Link to the YouTube video (the timestamps are based on this): https://youtu.be/HL3iLnZSpJU
Matt Odell [4:22]: I’m fortunate enough to have return guest and absolute legend Adam Back here. How’s it going Adam?
Adam Back: Pretty good! Never a dull day in Bitcoin land.
Matt Odell [4:32]: Never a dull day! That’s for sure. Before we get started: you just got back from Riga from the Baltic Honeybadger 2022 — how was that experience?
Adam Back [4:44]: Yeah! It’s been a couple of years, but it’s always one of my favorite conferences — very Bitcoin-focused. The HodlHodl team who puts it on does a good job of curating what kind of topics they want to see, and so they keep it informative and there’s some technical tracks and a medium size — so, not too large, not too small in terms of attendee counts — and so it’s a good place to have lots of conversations and see people.
Matt Odell [4:52]: I love the size! It’s the ideal size — it’s like 500 people.
Adam Back: Yeah. It’s great.
Matt Odell [4:52]: It’s a nice balance between a small event and a large event — super high signal. I was there in 2019 — truly a special experience! They do put on a good show. I was really disappointed that I had to drop out last minute due to family, but I will say: I was not surprised to hear all the good words after the fact — I had massive FOMO. I think at least the 2019 one — and from what I’ve heard it was similar this year — I think it’s the single best event of the year. It’s just a truly special experience, and Riga is just a really really fantastic city.
Adam Back [6:06]: Yeah. Well it was good to go back there anyway.
Matt Odell [6:09]: So Adam, we have many topics that I’d love to go over with you, but first and foremost, a topic that has been a major discussion on Dispatch partly because it feels like a lot of other shows don’t want to touch it because it is a bit of a sensitive topic is: since I last had you on we had this Tornado Cash sanction event where they sanctioned a smart contract on Ethereum that provided privacy to users. And they targeted the developers, they took the code off of GitHub, which is a centralized platform that hosted the code — it’s owned by Microsoft — and they arrested one of the developers in the Netherlands. I’m so grateful to have you on! I mean, you were involved in the crypto wars of the 90’s, which I personally think has never really ended — it’s just continued. And I’m curious on your thoughts here about the Tornado Cash situation similarities with the export controls put on PGP in the 90’s and — obviously this is an Ethereum tool, but — how do you think this impacts all the work being done on Bitcoin?
Adam Back [7:34]: Well, it’s certainly not a good direction. In terms of similarities, there is a little bit of similarity with the trouble that Phil Zimmermann had for a period of time when he got investigated for exploiting the implementation of encryption in PGP, which was export restricted at that time, and effectively the rules changed some years ago now. But nevertheless, the concept that a government or justice system could make an order telling somebody to unpublish code or modify code is a bit of legal adventurism, I would say. And I saw Coin Center pushing back against that strongly and looking to contest that. Now I think the other thing is that you don’t want a bad legal precedent of something to stand. And effectively the legal process itself — I’m not legally qualified by any means but just observing — it seems to be a bit chaotic with the general combative nature of common laws that the prosecution throws all manner of claims and the defense has got to try and counter or whittle them down. And you’ve got to assume that — just as a matter of course — the prosecution knows full well that most of the claims are exaggerated or outright false, and it’s just a way to land [a punch] somewhere. And unfortunately — at least in the US — it seems to be a lot of attempts to plea bargain so that somebody would agree to something that doesn’t really make a lot of sense, but they just want it to end from their own perspective. And that’s a recipe to get to a bad precedent. So I’m certainly hopeful that Coin Center and others put some effort into pushing back on a bad precedent getting developed here.
Matt Odell [10:05]: So at the core of this argument is that in America, speech is protected, and code is speech. That was the core of the argument back in the 90’s. Am I correct: Were you the one who printed the T-shirts with the RSA code on it?
Adam Back [10:24]: Yeah, that was me! Actually recently Blockstream did a re-run and published the old T-shirt — or a small modification of it — just for historic purposes, but I guess kind of topical to this development. And at the time, the point of that bit of code was to say: What’s the distinction between electronic publication and print publication? Or speech and a T-shirt? Something that’s small enough to print on a T-shirt is kind of silly to have speech restrictions on or writing restrictions on, none of which make sense in the US context. Now of course, Tornado Cash is more international in flavor, and I don’t know the specifics of the Netherlands. But I think another factor which you saw was: there was an Ethereum fellow who got himself tangled up in North Korea somehow. Some of the accusations are not public at this stage and from the outside we won’t know what’s going on exactly, but sometimes it can get blurred where maybe the person did something semi-related that is actually what got them in trouble more than the issue at hand which is of concern to the wider Bitcoin ecosystem.
Matt Odell [12:09]: Right. The particular case you’re talking about was Ethereum core developer Virgil Griffith, which maybe code was a portion of that situation, but ultimately he went to North Korea and I believe that the allegation, at least, is that he gave a seminar to North Koreans on how they could use it to evade sanctions, which is strictly illegal in America, at least.
Adam Back: Right. Well I think other countries too, yeah.
Matt Odell [12:43]: Yeah, so you’re basically saying that potentially there’s something that we don’t know about the Tornado Cash case, that it’s not just related to the code?
Adam Back [12:51]: Right, because I think prosecutors generally as a pattern — it varies by country a bit but we won’t know exactly if there’s some other issue behind it — I think prosecutors tend to like to pick cases where they think they have a reasonable chance of winning. And so some kind of combination case where somebody does something that’s clear-cut plus something they would like to push the envelope on — then they tend to pick those, which is unfortunate from our perspective.
Matt Odell [13:47]: So they can get some kind of legal precedent there. So there’s two elements here: one element is — from what I take from what you’re saying — is that 1) this should be fought in court and you think that, based on what happened in the 90’s, 2) the code side should be considered protected speech in America, and that should be defended in court and will probably be upheld.
Adam Back [14:12]: I certainly hope so! And I think that people in the justice system sometimes lose track of who they work for. Basically, they’re there to enforce societal norms, not to get into misadventures of eroding civil liberties and changing the balance of society. So I hope that is prevented here.
Matt Odell [14:40]: So that is one side. There’s a group of Bitcoiners — and there was a portion of the cypherpunks before Bitcoin even existed — that believe that we should be building systems outside of state control, outside of the legal system. Do you believe this is a dual-pronged front? You build the tools, you use the tools, but also you fight it legally through the necessary channels?
Adam Back [15:17]: Yeah, if you have to! I’m also a fan of the publish anonymously phenomena and have a decentralized system — which is the effect that Bitcoin has — because it’s not really possible for somebody to sue Bitcoin. Where would you start? That’s one of its strengths! And of course, the fact that Satoshi stayed anonymous, stepped away many years ago now — and so there’s not really anything in the way of a hierarchy or an identifiable control point I think is beneficial. So in a way this is a stress test of relative decentralization and will push privacy tech to be more decentralized.
Matt Odell [16:19]: So with you specifically in Blockstream, you guys have obviously been building in the open for quite some time now. Does this case change your viewpoint on building on Lightning, Liquid, other layer 2s, building on Bitcoin? Will we have more pseudonymous devs? More anonymous devs working on these systems? Do you think that’s what the trend is gonna be?
Adam Back [16:47]: I’ve said for a while: I think it would be good if Bitcoin itself had more anonymous developers, because it’s an extra layer of protection. And for Lightning itself, I think it’s quite decentralized — the infrastructure is operated by individuals such as it is: it’s all peer-to-peer. And you have self-custody, or a reactive security model version of self-custody. For more federated systems like Liquid — which is perhaps a bit more geared towards traders and providing an incremental security and confidentiality advantage over transacting on a single centralized exchange — then you are somewhere in that zone where you’re relying on a group of companies, basically. And so that is what it is, but clearly it’s a better protection against a centralized failure than trading on a single exchange, which is what most people do by volume.
Matt Odell [18:42]: Adam, you brought up Liquid — obviously Liquid is being built out and run in the open, the federation members are all known. There is a privacy component to Liquid with confidential transactions. Has this case changed your viewpoint on Liquid going forward? Or how do you think about that?
Adam Back [19:06]: Not too much, because the operators of Liquid are by and large exchanges or entities that are anyway providing some form of customer-facing service. And so there’s a possibility from time-to-time that companies like that could have users that become targets of different kinds of legal action. With Liquid, many of the network participants who operate block signers are already providing custodial service — in the sense of: if it’s operated by a Bitcoin exchange or something like that — and so of course it’s much harder for something like that to happen with Liquid because Liquid is operated by 15 or more different companies in different countries and so forth. So it would be — procedurally — much harder, and the UTXOs in it are not identified in the same way that the balance of a given exchange account typically has got KYC associated with it and so on.
Matt Odell [22:21]: One concept that I talk about a lot on Dispatch is this idea of trade-offs, particularly between convenience and security, convenience and privacy, convenience and censorship resistance. And with this Tornado Cash situation, specifically, a lot of people have said, Okay, we obviously have privacy tools that are used on Bitcoin: for collaborative transactions, we have JoinMarket — which does not have a centralized entity that runs it — but then we also have Whirlpool and Wasabi that use a centralized coordinator. And people say, Can’t that coordinator be targeted? The way I tend to look at it is: if we’re able to use more convenient options that have some kind of centralized element to them that make them more convenient, it behooves us to use those options while we can. But if push comes to shove and we’re not able to use those options for whatever reason, we can go towards less convenient, more censorship resistant, more robust options. Is that how you view Liquid? That: as long as this federation is legally allowed to stand as is, then maybe that’s enough and we get this convenience advantage. But if for some reason there are legal challenges or prosecutions or whatnot, then we move to more censorship resistant options instead?
Adam Back [24:03]: Yeah, there is something to be said for the parallel existence of more decentralized and censorship resistant technologies so that it makes it less interesting for some organization to try and censor the easy-to-use thing, because they know ahead of time that people will just switch to this other system. It’ll become a little less convenient, but they won’t be prevented from their activity. Now of course, Liquid’s main use case is transacting and limit orders and swaps and things in peer-to-peer non-custodial trades like on SideSwap and TDEX and Bitmatrix and things like that. It’s more about confidentiality: there’s a bit of indirect privacy because every transaction is like a PayJoin, because there’s enhanced ambiguity about the types of the assets in the transaction and the values of them. Whereas in Bitcoin — because you don’t have that confidentiality, being Bitcoin — then people analyzing the chain can draw some inferences from values, probably. So you get a bit, but people will use technology for what they find interesting to use it for — there’s so many people using Liquid for all kinds of different things. But I think the main use is these more decentralized-than-single-exchanges, less-custody-risk-than-single-exchanges trade-offs to reduce their single exchange custody risk.
Matt Odell [26:13]: So what you were talking about there — just to bring it back for the audience that might be a little bit confused — is: Liquid has something that you guys are calling confidential assets which is on top of confidential transactions. So when you send a transaction, not only is the amount hidden, but also what is being traded is hidden. So if it’s Tether, for instance, or if it’s Liquid Bitcoin on-chain, you can’t tell the difference. So if you make a transaction — when we talk about these chain surveillance firms — they’re essentially doing a probability analysis of whether or not money has changed hands, or if someone’s sending to themselves. And confidential assets breaks that probability analysis to a degree, at least as more people are using Liquid.
Adam Back [27:02]: Yeah. I was also a fan of PayJoin — formerly called Pay-to-Endpoint — and that was something that Blockstream helped organize a brainstorming hackathon workshop on, and a number of people that were interested in privacy tech like developers and protocol researchers came to that. And Pay-to-Endpoint, or PayJoin, was the idea that came out of it, which is basically that — and I believe the BTCPayServer actually implemented it in their wallet as well, and a couple of other wallets did — so the idea is that: as part of a transaction, there’s a benefit to the recipient to defrag their wallet a bit. I.e. to combine and tidy up their change. And so effectively they are opportunistically joining some of their UTXOs with a payer’s UTXOs, and that makes it a bit more ambiguous about how much is being paid and what’s change and what’s the payment. So I think that’s an interesting thing, because it’s possible to do that peer-to-peer between two wallets. It actually saves money — it reduces fees overall over time — and it’s an action that nobody can argue about. Like, Yes I want to defrag my wallet, and, Yes I want to make payments, and, Sure I want some privacy while doing that.
Matt Odell [28:42]: Right. So a normal transaction has inputs and outputs. The inputs are almost always the same individual — the sender — but in a PayJoin it’s a collaborative transaction where the receiver is contributing one or more of the inputs, so that when you’re doing the analysis you can’t just assume that all inputs belong to the sender, because it could be a PayJoin — it could be a collaborative transaction. We haven’t really seen that much adoption of PayJoin. Why do you think that is?
Adam Back [29:17]: I think most wallets are pretty busy keeping up with new developments like Taproot and descriptors. I would like to see more PayJoin integration — it’s something we want to get done in a Green Wallet as well. If you research, it’s possible to find 2–3 wallets that have it, so you can vote with your feet by adopting wallets that support it, or adopting self-hosted merchant tech like BTCPayServer that supports it and making sure the configuration is up.
Matt Odell [30:06]: Yeah it seems like there’s just a lot of friction there. Also, from my perspective, it also requires interactivity — you need the receiver to be online to do it, which works for in-person transactions. I know Samourai has their own implementation of PayJoin where essentially if you’re already making an in-person payment or a payment with someone you know, presumably they can be online for that payment when they’re doing the receiving. And with BTCPayServer, the idea was: if you have this merchant that’s already always online with a hot wallet because of Lightning, they could do the same with PayJoin and be ready to do the interactive transaction. It is a little bit disappointing that we haven’t seen more uptake of it. The general concept for the audience is: if we got 5%-10% of transactions to be doing this, it provides cover for the remainder because these surveillance firms can no longer assume for any transaction that the inputs all belong to the sender. Because the transactions by and far, for the most part, will look like a normal transaction — there’s not a clear distinction on-chain like you see with other collaborative transaction types like CoinJoin. So before we move on from Liquid, you guys just recently announced XDEX. Do you know anything about that?
Adam Back [31:40]: Yeah it’s another non-custodial exchange tech. So basically with a Bitcoin transaction there’s a simple rule that the inputs have to add up to the outputs, plus the change. And on Liquid that’s extended a bit so you can have different types of assets coming in: you could have some Tether coming into a transaction and some Bitcoin coming into a transaction — the rule is that the inputs of each type have to add up. And so a consequence of that is it’s relatively straightforward to make an atomic trade and actually to place a limit order. So even with a hardware wallet, you could approve a transaction and the keys never left your hardware wallet, and nevertheless you’ve got a limit order on a decentralized order book or even a centralized order book, but one that doesn’t have custody of your assets! And there are a few variants of that: one is the TDEX, and XDEX is another. TDEX is a Liquid and Bitcoin wallet and it has peg-ins. XDEX is a decentralized exchange system. Another one is SideSwap, and Bitmatrix is an automated market maker concept which is using similar tech. Basically the way that works is: if you wanted to sell a Bitcoin for $19,000, you would put 1 Bitcoin into a transaction and send the change to yourself, and then you would put your own Liquid address to receive $19,000 Tether out and you’d sign that part of the transaction with the right sighash and then you either broadcast it in a decentralized exchange network — the peer-to-peer network — or you give it to a bulletin board that manages an order book. And then anybody can take it! All they have to do to take it is put enough Tether in — anyone can spend that if you pay — and so that gives you the effect that you can actually place even out-of-the-market limit orders and just leave them sitting there, and if somebody pays for the price then the trade happens and it appears in your software or hardware wallet. If they don’t it just stays there, and if you want to cancel it you either rely on a centralized order book manager or you double-spend yourself to robustly get rid of the transaction.
Matt Odell [34:30]: So, to compare that to something like ShapeShift or SideShift.ai: those platforms allow you to go to a website and trade one asset for another asset — they’re custodial in nature. You’re essentially trusting this centralized entity to hold your funds in that interim period. The transfers go through pretty quickly if it works — if everything goes according to what they say is going to happen — but you have a moment of custodial risk. With this setup, my understanding — correct me if I’m wrong — is: you’re trusting a centralized entity to coordinate and matchmake, but you’re not trusting them with custody of the funds. Correct?
Adam Back [35:17]: Correct. The private keys for the coins stay in your software or hardware wallet, and the infrastructure to match the trades are XDEX, TDEX, or centralized in the case of SideSwap — now SideSwap is also a mobile app and a desktop app, but because the order book is non-custodial, it’s much easier for them to operate it with simpler licensing or no licensing.
Matt Odell [35:53]: So to bring it back again: if you had an outstanding limit order on Bitfinex, while you’re waiting for that order to get hit, you have custodial risk. But in this case you could have an outstanding limit order — if Bitcoin hits a certain price — without actually putting anything up for custodial risk.
Adam Back [36:14]: Yeah. If you’re trading, you’ve also got to think about how long you’re exposed. If it’s an immediate swap — I want to sell at the current market price and swap some Bitcoin for Tether — and you do that on SideSwap or ShapeShift, your exposure, like how many minutes your custody is exposed, is probably under a minute. It’s pretty fast! But with these limit orders, they could sit there for weeks or months and so then people start to get nervous. They think, Well maybe I shouldn’t put the coins in the exchange, in custody risk — I will monitor the price and put that on later if it happens. So you get this trade-off where the exchange liquidity — to be robust against flash crashes — is pretty thin because there’s a point where they think, if their trade is unlikely to happen, they don’t think it’s worth the custody risk. And so some of the exchange order books are a bit vulnerable to flash crashes where they’ll fall below — I think Bitfinex is generally pretty robust because there’s a lot of pro traders and bots and market makers and algo traders and stuff that will arbitrage against other platforms or make decisions. But some of the more retail exchanges will just flash crash $500 or $1,000 below the Bitfinex next price, and that’s partly because people don’t want to leave out the money limit orders on there because they’re worried about custody risk. So I think this could help, as well as reduce the risk of something like QuadrigaCX happening to you, which you never know! Ultimately, even if the exchange is not doing something untoward like QuadrigaCX, there’s always a small risk that they get hacked or an insider hacks them or something. So this largely takes that out.
Matt Odell: Or if they get shut down or something like that?
Adam Back [38:21]: Right — that’s happened too. I think BTC-e may have had that problem: the regulator seized the exchange at some point.
Matt Odell [38:35]: Yeah, they stormed his vacation house in Greece and they drove an undercover car through the gate and he walked out in his robe while he was still signed into his computer and they seized everything. So it seems pretty obvious to most people watching Liquid development that Liquid has not really gotten much adoption. Do you think things like XDEX will increase that adoption? What do you think is the reason why so few people seem to be using Liquid right now?
Adam Back [39:14]: Yeah. I mean I think it’s somewhere in the region of Lightning by value but not by volume. Bitfinex published some data — they have both Liquid and Lightning integration — they said the value was similar but the average Liquid transaction, like the Liquid deposit or withdrawal, was larger than the average on-chain Bitcoin one. Whereas the Lightning ones were on average much smaller. So I guess that says something about: people are interested to hide values when they’re doing larger things, perhaps? And these decentralized order book technologies are relatively recent: SideSwap dropped on the market last year — it’s not something we were aware that was in development but they released this thing and it had the trustless limit orders in it, which is pretty cool. And they’re continuing to innovate on that to make it more convenient — they’ve recently added desktop support. So I think that the technologies are reaching maturity, and there’s a potential for an existing custodial exchange to mix these type of orders, because they could be the maker or taker against a trustless trade from their online order book as well. So one way to look at it is: once it’s available on a platform where you can switch to a platform that has reasonable liquidity and market making, why would you go back? Because the custody risk is something that worries most traders, or it should. And so if you can get the same kind of service for the types of trades you do without having that — and particularly if it has hardware wallet integration — that’s a pretty nice situation.
Matt Odell [41:09]: To be 100% clear here: using Liquid rather than using on-chain Bitcoin or using Lightning brings additional custodial risk to the end user, because if you use Liquid, there is an element of custodial risk — it’s just minimized because it’s a federation. It essentially can be treated like a multisig custodian. But if you look at it from a trader perspective, their current option is a purely custodial platform with a single custodian, so they have a strong incentive — a strong advantage — to move over to Liquid tools because that custodial risk is greatly reduced, and they have additional privacy. Would you agree with that?
Adam Back: Yeah I agree with that. It’s clearly a significant incremental improvement for a trader, because for something to impact their coins would require cooperation from lots of services globally — some threshold of them. Now I think there’s also something subtle about custody versus some kind of automated peg: usually when people talk about custody they’re thinking about something with human discretion and identity and stuff involved. You’ve got something like Lightning which is automated and people are running nodes — you can create a Lightning channel and you can close down a Lightning channel and so on. Whereas in Liquid you’ve got the peg. And even though the peg is not purely software — that HSM has been operated by exchanges in different parts of the world — it’s nevertheless unattended, fully automated, and even the operator of it, if they want to override its behavior, they have to tamper with the hardware. So it’s a different trade-off: it’s not as decentralized as Bitcoin, but it is unattended. That’s where that terminology “functionary” comes from, which is: something that sits there and does a task in an automated system.
Matt Odell [43:28]: Got it — that’s an interesting point. We have OrangeSurf in the Matrix chat: he made an interesting point — just to go back to our PayJoin conversation real quick — that if you copy a BTCPayServer payment link and they have PayJoin enabled and you paste into Sparrow Wallet, it will automatically use that by default. And he recently changed how that is visible on BTCPayServer’s side so it’s more visible. Hopefully that will result in more people using it. He also has a question for you, Adam: he wants to know if you think it’s practical for people to contribute anonymously if they’ve already contributed publicly, previously?
Adam Back [44:14]: Yeah I think so. You just don’t want to be too chatty: talking about non-technical topics or writing long form text I think is more likely to reveal stylometry — and there is an analogy for coding style. But in a project like Bitcoin, people usually try to fit in with a style of surrounding code anyway, so I think that’s plausible. And any developer is going to have some kind of developing history — typically some open source history — but it’s great if somebody new to the ecosystem who hasn’t written open source code starts that way as well. I think it’s all valuable and it insulates Bitcoin from political pressure that could be put on individual developers. Ultimately, I think Bitcoin is fairly well insulated from that, because: the binaries have to get built from the code, there are lots of people reviewing it, there are lots of people cross-verifying the deterministic builds, and it’s relatively implausible that users would refuse to run it if there was something bad. But still, it’s good to have developers who are not impacted or having to be concerned about these kind of issues.
Matt Odell [45:50]: Yeah I think this goes back to what we talk about a lot on the show — just in general — that most of the stuff is not black and white: if you can make certain improvements like contributing anonymously separate if you’ve already contributed from your known legal identity, that’s still an improvement even if it’s not perfect. There are obviously areas where you can make mistakes. Like Adam said, we’ve seen that with Satoshi — people trying to unmask Satoshi going back and going through miscellaneous writing and stuff like that to try and compare that to other sources of information. So the more information you have out there with your legal identity, the more likely it is that that can be attached to your pseudonym. But it’s just straight up a net improvement at least on the plausible deniability side, probably, for a lot of these contributors if they choose to contribute anonymously in addition to contributing publicly.
Adam Back [47:02]: Yeah, the confidential transactions — and I’m talking about things like PayJoin and CoinJoins in general — bear in mind that I originally proposed confidential transactions for Bitcoin as a way to improve privacy in Bitcoin itself, and then I found that because it’s a relatively complicated change, it’d be difficult to get that integrated into Bitcoin and so I tried to find ways to make Bitcoin more modular, which is how we came to be working on sidechains to do that. And so then we were able to get confidential transactions in the sidechain, but I remain hopeful that eventually the Bitcoin main chain might get consensus to integrate confidential transactions for Bitcoin directly. And the beauty of that for protocols like PayJoin and CoinJoin is that every join is perfect because you don’t have to worry about values giving the game away at all, because it’s only visible to the sender and receiver.
Matt Odell [48:10]: I’m glad you brought this up because I wanted to bring it up: you had mentioned something similar in our last epic 3-hour rip and you mentioned it in the middle and it’s a very controversial topic and you kind of got a pass on it! I don’t know if people missed it or just the fact that you’re an absolute legend so you’re allowed to talk about controversial things without people going crazy but —
Adam Back [48:38]: Well they should critique me because that’s part of the, Don’t Trust, Verify, right?
Matt Odell [48:46]: That’s what we appreciate about you! You said specifically: not only would you like to see confidential transactions on Bitcoin, but you coupled that with another controversial statement which was that we could increase the block size as a result because we’d be less at risk of miner censorship. Do you still stand by that? You’d like to see both happen on Bitcoin?
Adam Back [49:15]: Yeah, I would like to see confidential transactions, and of course the downside with confidential transactions is the transactions are a bit bigger because of the range proofs. And so with SegWit there’s a space reserved for — I mean it’s not a separate data stream, but — there’s a different discount for witnesses i.e. the signatures, and with confidential transactions you could potentially have an even more discounted witness space for the range proofs. And so that would give you potentially more data — which in literal terms is more data transferred per block — but that might be useful to get people to want to use them, because otherwise what will happen is it will reduce the number of transactions you can get done per block, because they’re bigger. So they’re a bit interrelated. And the argument is — as you reminded the audience — why do we not want too much data? It’s so that we avoid the risk of selective censorship coming. And if there’s more privacy, that’s another way you avoid selective censorship. Somebody who wants to censor something can’t figure out what’s going on so they don’t know what to censor. And so that’s maybe a bit of a boost to censorship resistance to offset some of the increased data footprint.
Matt Odell [51:08]: Yeah. Just to bring people back if you were not around during the 2017 Block Size Wars — the basic premise is: the more bandwidth required, the more data being transferred, the more likely miner centralization happens and we have less distributed miners. And then as a result: if you have less distributed miners and less people being able to use their own node because of higher data requirements, it would result in more censorship because it would be a more centralized system. But your thought process goes: if we had confidential transactions there — even if mining became slightly more centralized — those centralized miners would not be able to pick transactions to censor because they wouldn’t really know what was happening.
Adam Back [52:05]: Yeah, to a certain extent. And so you could think about that as an offset. And of course: it’s a bit of a gray area to argue if it’s a net win or not. People would have to develop an opinion about that.
Matt Odell [52:25]: And so the main argument against confidential transactions on Bitcoin is that it’d be harder to detect unknown inflation happening with Bitcoin. What do you say to people that levy that argument?
Adam Back [52:40]: Yeah it’s a valid concern and it just seems that some altcoins with more complicated forms of privacy have near misses in that regard. With confidential transactions, there are two versions: one which uses ElGamal commitments where you mathematically prevent inflation — like, inflation is not possible — and Pedersen commitments where, if ultimately Schnorr signatures were broken in the far future, then inflation could become possible. And that’s all excluding software bugs. The technology for confidential transactions sounds counterintuitive, but actually the building blocks are basically the same as Schnorr signatures and ECDSA, so it’s using quite conservative cryptography assumptions.
Matt Odell [53:43]: Correct me if I’m wrong — the latter, the Pedersen commitment model is what Monero’s using right now, right?
Adam Back [53:50]: I think so, yeah. And it’s actually what Liquid uses as well, coincidentally. And I think that’s an okay trade-off for Liquid, because in Liquid you’re not really looking to do cold storage — you’re more looking to place trades that probably won’t sit there for too long.
Matt Odell [54:07]: And what’s the advantage of using that over the ElGamal version?
Adam Back [54:13]: The Pedersen commitment version was just developed earlier. The ElGamal commitment version came a bit later. Also, ElGamal is a little bit bigger so there’s more —
Matt Odell: More data.
Adam Back [54:30]: Yeah, just incrementally though, so it’s not prohibitive.
Matt Odell [54:34]: So if we were to see confidential transactions on Bitcoin, that would be a hard fork. People need to remember that anyone can fork Bitcoin whenever they want to fork Bitcoin without permission.
Adam Back [54:49]: It’s a bit of a gray area whether that’d be a hard fork or not. Felix Weis had proposed a way to soft fork confidential transactions. It was a bit complicated, but it looked to kind of work! So there are a couple of avenues where it could be soft forked, and then of course it could be done in a slightly simpler way with a hard fork. So yeah, maybe it could be a soft fork.
Matt Odell [55:20]: Realistically speaking: do you think we will ever see that?
Adam Back [55:31]: I’m not sure. I think one other track is through Simplicity, and that may actually be more attractive to people in a way. Simplicity is a second generation scripting language which was designed for Bitcoin and has also been worked on for Liquid. And that is lower level and brings a security and formal proof focus to low-level bit or logical level language to Bitcoin in the future which allows extensibility so that something like the Schnorr signature could be implemented from scratch. And it has this concept of jets which are access to lots of lower level libraries, so the actual implementation of something like Schnorr remains remarkably compact. The point there is: something like Simplicity would probably allow enough extensibility that confidential transactions could be implemented, as well as covenants and many other things that people might want to try. Now of course this is still some distance away! Simplicity is not in Liquid yet but we’re hoping to get it there later this year so people can try it out. Eventually I think Simplicity is potentially the best option for ossification of Bitcoin because it enables this extensibility. So it could be the last soft fork sort of thing, right? And so that might be an easier topic for people to get consensus on, is: introducing security and formal proof-focused extensibility into Bitcoin.
Matt Odell [57:35]: What would that look like in practice? You’d basically have the option of using confidential transactions? Or the option not to?
Adam Back [57:44]: Yeah. Simplicity is very conceptually similar in terms of UTXO organization — and it’s soft forkable itself as a new Tapscript or SegWit version and it just has a different encoding and a low level implementation — and then the Bitcoin wallets tend to have a form where the recipient is going to choose his own spending scripts and the sender may not even know what it is because it could be hashed. And so if users want to opt into some scheme that requires both sender and recipient, then that’s going to work between them, and people who don’t have that will get a non-confidential output — which is possible with confidential transactions: you could mix confidential and non-confidential.
Matt Odell [58:42]: That’s interesting. So we have OrangeSurf again in the Matrix chat asking: Would CT implemented using Simplicity result in very large scripts?
Adam Back [58:56]: Maybe not so large, because you would be relying on jets, which are library calls to big number libraries, big arithmetic operations. And so at the highest level: if all you’re doing is gluing together hashing and big number operations and elliptic curve [inaudible 59:19] and things like that, then the program is quite small at that point. And it is log scaled, so if there’s anything repetitive about it, it generally gets smaller by a log scale.
Matt Odell [59:36]: Got it. But in practice: if you were using confidential transactions in this way, you’d be paying higher fees than if you were just doing a regular Bitcoin transaction?
Adam Back [59:50]: Yeah, that’s just a side effect of people using different transactions that applies today, but in the specific context of confidential transactions, some people have offered the opinion that the fee should be the same whether you use it or not to encourage people to use it. Because you get more privacy and confidentiality if everybody’s using it, and if the fees aren’t higher for using it then you might as well use it kind of thing, right?
Matt Odell [1:00:29]: Right. There’s two trains of thought: if you make privacy cheaper then more people will use it, but if you can make it at least the same cost then also more people will use it. That’s interesting. So just to put you on the spot here: 10 years using Bitcoin with confidential transactions — how likely is that percentage-wise? Is it greater than 50% in your mind?
Adam Back [1:01:01]: Yeah, maybe that would be around that range. Bitcoin development is very methodical and this has happened before in the sense that Liquid had Schnorr signatures — well, Elements, the open source part of Liquid, the base that it’s implemented in — had SegWit and Schnorr signatures in the past, and that itself took 5 years or something until there was a concrete proposal. And the version that Bitcoin has actually improved and fixes some limitations with that early version. So I think Liquid has shown itself useful as a test bed in a way for live value and new features. So, possibly! If Simplicity is palatable and interesting to people, and they’ll get confidence in the security assurances that it provides, then a lot of things become possible to innovate on faster in a permissionless way.
Matt Odell [1:02:15]: So the way I look at it is: one of the main value props of Bitcoin is that it is extremely hard to change. And as a result — for changes to happen — there needs to be a ground swell of support. There needs to be overwhelming support for a change to happen. And it’s hard to measure that overwhelming support, but when I look at the privacy situation with Bitcoin — obviously it’s a major focus of this show and my time — I view it as: if we start to see more state attacks, which I expect, on individuals, Bitcoin is very robust at the protocol level against states, but at the individual level there’s a lot of privacy vulnerabilities of people getting pressured. If we start to see more of that happen, then all of a sudden there will be more support and more momentum to improve Bitcoin privacy guarantees. Would you agree on that thesis?
Adam Back [1:03:15]: Yeah, I think so. You certainly see that with the way the human part of Bitcoin antifragility works. For example: that after the big block situation, the big block debate drama was resolved, you saw — since that point — a lot more initiatives towards running full nodes, education about that, improved ease of doing that, and a whole push to do that! And those are, in part, reactive: if you verify with your own node then you’re much better protected against unwanted protocol changes. So I do think the system learns, and the antifragility is people adopting tech and pushing for educating the wider community to adopt things and change things.
Matt Odell [1:04:11]: And then in turn, more robust as a result. Just to change gears here a little bit: since you were last on, Blockstream has provided open source funding to this new concept originally called Minimint and now it’s called Fedimint. Since then, a for-profit company has also been spun up called Fedi that is leading the charge here in terms of development and rollout to users. They expect to have a wallet in people’s hands by the end of the year — maybe early January. What are your thoughts on Fedimint as a concept?
Adam Back [1:04:59]: Yeah it’s interesting and it has led to some different trade-offs being considered that hadn’t been really contemplated before. The original idea with the federated Chaum mint was as a very private — in terms of privacy — Bitcoin denominated utility coin. And so we’d contemplated being able to redeem it for Blockstream swag and services like data on a satellite, buying T-shirts, buying hardware wallets, buy mining. And of course, because it’s peer-to-peer and respendable, people could use it for other website integrations and things like that. So we had approached it from that point of view originally, which is a little bit more centralized and has a clear trust story, which is: Well, as long as Blockstream honors the selling them to you, you could reuse them, gift them, and potentially redeem them. And there was a prototype of that that Greg Maxwell had implemented I think around 2015–2016 — something like that. But that was just at the library level. So since the refresh of that idea and Eric [Sirion] working in our research team to tie it to the federation — I mean, the original one was just library level, but to make it work concretely you have to have the coordination mechanism for a federation to have a group of people’s nodes sign it, so there’s a bit of coordination glue in that. Coincidentally, it’s the same kind of logic that Liquid uses to coordinate block signatures and things like that, so there’s a bit of overlapping tech there. And then arose the idea that communities of people could run the nodes, which is a new concept, and of course it has its own trade-offs but it’s nevertheless quite interesting and a new experimental trust model, if you like.
Matt Odell [1:07:22]: A key aspect of the Fedimint proposal is that they’re interoperable with each other — all the different Fedimints are interoperable with each other using Lightning. Going in and out of Liquid has obviously been a pain point, I think, in Liquid adoption. Do you think Fedimint might find greater success because of that interoperability built in?
Adam Back [1:07:54]: Yeah, I think the idea of gluing things together with Lightning is quite interesting, because at the starting point the eCash tokens on different Fedimints would be incompatible and not directly acceptable, but then you get an arbitrage or exchange process where different Fedimints can accept Lightning deposits and withdrawals, and that becomes a rapid way to do that. I think another interesting potential which has been less discussed, but something that people were chatting about during the Baltic Honeybadger Conference last weekend, is the idea that the Fedimint federation — it’s issuing eCash coins with privacy from a federation — that those could potentially be simultaneously issued into Liquid as an issued asset, and that the Fedimint federation could offer to convert between a Liquid-issued asset and an eCash coin. And so those could become another kind of connecting technology so you can move assets backwards and forwards using Lightning or using Liquid. And to put that in context: another design aspect of Liquid which is probably less well known is that there are two functions which are separable. So there’s 1) the federation that is signing the blocks with a multisig and the HSMs, and then 2) there’s another federation which is managing the peg wallet — and in principle they could be different federations. In today’s Liquid configuration, they’re the same federation. And so the idea here is that you could actually have multiple pegs and they could be managed with that same code or they could be managed in a different way — the same code could be managed in a different way where a given Fedimint just issues Liquid tokens which represent a claim on the Bitcoins that it has in its multisig wallet spread across the federation. 
So that would be an interesting additional two-network visibility of the same issuer coins that are backed by Bitcoin, and also a way to use the decentralized order books we were talking about like SideSwap, and you swap Liquid Bitcoin for [other assets]. Some of these wallets like TDEX actually have the ability to do a trustless peg-in — so you can peg Bitcoin into Liquid Bitcoin — and SideSwap has a way to swap Bitcoin and Liquid Bitcoin bi-directionally as well.
Matt Odell [1:10:51]: So in practice Fedimint wallets could be a convenient and relatively private way of moving back and forth from Liquid and Lightning or on-chain Bitcoin?
Adam Back [1:11:04]: Yeah, I think it’s interesting to see interoperability and new configurations arise because it could be convenient to different people. For example: what Bitfinex reported about the typical transaction sizes on Lightning versus Liquid versus main chain, that they saw larger transactions on Liquid, medium size on Bitcoin, and smaller on Lightning. So that could allow different size of transactions to transact perhaps, where it might push the limits of Lightning liquidity, let’s say.
Matt Odell [1:11:46]: So the major trade-off with Fedimint wallets will be essentially custodial risk. Now that custodial risk is attempted to be minimized because — ideally — multisig custodians will be used: you’ll need a quorum, you’d need a majority of those federation members to get a rug pull or to have them exit scam and take your money. But also at the same time: if you have that majority, they can inflate the supply of the eCash tokens — the internal tokens within the Fedimint wallets, which is like a more quiet rug pull. What do you say to people that say that the Fedimint design is dead on arrival for that trade-off?
Adam Back [1:12:38]: It is a trade-off. I think it has some advantages as well as having that trade-off: one is that the reason — that you articulated — that it could suffer from inflation is a side effect of the privacy and the fact that it’s not really a blockchain so it’s not auditable. It’s to do with the unlinkability of the eCash coins. Of course, you do get the benefit of a federation, so you have to have a high degree of collusion before that could happen. I think some things could be done to harden it: we’ve been interested for a while to provide Liquid functionary hardware to developers as a programmable HSM, and with that you could use some extra features, you could use the tamper resistance, some of these chipsets have TPM remote attestation so it’s basically a way to provide hardware-assisted assurance of what code is actually running on the HSM. I know it’s a bit of a foreign concept for people that a distributed thing could be running HSMs, but why not? Effectively, something like the ColdCard auto signer is a kind of HSM that you can buy — a very small one — and implement things on. And actually Intel and ARM chips have some basic TPM security functions on them so you can make use of them additively.
Matt Odell [1:14:22]: Right. So that trade-off can’t be removed completely, but the risk could be mitigated to a degree.
Adam Back [1:14:30]: Yeah. The other context is: people have looked at Lightning versus Liquid, and Lightning is bearer self-custody — you’re not trusting any other parties — so that’s on the trust dimension, but on the security dimension you’re ultimately running a hot wallet. Whereas I think Liquid has arguably better security assurances but lower trust assurances, so there’s some kind of trade-off in the different dimensions, and so it really ultimately depends what you’re doing. And you can get some of those benefits of hardening for Fedimint too. But yeah I think you need to pay a bit of attention as to who’s operating the federation. Now in the case of Liquid it’s clear: it’s an identified set of companies where they are providing exchange services, typically, so they wouldn’t want to exit scam because it would impact their main business. Whereas with a Fedimint, if it’s people trusted in the community, there’s a risk that somebody from outside the community might trust the wrong person or something.
Matt Odell [1:16:03]: Right. I expect there’ll be many different federation models using Fedimint — some will be public, some will be anons, some will be small community leadership, some will be a combination of the above, and end users will essentially choose what they prefer.
Adam Back [1:16:22]: Yeah I was thinking it might be interesting for a hybrid between companies and individuals — but not too many companies, so the companies in isolation couldn’t freeze funds, basically — and then they could provide a bit of security assurance without being a freeze risk.
Matt Odell [1:16:48]: You could actually set it up so the individuals couldn’t collude on their own either — they would need companies, so then both sets of entities couldn’t do it without someone from the other side defecting.
Adam Back [1:17:02]: Yeah. I think you need one to be larger to override the other, because if companies wanted to freeze things then the end users — power user type that uses nodes — need to be able to override them. And that means that they can still exit scam but it’s just harder because they have to reach a higher threshold.
Matt Odell [1:17:30]: In general, would you agree with the premise that: the ideal situation is that Bitcoiners have many different tools with many different trade-offs and they’re able to choose which tools fit their needs best?
Adam Back [1:17:42]: Yeah I think so — it’s certainly desirable! One observation which I learned over the years and we saw repeated at Blockstream is that you learn by doing, in the sense that: we build something now and it improves our understanding of the system behavior and sometimes leads to ideas that were not previously known of how to improve them. For example, with confidential transactions, Greg Maxwell and myself tried to size optimize it — to make the range proof smaller — and then ultimately Peter and Greg went to see Dan Boneh, one of the academic crypto researchers in the Bay Area, at a university there, and explained the problem statement. And out of that conversation and collaboration ultimately came Bulletproofs, which was a lot more! It was something that people hadn’t envisaged, which was a SNARK-like construct but using the same kind of conservative and simple security assumptions that Bitcoin uses. So I think by building things and trying things we might arrive at something beyond — that’s more than the sum of the parts. So yeah it’s got some trade-offs, but now that we’re looking at the trade-offs closer and thinking about them in a different way, maybe ultimately we make a new leap or we see more end user adoption and programming around TPMs, which: even though the technology’s been around, they haven’t been that widely used for peer-to-peer security protocols, for example.
Matt Odell [1:19:32]: That makes sense to me. Okay, let’s change gears again: to people who haven’t been paying attention, it might not be obvious to them, but I have noticed that y’all at Blockstream have gone pretty hard into mining — you’re almost a Bitcoin mining company-first now. You recently — I don’t even know when it happened, maybe it happened a year ago — you guys acquired Spondoolies, an ASIC manufacturer. What is the strategy over at Blockstream with mining?
Adam Back [1:20:11]: Yeah, so generally we’ve been focused on decentralization, privacy, and defending, hardening, and improving Bitcoin. And actually from the initial launch of the company in 2014 we already thought to do something, as I thought about how improved mining would be if every company in the ecosystem that’s doing things related to Bitcoin — whether it’s an exchange, etc. — did a bit of mining, then mining would be more decentralized. And we started doing it after some time and then expanded that to providing hosting to other companies, which has been a great area for us over the last few years, to the point that we’re managing quite a lot of megawatts — in fact, more than some public mining companies even though we’re a private company so we don’t disclose the actual data. And so one of the obvious areas of concern which has been escalated by the final, actual attempted ban of mining in China — there were threats of that for many years but finally something actually happened that visibly moved the hashrate and saw relocation of equipment — is that China became a little bit more hostile to Bitcoin or specifically to Bitcoin mining. And yet most of the equipment that people are mining with — the boards are actually manufactured and assembled in China by Chinese companies — so there’s a little bit more of a geopolitical risk there. And also just for diversification, it would be good to have a miner manufactured more internationally. And so we had actually mined with some of Spondoolies’ equipment back some years ago and quite liked it — it’s a rack mount form factor, high build quality — so a different form factor, more data center and fitting in standard racks, that kind of outlook. And so we got the opportunity with the B Round Q3 last year to bring them into the Blockstream fold, and they’ve been doing their thing and making an ASIC, making a miner. 
So that’s something that’s ongoing and we hope to have more progress on that that we can talk about going into next year.
Matt Odell [1:22:45]: But you guys plan on releasing your own ASIC?
Adam Back [1:22:48]: Yeah. Actually the whole system: the ASIC, the finished miner, the control boards and everything that goes into that. Of course, we favor the open source approach, quite like what Braiins has been doing with their open firmware, so we’d probably look to collaborate with them on that.
Matt Odell [1:23:06]: That’s exciting! I’m looking forward to what you guys build there. So on the mining front I’ve been going down this thought experiment with a lot of my Bitcoin buddies and I’m curious on your opinion, since I have you: in 50 years, what do you think the total percent of energy consumption in the world will be dedicated to Bitcoin mining? Out of total energy consumption, what percent will go towards Bitcoin mining in your mind? Just a rough estimate? We’re not going to hold you to it in 50 years!
Adam Back [1:23:50]: It’s hard to project that far forward, but I think it’s certainly a lot less than what people would assume, because it’s a commodity economic situation. So if people push up the hashrate too much the profitability drops and the hashrate drops, so it’s in an equilibrium. And of course the halvings happening over that time period would start to reduce the number of coins mined quite a lot, as that exponentially reduces. And then the final thing — which is a big area of unknown — is: What is the top of the S-curve? How much of global monetary use does Bitcoin capture? Do we end up in the Saifedean Ammous situation with a new gold standard being Bitcoin? But I think even in that case — which in today’s money is in the several-hundred-trillion-dollar range — you can estimate based on future difficulty and many halvings in the future and that price point, that it’s quite practical. And the other point is that: typically, civilization grows along increased power. So wealthier countries have more available power, and wealth generation is correlated with access to power and new types of power. So I hope we have a future where humanity will develop a lot more power resources from various sources — whether that’s nuclear, fusion in the future, solar, wind, hydro — there’s an enormous amount of underused power in the world. To give an example of underutilized power: we have one data center in Montreal, Canada, and the Quebec province of Canada has a lot of hydro resources — I think it’s something like 65 hydro dams — and most of that power is unused! And there’s actually enough unused hydro power that’s connected to the grid and ready to use that it could power the entire Bitcoin network just out of the unused power. Of course there are lots more hydro resources globally both constructed and untapped, so even on the hydro side there’s a lot of upside. 
And of course, I think Bitcoin is a great vehicle for providing the business fundamentals to fund building more power infrastructure, to drive economic growth for the future.
Matt Odell [1:26:53]: Adam, I appreciate your deliberate and insightful answer there, but I’m gonna have to put you on the spot: do you think it’s gonna be less than 5% or more than 5%?
Adam Back: Less than 5%.
Matt Odell [1:27:03]: Interesting. Okay, well we’ll readdress this in 50 years and we’ll see how close you were! I think it’s just a really interesting thought process, because you see the Elizabeth Warrens of the world — a lot of the anti-Bitcoin, anti-Proof of Work people say that Bitcoin is going to consume a lot of energy, but then you talk to some of the most bullish Bitcoiners particularly in the mining space and they almost uniformly say under 5% — there’s a massive disconnect there.
Adam Back [1:27:45]: As you see in the Quebec province of Canada: government policy is often misaligned with their stated intent. It’s hard for governments to operate as efficiently as a free market and so they’re foregoing economic activity for the Quebec province to the tune of billions of dollars per year because they’re choosing not to sell power. It’s almost entirely hydro, so it’s pretty much neutral environmentally, because the heat is dissipated anyway because they just open up the sluice gates and pour it downstream on all these dams. So I think that is a source of economic wealth that could be used to further expand power infrastructure, increase employment, bring wealth and jobs to the region. And ultimately: those jobs go to other regions — and that’s how things evolve.
Matt Odell [1:29:01]: Yeah, from my thought process — why it might be higher than 5% — is: Darin Feinstein of Core Scientific released some stats on wasted energy and lost energy in America, specifically, and it was significantly more than 50% is lost or wasted. So in my mind, I feel like Bitcoin eats a lot of that waste because it provides a direct financial incentive, so I do wonder — in the commoditization of ASICs, when ASICs have much larger life cycles, they’re easy to acquire, they’re incorporated in a bunch of different things that we use on a day-to-day basis, specifically in my mind I’m constantly thinking about water heaters heating your home — I feel like Bitcoin will dominate a lot of that current waste that’s happening because there’s a direct financial incentive. So that’s where I come from when I think it could be higher, but I guess we’ll see — we’ll find out.
Adam Back [1:30:12]: Yeah I think some of the waste is because some types of power source are slow to start and stop, and then you’ve got an excess people get paid negative power rates to get rid of — you put space heaters outside and heat the environment with or something, or burn off gas [flares] and things like that which is not so great for the environment. Some of the other power sources don’t have that problem — they’re faster to spin up and down, so maybe that’s an evolving thing too.
Matt Odell [1:30:52]: I have another question for you from the Matrix chat — this comes from Communer — he was wondering if you’ve ever read the book, The Mandibles?
Adam Back: I have not.
Matt Odell [1:31:04]: The Mandibles is a book that I’ve been talking a lot about because it goes through a hypothetical situation of the US going through a hyperinflation event. And there’s just a lot of similarities to what we’re seeing today. But I encourage all the freaks to give it a read — it’s an interesting thought process. And you, Adam — I don’t know, you’re a busy man. So maybe the audiobook. I just want to thank you for joining us! I know time is scarce and I really do appreciate your thoughts and I appreciate all your contributions to the space. You really are just an amazing human being, and we really do appreciate you — I think I speak for all the freaks. I like to end this show with final thoughts from our guests: so Adam, do you have any final thoughts for us?
Adam Back: I think that Bitcoin’s drive for progress is [what gives it] the antifragility. It’s the combined enthusiasm and energy of all the Bitcoiners. So I think we’re going to win, basically, because it’s like the mind virus that captures everybody’s imagination and pulls more and more people in. Of course the price is volatile, but that’s a short-term thing. In the long-term, a lot of the adoption metrics are still pretty impressive — over the last year, even.
Matt Odell: I love that as final thoughts: we are going to win — we’re going to win, freaks. And it’s an honor and a privilege to be a part of this movement with all of you and Adam. I just want to thank Adam again for joining us. I want to thank all the freaks who joined us in the live chat — you guys make this show truly unique. I want to thank all the freaks who continue to support the show, whether that’s through sats, direct financial support, or whether that’s through subscribing to the show on your favorite platform, leaving a review, sharing with friends. It really is appreciated and I couldn’t do without all of you. With all that said: Cheers! Stay humble and stack sats. Thanks Adam.