Discussing Federated Chaumian Mints On Lightning

A group of Lightning network experts explore the scalability properties of federated chaumian mints.

Watch This Episode on YouTube

Listen To This Episode:

• Spotify
• Apple
• Google
• Libsyn
• Overcast

[0:07] P: Really looking forward to this one. Yeah. This is obviously Bitcoin Magazine Twitter Spaces. We do these multiple times a week, but today, we're going to be talking about the Lightning Network and federated chamian mints and what they mean, what they are, why they're interesting. This is a recorded conversation, and it will be released on the Bitcoin Space's live feed, which you can find on whatever podcast app you use. It's also published on YouTube. That's basically why we're here and what we're about.

Eric, you've been working on chamian mints. Can you give us a little bit of your backstory, who you are and why you are interested in chamian mints?

[0:51] Eric Sirion: Okay. Awesome. Yeah, my background is mostly in computer science. As such, I had a keen interest in old eco-schemes. At university, I did a talk about all the development from the beginning in the 80s with chamian eco-schemes and right up to Bitcoin and all the amazing stuff like Lightning. That's how I got an idea of being able to integrate all these different ideas. Yeah. At some point, I heard about Liquid and federations and I was like, "Why don't we use the federation tag to implement these old e-cash ideas that allow us to have perfect privacy on Bitcoin, but perfect privacy in the eco-scheme to improve Bitcoin?" That's where the idea came from.

[1:42] P: Very cool. Very cool. Casey, you want to go next?

[1:45] Casey Rodarmor: Yeah, sounds good. Yeah. I am a programmer within the Bay area. I used to be, I guess, briefly a Bitcoin core developer at Chaincode Labs a long time ago. Like Eric, I'm really interested in pre-Bitcoin forgotten knowledge. A lot of Bitcoiners don't really know about stuff like e-cash and other weird systems that existed before Bitcoin. Often, they were pretty centralized, but they have interesting properties.

My interest in chamian mints actually comes from being concerned about Lightning Network usability for normies. It's likely that stuff like payment failures, a difficulty in managing nodes, etc., I think there's going to be real usability challenges there, especially for just normal people. I'm very interested in federated chamian mints because they allow this very nice trade-off where you can have essentially what amounts to a posted wallet with better security guarantees than if a single actor was hosting that wallet. Yep. That's where I'm coming from.

[2:47] P: Love it. Love it. Rindell, do you want to? I'm assuming you want to stay completely anonymous, keep us all in the dark about who you are and what you're about?

[2:56] Rindell: Yeah. I'm a software engineer. At least that's what they say. I've worked a lot on, I'll call it cryptography engineering. Taking cryptographic primitives and building really big systems out of them. A lot of distributed systems work on really big systems. I've been talking to the people around here and in Pubnet and other event for a little while now about scaling Lightning Network in kind of two different ways. One of them is the last mile scaling in which Casey talked about a little bit.

How do we have end users get a private and inexpensive and really high throughput experience without having everybody in the world have multiple Lightning channels open? I just don't think that's going to work, and there's a lot of different interesting ideas there. Then another dimension is, how do we scale Lightning routing? We've been having a lot of conversations around what would subnetting for Lightning actually look like.

When the federated chamian mints funding was announced by Blockstream, it just fell into place for me in my head. This is a really interesting new primitive in the tool box that comes with some interesting trade-offs. I think that for the leaf nodes of the Lightning graph, it's really appealing for a bunch of reasons and there's a lot of interesting directions that I can go in. So I'm just super excited to be digging into this. There's like a new primitive that we can use to build really interesting stuff on top of Lightning.

[4:25] P: Love it. Finally, Vivek, I'm so glad you decided to join us on stage. I know you've been super busy lately. Can you give everyone a brief introduction to who you are? Don't undersell yourself or I'll scream.

[4:37] Vivek: Sure. Sure. Hi, guys. My name is Vivek. I do business development for Blockstream but have many hats. Done some MNA stuff as an analyst back in the day. Done lots of consultative sales work. Right now, these days, I'm working with Christian Decker to essentially figure out the product market fit for our green light, a Lightning node hosted solution and also working with Samson and the team on Liquid. I'm happy to be here and just participate and see what federated models we can explore and security guarantees as Casey elaborated on.

[5:16] P: Love it. I think the most useful way to go about this is, I'd like us to talk about... As a group, so this is a free-for-all. Please, if anyone on stage has something to say or a comment or a thought or a question, just jump in and say it. The first thing I want to do is talk about the specific challenges. I want people to understand exactly what a chamian mint is and what it means to have a federated chamian mint system as well. I suspect that the best way to do that is to start by defining the challenges that these systems attempt to solve. What are the problems that may exist in the future that we can highlight and then talk about how the system aims to resolve those?

[6:09] Rindell: Yes. Go ahead.

[6:10] Eric: Yes, sure. Okay, then. I think the biggest problems Bitcoin is facing or will be facing, is privacy, which is already a concern, and scalability which kind of is a concern today, but not as much as I expected to be in the future. In the future, I'm thinking of that on-chain usage will essentially be a privilege of review unless there's some throughput increase on chain, which always has been contentious. Oftentimes, if we want to have major throughput increase, it comes with higher requirements for full nodes, and yeah, it's just people haven't been comfortable with doing.

I think we are facing a future where for most people doing on-chain transactions isn't all that feasible talking about like the majority of people that make less than, let's say, $50 a day, which I think is quite a few people on this planet. We still want them to be able to participate in Bitcoin. I think federate e-cash can solve this problem in a sense. Having a different trade-off when it comes to trust properties. That's one of the ways to put it.

[7:25] P: Got it. Okay. Privacy and usability. Is that right? Or scalability? Was it scalability?

[7:31] Eric: Yeah, exactly. Exactly.

[7:32] P: Okay.

[7:33] Eric: Yes, scalability and usability to kind of, but that's more like, that comes automatically, more centralized solutions.

[7:41] P: Got it. Okay. Rindell?

[7:42] Rindell: Yeah. I was going to say, a lot of times when we talk about scaling Bitcoin, what it really comes down to is, how many transactions can you have before you actually have to touch the blockchain, right? With Lightning, the idea is you do an on-chain transaction to open a channel. I open a channel to Odell. I do as many channel or as many transactions back and forth on that channel as possible. Then eventually, at some point in the future, we do another on-chain transaction to close it. With these 2 on-chain transactions, we have all of these different payments that can go back and forth. Ideally, you leave your channels open indefinitely.

You're really only using the layer 1 blockchain as like a decentralized cryptographic back to justice system, right? In a perfect world, I have all these channels open. I never actually have to go down to the main chain, but if there's a conflict or dispute, then we go and we settle up on the blockchain. That's great if you have channels open, but if you look at the size of a Bitcoin Lightning Channel open in terms of block weight and you do the math of, a Bitcoin block can have, let's say, 1.3 megs of transactions in it. Channel open is like on the order of 140 vBytes. You multiply that out, multiply by how many blocks you have in a day, assuming ten minute blocks.

The conclusion that you come to is if you wanted to have a billion people in the world all have 1 channel open, it's going to take 3 years, right? If nobody's doing any other transactions, nobody's closing channels, nobody has 2 channels, everybody's just opening 1 channel. The conclusion that you come to if you do that is you say, "All right, we need to have either more interesting batching mechanisms to bulk up in channels," or you just come to the conclusion that not everybody in the world is going to have a Lightning node with a channel open.

One model that you could have is you can have custodial wallet, right? Where you have something like Wallet of Satoshi, where you have an account and they have a very well-connected, well-capitalized node that does all the actual Lightning transactions and you just have an account balance with them. That's similar to if you're using Cash App or something, right? You can think of Cash App as a Bitcoin scaling layer. It's just very centralized and very closed.

What's cool about chamian mints... Then we should probably take a step back in a minute and talk about what a federated chamian mint is. What's cool about it is it lets you have a less centralized federated custodial solution for a Lightning wallet. Instead of me trusting one company or one party with my Lightning wallet balance and them doing all the Lightning transactions, I can put trust in a federation of different entities that may be are in different geo-political regimes, have them manage Lightning transactions out to the rest of the network. Then within the mint, all of my transactions, other people who have accounts there never actually touch Lightning or touch anything else. We're just sending bytes of data back and forth.

It's a way of, if you think in the future that this is going to take off, what you can imagine is there's going to be a network connected by Lightning of these different chamian mints. You join up to the one that has the custodians that you trust or that has the properties or capabilities or semantics that you want. You have an account there, all of the transactions inside of that bank. If you will or like fast as private as they possibly could be and very secure. When you need to move money between these mints, it's over Lightning. That's the big picture. If this really takes off, you get crazy good scalability, you get crazy good privacy and you can still connect to Lightning without every person in the world needing a Lightning channel.

[11:51] P: Got it. Matt, you've been uncharacteristically quiet. Would you add anything to that or to the top of the discussion so far?

[11:59] Matt Odell: Basically, my TLDR would be creating more accessible Bitcoin privacy in a way that has better trust properties than current custodial wallets, which everyone's already using. So many people are using custodial Lightning wallets.

[12:17] P: Yeah, for sure or custodial on-chain wallets, which is even worse.

[12:21] Vivek: I'd also like to add... Rindell made some great points about the scalability about the Lightning Network and channel opens. Everything in Bitcoin is going toward this, like, scalable mentality. We've gained some fantastic vByte efficiency through Taproot and Schnorr signatures. A lot of this is a similar mindset of not necessarily needing to reveal the inner details. For example, the script, the policy itself, other things like that. It's usable and a bit more efficient. It's great.

[12:56] Rindell: Yeah. P, it might make sense just to take a step back and describe what a FediMint is and then we can... It might make more sense for people about where this fits and maybe we can talk about different applications and problems that it solves.

[13:10] P: I love it. Let's do it. Rindell, do you want to give a high-level, your view and then we can jump to Eric and Casey? Does it make sense to do so?

[13:19] Casey: One suggestion, maybe we should start with a non-federated chamian mint first and then later on, federated n on top because they're a bit separate and probably confusing to try to digest them both at the same time.

[13:34] P: I love it.

[13:34] Vivek: David Chaum, I don't know who that is.

[13:36] Casey: David Chaum is an old-school cryptographer. He's still around. He developed a system called e-cash, and I don't have the Wikipedia article in front of me. These details are probably wrong, but e-cash was a centralized payment system. I don't remember if people got cards or how it worked, but the idea was that you could pay at merchants for stuff in your daily life with Fiat. It used cryptography and particular blind signatures so that every time a user was spending money, the operator of e-cash or DigiCash didn't learn anything about who it was that was making a purchase.

[14:18] Rindell: Eric, what is a blind signature? I have heard of Schnorr signatures and ECDSA. What is a blind signature? Does it overlap with those?

[14:29] Eric: Yeah. Basically, a blind signatures [inaudible] scheme is a signature scheme that allows the user to acquire a signature on a message without the signer ever learning this message. Normally, this wouldn't sound too useful because normally, if you sign a message or [inaudible] of e-cash, what you actually use it for is that each signature has the same value. Let's say each signature is worth one dollar. Anyway, the bunch of random messages and the only property that these messages need to have is they need to be unique. You can essentially do this by drawing them randomly and having a big enough message space to draw from. Then you let the chamian mint blind sign these random messages, give you back the blind signatures.

You can unwind these signatures and now, you have a bunch of just random messages with signatures attached. Each such pair, we can call them e-cash tokens, for example, or I think we call them redeem receipts in our blog post. Each one is worth one dollar. If I give the chamian mint five dollars and five of such blinded messages, just random message, just essentially, then I get 5 such tokens. I can then spend them anonymously because the bank or the federated chamian mint never learned identity.

[15:58] Rindell: If I can jump in really quick. When you're thinking about cryptographic protocols, I think it's really helpful to think about an analogy just like using paper and just like physically passing things around. A good metaphor for blind signatures, I didn't make this up, I'm stealing this from the Chaum paper, is if anybody remembers carbon paper, right? You had 2 pieces of paper and you'd sign the top one and then you'd lift it up and underneath, your signature's transferred through because there's a layer of graphite on the bottom of the first paper. You use that when the utility guy comes to your house and hooks up your gas and you sign a piece of paper and they give you the bottom paper. That's like carbon paper.

What Eric is talking about, imagine that you have these carbon envelopes and there's a slip inside of it. You have a serial number on a slip of paper and you seal that inside of an envelope and you hand it to the chamian mint, and the chamian mint doesn't know what the serial number is because it's inside this envelope. They sign the envelope and then they hand it back to you. You can tear the envelope open and pull out the piece of paper, and now...

[17:07] P: I think we lost him.

[17:09] Casey: I can continue that thought.

[17:11] P: Yeah, go for it.

[17:12] Casey: You hand the bank this envelope, and inside out of it is this little slip with the serial number. The bank signs the outside of the envelope, essentially and the bank's signature is transferred to the slip on the inside of the envelope with the serial number, but the bank can't see what that serial number is. Then let's say this represents like a deposit of one dollar. You leave and eventually, you come back later to the bank when you want to spend that dollar and you present it with that sign serial number. Because the bank never saw what that serial number was, it just saw the outside of the envelope that it's signed, it can't link that serial number back to the original act of signing and can't correlate the person who's showing up with some person that it's seen in the past.

It can verify that it produced its signature. It can see it produces that this is the serial number was signed by its private key. So it can just trust it and be like, "Okay, I guess this is worth a dollar," and let you do whatever you want to do. You make a purchase or make an outgoing Lightning transfer in the case of a Lightning chamian mint. That's the basic. You show up and you say you deposit money, and it produces one of these blind signatures. You get this serial number and then you show up later and say, "Hey, I want to do something with some money." The bank isn't able to correlate those 2 events because it never saw a serial number that you're presenting later when it originally signed up.

[18:43] P: Got it. I haven't heard that before. That's a fantastic metaphor, analogy, whatever the right term is.

[18:50] Casey: Yeah, I love the idea of somebody showing up to what amounts to a bank and being like, "Hey, if you don't know who I am, but check out this signature like you made it so you can trust it. So do what I tell you to do with the amount of money that the signature covers." It's just great. Customers show up, the bank has no idea who they are, but it's like I say, prove their deposit before so this must be legit. Then they just do what the customer tells them to do.

[19:18] Matt: Casey, how did the e-cash project end? Does that have anything to do with how the federated model is multiple banks and a bit more better off?

[19:29] Casey: I think that I'm not super familiar with the history, but the original e-cash implementation which is called DigiCash, I think it just wasn't popular. It allowed individuals to make private payments. I don't think that this was something that people really cared about. I don't think it was super popular. I think it did a trial with one bank somewhere in America. I should really get the Wikipedia article in front of me so that I know what's going on. I think it just wasn't popular and it just faded into obscurity.

[20:01] P: Okay, so--

[20:01] Matt: [inaudible] those back?

[20:02] Eric: Yeah. From what I gathered like I wanted to get to reason too because I'm writing a paper about this. It seems like it's really benign. It's just like they ran out of money. They had some tests running, I think, with Deutsche Bank, actually. They were experimenting with the chamian e-cash idea. As you said, the interest wasn't there. They're also after 9/11. There were some new regulations, and this all happened in parallel. The DigiCash just went bankrupt. At the same time, a new legislation came into effect and made it completely impossible to ever run such a chamian bank on a legal basis.

[20:48] Rindell: The key change here is, for the first time, we have programmable money that is sound that increases in purchasing power that you can easily interact with. One of the coolest parts about Eric's proposal is that it interacts directly with the Lightning Network. It takes it a step further. Not only are you or you have this federated model so that the trust and the custodians, any individual custodian is reduced and you have privacy from the custodians so that the custodians can't see all of your transactions and your balances. You can also directly interact with any other wallet on the Lightning Network seamlessly without any kind of a regulatory approval with banks or anything like that.

[21:31] Casey: Yeah. I think that's really important because DigiCash was regulated. It was like a regulated legal entity. It could only do regulated legal entity type stuff, which made it less appealing and less powerful.

[21:44] Rindell: Yeah. I think the portability that you get over the Lightning Network is also really cool, right? If I am in a federated mint that Odell and P and Eric are running and then I decide that I want to move to a different mint or I can move everything over Lightning or I can be in multiple and interact with other services. One of the things that I'm really looking forward into the future about is having different mints, have different policies around what capabilities they support and you being able to just pick and choose where you want to be spending your money on different things. Having that all interoperable over the Lightning Network is really amazing, right? Having one chamian mint is cool. Having an internet of chamian mints all connected by the Lightning Network is way cooler.

[24:30] P: Can I ask a clarifying question? The description we gave earlier of the envelopes in the carbon copy, that was a description of blind signatures or that was a description of how chamian mints work?

[24:41] Rindell: That was a description of... The envelope was blind signatures.

[24:44] P: Okay, right. That was--

[24:45] Rindell: Using that for money is chamian mints.

[24:47] P: Okay. Got it. That was where I was missing the connection. Can we just give like a high-level summary of what a chamian mint is one more time for the audience? Should we then transition into federated chamian mints?

[25:00] Casey: That sounds great. I would say that a chamian mint is essentially a bank that uses blind signatures to unlink deposits and spends.

[25:13] P: Okay. A chamian mint is a bank that uses blind signatures to unlink deposits and spends as we've described. Actually, one more question before we go into that. Why would a bank in the current system want to do that? I'm so curious why... I think you said Deutsche Bank was experimenting with this. Why would they want to do that? Because that seems like it would be against their interest. It makes sense that...

[25:40] Matt: I think banks want to do a lot of things and they want to have the best product possible for their customers. They want to reduce their liability by knowing customers' balances and transactions and everything, but they're hamstrung by regulation and they keep getting more and more hamstrung. PayPal is not really a bank, but they're like a neo-bank. PayPal doesn't want to block people's accounts. They don't want to lock people's accounts and stop people from using the product. They want as many people to use the product as possible, but they're forced and compelled to do under burdensome regulation.

[26:12] P: Yeah, totally. I think a great analogy here is like a data storage, right? It's expected at this point that if you're using Dropbox, which you shouldn't be using, or iCloud, which you shouldn't be using, or whatever you're using that they basically don't have access to your information. That's a selling point for a lot of these services.

It's fully encrypted, client-side. No one in our company could even look at your data if they wanted to. We're already seeing, like with iCloud, the announcement that they're supposedly scanning all of your iCloud photos now to keep everyone safe from child pornography. The idea that we would hold data providers accountable for that information, I think, would be surprising to most, but for some reason, with banks, we just accept that. "Oh, yeah, they have to have 100% insight into everything." The idea that they can keep that totally private is something that everybody has just already, I don't want to say given up on, but acquiesced to.

[27:17] Rindell: The chamian mint model, it maps the analog system onto a digital system really cleanly, right? What you end up with these vouchers or these tokens, they look like paper money, right? Each one is a uniformly denominated bearer instrument that you can pass around between users and then deposit it at the bank, right? If you're trying to build an electronic cash system, it's a pretty natural way to model the problem. One of the reasons why, and I'm sure we're going to talk about the federated model on a minute, but one of the downsides with it is that it only works at your bank. There's a huge kind of centralization risk. The bank is a single point of failure, which I think is a big reason why Eric's work is so interesting.

[28:07] P: Sorry, that is an issue with non-federated.

[28:11] Rindell: Yeah, with non-federated with the old-school one. If I'm trusting Deutsche Bank, then I'm trusting Deutsche Bank.

[28:16] P: Yeah. It's almost like wildcat banks from back in the day, where every bank had their own currency and they were interoperable only if the bank said that they were interoperable.

[28:26] Matt: The original chamian mints proposal was, it was a trade-off. You had what it was essentially perfect privacy, but it came at custodial risk. You didn't have the ability to seamlessly interact. This proposal removes or mitigates the 2 main negatives, which is the custodial risk and the ability to actually transact outside of the Mint easily.

[28:52] Eric: Yeah. I think this interaction with other banks wasn't even that much of a problem. The problem would have been, let's say the US imposes some rules that US banks may only cooperate with other banks that know their customers. Then if you run a bank with chamian e-cash, then you cannot interact with any of these banks. That's how financial regulations are done these days. Many of them aren't even laws in all the countries where they apply.

The most important banks of this world forcing this onto other banks in order for them to be able to actually send money between each other. That's the power of Bitcoin that you don't have to ask for permission that way. You just connect to Lightning Network, and now, everyone who runs the Lightning Network or who is part of such a federated chamian bank can just interact with each other. No permission's needed.

[29:48] P: Love it. Okay. Let's transition to... We defined what a chamian mint is. Let's define what a federated chamian mint is.

[29:59] Eric: Yeah. On the highest level of understanding, when we federate some entity then we just split it up into “n” parts of which up to a certain number, that's called “f”, may be malicious without the functionality of the entire system breaking down. For example, we have this for federated things like Liquid. Sorry?

[30:24] P: Can you repeat that. You said?

[30:26] Matt: Eric, would you say that’s good? I don't know if it's an analogy, but for Bitcoiners is instead of just a single sig custodian, you have basically a multi-sig custodian. You're spreading out the risk.

[30:36] Eric: You mentioned you have two or three multi-sig [inaudible]. Then you have 2 risks. One risk of just losing your keys and you mitigate this by having not a three of three but a two of three. You may lose 1 key and you're still able to get your Bitcoins out. Then you have the second risk, which is SAFT. You mitigate it by needing two of these three signatures. Only if someone manages to steal two of your three keys, then they can actually take your funds. Actually, that's how the on-chain part of federated chamian bank is implemented as just a multi-sig wallet. Yeah, that's the beauty of Bitcoin.

It's the first asset that can actually be held in such a way that only if a certain amount of a certain set of people agrees, then you can transfer funds that was never possible before. There was always some higher instance like a bank that could just dictate who owns funds and who doesn't.

[31:31] P: Got it. Okay. Let's talk about how one implements or what the... How does one get from a chamian mint to a federated chamian mint in terms of practically? What does that mean? What is the proposal? How does the Lightning Network integrate with that?

[31:49] Casey: I think it's good to separate out the Lightning Network from... It's irrelevant what the federated chamian mint does. It just so happens that it's like, appealing application of federated chamian mints to have them make and receive Lightning Network payments. In principle, you could have a federated chamian mint that did anything. You could have a federated chamian mint that had a stash of Beanie Babies and then when you could send it Beanie Babies and then tell it to send out Beanie Babies, have Beanie Babies like tokens. It's like a very general technology.

In the Lightning Network case, the federated chamian mint would be making and receiving payments. The actual federation itself is something I don't know very much about, so I'll let somebody else take those details.

[32:36] P: Just to be clear, I love the analogy of Beanie Babies, we should do that just because it would be hilarious. Federated chamian mints that the only thing you can exchange is Beanie Babies. You could do this on chain. It does not necessarily have to be on Lightning. The fact that it is on Lightning is because Lightning is an extremely effective way of transmitting money value.

[32:57] Rindell: The way that I would frame it right is, imagine you have a Bitcoin federated chamian mint, right? There's a chamian mint where I show up to it and I hand it some Bitcoin and it hands me a bunch of these vouchers or tokens that represent well-defined denominations of Bitcoin. I can hand them to you, P. You can hand them to Odell and then Odell can redeem them at the Mint and get Bitcoin back out. That's the thing that you could just go build, and you could do that as a single custodian chamian mint or you could do it as a federation. In that way, there's not a single player that can unilaterally run away with everybody's funds.

If you were to build that, you can imagine that there are APIs or operations or commands that you can issue to the mint. One command that you can issue to the mint is, "Here's some Bitcoin, give me vouchers." Another command that you can issue at the mint is, "Is this voucher valid?" Another command that you can issue at the mint is, "Redeem this voucher for Bitcoin," right? These are the commands that you can give to the mint because the mint is just a piece of software and it'll do things using either vouchers or Bitcoin.

Where this connects the Lightning Network is, imagine if I can take one of my vouchers, my payment coupons to the mint and say, "Hey, use this to pay this Lightning invoice." Then it pays the Lightning invoice on my behalf using that voucher. Or I say, "Hey, generate a Lightning invoice and then pay me in my chamian mint tokens." Now, other people or myself using another wallet can send payment over the Lightning Network to the mint, and I redeem that payment for my chamian mint tokens.

It's less that the mint is built out of Lightning and it's more that if you have a chamian mint implementation that plugs into the Lightning Network, then it can interact with the Lightning Network like any other Lightning node, but on our side of the mint, we're passing around these little blobs of data that are redeemable for Bitcoin.

[35:00] Eric: Exactly. I think we should separate the Lightning part from the federated chamian mint part because actually, if... It's quite separate in the first instantiation. There might be some implementation down the road where we actually fade away to Lightning node, but for now, all we do to interact with the Lightning Network is we just have some sort of small contact in a federated chamian mint that enables trustless Lightning payments essentially or Lightning Payments in the same trust model as the federation already has, like the federated trust model.

I think we wanted to come back to, how would we actually federate a mint? That comes down to 2 parts. One part is holding the collateral, which is on-chain. It's just a good old multi-sig quality on Bitcoin. The second part is the issuance of these e-cash tokens. In a traditional chamian mint, that would be done using some [inaudible] scheme. For federated chamian mints, we need the threshold bank signature scheme. Meaning, again, you can think about it like multi-signature for Bitcoin but for blind signatures. In the academic world, we call these multi-signatures actually special signatures because you need a certain threshold of participants that cooperate with you to generate such a signature.

Essentially, it's just a “t” of “n” blind signature scheme where like a certain amount of parties in the federation has to be honest and then they can generate these vouchers. That's the 2 parts you essentially need to featherweight chamian bank or chamian mint.

The last thing maybe to mention is that you still need some consensus algorithm between them, between the federation members. We actually agree on the right order of transactions because that's the same problem that Bitcoin solve for an open set of well data's being minus. For closed set where we know who is part of the federation of part of the network, this consensus was solved a long ago like in the 80s or 90s, if I remember correctly. We're just using some old tech there to get an order of transactions, which every kind of system needs. Otherwise, you can easily double spend.

[37:10] P: Got it. Interesting.

[37:13] Matt: Eric, this sounds very academic. Is it possible to use Minimint today? Have you used it on anything?

[37:20] Eric: Please don't use it right now like at least not on [inaudible]. Please use regtest if you want to play--

[37:26] P: This is how we know you're not a shit coiner. For the love of God, do not use this amazing--

[37:33] Eric: I built it as a proof of concept.

[37:34] P: Yeah, and I just love it. You're like, for the love of God, do not use this amazing thing that I have built. It's not quite ready yet. You should be testing it and breaking it yourself as opposed to being like just floating it onto the ether as they...

[37:47] Vivek: Just asking you, Eric, in general. I think I saw you bought a coffee with it or something. Also, I was wondering if people did want to get involved and contribute. What repo should they look at? Maybe what language should they be familiar with, any general suggestions?

[38:03] Eric: Yeah. What you saw, yes, I bought a coffee with it at HCPP in Paralelní Polis. What I did there was I actually had a regtest federation running with completely worthless Bitcoin, but I coupled it to a Lightning node, which was actually running on main net, so I did atomic swap from my local regtest network to mine that Bitcoin, which is a totally insane thing to do unless it's on your own computer. If people want to contribute. I had a few people reach out to me. I don't want to disclose their identities here because that would force them to commit.

In private, I've been talking to a few people like ideally, some Rust like Minimint [inaudible] Rust, but also, if you are just generally interested and want to improve documentation and all the good stuff, you just want to play around with it. It's on GitHub. It's github.com/fedimint/Minimint or you can also find the link to the GitHub repo at fediment.org. They can just look around. I wrote a little week me that instructs you to set a federation on the regtest. You need the installation of Bitcoin core. There are some scripts included in the repository that automatically has been a practice network and then also the Minimint nodes.

Then you have federation of, I think, by default, 4 nodes, running of which one may be malicious and then you can just play around with it. It's really unfinished right now. There's only a [inaudible] app to interact with it. Yeah, but I'd be super happy about more contributors because that would mean that we can move along more quickly. My dream is that at the next HCPP in Prague, I might be able to actually buy a coffee with a main net federation. That would be awesome, but for now, for the love of God, please don't use it on main net. Some flaws in the wallet logic that may make you lose funds, and I don't want it. I couldn't live with that. Please don't.

[39:53] Rindell: Yeah, just a quick observation. For people who don't know, you can run a Bitcoin node in what's called regtest mode, where it just sets up like a private little Bitcoin network and you can mine blocks at will. It's really great for testing. They're completely worthless because it's just like blocks that you mine at will on your own laptop. I think it's funny that because you atomic swap that to the Lightning Network. The regtest running on your laptop is more valuable than half the shit coins that are on a Coinbase right now.

Good job for that. Another quick point. You mentioned Rust is an awesome language. If folks are looking at contributing to the Bitcoin ecosystem and are looking for a new language to learn, a lot of Bitcoin projects are popping up in Rust right now. Minimint which we're talking about, if you follow like CPO, that's all in Rust. There's some cool stuff happening with LDK and Rust Lightning. Learning Rust will let you contribute to a lot of projects that are up-and-coming in the Bitcoin ecosystem.

Then to Eric's point about there's obvious things that are wrong like he's done an amazing job working on it so far, there's some stuff that's just like low-hanging for that. If you're a Rust developer, you can jump in and work on. If you've done Tokyo, a networking before, just adding retries, the networking code and that kind of thing. There's lots of opportunity to get involved and help out with the project.

[41:12] Eric: Yeah, definitely. The people from some of Bitcoin reach out to me. If you are like a student at university and want to get into a Bitcoin development, then I will be preparing some project proposals for some of Bitcoin and then you could apply for the 2022 version of it. That might be a really cool way to get into it because then we'd have some structured mentoring and stuff like that. If you're interested, just take a look at some of Bitcoin once it's out. I will have to write multiple project proposals till December. I think they will publish it beginning of the year, and people can apply. That would be awesome. Generally, if you just want to work on a project, contact me. I'm available on Telegram, on Twitter. Just reach out. Always happy.

[41:59] Rindell: Right. Instead of Summer of Code, it can be Summer of Chaum.

[42:03] P: Now, Rindell, that was a terrible pun.

[42:06] Rindell: Yeah. Now, you have a picture in your head of federated chamian mints, right? The model is you go to the Mint and hand them Bitcoin and they give you these e-cash tokens and you can hand those to anybody and they can go redeem them for Bitcoin. When you plug the Lightning Network into the other side of that, what you can see is or what I hope you can see is that that's a model where you could have a semi-custodial managed Lightning wallet. Build that into Wallet of Satoshi, and now, there's not a single custodian that you're trusting with your funds. It's actually a federation. If you're spending money to other people who have that same wallet, then it doesn't even touch Lightning. It's actually even faster and more private and cheaper, right? That's a pretty cool thing.

[42:53] P: It's very cool. Let's step into the pontificating zone.

[43:03] Casey: You mean the pressure to adopt things like federated chamian mints?

[43:06] P: Exactly.

[43:08] Casey: Yeah, I think actually, we're already facing that pressure, and that pressure is not coming from scaling problems. It's coming from usability problems. Super, super hard to run a Lightning Network node. I have a project that I work on that requires people who want to use our project to run their own Lightning Network node. That's like the main barrier to getting to onboarding users, basically. All sorts of non-trivial things. You've got to manage your channels. You've got to manage Liquidity. You've got to keep your computer online, etc. All this... No, go ahead.

[43:40] P: I do want to push back slightly. I think you are both correct. I think that we... Certainly recently, it's gotten a lot easier and there are much larger communities of people running their own Lightning Nodes, but I do agree that it is a significant challenge for the average person to go from zero to running their own Lightning Node. Though, both are the things like Umbrel and [inaudible]. Also, I [inaudible] Voltage which basically, you can host your own, they’ll host the Lightning node for you.

Again, that is not to say that everything you just said is not 100% accurate because I think it is. The average person is not going to be able to just download an application on their phone or on their computer and just be like, "I'm running a Lightning node."

[44:23] Rindell: Yeah. That's where the real advantage is. The real advantage is when we see a mobile wallet that is as easy to use as something like Wallet of Satoshi but has way better trust properties in terms of custodial risk because it's federated and it has insanely good privacy guarantees because of chamian mints.

[44:41] P: Exactly.

[44:41] Rindell: It'll have better privacy guarantees than pretty much anything we have out there right now, with the trade-off being a slight custodial risk. You can just install it on your phone. You don't have to run a node. You don't have to know what channels are and you can interact with a greater Lightning Network.

[44:55] P: One hundred percent. It's basically--

[44:57] Casey: To be clear, even better privacy than what cryptocurrencies that their only feature's privacy. It's real good privacy.

[45:05] P: Oh, interesting. Wait, wait. Speak more of that for a second.

[45:08] Casey: Yeah. There's this no... Think about an outside observer looking at one of these federated chamian Lightning mints. They see it sending and receiving payments, but there are many users. That federated mint is acting on behalf of many users. In a normal case, an outside observer can't tell which payment is being made on behalf of which user. All the users of the federated mint act as an anonymity set. This provides extremely good privacy, and it means there's absolutely no temporary or permanent footprint that these transactions leave.

[45:43] P: How does this comp-, it's a basic question.

[45:45] Rindell: Then within the mint like the federation doesn't know what any of the payment activity was because they have no way of linking deposits and withdrawals. The operators of the Mint can't tell what you're doing. Then from outside of the Mint, all of the transactions are all flowing through this single aggregation point. Casey said it really well. It acts as a giant anonymity set, right?

The more people use your mint, the more anonymous it is because all of the traffic gets merged together going in and out of the gateway of the Mint. Then inside of the Mint, there's no linkage between transactions and withdrawals. There's not a ledger where you can follow all of the transactions.

[46:26] P: So is this basically… it’s like a superior… in it’s ideal form, how does this relate to CoinJoins? I know it doesn't directly relate at all.

[46:39] Casey: It's like a massive ongoing CoinJoin. You transfer into the Mint which is like entering the CoinJoin and then if you want to get out, you transfer out. I guess the anonymity set is all the users of the Mint, and it's also not an on-chain CoinJoin. It's like an off-chain CoinJoin which adds an additional more privacy.

[46:59] P: I expect all the CoinJoin implementations to hate this. I'm kidding, I'm kidding.

[47:03] Eric: You can think of it more as most of the tunneling protocol, actually. There are CoinJoin and tumbling Bitcoin, and it's something like TumbleBit. It comes pretty close, actually, to what you could achieve with Minimint.

[47:16] P: Can you define the difference between a tumbler and a CoinJoin?

[47:20] Eric: Okay. According to [inaudible], you have a single transaction with inputs and outputs and only all the inputs and outputs in this one transaction get mixed that is your anonymity set. With tumbling, you have anonymity set over a bigger amount of inputs and outputs. With tumble bit, I think you can have a lot of transactions that set up inputs to a big tumbling pool. Then later on, you can take your funds out again.

Essentially, with Minimint, you have the anonymity set of everyone who send Bitcoins into the federation ever when you take it out again because you can't really tell who already took their Bitcoins out again and who didn't.

[48:02] P: What is the trade-off?

[48:03] Eric: It's really great.

[48:04] P: What is the trade-off for on-chain transactions between the tumbler and a CoinJoin? Why aren't tumblers supported by Samurai and all the other related...

[48:14] Eric: I'm not entirely sure. It's not directly my field of research. As I understood it for like tumbling protocol's more complicated. I'm not even sure if like [inaudible] couldn't be counted as a tumbling protocol because they use also some blind signature scheme internally. I'd actually have to look into this again.

[48:33] Casey: Are there any non-custodial tumblers?

[48:35] Rindell: I don't think you can. You can do a series of CoinJoins, but most tumblers are all custodial.

[48:42] Casey: I think that's maybe the issue is that we only know how to make custodial tumblers which have that single party single point of failure problem and we also lack super illegal like the most illegal.

[48:57] P: When we say illegal, we mean just that the government doesn't like anybody to have money that they have full control over.

[49:04] Casey: I think we've seen specific legal action by the state against people running tumblers.

[49:10] Rindell: Yep. If you're a prosecutor and you can't convince a jury that a tumbler is money laundering, then you suck at your job, right? That's just how it is.

[49:25] P: It's so crazy to me that the goal of having privacy around your money is something that is even in question as a legal issue. It is obviously and I understand why, but it's crazy that people are sucked into the often false narratives around that. How long do we think before yelling and all the other related people and agencies are promoting narratives that federated chamian mints not only are trying to destroy Christmas but also are supporting child eating and cannibalism and all sorts of other terrible things?

[49:59] Casey: Honestly, just on that very specific question, I think we might be good. They don't even really understand how Bitcoin works. They don't demonstrate an understanding of very simplest concepts. Having somebody go up on, I don't know, in front of Congress or whatever and being like, "Federated chamian Lightning mints are a threat to," I don't know. I've been consistently surprised by how uncoordinated and uninformed state actors are.

They haven't really done anything meaningful against Bitcoin except for some, like an unfavorable acts treatment by the IRS. I'm very specifically against on-chain transactions and Bitcoin developers and miners and stuff like that. I don't know. It'd be surprising to me if they got their act together. Although, I guess if one of them, if a federated chamian Lightning mint was super popular, then yeah, maybe we would start getting some heat.

[50:52] Matt: That's definitely the biggest risk with a proposal like this, federations in general. Especially if they're offering privacy, it becomes a regulatory target. What's really promising to me about this proposal is that you can see, it appears that Eric intends, and Blockstream with their funding to him, intends to do it in a free and open source way. The fact that we could have many such federations doing this and they could be located around the world in different places competing with each other and interacting with each other makes it way more difficult for that kind of regulatory attack to happen.

I would caution against being too cocky in terms of... If it's very public, if it's being done by very obvious regulatory targets that have their ball based in the same country, stuff like that, they could get hit.

[51:48] P: Yeah, I agree. As soon as this becomes a significant…

[51:52] Eric: The great thing about federations though is that you don't have to trust the people running the federated chamian bank fully. I could just have to trust them at their own to conspire against you. That, in my opinion, allows for pseudonymous federations. Just imagine, we have a bunch of pseudonyms, the type of reputation they care about, and they come together to form such a federation. Who should be prosecuted? Nobody knows who they are. You can't prosecute a pseudonym them. It's just not possible. If they do it correctly.

I think even if there was a crackdown, the federated part would make it still feasible to run it through a federation, especially since if you only take down one of the nodes, then the federation still runs. You did nothing.

[52:42] Rindell: Yeah. I was just going to say, as long as not a signing quorum of your federation all get pinched at the same time, the federation still operates. If you start to lose trust in your federation like maybe your federation people start tweeting crazy shit coinery, then because this is all connected over the Lightning node, your exit cost is really low. That's one of the things that really jumped out to me about having these things be connected over Lightning is that your switching cost is incredibly low.

Stepping away from the resistance to nation-state story for a minute, another thing that's just really interesting about this model because it's just software that a couple of people have to come together to run together. I think it opens up a lot of really interesting scenarios for community banking. That could be community banking at a geographic level or within like your social group. If we wanted to say on Plebnet, a bunch of a plebs get together and run a federated chamian mint and people on Plebnet want to use it or not, that's great.

I live in a town where I'm trying to get some of my local small businesses to take Lightning. We could definitely do a federated chamian mint for my town that plugs into the Lightning Network, right? You can have these things make sense at different levels of social organization and you can choose the group of people, the group of custodians that make sense for you to trust, right? This is the Bitcoin beach model of, you have a community bank that you have a Lightning app that interacts with it on, but you don't have everybody responsible for opening up all their own channels. You can do that for your community or a community of interest or an internet community, whatever makes sense to you. You can really mix and match here. It's really interesting.

[56:24] Eric: Maybe to elaborate…

[56:25] Casey: No, no, go ahead.

[56:26] Eric: On the community banking for just a minute. Like, [inaudible] is already doing this with Bitcoin Beach Wallet, but what they did is they went quickly to market, which is great because we need it now. What I'm trying to do with Minimint is improve privacy because when you're doing a community banking, you don't want your neighbor to know how much you own. That's really bad. It's probably even worse than Coinbase knowing how much you own because such social structure is often preferable for your PS not to know how much you make or how much you own. In a community banking environment, privacy is even more important.

[57:04] P: Yeah, I agree.

[57:06] Casey: I had maybe like an obscure technical question for Eric. Let's say that you had a federated chamian mint and for some reason, you didn't trust some of the participants or thought that there was a chance that it was going to fail. Do you think that it would be better to build into the protocol ways of, for example, ejecting members of the federation and voting in new ones? Or do you think people should just use the ease of exit and essentially just transfer all their funds to another federated chamian mint that they trust more, maybe even with some of the old participants?

[57:42] Eric: I think that's more or less an engineering trade-off. What you're describing is dynamic federations, and that took approximately quite a while to figure out for Liquid. I think initially, I will launch without this dynamic feature that you can just replace or switch in and out federation members. It's just a lot of work, but ideally, you would have those because the cost of switching isn't all that low actually. On the individual level, it might appear low. You still need to rebalance your channels for... If all your money flow's outgoing, then that's not optimal.

Ideally, your federation has some balance of money flow. Otherwise, again, the current model, we have a Lightning gateway, which is the independent actor of the federation. The Lightning gateway would have to repeat it like actually withdraw Bitcoins from the federation. Then we balance that channel so they have outgoing capacity again. I don't think it's optimal to just migrate in that way. It would be a little bit better to be able to throw someone out of the federation if they are clearly compromised.

[58:50] P: Interesting. Okay. Where do we go from here, in this conversation? Are there specific other topics that we want to talk about, Matt, Vivek, Rindell, Eric, Casey? Do you want to do like a round table? We can pull people up and get questions answered. What do you all think? Let's do it.

[59:07] Matt: I would love to hear Shinobi's opinion. Shinobi just came up here.

[59:10] P: Give us your thoughts, Shinobi.

[59:11] Shinobi: This is epic. I'd like to know if anybody has talked at all about using the federated mint to enforce more complicated smart contracts?

[59:19] Rindell: Dude, yeah, that's literally the fucking hand grenade that I was about to lob into this conversation.

[59:25] P: Let's fucking go.

[59:28] Rindell: Dude, okay, yeah. This is like my soapbox. In my mind, the final form for federated chamian mints on Lightning Network is that you have them process more interesting smart contracts semantics. Imagine, I go and set up a chamian mint where you can upload, and I'm just going to say it, like an EVM compatible smart contract. I don't need to make a shit coin.

[59:55] P: Sacrilege!

[59:55] Rindell: You know what I can do? No, you know what I can do? I can charge you to execute the contract. It's called, I don't know, like, pay for execution SASS, right? We've been doing it for years. If you want to do EVM smart contract shit, you Lightning over some sats to my chamian mint, I will execute EVM smart contracts and publish a snark or some other zero-knowledge proof in a publicly viewable place that it executed properly. You can do crazy speculative smart contracts with Eric inside of my mint. Then when you decide that you want to do crazy other smart contracts that only Shinobi's mint supports, you Lightning over there and you do it.

We can have this network of these little islands that have different smart contract semantics that have different trade-offs or different guarantees or different semantics. You can just choose which casino or which computer you want to play in, zip yourself over there, do it and then leave when you're done. We don't have to push new bullshit into the base layer. We don't have to create new tokens. It's just go wherever has the compute capabilities that you care about.

[61:08] Casey: Mind blown.

[61:10] P: I love the idea of that. It's like when you go into a PVP arena, whatever your favorite MMORPG is. It's like you go and it's yes. "These smart contracts will eat your face off, get ready."

[61:23] Shinobi: There is no restriction that would prevent a mint from issuing tokens representing things other than Bitcoin too. You can get the entire ERC-20 type dynamic and interaction with those types of contracting platforms directly in the middle.

[61:40] P: How is this?

[61:41] Rindell: Yeah. If you're OpenSea and you want to do an OpenSea chamian mint, people can go there and then you can leave when you're done.

[61:51] P: OpenSea has no control?

[61:53] Shinobi: You can use single-use seal, Rindell, for something representing NFTs instead of just the chamian token. That single-use seal is actually universally portable to all the different mint up there. It's not just a token if you solely buy that mint's authority.

[62:10] P: Wait, but I understand the premise, but I guess I'm trying to wrap my head around why that would be better than... I think it still totally screw everybody out of their shit.

[62:20] Shinobi: Not with that. A single-use seal would be like, imagine, I just make a key that represents something and then I time stamp it with open timestamps. If I want to give it to you, I find a transfer to your public key and time stamp it with open timestamps. Then you keep all of that data, my original key, the timestamp data, my signature. Let's say, you want to go pass that to Rindell, you do the same thing. You extend it again and sign his key and time stamp it and he keeps all the data. It's like a little growing mini blockchain that it's just the representation of this single asset and its ownership team.

That could interact with things like a chamian mint. That could be an atomic part of a smart contract that the Mint is enforcing, interacting with their native Bitcoins opening.

[63:13] Rindell: Yeah, the thing that you need for a single-use seal is... Go ahead, Eric.

[63:16] Eric: Possibility of NFT is, let's call it NFTs for the sake of it. It's interesting. Not because some wacko artist so popular, some apes, but the one big problem we still face is domain names. We still need to really decentralize the naming system. Ideally, this would be built on Bitcoin. A single-use seal, I think, that's the main application for it.

[63:39] P: It's so interesting.

[63:41] Eric: We have stuff that people are doing easily [inaudible].

[63:45] Rindell: Yeah, because the thing that you need to make...

[63:47] P: Oh my gosh, and it was not controlled by some centralized bullshit.

[63:52] Rindell: Yeah. The thing that you need for single-use seals is you need a proof of publication mechanism, and it turns out we have a really good distributed ledger underneath all these chamian mints.

[64:00] P: Wait, what are you talking about? Which ledger could you possibly be referring to? The answer's always Bitcoin.

[64:06] Rindell: I was going to say something about BSV, but I can't do it.

[64:09] P: Will you throw up a little bit in your mouth just even trying?

[64:11] Rindell: Yeah. I just asphyxiated on my own vomit thinking about it. Yeah, think about it this way, right? You have a world where people can choose the semantics and the trust and the different trade-offs that make sense for them for their use case, their risk tolerance, their applications. Those things are interoperable over the Lightning Network. If you decide that you just want to nope out of the whole thing, you can resolve anything down to layer one Bitcoin and it's all like more private and more scalable than any other cryptocurrency out there. That's the final form of this shit.

[64:51] Shinobi: This is Bitcoin if we don't get channel factories. It's not as cool as channel factories, but it's good enough.

[64:58] P: Wait, hold on, back the truck up. What do you mean by this is Bitcoin if we don't get channel factories? How does channel factories address all the stuff we've been talking about?

[65:09] Shinobi: Scalability and the ability to partition thing. My point is, if we stop getting more native second layers to Bitcoin, Lightning, the base layer and chamian mints are enough to scale everything.

[65:23] P: I see.

[65:24] Shinobi: [inaudible] for everyone.

[65:26] P: Got it. Got it.

[65:28] Eric: Yeah, because I think channel factories are super interesting. Coming back to [inaudible] earlier, the [inaudible], I think that's what will force them to be something that own the power users.

[65:44] P: You're cutting in and out. This is the most excruciating thing, Eric, my man.

[65:48] Shinobi: I think what he was saying though is that the user experience were channel factories. It's just real garbage and it's a lot more complicated than Lightning. So that's a tough thing to get past power users. I think this is what he was saying.

[66:03] Matt: The cool part of this proposal to me, in Bitcoin land, we've been talking about all this time. I have privacy that is cheaper than non-private transactions and have privacy that's easier than non-private transactions. This trade-off balance makes it so that you could just have a mobile wallet, where you just load it up with $50 worth of sats and you'll be paying lower fees than anyone who's not using Lightning. You're able to interact with the whole Lightning Network and you have great privacy guarantees at a mitigated custodial risk. That trade-off balance just seems absolutely fantastic to me.

[66:40] Rindell: Yeah, it's kind of like, if I have Strike on my phone and I pay another Strike user, I don't know for sure. I really doubt they're actually doing a Lightning transaction. I assume that they're just bumping balances because it would be insane to do anything else. Then if I want to pay somebody else that's out on the Lightning Network, then it does an honest-to-goodness Lightning transaction. Imagine that, but without the single custodial risk and with much better privacy from the custodian, and that's where you land. I think that that's amazing.

Then on top of it, something that we haven't really talked about but I just wanted to touch on is, I think another scaling pressure that Lightning is going to face is the size of the channel graph and being able to efficiently compute routes over it, especially on memory constrained devices, right? If everybody in the world has Lightning channels, everybody else in the world, you're not going to be finding efficient routes on your phone. It's just not going to happen.

There are different mechanisms that people have been throwing around about the way that we solve this problem on the Internet is with route aggregation and with having a bunch of smaller networks all aggregated and then routing between larger networks. That's how internet routing happens. Different people are talking about different mechanisms to do something similar on the Lightning Network, and this very much accomplishes a similar thing, right? If you say a lot of mobile users are going to be using their choice of chamian mint and then Lightning routing needs to happen between these mints, that's a much smaller problem because you've aggregated all of these mobile users down to a single endpoint on the Lightning Network. That's a great way of handling the scaling pressure.

[68:25] P: What else? What else we got?

[68:26] Shinobi: I'm assuming that Eric already discussed the potential for doing atomic interactions between the Mint and Lightning so that either finishes it.

Read more: https://bitcoinmagazine.com/technical/federeated-chaumian-mints-lightning

Text source: Bitcoin Magazine: Bitcoin News, Articles, Charts,