Agoric and the Decades-Long Quest for Secure Smart Contracts - Hyperlink Annotation

43 minute read

This is a transcript of the epicenter podcast, where Brian Fabien Crain and Friederike Ernst interviews Mark Miller on the history of smart contracts, the Agoric Papers, and more. I’ve adapted Epicenter’s transcription (CC-BY-NC-SA) of that interview - adding links and headings, for acessibility purposes.

UPDATE: The Agoric team added some more polish to my adaptation, and re-published on their medium blog!

Show Notes

Episode 286 May 7 2019

We were joined by Mark S. Miller, Chief Scientist at Agoric. Mark is a computer scientist who has done ground-breaking work on many topics relevant to blockchain and smart contracts going back decades.

We discussed his visionary 1988 Agoric papers, which explored how markets could be applied to the world of software. We also covered how his view of smart contracts, which focused on secure bilateral agreements complements and converges with blockchain. Finally, we covered his new company Agoric and their conceptualization of higher order smart contracts.

Topics we discussed in this episode

  • Mark’s effort to prevent the government from suppressing the discovery of public key cryptography in the 1970s
  • The legendary project Xanadu and its attempt to create censorship-resistant web publishing
  • Mark’s Agoric papers and the vision of markets for computation
  • Why AI hasn’t changed the shortcomings of central planning
  • The difference between his view of smart contracts and Nick Szabo’s
  • Their decade-spanning work on making JavaScript the best language for smart contracts
  • Agoric’s work on higher order smart contracting

Show links

Agoric and the Decades-Long Quest for Secure Smart Contracts

Agoric and the Decades-Long Quest for Secure Smart Contracts


Brian Fabian Crain: So we’re here today with Mark Miller and I actually tried to have Mark on the show around four years ago in 2015, somewhere I had stumbled on his work so he had done this work on kind of smart contracts you know a very long time ago much before Bitcoin and blockchain and all that, and I know that he wasn’t working in the blockchain or Bitcoin space back then but I found his email and and I emailed him and he was at Google at the time and he sent me a talk that he did in 1997 (video featured below) about smart contracts and the kind of legal ramifications and technology implications smart contracts which was just amazingly prescient. You would watch the talk and it’s astonishing how many of the ideas that later became you know kind of widely used were there so unfortunately it didn’t happen back then that we had them on but since then Mark has transitioned, he’s left Google and he’s working fully on kind of decentralized networks and digital money and kind of the blockchain space in general. So I’m really excited that you know finally the episode is happening and we’re having you on Mark.

Mark Miller: Well I’m very happy to be here.

Brian: So to start off I mean you’ve been part of this cipher pong cryptography world for a long time. But like how did you originally become involved in that.

Mark: So I’m going to go all the way back to 1977. I was working with Ted Nelson on Xanadu. Xanadu and Augment were the two early hypertext projects. Well before the web. And Xanadu was the one that had the vision of worldwide hypertext publishing as the new electronic medium for humanity. And Ted and I were both very influenced by George Orwell 1984 ministry of truth and we understood that the coming world of electronic publishing could be a force for oppression and tyranny or could be a great liberating force giving us all privacy and freedom from censorship. Then we very much wanted to do the second we saw it as our mission to lead the world into the coming of electronic publishing as a liberating force and we didn’t know how to do it. In 1977 Martin Gardner was editing a column for Scientific American named Mathematical Games and one issue of that column explained the discovery of the first public key algorithm the RSA algorithm. And he did not actually explain the algorithm. He explained the logic of what you could do with a public key system both the asymmetric encryption for privacy and the asymmetric signing for integrity. He painted a very nice picture of the power of this. I called Ted up in the middle of the night very excited. Ted we can prevent the Ministry of Truth. We wrote away for the paper. The paper did not arrive. And we found out that the reason it did not arrive is because the US national security apparatus, some part of it, decided that the paper should not be publicly released. They, I’m going to say classified, I don’t know what the legal category is, but they made it very clear that they would consider it to be illegal to distribute the paper. I got really incensed by this. I got passionate and angry in a way that I have really not in my life before or since feeling quite literally they are going to classify this over my dead body. I went to MIT, hung around campus, managed to get my hands on a paper copy, I was very careful to handle it only with gloves. I took it to various copy shops there were no home copy machines. I made lots of copies at different shops. I put them anonymously into envelopes sending them from a variety of mailboxes sending them out to home and hobbyist computer organizations and magazines all across the country without any cover letter just the the article itself. Fortunately early in 1978 he U.S. government decided to declassify. They gave the green light for distribution of the paper communications of the ACM immediately published the paper in the February 78 issue. And I will never have any idea whether the actions I took had any impact. I don’t have any particular reason to believe they did have an impact. But the experience of doing that of for example with handing copies of the paper to some select friends saying if I disappear make sure this gets out. This was a really radicalizing moment for me. Realizing the power of cryptography to change the world to protect us as individuals from large and oppressive institutions. And that this was worth fighting for.

Brian: Such an amazing story and I think it’s hard for people today to conceive this cause today, yes okay somebody writes a paper invents a new science thing they can publish it right so the idea that the government could try to say this information is too important that the people shouldn’t know about this. It’s pretty amazing.

Mark: Yeah. There have been several phases of governments of the US government in particular impeding the progress of cryptography and impeding the progress of decentralized markets smart contract built on cryptography. Export controls lasted till about 1998 the E-lang which was distributed, cryptographic object capability language that which a lot of the language based smart contracting ideas came together. We came out with that language during the era of export controls. So we had to actually split the effort where we where we were distributing it from the U.S. without the cryptography and then Tyler Close a collaborator living on Anguilla, a Canadian citizen, then reverse engineered how to put the crypto back in and the E language was actually distributed from Anguilla during those days. There was also the Clipper Chip trying to get trapdoors in to mandatory trapdoors into cryptography. And then 1998 export controls were lifted and then after 2001 with 9/11 there was the Patriot Act and suddenly this big chill in the air where Doug Jackson from E-Gold, one of the first attempts at doing a cryptographically based currency system in this case backed by physical gold. He was arrested. And there was a chilling of the work from that forward. So there was a lot of fighting going on. There was the RSA T-shirts where people would have the RSA algorithm written on a t shirt and go across borders with it all kind of daring people to arrest them because it’s a free speech issue at that point.

Digital Cash: Early Thoughts and Work

Brian: So you talked a little bit about Xanadu and how the thing that you guys saw there was this idea of censorship resistant publishing and this amazing you know force it would be in creating freedom. Of course the parallels to a Bitcoin are like you know astonishing way because people would always speak about okay censorship resist money and basically speak about it in very similar terms. Did you guys back then as early as you know when you started working on Xanadu, already think about okay maybe there should also be something like censorship resistant money and what that could look like.

Mark: Oh I don’t know that my thinking about cryptographic commerce all the way to cryptographic money goes back that far. I think my first exposure to really strong crypto for money, when did DigiCash first come out?

Sunny: Yeah I think that was in the 80s, I think.

Mark: OK. At the time we wrote the Agoric assistance papers in 1988. We assumed secure electronic money and micro payments without really exploring how to achieve that was more of assuming that there is some solution to that. Then elaborating and exploring all of the claims of smart contracts, all the kinds of behavioral commercial institutions and auctions and and various kinds of incentive engineering we called it, now called mechanism design. We explored all of that as computational embodiments of contractual arrangements and institutional arrangements assuming that there would be an underlying money system. I did do in my 1987 paper Logical Secrets, a really terrible first attempt at a distributed secure money. But the idea of doing a money with no central issuer like blockchain has, I did not see anything like blockchain coming. I was much more thinking in terms of like Hayek’s paper on the denationalization of money where you have many separate currencies competing with each other. And this is in general a theme I’m going to come back to which is in general my approach was decentralized not the way in which people in the Bitcoin space in the blockchain space referred to decentralized which is mutually suspicious parties all coordinating together to arrive at consensus on single decisions. That’s one form of decentralization it’s called a coordinated decentralization. I was much more thinking what I’ll call loosely coupled decentralization which is what we see in the Internet, what we see in the web, where there’s tremendous architectural diversity, there’s there’s essentially no decisions that everyone has to jointly make and nationalization of money was basically saying the same thing with money. Let many monies compete with each other, let reputation feedback and competition drive the system towards emergent robustness so any one money might fail but if it fails the competition and drive customers to other monies. And we saw that as a model for commerce in general.

Sunny: Brian and I actually chatted once with James Dale Davidson who wrote the book The Sovereign Individual and a lot of people you know try to draw a lot of parallels between his work and Bitcoin . But you know that work he’s actually talking you know talking about decentralized money in a very similar way that you are like he talked about cryptographic money but he actually really had the idea that there’ll be many many private issuances of money like a Swiss bank will issue its own money backed by gold and people will issue their own money and then users will kind of choose which money they want to use.

Szabo vs Miller

Mark: Yeah and in the mid 90s Dean Tribble, who’s now one of the founders with me of Agoric, and had been collaborating with me all the way all the way back into the late 80s. Dean Tribble and Norm Hardy creator of the KeyKOS object capability operating system, the two of them came out with a decentralized payments proposal. You can think of it as decentralized money called the Digital Silk Road which was basically routing payments through paralysed bilateral relationships which bilateral relationship has a credit window, so I won’t go into it, it has many similarities to what Interledger is now doing. But the main point is that it really was this hyper decentralized in a loosely coupled manner system of payments but then as you accumulated imbalances each bilateral relationship you’d have to clear the imbalance through something else and that something else was just so assumed to be of a variety of competing real world money with no new insight as to how to make those cryptographic. So I want to give a special credit here to Nick Szabo, because during this period of 90s first of all his vision of smart contract was of tremendous influence on me but also the kind of thing that we now understand from blockchain. Nick Szabo was trying to explain the power of that to me and I wasn’t understanding it and I did not understand it until I saw blockchain and I understood how Bitcoin and Ethereum work. And then there was this ‘aha’, that’s what Nick was talking about all this time. So while I was thinking about the emergent robustness from competition and reputation feedback you know loosely coupled network where any one point can fail, looking at, inspired by the dynamics of the marketplace in terms of what happens between businesses, Nick was very focused on the internal controls by which a large institution can by having internal controls and public audits and well-designed governance systems and separation of duties, you can build an individual institution that can be much more trustworthy than any of the individuals in it. And Nick understood that things like byzantine fault tolerance, like massive replication with cross check and consensus mechanisms is kind of the extreme form of internal control so that we can now build a logical individual institution that is much more trustworthy than anything humanity has been able to build before and there’s some kind of contracts for which that’s needed and one for which it’s most needed which was highest leverage is money and it’s no accident, I think that we saw it emerge first with cryptocurrency.

Sunny: Specifically at least from money issuance. Like you said, I like to call that the distributed version, the distributed version kind of took, the intellectual protocol is sounds very very similar to what you’re talking about here. But then Interledger doesn’t have like a native money and it kind of assumes the existence of some other settlement mechanism. But on Nick Szabo’s vision it seems that yes this is good for coin issuance but at the end of the day maybe payments don’t need to be on this, what I think is actually really interesting is that the Lightning network seems like a combination of these two ideas where you use a base redundant system for issuance and then you try to use a distributed system for payments and you can also use the base system along with issuance as a message board or this reputation right. One of the issues I always had with Interledger is yes it assumes the existence of reputation but where does this reputation go. Is there a bulletin board where I can go tell everyone that hey look this guy screwed me over. There isn’t. And so that’s one of the things that a redundant blockchain also gives you that’s kind of what Lightning does where like you know if you want to challenge someone you can challenge them on the base chain. I think it’s kind of cool to see that both your vision and Nick Szabo’s are kind of both correct impartially.

Mark: Yeah. It took me a long time to see that. I think that’s exactly correct. I want to give a shout out to Jorge Lopez who had studied both what was going on a blockchain as well as my old papers and he came to me with the integrated vision and then I saw that oh it’s not that Nick’s vision and my vision are alternatives or competing with each other. They actually fit together and they’re actually about different layers of the system. And that very much inspired what Agoric is now doing. My new company. So the way we see the combined vision is that you still want the overall system to be a loosely coupled network of mutually suspicious machines hosting mutually suspicious computation talking to each other. But now we can view a blockchain as a way to build a computer out of agreement rather than building it out of hardware, by building it out of agreement we now have a logical computer that’s much more trustworthy than any one physical piece of hardware can. But now it’s still that logical computer is just one node on a much larger network and that larger network can include other communication secure communication between chains secure communication between chains and not chains. So while the kinds of coordination we were doing with cryptographic protocols in a loosely coupled distributed system we can now do that as well on top of blockchains include blockchains within that overall fabric.

Brian: Yeah. No I think it’s very nice how you explain this and one of two ways that kind of comes to my mind when the way you speak about it is that you can think of you know often one talks about blockchains about you know removing a third party. But in a way the blockchain is a third party it’s just that decentralized third party. So in many ways maybe the way economic interactions work is not that different from the existing world. It’s just that the centralized third party of the decentralized third party whereas you’re where it kind of goes into you know more in a way it’s a more radical direction in that it’s actually decentralized you don’t have the third party so much anymore and then of course if you bring the two together that you have maybe some of these architectural differences in terms of the way the interactions works. And then when you need a third party you have a decentralized third party. So yeah I think it’s super fascinating how you have this kind of different ideas and different ways so they’re playing out.

Mark: Yeah I think that that there is there is some small number of institutions, like money like Augur is another great example of worldwide prediction market where you need worldwide credibility without prior negotiation but most contracts are local and they don’t need to run on a globally credible blockchain. And the transactions that they do they can do against local representations of remotely pegged money. Which is what several parties including Cosmos are doing what we’re doing and what Lightning is doing where the transactions that don’t need to themselves be on the blockchain can happen much faster and much more privately and then the outcome of the transactions can roll up in to net inflows and net outflows and have those have them roll up the outcomes, eventually roll up into public blockchains without having to reveal what the contracts were that they rolled up from.

Agoric Open Computing

Brian: So you wrote a set of paper called like Agoric Open Computing I think. And there were three different papers and they had quite a lot of you know widely read and they had some impact. I think. So you mind walking us through what are the core ideas that you were exploring in these papers.

Mark: There are three papers. The central paper is the one called Markets and Computation Agoric Open Systems. And that’s the one where we really go through all of the layers of our vision and how each layer builds on the previous layer and arguing for why our foundational layer was necessary to support the higher layers. So at the lower layer we talk about computational foundations distributed computational foundations with encapsulation and communication of information access and resources. And that’s encapsulation communication is very much sort of the centerpiece of object capabilities encapsulation is a form of property rights from ownership. Communication is a form of rights transfer. So together they form a core rights theory. Information access and resources maps very cleanly to confidentiality integrity and availability. Integrity turned out to be the core issue that most of our later work through the decades has been on so object capabilities at the low level and then smart contracting and markets and auctions for dynamic price discovery and adaptive price based behavior including with regard to applying the invisible hand to resource allocation issues, things like auctioning off the next CQ time slots. Having markets in space. And network bandwidth. And then on top of that a vision of how the coming of distributed decentralized electronic markets covering the world would be enmeshed with and part of the human economy and really change the nature of the human economy. So that was the central paper. The incentive engineering paper, that’s the one where we actually sort of go into the to the detailed design of some core auction mechanisms for doing this allocation and some game theoretic analysis of it. And the term incentive engineering we didn’t know about the mechanism design literature but that’s just our term for what has otherwise been called mechanism design. And then the Comparative Ecology, a Computational Perspective is another kind of big picture paper. This one taking a look at various complex adaptive systems that we see in the world, systems in which coherence emerges from a process that we’d call some kind of evolutionary ecosystem. So we looked at real world human marketplaces. We looked at biological ecosystems. We looked at some A.I. systems that were making internal use of evolutionary adaptation, Driscoll in particular, and we were trying to compare and contrast them in order to learn what is the framework that would best create the selective pressure from which distributed problem solving would emerge and we very much supported the use of market mechanisms as a robust system of selective pressure to encourage this emergent growth of problem solving ability. So those were the three papers.

Sunny: What was the context of these papers and so you co-authored these with Eric Drexler. And so for people who don’t know he’s often called the father of nanotechnology. And so you know that seems very far off from some of the stuff that you are working on and so I guess how did you meet with Eric Drexler and how did you guys decide to write these three papers together.

Mark: So Eric and I have very aligned visions of the future. And when I first met Eric he was working on light sales, basically solar sails for propulsion in space. He was presenting it at a space conference. I was working with Ted on Xanadu. I think this was the late 70s, 79 maybe at the Princeton space industrialization conference and I explained to him about hypertext and about Xanadu and his jaw kind of dropped open and he said do you know how important that is. And I actually learned to appreciate hypertext through his view of it. He saw value in hypertext that none of the rest of us had and really deepened our view of what was so great about it. So we were talking about all sorts of things but we were thinking in terms of a much higher tech future a higher tech future that would have for example the scale of computation that we would have with nanotech based computers which is still many orders of magnitude beyond the scale of computation we have today. And it was clear to us that at that scale of computation the central planning approach to coordination would not work and that you needed something decentralized where the overall goodness of the system emerged through loosely coupled decentralization through a coherent framework of rules. And it was that future orientation and also our fascination. There was another critical breakthrough also which came from, I was explaining to Eric my excitement about object oriented programming. And when I explained to Eric about the power of encapsulation in object oriented programming he said oh that’s like Hayek’s explanation of the utility of property rights. And that was a big aha moment for me. It was that a ha moment I think more than anything else that led to the Agoric work. So there’s many virtues of property rights but the one that Hayek explained is in terms of plan interference is that the central problem of economics is how is it that all of these separate creatures (people) with all their various intentions and mostly ignorant of each other formulate plans whether these plans are to serve their interests and to unfold in a world that in which the plans of other agents that have been formulated in mutual ignorance of each other are all unfolding together. How do you keep these plans from interfering with each other. And Hayek said one element is that by dividing up the resources into separately owned parcels, where each planning agent knows that there are some resources that he has exclusive access to, he can formulate some plans minimizing plan interference with other agents. Well that’s exactly the object oriented understanding of encapsulation is a way to enable programs that are formulated separately to be able to operate on their own encapsulated data free from interference by each other and that enables these separately formulated plans to be composed together. To realize co-operative opportunities from the composition while still minimizing the dangers of destructive interference with each other. So that understanding made both of our understanding of Hayek’s point and our understanding of object orientation deeper and led to the appreciation of object capabilities as a form of encapsulation coordination that is not just minimizing the dangers of accidental interference but also minimizing the dangers of purposeful interference.

Decentralized Planning

Brian: Okay. So this is a very interesting concept so let me try to dive into this a little bit. So you said that OK if all of these you know very powerful computers let’s say if nanocomputers and stuff then this central planning approach wouldn’t work anymore with computing. But it seems like the way you’re speaking about it is let’s say I have a company, my company has various different employees and resources and stuff like that. Now within that company obviously there is that kind of a central planning approach right. That’s sort of the nature of companies right. You say OK there’s markets between all the companies but then within each company there is the central planning approach and then I guess there was the work by Ronald Coase and stuff about what determines the size of these firms into kind of transaction costs but are you basically saying that if you think of the different components of a computer program or computer architecture all of them should interact with some market mechanisms. And if that’s the case how does that align with property rights. Does it make sense let’s say for a company to own all of these computing resources and then there still being some market where all of these competing computing resources interact, you know sort of making payments and trying to maximize their profits and stuff like that.

Mark: So that’s a big question has many parts to it. First part of answering it is that I think that price and adaptive price behavior is not the important early step. I think the important early step is a system of rights based coordination so that things that are formulated separately mostly in ignorance of each other can still be composed together that people can create reusable libraries where there is in the computational fabric a notion of separately owned data and resources so that we can compose reusable components and get larger outcomes. And the modern richness of software I think has largely been based on kind of informal hacking imperfect insecure rights based theory of coordination. This is the encapsulation of conventional object oriented programming. And within a company you also have imperfect systems of that are like prices. You have for example on a single machine you have various forms of priority, on a Google data center you’ve also got various priority and urgency knobs and resource allocation knobs and all of these are self reported. There is some if you want to think of it as a central planning scheduler you can do that or you can think of it as an analogue of an auction mechanism, but it’s not a central planner in the sense of it making the decisions about what priority other things should have. Rather all of the other things self report their priority very much the way players in a market express priority by using money and produce price information. So this is kind of a cheap analogue of prices. And the reason why you can get along both with insecure encapsulation and imperfect price mechanisms within a company is because the company has various kinds of sanctions. Everyone within the company is trying to cooperate with each other. If someone is seen as too abusive you’re taking advantage then the company has other ways to react. So companies have strong admission controls whereas as soon as you expose this to the outside market now you don’t have those other forms of feedback you need genuine protected objects, protected boundaries, and you need for example Ethereum with the gas system has to have a genuinely robust system of selling resources, not so much in order to have efficient resource allocation but in order to have not horrible service allocations not so much a question of optimizing it’s a question of deep pessimism. It’s a question of avoiding the really terrible behavior. And companies internally have other ways to avoid the really terrible behavior.

Sunny: So I’m actually really glad you mentioned Google’s data centers as an example here because I read an article a few weeks ago talking about how Google’s actually using their deep mind A.I. to coordinate energy resources within its data centers and that this experiment of theirs actually reduced their cooling costs by 40 percent. And so do you think that centrally planned maybe humans aren’t the best way of doing central planning. Maybe this leads into a larger political question but do you think A.I’s are on the brink of being better central planners than both markets and human central planners.

Mark: So first of all I want to say I don’t know the particular system that you’re talking about I know a lot about how Google operates more conventionally before they started applying a deep mind technology to this issue. But I also just want to mention, sort of a reasoning by analogy here. Back in the 1940s and 1950s in the socialist planning debate when Hayek and Mises would talk about the what unfortunately came to be known as the calculation problem. What came to be known in later years as a knowledge problem. But the calculation problem it was well you can’t centralize the knowledge needed for a central planner to act. That’s the knowledge part of it. And then there’s no possible way you can build a central planner, you can create a central planning institution that would act. And back then the advocates of central planning were pointing at look at these new fangled computers. Surely these computers will grow up into central planning agents and they can solve the calculation problem and now we can do central planning and the thing that the asymmetry. There is a false asymmetry that was assumed there which is they were imagining the market of the day with the complexity of the market that they knew and imagining that the planners were much more capable than the planners of the day because they were using computers but they didn’t imagine that the markets would also have players that were using computers and therefore were all much more complex and interesting. And in fact the knowledge problem gets worse not better as the individual players get more sophisticated and embody more knowledge that they’re also not able to articulate.

Sunny: You get almost to a turing problem there where you know the central planner computer can’t simulate all of the millions of computers in today’s economy.

Mark: Right. So with regard to the deep mind thing once again I don’t know that specifically but what I’ll react to is the thing that it’s planning is about temperature and power and such things. And that’s also not a set of resource allocation decisions that programmers have been writing their programs to deal with. It just hasn’t been on the radar traditionally so that there is no local decision making by programs to try to be adaptive on those regards. So it’s essentially a situation where we had no decentralized planning and very poor centralized planning. So it’s a situation where planning so badly that even a central planner can do better. Once you’ve got that kind of sophistication in the agents that are subject to the plans and they are now also as capable of reasoning about those issues. Then you have to again ask does the asymmetry go away where the central planner has gotten special technology ahead of all of the agents that are subject to its control.

Brian: That’s really nice how you explained this and I must say I find it kind of encouraging knowing that if this is true and it’s going to hold true then maybe it is something that will kind of work counter towards some of decentralizing aspects that come with A.I.

Human Utility Function

Sunny: And so then one last question I have about the papers before we you know I want to go back into talking with their core company. But what about the fact that when Hayke talks about you know, part of the issue I think is that humans are very complex beings that it’s part of the measurement problem or information problem as you phrased it was how do you measure people’s utility function. We don’t have a way of doing that. But when we’re talking about bots here like you know just computers I feel like at least until we have very strong A.I’s they don’t seem very complex creatures and so I think it might be possible to model these simplistic bots rather than humans and so I don’t know if some of Hayek’s ideas around this complexity of humans comes into play or not.

Mark: The notion of utility function I think is very much like the notion of the perfectly spherical cow. There is this complex real world both for people and of programs where what you’ve got is behavior that has been shaped over time to be adaptive and serves some interests and then you have outside the system using the concept of the utility function as one way of idealizing the behavior to reason about it. But there is no representation in the person’s head or in the program over a utility function. Programs have complex behavior that are written by programmers and modified by programmers over time to adapt to whatever the complex job is that the program is doing, both with respect to what the job is and with respect to how the program is performing the job and the programmers modify and change it in complex ways to just be more adaptive. And it’s very hard to reason about programs what we know is that it’s impossible in general to predict what a program will do other than by running. So then our computer systems run the programs discover what they do by running them. But I wouldn’t call that central planning I would call that just a distributed system of the running programs.

Sunny: Cool and to lead back into the blockchain stuff, one of the things that interested me about this property rights. You know I think in the blockchain space we have two very prominent models of property rights and transaction fees that are kind of dominating right now and are very different. You have the first one which is done by Bitcoin and Ethereum where there’s a limited amount of block space or gas limit and people use fees to basically it’s essentially going in a constant auction where there’s a limited amount of block space and if you want to get in you have to put in a fee and the highest number of people get their fees and you know there’s a lot of innovation going around on that front like Vitalik has a proposal for doing different type of auction mechanisms and whatnot but then there’s a complete other and which I think this is one of the few interesting things that EOS actually did, was they proposed a more property rights based model of fee. So the more EOS tokens you have you get, for simplicity’s sake you could say that if you own 5 percent of the EOS tokens you have the right to use 5 percent of the EOS blockchain’s resources, you have 5 percent of the disk space, 5 percent of the computation power, and so that takes almost a more property rights approach rather than this constant auction. So what are your thoughts on these two approaches.

Mark: So I don’t know the EOS approach. I also don’t know of Vitalik’s recent proposals. Right now we don’t have good composable systems of electronic rights. And I think that that’s really sort of the prior issue. So in that sense I’m responding positively to what you said about EOS even though I don’t know the actual EOS system. Having a foundation in rights and rights transfer is I think the right conceptual starting point such that markets emerge from interaction between multiple parties within a rules based rights based framework. And obviously auctions is one way to do that. A proportional share ownership rights is another way to do that. All of these things are worth exploring. I don’t have a strong opinion that one is better than the other. I will say that that Agoric is planning to implement the escalator algorithm for scheduling on the Agoric blockchain but we also want to encourage all sorts of different experiments there.

Agoric, Object Capabilities, Secure Smart Contracts

Brian: Okay. This is perfect because this kind of leading us exactly where I wanted to go. So I mean there were the papers many years ago that had the name Agoric in it but then much more recently also you co-founded a new company that is also called Agoric, so can you tell us a little bit what is the main vision of the company what are you guys trying to accomplish.

Mark: So what we’re trying to accomplish is to bring the world economy online. And right now there is a problem which is the blockchain space, the world of smart contracting that we’re seeing, has not been successful at penetrating the mainstream economy. But it’s basically this separate world and the business activities in the mainstream economy see a barrier there that they’re not getting over. So markets are all about network effect. We want to create a distributed system of objects in contracts on different platforms, blockchains, non blockchains, permission quantum systems, individual machines, both publicly and within companies, we want to span that entire network of activity in a uniform framework of at the low level object capabilities, and then at the high level the system of electronic rights and smart contracts that we want to build on top of that. And the result is that we want to enable the mainstream economy to be able to take incremental steps towards adoption of the technology where all of the steps towards complete public participation are as smooth as possible. I want to make an analogy here which is the web as we think of it is mostly a public thing. But the fact that companies inside their firewalls have their own internal private web sites and the content on those websites freely link into public pages and people inside the company following the links go from internet pages navigate to external pages in this completely seamless manner. That’s good for the public web and it’s good for the spread of the technology to apply to things for which public visibility is not appropriate.

Brian: And so do you see a similar function that Agoric will have in that people can kind of seamlessly go from traditional means of doing commerce to blockchain base and this kind of friction goes away.

Mark: Yes there are several barriers. One of the biggest ones is that smart contracting right now is too hard and too dangerous. We’ve seen smart contracts constructed by experts in which hundreds of millions of dollars have disappeared overnight with no recourse due to simple bugs. And in order to open this world to the mainstream you have to make it much more reasonable for programmers who are not experts on smart contract and programmers whose experts line their subject matter to be able to create business arrangements contracts institutions with much greater confidence that their contracts mean what they think they mean. And our approach with object capabilities and rights which I’ll get back to in a moment, helps tremendously in creating system of of compositional reusable contract components that enable that kind of construction with confidence. We did a lot of this exploration I mentioned in my e language, starting in 2007 I’ve been on the JavaScript standards committee getting the enablers of that into the JavaScript standard. So JavaScript now supports a subset which is an object capability subset of JavaScript that essentially includes most of JavaScript such that many old JavaScript programs run in SAS as we call it, secure acme script, which comes out of work we did at Google and now it’s work that Agoric has done in collaboration with Salesforce. So the result is that we’re bringing this to programmers not just as an extension of the object oriented paradigm that people already know so that they can extend the intuitions they already have about objects, but we’re even bringing it to them in a language that 20 million programmers are already familiar with.

Sunny: How does this relate to the language you guys have been creating with this Jessie idea, is that related.

Mark: Yes it is. So there’s two subsets of JavaScript that we’ve defined, a very large subset we call SAS and a very small subset we call Jesse. Jesse itself as a subset of SES. In doing secure programming there are sort of two fundamental stances you can take with regard to theirs. I want to protect myself for misbehavior by your code. And I want to ensure that my code means what it thinks it means and in particular when I express security policy in my code how my code should let’s say enforce certain arrangements on your code, bBut I want to know that my code is interacting with your code in the way that I think my code was designed. So SAS is designed to solve the first problem. Which is that I can run your code that I don’t trust inside a SAS sandbox under object capability rules where I am confident that your code has only gotten the authority that I intended to give it, that your code cannot escape the sandbox, cannot do things with more authority than it was given. And because Jesse is a subset of SAS your code might be in Jesse. But if I’m just protecting myself from your code I don’t care whether you stayed within Jesse or whether you’re using for full SAS. For my code JavaScript has many hazards. Double equal for example, the famous one, that has crazy coercion rules so everybody’s programming style for JavaScript says avoid Double equals. So in Jesse we just define a subset that omits all of the unnecessarily dangerous things, only includes the best parts, and the wonderful thing is that the best parts JavaScript are a really good programming language. So we’ve been essentially keeping our code in Jesse. We expect to be also we’ve been collaborating with academics on formal specification languages so that you can verify that object capability code means what you think it means and we think Jesse is the candidate to apply those tools to. That’s how those things fit together.

Brian: Okay great. So yeah that’s very interesting so all your work on JavaScript and secure JavaScript and how that’s kind of coming together. So you spoke a bit about JavaScript and how you guys enabled smart contracts there but what is powerful about this approach and what are the kind of capabilities that this approach that you guys take the smart contracting has.

Mark: So one of the things that makes our current world of software so rich and so composable is higher order composition and what I mean by that is we start with higher order functions where functions can operate on data and compute things can operate on values but the functions themselves are values so higher order functional programming is where functions operate on functions but with no limitation. Objects cause effects, take actions, and objects can also hold and manipulate other objects. So a table can store any kind of object but then when you reapply a concept like a table into an object then you enable the kinds of things that objects manipulate to be also the kind of thing that the manipulation is. Likewise in the marketplace, much of the richness of the market interactions we have is the reaffication nature of property rights, that property rights started off very literal. But then anytime you create a contract that unfolds over time, the continued participation in the contract is itself valuable and by labelling that continued participation, a property right, then any contract building block that’s generic and parameterizable over anything that’s described as a property right can now operate on the rights created by other contracts and you can compose contracts together.

Sunny: As an example, I can imagine an options contract where an options contract is basically me making a contract with you saying hey I want the ability to buy this from you at a later date. But then I can turn this contract into an asset itself and I can go resell my end of the options contract. And so you turn contracts into assets and you can make contract out of those assets and you can have this innovative approach where contracts and assets are kind of interchangeable.

Mark: That’s right. So we talk about the duality of contracts and e-rights, contracts manipulate e-rights and contracts that unfold over time create e-rights. And ERTP the electronic rights transfer protocol is the top protocol layer in our system and it’s essentially a set of object interfaces and specifications for generically representing a wide range of kinds of rights. Rights that are fungible and non-functional, divisible, so many non-functional things and the right to continue participating in contracts within our framework are all redefined as rights described by ERTP, and then to the extent possible we create contract components that assume the rights that manipulating that only assume that they’re described by ERTP, you can’t always do that but we can do that with exchange you can do that with options and futures you can do that with a variety of auctions, single auctions, continuous double auctions. So we have this tremendous opportunity to create highly reusable generically parameter risebale contract components in which you can feed any ERTP described contract and then if that contract unfolds over time then it creates a new derivative right that in turn can be fed into other contracts.


Sunny: Right. And so for our listeners who want to get a much better understanding of this, I highly recommend one of Mark’s papers he wrote called Financial Instruments As Capabilities, and to me when I was first trying to understand this whole capability stuff and it didn’t make sense but then after reading that paper it had a little bit of pseudocode in there and it’s like okay reading that I’m like okay now I see how this makes sense and I can visualize how to put these pieces together.

Mark: The actual title is Capability Based Financial Instruments. It was published in Financial Cryptography 2000, which by the way also occurred on Anguilla which became a little haven of crypto activity initially because of the export controls.

Sunny: Yeah so we’ll definitely link to that in the show notes. And so then another question I want to ask was, now you have this ERTP system and this Jesse smart contracting language, you could have went ahead and created a simple smart contracting platform like Ethereum or Tezos or you know any of these systems, but it seems you guys are not just creating a single blockchain contracting platform. Could you talk a bit briefly about what the goal there is with that.

Mark: So again it’s network effect. And it goes back to the differing early visions of hypertext. I hadn’t thought to make this analogy before but Doug Engelbart’s Augment system was kind of a single system for those who signed up to Augment. Whereas Xanadu was a worldwide distributed loosely coupled hypertext publishing system where there’s no one provider. We want to enable. contracts that span from the one extreme of completely permissionless globally credible blockchains all the way to various systems that are more private. But one of the things that I think is really important is most contracts are local. Most need for contracts are local, most actual real world contracting is local. There’s no need to create worldwide transparency into the internals of a contract that’s done by a small set of parties. And then there’s a few arrangements which I would call more institutions than contracts, that do need that credibility, we want to span that whole range. There is this large tradeoff space. We want one uniform mechanism that can sit on top of that diversity and span it and enable contracts that started off being designed for one place in that fabric to be able to be moved and continue execution in another place on that fabric.

Brian: Cool. Well thanks so much Mark. I think that there’s so much there to talk about and then dive into and there’s a lot of resources we talked about that we’ll put in the episode links so if people want to dive in there’s definitely plenty to keep someone busy for weeks or months. Yeah and we’re very much looking forward to seeing what comes out in terms of practical use cases from Agoric and hopefully we can do another episode at some point in the future. So thanks so much for joining us today.

Mark: Yeah. You’re welcome. It was a real pleasure.