Riccardo Spagni a.k.a Fluffypony had been for long the lead maintainer of Monero — the most prominent privacy-centric cryptocurrency. In this conversation we dive deep into the chronicles of this coin, its comparison with other privacy coins as well as fundamental challenges related to privacy in the blockchain space, and in Bitcoin in particular. We also talk about his views on the identity of the pseudoanonymous author of the Cryptonote protocol as well as his work on Tari which has been mostly under the radar so far. You can follow Riccardo on Twitter.
Hi Riccardo, let's start from scratch — how did your crypto story begin?
I first got involved in Bitcoin in May 2011. I read a post on Slashdot all about this Google engineer who had written a library for Bitcoin, and that Google engineer ending up being Mike Hearn. I read this article and thought if a Google engineer finds it interesting then maybe I should look at it.
So I started playing around with Bitcoin and at first glance, I was like no, you know what, this is nonsense. It’s a nice pipedream, it’s a great idea, but there’s no way this consensus mechanism is robust and would withstand a bit of onslaught. I set about basically trying to break Bitcoin. That was my initial thing. I just wanted to prove it wouldn’t validate the consensus mechanism or the claims that Satoshi made about the consensus mechanism.
I think part of it was that some aspects of my understanding of the Nakamoto Consensus weren’t great. It was a new technology, there wasn’t much news besides the white paper and the two forum posts. I’m one of those people that learn by doing so no amount of reading would have stopped me from actually trying to attack it. I tried a simple attack on Bitcoin and a few things like that. It was an interesting experience because it taught me a lot about Bitcoin’s underlying structure, how it comes to a consensus, and so on.
What’s interesting about that is having that technical knowledge, over the years, as the Bitcoin core has added and improved some of the things like the way blocks move around the network, the way transactions move around the network — I’ve learned why some of those changes have been valuable and participated in debates around the “magic numbers” and what is the baseline and so on — so that’s been really interesting.
That was sort of my initial introduction to crypto. Thanks to Mike Hearn, I guess, for writing a bitcoin library and getting a Slashdot article written on it.
The origins of Monero are connected to the CryptoNote protocol — its author is Nicolas van Saberhagen. Are there any clues on his identity? Can you comment on that?
Over the years, there’s been a lot of speculation. Currently, the main thinking is that a lot of the code is probably of Russian origin. It’s hard to say whether the CryptoNote is of Russian origin, but certainly, there’s enough evidence not only from certain aspects of the code.
People who were involved in CryptoNote from the beginning have come forward over the years so we’ve got a fairly solid idea that the codebase came from developers in Russia. It’s hard to tell on the white paper side. I have some suspicions about who might have written the CryptoNote white paper but no hard evidence. We’ll just say it’s either Satoshi or it’s someone else.
Actually, during my research, I ran into a person who claims to code most of the codebase of the CryptoNote protocol — Andrey Sabelnikov. Is this also your version that he is probably the author of the code?
Yeah. Andrey is definitely the author of much of the code. It’s hard to say whether he is the author of all of the code. He is clearly the author of one of the main helper libraries in the codebase. His name is all on it so it’s hard to deny that. Based on my discussions with Andrey directly, it’s pretty clear that he’s been involved from the beginning and was responsible for a lot of the code.
You see a lot of similarities between the code in that helper library and in the code of Monero itself based on the CryptoNote protocol. Obviously, up until early 2014, when Monero launched as BitMonero, and then there was this hostile community takeover, I think it was largely the expectation that it would continue that way and that was the point of divergence; that point where the community started becoming responsible for it.
At this point in time, there’s still a lot of that code floating around the codebase, but it gets used less and less, and a lot of it exists for historical purposes — for synching up from scratch and being able to gather old blocks, not so much anything new.
The first implementation of CryptoNote was Bytecoin. And there were many forks of Bytecoin that occurred shortly after such as PhantomCoin, MonetaVerde, and so on. Why did they all fail to gain some meaningful traction, unlike Monero?
Now we’re really digging into the archives. That’s a great question. Basically, what it boils down to is all of those forks, except for maybe Boolbery, weren’t launched by the organization that created CryptoNote. I suspect where their mind went was Bitcoin has a bunch of forks like Litecoin and at the time Feathercoin, and VertCoin. These are all forks of Bitcoin that have value so if we can launch Bytecoin and then a whole bunch of really stupid forks, they’ll all have value and we’ll be able to fast mine them and dump them on unsuspecting idiots.
What they didn’t expect, and it still fascinates me to this day that this is the way it played out, is that the very first fair launch, that first fork which was BitMonero, they did not expect that the community would take it over, that their sock puppet would be ousted by the community and the community would say “don’t worry, we’ve got this”.
To that end, Monero has only been successful because of that, because of being community-driven from that point when thankful_for_today was kicked out and told by [the community] that they’re running Monero and let’s see what happens.
That’s actually my next question. Monero was launched in April 2014 by thankful_for_today, a few days later he was kind of kicked out of the community. Can you elaborate on that story? What happened?
What happened at the beginning, you sort of thought thankful_for_today is this benevolent dictator, not an uncommon marvel, especially at the time. Lots of coins had that, Litecoin had a benevolent dictator too — Charlie Lee.
What we found within a couple of weeks was that he came up with this obviously stupid idea from our perspective, a great idea from their perspective, to merge mine Monero with Bytecoin. But we said no. It was interesting because it didn’t have Bytecoin’s premine and it was a different codebase and interesting technology, and we said, why would we want to shackle this to Bytecoin?
And he said OK, I tell you what, let’s put it to a vote. So in every block header, we’ve got a major version and a minor version of the block. We said OK, let’s use the minor version as an indicator You indicate with this block version “yes, I want to merge mine”, or by choosing this other block version you indicate “No, you don’t want to merge mine”.
He set the default to ”yes” and said cool, it’s going to run over this period of blocks. And of course, we said no, you can’t set the default to “yes”. So, we scrapped that initial vote and we did it again and the default was not set, and then miners were able to vote yes or no.
Of course, the bulk of the votes coming in were no, we don’t want to be merge mined, so miners were indicating they don’t want to be merge mined. The community was indicating it didn’t want to have this merge mine and thankful_for_today still said no, we’re going to make them merge mine.
That was the point when the community said: “you know what, we’re going to take the code and run it on our own”. So I and six others took the codebase from BitMonero into Monero and the two ran in parallel for a while. You could still sync up with an original BitMonero coin up until about January or February 2015, and that was just the point in which it became infeasible to do that because it was still loading stuff into memory and no longer working for the two systems.
During my research, I ran into a coin that doesn’t exist anymore called AppeCoin developed by Sergio Learner. I think it’s considered to be one of, if not the first privacy protocols. Were you familiar with that protocol before you got engaged with Monero?
No. I’m familiar with Sergio’s earlier work but not with that. A lot of my early exposure to privacy protocols and Bitcoin was with the AnonCoin, I was, sort of, heavily involved with the AnonCoin guys. We had a pretty good vision of where to go but the issue was on-chain privacy.
No one really had a good idea as to how to do that and the AnonCoin was kind of heavily focused on network-level privacy and we didn’t have an answer for what to do with the on-chain privacy, and I think that ultimately led to its demise.
CryptoNote is now basically one of the earliest privacy-centric protocols. Today, we have ZkSnarks, ZkStarks, and ZkSharks or protocols developed by Enigma etc. How does CryptoNote still compete with them? Can you compare the trade-offs between these protocols? Do you follow these protocols and how they develop?
CryptoNote in its original form doesn’t compete at all. There are too many issues with the way the whole thing is structured such as the fact that you end up grouping outputs ultimately because you can’t spend any, originally. A lot of those issues are fixed by RingCT that Monero added to the codebase in 2017 or so. Because CryptoNote never kept up with that, it’s kind of a dead protocol in many ways; it just doesn’t compete.
If you’re talking about Monero compared to ZkStarks and ZkSharks and so on, that’s a more nuanced discussion. I’ve seen a lot of silly things bantered around like Monero only has a privacy set of 11, which is definitely not true.
It’s hard to make those comparisons, but pretty much most modern privacy protocols get a couple of things right, and this includes Monero.Firstly, they’re hiding transaction amounts with no problem. That’s something they all do and they all do it well. You’re not going to break Monero’s hidden amounts, you’re not going to break ZkSnarks’ hidden amounts, forget it.
The second thing is hiding where the funds are going to. Again, Monero does this to stealth addresses; you’re not going to break them. It’s pretty feasible that you can’t break them so that’s pretty solid. The third thing and this is the big one, is where transactions are coming from and this is where Monero uses ring signatures, which, of course, have to be battle-tested, and stuff like ZkSnarks are arguably better. And it’s true, if you look at it from a per-transaction basis, you could argue that Monero’s privacy set is smaller.
But I like to look at it in the context of a couple of other things. The next thing, for example, is network-level privacy — what is being done in terms of hiding the IP addresses where the transaction originates from, Monero does this through I2P and TOR integration as well as Dandelion ++. So even if you are not doing I2P or TOR you still benefit from Dandelion ++.
Another aspect is default privacy. You can have the best privacy system in the world, the most advanced, magical cloud of privacy, but if only five people are using it, it doesn’t matter how grand your privacy status is on a per-transaction basis, your total privacy status is still five. And that’s really where Monero dominates. That’s the tipping point — the fact that there are so many users in the Monero ecosystem — individual users, small users, big users, exchanges, all sorts of services, companies accepting Monero payments — there are so many of them that the privacy sector is actually massive.
When you’re operating in Monero and you’re sending a Monero transaction, you’re getting lost in that crowd. You’re not just getting lost in the five people using this magical cloud of privacy. That said, obviously, you want to make sure you’re continuing to improve and that is what Monero is doing, just trying to have that drumbeat of improvement
Because privacy is not just a state that you achieve, like, oh, we’re now private, but that’s not how it works. You have to remember that there’s always an attack and there’s always an attacker that’s trying to improve their ability to attack so you have to improve your ability to provide privacy to users.
That’s really the focus of a lot of the research that’s being done on things like Triptych and, even to some degree, things like the Bitcoin and Monero atomic swaps. This improves liquidity. It improves the user base that people shift in and out, and I think that all these things combined, at least at this point, make for a better overall privacy set. I don’t know if it will be like that forever, but that’s where it is right now.
There’s still plenty of protocols like ZCash, Grin, ZCoin, and others. What would be your top three privacy solutions in the blockchain space that provide the highest level of privacy in your opinion?
I would say in terms of the top three, Monero would be my go-to. Second, I would say Zcoin (now rebranded to Firo) when they release Lelantus and it’s all live and happy. The third would be using shielded transactions on Zcash.
Privacy solutions sometimes may result in a lack of auditability of the coin supply. Do you think this kind of risk could be acceptable on Bitcoin itself?
That’s one of the things I have been arguing for lately; at the end of the day, Bitcoin is not immune to auditibility risks. And you can see that because there have been two clear inflation bugs on Bitcoin. The first was actually exploited in 2010 when someone created billions of bitcoins. Thankfully they didn’t spend it thereafter and there wasn’t a lot of traffic on the Bitcoin network at the time, relatively.
The second one was a little more of an issue and that was the 2018 CVE, which was double spending transaction outputs. It was discovered and fixed before it could be exploited, but it existed for quite a while, for over a year. Thankfully, no one else discovered it and exploited it during that time.
But, think about what would have happened if it had been exploited. It could have been exploited and then, yeah, cool, you’ve got this amazing auditability, but it gets exploited and an attacker goes and double spends these things that you only discover down the line because of the amount of traffic on the Bitcoin network, and you can’t suspend it and tell everyone to stop using Bitcoin for now. And maybe the attacker makes deposit transactions to some of the exchanges, and it’s gone. — now it’s too late; you can’t undo it. You’ve got untold amounts of damage that have been done and there’s no recovery.
So both Bitcoin and Monero and other privacy-enhancing technologies face the same risk, whether you can look at the numbers on a block explorer and count them or not. You face the same risk of a potential auditability bug destroying the underlying soundness of the money thesis.
Given that the bug shifts whether you can see the transaction amounts on the block explorer or not, I would argue that Bitcoin can and should add privacy because it’s not like the risk changes; it’s not like the risk goes away or suddenly appears.
The risk is already there. It’s there, it’s already existed on Bitcoin with two incidences that we saw in the past so there is no excuse to not add privacy to Bitcoin — at least adding transaction amount privacy through something like confidential transactions, which would be extremely beneficial to not only something like Coinjoin but also to Lightning Network from a privacy perspective.
What about privacy coins and their compliance with regulations like AML and KYC? I noticed that Monero team and Perkins Coie recently published a white paper on Anti-Money Laundering Regulation of Privacy-Enabling Cryptocurrencies. Can you perhaps elaborate on that and how you see privacy coins and their future compliance with all kinds of financial regulations that are present in the financial world?
We worked very hard with Perkins Coie to help them gain an understanding of all of the nuances, and basically, what the paper argues is that it’s actually not that difficult for an exchange to comply with existing regulation when it comes to privacy-enhancing coins, or, also something like the CoinJoin deposits and withdrawals or deposits via Lightning because you can remain compliant with a number of mechanisms.
I always sort of wind this back to how banks feel about cash. Banks are very familiar with dealing with cash; they’ve got no problem with it. You can walk into a bank and say, I’d like to withdraw 50,000 euros in cash or I’d like to deposit 50,000 euros in cash. They have processes for dealing with that.
And yet, when it’s a privacy coin, exchanges say they don’t know how they can do this — it’s (supposedly) impossible. And I say just look at the banks. It’s pretty obvious. By large, the paper argues the same thing. Stuff like the Travel rule should not be inherent or should not carry with the actual transaction. The communication that exchanges can do around the travel rule can be done out of banks.
So I think anyone who runs an exchange or an actual service and has regulatory concerns about the privacy technology around things like Lightning, because Lightning under the microscope is also privacy protected, should read that paper — it is on the Perkins Coie website.
It’s well worth reading, especially in terms of compliance and auditing in the blockchain space. And I think it not only provides a detailed overview as to how you can comply but it also shows where the edges are, where you’re imaging you need to comply that you don’t.
One of the issues that I keep hearing about is how people criticize Monero in regards to its decentralization as 3 pools are in charge of most hash power. Is Monero decentralized enough in your view?
If you look at Bitcoin over time, the same things happen. You have mining pools that have gotten big and mining pools that have been small. At this point in time, I think it’s not as bad as it used to be. I think the largest Monero mining pool has 25–27 percent, somewhere around there. Of course, you can combine a few big pools and go to the races; they could collude. It’s the same thing with Bitcoin.
You could get a couple of big pools. You don’t need 50 percent, by the way, to do damage. You could do all sorts of damage with 30 percent. Is collusion a real risk? I don’t know. I feel like a lot of the mining pools in Bitcoin and in Monero have existed for a long time. There have been situations where both Bitcoin and Monero mining pools have come really close to 50 percent in a single pool.
If those were going to do damage, I think they largely would have done damage already. But they are also very cognizant of the fact that any damage they can do would likely destroy Monero and Bitcoin, and there goes all their infrastructure, all their earnings, all their money. So generally speaking, I think the collusion risk is pretty low.
Recently, the IRS announced some grants to break the privacy of Monero. Can you imagine a situation in the future where agencies like that could possibly start some attacks or efforts to deanonymize networks like Monero?
Again, I go back to my thing about privacy not ever being an achieved state. Could they find ways to reduce Monero’s privacy or damage it substantially? Sure. You have the risk that some 15-year-old kid in Poland one day wakes up and figures out a critical break in this. It doesn’t have to be a sophisticated adversary like the NSA. You always have the 15-year-old-in-Poland risk, and you always have the threat of a sophisticated adversary.
All you can really hope for is to use the power of open source and many people looking at the code and looking at the underlying research. All you can really hope for is that you’re staying one step ahead of the sophisticated adversary that’s trying to break the network.
Are you satisfied with the adoption of Monero?
That’s a good question. Of course, I would love more adoption. Again, as an analogy, having that sense of how many people are using this and how powerful that really is for ensuring that you get lost in the crowd, I think that’s such a critical element. There is work being done to encourage adoption.
Sometimes, it takes the form of projects such as MyMonero.com and Cake Wallet, which are trying to provide really good interfaces for mobile users. At the time, it’s something like Feather Wallet, which is trying to provide a very familiar user interface because it’s basically an Electrum face.
I think there’s a lot of work that’s being done there but it’s slow. I campaign about this a lot that things like addresses are very confusing to people. Bitcoin addresses are confusing enough. Now, you’ve got a Monero address that’s 95 characters long.
I see your point. I know that you’ve also decided to work on the Tari Protocol. Can you elaborate on what was your motivation behind that?
Yes sure. A couple of things occurred to me. First, I feel like Monero does extremely well in terms of supporting developers and contributors. But at the same time, we lack more of what I would call corporate support. This kind of support that you get from operations just doesn’t exist in the Monero space much. There are organizations like Xmr.to, MyMonero, and Edge Wallet who do provide as much of that as they can but we need more. So, part of my motivation was to try and get more corporate assistance to be able to do things like regulatory white papers.
Another part of my motivation was I wanted to see something built on top of Monero or at least attached to Monero, and to provide a model for others but doing so in a way that doesn’t compromise Monero and doesn’t embed things in random transactions that could leak additional metadata because you want transactions to be as uniform as possible.
The third thing is I am just generally really interested in the digital asset space. It’s interesting to me to some degree. Digital art is certainly interesting; I’ve given a lot of criticism about it, but I do think that digital art is a space that will hold value in the future.
And, of course, other things like loyalty points and so on — being able to break out of the system and take loyalty points that you’ve earned on an airline and sell them on the open market or just exchange them for some other loyalty points. I think all of that just appeals to me, just being able to provide the underlying infrastructure to help people create these things and products. Just having that infrastructure I think is incredible.
We are now going through a DeFi craze so I have to ask you: Do you see Tari potentially being able to penetrate the DeFi space as well?
I think that there will be people who will build DeFi-like products on Tari. I hope they will have some degree of robustness and just sort of a general sense of maturity when they approach that development, understanding that they do put people’s privacy and funds at stake.
I feel like a lot of the DeFi stuff we’re seeing at the moment being brought out in Ethereum takes a very lax approach to security. It takes a very sort of casual approach to people’s funds and I think that by the time Tari launches and provides any such functionality, even remotely, I’m hoping we’ll foster a community of people, of developers, that think more carefully about this before they build anything.
From my perspective, Tari has been quite under the radar during the past months. Can you break down its key technological components and also specify the current stage of the protocol in terms of development?
The way Tari is designed to work, and of course being a software project that’s still in development, the way it works today might be different tomorrow, but it’s a merge mined sidechain with Monero; it is written in Rust and uses Mimble Wimble. It’s not based on anyone’s code. We haven’t forked Grin or anything.
There is a live testnet. Tari Aurora is a mobile wallet that you can just grab on the Apple or Google Play stores. It’s not on F-Droid yet but at least it’s on the two big ones. You can also download and run a testnet node.
That’s sort of where we’re at now. The digital asset functionality is a little more complex and basically revolves around a set of validator nodes that come to a consensus about a particular asset. It is a kind of sharded architecture. A lot of the validator node functionality is still in its infancy; there’s a lot of work that still needs to be done before we can even try it on testnet.
That’s sort of the next hurdle we need to overcome — getting the actual digital access creation stuff and operation to work on testnet and that’s a big hurdle; there’s a lot of work still to be done there. Every day progress is being made and that’s great.
I can imagine that’s a lot of work. How do you see Tari being able to compete with Ethereum, maybe also in regards to protocols like Tornado Cash, which basically uses on-chain Ethereum privacy for digital assets? What is your strategy? How do you want to compete with these protocols?
That is also a good question. One of Tari’s big focus areas is on scale, and I think that Ethereum has done a lot to introduce people to many interesting ideas, but Ethereum wholly fails to scale. We see that when fees grow to 100 dollars to do anything with a smart contract. It just can’t scale and I remain unconvinced that Ethereum 2.0 is going to come with any benefits to make up for that.
Tari is not designed to be a world computer. It’s not designed to be any of that. It’s designed to enable these digital assets to either create a closed-loop system where you’re running the infrastructure or an open system where other people are volunteering to run the infrastructure and getting paid for it. You have all of those options.
That, inherently, already lends itself toward doing things that Ethereum cannot do. You’ve seen this with stuff like Quorum and other enterprise Ethereum systems where Enterprises say: “we like Ethereum but we want to have control so we’re just going to fork it and run it ourselves”.
That’s so boring because they totally fail to use up interoperability and all of the cool stuff you could do. What Tari is trying to provide is the best of both worlds. If you want to do enterprise stuff — no problem. Run your own set of value nodes, control your infrastructure, but you still interact with them. You’re still able to serve stuff outside of the walled garden, or you can keep it to yourself, whatever.
I think there’s a lot of that stuff that’s interesting that Ethereum is unable to do. On the privacy side, we’ve got a bunch of interesting ideas around confidential assets and blind assets that I think will certainly make things very interesting.
Just having a privacy slider where [the user] can say: “okay, this particular digital asset needs a lot of privacy, or this particular asset is a security token in its essence and they want to see everything that happens — no problem”. Just slide that slider all the way to the right. Being able to do stuff like that, I feel, will change the way people think about the assets, the way people work with them. At the moment, with Ethereum, it’s very much like one or another.
I share your skepticism regarding scalability advancements coming from Ethereum 2.0. On the other hand, especially in the last few months, we’ve seen that some DeFi projects have implemented their own Layer 2 solutions like ZkRollups which to me seems like the way we can scale DeFi applications. Do you agree with that?
Absolutely. I think that in terms of the next steps. A couple of things that I have observed when talking about Ethereum — yes, some of them use their ZkRollups and Layer 2 stuff. I think it is challenging. I think you lose a lot of composability when you end up doing your own thing.
And to some degree, it kind of isolates you and does make it a little bit challenging. At the same time, I’ve seen a couple of projects that are like: well, look, we’ll just provide this functionality on Binance smart chain as well and we’ll just have a bridge where you could just move from their Binance smart chain. Then, you still get all of the composability on Binance Smart Chain that you get on Ethereum. You just don’t have the scalability issues.
So I think that maybe what we will see, as we’re seeing already, a few projects are adding BSC functionality like Cream and a couple of others have done. Maybe that will become the interim; until Ethereum 2.0 does exist in real life and has some sort of real scale, maybe people will start using stuff like BSC as an in-between.
The last question I ask everyone: what do you think will be the role of the Bitcoin protocol in our society ten years from now?
I think that Bitcoin is not going away; the first 10 years of Bitcoin have proven that. It is an extremely robust protocol that has withstood all measures of attacks from a social and regulatory perspective as well as an actual cryptographic and technical perspective, so it’s still going to be around in ten years.
I do think the actual Bitcoin transactions are going to start to become sort of digital dollar style transactions, like when banks move money between each other. That sort of settlement. Or when you go to Starbucks and swipe your credit card, Starbucks doesn’t get like seven dollars in their bank account with a little note that says Riccardo’s coffee. It rolls up. Every 30 days, the banks are transferring money to Starbucks for 30 days worth of coffee purchases.
I think that’s probably what we’re going to see more and more of is Bitcoin being used to move large sums of money in settlement of any small transactions. Of course, that doesn’t preclude people from using it individually, but people will probably use it more as a store of value, and they won’t draw from it on a daily basis, but maybe draw from it on a monthly basis or add to it on a monthly basis. Even if you’re using gold as a stored value, you’re going to go get gold out of your safe and sell it on a monthly basis. You’re not going to get the gold every day. And I think it will be similar with Bitcoin.
Coin Story brings you in-depth interviews with the brightest minds in the crypto space. If you like this interview, be sure to check out our past ones too, and Sign up to not miss out on the future ones, and to get a regular digest of news and trends in the crypto world. Explore more interviews and educational resources on cryptocurrencies at coinstory.tech