New Developments in Cryptocurrencies and Blockchain Technologies
Now I'd like to introduce to you our featured presenter, Dan Boneh. Professor Boneh heads the Applied Cryptography Group and co-directs the Computer Security Lab here at Stanford. Professor Boneh's research focuses on applications of cryptography to computer security. His work includes cryptosystems with novel properties, web security, security for mobile devices, and cryptanalysis. He is the author of over a hundred publications in the field and is a Packard and Alfred P. Sloan fellow. He is a recipient of the 2014 ACM Prize and a 2013 Gödel Prize. In 2011, Dan Boneh received the Ishii Award for Industry Education Innovation. Professor Boneh received his PhD from Princeton University and joined Stanford in 1997. Now I'd like to turn the floor over to Dan.

Great, thanks Joe. So excited to be here. Welcome everyone, and I want to tell you a little bit about our work on cryptocurrencies and blockchain technologies and everything that we're doing in this space here. So I'm looking forward to this webinar, and if you have any questions, please type them in and we will answer the questions in the Q&A session. So this is meant for you: if I say anything that's not clear, please feel free to ask and we will answer the question right away.

All right, so let's get started. So as Joe said, I'm Dan Boneh, professor here. I work on cryptography and computer security, and I've been doing a lot of work on blockchains over the last couple of years. That's a fantastic area, a lot of fun to work in, and I want to tell you a little bit about our work and particularly what excites me about this area. Before we get started, I wanted to mention that in computer science we have a very active Computer Security Lab, which covers
lots of areas within computer security which intersect very strongly with blockchains, so let me just quickly explain what we do. So I work on crypto, blockchains, things like that. Zakir works on measuring notions of security. Matei works on big data and security. We have folks doing static analysis, which is actually quite relevant to smart contracts, where you want to make sure that the contract actually does what it's supposed to do, and so we have a number of people working on verification of software, in particular smart contracts, as well. David Mazières works on operating systems and consensus protocols; in fact the Stellar consensus protocol (Stellar is one of the largest cryptocurrencies out there) was designed by David Mazières. We have folks also working in IoT security. John Mitchell works on various aspects of protocol design and programming languages. Programming languages are also a big component of blockchains; again the question is in what language do we write smart contracts that are then executed on the blockchain, and that's a fantastic area that's growing quite rapidly. And then Mendel works on VMs. So there's a very active security lab, but in this webinar I'm going to focus specifically on our work on blockchains and what we've been doing in the space.

So what I'd like to tell you a little bit about today is basically a couple of things we've done. One thing I'll tell you about is something called confidential transactions, using a system called Bulletproofs that we developed, and we'll talk about all the applications of that and where that came from. And then I want to tell you a bit about what are called proofs of solvency, which is how to prove that a cryptocurrency exchange is actually solvent and can cover all of its obligations. Then we're going to switch gears and
talk about an application that's actually not directly motivated by blockchains but is relevant as well. I'll tell you about a system called Prio which is used for privately aggregating statistics.
Everything I say here is work that's available in papers that are published in public. You guys all have links, and if you want to read more about the work you're very welcome to, and as I said if you want to use any of this, this is all public domain and I would be happy to answer any questions you have about deploying any of these techniques. OK, good.

So let's start with Bulletproofs and confidential transactions. This is joint work with my student Benedikt Bünz as well as our collaborators Jonathan Bootle, Andrew Poelstra, Pieter Wuille and Greg Maxwell. Andrew, Pieter and Greg are in a company, Blockstream, and they're actually also some of the core Bitcoin developers. OK, so this is work that appeared earlier this year. I have a link here to the paper in case you want to learn more about how Bulletproofs work, but let's get right to it.

So I guess before I tell you about Bulletproofs, I want to talk a little bit more broadly about blockchains and cryptocurrencies in general. It's an area that from my point of view is a fantastic area to be working in. The interesting thing is that this area, as you may know, suffers a little bit from overhype, but nevertheless there are real scientific problems here, and that's kind of what attracts me to the area: the hard scientific questions that need to be answered. I can tell you that literally every project that I talk to in the blockchain space, I walk away with three new research problems to work on. So there are really lots and lots of open questions, which is kind of great for a researcher like me. So just to tell you the things that attract us to this area: there's a need for new consensus protocols, and we'll talk about consensus protocols in just a bit, and this is generally kind of work in distributed systems.
So developing new, clean consensus protocols. I already mentioned there's a lot of demand for new programming languages for programming smart contracts, and along with programming languages for smart contracts there's also a need for verification tools: how do we verify that the contract does what it's supposed to do, so we don't end up with a situation like the DAO, where because of a programming bug a lot of money was stolen, or like other famous contracts where because of a bug a lot of money was locked up so no one could actually access those funds. So verification is becoming quite a central area of smart contracts, and as I said there's a fair amount of work on that here. There's obviously a need for new cryptography; that's kind of my bread and butter, that's where I live, and that's what I'm going to talk to you about. And then there's also really beautiful work in what's called mechanism design, or more generally this area called algorithmic game theory, which is essentially how to distribute rewards, how to design incentive-compatible mechanisms that encourage players to act honestly and contribute well to the system. So all of these are wonderful areas where the blockchain introduces new research problems, so there's really a lot of new science that's being created here. In my opinion, of course, this area is, like I said, a wonderful area to work in. It's not a fad; it's an area that's here to stay and it's going to be with us for a long time. As I said, in this talk I'm going to focus on some of my work, which is basically new cryptography that's needed for cryptocurrencies. So I hope this will all be clear and exciting to you, and like I said I'd be happy to answer any questions that you have at the end of the talk.

So let's get to it, although I do want to say that because of all this kind
of scientific interest, it turns out there were many people working on blockchains around the university at Stanford here, and so what we did is we created this new Center for Blockchain Research. It's called CBR, the Center for Blockchain Research. If you want to learn more about the CBR, please go to cbr.stanford.edu; there's a lot of information there about what we do. In particular, this is a research-focused effort, but in addition to our research we run a lot of outreach activities, including
courses and MOOCs and books and seminars. So there are a lot of activities; all our activities are open to the public and we want people to come and join our activities here on campus. So please go to cbr.stanford.edu to learn about our outreach activities. In particular, if you go to the seminar page, there are instructions there on how to add yourself to the mailing list, just to learn about activities that the center runs. I promise it's a very low volume mailing list; all you will get is just emails about events that are open to the public, that you are all welcome to come and participate in. In particular, in January we're running our third Stanford Blockchain Conference. If you want to submit a paper to that, if you want to present some of your work, there are instructions on how to submit papers; if you just want to come and learn, you're very welcome to. As I said, this is in January, open to the public, and anyone can come and participate in the conference. If you come to one of these events you kind of realize there's so much energy in the blockchain space. Even though it's a technical conference, it's really fascinating to hear all the conversations, the talks and the conversations in the hallway. And again I can tell you that a lot of our brightest students now are going into the space, and with so much talent in the blockchain area, it's almost guaranteed that good things are going to come out of it. So I do want to mention that our Center for Blockchain Research is sponsored by sort of top projects in the space: the Ethereum Foundation, Protocol Labs, the Interchain Foundation, OmiseGO, Dfinity, and Polychain Capital. So it's
been great to work with them, and as I said we're always looking for more folks to work with. If you have any questions about a project that you're interested in, please reach out and we would love to talk.

OK, so with that let's get started with the technical part of the presentation, and I guess I'll start by taking on a challenge that someone asked me recently, which is to define a blockchain in 10 words or less. So what is a blockchain? Let me try to define it in 10 words or less and then we'll dig into the words. So a blockchain really is a data structure that has a number of critical properties. The properties are basically liveness, which means that anyone can write to the blockchain and there's no way to prevent you from writing to the blockchain; we call that liveness. When you write to the blockchain, obviously sometimes there's a transaction fee associated with that, but if you're willing to pay the transaction fee you cannot be prevented from writing to the blockchain. So that's liveness. Persistence means that once the data is written to the blockchain it can never be removed, and typically the way we achieve persistence
is by replicating the blockchain, this data structure, many many times all over the world, so that if you're going to remove something from the blockchain you have to remove it from all the replicas, or a majority of the replicas. So that's persistence. And you notice there's a little star there, because typically persistence is achieved under certain assumptions: basically, say, the adversary has less than 51% of the computing power in the network, or there are other ideas that are coming up about less than a certain amount of the stake, of the funds in the network, less than a certain amount of the space that the network uses, and so on and so forth. But persistence typically is achieved under certain assumptions. And once you have liveness and persistence, the other important property that's implied by that is what's called consensus, which essentially means that anyone that's using the blockchain agrees on the current state of the blockchain, that is, we all agree on what data currently resides on the blockchain. Good.

So those are the three properties that blockchains provide to us, but fundamentally I want you to remember it is just a data structure for managing data, and it just happens to provide these properties. Now these properties enable a tremendous number of applications. The simplest one in some sense is a cryptocurrency. If you have liveness and persistence, essentially this means that if somebody sends you money, a crypto token say, there's no way to undo that transaction because of the persistence property, or rather, I should be more precise, there's no way to remove the transaction from the blockchain because of the persistence property. Of
course you can, if you want to, send the money back and undo the transaction, but there'll be a log of the fact that money was sent to you and then money was sent back. So persistence is kind of necessary for a cryptocurrency application. The liveness property means that no one can prevent you from spending your funds once you actually decide that you want to spend them. OK, so that's why a currency is a very natural application for a blockchain data structure, but it also enables a whole bunch of other applications, like what's enabled by smart contracts. It enables crypto asset management: once I own a particular physical entity, I can record that on the blockchain and that can never be taken away until I actually transfer ownership to somebody else. You can also talk about crypto asset management for digital goods, and I have to mention there's a game called CryptoKitties, which is where people trade digital kitties for fun, and it's actually a pretty amazing game. I encourage you to check it out; it's a really well-designed game where people can buy kitties and then trade them later on, breed them with other kitties and trade them and so on. That's a wonderful example of a digital asset that's managed on the blockchain. Essentially, who owns which kitty is recorded in this data structure, and once you own a kitty no one can take it away from you, even if the company that runs the CryptoKitties game goes out of business. So you will always own this kitty and no one can take it away from you, and that's kind of the power of the blockchain.

OK, so crypto asset management is another application. I have to say that there's a lot of interest in the Stanford Registrar's Office in putting Stanford transcripts on the blockchain. There are a lot of benefits to that, so for example you
can always, if you present your transcript to an employer, the employer can always tell that it's looking at the latest version of the transcript, because the latest version is recorded on the blockchain. So there are a lot of benefits to putting contracts on the blockchain just for the purpose of freshness, so you know you're looking at the latest version of the documents. And again, even if the unthinkable happens and for some reason Stanford is no longer around, your transcript would still be on the blockchain and you can still prove that you are a Stanford graduate. So again, the persistence is such a powerful mechanism that makes the data structure so useful. And of course everything is transparent: all the data on the blockchain is public, the whole world can see it, so there are a lot of applications that require transparency, and blockchains are a wonderful data structure for those. Just to give you one example, if you want to run a lottery, for
example, if you want the lottery to be transparent, so that you are guaranteed that the randomness that went into the lottery really is unbiased randomness, then again a transparent data structure like a blockchain is a very good data structure to use. So I kind of walked through a number of applications; there are many many others, but this is why there's so much excitement about the space, in that there is, like I said, this data structure that's now available out there. It enables us to do things we couldn't do before, and again that's why so many people are building new applications and why so much challenge is going into the space.

All right, so with that let's drill down a little bit, and I guess what I wanted to do, even though there are lots and lots of blockchains out there with very different characteristics and very different designs, I wanted to just pick on one and drill down a little bit more just to show you how it works. So the one that I chose is the Bitcoin blockchain; maybe that's the most well known. But again I want you to remember Bitcoin is just one example of a blockchain. In fact we consider it just a generation one blockchain, in that it's very limited in its capabilities. Generation two blockchains are things like Ethereum that include smart contracts and other capabilities, and generation three blockchains are the ones that are being developed and deployed now; those are ones that avoid the expensive proof of work that's needed to make blockchains work, and we'll talk about that a little bit later. OK, so let's talk about the Bitcoin blockchain, just so that we start at the beginning.

All right, so the Bitcoin blockchain, as the name implies, is basically a sequence of blocks. So you can add blocks to the blockchain at will; in
fact every ten minutes a new block is created, and these blocks basically form this very very long chain. Basically from the beginning of time, since 2009, these blocks have been added every ten minutes, so there are many many of these blocks, and the reason they form a chain is because, you notice, when
I look at block number n minus 1, the block header contains in it a bunch of transactions. You can see there's a whole transaction tree that's embedded in the block, in the block header. This tree here is what's called a Merkle tree, which means that essentially all of these transactions that represent the block (and we'll talk about transactions in just a minute) are sort of committed to in the block header. So this value here is a hash value that commits to all the transactions that are embedded in this particular block. There's what's called a nonce, which is related to the proof-of-work; I won't talk about that here. There's a timestamp. But the important field in the block header is what's called the hash. So what is this hash? Basically, in every block, what you do is you hash the block header, so you compute some sort of a compression function of the block header, and then you write the resulting hash value into the hash field of the next block, and this is what forms the chain structure. So you can see here, again, block number n contains a hash of block number n minus one, block number n plus one will contain a hash of block number n, and so we get this very very long chain structure where this hash operation induces a sequence among blocks, and that's what we call the chain. As I said, this is only generation one of the blockchain structure. There are many new ideas being discussed; rather than using a chain, people are talking about using more complicated graphs. But here let's just keep it simple and just talk about the Bitcoin blockchain. OK, so that's what the blocks are.

Now you notice there are all these transactions here, so every block has a number of transactions; typically there are between several
hundred to several thousand transactions in a particular block. So let's talk about what these transactions are. A transaction, again just to give you a sense of how they work (I'm not going to talk about the specifics of the transaction format, just to give you a sense of what they are), essentially every transaction corresponds to a transfer, potentially a transfer of funds, between
addresses in the Bitcoin network. So what happens is, in a transaction we have these inputs to the transaction; these are the addresses that provide funds into the transaction. So in this case there are two transaction inputs, and then the transaction has transaction outputs, which are basically where the funds are going. So every transaction output basically has a value, which is how much money is being transferred to this particular address, and then it has the address, which is where the funds are actually going. All right, so transaction outputs contain value and address. In this case there are two transaction outputs. We call these things UTXOs; UTXO stands for unspent transaction output. So here we have UTXO number one and UTXO number two. OK, so what happened here is this transaction basically created two new UTXOs. These UTXOs belong to address number one and address number two, and each one has a certain value associated with it. Now later on, if you want to spend money from a particular address, you actually don't spend money from an address; you have to spend money from a UTXO. OK, so there are no accounts in Bitcoin, no accounts; funds are actually held by these UTXOs. And what this means is that when you want to spend money from a UTXO, essentially you create a new transaction. Here we have one transaction input going in; this transaction input essentially points to the UTXO that's being spent. OK, so the value that's going into this transaction is the value associated with the UTXO, and then there's a signature by the owner of the address that says yes, I'm authorizing the spending of this UTXO. All right, so remember, you have a secret key that essentially allows you to spend the UTXO, and only you can cause a UTXO to be spent, or rather only whoever owns the secret key that's able to create the signature is
capable of spending a particular UTXO. So it's kind of cool in that no one can take your funds away from you other than by taking your secret key, so if you keep your secret key safe no one can ever spend your funds. And by the way, I should say that there's a whole industry forming around custodial services for holding secret keys for cryptocurrencies. So if you happen to own a bunch of cryptocurrencies, maybe as an investment, maybe because you're an enthusiast, or maybe because you want to use the cryptocurrencies for something, the question is always where do you store the corresponding secret keys that enable you to spend those funds. You can store them at your home if you want, but if something happens, I don't know, maybe there's a burglary, maybe something happens to your house, maybe you lose the secret keys in some way, those funds can then be spent on your behalf. And so there's a whole industry of custodial services where you can give them the secret key and they will manage and store it for you. So keep in mind it's probably a good idea not to store cryptocurrency secret keys yourself; it is probably a good idea to give it to a custodial service, and this is their business, to keep those secret keys safe and make sure that they're never lost. OK, so regardless, we have these transaction inputs that basically authorize the spending of a UTXO, and here we have the two new UTXOs that are being created. So for example here you see UTXO number three was created, and the interesting thing about the UTXO model is, again, it's not account based, so funds are held in these UTXOs, which means that after you spend the UTXO, that UTXO dies. OK, so no one can spend funds from that UTXO anymore and it's as if it never existed. OK, so this
would be called a spent transaction output, as opposed to an unspent transaction output, and no one can ever spend funds from that UTXO again. OK, so that's how funds are basically held on the blockchain, and that's how they're being transferred from address to address: they're held in UTXOs, and a transfer means creating another UTXO. OK, so that's the UTXO model; that's how the Bitcoin network works. It's a pretty interesting model, although I have to say other blockchains actually use an account model, where funds
are actually held in accounts, and if you wanted to see how much money you have you basically check how much money is in your account. In Bitcoin, if you wanted to see how much money you have, you have to sum up all the UTXOs that belong to your address, and that will tell you how much money you have. So it's a little harder to tell what your balance is, but at the same time this model is actually quite clever, in that it makes it quite easy to manage what's live on the blockchain and what's not live on the blockchain. OK, so that's the UTXO model.

Let's dig in a little bit and look at a particular transaction. So here I just listed one random transaction from the Bitcoin network, and the thing that I want to point out here, which is quite interesting, is again you can see the addresses here. You can see the exact addresses that provide the funds. OK, so this is one address that provided the funds; here's another address that provided the funds, and here's how much money was being transferred in. So in this case it's 0.5 bitcoins, and then the other address provided 1.47 bitcoins. OK, so you can see exactly how much money came in, and then you can see where it went. So it went to this address: 0.01 went to this address and then two bitcoins went to this address. So you can see exactly which addresses received those funds, and I can tell you that there's a lot of work out there that shows that in fact it's not difficult to map addresses to physical entities. So there's no anonymity in these addresses; it's actually not that hard to figure out who these addresses belong to. So literally you can tell who transferred funds to whom and how much. So the amounts are all public. And
you remember these transactions all go on the Bitcoin blockchain, which is then replicated all over the world and is public for anyone to see, and it's important that everyone can see the blockchain so they can verify that all the transactions are legitimate. We'll talk about what legitimacy means in just a minute. OK, so the problem with this is that the fact that all these amounts are public is somewhat contradictory to business needs. Because everybody can see who the payer is, who the payee is and what the amounts were, this is problematic for business needs. So for example, if Stanford wanted to pay my salary in cryptocurrencies, in a Bitcoin cryptocurrency say, effectively everyone could see what my salary is. So the salary would be public, and that's kind of contrary to what a lot of businesses need. Even worse, for example, if a manufacturer wanted to pay its supplier in cryptocurrencies, with Bitcoin in particular everyone will be able to see how much the manufacturer pays for the goods. So Ford, for example, would have to reveal how much it pays for tires, just as an example. So again, this runs counter to how business is done; generally this information needs to be kept secret. And so the question is what to do. So can we adapt these existing cryptocurrencies so that maybe it's okay to reveal who the payer and the payee is, but it's not okay to reveal what the value is? So it's okay to say that Stanford pays me my salary; everybody knows that I'm a Stanford professor. What's not okay is to reveal what my salary is, just as one example. So that's our goal: can we hide what the amounts are in the transactions? And this is what's called confidential transactions. So confidential transactions is basically the
idea of, instead of having the amounts be available in the clear (like you see here, the amounts are actually in the clear), the idea is to actually hide what the amounts are and yet make it possible for everyone to verify the transaction. OK, so what are we going to do? Well, instead of writing the actual amounts in the clear like we do here, we're going to write something else onto the blockchain instead; we're going to write what's called a commitment. So what is a commitment? So here I have to do a little bit of math; I cannot give a talk without doing some math. So let me explain what this means. If you look at the amount here, you see it says 0.533 bitcoins. Instead
of writing the number 0.533 in the clear, instead what we're going to write is the number 533 in the exponent of some base. So we're going to write g to the power of 533, multiplied by some sort of a random value that hides what the value is. OK, so this is what's called the commitment. So I'm committing to the number 533, which was the amount that's being transferred, but anyone who's looking at the blockchain has no idea what the number is that I committed to, 533, because this number has been blinded by this random number here, by this h to the r1, where r1 is a totally random number. And I do the same thing; you can see this is a transfer of 1.478, so I'm going to write g to the power of 1478, so I'm committing to the number 1478, but nobody can tell that that's the number that I committed to. And the same thing on the outputs. One thing that's interesting is actually that the fees, you notice (let me jump here), the fees are still available in the clear, so everybody can know what the miners were receiving, but everything else is hidden. OK, so let me just say a few more words about this commitment. This commitment is what's called a Pedersen commitment; it's a very basic mechanism used in cryptography. When you want to commit to a particular value v, again, like I said, you put v in the exponent and then you blind it with some random number, h to the r. OK, so by looking at the commitment you learn nothing about v, but whoever committed cannot change the value of the number v. That's the idea. OK, so now we get this more privacy-preserving blockchain, in that no one can tell what amounts were actually transferred. So again Stanford can pay my salary; no one can tell what my salary is. But
now we run into an immediate problem, which is, well, since the amounts are hidden, how do you validate the transactions? In particular, what does it mean to validate a transaction? What you have to check is that the sum of the inputs going into the transaction, the sum of the funds going into the transaction, should be equal to the sum of the funds going out of the transaction plus the transaction fee. That's kind of a fundamental equality that has to be true for every single transaction. When the amounts were available in the clear, everyone could just look in the blockchain and verify that all the transactions are valid; if the transaction was not valid, the whole block would get rejected and thrown out of the blockchain. But now that the amounts are commitments, they're not actually available in the clear, so you can no longer verify that this property holds. So we have kind of a fundamental problem, and the question is what do we do. OK, so this is where the beauty of cryptography comes in, and so what we're going to do is we're going to use a little bit of crypto magic, and the crypto magic we're going to use is what's called a zero knowledge proof. OK, zero knowledge proof. So what is a zero knowledge proof? A zero knowledge proof is something that allows me to prove to you that a certain fact is true without revealing anything else about that fact. So you have confidence that the fact is actually true, but you have no idea about anything else. That's kind of the magic of zero knowledge proofs, and let me explain what we do here. So again, even though the public doesn't know what the amounts are, whoever creates the transaction can convince the public that this equality actually holds without
Actually revealing what the input and output values are so, that's one thing so you have to ver convince, the public that this equality star actually holds it, turns out there's another property, you have to prove which, is that in fact it's not just about the equality the other property have to prove is that all the values are actually positive yeah, so it's not just that the sum of the sums are equal you want to make sure that none of the output values are negative, let me explain quickly why that's so important, imagine.
I Had a transaction, they had three, inputs, going in so, there's a UT so worth three, bitcoins going in and then, one UT, Excel and the output was equal to 7 and the, other UT Excel and the output was equal to negative 4 right so we have 3 going in 7. And negative 4 going out well. 3 is equal, to 7 plus negative 4 yes, so, star. Is satisfied, however. Now we have a uth so that's worth 7 bitcoins which, anyone. Can then spend as if, they had 7 bitcoins yeah so money was all of a sudden created. Out of thin air and of course they've been ignore them the negative for output, they're just gonna use the, 7 Bitcoin output and sort of all of a sudden money was created out of thin air so, in fact proving. That all the outputs are positive, is kind of crucial to prevent money from, being created, and, so we have to do that as well the odd thing is that proving, that star. Holds is quite easy proving that inequality like, this is actually quite easy this is just follows from, the. Rules of exponentiation, yeah, if I have well. Let me kind of convince you that that's true if I have a commitment you can see G to the 5 3 3 and G to the 1 4 7 8 if I multiply these two together I get, G to the 5 3 3 plus. 1 4 7 8 yeah and I can compare that to the, sum to the product, of these two outputs, yeah so in fact checking. That a sum holds, is actually, quite easy, checking. That a value, is positive that. Turns out to be kind. Of tricky why. Did I write a 2 to the 50 to minus 1 here well it turns out that's. The denomination, of Bitcoin yeah so a Bitcoin, can. Go up to basically the the it, has Bitcoin, has 52. Bits of precision for. Particular, amounts so the amounts, can be specified as. A 52, bit string and we have to argue that that 52 bit string is a positive. Positive. Value okay that's the hard part all, right so what do we do so our work basically which, we call bullet proofs is a very, efficient, zero knowledge proof system for. 
proving that a commitment to a value v is positive, that is, that the value that was committed to is in fact positive. It builds on some earlier work, again beautiful work of Bootle, Cerulli, Chaidos, Groth and Petit from 2016; we basically improved it somewhat and experimented with it for this particular application. So what we can do is essentially, if you have a commitment to an n-bit number and you want to prove that number is positive, this is what's called a range proof. It turns out, again I have to write a little bit of math here, it turns out our proof size effectively is logarithmic in the number of bits. So even if your number is, you know, a thousand bits, the proof will only contain ten elements in it. So it's a very short proof, whereas previously the proofs were much, much longer; they were basically linear in the size of the value. So we went from linear-sized proofs to logarithmic-sized proofs. Logarithms of course grow much slower, but even more importantly, if you have to do many proofs, like if you have to prove multiple ranges in a given block, remember every block has like a thousand transactions in it, so you have to do like a thousand of these range proofs in every block, and before, the size of these proofs would just add up: if you have to do a thousand proofs, the proof would be a thousand times bigger than a single proof. In our case, using Bulletproofs, if you have to do a thousand proofs, all you do is add like ten additional elements, and that's it; nothing else changes. And of course there is no trusted setup, which I won't talk about here. Okay, so these Bulletproofs are extremely well suited for confidential transactions.

Just to give you an example: essentially, if you wanted to implement confidential transactions using the previous best zero-knowledge system, if you had one transaction, the data that would have to go on the blockchain would be around four kilobytes, whereas with Bulletproofs it's only six hundred bytes. So even for a single transaction we save a lot of space on the blockchain. If you wanted to do proofs for two transactions, before, everything would scale linearly; for us things scale much, much better, so instead of, you know, seven thousand bytes we only need seven hundred bytes. If you want to do ten proofs, before you would need forty thousand bytes; we only need nine hundred bytes. Okay, so again, the amount of data that goes on the blockchain, and all these proofs have to go on the blockchain to convince the public, the amount of data using Bulletproofs is much, much shorter than what was possible before in the case of no trusted setup, and as a result this makes confidential transactions much more practical and easier to deploy in the real world without blowing up the size of the blockchain. Good.

So as I said, Bulletproofs are a very good match for confidential transactions. Just to be concrete, if you wanted to implement confidential transactions without Bulletproofs, the blockchain would be like 160 gigabytes; with us it drops to like 17 gigabytes, so significant savings. And I want you to remember the blockchain is replicated all over the world, right, so everyone would have had to store 160 gigabytes; here we are providing quite a bit of savings in the amount of storage.

The other thing that Bulletproofs are good for is solving what's called the solvency problem. I'll explain this in a minute; this is a paper that we wrote in 2015 on how to prove that an exchange is solvent, and I'll talk about that more in just a minute, but I can tell you that in our first results, the proof of solvency, that the exchange actually can support all of its obligations, that proof was 18 gigabytes, and it would have had to be produced every day. With Bulletproofs the proof goes down dramatically to something like 60 megabytes, which is much, much easier to do in practice. And it turns out Bulletproofs can also be used for providing other anonymity mechanisms, which I won't talk about here.

Okay, so let's talk about the solvency problem; that's a really fascinating area in its own right. Let me explain what the solvency problem is. So I hope many of you have heard of Mt. Gox. Mt. Gox was a Bitcoin exchange that essentially held a lot of people's funds; so instead of holding the funds yourself, you would give the funds to Mt. Gox and they presumably would store them for you. Well, unfortunately, through a sequence of mishaps they basically lost all the funds that were given to them, and just so that you understand, something like 450 million dollars were lost as a result of the Mt. Gox compromise. This was a big deal in the Bitcoin world; you know, it caused a crash in the price of Bitcoin. Now, this was a very traumatic event for cryptocurrencies and for Bitcoin in particular, but it turns out Mt. Gox was nothing special, in that many other exchanges have failed too: people gave them their funds to hold and then the exchange basically lost those funds, and a lot of people lost their cryptocurrency savings. And again, this is why you want to use custodial services, because this is their business; they will not lose, or presumably they're built to not lose, your keys. So don't hold the keys yourself, give them to a custodial service; that's probably the safest thing to do. Okay, so the question is what can we do about these solvency problems.
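The commitment arithmetic described above (the Pedersen commitment, the balance check done on the commitments alone, the negative-output trick that a range proof must rule out, and the assets-versus-obligations comparison behind a proof of solvency), as an added Python example that is not part of the presentation or of the Bulletproofs project. The group, the generators, the blinding factors and all amounts are constructed here, and in_range checks an opened value where a real system would use a zero-knowledge range proof.

```python
"""Pedersen commitments behind confidential transactions and proofs of solvency.

Added example, not code from the presentation.  Constructed setting: the order-q
subgroup of Z_p^* for a safe prime p = 2q + 1 found at run time, and made-up amounts.
A real system uses an elliptic-curve group and a zero-knowledge range proof such as
Bulletproofs; here in_range() checks the opened value instead of a proof."""
import hashlib
import secrets

AMOUNT_BITS = 52  # Bitcoin amounts fit in 52 bits: a valid amount lies in [0, 2**52 - 1]


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test with random bases, after trial division by small primes."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # no square root of 1 found: n is composite
    return True


def safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with both p and q prime (demo size only, not production)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


P = safe_prime(64)
Q = (P - 1) // 2  # prime order of the subgroup of quadratic residues; Q >= 2**62 >> 2**52
G = 4             # 2^2 is a quadratic residue, so it generates the order-q subgroup
# Second generator h with an unknown discrete log to g: hash-to-group ("nothing up my sleeve").
H = pow(int.from_bytes(hashlib.sha256(b"pedersen-h").digest(), "big") % P, 2, P)
assert H not in (0, 1)


def commit(v: int, r: int) -> int:
    """C = g^v * h^r mod p.  v is reduced mod q, so a negative v silently wraps to q + v."""
    return pow(G, v % Q, P) * pow(H, r % Q, P) % P


def product(commits) -> int:
    """Multiply commitments: prod(g^v_i h^r_i) = g^(sum v_i) h^(sum r_i), the homomorphism."""
    acc = 1
    for c in commits:
        acc = acc * c % P
    return acc


def make_transaction(inputs, out_values, fee: int):
    """Sender side.  inputs: (value, blinding) openings of the UTXOs being spent.
    Output blinding factors are chosen to sum to the input ones (mod q), so that the
    public check (*) passes whenever sum(in) == sum(out) + fee (mod q).
    Returns (input_commitments, output_commitments, output_openings)."""
    r_in = sum(r for _, r in inputs) % Q
    out_r = [secrets.randbelow(Q) for _ in out_values[:-1]]
    out_r.append((r_in - sum(out_r)) % Q)
    openings = list(zip(out_values, out_r))
    return ([commit(v, r) for v, r in inputs],
            [commit(v, r) for v, r in openings], openings)


def balance_check(in_commits, out_commits, fee: int) -> bool:
    """Check (*) from the commitments alone: prod(C_in) == prod(C_out) * g^fee (fee is public)."""
    return product(in_commits) == product(out_commits) * pow(G, fee, P) % P


def in_range(v: int) -> bool:
    """What a range proof establishes about a committed value: 0 <= v < 2^52.
    Because q >> 2^52, a wrapped negative (q + v) can never land inside the range."""
    return 0 <= v < (1 << AMOUNT_BITS)


def solvency_commitment(asset_commits, liability_commits) -> int:
    """Commitment to (sum of assets - sum of obligations), computed from commitments
    alone.  A range proof on it shows assets >= obligations without revealing either
    total, which is what an exchange could publish every day."""
    inverse = pow(product(liability_commits), P - 2, P)  # inverse via Fermat's little theorem
    return product(asset_commits) * inverse % P
```

The 3 in, 7 and -4 out transaction from the talk passes balance_check because -4 wraps to q - 4 in the exponent; only the range condition on each opened output exposes it.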
So many exchanges have lost the funds given to them, and the question is what to do. Again, we can use the fact that we're dealing with digital goods to provide what's called a proof of solvency. So what is a proof of solvency? Every exchange has a bunch of obligations to its customers, this is how much money they owe their customers, and then they have a bunch of assets that they hold; these are basically cryptocurrency funds that the exchange owns. The goal is to prove that the amount of assets is at least as big as the amount of obligations. In fact, if you wanted to support reserve currencies, where maybe the assets are only 1/10 of the obligations, you can do that too, but let's stick to the simple case where the assets are bigger than the obligations. Okay, this is what solvency means. In the physical world, the way a bank proves that it's solvent is it brings in auditors once a year, and these auditors certify that the bank is solvent. That is not a transparent process, right; nobody in the public knows what these auditors do, they just certify, but there is no transparency to that process. The beauty of a cryptocurrency is you can actually transparently prove to the entire world that you're solvent, because everything is stored as crypto. What we would like to do, though, is prove that the exchange is solvent without revealing secrets, no internal information that's private to the exchange. Well, this again takes us to the world of zero-knowledge proofs, where you'd like to prove in zero knowledge that you're solvent without revealing anything about your internal business. Okay, so again, that was a beautiful problem for us that we worked on, and as I said we developed an efficient zero-knowledge protocol for this problem. It's kind of remarkable that literally the exchange can run this protocol every day; you don't have to do this once a year like in the physical world. Every morning it would produce a zero-knowledge proof that says yes, my assets are bigger than my obligations; nothing would be revealed about its obligations and nothing would be revealed about its assets, and yet the public now is confident that they are solvent. So that's what you can do with these zero-knowledge proofs of solvency, and as I said, Bulletproofs make this very efficient. It's quite interesting, actually: if Mt. Gox had run these proofs on a daily basis, their trouble would have been detected many, many months before they actually had to declare that they're bankrupt. In fact, they would have discovered themselves that they cannot run the proof of solvency, and they would have realized that there's a problem much earlier than when the problem was actually public. So I have to say that Bulletproofs have been adopted by a number of projects and they're actually put in use; somehow, proofs of solvency have not yet been adopted by the industry. So if you run an exchange, or if you know an exchange that's interested in deploying a proof of solvency, please get in touch with us. You know, I think this is a useful thing to deploy; I think once one exchange does it, all the other exchanges would have to deploy it as well, and it would give us more faith in how these exchanges run. So generally this is a nice thing to do, and as I said we can do it, so we might as well. So again, if you're interested in actually deploying and using this, please get in touch with us. All the research that we do is available in the public domain to support the ecosystem, and in fact we'd be happy to help you deploy this.

Okay, so that's what I wanted to say about proof of solvency, and I have to say I literally only touched the tip of the iceberg when it comes to cryptocurrencies; it's a huge and fascinating area. All I told you about is this one project that we did this year; we have many, many other projects that we do at the CBR, and lots and lots of forward-looking research. If you want to learn more about the work that we do, as I said, go to cbr.stanford.edu and check out our research page. And then in addition we're also running a class on cryptocurrencies and blockchain technologies. This will be the third time we run this class; we've been doing it for three years now. The class is called CS 251. It's actually a televised class, so anyone can sign up for this class via SCPD, scpd.stanford.edu, so anywhere in the world you're very welcome to take the class; if you're local, come to our lectures and listen in, and if you're remote you can watch it on the web. The class is going to go through a lot of the issues that surround cryptocurrencies: how the crypto works, how the consensus protocols work, how to write smart contracts, what are the upcoming technologies in cryptocurrencies and blockchains. It's a lot of fun to teach this class; obviously the students are quite interested in this, and as I said we'll cover a lot more than I was able to cover here today, so I look forward to seeing you there.

Now, I think we're actually running, this took a little bit longer than I expected. I hope it was all clear. I was hoping to tell you about another project, which maybe I'll just summarize in 30 seconds and then stop, which is a way to privately aggregate statistics. Again, I put up a link to this project if you want to learn more about what it does, but maybe I can just walk through it in 30 seconds and explain what this project does; it's an interesting topic in its own right. So I just want you to be aware that this technology exists, and if it's applicable to you, please use it or get in touch with us and we would be happy to help you deploy it. So the problem is basically, how does a company learn aggregate statistics about its users in a privacy-preserving manner? Okay, so today, suppose.
Let's take a simple application. Suppose you're Twitter and you want to measure, or say suppose you're an app that measures, I don't know, people's blood pressure, and you want to measure how blood pressure correlates to how many minutes a day you use Twitter. So every point here corresponds to one user: this user uses Twitter this much and his blood pressure is this much. So if you wanted to build a model for how Twitter usage correlates to blood pressure, this is just a comical application, nobody actually does this, but if you wanted to build a model for what the correlation is, the way you do that today is basically every user sends the data to the application developer, and then the application developer runs regression to figure out what the model is. That's how we do things today. This is highly non-private, in the sense that you have to send all your data to the application developer even though all the application developer cares about is aggregate statistics. Okay, so this is very non-private, and the question is can we do better. And it turns out we can do better. Basically what you can do is you can split your data and send one share of the data to the stress tracker, which actually reveals nothing to the application developer, and you can send another share of the data to, say, Google, which again on their own learns nothing about your data. So this is called secret sharing, where by themselves they absolutely learn nothing about the individual data, and yet together they can actually figure out what the model is. So this is great; this allows the developer to learn what the model is without learning anything about private data. However, there is a problem. The problem is that someone can come in and send you bogus data; you can see they send a point that's way, way up here, and that causes the whole model to skew. That one point is so off the charts that it causes the whole model to skew. So what our system makes it possible to do is basically, you know, learn the results, do it with privacy, but also make sure that all the submissions actually lie within a legitimate bound, a valid bound, so you cannot have one submission that will skew all the results. All right, so that's what the Prio system does. I'm not going to say much more about this; if you have a need for private aggregation, I would encourage you to go check out this project. This is something that we did earlier this year; everything is available online, including code and a paper that explains how the system works, and if you'd like to use it, as I said, please get in touch with us and we'd be happy to help you do that.

All right, so I'm going to stop here and I will open it up for questions. So Joe, take it away.

Great, well thank you so much, Dan, for joining us and giving us such a wonderful presentation. Now we'll shoot some questions over to Dan for the end of this presentation. So one of the first questions that came up, and I think it definitely stands out, is: why are the machines being used to generate Bitcoin hashes so highly power-hungry?

Yes, that's a great question. So this is asking about the proof of work, so I guess this is related to the consensus part, which I didn't quite talk about here. So let's see. Bitcoin uses this proof-of-work mechanism, so that the more power you invest as a miner, the more likely you are to be minting the next block. And I should say that whoever mints the block gets what's called a block reward, the coinbase, which is essentially an amount of Bitcoin that you as a miner then own. So the reason for this proof-of-work mechanism is actually very simple to understand, in that effectively it's a way to randomly choose a miner from the set of all miners in the system. So everybody invests a certain amount of energy in trying to solve a particular puzzle; whoever solves the puzzle kind of wins the lottery and gets to mint the next block, which then pays back to that miner. Okay, so effectively a proof of work is what we have come to call a randomness beacon. If you have, say, a thousand miners, then the proof of work is basically a way to choose at random from the set of a thousand miners in a way that no one can bias. Right, so everybody tries to solve the challenge that was embedded in the block, and whoever solves it is the one that actually gets the block reward. So basically proof of work is one way to implement a randomness beacon that chooses a miner at random. But now there have been many proposals for other randomness beacons that actually are not that power-hungry, that don't require burning so much energy. So in fact, as I said, generation-one blockchains require proof of work; the third-generation blockchains are actually starting to move away from proof of work. Just to give you some examples, there are many experiments with proof of stake, so rather than generating randomness by solving a hard challenge, we can generate randomness by basically requiring everybody to prove a stake, and if they misbehave they lose that stake; there are several experiments with that. There's beautiful work on using proof of space instead of proof of work; a project called Chia is doing that. Proof of space means that rather than proving that you own a lot of CPUs, you prove that you own a lot of disks, that you have a lot of storage, and disks themselves actually don't consume that much power, so it's going to be a much more eco-friendly way to generate randomness, to choose a miner at random. In fact, Chia calls it farming instead of mining because it's so much more eco-friendly. And so we're actually going to be moving away eventually from proof of work, and this mining process is not going to take that much energy. But again, to answer your question in one sentence: essentially, the proof of work is a way to choose a random miner that then mints the next block.

Great, thank you for that. Another question, and this came up a few times: if the blockchain info can't be deleted, how was the Mt. Gox crypto able to disappear, like get stolen?

Well, the information is still on the blockchain; we can still see that it was stolen. So it's not that the data was deleted from the blockchain. What happened was essentially, there were a couple of things that happened. Essentially, people sent their cryptocurrencies to Mt. Gox, Mt. Gox consolidated them into their own assets, and then, unfortunately, due to bugs in the system, an attacker was able to withdraw more money than the attacker deposited. So even though all the money was pooled together, Mt. Gox paid out more than it was supposed to to the particular attackers, and as a result, you know, it's all recorded on the blockchain, they basically lost the funds that were given to them; essentially the funds were transferred to another, you know, malicious user. So the data was not removed from the blockchain; it's just that the funds moved where they were not supposed to move.

And a follow-up to that: if the ledger is always there and you could see the transactions, how are they not able to identify who the attacker was?

Ha, well, that's a good question too. So if the attacker moves the funds to different addresses, you can definitely follow the money and see where the addresses are, but, you know, the attacker might actually just leave the funds on the blockchain and never actually translate them to a physical entity. So if there's no interaction with the physical world, you're not going to figure out what the physical entity is that's associated with a particular address. So, you know, the funds are just sitting there; maybe in a couple of decades someone will withdraw them, but right now they're just there and we have no idea who they belong to.

Great. This last question might be a very timely question. So, by definition there is no privacy; how does this play into privacy laws?

Oh my god, haha. Okay, so let's be precise here. It's not quite true, you see, that there's no privacy in the blockchain; that's not quite true. So in the Bitcoin system as is, yes, when you put data on the blockchain the whole world can see it; when you make transactions, the whole world can see the transactions. The work that I described here basically allows you to protect the amounts, so you would still know who paid whom, but the amounts will be hidden. There are other blockchains, like Zcash, like Monero, that actually protect everything; they're completely private. So in Zcash, for example, you have no idea who's paying whom or what the amounts are, just nothing. All you can do is verify that transactions are valid, but you have no idea what's in the transaction. So Zcash actually is a very good fit for business needs: if you wanted to transact with your supplier and not even reveal who your supplier is, Zcash is a good way to do it. So to say that there's no privacy is just not true; there are blockchains that provide a very strong notion of privacy. It's just that the most widely used ones, Bitcoin, Ethereum and so on, at the fundamental layer, they don't provide privacy, but again you can build things on top of them that will provide privacy as well. So yeah, that was me, let's make sure we're precise and accurate there.

Great, well, thank you so much for your time today, Dan, and we hope you all enjoyed this presentation about crypto and blockchains. If you have further questions, please reach out to our client services team. Have a great rest of your day.

Yeah, thanks everyone, this was a lot of fun, and feel free to send us more questions.