"We are not what we know but what we are ready to learn" || Industrial Engineer turned data analyst turning Blockchain Developer
https://github.com/r1oga @r1oga

Blockchain privacy technologies series: Confidential Transactions & Bulletproofs

Introduction

In the most famous blockchain protocols (e.g. Bitcoin or Ethereum), identities are partly obfuscated by the fact that addresses are pseudonymous: they aren't directly tied to an identity. However, chain analysis can succeed in discovering the identity associated with a given address.
We've seen, for instance, that CoinJoin offers a solution to break the link between sender and receiver. CoinJoin still provides only limited privacy because it doesn't obfuscate the transaction amounts.

Limitations of CoinJoin

While CoinJoin obfuscates the relationship between a sender and a recipient, Confidential Transactions (CTs) obfuscate the content of a transaction together with the recipient's address.
CTs "blind" the amounts: from_address pays ?? to to_address.
CTs were invented by G. Maxwell (Link 1, Link 2) and further investigated by Adam Gibson.

CT: how it works

Bitcoin transactions map input amounts from a sender to output amounts that can be redeemed by the receiver.
On the Bitcoin blockchain, the amounts are in clear text.

|IN|OUT|
|--|--|
|4€|2€|
|1€|3€|

As defined by the protocol, for a transaction to be valid, the INPUTS need to equal the OUTPUTS:
4 + 1 == 2 + 3

Confidential transactions and bulletproofs make it possible to

  1. hide amounts
  2. check that the hidden inputs and hidden outputs add up.

|IN|OUT|
|--|--|
|A|C|
|B|D|

A + B == C + D

Trick 1: Commitments to hide and bind values

Commitments solve the first part: hiding and binding the amounts. By relying on asymmetric cryptography they let you keep a piece of data secret but commit to it so that you cannot change it later.

               commit
data             ->   Commitment(data)
                open
Commitment(data) ->   data

A real-life simple implementation of a commitment could be a sealed envelope.
A and B are playing coin flipping but they are in separate rooms. Only B gets to toss the coin. Only A gets to call. To avoid disputes (A announcing her call after B flips, or B reporting a wrong result):

  1. A commits to her call in a sealed envelope.
  2. A doesn't communicate her call to B
  3. B tosses the coin
  4. B reports the result (B still doesn't know A's call)
  5. A's commitment is revealed and tells who won

A simple commitment scheme can be constructed using a cryptographic hash: commitment = SHA256(data)
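As an added example (not code from the post), here is that hash commitment in Python, applied to the coin-flipping game above. It departs from the bare SHA256(data) in one respect: a random nonce is hashed together with the data, which is the standard way to keep a commitment hiding when the data has only a few possible values (a call is just "heads" or "tails", so a bare hash of it can be matched against both candidates). The nonce is revealed together with the data at opening time.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Added example: a hash commitment for the coin-flipping game in the post.
# The post's scheme is commitment = SHA256(data); a random nonce is added here
# so that the commitment stays hiding even for a two-value message space.

def commit(data: bytes, nonce: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Commit phase: returns (commitment, nonce). A publishes the commitment
    and keeps data and nonce secret until the opening phase."""
    if nonce is None:
        nonce = secrets.token_bytes(32)      # 256 bits of randomness
    return hashlib.sha256(nonce + data).digest(), nonce

def open_commitment(commitment: bytes, data: bytes, nonce: bytes) -> bool:
    """Open phase (binding check): the verifier recomputes the hash; any change
    to data or nonce produces a different digest."""
    return hmac.compare_digest(hashlib.sha256(nonce + data).digest(), commitment)

def guess_unsalted(commitment: bytes, candidates) -> Optional[bytes]:
    """Why the nonce matters: a bare SHA256(call) is not hiding, because B can
    hash both possible calls and compare. Returns the matching candidate or None."""
    for candidate in candidates:
        if hashlib.sha256(candidate).digest() == commitment:
            return candidate
    return None

def coin_flip_round(call: bytes, toss: bytes) -> str:
    """Steps 1-5 of the post, with B's toss passed in as an argument."""
    commitment, nonce = commit(call)      # 1. A commits, 2. sends only the commitment
    # 3./4. B tosses and reports the result without knowing A's call
    if not open_commitment(commitment, call, nonce):   # 5. A opens, B checks
        raise ValueError("opening does not match the commitment")
    return "A wins" if call == toss else "B wins"
```

With the nonce, `guess_unsalted` finds nothing; without it (an empty nonce) the call is recovered immediately, which is the whole difference between a hash and a hiding commitment for low-entropy data.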

Trick 2: Homomorphic (Pedersen) commitments to perform operations with bound and hidden values

By committing to inputs and outputs values, we've hidden the values. To check that the sum of hidden inputs matches the sum of hidden outputs, we need commitments that are compatible with the addition (and multiplication) operations. We need our commitments to be homomorphic.

A homomorphism is a map between two algebraic structures of the same type (that is, of the same name) that preserves the operations of the structures.
f: A -> B
f is a homomorphism if for all x, y in A, f(xy) = f(x)f(y)

The natural logarithm and the exponential function are homomorphisms.
Pedersen commitments rely on the discrete logarithm and are precisely homomorphic. So they solve the second part: checking that the sum of committed inputs matches the sum of committed outputs.

|IN|OUT|
|--|--|
|A = Com(a)|C = Com(c)|
|B = Com(b)|D = Com(d)|

A + B == C + D <-> Com(a) + Com(b) == Com(c) + Com(d)
               <-> Com(a+b) == Com(c+d)
               <-> a + b == c + d

However, if the value of a transaction is encrypted, how do I know that someone didn't spend money they didn't have, or that no money was created out of thin air?
|IN|OUT|
|--|--|
|A = Com(5)|C = Com(-100)|
|B = Com(4)|D = Com(109)|

A + B == C + D <-> Com(5) + Com(4) == Com(-100) + Com(109)
               <-> Com(5 + 4) == Com(-100 + 109)
               <-> 5 + 4 == -100 + 109
               is TRUE!! 100 created out of nowhere!!

More technically, we aren't really dealing with negative values. We rather want to prevent overflow, as we are in a finite field (e.g. in a finite field from 1 to 9999, 1 + 9999 overflows to 10000 = 1).
Verifying that the sum of the hidden inputs matches the sum of the hidden outputs isn't enough. We need to be able to verify that the values remain in a given range to avoid overflow, while still keeping them secret!
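The following added example (not from the post) implements Pedersen commitments in a toy multiplicative group so that both tricks can be run: the homomorphism Com(a)·Com(b) = Com(a+b) and the "money out of nowhere" case above. Written multiplicatively, Com(v, r) = g^v · h^r mod p, so the post's A + B becomes A·B; the exponents live modulo the group order q, which is exactly why -100 is accepted (it is the same exponent as q - 100). The parameters p = 2039, q = 1019, g = 4, h = 9 are constructed for this example only.

```python
import secrets
from typing import Optional, Tuple

# Toy group constructed for this example (not real parameters): p = 2q + 1 with
# p and q prime, so the squares mod p form a cyclic subgroup of prime order q.
P = 2039
Q = 1019
G = 4   # 2^2: a square, hence a generator of the order-q subgroup
H = 9   # 3^2: a second generator. Binding needs log_G(H) to be unknown; in a group
        # this small anyone can compute it, which is fine for illustration only.

def commit(value: int, blinding: Optional[int] = None) -> Tuple[int, int]:
    """Pedersen commitment Com(v, r) = G^v * H^r mod p. Exponents are reduced
    mod q, so -100 is really q - 100: the group has no notion of 'negative'."""
    if blinding is None:
        blinding = secrets.randbelow(Q)
    return pow(G, value % Q, P) * pow(H, blinding % Q, P) % P, blinding

def combine(*commitments: int) -> int:
    """The homomorphism: Com(a, r) * Com(b, s) = Com(a + b, r + s)."""
    out = 1
    for c in commitments:
        out = out * c % P
    return out

def balanced(inputs, outputs) -> bool:
    """Verifier's check: product of input commitments == product of outputs."""
    return combine(*inputs) == combine(*outputs)

def demo_homomorphism() -> bool:
    """Com(4) * Com(1) equals a direct commitment to 5 with the summed blinding."""
    a, b = 4, 1
    A, ra = commit(a)
    B, rb = commit(b)
    direct, _ = commit(a + b, ra + rb)
    return combine(A, B) == direct

def demo_overflow() -> bool:
    """The post's case: inputs 5 + 4 against outputs -100 + 109. The last
    blinding is chosen so the blindings add up too (the prover controls them)."""
    A, ra = commit(5)
    B, rb = commit(4)
    C, rc = commit(-100)
    D, _ = commit(109, (ra + rb - rc) % Q)
    return balanced([A, B], [C, D])   # True: the balance check cannot see the wrap-around
```

`demo_overflow` returning True is the point: the commitment arithmetic is correct, and that is precisely why a range proof on every committed value is needed in addition to the balance check.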

Outcome

  • [x] The inputs' commitments match the outputs' commitments only if the inputs match the outputs.
  • [x] Values are hidden.
  • [ ] Values are in a given range

Trick 3: zero knowledge range proofs as a scalar product

We want to transform the verification that a value v is in a given range (2^n) into the verification of a scalar (or 'inner' or 'dot') product that doesn't require revealing v.
We want a zero knowledge proof: (1) 0 <= v <= 2^n <-> (2) t = <l, r>.
"Zero knowledge" means that knowing that (2) is true tells that (1) is true too, but without revealing v.

  1. Break v into bits: 2^n = (2⁰, 2¹, 2², ..., 2^(n-1)), a_l = vector of the bits of v = (0, 1, 0, 1, ..., 1, 0)

With (3) v = <a_l, (2⁰, 2¹, 2², ..., 2^(n-1))> = <a_l, 2^n>, we can verify (1) if we can prove that all entries of a_l are real "bits": either 0 or 1.

  2. Prove that the bits of v are actually bits (0 or 1). Define f: {0, 1} -> {-1, 0}, b -> c = b - 1 (0 -> -1, 1 -> 0). Then b is a bit <-> b·f(b) = 0.

With (4) a_r = a_l - 1^n, the bits of v are actually bits <-> (5) <a_l, a_r> = 0^n (meaning elementwise: a_l[i]·a_r[i] = 0 for every i).

So (1) 0 <= v <= 2^n <-> (3) & (4) & (5).
We have transformed the verification of a range into the verification of 3 equalities!

Trick 4: combine multiple statements into 1 with a "random scalar challenge"

Random scalar protocol: combine 2 statements into 1

A Prover wants to prove A: a = 0 & B: b = 0.
The Verifier provides a "random challenge scalar" x, where x is in Z_p* = [1, 2, ..., p].

P <- V: x
a + b*x = 0

Since the prover cannot predict x, if the latter statement holds then the first statement holds with probability (1 - 1/p).

Random scalar challenge to combine n statements into 1

To prove <a, b> = 0^n, the verifier provides a random challenge scalar y:

<a, b> = 0^n <-> for each i in [0, n-1], a[i]*b[i] = 0
             <-> a[0]*b[0] + a[1]*b[1]*y + a[2]*b[2]*y² + ... + a[n-1]*b[n-1]*y^(n-1) = 0
             <-> <<a,b>, y^n> = 0
(We use different powers of y so that the coefficients cannot cancel each other out.)

So we use 2 random challenge scalars:

  1. A random challenge scalar y to transform (4) and (5) (2 times n equalities) into 2 equalities: (4') and (5').
  2. A random challenge scalar z to transform (3) & (4') & (5') into 1 equation (6).

After some nice algebra we get

(6) <-> <f(a_l), g(a_r)> = h(v, z) = z²v + d(y, z)
    <-> t  = <l, r>

So the verification of the range 0 <= v <= 2^n has been reduced to verifying an equality where one side is defined by the random scalars provided by the Verifier, and the other side by 2 vectors that reveal v.
We can't send l and r over to the verifier because they would discover v: they already know the random scalar z (they sent it to you!). This would defeat the whole purpose of confidential transactions, which is to hide v!
So we use trick 2 again: with homomorphic commitments we can hide l and r!
<f(a_l), g(a_r)> = h(v) <-> (7) <f(com(a_l)), g(com(a_r))> = h(com(v))
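An added worked example (not from the post): the reductions of tricks 3 and 4 carried through in Python, with the vectors l, r and the term d(y, z) written out in the form given in the Bulletproofs paper (Bünz et al., 2018), which the post only names as f, g, h and d: l = a_l - z·1^n, r = y^n ∘ (a_r + z·1^n) + z²·2^n and d(y, z) = (z - z²)<1^n, y^n> - z³<1^n, 2^n>. Arithmetic is done modulo the prime 2^61 - 1, chosen for the example. The code checks the three separate equalities (3), (4), (5), then the single equation (6), and shows that a value outside the range, or a non-bit entry in a_l, fails (6) for random y and z.

```python
import secrets

# Added example. Arithmetic modulo a prime chosen for the example; the vector
# forms of l, r and d(y, z) are those of the Bulletproofs paper (Bünz et al. 2018).
PRIME = 2**61 - 1

def inner(a, b):
    """Inner (scalar) product <a, b> mod PRIME."""
    return sum(x * y for x, y in zip(a, b)) % PRIME

def powers(x, n):
    """The vector x^n = (x^0, x^1, ..., x^(n-1))."""
    return [pow(x, i, PRIME) for i in range(n)]

def bits_of(v, n):
    """a_l: the n least significant bits of v, so that v = <a_l, 2^n> when v < 2^n."""
    return [(v >> i) & 1 for i in range(n)]

def complement(a_l):
    """(4): a_r = a_l - 1^n."""
    return [(b - 1) % PRIME for b in a_l]

def three_equalities(a_l, v, n):
    """Trick 3: (3), (4) and (5) checked separately (2n + 1 equalities)."""
    a_r = complement(a_l)
    eq3 = inner(a_l, powers(2, n)) == v % PRIME
    eq5 = all(b * c % PRIME == 0 for b, c in zip(a_l, a_r))   # elementwise
    return eq3 and eq5

def delta(y, z, n):
    """d(y, z) = (z - z^2) <1^n, y^n> - z^3 <1^n, 2^n>: computable by the verifier alone."""
    ones = [1] * n
    return ((z - z * z) * inner(ones, powers(y, n))
            - pow(z, 3, PRIME) * inner(ones, powers(2, n))) % PRIME

def prover_vectors(a_l, y, z, n):
    """l = a_l - z 1^n ;  r = y^n o (a_r + z 1^n) + z^2 2^n   (o = elementwise product).
    These are the post's f(a_l) and g(a_r); sent in clear they would reveal v."""
    a_r = complement(a_l)
    yn, two_n = powers(y, n), powers(2, n)
    l = [(b - z) % PRIME for b in a_l]
    r = [(yn[i] * (a_r[i] + z) + z * z * two_n[i]) % PRIME for i in range(n)]
    return l, r

def single_equation(a_l, v, y, z, n):
    """Trick 4, equation (6): t = <l, r> == z^2 v + d(y, z), one equality in total."""
    l, r = prover_vectors(a_l, y, z, n)
    return inner(l, r) == (z * z * v + delta(y, z, n)) % PRIME

def range_check(v, n, y=None, z=None):
    """Honest prover decomposes v; the verifier picks y, z at random (or as given)."""
    y = y if y is not None else 1 + secrets.randbelow(PRIME - 1)
    z = z if z is not None else 1 + secrets.randbelow(PRIME - 1)
    return single_equation(bits_of(v, n), v, y, z, n)
```

Expanding <l, r> gives <a_l ∘ a_r, y^n> + z²(<a_l, 2^n> - v) + d(y, z), so (6) holds exactly when the two error terms vanish: a dishonest a_l with a 2 in it, or a v that does not match its bits, leaves a non-zero polynomial in y and z, which a random challenge catches with overwhelming probability.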

Outcome

  • [x] The inputs' commitments match the outputs' commitments only if the inputs match the outputs.
  • [x] Values are hidden.
  • [x] Values are in a given range

Trick 5: "compressing" with Bulletproofs for better efficiency

Verifying (7) means verifying n equations. Bulletproofs are an optimization of confidential transactions that "compresses" the proof, reducing it to the verification of log_2(n) equations.
The vectors are recursively cut in half to reduce the dimension of the proof until only 1 equality is left to verify. Then we proceed backwards to check the n equalities.
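As an added illustration (not the post's code, and not a full Bulletproof): the halving step applied to the inner product <a, b> itself, with the commitments left out. In each round the prover publishes two cross terms L and R, the challenge x is derived by hashing the transcript so far (the Fiat-Shamir idea the post lists under "to go further"), and both vectors are folded to half their length; after log₂(n) rounds a single scalar equality remains. The verifier below takes the final scalars a*, b* at face value; in the real argument they are tied to the original commitment, which is what makes the compression sound.

```python
import hashlib

# Added example. Arithmetic modulo a prime chosen for the example; n must be a power of 2.
PRIME = 2**61 - 1

def inner(a, b):
    return sum(x * y for x, y in zip(a, b)) % PRIME

def inverse(x):
    return pow(x, PRIME - 2, PRIME)   # Fermat inverse, valid because PRIME is prime

def challenge(transcript):
    """Verifier's challenge for the next round, derived by hashing everything the
    prover has sent so far (Fiat-Shamir). Never zero, so it is invertible."""
    digest = hashlib.sha256(repr(transcript).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (PRIME - 1)

def cross_terms(a, b):
    """L = <a_lo, b_hi>, R = <a_hi, b_lo>: the two values sent in a round."""
    h = len(a) // 2
    return inner(a[:h], b[h:]), inner(a[h:], b[:h])

def fold(a, b, x):
    """Halve both vectors: a' = x a_lo + x^-1 a_hi, b' = x^-1 b_lo + x b_hi.
    Then <a', b'> = <a, b> + x^2 L + x^-2 R, which is what the verifier tracks."""
    h, xi = len(a) // 2, inverse(x)
    a2 = [(x * a[i] + xi * a[h + i]) % PRIME for i in range(h)]
    b2 = [(xi * b[i] + x * b[h + i]) % PRIME for i in range(h)]
    return a2, b2

def prove(a, b):
    """Prover: log2(n) rounds, each publishing one (L, R) pair; returns the
    final scalars a*, b* and the transcript."""
    transcript = []
    while len(a) > 1:
        transcript.append(cross_terms(a, b))
        a, b = fold(a, b, challenge(transcript))
    return a[0], b[0], transcript

def verify(claimed, transcript, a_final, b_final):
    """Verifier: replay the rounds on the claimed value only, then check the
    single remaining equality c* == a* * b*. Never touches the full vectors."""
    c, seen = claimed % PRIME, []
    for L, R in transcript:
        seen.append((L, R))
        x = challenge(seen)
        xi = inverse(x)
        c = (c + x * x * L + xi * xi * R) % PRIME
    return c == a_final * b_final % PRIME

def rounds(n):
    """Number of (L, R) pairs for vectors of length n: log2(n)."""
    return n.bit_length() - 1
```

For n = 8 the prover sends 3 pairs (L, R) plus two scalars instead of 16 vector entries, which is the O(log n) proof size of the summary table.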

Summary

Confidential Transactions (CT) hide inputs and outputs.

|Building block / Mathematical foundation|Purpose|
|--|--|
|Commitments|Hide & bind values|
|Homomorphic (Pedersen) commitments|Perform operations while keeping values hidden and bound|
|Range proofs|Prevent accounting overflow (we are in a finite field) and ensure no money is created out of nowhere|
|Random scalar challenge|Transform multiple statements into one, especially transform a range proof into an inner product proof|
|Bulletproofs|Optimization (reduce proof size from O(n) to O(log(n)))|

To go further:
-Fiat-Shamir: how the challenge scalars are generated

Implementations of CTs

  • Liquid and Elements sidechains by Blockstream
  • BEAM
  • Grin

Video explanation of Bulletproof transactions by Cathie Yun

Blockchain mathematical basis: asymmetric cryptography

Introduction

Backup your private key.
Never share your private key.
Not your keys, not your bitcoins.
Send to: Paste public 0x... address
Sign message metamask

Although the use of jargon has been reduced to improve UX and onboard more users, the terms "private key, public key, public address, signature" are still common. Users will also encounter mainstream definitions of blockchain and cryptocurrencies mixing the terms "database, cryptography, security, confidentiality".
How does it all fit together?
What is the mathematical rationale behind this proclaimed and proven security?

> Symmetric cryptography
> Asymmetric cryptography
    > Ensure collision resistance & "one-way" mathematical properties
    > Hard to hack ~ intractability
    > Bitcoin application
         > Intractability of elliptic curve discrete logarithm Problem
             > Discrete logarithm problem
                 > Algebra
                     > Finite cyclic group
                         > Group
                             > Set
                             > Binary operation
                             > Properties
                 > Application
                     > Elliptic curve over a finite field
                     > Elliptic curve point multiplication
         > Elliptic Curve Signature Algorithm (ECDSA)

1. Symmetric cryptography

Symmetric cryptography uses the same key to encrypt and decrypt a message. This key has to be shared between the sender and recipient that want to communicate confidentially. This system can only be as secure as the communication channel used to exchange the key.

2. Asymmetric cryptography

By contrast, in asymmetric or public-key cryptography, 2 different keys are used:

  • public key: can be freely shared
  • private key: kept secret

The generation of such keys depends on cryptographic algorithms based on mathematical problems to produce one-way (or preimage resistant) functions. Effective security only requires keeping the private key private. The public key can be openly distributed without compromising security.
Public-key encryption is like owning a (key, lock) combination and distributing copies of the lock.

  • "sending" = using a copy of someone else's lock to lock your message = encrypting message to send with someone else's public key
  • "receiving" = opening a message locked with a copy of your lock with your key = decrypting received message with your private key

Public-key encryption illustration

Applications

"Hiding": Public-key encryption to ensure confidentiality

To restrict access to a message's content, one can encrypt it using the receiver's public key. That encrypted message can only be decrypted with the receiver's private key. In particular, it must be impossible to deduce the message from its encrypted version.
To ensure this property, called "hiding", the mathematical function used to encrypt the message needs to be very hard or impossible to reverse. It needs to be a one-way function. This mathematical one-way (or preimage resistance) property is desirable because confidentiality stems from it.

"Binding": digital signatures to ensure authenticity, non repudiation

Digital signature illustration
Digitally signing is like creating a lock out of the sender's private key and the message to transmit, a lock that is unique and that can only be unlocked by the public key associated with the private key that created it.
The smallest change in the private key or the message would create a different signature/lock. The signature is mathematically bound to both the message and the private key it was originally made with.
To be binding, the mathematical function used to generate the signature needs to be collision resistant. It needs to be injective.

f(x) == f(y) => x = y <-> x != y => f(x) != f(y)

This mathematical collision resistance property is desirable because 3 key properties stem from it:

  • message authenticity = integrity: it is very hard to find 2 different messages that generate the same signature with the same private key. If the signature is valid, the message is authentic.
  • sender authenticity: it is very hard to find 2 different private keys that generate the same signature for the same message. If the signature is valid, the message has necessarily been signed by the owner of the private key that generated it.

A corollary of sender authenticity is

  • non-repudiation: provided that the private key used to digitally sign a message is properly safeguarded by its owner, the owner cannot dispute the authenticity of the signature. Nobody else can forge the signature.

Successfully unlocking the message with the sender's public key confirms these 3 properties.

3. Defining "very hard": intractability

THE KEY TO PUBLIC-KEY CRYPTOGRAPHY IS THE INTRACTABILITY OF CERTAIN MATHEMATICAL PROBLEMS.
All the properties introduced above hold only if it is very hard to find colliding elements, to reverse the function, etc.
In the context of cryptography what does "very hard" mean?

A problem that can be solved in theory (e.g. given large but finite resources, especially time), but for which in practice any solution takes too many resources to be useful, is known as an intractable problem. [wikipedia]

...so problems which can be solved by brute force, but it would take too long. What does too long mean?
Too long means universe-lifetime-long: longer than 13.799 ± 0.021 × 10⁹ years.

For a more rigorous definition, look into computer science courses.

So to guarantee the "hiding" and "binding" properties, we are looking for a mathematical function that poses 2 intractable problems:

  • Finding an input from an output (one-way)
  • Finding 2 colliding inputs (collision resistance)

4. Example: Bitcoin

The Bitcoin protocol leverages the "hiding" and "binding" properties:

  • hiding: "one way" generation of public keys from private keys
  • binding: signatures of transactions to transfer bitcoins

The intractable problems ensuring these properties in the context of Bitcoin are posed by elliptic curves.

4.1 Intractability of the Elliptic Curve Discrete Logarithm Problem (ECDLP)

For elliptic-curve-based protocols, it is assumed that finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point is intractable = infeasible: this is the "elliptic curve discrete logarithm problem" (ECDLP). The security of elliptic curve cryptography depends on the ability to compute a point multiplication and the inability to compute the multiplicand given the original and product points. The size of the elliptic curve determines the difficulty of the problem. [wikipedia]

Discrete logarithm problem

It is the problem of finding solutions x to the equation g^x = h given elements g and h of a finite cyclic group G. [wikipedia]

Finite cyclic group

Cyclic group

A group that is generated by a single element. [wikipedia]

Group [wikipedia]

  • set: collection of distinct elements
    • equipped with a binary operation: a calculation that combines two elements (called operands) to produce another element (e.g. addition, multiplication...)
    • such that 4 properties are satisfied, noting + the binary operation on a group G
      • closure: a, b in G => a + b in G
      • associativity: (a + b) + c = a + (b + c)
      • identity: there exists an identity element e such that for all a in G, a + e = a
      • invertibility: for all a in G, a has an inverse element, i.e. there exists b such that a + b = e

Intuitive example of a cyclic group: a clock (12-hour format). All hours are generated by repeatedly adding 1 hour; it is cyclic because hour values wrap around when they exceed 12: 9:00 + 4:00 = 13:00 = 1:00

Application

In the case of the ECDLP, the finite cyclic group chosen is an elliptic curve over a finite field, equipped with elliptic curve point multiplication as the binary operation and with the point at infinity as identity element.
Elliptic curve: curve defined by y² = x³ + ax + b, where 4a³ + 27b² ≠ 0. The condition on a and b rules out singular points (points of self-intersection, or cusps where the tangents of the branches coincide).
Examples of elliptic curves
Elliptic curve point multiplication
- addition: P + Q = R = take the reflection over the horizontal axis of the third intersection of the line (PQ) with the elliptic curve
- identity = infinity: indeed P + Q = R => P + Q - R = 0 = infinity (the line (PQ) crosses the elliptic curve only in a third point R; there is no fourth intersection point).
- doubling: the particular addition case where P = Q; 2 * P = P + P = take the reflection over the horizontal axis of the intersection of the tangent at P with the elliptic curve.
- scalar multiplication: addition + doubling, n * P = P + (n-1)P = P + (P + ... (P + (P + P)))
Elliptic curve point operation illustration

Elliptic curve over finite field

In the context of Bitcoin, Ethereum or blockchain protocols in general, we want to generate addresses that have a fixed/finite length. More precisely, Bitcoin public keys are 512 bits. So we can't work with infinite numbers. This is why we define the elliptic curve over a finite field of integers:
y² mod p = (x³ + ax + b) mod p.
The general point operation definitions remain valid.
In the case of elliptic curves over a finite field, the generator G of the group is called the base point.
The order is the smallest positive number n such that n*G = 0 (= infinity), i.e. the number of times the point can be added to itself until its slope is infinite (a vertical line).
Animation: elliptic curve over a finite field (here one can draw the points of an elliptic curve over a finite field).

4.2 Elliptic Curve Discrete Signing Algorithm (ECDSA)

The Bitcoin protocol uses an elliptic curve with the following parameters (known as secp256k1).

|Parameter|Value|
|--|--|
|Elliptic curve|a = 0, b = 7 => y² = x³ + 7|
|Modulus of the field (prime), in hexadecimal|2²⁵⁶ – 2³² – 2⁹ – 2⁸ – 2⁷ – 2⁶ – 2⁴ – 1 = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F|
|G = base point that generates the cyclic group (in hexadecimal)|04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8|
|n = order (in hexadecimal)|FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141|

To go further and read about why and how these parameters were chosen: link, link.

Further notations:

|Notation|Meaning|
|--|--|
|z|message|
|d|private key|
|Q|public key|
|G|base point|
|n|order|

Public-key & private-key

The public key is derived from the private key by scalar multiplication of the base point, a number of times equal to the value of the private key.

  1. Choose randomly a private key d (a 256-bit integer)
  2. Apply elliptic curve scalar multiplication: public key = private key * base point <-> P = d * G

So given a point P (public key), finding d means finding how many times G (the base point) was added to itself to land on P.
This problem is an ECDLP and is intractable.
So it is computationally infeasible to derive the private key corresponding to a given public key.

Signatures

Sign message. Starting point: a message and a private key.

  1. Select a random (or deterministically generated, in a secret way) integer k from [1, n-1] (reminder: n is the order)
  2. Calculate by elliptic curve scalar multiplication the point (x, y) = k * G (reminder: G is the base point)
  3. Calculate r = x mod n. If r = 0, go back to step 1
  4. Calculate s = (z + rd)k⁻¹ mod n. If s = 0, go back to step 1. (reminder: we are on an elliptic curve over a finite cyclic group, in particular a group where invertibility is fulfilled)
  5. The signature is the pair (r, s)

Verify signature

Let Bob be the recipient of a message signed by Alice. Bob must have a copy of Alice's public-key curve point Q.

Validity of public key

  • [x] Q != 0 (Q is not infinity)
  • [x] Q is on the curve (use the curve equation)
  • [x] n * Q = 0 (the order times Q is infinity)

Validity of signature. Starting point: a message, a signature and a public key.

  1. [x] r and s are integers
  2. Calculate u = zs⁻¹ mod n and v = rs⁻¹ mod n
  3. Calculate the following elliptic curve point operation: C = (x, y) = u*G + v*Q
  4. [ ] if (x, y) = 0 (infinity) the signature is invalid
  5. [x] if r = x mod n the signature is valid

Correctness of algorithm

Let C be the point u*G + v*Q.

C = uG + vQ
    = uG + vdG (definition of public key: Q = dG)
    = zs⁻¹G + rs⁻¹dG
    = s⁻¹(z + rd)G

Signature valid <-> s = (z + rd)k⁻¹
                <-> C = ((z + rd)k⁻¹)⁻¹(z + rd)G = (z + rd)(z + rd)⁻¹kG = kG
                <-> x = r mod n (definition of r)

Note

I lied for the sake of simplicity. In reality the very first step is to hash the message with SHA256 to generate a number with the same number of bits (256) as the order of the curve (z = hash(message)). SHA256 also makes the address quantum resistant: quantum computers could reverse the point scalar multiplication to get the private key, but they cannot reverse hash functions.
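Added example (not code from the post): the secp256k1 parameters from the table above, the point operations of section 4.1, key generation, signing and verification, including the public key validity checks and the hashing step from this note, in plain Python integers. The curve is y² = x³ + 7, so a = 0 and b = 7. It is written for reading, not for production use: the arithmetic is not constant time, and k must be fresh and secret for every signature.

```python
import hashlib
import secrets

# secp256k1 parameters as listed on the page; a = 0 since the curve is y^2 = x^3 + 7.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None   # point at infinity = identity element

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    """Point addition with the doubling and inverse cases of section 4.1."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                        # P + (-P): vertical line
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P         # chord slope (addition)
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P                       # reflect over the x axis
    return (x3, y3)

def mul(k, pt):
    """Scalar multiplication k * pt by double-and-add (not constant time)."""
    result = INF
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result

def keygen(d=None):
    """1. random private key d in [1, n-1]; 2. public key Q = d * G."""
    d = d or 1 + secrets.randbelow(N - 1)
    return d, mul(d, G)

def valid_public_key(Q):
    """The three checks under 'Validity of public key'."""
    return Q is not INF and on_curve(Q) and mul(N, Q) is INF

def message_to_z(message):
    """z = SHA256(message) as a 256-bit integer (the 'Note' above)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message, d, k=None):
    """Signing steps 1-5. k must be fresh and secret for every signature:
    reusing it for two messages exposes d."""
    z = message_to_z(message)
    while True:
        k = k or 1 + secrets.randbelow(N - 1)
        x, _ = mul(k, G)
        r = x % N
        s = (z + r * d) * pow(k, -1, N) % N
        if r and s:
            return (r, s)
        k = None                                          # retry with a fresh k

def verify(message, sig, Q):
    """Verification steps 1-5 with C = u*G + v*Q."""
    r, s = sig
    if not (valid_public_key(Q) and 0 < r < N and 0 < s < N):
        return False
    z, s_inv = message_to_z(message), pow(s, -1, N)
    u, v = z * s_inv % N, r * s_inv % N
    C = add(mul(u, G), mul(v, Q))
    return C is not INF and C[0] % N == r
```

The `valid_public_key` check is the one most often skipped in hand-rolled verifiers; without the `n * Q = 0` and on-curve tests a verifier can be handed a point outside the intended group.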

Summary

To fulfill confidentiality, authenticity and integrity, we look for mechanisms to ensure "hiding" and "binding". We are looking for functions that are collision and preimage resistant.
Asymmetric cryptography is about relying on the intractability of some mathematical problems to guarantee these properties.
In the case of Bitcoin (or Ethereum) this problem is the Elliptic Curve Discrete Logarithm Problem.
It is the foundation of the generation of public keys from private keys and of digital signatures.

Blockchain privacy technologies series: Mixing

Introduction

“Where does a wise man hide a leaf? In the forest. But what does he do if there is no forest? He grows a forest to hide it in.” ― G K Chesterton, The Innocence of Father Brown
"Mixing" technologies rely on obfuscation to hide sensitive information (identity, transaction data) and ultimately ensure privacy and anonymity. Obfuscation commonly takes various forms: adding noise to cover conversation, blend in a crowd, create copies or decoys, natural camouflage... In the context of blockchain, obfuscation is implemented using cryptography.

Note

Besides, most of the interesting properties of blockchains rely on cryptography: immutability, security... and privacy.
Cryptography is based on computer science and mathematics, especially probability.
Often it won't ensure absolute validity but rather a very high likelihood of validity.
It is not absolutely true to say that a blockchain is immutable, or that a private key can't be deduced from a public key. It is "only" very unlikely. So unlikely that we end up considering the properties ensured by cryptography as always true.

"Mixing private keys": Ring Signatures

Group signatures

A group signature scheme is a method for allowing a member of a group to anonymously sign a message on behalf of the group.
It can be compared to the use of rubber stamp. Several employees are being delivered a company's stamp/seal. They use it to sign documents. They don't sign in their name but in the name of the company they belong to. It serves as evidence of authenticity while preserving anonymity.

However, group signatures require a group manager. This leads to critical drawbacks.
First, anonymity can be compromised: the group manager can reveal the identity of a signer using the group manager's secret key.
Second, groups of signers can't be improvised: the group manager is in charge of forming the group.

Ring signatures

Ring signatures are an improvement over group signatures. They don't require a group manager. In particular, they guarantee the anonymity of signers, and a group of signers (a ring) can be improvised.

Consider a group of n entities.
Each have public/private key pairs, (P1, S1), (P2, S2), ..., (Pn, Sn).
Party i can compute a ring signature σ on a message m, on input (m, Si, P1, ..., Pn).
Anyone can check the validity of a ring signature given σ, m, and the public keys involved, P1, ..., Pn.
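Added example (not from the post): a Schnorr-style ring signature of the Abe-Ohkubo-Suzuki kind in a toy multiplicative group (p = 2039, q = 1019, g = 4, all constructed for the example and far too small for real use). The interface follows the text above: signing takes (m, S_i, P_1, ..., P_n) plus the signer's index, and verification takes only σ, m and the public keys; the verifier learns that one ring member signed, but not which.

```python
import hashlib
import secrets

# Toy group constructed for this example: p = 2q + 1 with p, q prime; g = 4 (a square)
# generates the subgroup of prime order q. Far too small for real use.
P, Q, G = 2039, 1019, 4

def keygen(secret=None):
    """(S_i, P_i): private exponent and public key P_i = g^S_i mod p."""
    secret = secret or 1 + secrets.randbelow(Q - 1)
    return secret, pow(G, secret, P)

def H(m, ring, value):
    """Challenge hash over the message, the whole ring and the current group element."""
    data = repr((m, tuple(ring), value)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def ring_sign(m, secret, ring, signer):
    """Sigma on input (m, S_i, P_1..P_n); 'signer' is the index of S_i's public key."""
    n = len(ring)
    c, r = [0] * n, [0] * n
    alpha = 1 + secrets.randbelow(Q - 1)
    c[(signer + 1) % n] = H(m, ring, pow(G, alpha, P))   # real Schnorr commitment g^alpha
    i = (signer + 1) % n
    while i != signer:
        r[i] = secrets.randbelow(Q)
        # for every other member a simulated commitment g^r_i * P_i^c_i closes its step
        c[(i + 1) % n] = H(m, ring, pow(G, r[i], P) * pow(ring[i], c[i], P) % P)
        i = (i + 1) % n
    # closing the ring needs S_signer: g^r * P_signer^c must equal g^alpha
    r[signer] = (alpha - c[signer] * secret) % Q
    return c[0], r

def ring_verify(m, sigma, ring):
    """Anyone can check sigma = (c_0, r_1..r_n) against m and the public keys only."""
    c0, r = sigma
    c = c0
    for i in range(len(ring)):
        c = H(m, ring, pow(G, r[i], P) * pow(ring[i], c, P) % P)
    return c == c0
```

Every member's step looks identical to the verifier (one r_i and one recomputed challenge), so the signature carries no information about which index held the real commitment; that is the anonymity property the post describes.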

Implementations

Monero Logo
Ring signatures only ensure privacy of the sender. Monero goes further with Ring Confidential Transactions that also obfuscate the identity of the recipient and the transaction amounts.

"Mixing coins": CoinJoin

Imagine the following situation:

  • 10 "spenders"
  • 10 "recipients"
  • requirements:
    • [ ] none of the spenders wants to be tied to the recipient after sending their 1€
    • [ ] each spender spends 1 €
    • [ ] each recipient receives 1€

CoinJoin follows this protocol to fulfill the privacy requirement:

  1. All spenders put their one 1€ coin in a bag
  2. Each recipient pulls out 1€ coin out of the bag.
  3. [x] each spender spent 1€
  4. [x] each recipient received 1€
  5. [x] no way to tell where any of the 1€ coins came from

In more technical terms, CoinJoin is a special kind of Bitcoin transaction that breaks the common-input-ownership heuristic. Bitcoin transactions are made of inputs and outputs, inputs being unspent outputs (UTXOs) of previous transactions.
Bitcoin transaction
Usually all the inputs belong to one and the same address. CoinJoin breaks this rule: it mixes inputs from different addresses to prevent associating sender and recipient addresses. Instead of performing 1-to-1 payments, we perform m-to-n.

Implementations

Wasabi wallet
Skycoin
Dash

zk-SNARK & Mixing on Ethereum: Tornado Cash

Tornado Cash logo
CoinJoin mixes bitcoins. Tornado Cash mixes ethers using a smart contract.
This "mixer" smart contract collects deposits from a depositor, transfers deposits to a withdrawer, and prevents linking depositor and withdrawer thanks to zk proofs.

  1. Deposit
    • A secret is generated
    • The hashed secret (= "commitment") is sent to the mixer smart contract along with an amount of n ETH
    • From now on, this unspent commitment, just like a Bitcoin UTXO, is waiting to be withdrawn/spent. It is mixed with other n-ETH deposits
  2. Withdraw: for the smart contract to allow the withdrawal, the withdrawer needs to prove ownership of a secret corresponding to an unspent commitment. zk-SNARKs allow doing this without revealing which deposit the secret was generated from.

Money Streaming

"When you change the medium, the message changes"

Said Bitcoin Evangelist Andreas M. Antonopoulos in this talk.

The term "streaming" was coined when the Internet superseded physical containers (CDs & VHS) as the main 'container' for audiovisual content.

|Product/Industry|Old medium|Today|
|--|--|--|
|Music|CD, vinyls, tapes|Streaming|
|Video|VHS, tapes|Streaming|
|News|Newspapers, print-outs, books, radio|Blog posts, tweets, podcasts|

Behaviours regarding the consumption of music and video were conditioned by our perception of their medium/containers.
The physical constraints of the containers translated in framed definitions and limited opportunities:

  • Format and quality were conditioned by the medium: albums had to "fit" on vinyls or CDs, films had to fit on a VHS or DVD. Short movies were not produced. Too short meant waste.
  • Buyers valued the object. They cared about the ownership of the container.
  • Production of new content was conditioned by the production costs of the medium: press the vinyls, manufacture the VHS, print the newspapers/books.
  • Distribution was also conditioned by the medium.

When Internet became the new medium, it lifted off the limitations of the previous ones and created unexpected opportunities. As production costs decreased and distribution got easier, new formats became popular. People started valuing shorter videos (30s, 20s, 10s, GIFS...). Short films or even clips of a few seconds get millions of views nowadays. Behaviors changed: people moved from valuing ownership to valuing experience: listening over owning a CD, watching over owning a VHS.

Money Streaming

Music, Video, News...
What about money?
What are the current mediums and containers of money?
Cash bills and coins, bank transfers, bills with fixed amount, monthly invoices, monthly payrolls...

The current money mediums present limitations.

  • Bills and coins can't be carried conveniently in high amounts. They have fixed denominations. Can be destroyed.
  • Banks have high operating costs and involve inefficient processes, can't run 24/7, can't fully rely on automation
  • Invoices and payrolls have to be manually created, edited, reviewed...

The limitations of the money mediums lead to practices that are annoying and inconvenient for the users.

  • Having to go to an ATM to get cash
  • Bank transfers not processed over weekends
  • Subscriptions that can't be cancelled at anytime (notice period) because of the whole administrative process involved
  • Income and rent paid once a month
  • Interest on savings account, or dividends paid once a year
  • Paying for more than what you actually get

Why is payday once a month? Why isn't pay DAY every DAY?
What if it would be possible to make payment on seconds or milliseconds frequency?
Cryptocurrencies on blockchain networks as new money mediums make this possible. Especially thanks to the latest scalability solutions (Layer 2 solution like Lightning for Bitcoin; Sharding, MATIC ... on Ethereum, zk SNARKs).
The changes in behaviours would be bigger than what we experienced with video and music streaming. The opportunities would be bigger too.
Any time based service could be transformed. Some are even already built on Ethereum.

Applications

Lending and credit

Compound offers interest-bearing savings accounts where interest is paid every 15 seconds. Compound then made the creation of an innovative lottery system possible: PoolTogether. PoolTogether is a weekly lottery pool. Ticket sales are invested in the Compound protocol. The winner of the lottery earns only the weekly accrued interest. All losing participants get their money back: a lottery system where nobody loses.

Salaries

With Sablier it is "Payday, Everyday".
"On Sablier, time means money, literally. As a worker, you see your earnings increasing in real-time in the Sablier wallet. As an organisation, [the] technology helps you get rid of the hassle of payroll admin. After a one-time deposit, [the] smart contracts will start "streaming" the money towards the payees, without you lifting a finger again."

Concerts & shows

Instead of a price per ticket, one could imagine a price per second. Who has never been disappointed by an artist ending the show after less time than expected?
With money streaming a shorter show means that the concert price decreases accordingly for the fans. A longer show means more revenues for the artist.

Attention & advertising

Every second of ads watched could be monetized. Today it is done already only for the advertisers who pay for a broadcast time. Not for the viewers of the ads.
With Brave Browser and Brave rewards, the viewer's attention is valuable. Users can "earn by viewing privacy-respecting ads and pay it forward to support content creators [they] love."

Real Estate

On realT, houses are first "tokenized". It enables fractional ownership. Then with "money streaming" blockchains, you no longer need to wait 30 days to receive a bank transfer.
"Owning property with RealT allows you to collect rent every day. Rent is paid using a US-Dollar stablecoin" (DAI).

Other assets renting (cars, rooms...)

Cars could be rented per second instead of per day. No need to worry about paying for an extra day because you returned the car too late.
Same for hotels: stay a little longer, pay more; stay shorter, pay less. (Although in the hotel industry the constraints behind current practices don't only come from the money medium but also from e.g. the need to plan room cleaning.)

Subscriptions and bills

Combined with Internet of Things devices that track consumption, money streaming would enable utility bills on a per-second basis. It would also be possible to "pause" your consumption.
Holiday scenario:
I go on holiday, so I pause my utility bills (gas, electricity, home internet) to have more cash flow on holiday. I board a plane. I know I can't use my phone for calls or browsing anyway, so I pause my phone subscription. During 7 hours I have more cash flow, which I can "flow" back into e.g. on-board entertainment offers.

# phone subscription
10€/month ~ 0.014€/hour
# home internet subscription
20€/month ~ 0.028€/hour
# utility bills
120€/month ~ 0.17€/hour
# total saved in 7 hours
(0.014 + 0.028 + 0.17) * 7 ~ 1.5€

Video and music

Business models would switch from pay-per-click to pay-per-second-viewed.

Conclusion

The convergence of the old music and video mediums towards the Internet had a major impact on both consumer and producer behaviour.
Cryptocurrencies powered by blockchain networks are becoming a new medium of exchange. Behaviors with regards to money - spending, earning, saving, investing - will be radically changed.

Blockchain privacy technologies serie: Introduction - the information asymmetry threat

Privacy matters

Privacy makes it possible for us to develop as free-thinking, independent individuals. One common nonsensical argument against the importance of privacy is:
I have nothing to hide, so why should I care about my privacy?
Following this logic we would go on declaring:
I have nothing to say, so why should I care about my freedom of speech?
There is nowhere I want to move or travel to, so why should I care about my freedom of movement?
I don't believe in any gods, so why should I care about freedom of religion?
And so on... for any basic human rights.

These rights were granted by law in order to protect against specific threats. What about privacy?
Privacy encompasses many forms and concerns:

  • integrity of family life
  • state oppression
  • value of data
  • the true inner self that can only emerge in anonymity; surveillance causes behaviour changes
  • financial concerns:
    • confidentiality of business transactions: hide negotiated prices, avoid signaling when trading
    • security: not exposing the value of your assets, to avoid becoming a target for hackers and thieves
    • loss of fungibility: coins are flagged as unacceptable and can't be spent

Our scope is reduced to data and information privacy.

Data privacy & information asymmetry

This form of privacy protects from the information asymmetry threat. Dealing with data privacy we can distinguish:

  • known knowns: the security camera we see on the street
  • known unknowns: what happens with the recording? How long will it be stored?
  • unknown unknowns: all the other uncertainties we are not conscious of because we don't know that other possibilities exist, e.g. processing the footage with facial recognition software.

People not realizing the importance of privacy is in itself evidence of these "unknown unknowns". They are also where the asymmetry comes from.
"Asymmetrical" because:

  • we often have no choice as to whether being monitored.
  • we have little knowledge about how much information is collected.
  • all the work of correlation and analysis is done with tools, techniques or computing power unknown or inaccessible to us.
  • the predictive outcomes will turn into decisions felt as arbitrary by the people impacted: deny employment, deny credit, restrict movements, refuse membership
  • the collection of data in the name of reducing some risks faced by a larger group (e.g the state) produces new risks whose danger citizens take on: censorship, coercion, oppression of minorities...

Essentially, "they" know a lot about us and have power over us, while we know little about "them" and can hardly respond.

Acceptance or going offline/"opting-out" isn't really a choice.
Furthermore, the immutability, transparency, openness characteristics of (public) blockchain networks make the relationship even more asymmetrical.

Obfuscation and cryptography for more data privacy on blockchain networks

3 aspects of privacy stand out in the context of blockchain technology:

  • identity
  • transaction data
  • total blockchain state

As solutions to anonymize transactions, obfuscate transaction data or blockchain state, I will structure my posts around the following protocols and techniques:

To learn more about information asymmetry or find answers to the ethical questions raised by relying on obfuscation techniques, I recommend reading Obfuscation, A User's Guide for Privacy and Protest, Finn Brunton and Helen Nissenbaum.

Talent Stack

Scott Adams Talent Stack

Most of the time, excellence and greatness are understood as something specific: "the fastest...", "the best x-player", "the best in discipline x...", "the expert in field x...".
So the obvious way to become valuable is specialization. This requires a lot of discipline, time, patience and personal drive.
Scott Adams' Talent Stack offers a different path. It says that even if your skill level is mediocre, if the mix of skills is right, you can become unique and valuable too.
This path is easier to take. The Talent Stack concept also helps explain success in cases where observers might describe it as "surprising".

Examples

Kanye West

I am quite into Hip Hop / RnB music. Although I love his music, I can come up with plenty of other male artists that surpass him in specific skills.
But his unique mix of skills led to his success.

Skill                  | Kanye's level | Not as good as
Rapping                | ok            | Eminem, Twista, Yelawolf, Tech N9ne
Vocoder                | ok            | T-Pain, Zapp & Roger
Singing                | can't         | Timberlake, John Legend, Usher, Chris Brown
Writing/Lyrics         | ok            | Andre 3000, 2Pac
Composing/Beat making  | ok            | Madlib, Metro Boomin, Mike Will Made It
Dancing                | can't         | Usher, Timberlake, Chris Brown
Business acumen        | ok            | Buffett
Social media presence  | good          | Obama, Rihanna, Bieber
Self promotion         | ok            | ?
Fashion                | ok            | Beckham?

So he is the best in none of his skills. Most of the time he's good or just good enough. It is by combining all his skills that he succeeded in becoming so unique.
The same goes for his wife Kim Kardashian West. I've always been somewhat astonished by her rising success.

K.Kardashian

Skill                      | Comment
Branding & Marketing       | Obviously good, she is her own brand
Media                      | Knows how to deal with press, reporters, interviews...
Aesthetics                 | Not the most beautiful, but pretty enough
Network                    | Leveraged the connections she built during/after the Ray J sex tape episode
Engagement on social media | Maybe not THE best at interacting with and engaging fans online, but she can do it and does it efficiently
Family                     | Spread success to her family
Risk management            | The sex tape episode was definitely a bold and carefully calculated move...
Confidence                 |
Recruiting                 | She partners with the right people in any industry: fashion, music, media...

Each single skill alone is not enough. But the combination...
This is how a woman went from a sex tape to a $377M net worth: the right talent stack.

A further application and illustration of this concept is what Naval Ravikant describes as an "unstoppable" skill set:

The unstoppable skill set: Build & Sell

Naval notes that every successful company, individual or team needs to be good at 2 categories of skills: building and selling.

  • Building: R&D, design, engineering, coding, manufacturing, delivering...
  • Selling: Sales, marketing, communicating, recruiting, PR...

Let's imagine an excellent engineer building amazing products. If he can't market himself or attract customers, nobody will ever learn how great his products are. No customers, no sales. Since engineering requires a lot of focus, time and resources, this is not sustainable.
The same goes the other way around. What if you're a great marketer? If the product you're selling isn't good, customers won't buy again. You won't earn the resources necessary to improve your product. Not sustainable either.
You can't be the best at both, but you need a decent skill level in both.

As illustrations, he mentions in his post some famous successful teams made of a "Builder" and a "Seller" combo: Jobs and Wozniak, Gates and Allen, the usual CEO/CTO combo of any startup...
Then you have unstoppable people such as Elon Musk, people who can do both: build and sell. He is not good enough to design the whole rocket himself, but he is good enough to drive all the key technical decisions, so he is a Builder. He has excellent business acumen too, which makes him a Seller as well.

So builders should endeavour to become sellers and sellers to become builders?
Reality is a bit unfair.
Bill Gates said: "I'd rather teach an engineer marketing, than a marketer engineering."
A seller will indeed have a harder time learning to build than a builder learning to sell. Learning to sell as an engineer can still be challenging. Depending on character and personality, builders have to figure out what they feel more comfortable doing, i.e. which form of communication they're best suited for:

  • Person to person: recruiting, fund raising
  • Writing: blog, articles, tweets
  • Public speaking: make presentations, conferences, workshops
  • Talking: podcasts, videos
  • Photos

CODA: zk-SNARKS & recursive composition for a constant-size Blockchain

I actually introduced zero-knowledge proofs in my previous post just for the sake of introducing this application I am very excited about: CODA.
CODA uses zk-SNARKs to build a tiny, constant-size blockchain. So tiny that it could run natively in browsers!

If you're still reading this after reading the very title of this post, I think I can also assume that you are familiar with the concepts of blockchain and zero knowledge proofs.

CODA is a new cryptocurrency protocol built on a "succinct blockchain". Succinct means here small in size and easy to verify.
It leverages zk-SNARKs to compress the blockchain down to a few kilobytes, 22 KB to be exact.
To put it in perspective, let's compare it to the two first blockchains in terms of adoption and market capitalization.
At the time of writing and according to bitinfocharts, the Bitcoin and Ethereum blockchains are respectively 14 million and 10.5 million times bigger than CODA.

Blockchain | Size                    | Size / CODA
Bitcoin    | 308.38 GB, ever growing | 1.4e7
Ethereum   | 233.00 GB, ever growing | 1.06e7
CODA       | 22 KB, constant         | 1

One could argue that 200 to 300 GB is still a reasonable and affordable volume of data.
One can buy a 500 GB internal SATA SSD for 58€ on Amazon. So a tech-savvy user is likely to have the resources to set up a node on a personal computer and join the Bitcoin or Ethereum network as a validating node.
However nowadays most computers are... mobile phones. There's no way they can deal with such amounts of data.

Which is why CODA is so exciting. It reduces the technical requirements to run a node so much that mobile phones could become nodes and verify the whole blockchain. It would address the scalability, security and decentralization challenges at once.

Reminder

A zk proof proves that a statement is true without revealing any info beyond the validity of the statement itself.

When dealing with a blockchain, what could we possibly want to check?
...That the blockchain is valid! That the blocks are valid and correctly chained together.
What's the big deal?
Normally this validation is the job of validating nodes: nodes that check whether the blockchain is still valid after a new block is submitted. A member/user of the network can decide to trust others to validate for him (delegation) or can decide to perform the validation himself. In that case the user has to carry the costs associated with the validation process: remember the ever-growing size of blockchains?

As long as you can be convinced that the blockchain is valid, you don't actually want to bother checking the full blockchain history backwards. You care only about a proof that the blockchain is valid, not about its whole content... sounds like a good application for zk proofs, doesn't it?
This is precisely what CODA does: it uses zk-SNARKs to certify that the blockchain has been validated correctly. Like a proof that an audit was executed properly.

Use of zk SNARKs in CODA

  • updating blockchain is just one computation
  • SNARKS can verify any computation
  • Processors produce SNARKs that certify they are updating the blockchain correctly
  • End users don't check the blockchain themselves, they check the tiny certificates instead

How could we use practically zk SNARKs as verification mechanism in a blockchain architecture?

Naive architecture: 1 SNARK for each block?

One could use them to produce a certificate which says: "I know a block which, when applied to a database in state 1, results in a database in state 2. We can get from 1 to 2 with this block".
The end user receives:

  • certificate
  • a Merkle path into the database (DB) of state 2, to check their balance without having to see the complete difference between DB1 and DB2.

What if we are not sure that DB1 is valid? We chain.
Just like the Bitcoin blockchain chains blocks together, we would chain certificates backwards to check the validity of the whole chain: not a chain of blocks but a chain of certificates.

This would be an improvement in size, but the blockchain would still grow linearly.

Better architecture: 1 SNARK for the whole blockchain!

In the previous architecture, one SNARK was a certificate attesting to the validity of one block:
1 SNARK = 1 check = 1 proof that a block was computed correctly
The idea of composition is to check the checking process.

Recursive composition

Checking the validity of a SNARK is itself a computation, so it can itself be certified with a SNARK.
We check that all the past SNARKs were computed correctly, which produces... one SNARK.

# snarkify(0, 1) = SNARK 1 that proves we can get from state 0 to state 1
# snarkify(1, 2) = SNARK 2 that proves we can get from state 1 to state 2
# snarkify(snarkify(0, 1), snarkify(1, 2)) = SNARK 3 that proves we can get from state 0 to state 2

# and so on: the latest SNARK always covers the chain from genesis to the tip
0>1, 1>2 ----> 0>2, 2>3 ----> 0>3, 3>4 ----> 0>4 ...

End user

Downloading this final SNARK is sufficient proof of the blockchain's validity: downloading a 1 KB SNARK ~ validating the whole chain.
In addition, to check his own account the user has to download a Merkle path into the state (22 KB), not the whole state.

Conclusion

Let that sink in,
a wallet implementing the CODA protocol can get fully synchronised and achieve full security after the few milliseconds required to download the single SNARK.
It takes days or weeks to fully sync a node with the Ethereum or Bitcoin blockchains, and the node also has to be kept up and running to avoid being left behind and going out of sync.
Everyone can become a validating node without any extra cost.

  • [x] Scalable
  • [x] Decentralized
  • [x] Secure

Perfect solution?
Not quite yet. One limitation of zk-SNARKs is that they rely on a "trusted setup". I haven't found out how CODA deals with this yet.
zk-STARKs are an alternative to zk-SNARKs that doesn't require such a trusted setup. Could we compose zk-STARKs recursively instead?

The video featuring CODA CTO Izaak Meckler that explained to me what I've just shared is available here.

Blockchain privacy technologies serie: Introduction to zero knowledge proofs

In most situations where you (the Prover) make a statement and have to prove it to someone (the Verifier), you actually have to disclose the value of the statement's argument.
Examples

Situation                                 | Statement                         | Argument              | What is disclosed as a practical proof
Voting, driving, buying alcohol...        | I am over 18 years old            | Age                   | ID card: actual age, birth date, name
Executing a bank transfer or card payment | I have enough funds on my account | Account balance       | Actual account balance
Mathematical problem                      | I know the solution               | Mathematical solution | How to solve the problem
Private key                               | I am the owner of the private key | Private key           | Actual private key value

Having to disclose the balance of my account to anyone I want to buy something from, as proof that I can actually pay, is very problematic with regards to privacy and security.

Zero Knowledge Proofs

Zero-knowledge proofs are precisely a mechanism to assert knowledge without divulging it.
Verification is probabilistic: the verifier challenges the prover with random choices, and a prover who answers correctly often enough has, with high probability, the "knowledge" he claims. (In zk-SNARKs, for instance, the check boils down to testing the equality of two polynomial products at randomly chosen points.)

Example: How to explain zk Proofs to your children - The Strange Alibaba Cave

As illustrated by the Binance Academy, imagine a ring-shaped cave with a single entrance and a magic doorway at the back that separates the two side paths. To go through the magic doorway, one needs to whisper the correct secret words. Alice (yellow) wants to prove to Bob (blue) that she knows the secret words, while keeping them secret.

  1. Bob waits outside. Alice enters the cave and walks to the end of one of the two paths.
  2. Bob walks to the entrance and shouts which side he wants Alice to appear from.
  3. If Alice truly knows the secret words, she will reliably show up from the path Bob names.

Bob could think that Alice doesn't really know the secret words and was just lucky (she had a 50% chance of having chosen the side he would name). To convince him, they repeat the procedure. After n repetitions, the probability that Alice was lucky every time has dropped to (1/2)^n. The bigger n, the more reliable the proof.
Hence the description of zero-knowledge proofs as a probabilistic verification mechanism. zk proofs aren't proofs in the strict mathematical sense because there is always a small probability (converging to 0 with n) that a cheating prover convinces the verifier that a false statement is true.

Another famous example is the graph 3-colourability puzzle.

Properties

The combination of the 3 following properties defines more formally a zero-knowledge proof:

Soundness: cheaters get caught

A dishonest prover can't convince a verifier that a false statement is true.

Completeness: true statements get accepted

Following the protocol, an honest prover will naturally convince the verifier that a true statement is true.

Zero knowledgeness: true statements don't teach the verifier anything else except it being true

Applications

zk-SNARK

zk-SNARKs are a particular type of zk Proof

Zero Knowledge

Succinct

Proofs are small in size and quick to verify.

Non interactive

The basic form of a zero-knowledge proof protocol is interactive: the verifier has to keep asking the prover a series of questions about the "knowledge" he claims to possess. zk-SNARKs are non-interactive: the prover publishes a single proof in advance, and any verifier can later check its correctness without further exchange.

ARgument of Knowledge

Argument rather than proof: zk-SNARKs are computationally sound, i.e. the soundness property above holds only against provers with bounded computing power.
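The cave is a story; the "I am the owner of the private key" row of the table above is the real thing. The following Python is an added example (mine, not code from the original post or from any project named on this page) of a Schnorr-style proof of knowledge of a discrete logarithm in a toy group. The interactive version uses one-bit challenges and behaves exactly like the cave: a prover without the secret can only pre-arrange an answer for one guessed challenge, so it survives n rounds with probability (1/2)^n. The Fiat-Shamir version replaces the verifier's challenge by a hash of the transcript, which is what makes a proof non-interactive and publishable in advance. The group parameters are constructed for the example and far too small for real use.

```python
import hashlib
import secrets

# Toy group, constructed for this example only (far too small for real use):
# P = 2*Q + 1 with Q prime, G generates the subgroup of prime order Q.
P = 1019
Q = 509
G = 4


def keygen():
    """Secret x and public y = G^x mod P. Proving knowledge of x is the
    'I am the owner of the private key' statement of the table above."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


class HonestProver:
    """Knows x, so it can answer whichever challenge bit the verifier picks."""

    def __init__(self, x):
        self.x = x

    def commit(self):
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)          # t = G^r: the path Alice walked into

    def respond(self, c):
        return (self.r + c * self.x) % Q  # s = r + c*x


class CheatingProver:
    """Does not know x. Guesses the challenge bit in advance and prepares a
    commitment that passes for that bit only: the 'lucky' prover of the cave."""

    def __init__(self, y, guess):
        self.y, self.guess = y, guess

    def commit(self):
        self.s = secrets.randbelow(Q)
        if self.guess == 0:
            return pow(G, self.s, P)                       # passes c = 0 only
        # t = G^s * y^-1, so that G^s == t * y: passes c = 1 only (Python >= 3.8)
        return pow(G, self.s, P) * pow(self.y, -1, P) % P

    def respond(self, c):
        return self.s


def check_round(y, t, c, s):
    """Verifier's check for one round: G^s == t * y^c (mod P)."""
    return pow(G, s, P) == t * pow(y, c, P) % P


def interactive_proof(prover, y, challenges):
    """One round per challenge bit (the verifier's 'shout'); the proof is
    accepted only if every round passes (completeness for the honest prover,
    soundness error (1/2)^n against the cheating one)."""
    for c in challenges:
        t = prover.commit()
        if not check_round(y, t, c, prover.respond(c)):
            return False
    return True


def cheat_bound(rounds):
    """Probability that a prover without x survives `rounds` binary challenges."""
    return 0.5 ** rounds


# Fiat-Shamir: derive the challenge from a hash of the transcript instead of
# asking the verifier. With the full challenge space [0, Q) one round suffices
# and the proof can be published in advance: the non-interactive variant.
def fs_challenge(y, t):
    digest = hashlib.sha256(f"{G}|{P}|{y}|{t}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def nizk_prove(x, y):
    r = secrets.randbelow(Q)
    t = pow(G, r, P)
    c = fs_challenge(y, t)
    return t, (r + c * x) % Q


def nizk_verify(y, proof):
    t, s = proof
    return check_round(y, t, fs_challenge(y, t), s)
```

Note that the cheating prover is not caught on a round whose challenge it guessed; it is the accumulation of rounds it cannot have pre-arranged that drives the soundness error down, which is why a single one-bit challenge is never enough and why the hashed challenge in the non-interactive variant must range over the whole group order.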

Limitations

zk-SNARKs have limitations though. They depend on a trusted setup: a set of public parameters must be generated before any proof can be constructed. This creates a potential centralization issue because the parameters are often produced by a very small group. The setup phase is critical in preventing counterfeit spending: anyone who kept the randomness used to generate the parameters could create false proofs that the verifier would accept.

zk-STARKs were invented as an alternative zk proof mechanism to zk-SNARKs, one that doesn't require such an initial trusted setup.

zk-STARK: Zero-Knowledge Scalable Transparent ARgument of Knowledge

Transparent

zk-STARK proofs present a simpler structure in terms of cryptographic assumptions. However, this novel technology comes with the disadvantage of generating bigger proofs compared to zk-SNARKs.

Apology of Permissionless Blockchains

I don't believe that private blockchains will become global. They will be confined to national governmental use or to industry-specific consortiums.
I'll try to argue my position by examining the architecture choice that different users may make through the lens of the following human motivations.

Motivations

Acquire (greed) – Desire to collect physical objects as well as immaterial ones like power, status, and influence
Defend (fear) – Desire to protect ourselves and our property
Bond (belonging) – Desire to form relationships
Learn (curiosity) – Desire to satisfy our innate curiosity

Of course, other motivations exist, such as Feel (escape: desire for sensory stimulus and pleasure), but I don't think they apply to this reflection on the architecture choice of a blockchain solution.

Users

Businesses & Enterprises
Entrepreneurs
Random people
Governments

Pre-analysis

User Greed(Acquire) Defend(fear) Bond(belonging) Learn(curiosity)
Businesses & Enterprises xx x
Entrepreneurs xx x xx
Common people x x x x
Governments xx xx
Total 6 4 2 3
  • Business & Enterprises: profit driven institutions (greed).
  • Entrepreneurs: also want to make money (greed). Ready to take risks. Want to innovate (learn).
  • People: as it may naturally vary between individuals, I scored equally all attributes.
  • Governments: especially interested in maintaining their power.

Permissioned or permissionless?

1. Greed: where is money to be made?

Public blockchains are to transacting value what the Internet is to communicating information. Permissioned/private blockchains are to public blockchains what an intranet is to the Internet.
Do companies from the same industry exchange information and communicate over an industry-wide intranet?
They don't. They use the open World Wide Web. It is where all the services were, are and will be built.
Because open networks stimulate innovation, while restricted and closed ones hamper it. The real value of blockchains is in coordination and permissionless innovation. So I believe more entrepreneurship, and therefore more value creation, will happen on public blockchains.
Problem: they are slow --> see the post to come about scalability solutions.

Permissionless > Permissioned

2. Fear: what provides users with the best protection against what they value?

What do users value? Who/what may they seek protection against?

User                                   | Values                                                                                                                                   | Protection against / fear
Businesses, enterprises, entrepreneurs | Assets, capital, cash flow, copyrights, licenses, specific knowledge, secrets (technologies, deals, ideas...)                            | Competition, thieves, spies, data destruction, data loss, data modification, disclosure...
Governments                            | Control, surveillance, coercion power; military secrets; justice; democracy; cultural heritage; art; land registry; monetary and media control | Foreign states, fraud, injustice, spies, data destruction, data loss, data modification
Common people                          | Personal assets, privacy, legacy, freedom, identity                                                                                       | Thieves, censorship, arbitrary decisions, intrusive surveillance, spies, data destruction, data loss, data modification

Unsurprisingly, 3 famous blockchain attributes emerge as mechanisms to offer protection against the different threats just listed:

Privacy: people protecting themselves from surveillance, businesses protecting competitive secrets.

Some private blockchain solutions providers such as Corda claim that "permissionless blockchain platforms—in which all data is shared with all parties—are largely unsuited for businesses.".
This statement used to be true. But today some privacy solutions on public blockchains exist (dedicated post to come).

Governance

By governance I mean the ability to define or redefine the rules of the network.
Permissioned blockchains are the most straightforward architecture to fulfil this need, which is paramount for governments.
Indeed, governance seems incompatible with the decentralization and immutability of public blockchains.
However public blockchain have been (more or less successfully) experimenting with on-chain governance and DAOs (dedicated post to come).

Security

(Dedicated post to come)
Permissionless = Permissioned # Diligence required!

3. Curiosity & Belonging: what's more open and inclusive?

Public blockchains are by design permissionless: open and inclusive. Permissioned ones are the opposite.
Anyone can join a public blockchain, which is obviously the preferred choice for curious people who want to freely exchange and transact or try and learn new things. Moreover, innovation and entrepreneurship (see 1) thrive on an open network whereas the restrictions of a closed network hamper them.
Permissionless > Permissioned

Conclusion

I only see two motivations that would drive the selection of a permissioned blockchain over a public one:

  • The fear of losing a central control power that individuals, organizations or governments may possess.
  • The fear of data destruction/loss/modification due to security risks & features specific to public blockchain architecture (such as miners collusion if PoW is used, immutability i.e. incapacity to rewrite history...)

Bitcoin and Stock to Flow Model

Common sense tells us that scarce things are valuable or costly. Scarce things such as precious metals or antiques are especially costly because they are hard to create for anyone.

Nick Szabo calls this property of being costly to forge "unforgeable costliness". Unforgeable costliness provides value independently of third parties. Monetary systems are based on objects that are naturally (precious metals) or artificially (fiat and accounting) unforgeably costly.

However we can't really pay with metal online. Worse, creating bits online is free. To have digital money we need a technique that creates bits online in a costly way.
That technique would ensure that the "bits" it produces keep being scarce, which would make them suitable digital money.
No such technique existed until Bitcoin: Bitcoin is a protocol, a "technique", that produces at a high cost (the electricity bill of mining) bitcoins that can be used as digital money.

The relationship between unforgeable costliness and value can be demonstrated by the stock to flow model.
StockToFlow = SF = stock / flow = 1 / supply growth rate
Stock is the existing reserves at a given time. Flow is the yearly production, the yearly injection of new volumes of commodities.

SF value of different commodities

SF numbers

It is very hard for a commodity to increase its SF. As soon as individuals stockpile it, the supply and demand equilibrium breaks and prices rise. This incentivizes producers to produce more of it (e.g. mine more palladium), and prices fall again.

So this property - "unforgeable costliness" - is essential.

Bitcoin SF model

Bitcoin has a current supply of 18.1M coins and a flow of 0.7M coins/year.
SF = 18.1 / 0.7 ≈ 26
This places Bitcoin between gold and silver.

However the Bitcoin protocol is designed in such a way that:

  • its maximal supply is fixed at 21M
  • the block subsidy (the supply of additional bitcoin) is cut in half every ~4 years (every 210,000 blocks)
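Because the supply schedule is fixed by the protocol, SF can be computed for any block height rather than read off a chart. The following is an added example (my own code, not PlanB's model or Bitcoin Core): it reproduces the halving schedule in satoshis, shows where the 21M cap comes from, and computes SF just before a halving and one year after it. It assumes 10-minute blocks (52,560 blocks per year) and takes the flow as the trailing 12 months of issuance.

```python
BLOCKS_PER_HALVING = 210_000
BLOCKS_PER_YEAR = 52_560           # assumed: 10-minute blocks, 365 days
SATS = 100_000_000
INITIAL_SUBSIDY = 50 * SATS        # the first blocks paid 50 BTC each


def subsidy_at(height):
    """Block subsidy in satoshis at a given height: halved by an integer shift
    every 210,000 blocks, so it eventually rounds down to zero. The >= 64
    guard mirrors the one in the reference implementation."""
    halvings = height // BLOCKS_PER_HALVING
    if halvings >= 64:
        return 0
    return INITIAL_SUBSIDY >> halvings


def supply_at(height):
    """Satoshis issued by all blocks below `height`, summed one era at a time."""
    total, h = 0, 0
    while h < height:
        sub = subsidy_at(h)
        if sub == 0:
            break
        era_end = min(height, (h // BLOCKS_PER_HALVING + 1) * BLOCKS_PER_HALVING)
        total += sub * (era_end - h)
        h = era_end
    return total


def max_supply():
    """The 21M cap is not a constant in the protocol: it is the sum of the
    halving series, which stops once the subsidy rounds down to 0."""
    total, sub = 0, INITIAL_SUBSIDY
    while sub > 0:
        total += sub * BLOCKS_PER_HALVING
        sub >>= 1
    return total


def stock_to_flow(height):
    """SF = stock / flow, with flow taken as the issuance of the previous year
    (trailing window; an assumption of this example)."""
    stock = supply_at(height)
    flow = stock - supply_at(height - BLOCKS_PER_YEAR)
    return stock / flow


def halving_effect(halving_number):
    """SF just before the given halving and one year after it: the step in
    scarcity that the model links to price."""
    h = halving_number * BLOCKS_PER_HALVING
    return stock_to_flow(h - 1), stock_to_flow(h + BLOCKS_PER_YEAR)


if __name__ == "__main__":
    print("max supply (BTC):", max_supply() / SATS)
    print("SF around the 3rd halving (before, one year after):", halving_effect(3))
```

The cap comes out at 20,999,999.9769 BTC, slightly under 21M because of the integer halving. Around the third halving SF roughly doubles from about 28 to about 57 once a full year of the halved subsidy is in the trailing window, which is the jump the chart above is built on.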

Is this model valid?

PlanB tested the hypothesis that scarcity, measured as SF, drives value.
For gold, silver and Bitcoin he:

  • collected historical supply data. In Bitcoin's case, he queried the Bitcoin blockchain to know the number of new blocks (thus new bitcoins) per month.
  • collected historical price data

Then he plotted SF vs market value (logarithmic axis).
SF vs log(market value)
There is a strong statistical relationship (R^2 ~ 95%) between SF and market value.

Can we use this model to predict Bitcoin future price?

Unlike gold, the evolution of Bitcoin's supply is known, because it is predefined by the protocol.
We then have a way to predict the evolution of Bitcoin's price.
Bitcoin price evolution
The model predicts a bitcoin market value of $1trn after next halving in May 2020, which translates in a bitcoin price of $55,000.

On-demand delivery services and meal kits for a more sustainable food industry?

Upon reading the "Fate of Food" article in the Imagine 2030 report from Deutsche Bank Research, I started reconsidering my opinions on the food industry's current problems and potential solutions.
I tend to feel bad when I indulge myself by ordering a meal, and I have always refused to use a meal-kit service such as HelloFresh.
Indeed, besides food quality and cost considerations, isn't it nonsense from an ecology, energy or sustainability point of view?
More packaging, more transport costs, more energy consumption?
But what if I was wrong?

From supply-driven to demand-driven

Today the food chain is supply driven: the upstream producers push whatever they harvest down to the downstream customers.

  1. Farmers harvest crops
  2. Wholesalers buy from farmers
  3. Retailers buy from wholesalers
  4. You and me or restaurants buy from retailers

The problem is that wholesalers especially, but also retailers and end customers, buy in the hope that it will be eaten, ordered or cooked in the coming week.
Otherwise the food is wasted.
All the apples or tomatoes you see on the shelves of your supermarket will actually become waste unless someone buys them or the supermarket donates its surplus.

In a demand driven chain, the downstream customers pull only what they need from the upstream producers.
It could obviously reduce waste because only what is necessary would be bought or ordered. It requires much better planning though.
How can wholesalers or retailers reliably forecast the volume of food they need per month throughout the year, taking seasons, customer trends... into consideration?
This is where meal-kit services come into play. Because they collect tonnes of data on the ordering habits of their customers, they can build the necessary demand forecast models. Machine learning can optimize them even further.

  1. Customers order periodically meal-kits
  2. Meal-kit services can forecast the food supply they need and order accurate amounts from the retailers
  3. Retailers can forecast the food supply they need and order accurate amounts from the wholesalers
  4. Wholesalers can better distribute what they bought from farmers between retailers
  5. Farmers keep harvesting as much

HelloFresh claims its model cuts food wastage by up to 4/5 compared with a traditional retailer.

Incentivize customers to order meal kits?

The previous reasoning of a demand driven food chain fails if the customers don't order periodically meal-kits. The more frequent the meal-kit orders, the more reliable the forecast models.
It is actually a strong assumption because it involves an important customer's behaviour change. Am I ready to commit today to my future meals for the complete next week? I am forced to plan ahead. No more spontaneity.
How to incentivize customers: raising awareness on the positive impact it could have on food waste, price...?

Blockchain: what is it, what is it for?

For a technical definition, read here.
A non technical definition is: "a technology that enables digital exchanges of value between entities that don't trust each other without intermediary".
Why does it matter?

Internet: information network

If you are reading this post, I can safely bet you know what the Internet is. So you should be able to wrap your head around the idea of what a network is, the Internet being something often referred to as THE network.
One can be 'part of', 'on' or 'connected to' a network. Anyone on the Internet can directly exchange digital information with any other connected member.
Services whose job used precisely to be to execute some form of exchange on behalf of a sender and a recipient progressively became obsolete.

                Pre Internet                     Post Internet    Information exchanged
Communication   Post office                      Emails           Peer to peer message
News            Newspaper                        Blog, Twitter    News
Music & Video   Music labels and movie studios   Streaming        Released music
Hospitality     Hotels                           Airbnb           Available rooms
Transport       Taxi                             Uber             Available taxi

In practice, that exchange is seldom disintermediated. Indeed it is more convenient to rely on streaming & hosting services or apps. However, nothing technically requires doing so.
Internet = birth of a disintermediated information network.

Post office, newspaper, music and movies studios, hotels, taxis... anything missing on the list?
BANKS. Banks have kept being required because they don't only facilitate exchange of information but exchange of value.
I have often read or heard that "data is the new oil". As a data analyst I used to believe it myself. I would repeat it to people to give me importance. However since such data is exchanged digitally on Internet, this statement is totally bullshit.
Because: ctrl + c & ctrl + v.
Oil is physical. Have you ever copy pasted an oil barrel? Therefore oil has value. Selling that barrel means the seller is losing ownership of that barrel to the benefit of the buyer who pays him. Value flows both ways (asset and money).
Data isn't physical. Therefore, I can just hand over a copy created at no cost and sell the file again later. I don't lose ownership of that file. The file's value hasn't been transferred from me to the buyer. Value flows one way (money only).

        Buyer        Seller
Money         -->
Oil           <--

Money         -->
File

Another example: sending 1 mail to 1 person or sending 1 mail to 1,000 persons costs the same.
So, as such, data has zero fundamental & commercial value.

Double spending problem

This "copy pasting" of an immaterial asset leads to the so called double spending problem.
How can one prevent a double spend?

Ledger

One must keep track of the past exchanges performed. Double spends could then be detected by checking this history of exchanges. This "history of exchanges" is called a ledger.
Let's say I want to transact with a stranger I don't trust.
Who will write into the ledger?

  1. Myself: I can "omit" transactions so that my double spends don't appear and screw the stranger. He/she won't let that happen.
  2. Stranger: he/she can "omit" transactions so that his/her double spends don't appear and screw me. I won't let that happen.
  3. We both write in the same ledger: the ledger will turn into an inconsistent and useless mess.
  4. We both write in our own ledger: two ledgers exist. Their contents will be in conflict. Which one to believe?
  5. We ask a third person to write all the transactions in the ledger for us: we both hope for the best and decide to trust that person won't try to screw us.

1, 2, and 3 obviously can't work.

Centralized ledger

5 is the centralized way of solving that problem. We have been relying on banks because they provide a solution to this problem. They act as a trusted intermediary responsible for checking that an exchanged immaterial asset is only spent once. The very reason for banks' existence is to make trusted exchanges between people that don't trust each other possible.
When Alice wants to wire money to Bob, she doesn't wire it herself from her account to Bob's. Here's what happens

  1. Alice wants to pay Bob.
  2. The bank checks her account balance
  3. The bank subtracts the amount from her account balance
  4. The bank adds that amount to Bob's account

The bank is in charge of keeping a big accounting book up to date.
The main issue with that solution is that you have to "hope for the best and decide to trust that banks won't try to screw you".

Decentralized ledger

This is the approach described in 4: instead of trusting one single person to maintain the ledger, everybody keeps and writes in their own copy.
Several challenges need to be solved:

1. How do we agree on what is the current valid version of the ledger?

By distributing to everybody a copy of the last version of the ledger which was considered valid.

2. How do we ensure that what was written can't be changed or deleted?

  1. Bundle new records to be added to the ledger in pages
  2. "Mark uniquely" each page based on its content.
    This makes changing a page's content obvious. For instance imagine writing in the corner of a page the number of characters on the page. Adding or deleting a character obviously changes that number. So cheaters are detected. The harder the creation of that mark, the more secure the ledger.
  3. Link each new page to the previous one. Write on each page's corner its "unique mark" along with the mark of the previous page. This way, if one wants to "re-mark" a page, one has to re-mark all the following ones to achieve the change without being noticed. This makes the ledger even more secure.
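The "mark and link" idea in steps 2 and 3, as an added illustration that is not code from this blog: each page's mark is a SHA-256 hash over its content and the previous page's mark, and the verifier shows why editing one page forces re-marking every page after it. The proof-of-work difficulty of the mark is not modelled; names and the sample transactions are constructed here.

```python
import hashlib
import json

# Added illustration (not the blog's code): a toy hash-linked ledger in which each
# "page" carries its own mark (a SHA-256 hash of its content) plus the mark of the
# previous page. Names and the sample transactions are constructed for this example.
GENESIS = "0" * 64

def mark(prev_mark, records):
    """The 'unique mark' of a page: hash over the previous mark and the page content."""
    payload = json.dumps({"prev": prev_mark, "records": records}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

class Ledger:
    def __init__(self):
        self.pages = []   # each page: {"prev": mark, "records": [...], "mark": hash}

    def append(self, records):
        recs = list(records)
        prev = self.pages[-1]["mark"] if self.pages else GENESIS
        self.pages.append({"prev": prev, "records": recs, "mark": mark(prev, recs)})

    def verify(self):
        """(True, None) if every page's mark matches its content and its link to the
        previous page, else (False, index of the first page that fails)."""
        prev = GENESIS
        for i, page in enumerate(self.pages):
            if page["prev"] != prev or page["mark"] != mark(page["prev"], page["records"]):
                return False, i
            prev = page["mark"]
        return True, None

def tamper_demo():
    ledger = Ledger()
    ledger.append(["Alice pays Bob 4", "Bob pays Carol 1"])
    ledger.append(["Carol pays Dave 1"])
    ledger.append(["Dave pays Alice 1"])
    ok_before, _ = ledger.verify()
    # A cheater edits page 0: its stored mark no longer matches its content.
    ledger.pages[0]["records"][0] = "Alice pays Bob 40"
    after_edit = ledger.verify()
    # Re-marking page 0 alone is not enough: page 1 still links to the old mark,
    # so every following page would have to be re-marked too.
    page0 = ledger.pages[0]
    page0["mark"] = mark(page0["prev"], page0["records"])
    after_remark = ledger.verify()
    return ok_before, after_edit, after_remark
```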

3. How do we agree on what to write next?

By intuition, a fair way would be to decide "democratically": the correct version is the one most people consider as valid.
How to count what is "most"?
We need a digital voting system. In particular we need to be able to ensure nobody is voting twice. Otherwise our voting system is rigged. In the real world we prevent people from voting twice by checking who they are before letting them vote.

On internet nobody knows you are a dog

Don't forget we are "on the Internet", which means we can't identify people. Websites may require you to authenticate yourself but "Internet protocols do not force users to identify themselves". There are ways to identify people on the Internet. They would always end up relying on some form of ID/certificate provider that grants Internet users digital IDs. These ID providers would become the "trusted" 3rd party, in charge of maintaining the ledger of all IDs. We would be back to the centralized scenario I refuse to follow.

In a digital voting system, the same person could impersonate lots of different "digital profiles". Using an email account as a digital ID to count votes? One physical person could create 1000 different mail accounts at no cost and vote 1000 times.

Voting costs

As we can't identify people, we need a way to dissuade them from voting twice: voting must become costly. It needs to take time or cost money.
But if voting is expensive, why will people vote in the first place?
One solution is to add to the voting system a lottery system:

  • make it expensive to be granted the right to vote
  • reward randomly one of the voters: the winner gets rewarded economically and gets the right to add a new entry in the ledger

Application: Bitcoin

This brilliant combination of voting and lottery system is actually at the core of the Bitcoin Blockchain.

Voter                   Miner
Voting costs            Mining: solving a mathematical challenge ("Proof of Work") that can only be solved by brute force, by spending computer resources (the "unique mark" on each page of the ledger)
Ledger                  Bitcoin Blockchain
Content of the ledger   Transactions = exchanges of Bitcoin
Consensus               The longest ledger is the correct one (the one most people spent resources to build!)

Blocks are simply a group of transactions. Bundling transactions in blocks makes it easier to check the validity of a ledger. Similarly, it is easier to review the content of a long text, when that text is structured in different pages of a book.

Blockchain: disintermediated digital exchange of value

Let's look back at the initial definition: "a technology that enables digital exchanges of value between entities that don't trust each other without intermediary".
Assuming we want to exchange value (make money transfers over the Internet, sell or buy digital assets such as digital pictures, music, certificates, loyalty points...), we need to trust that double spending can't happen.
This required trust can be ensured in:

  • a centralized way by relying on a third party (banks, escrow, notary). It comes with costs and risks: will the third party behave in their or your best interest?
  • a decentralized way thanks to Blockchain technology. It also comes with drawbacks, such as transaction speed.

Blockchain Technical Definitions

Asset

Anything that has value to a stakeholder.

Block

Data structure comprising a block header and block data.

Blockchain

Specific type of DLT.
Database which is:

Blockchains are designed to be tamper resistant and to create final, definitive and immutable ledger records.

Block data

Data structure comprising zero or more transaction records or references to transaction records.

Block header

Data structure that includes a cryptographic link to the previous block.

Confirmed

Accepted by consensus for inclusion in a distributed ledger.

Consensus

Agreement among nodes that:

  1. a transaction is validated
  2. the distributed ledger contains a consistent set and ordering of validated transactions

Consensus does not necessarily mean that all nodes agree.
The details regarding consensus differ between blockchain designs and this is one key distinguishing characteristic between one design and another.

Consensus mechanism

Rules and procedures by which consensus is reached.

Cryptographic hash function

Function mapping binary strings of arbitrary length to binary strings of fixed length, such that it is computationally costly to find, for a given output, an input which maps to that output, and it is computationally infeasible to find, for a given input, a second input that maps to the same output.
Computational feasibility depends on the specific security requirements and environment.

Cryptographic link

Reference, constructed using a cryptographic hash function technique, that points to data.
A cryptographic link is used in the block header to reference the previous block in order to create the append-only, sequential chain that forms a blockchain.

Distributed Ledger (also called distributed ledger technology: DLT)

Ledger that is shared across a set of nodes and synchronized between the nodes using a consensus mechanism.

Immutability

Property wherein ledger records cannot be modified or removed once added ("append-only") to a distributed ledger.
Where appropriate, immutability also presumes keeping intact the order of ledger records and the links between the ledger records.

Node

Device or process that participates in a network and stores a complete or partial replica of the ledger records.

Ledger

Information store that keeps records of transactions that are intended to be final, definitive and immutable.

Ledger record

Record comprising hashes of transaction records or references to transaction records recorded on a blockchain or distributed ledger system.

Public Key

Key of an entity's asymmetric key pair which can be made public.

Private key

Key of an entity's asymmetric key pair that is kept secret and which should only be used by that entity.

Record

Information created, received and maintained as evidence and as an asset by an organization or person, in pursuit of legal obligations or in the transaction of business.
Applies to information in any medium, form or format.

Transaction

Smallest unit of a work process, which is one or more sequences of actions required to produce an outcome that complies with governing rules.
Where appropriate, transaction is understood more narrowly, as the smallest unit of a work process related to interactions with blockchain or distributed ledgers.

Transaction record

Record documenting a transaction of any type.
Transaction records can be included in, or referred to, in a ledger record.
Transaction records can include the result of a transaction.

Validated

Status of an item when its required integrity conditions have been checked.
A transaction, ledger record or a block can be validated.

Wallet

Application used to generate, manage, store or use private and public keys.

Night sky effect

This TED talk from Aaswath Raman really puzzled me and made me so optimistic and hopeful for our planet's future.

Issue

The alarming starting point is the vicious circle of cooling we are currently stuck in:

  1. We cool:
    • To live and sleep comfortably in places where the heat can become unbearable.
    • To keep our food longer
    • To operate data centers
  2. The warmer it gets, the more we need to cool.
  3. Back to --> 1: vicious feedback loop.

Cooling accounts for 17% of global electricity use and 8% of greenhouse gas (GHG) emissions. Demand may increase up to 6 times by 2050. Cooling systems may become the biggest contributors to GHG emissions and the biggest electricity "consumers".

Solution recipe: Night Sky Effect = target the atmosphere's transmission window to benefit from the coldness of space and build a negative heat balance sheet thanks to thermal radiation.

The Night Sky Effect is a natural phenomenon. This is how ice is made at night in the desert even though the air is warmer than 0 °C.
How does it work?

1. Fourier's Law: heat follows negative temperature gradient

q = -k ∇T

This law says that the local heat flux density q is equal to the product of the thermal conductivity k and the negative local temperature gradient ∇T.

In layman's terms it says that heat "flows" towards colder places. This law tells us a first thing: because the sky/space is cooler than the Earth, heat "flows" from the Earth to space.
What does "flowing" actually mean?

2. Thermal radiation: heat "flows" as light

When matter particles get warmer, they start moving very fast at the microscopic level (thermal motion). By doing so they also generate electromagnetic radiation = light.
This phenomenon can be visualized with night vision/thermal goggles. Another piece of evidence for this phenomenon is a material changing color when it gets hot, like a piece of coal that turns orange/red.
So we have heat that flows from hot places (Earth) to cooler places (Space).

3. Absorption & Greenhouse Effect

Unfortunately, in the same way particles can emit energy as electromagnetic radiation, they can also "absorb" light and generate heat back!
In particular, some gases in the atmosphere "absorb" some of the heat that the Earth tries to "radiate" towards space: we call these gases greenhouse gases (GHG) and this effect the greenhouse effect.

4. Infrared Window

Luckily not all that heat is absorbed and reflected back! Otherwise the Earth would be much warmer than it is.
Light is made up of a range of different wavelengths: the electromagnetic spectrum. There are infrared, ultraviolet, X-Rays...
The atmosphere doesn't react the same way to all wavelengths. In particular, the wavelengths between ~[8 μm, 30 μm] aren't reflected back: this is called the infrared transmission window.
So if an object emits its heat within that specific transmission window, we guarantee that its heat will go completely through the atmosphere: the object will get cooler! This is how we can turn water into ice at night in the desert.

Why don't we already make use of this phenomenon to cool everything?! Because it is called NIGHT Sky Effect.
During the day, the sun heats all the objects (Earth) that we may want to cool so much that the overall heat balance-sheet gets positive again. The night sky effect is not strong enough to counter balance heating from sunlight during the day.

5. Nanophotonics

Wouldn't it be cool to benefit from the Night Sky cooling Effect during the day?!
For this we need to "target" the infrared transmission window of the atmosphere.
Thanks to nanophotonics it is actually possible to design materials that radiate their heat precisely at the wavelengths that are best let out by the atmosphere.
It is like engineering a heat mirror: something that gets cooler when it receives sunlight! Or, very counterintuitively, something that gets cooler when it comes out of the shade!

Applications

Manufacturing techniques to build these materials already exist. This is also what Aaswath Raman explains in his TED talk.

Cooling panels

Such materials can be used to build "cooling panels" that are placed in sunlight. They can already increase the efficiency of cooling systems by 12%. In the future, cooling systems may require no electricity at all!

Integration with solar cells.

Solar cells get less efficient when they get hotter. So by integrating such materials into solar panels, we can improve their efficiency.

Heat engines: "generate light from cold darkness of space".

One can imagine using the temperature delta between Earth and Space to generate electricity! Or generating electricity when solar panels can't work.

Bitcoin mining

Kickstarterreum: Kickstarter on Ethereum

Kickstarter helps artists, musicians, filmmakers, designers, and other creators find the resources and support they need to make their ideas a reality. Potential future customers, 'backers', can contribute to a project to finance the development of a product.

Sounds awesome.

However, a fundamental problem for crowdfunding is how asymmetrical the risks faced by backers and founders are.

After having invested, backers don't get a say on how their money will actually be spent.
Worse: what guarantee do they have that the founder they backed will actually deliver what they promised, and not run away with the funds successfully collected from the backers?

Ethereum & smart contracts are a great way to get around these issues. Indeed, the collection of funds and the spending of collected funds get automated in a secure and decentralized way.

The risks previously faced by backers disappear because they get to vote on how funds are spent.

The smart contract application I deployed on the Ethereum Rinkeby test network fulfills the following:

  • [x] A founder can create a new campaign. He/she sets the minimum contribution amount for future backers.
  • [x] Anyone can back a created campaign, provided they contribute at least the minimum amount set by the founder.
  • [x] The smart contract controls the funds. Neither the founder nor the backers are able to take out or spend funds collected by the campaign.
  • [x] Only the founder can create payment requests. He asks the backers to agree on how to spend the campaign's funds and specifies the payment's recipient.
  • [x] Backers can approve payment requests (once each).
  • [x] The founder can finalize a payment request that has been approved by a majority of backers. This automatically executes the payment (transfers amount to recipient)
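The access-control rules in the checklist above, modelled in Python as an added example (this is not the Solidity contract from the repository): only the founder creates and finalizes requests, each backer approves a request at most once, a request pays out only once and only after a majority, and the contract alone moves the funds. Class and method names and the sample amounts are invented here, and "majority" is read as a strict majority of backers, which the checklist does not spell out.

```python
# Added example: a Python model of the campaign rules listed above, not the Solidity
# contract from the repository. Names and amounts are invented; "majority" is read as
# a strict majority of backers (an assumption the page does not spell out).
class Campaign:
    def __init__(self, founder, minimum_contribution):
        self.founder = founder
        self.minimum = minimum_contribution
        self.balance = 0       # funds are held by the contract, not by founder or backers
        self.backers = set()
        self.requests = []     # {"recipient", "amount", "approvals": set(), "complete"}

    def contribute(self, backer, amount):
        # Anyone can back, provided they meet the minimum set by the founder.
        if amount < self.minimum:
            raise ValueError("contribution below minimum")
        self.balance += amount
        self.backers.add(backer)

    def create_request(self, caller, recipient, amount):
        # Only the founder can propose how to spend the funds.
        if caller != self.founder:
            raise PermissionError("only the founder can create requests")
        self.requests.append({"recipient": recipient, "amount": amount,
                              "approvals": set(), "complete": False})
        return len(self.requests) - 1

    def approve(self, caller, index):
        # Each backer may approve a given request once; non-backers cannot vote.
        req = self.requests[index]
        if caller not in self.backers:
            raise PermissionError("not a backer")
        if caller in req["approvals"]:
            raise ValueError("already approved")
        req["approvals"].add(caller)

    def finalize(self, caller, index):
        # Founder only, majority required, and this is the only path that moves funds.
        req = self.requests[index]
        if caller != self.founder:
            raise PermissionError("only the founder can finalize")
        if req["complete"]:
            raise ValueError("already finalized")   # a request pays out at most once
        if 2 * len(req["approvals"]) <= len(self.backers):
            raise ValueError("majority not reached")
        self.balance -= req["amount"]
        req["complete"] = True
        return req["recipient"], req["amount"]

def demo():
    c = Campaign("founder", 100)
    for b in ("b1", "b2", "b3"):
        c.contribute(b, 100)
    idx = c.create_request("founder", "supplier", 150)
    c.approve("b1", idx)
    try:
        c.finalize("founder", idx)      # 1 of 3 approvals: rejected
        early = True
    except ValueError:
        early = False
    c.approve("b2", idx)                # 2 of 3: strict majority
    return early, c.finalize("founder", idx), c.balance
```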

Github repository
Demo video