S16 E29: Zooko on Ecash, Bitcoin & Zcash

On August 11th 2010, Satoshi Nakamoto famously said on the Bitcoin Talk forum: “This is a very interesting topic. If a solution was found, a much better, easier, more convenient implementation of Bitcoin would be possible.” This interaction was a reply to a user named Red, who suggested a novel way of adding privacy to Bitcoin transactions. Though Red didn’t explicitly mention zero knowledge proofs, fellow forum member Insti did… and Satoshi followed up with another famous quote: “It’s hard to think of how to apply zero-knowledge-proofs in this case.” To learn more about this legendary conversation, check out this Bitcoin Talk forum link.

Fast forward 15 years, and Zcash (a Bitcoin fork which adds ZK SNARKs for state of the art transaction privacy) has figured out how to apply zero knowledge proofs to the Bitcoin protocol in an efficient and elegant way. Zooko, one of the project’s co-founders, calls this a solution to Satoshi Nakamoto’s last wish. Pushing the research and development of ZK proofs has proved to be a productive endeavour: an entire industry makes use of the Zcash technology nowadays, from Railgun and Tornado Cash on Ethereum, and all the way to the Zside Drivechain and the Citrea ZK rollup that’s coming to Bitcoin.

But Zooko is no stranger to cypherpunk projects, electronic money, or challenges that seem impossible to accomplish. At the age of 21, he joined Digicash: the first start-up which attempted to build internet money, for the purpose of making e-commerce private and safe for credit card owners. Ecash, David Chaum’s vision for a more market-driven internet, was maximally private but absolutely centralized. Admittedly, Zooko has been thinking about ways to decentralize ecash since he first arrived in Amsterdam to work at DigiCash. His colleagues at the office, esteemed cypherpunks Nick Szabo and Wei Dai, were also trying to figure out ways to remove centralization in ecash (which is why Wei Dai wrote the b-money paper, while Szabo published papers on Bitgold and God Protocols).

On November 7th 2008, just two hours before Hal Finney famously replied to Satoshi Nakamoto for the first time, Zooko was posting on the same cryptography mailing list about potentially joining a third attempt to create decentralized Chaumian ecash. It’s definitely interesting that Zooko was on Perry E. Metzger’s cryptography mailing list at the same time as James A. Donald, Ray Dillinger, Hal Finney, and all the other cypherpunks who commented on Satoshi’s Bitcoin before launch. It’s also suspicious that someone who openly expressed his interest in creating decentralized Chaumian ecash and was posting on parallel threads did not also comment on the Bitcoin announcement.

On the other hand, Zooko did publish the first blog post about Bitcoin in January 2009 – which Satoshi Nakamoto also linked on the bitcoin.org page. So I’ve asked Zooko is he is the creator of Bitcoin and he denied it, saying he was working on Mojo Nation. If we follow the theory that Satoshi Nakamoto was a bad coder (the broken game of poker and P2P marketplace in version 0.1 of the code, as well as the feedback from Hal Finney and Ray Dillinger suggests he was inexperienced), it becomes less likely that Zooko would have coded it. After all, the Zcash advocate did port PGP to HP-UX, and worked for cypherunk legend Eric Hughes alongside Bram Cohen to build Mojo Nation. Other contributions of his include creating ZRTP alongside Phil Zimmermann, co-inventing Tahoe-LAFS alongside Brian Warner, co-authoring BLAKE2, and also collaborating with Aaron Schartz and Mark S. Miller (who is responsible for naming the decentralization-security-user meaningfulness trilemma as “Zooko’s Triangle“).

Between 2009 and 2016, Zooko was one of the biggest Bitcoin bulls and advocates. He defended the network every time it was necessary, onboarded many of his friends and co-workers (Slush, founder of Slush Pool and former CEO of Trezor discovered Bitcoin through Zooko), and even made a small early contribution to Bitcoin Core by fixing a bug (Satoshi was very grateful and acknowledged this effort).

But the year 2013 turned out to be both productive and exciting for Bitcoin: two papers, Zerocoin and Zerocash, were published in order to fix Bitcoin’s privacy problem with Zero Knowledge Proofs. Adding ZK SNARKs to Bitcoin only required a soft fork… but it was difficult to reach consensus due to the experimental nature of the proposal. On the plus side, Gregory Maxwell came up with the CoinJoin wallet bounty as a way to temporarily improve Bitcoin’s privacy until Zerocash becomes a much more mature proposal. DarkWallet, built by Amir Taaki’s team, was the first such wallet to emerge. In the following years, bitcoiners also witnessed the releases of Samourai Wallet and Wasabi Wallet… but they can’t possibly provide the same degree of privacy as ZK SNARKs. They merely provide temporary deniability.

The fact that Bitcoin Core developers were not in favor of the ZK proof upgrade did not deter the research and development of Zerocoin and Zerocash. In 2016, Zcoin and Zcash were launched as stand-alone blockchains. Both of them borrowed Bitcoin’s open ledger design and monetary policy, but added a privacy pool that uses Zero Knowledge Proofs to hide the transaction sender and conceal the amounts being transferred. Zooko, upon spending months trying to raise funds alongside Zerocoin and Zerocash paper author Matthew D. Green, became the co-founder and first CEO of Zcash (later renamed into the Electric Coin Company,a development team for the project).

But in order to see the light of day, Zcash needed more than funding. To fulfil the cryptographic requirements to launch the network, a creation ceremony was required: 6 different security experts from all around the world followed the same procedure on the same day, then burned the laptops that they used for generating the secret keys (aka “cryptographic toxic waste”). While this trusted setup was never the ideal model and was completely removed in a more refined iteration from 2022 that came up with the Halo2 proving system, it was the necessary first step. The 6 Zcash ceremony participants are Zooko, Edward Snowden, Peter Van Valkenburgh, Derek Hinch, Za Wilcox (Zooko’s brother) and Peter Todd (whose destroyed laptop I bought in 2021 and is a significant talking point in this podcast episode).

Over the last 9 years, Zcash has grown and improved exponentially. Today, it’s the most influential project in the entire crypto space: privacy protocols Tornado Cash and Railgun are built using the zero knowledge technology that Zcash researched, while ZK rollups on Bitcoin (sovereign or optimistically verified) couldn’t exist without the work that Zcash did to achieve greater data compression. Furthermore, an upcoming project upgrade named Tachyon (proposed by cryptographer Sean Bowe) fixes the biggest criticism that privacy protocols have received for the past 15 years: scalability. Generally, transactions that include obfuscation are either larger in size, or else more computationally intensive (at least compared to a simple 1 input, 2 outputs transaction in Bitcoin). But Tachyon promises to bring scalability to billions of users without any privacy tradeoffs – which is the holy grail for solving the trilemma. It’s definitely going to be interesting to observe the improvement and refinement of the Zcash project over the next few years – as everything that’s being built is 100% compatible with the Bitcoin network and can get added as a future upgrade.

Listen to Zooko talk about Ecash, Bitcoin and Zcash on YouTube, Spotify, Apple Podcasts, Twitter/X, and more!

Time stamps of my interview with Zooko:

Introducing Zooko (00:00:55)

Early Cypherpunk and Digital Cash Days (00:03:18)

Cypherpunk vs. Cryptography Mailing List (00:03:52)

Discovering Digital Cash and Chaum’s Blind Signing (00:04:44)

The Internet, BBS, and the Fall of the Berlin Wall (00:09:10)

Growing Up with Technology in Eastern Europe (00:12:04)

First Computers and Early Programming (00:13:02)

Loading Games and Computer Limitations (00:14:05)

Impact of Tariffs and Internet Access (00:16:47)

Economies of Scale and Computer Conferences (00:18:28)

Social Media, Privacy, and Information Overload (00:19:33)

Twitter Blocking & Echo Chambers (00:21:06)

Personal AI and Information Control (00:24:08)

First Computer Memories and Speech Synthesis (00:28:55)

Programming Languages: BASIC, Pascal, and C++ (00:31:15)

Vocoder Technology and Privacy (00:32:27)

Video Games and University Life (00:34:28)

Science Fiction and Cypherpunk Literature (00:36:10)

Working at DigiCash and Early Digital Currency (00:39:04)

Nick Szabo, Social Scalability, and Economic Thought (00:46:27)

AI-Generated Personas and Real-Life Community (00:52:42)

Global Talent, Work Ethic, and Financial Management (00:55:51)

David Chaum as a Boss and DigiCash’s Downfall (01:00:06)

Decentralizing Ecash and Early Bitcoin Attempts (01:04:50)

Wei Dai, Crypto++ and Peer-to-Peer Innovation (01:06:19)

Open Source Maintenance and Funding Challenges (01:10:00)

Why Digital Cash Mattered in the 1990s (01:12:30)

Cypherpunks, Remailers, and Privacy Motivation (01:13:46)

Bitcoin’s Early Days and Zooko’s Initial Skepticism (01:19:55)

Bitcoin Advocacy and Security Flaws (01:39:07)

Zooko’s Triangle and Naming Systems (01:43:31)

Altcoins, Experimentation, and Maximalism (01:51:09)

Bitcoin’s 2013 Privacy Papers: ZeroCoin & ZeroCash (01:55:12)

Funding Innovation and Open Source Economics (02:00:27)

Zcash Launch, Sidechains, and Market Dynamics (02:03:40)

Sponsors and Bitcoin Innovation Renaissance (02:09:01)

Proof of Stake, Hybrid Models, and Cross Link (02:26:14)

Network Sustainability and Burn Mechanisms (02:33:37)

Quantum Resistance and Lost Coins (02:37:26)

Peter Todd’s Compute Node, Zcash Ceremony and Trusted Setup (02:42:19)

Zero Knowledge Proofs and Counterfeiting Bug (03:05:35)

Zcash Design Choices and Block Size (03:43:04)

Bitcoin Blocksize War and Evolution (03:49:09)

Zcash vs. Monero and Privacy Models (04:27:33)

Tachyon: Sean Bowe’s Scalable Privacy Breakthrough (04:08:22)

Live Zcash Demo and Address Privacy (05:27:00)

Zcash Mining, Liquidity, and DEX Integration (05:49:57)

Decentralization, Transparency, and the Future (06:02:22)

Closing Remarks and Podcast Wrap-Up (06:05:15)