can be some real 451 00:43:41,897 --> 00:43:42,957 indistinguishability 452 00:43:42,957 --> 00:43:44,817 from the counterparty. 453 00:43:44,877 --> 00:43:45,677 So I pay you, 454 00:43:45,757 --> 00:43:46,817 and I don't know what address 455 00:43:46,817 --> 00:43:48,417 you necessarily had. 456 00:43:49,497 --> 00:43:51,337 It's more interactive. 457 00:43:51,337 --> 00:43:52,917 You have to send more messages around. 458 00:43:53,037 --> 00:43:54,417 Anytime you have a distributed system, 459 00:43:54,537 --> 00:43:55,697 it becomes more complicated. 460 00:43:56,957 --> 00:43:58,537 But the... 461 00:43:59,097 --> 00:44:08,857 The team we have focused on this is built to people who have been thinking of this problem for a decade plus. 462 00:44:09,377 --> 00:44:12,577 And this problem has only been around for how long has Bitcoin been around? 17 years? 463 00:44:12,577 --> 00:44:13,237 Yeah, right. 464 00:44:14,617 --> 00:44:18,417 So there are ways to overcome these challenges. 465 00:44:19,037 --> 00:44:37,597 And then especially combined with some of the analysis that I see being brought into the clients and not just being done by surveillance firms in a defensive way, we will have very robust privacy for normal, everyday people on Bitcoin very soon. 466 00:44:38,317 --> 00:44:38,677 Fantastic. 467 00:44:39,197 --> 00:44:41,777 That's the bullish sentiment I was hoping for. 468 00:44:42,577 --> 00:44:54,246 If we zoom out a bit Dan and we touched on the Fourth Amendment I like to talk a bit about the first and code of speech We rewind to the 90s 469 00:44:54,306 --> 00:45:02,566 Daniel Bernstein successfully argued that publishing encryption code for PGP was protected speech under the First Amendment. 470 00:45:03,466 --> 00:45:09,786 Again, you are not a lawyer, but the samurai prosecution seems to attack that precedent. 471 00:45:09,786 --> 00:45:30,566 Some, you know, some are saying it's it's crypto cryptography, not cryptocurrency, sort of crypto wars 3.0. What's your read? And, you know, how well do you sleep at night, frankly, with regard to the ability to enjoy First Amendment protections as a publisher of software? 472 00:45:30,566 --> 00:45:45,786 I sleep okay with regard to that. The really screwed up part of that case was, again, the fact that the money transmission was tied in. 473 00:45:45,786 --> 00:46:01,786 That really doesn't make sense even for someone that's not just publishing software but running software on a server because that software didn't give them the ability to transmit the funds, to control and transmit the funds. 474 00:46:01,786 --> 00:46:03,066 They did not have custody of funds. 475 00:46:03,066 --> 00:46:19,686 No. So I'm glad to see what I think is progress in Congress on codifying the right to publish this kind of transaction and formally enjoy the protections. 476 00:46:19,686 --> 00:46:30,366 um but it's it's just until that happens it is a bit uncertain what the behavior will be especially 477 00:46:30,366 --> 00:46:38,446 the most concerning part of that case and the roman storm tornado cache case yes 478 00:46:38,446 --> 00:46:43,846 was that fincen came out with guidance in 2019 in my view explicitly 479 00:46:43,846 --> 00:46:57,086 I mean, they did explicitly carve out anonymizing software providers, people that published and ran software but didn't have control of money. 480 00:46:57,206 --> 00:47:00,846 And then the judge, despite seeing this guidance, disagreed. 481 00:47:01,626 --> 00:47:08,566 And in the United States, judges decide matters of law and the case was able to be brought forward. 482 00:47:08,566 --> 00:47:17,986 So until we get some greater precedent in the courts or law passed by Congress, it's a bit up in the air. It needs to play out. 483 00:47:19,566 --> 00:47:31,306 And in the meanwhile, without naming names, of course, you know, any sort of insights or anecdotes in terms of what you're observing as to chilling effect among Bitcoin developers? 484 00:47:31,306 --> 00:47:39,546 the biggest thing is that the coin join coordinators are no longer run by like white 485 00:47:39,546 --> 00:47:46,626 market companies there are some gray market pseudonymous centralized equal amount coin 486 00:47:46,626 --> 00:47:52,366 join coordinators um i know a lot of people are avoiding the u.s in terms of a lot of foreign 487 00:47:52,366 --> 00:47:59,726 people are avoiding the u.s in terms of travel i think that's a it is like a vibe rather than 488 00:47:59,726 --> 00:48:02,006 based on reality 489 00:48:02,006 --> 00:48:03,066 because at the same time 490 00:48:03,066 --> 00:48:04,126 we've seen, you know, 491 00:48:04,226 --> 00:48:05,726 Phoenix come back to the U.S. 492 00:48:06,346 --> 00:48:07,586 There's just a lot of uncertainty. 493 00:48:08,126 --> 00:48:10,306 But the momentum, 494 00:48:10,746 --> 00:48:11,046 it seems, 495 00:48:11,146 --> 00:48:12,386 I'm not seeing a slowdown 496 00:48:12,386 --> 00:48:14,746 with regard to product ships. 497 00:48:14,746 --> 00:48:17,546 No, it's reinvigorated. 498 00:48:17,926 --> 00:48:19,666 I think the thing that's 499 00:48:19,666 --> 00:48:22,006 been beneficial in some ways 500 00:48:22,006 --> 00:48:24,606 is that the need 501 00:48:24,606 --> 00:48:25,766 for the actual privacy 502 00:48:25,766 --> 00:48:28,306 is here in force. 503 00:48:28,446 --> 00:48:29,386 I think before... 504 00:48:29,726 --> 00:48:37,426 When you had these companies that were making a profit on running CoinJoin coordinators, they didn't really need to provide privacy guarantees. 505 00:48:37,426 --> 00:48:38,906 They were the only game in town. 506 00:48:39,366 --> 00:48:41,586 And they made all these claims. 507 00:48:42,186 --> 00:48:46,106 Some of them continue to the gray market stuff that's on the edges. 508 00:48:47,566 --> 00:48:49,506 And it was hard to. 509 00:48:49,686 --> 00:48:50,746 How do I put this? 510 00:48:50,906 --> 00:48:52,026 People didn't know any better. 511 00:48:52,586 --> 00:48:52,746 Right. 512 00:48:52,826 --> 00:48:53,726 People didn't know any better. 513 00:48:53,786 --> 00:48:57,726 And I think I think we're seeing some of that analysis come out now. 514 00:48:57,726 --> 00:49:10,746 And people's focus is on things that will actually have more of a tangible benefit in terms of privacy and some guarantees, some real protections. 515 00:49:10,746 --> 00:49:22,586 So a bit of Streisand effect on private use of Bitcoin in drawing attention to, well, I would like to think that. 516 00:49:22,746 --> 00:49:29,746 Let's put it that way, you know, that in hunting or chasing down, creating these witch hunts, that they're increasing awareness. 517 00:49:30,846 --> 00:49:32,886 But maybe that's my aspiration. 518 00:49:34,786 --> 00:49:35,846 Well, let's talk about – 519 00:49:35,846 --> 00:49:36,266 I think there is. 520 00:49:36,366 --> 00:49:36,646 Go ahead. 521 00:49:36,946 --> 00:49:37,086 Yeah. 522 00:49:37,566 --> 00:49:39,906 No, I think there is some of that. 523 00:49:39,906 --> 00:49:41,986 I'm agreeing with what you're saying. 524 00:49:42,126 --> 00:50:07,986 There's more momentum and motivation knowing that this problem really needs to be solved at a technological level because the government process, even if it ends up doing the right thing, it just takes so long and causes everyone so much pain in the interim that we need to have a technological solution to enforce it ultimately. 525 00:50:07,986 --> 00:50:08,306 Yes. 526 00:50:09,126 --> 00:50:09,586 Yeah. 527 00:50:09,586 --> 00:50:21,266 Yeah, as some of us have heard far too many times, the all-important regulatory clarity, right? 528 00:50:21,346 --> 00:50:31,826 There's a parallel universe in which we, I'll speak for myself, wish that, you know, we could simply transact in privacy and peace, but such is not the world. 529 00:50:32,386 --> 00:50:35,866 But in the meanwhile, the second to that is, okay, tell me what the rules are, right? 530 00:50:35,986 --> 00:50:37,666 Just so I know how to play the game. 531 00:50:37,666 --> 00:50:43,526 And as you say, that will be slow to arrive, but hopefully we're making progress. 532 00:50:43,986 --> 00:50:58,906 If we shift in to practical first steps, if I'm running a Bitcoin business, if I am a builder, a product person, you've touched on the PayJoin dev kit. 533 00:51:00,246 --> 00:51:03,506 How should I first approach thinking about privacy? 534 00:51:03,506 --> 00:51:06,366 And we've touched on this, so I'm asking you to reiterate. 535 00:51:06,366 --> 00:51:08,766 and what do I do next? 536 00:51:09,126 --> 00:51:11,726 You know, if I am merely accepting, 537 00:51:11,986 --> 00:51:15,646 if I'm an online retailer accepting Bitcoin for payments, 538 00:51:15,726 --> 00:51:17,286 if I'm a wallet developer, 539 00:51:17,526 --> 00:51:19,746 if I'm building something new and interesting, 540 00:51:20,426 --> 00:51:23,586 you know, where should I start to understand 541 00:51:23,586 --> 00:51:28,086 privacy with regard to Bitcoin payments 542 00:51:28,086 --> 00:51:29,146 and PageOne specifically? 543 00:51:29,366 --> 00:51:30,926 And what do I go do next? 544 00:51:31,926 --> 00:51:33,306 If that's a fair question. 545 00:51:33,306 --> 00:51:35,246 I would separate thinking about privacy 546 00:51:35,246 --> 00:51:42,406 with payjoin fortunately because a lot of the design is that once if you're a business doing 547 00:51:42,406 --> 00:51:48,586 e-commerce accepting bitcoin by the time you know payjoin is happening it's been taken care of for 548 00:51:48,586 --> 00:51:54,086 you behind the scenes in software thinking about privacy in general much like you would on the 549 00:51:54,086 --> 00:51:59,666 internet is about thinking about what information you're revealing and who has it so the first thing 550 00:51:59,666 --> 00:52:07,926 to do is to make sure that you're validating transactions yourself ideally or at a bare 551 00:52:07,926 --> 00:52:12,386 minimum you really trust the person that is doing the validation for you because they're seeing 552 00:52:12,386 --> 00:52:18,486 if you're depending on the third party the whole transaction history as well as all the people 553 00:52:18,486 --> 00:52:24,166 you're transacting with how much money you have on a on a normal basis and you need to make sure 554 00:52:24,166 --> 00:52:28,926 that they're careful with that information ideally you're running why you're running a node or some 555 00:52:28,926 --> 00:52:34,186 light client software that allows you to sync privately. 556 00:52:36,126 --> 00:52:41,406 Beyond that, you want to be broadcasting your transactions in such a way that 557 00:52:41,406 --> 00:52:44,066 the whole world doesn't know they're yours. 558 00:52:44,066 --> 00:52:50,806 So using something like Tor or a relay, you don't want to be reusing addresses 559 00:52:50,806 --> 00:52:58,526 because if you're giving, say, one address to a person to reuse, then it's trivial to 560 00:52:58,926 --> 00:53:06,766 cluster them all together. I think those are the real basic things for someone who's starting to 561 00:53:06,766 --> 00:53:12,686 take more of a privacy conscious approach to Bitcoin to deal with. And then, you know, just 562 00:53:12,686 --> 00:53:17,906 really consider what software you're using. Because some software... 563 00:53:17,906 --> 00:53:20,526 And that's kind of, sorry to interrupt, Dan, that was sort of what I should have clarified, 564 00:53:20,706 --> 00:53:26,346 is if I am that individual and I'm thinking of, oh gosh, so many that I've interacted with over 565 00:53:26,346 --> 00:53:32,626 the years in various roles who are operating businesses and accepting Bitcoin payments, 566 00:53:32,626 --> 00:53:38,586 it's not to say they're going to implement PayJoin, but really why should they ask or 567 00:53:38,586 --> 00:53:44,966 even insist that their e-com point of sale, you know, integrates PayJoin, which I think 568 00:53:44,966 --> 00:53:46,086 you've touched on the why. 569 00:53:46,526 --> 00:53:46,806 Yeah, of course. 570 00:53:46,886 --> 00:53:49,986 Look at the reputation of the software vendor. 571 00:53:50,126 --> 00:53:53,466 What other people that use Bitcoin think of them? 572 00:53:53,466 --> 00:54:01,706 um that'll that'll give you most of what you need it's imperfect it's harder than it's easier than 573 00:54:01,706 --> 00:54:08,206 going and looking at github issues and uh commit history right i think that'll give you a good start 574 00:54:08,206 --> 00:54:14,606 absolutely and then if you are a builder uh what what are sort of the first two or three 575 00:54:14,606 --> 00:54:21,906 steps that one takes to to begin to uh build pocs or pilots with page one what does that look like 576 00:54:21,906 --> 00:54:26,686 I know you've said it's quite straightforward and I get that, but maybe what are those two or three steps they should take? 577 00:54:27,046 --> 00:54:29,606 Definitely don't hesitate to reach out. 578 00:54:29,686 --> 00:54:31,866 If you go to payjoin.org, we've got a Discord. 579 00:54:32,166 --> 00:54:34,746 You can find me and ask me directly and I will help you. 580 00:54:35,566 --> 00:54:39,646 Yeah, or you can send me an email, dan at payjoin.org and I will help you. 581 00:54:40,366 --> 00:54:47,326 But beyond that, if you go to payjoin.org, we've got some documentation on what the protocol is. 582 00:54:47,326 --> 00:54:55,046 it links to the crate, which is approaching a release candidate. There's a reference implementation 583 00:54:55,046 --> 00:55:01,666 on Bitcoin Core that I've heard is invaluable when doing an implementation. So you can follow 584 00:55:01,666 --> 00:55:07,886 that as an example and plug in and you ask some questions, you shouldn't have a terrible time of 585 00:55:07,886 --> 00:55:11,206 it. It should be pretty straightforward. You should maybe even have some fun. 586 00:55:11,206 --> 00:55:18,126 Yeah, as Kali said on Nostra today, hey, if you want to stick around, be sure you're having fun. 587 00:55:19,646 --> 00:55:23,386 And then lastly, Dan, give us some spoilers, man. 588 00:55:23,526 --> 00:55:26,786 What does the next six to 12 months of Pajon look like? 589 00:55:27,406 --> 00:55:28,586 Oh, you're going to see rollouts. 590 00:55:28,586 --> 00:55:42,286 Yeah, you're going to see we did proof of concepts at the MIT Bitcoin Expo Hackathon this past year for an integration with Boltz Exchange and Liana. 591 00:55:43,066 --> 00:55:45,446 And those have made some pretty significant progress. 592 00:55:45,626 --> 00:55:48,706 We've been keeping them off of our priority list. 593 00:55:48,766 --> 00:55:50,506 So we got the actual SDK stabilized. 594 00:55:50,746 --> 00:55:54,086 But now that it's stabilized, we're shifting in integrations mode again. 595 00:55:54,086 --> 00:55:59,786 So you're going to see that and you're going to see some progress in this multi-party pay join protocol. 596 00:56:00,826 --> 00:56:07,586 There's even some pay join cross input signature aggregation crossover. 597 00:56:07,726 --> 00:56:11,486 There's a lot more savings than you can get even with pay join if you combine these things. 598 00:56:11,706 --> 00:56:14,946 And you're familiar with cross input signature aggregation. 599 00:56:15,506 --> 00:56:17,566 I am, but I don't want to assume everyone is. 600 00:56:17,566 --> 00:56:34,906 Yeah. So cross-input signature aggregation lets you combine all of the witness information in a transaction, all the signatures, into the size of a single signature in the full aggregation case that's been proposed. 601 00:56:34,906 --> 00:56:40,626 there's been some security proofs and some tangible algorithms published in a paper this 602 00:56:40,626 --> 00:56:46,706 year at Dahlia's and the biggest question with full aggregation was well what protocol do we use to 603 00:56:46,706 --> 00:56:51,966 actually aggregate the signatures to actually because you need to interact much like page 604 00:56:51,966 --> 00:56:57,626 join you need to communicate between the different people providing signatures if you're not doing it 605 00:56:57,626 --> 00:57:04,826 on your own and because page one already has this sort of interactive protocol we can piggyback 606 00:57:04,826 --> 00:57:11,826 one on the other. And then that example that's on our website of a 16% fee savings versus Naive can 607 00:57:11,826 --> 00:57:21,386 turn into something like a 25% fee savings. You can get this massive incentive to use Bitcoin by 608 00:57:21,386 --> 00:57:27,406 default in a privacy preserving way. So watch out for some explanations and fun pitches of that 609 00:57:27,406 --> 00:57:33,206 coming soon. Incredible. And so, I mean, that clearly is the TLDR for anyone counting sats is 610 00:57:33,206 --> 00:57:37,926 up to or no guarantees, but a potential saving of 25%. 611 00:57:38,486 --> 00:57:43,826 Yeah. And this is just, this is a simple example of a relatively small transaction. Honestly, 612 00:57:43,926 --> 00:57:48,026 I'm talking four inputs, six outputs. I think we can get significantly better than that, 613 00:57:48,086 --> 00:57:53,006 but I haven't done napkin math and tried to push the envelope. I'm just like, okay, 614 00:57:53,006 --> 00:57:56,946 what's a kind of simple example and do some calcs on it. 615 00:57:56,946 --> 00:58:08,646 And I mean, where else, and I'm, you know, thinking through this, where else do you get to increase or improve privacy and pay less for it? 616 00:58:08,726 --> 00:58:12,746 I don't know that I've got any examples that come to mind. 617 00:58:13,646 --> 00:58:14,786 Well, I think there are, honestly. 618 00:58:14,946 --> 00:58:16,766 I think Lightning is a big one. 619 00:58:17,026 --> 00:58:21,486 It's hard to use in self-custody, but Lightning is basically a coin join. 620 00:58:21,486 --> 00:58:28,566 Like you're combining transfers from different people and settling later. 621 00:58:29,526 --> 00:58:35,326 And if you're using eCash, you're giving up custody, but you can have some potential privacy benefits. 622 00:58:35,446 --> 00:58:44,826 I mean, anytime you're using a custodian, assuming you trust that custodian completely with your privacy, you are getting fee scaling benefits. 623 00:58:45,706 --> 00:58:48,706 But the problem is you have to trust that custodian. 624 00:58:48,706 --> 00:58:55,026 And it's very possible that they just say, oh, this information, I left that on a hard drive and we let the hackers get into it. 625 00:58:55,086 --> 00:58:59,066 Or even they have some program where they publish it and sell the information to someone else. 626 00:58:59,426 --> 00:58:59,786 Absolutely. 627 00:59:01,786 --> 00:59:07,146 Practically on Bitcoin, especially for on-chain wallets, there's nothing like PayJoin. 628 00:59:08,186 --> 00:59:10,546 How could we wrap it up any better than that? 629 00:59:10,986 --> 00:59:12,186 Dan, really appreciate the time. 630 00:59:12,426 --> 00:59:13,066 Thanks so much. 631 00:59:13,146 --> 00:59:13,686 Well, stay tuned. 632 00:59:13,686 --> 00:59:18,466 I'll get all these links out for everyone to keep track of this fantastic progress. 633 00:59:18,586 --> 00:59:22,346 And we'll look for those announcements and all the wallets to get our hands on to use 634 00:59:22,346 --> 00:59:22,666 PageOne. 635 00:59:23,546 --> 00:59:23,906 Thanks, Sean. 636 00:59:24,486 --> 00:59:25,206 Thank you, Dan. 637 00:59:25,426 --> 00:59:25,826 Take care.