We sit down with John Reynolds, a Product Manager at privacy-focused developer platform Aleo, to discuss leveraging zero-knowledge cryptographic solutions to help secure information while also providing privacy. John explains how his experiences at the Air Force Academy first got him invested in personal information and privacy concepts, how ZK proofs work, how CBDCs relate to privacy, and more.
John Reynolds is a Product Manager at Aleo and an Air Force Veteran. Prior to working in the Web3 space, John attended the U.S. Air Force Academy and served as a cyber operations officer in the Air Force.
Mark:
Hi, John. How are you today?
John:
Good, Mark. Happy to be here. How are you?
Mark:
Good. We'll start with particular and actually understand this whole ZK thing, how it impacts identity, and we'll pull it out to the bigger picture, which I agree is kind of the most interesting part. I think you have a particularly interesting perspective on, because you have a background in government before you've come into this space, right?
John:
Yeah.
Mark:
So why don't we start? Could you help our audience understand what makes you such an interesting, incredible guide on this particular topic?
John:
Yeah, definitely. Well, thank you obviously for the kind words. I think I have an interesting background, like you mentioned. I think not many folks have the opportunity to be very vested in a government position, especially as it relates to technology and cybersecurity and cyber operations, but then also have the chance to dive deep into a new evolving industry and technology that in a lot of ways helps protect against what I guess some people's fears are. When I was active duty in the military, I was a cyber operations officer, so I went through a series of technical training. I also got my undergraduate degree from the Air Force Academy in computer science, so always been very intensively focused on cyber operations. I actually also got a minor in philosophy that was focused on the ethics of cyber warfare. So it's just been something that has mattered to me.
I think that there's a lot of ambiguity still as this technology continues to thrive and advance and become more integrated in not just our daily lives, but our interactions on a global scale. And so that kind of unique perspective and background, having gone through specialized training as it relates to the Air Force and then been in a position where I was helping make decisions and provide information and intelligence around some of the national decisions that leaders in our country were making and then coupled with a deeper understanding of the tech and a background in education, in engineering and computer science, I think leads me to be hopefully a helpful guide on some of these topics and lend some clarity.
Mark:
Awesome. I think it certainly does. You've been on both sides of the table. You've done the surveilling and now you're in the solution. First of all, thank you for your service. So with all that said, can you give us a little bit what prompted you to want to deal with the privacy problem specifically, and then why Aleo, and what does it do to solve and address that issue?
John:
Yeah, I think so. Personally, I got really invested in the personal information and privacy aspect of this while I was at the Air Force Academy. I had already been studying and researching and invested in cybersecurity and cyber technology, but there was a breach of top secret security clearances or just security clearances in general while I was at the Air Force Academy, I believe this is in 2014. A lot of individuals had their personal information taken, a lot of information that was private and confidential got exposed. And this kind of highlighted to me that even our military that's supposed to be the most renowned in the world, it's fragile. There's aspects of the infrastructure that we have that's holding and securing private information that's valuable. There's weak points. And so I think when I saw that all of this information, not just of myself, but all of these other individuals around me got compromised, and we've invested so much time, energy, and money to keep this information safe, there has to be better opportunities for us to create more trust without necessarily empowering centralized authorities or centralized individuals.
And so this is what kind of led me down the path of cryptography, getting more deeply invested in zero knowledge, proofs, zero knowledge cryptography, so we can leverage algorithms and cryptographic solutions to help secure information without empowering centralized entities as much as just giving them the information straightforward, maybe lead the lens to.
Mark:
Makes sense. Okay. I have a bunch of philosophical questions, but I'm going to leave them for that segment. Can you help me understand how ZK's served to provide a useful service for an L1? How do you actually use them, and what do they change in the day-to-day of what we do?
John:
Sure. Well, I think like you mentioned at the beginning, one of the biggest fears as it relates to crypto right now is this transparency aspect. And so the reality is is in order to expand crypto to the total addressable market, we have to be able to provide privacy as well. If you just think about a bank account, for instance, you don't operate a bank account with this sense of transparency where anyone can see what you're sending money to or receiving money from. Anyone can see how much you have at any given time. And so this is just an uneasy and an unnatural interaction. And I think there are ways obviously to work around this and there are solutions that can exist in this transparent world. But I think in order to really embrace traditional finance or a lot of the benefits that lend to traditional finance, we have to be able to provide some sense of privacy as it relates to the blockchain.
Mark:
I think that's right. Just to orient the audience, when you think about a normal bank, they have an internal database of everyone's account number and how much crypto they have and all the transactions. And what a lot of people don't realize is in crypto there's a public ledger. Everyone shares the database, which means you can see every account number and every balance and every transfer between since the beginning of time. In the case of Bitcoin, it's kind of walking into a bank vault, but all the safety deposit boxes are clear, and there's like a log you can see of what was put in and what was taken out. Or in the case of DAOs or online entities, it's like if a shareholder registry were open transparency.
I just have this one memory of talking to someone who was from TradFi worried about the narrative that crypto is going to disrupt banks and going to disrupt corporate organizations. I explained this to them, and they just started laughing. They were like, I no longer feel threatened whatsoever. That is so absurd. No one's going to want that. And so it's a real thing that people don't fully understand. And so the privacy problem is a real one. It's probably pretty easy for anyone to go figure out what my addresses are online in every transaction I've done because I'm not the most secretive in the world, and that's kind of a problem.
John:
And even if you are, that's the reality. Even if you are very secretive, the truth is, especially with these recent advancements in AI, it's so easy to be able to link interactions outside of the blockchain back to the blockchain, whether or not that's through an on-ramp where you've converted your US dollars into some form of cryptocurrency in order to begin interacting on chain or whether it's just a swap mechanism where you're exchanging tokens of different types on some form of exchange. These things, especially with like I said AI advancing, we get to a place where the transparency by default is just not something that we can support at scale as it relates to banking and finance.
Mark:
Agreed. Okay, cool. So how do we solve it?
John:
I think the next step from there is being able to introduce privacy. One of the main benefits obviously of the blockchain is the ledger aspect. It's a transparent ledger. Where can we structure privacy into this as opposed to the transparency, and zero-knowledge is right now, especially in the crypto space, Web3 space, it's really blowing up because people are starting to recognize, "Oh, this is how we can really enable privacy in this ledger paradigm where we can have trust that's cryptographically insured, but then we can also prevent our private information from being exposed."
And so it creates kind of this interface of, "Okay, nobody can cheat this system, but also you don't have to worry about giving up all of your information to ensure you're not cheating." And so zero-knowledge, the whole concept behind it is being able to prove something, whether it's about yourself or about a transaction, for instance, undeniably without having to actually reveal that underlying information. So it's proof without revelation or proof without revealing. In that sense, you're able to reserve the privacy, but still get all the benefits of the cryptographic guarantees and the security that the ledger infrastructure offers.
Mark:
That sounds great, but I'll be honest, it's hard for me to grasp the connection to the mechanics of it. I've heard a few explanations of ZK proofs, right? It's like proving something without actually conveying anything about the thing of what you know. In a crypto transaction, you're sending things from one address to another. I guess somehow you're obfuscating where an account update came from in a balance. How does that actually play out in a transaction or an app or some specific real use?
John:
Sure, sure. No, that's actually a great question. I think one example that I can give that might kind of help illuminate what this looks like and how this functions is around one of the products I'm working on right now in the identity use case realm. So working on this project that's built around this paper or protocol that was written called ZK-creds, and the idea is to try and introduce an issuer agnostic, so no issuer exists, passport or digital credential that you can use on chain to prove things about yourselves in zero knowledge. So the idea is essentially you upload the information from scanning your passport. Our passports have NFC chips in them, so we can scan them with something like a smartphone and extract some of this digital information about ourselves from this and bring them on chain in an encrypted capacity. So there's two main things to this is, one, US passports have these cryptographic signatures.
The US government has already done this on their end. These are signed in order to be able to authenticate the information. We can pull that information into a zero-knowledge circuit, and then we can also pull all of the information pertaining to one's identity from the passport into a zero-knowledge circuit. Now, when you think of a zero-knowledge circuit, you have to think of this as computing over information privately. And so you can imagine maybe a program that's taking place locally on your computer, so it's not broadcasting information outside of your local computer, and it has functions within it that are used to determine specific information. So, for instance, if I wanted to do some sort of age verification in my local space, almost like a private enclave you can think of this as, the verifying party or whoever may be doing this is going to provide functions or computational functions that allow you to run the information through these certain checks.
And since this is happening locally, they're not seeing your personal information, but they are seeing the result of these functions and you putting your personal information into these functions. And so we have this basically private computation where it's lending results that maybe aren't revealing. So for the age verification, for instance, you would take date of birth and the current date in order to calculate age, and then maybe you compare that against whatever you're trying to define as access criteria. So if your access criteria is 21 and the person's calculated age is above that, then the only thing that's returned by this private function is true or false. And in this capacity, nothing about my personal information is ever revealed to the on viewer, but I'm still able to have these cryptographic proofs and guarantees around these functions.
Mark:
So let me try to repeat that back to you. Let's say I'm on my own computer, it's not hooked up to the internet, and I upload my passport data to my computer. I just scan it, and then I have some file or software program from the US government, and I can run that and then send something to the US government or someone else that proves I'm over 21, but nothing else.
John:
Exactly.
Mark:
And so there's some sort of function that basically the US government they just trust that this function when it's run on my own computer, will only spit out true if my passport's legit, and otherwise it will not. And so they're just confident with the truth, they don't actually need the underlying passport.
John:
And the other thing is these functions can be transparent too. So these can be something, maybe these are deployed on chain. So this could look more like a smart contract, and the smart contractor of this program that has these functions can be transparent. We're fine with everyone seeing what these functions are and how these interact and the computations that they're executing. If anything, it's actually beneficial to keep the programs transparent in some capacity. Everyone can be certain that all they're doing is these specific functions, there's no storage, and so on. And so, yeah, the idea would be that... And it doesn't even have to be the US government that's doing this from a verification side. This could be anyone, any party that wants to verify something about me. Yeah, exactly.
Maybe I would take this program from on chain, I'd look through it to make sure there's nothing that feels fishy or maybe there's some sort of auditing process that's already provided some trust there. And then I share my information with this in a private capacity locally, and it privately computes an output. And then that output is what provides the criteria check. Am I over 21 or am I not?
Mark:
All right. So that's identity. And then can this actually help with the public bank ledger problem? How does it actually do that?
John:
So you can think of this kind of exchange happening in a transaction setting as well. You could be sending specific information about a transaction that you want to place into one of these programs as well. And what could happen is it could run specific computations or functions against this. And maybe from a compliance perspective, if this transaction is over a certain amount, we want to enforce more checks or we want to have certain aspects about this transaction be public because, again, maybe it's a large volume of tokens of some sort, or maybe there's some other underlying compliance or regulatory reasoning. And so what this does is it allows you to abstract the information that needs to stay private in a way, but verify it still, but then also provide these checks or compliancy checks of publicizing or making public the information that is pertinent for those specific reasons.
Mark:
So maybe one more question here, because it is difficult to understand.
John:
I know.
Mark:
What does the actual ledger look like then? Let's say you're just doing a ZK based chain. What does a block explorer look like?
John:
You're going to be looking at basically encrypted information. I'll have a private key, I'll have a public key or a public address. But the one thing that's kind of unique about zero-knowledge, especially layer ones, is you also have a view key because all of this information is encrypted on chain. So the public ledger is maintaining the information in the proper order of the information as it's received by the validators who then push it to the blocks, but it's all encrypted. So there's nothing that you can really pull from this information.
Mark:
I see.
John:
But the individuals that have private keys, their view key, they can then go and decrypt their particular transactions to be able to get that visibility.
Mark:
I see. So it really is, it's very similar to the Bitcoin blockchain or the Ethereum blockchain, but all the actual data in the database is encrypted. And the way to view what you have and don't have permissions to view is through proving your identity with a zero-knowledge proof from your model or something like that.
John:
Yeah, you can think of it just like Ethereum honestly, at least from an idealistic standpoint. We also have Zcash, which is just solely focused on transactions sending and receiving funds. Ethereum has that, but it also has this programmability aspect where you can deploy these smart contracts that have different functionality in them that allow you to create more interactive experiences on chain. And so if you think of that, but you just introduce cryptography to it or public key infrastructure, that's essentially what Aleo or zero-knowledge layer one blockchains are trying to accomplish.
Mark:
Got it. Makes sense. Thank you. So maybe let's get philosophical now. Maybe let's start by the reaction to crypto broadly is that it's used for laundering money. And that's a strange one because historically it probably was true because crypto got its start around things like Silk Road and some illicit stuff, but in practice is actually a terrible place to launder money because it's all transparent. And so anyone who really gets in, there's a great I think Reddit AMA with a secret service recently, and someone asked, "How do you feel? What's the best way to launder money? Is it crypto?" And they were like, "No, cash." We can see everything. And so the natural response I think of people to encrypting all this stuff is, "Oh, well, that just makes it easier to do illicit things." And people seem to jump to this negative without first jumping to, oh, that enables people to preserve their privacy. And I've always wondered why that is and how you respond to it when you get that criticism.
John:
Yeah, it's a great one, honestly, and it's a great question. Why is the negative the first thing that's kind of resorted to in people's mental train of thought? I don't know if I can answer that more than outside of just the reality that privacy I think in general is something that people take very sacred, but then it's also something that's taken advantage of in some capacities. And so people recognize that, and as a result, I think there is some fear that comes along with privacy. But that being said, I also think what we enable by providing privacy holds a lot more value than some of these concerns as they relate to money laundering and things of this sort. I think that we have the ability to implement safeguards to protect against some of these different behaviors that we're so concerned about, but there's no way that we can provide all of this functionality and all of these benefits and innovation unless we are focusing on being able to provide privacy.
We just started the conversation kind of talking about this. Traditional finance literally laughed when speaking about blockchain and the transparency aspect as it relates to the blockchain. And so, again, I mean the TAM, the total addressable market here without privacy is very small, but it grows significantly. And the impact and innovation that it can provide as a result of privacy, I think, is also very significant, and it outweighs some of these concerns that are the first immediate train of thought of most folks.
Mark:
I agree. It's interesting. At Shipyard, we develop decentralized exchanges, and there's always this issue of toxic flow and non-toxic flow. You're going to do trades that are going to lose money versus trades that will make money for LPs. And there's all these things you can do to stop people from trading with you that are bad. The problem is you can stop every bad trader in the world by doing no trades. And similarly, it's like a credit card company can prevent all fraud day one by just declining everything easy. But there's a trade off, and it seems like that trade off is just difficult for people to do. We say privacy, and I think that's somehow at times why we encode things as rights in the constitution, which arguably we haven't with privacy because they're so easy to be poo-pooed. I just wonder why do you think it's so hard for people to weigh privacy as a benefit in the cost benefit analysis with this stuff? Is it because it's so amorphous? I guess it's hard to pin down a little.
John:
Yeah, I think also part of it too is it's one of those unique things that there... Well, it's not absolute, one, right? Privacy is not absolute. There's trade-offs that have to exist. I think that oftentimes those trade-offs aren't always thought of in the most meaningful way. Privacy is also this kind of esoteric thing. It's like this thing that we talk about a lot. People talk about it in different capacities. People have different, I think, maybe somewhat interpretations of what privacy is. It's a great question, and I've thought about this a lot pretty deeply. I think overall it does go back to this kind of required trade off. You know that whether you want to define privacy as if we want to get really philosophical as a human right, then in order for us to protect that, there are things that we have to trade off. And then also for other freedoms to exist, oftentimes there are trade-offs with privacy as it relates to security and things of that nature. And so maybe living in this kind of never ending trade off is part of the reason. I would say that might be the lending hand.
Mark:
Interesting. There was an old debate about this when encryption was coming out that I think the government started trying to ban encryption initially and then realized that was kind of a losing battle, and now it's seen as unambiguous good. It protects our communications, it protects credit card information from fraudsters, and maybe it's as simple as re-articulating it as a defense against attack vectors to an individual.
John:
And also maybe shifting the focus. We focus so much on the negatives honestly. We focus so deeply on the negatives and, oh, well, if we enable privacy, we're going to be enabling these other fraud. The list goes on. But that focus, unfortunately, does not lend to innovation and being so concerned about what we have to try and prevent by enabling privacy instead of what we can push forward, the things that we can perfect, the things that we can improve. I think that's a big piece too, shifting the focus and the tone as it relates to privacy, I think is important.
Mark:
Interesting. Okay. What are your other philosophical... I'm sure you have three rants in your head on a philosophical part about privacy. I'm curious what they are.
John:
I do have some. I think it'd be worth maybe talking some or discussing some of the topics behind some of these CBDCs and stuff, so central bank digital currencies and how that relates to privacy.
Mark:
That would be great, CBDCs. And that's going to be a very hot button topic in the upcoming presidential cycle too. CBDCs, a lot of people see them as a gateway to more of a surveillance state. And so it seems like there's actually a lot of pushback from politicians about them, and yet it's put forth as a competitive necessity to have a CBDC in the modern age. And I think we'll see that tension playing out. So I'm curious, I'm very curious for your thoughts on that.
John:
Personally, I totally understand the sentiment behind concern from the surveillance perspective especially if we're talking about having this full transparent blockchain and leveraging ledger technology as it exists right now without this layer of zero-knowledge cryptography. I personally think honestly it does. It does provide a lot of competence to centralized authorities. It also provides a lot of competence to third parties on viewers who could be reading and tracking the interactions and information. But I do also see the value in implementing something of this sort if it's actually going to revolutionize how we interact, how our financial systems work, and if it's going to also make maybe some of these things more accessible to people, some of these currencies in a digital capacity more accessible to individuals. I think that we're on the right path of thinking by introducing this kind of technology and trying to push it forward because if we're going to innovate, we want things like this to be embraced.
But I also think we should be raising an eyebrow if things like zero-knowledge proofs aren't in those conversations deeply. Because if we want to position ourselves where we live in a democracy where we trust the leaders that we elect and we operate under a social contract where we're enabling these individuals to provide protection and safety in order to maybe give up little bits of privacy, well, if there's opportunities from a technological standpoint to limit that or to provide more control where we're protected as citizens, then those things should be the main points of discussion. I think from my perspective, it hasn't been as directly and deeply focused on it as it should be.
Mark:
Yeah. Are you pro CBDC in something like a zero-knowledge privacy framework?
John:
Yeah, I would say I am. I would say that I think that this introduces there's still a lot of hoops that have to get jumped through to get to the end point where it's like, okay, this has privacy and this also supports the use case that we defined it to. But I do think that with privacy it does enable some safeguards. And the other side of it is this is not a one-way street. This should work to support our ability to get trust and proof that funds on the government side aren't being used illicitly. A lot of people have frustration around the fact that we don't have meaningful audit processes as it relates to our military and government and ledger technology provides us with that support in a really easy and straightforward way, as long as it's thought of properly and reasonable safeguards are put into place.
This doesn't have to be something that's just put upon us, the citizens, the people. This is something that we put into place as a system, as a process that we all can benefit from. And that's another thing I think that happens here with crypto and Web3 in general is we forget that we operate in this democracy and we provide power to government with consent. We are consenting to giving them power in order to help protect us and safeguard our rights, and so it's going to take us working together. And I think sometimes this is overlooked or sometimes it's easy to move towards us first them or we're going against the big man, but the truth is this is actually hindering I think a lot of the progress. And the more that we can embed with one another and figure out where to balance these things, the more this becomes more a democracy and less like us shrugging off realities that honestly lend to, like I said, rights that exist in our society and impact us daily.
Mark:
Interesting. Awesome. Well, I have one more question, which is how do you think your philosophy compares to the prevailing wisdom within the military cybersecurity community from which you come? How do they see it? And how does it differ from how you see it? Are you a Maverick or are you actually mainstream?
John:
I think that there is a blend maybe more on the Maverick side in terms of trying to be innovative in how we think about integrating these solutions together and these different perspectives. But I do think that generally there is an open-mindedness more so than is maybe portrayed by the media. I do think that the military and the people who serve are just like you and I. They want to empower their children and their communities as best as they can, but they also don't want to give up privacy. They don't want to be victims of a surveillance state. And so that's also overlooked oftentimes. But generally, I would say there is an open-mindedness, and people are eager to learn and understand how we can use this to better our circumstances.
Mark:
Interesting. And do you think that that applies to crypto more broadly? In general, do you think the military is open-minded to crypto or do you think it's feels defensive like it's a potential threat?
John:
I think that it's open minded to it, and that expands beyond just the currency use cases. There's a lot of use cases for crypto, and there's a lot of use cases for privacy preserving ledger technology. Just in general, I think there is more open-mindedness than is often conveyed.
Mark:
Well, that's great to hear.
John:
Yeah.
Mark:
John, thank you again for coming on, and thank you again for your service. If people want to learn more or follow you, either you or your project, how can they do that?
John:
You can check us out at aleo.org, and we have a variety of different support documentation that gives you an idea of what we're doing, what we're working on, what we're building. For me personally, I'm on Twitter, Gwei world. Feel free to follow me. I'm constantly updating or providing different updates as it relates to identity and zero-knowledge and blockchain technology. I also have a medium blog where you can follow some of the different things that I'm writing and some of the different works that I'm putting out. I'm also part of the Zprize team obviously. I work for Aleo as a product manager, but I'm also on a steering committee of what we call Zprize. Zprize is focused on trying to support the advancement of zero-knowledge technology to make it more broadly used and capable. We host the competition. We get investors from the industry to help support different categories in that competition.
Last year we focused on hardware. This year we're focusing more on use cases. Definitely check out Zprize.io if you're interested in zero-knowledge and getting involved and just understanding where the tech is at right now and where it needs to get in order to be more widely accepted and used.
Mark:
Awesome. Great. Well, thank you very much. We appreciate it.
John:
Yeah, thank you, Mark. Appreciate it. Thanks so much.