Eleven years ago today I had my last email exchange with Satoshi; here it is:

Subject: alert key
Satoshi Nakamoto satoshin@gmx.com
26 Apr 2011, 10:29

I wish you wouldn’t keep talking about me as a mysterious shadowy
figure, the press just turns that into a pirate currency angle. Maybe
instead make it about the open source project and give more credit to
your dev contributors; it helps motivate them.

I’ve moved on to other things and will probably be unavailable. Here’s
the CAlert key and broadcast code in case you need it. You should
probably give it to at least one or two other people. There are a few
long time users who are always around all the time.

My reply:
On Tue, Apr 26, 2011 at 4:29 AM, Satoshi Nakamoto satoshin@gmx.com wrote:

I wish you wouldn’t keep talking about me as a mysterious shadowy figure,
the press just turns that into a pirate currency angle. Maybe...

Take this as a little piece of science fiction; the chances the future looks like this are small, but of all the possible futures I think this has as good a chance of any of happening:

Imagine: it is the year 2061.

The BTC price is six million US dollars– equal to about a million 2021 dollars because of inflation.

Miners are being rewarded 0.006103515625 BTC per block, plus transaction fees of about 5 BTC for 4,000 or so transactions ($7,500 per transaction).

But most BTC transactions don’t happen on the BTC network. Most BTC is locked up in multisignature outputs secured using multiparty computation and mirrored on another chain as “wrapped” tokens. People moved their BTC either because they want faster transactions, lower fees, more privacy, or want to invest their BTC in decentralized financial stuff. Or maybe all of the above.

The transactions that do occur on the main BTC...

This is a price chart for one of the top-25 cryptocurrencies, from Jun 2019 to May 2020:

And here is another coin:

One of them is Iota, which had a technical problem that resulted in no transactions confirming from February 12 until March 10.

The other is Zcash, which had no technical problems.

I can’t tell which is which from looking at how the markets reacted, can you?

That… I just… whaaa????

I like to think that technology matters, and better tech tends to win in the long run. I still mostly believe that, but I have to admit, seeing a cryptocurrency fail to perform its most basic function for a whole month and the markets shrug it off makes me wonder what people are thinking as they speculate on cryptocurrencies.

Probably nobody is thinking, and it is all day traders and bots.

Why am I excited about the potential of Tornado.cash when I haven’t been excited about other privacy-preserving thingamabobs?

I’ve never liked ‘mixers’ like CoinJoin or CashShuffle, because they don’t match the way I want to use my ‘spending’ money. I want to receive some money, store it someplace safe, and have it available to spend whenever I decide to spend it.

I could use a fancy mixing wallet that mixes coins in the background automagically, but I’d have to remember to run it so it can find other people to mix with. And to get a large enough ‘anonymity set’ probably means several rounds of mixing, meaning my money might be tied up in the middle of a transaction when I want to spend it. Also, every round of mixing means paying more transaction fees… which can be significant if the network is congested (fees on the ETH and BTC networks are high as I write this).

Tornado.cash is...

tornado is a smart contract running on Ethereum.

When I say smart, I mean really wicked-smart; it uses “Zero-Knowledge Succinct Non-Interactive Argument of Knowledge” cryptography (ZkSNARK) so the ether (or tokens) deposited into the contract can’t be linked to those that are withdrawn.

But… I won’t be surprised if there is a paper at the Financial Cryptography 2023 conference showing that 85% of tornado usage was not private; not because the cryptography is broken, but because it is really hard for mere mortals to use something like tornado (or CoinJoin or other similar technologies) in a way that doesn’t leak information about their wallet. The tornado developers wrote an article with tips to help maintain privacy, but I think 62% of their users won’t read it and another 25% will read it and then immediately do something the article says you shouldn’t do.

I think the mistake most...

In my last blog post, I said that tornado is a fantastic building block that will let some clever developers build a much more private Ethereum wallet. In this post I’m going to describe the wallet I’d like to use.

I’ll sacrifice a little privacy for lots of convenience

I don’t want to have to think about anonymity sets or unspent transaction outputs, and I’m not going to keep track of separate ‘accounts’ for everyone I interact with financially. I want an opinionated wallet that doesn’t ask me a lot of questions, but is easy to use and makes it a lot harder for somebody to see what I’m doing by tracking transactions on the blockchain.

Setup

Ideally, setting up / backing up the wallet is just “write down these twelve words…” and that master private key is used to generate (or re-generate if I’m restoring the wallet) all the secrets needed.

If data has to be backed up somewhere other...

People assume that the people who worked on Bitcoin in the early years are fabulously wealthy.

That’s a bad assumption, for lots of reasons:

It was easy to lose coins. They weren’t worth much, so people didn’t bother to take the time to keep them secure and back them up.

Many of the early developers didn’t have extra money to buy coins; they were still in school, or were pouring all of their money into a startup. Venture capitalists were NOT throwing money at Bitcoin startups back in 2010 and 2011.

“HODL” wasn’t a thing– instead, bootstrapping the community by purchasing things (like 50BTC alpaca socks or 10,000BTC pizzas) or giving away Bitcoin was encouraged.

Even if an early developer had the free cash and foresight to purchase a bunch of coins, they might be level-headed and follow tried and true investment advice to:

1) Make a long-term plan and stick to it, ignoring...

Are you holding some cryptocurrency secured by a paper wallet in a safe deposit box? Good for you! That’s an excellent way to keep it safe.

But then your currency splits. Last week that piece of paper was worth 100 FooCoins, and this week it is worth 100 FooCoins and 100 BarCoins.

If you think one side of the split is a terrible idea, doomed to fail, you might be tempted to go get your paper wallet, “sweep” the coins into a wallet that supports the bad coin, and move them to an exchange to cash out (or maybe buy more of the good coin).

Great! I don’t give investment advice. But I will encourage you to sweep the “good” coins, first, and move them to a new wallet. Don’t be lazy and just write “BadCoins swept Nov 11, 2017” on the paper wallet and put it back in the vault.

Why?

Because sooner or later I think somebody will create a BadCoin (or a wallet) with a transaction signature...

Let’s say you’re the leader of an open source implementation of Bitcoin, and you decide to follow my advice and Know Your Customer.

And you decide your customer is primarily big mining pools and businesses that just want a “full node” that runs on the network. Immediately after making that big decision, you can make your life much simpler by doing a lot less.

You can drop any code related to maintaining a wallet; big businesses and mining pools will have their own multisignature-secure wallets and will have somebody who’s job it is to make sure they stay secure.

You can drop (or drastically cut back) any graphical user interface code, and can drop support for Windows and Mac. Your customers will almost certainly tell you they run Linux boxes maintained by sysadmins who aren’t afraid of terminal windows.

You can drop “deterministic builds” – in fact, you can probably drop packaging...