Our next speaker is Soubhik Deb from the University of Washington, who will be discussing PoSAT: proof of work availability and unpredictability, without the work. Soubhik.

Hi, everyone. I'm Soubhik. In this talk, yeah, as Jonathan mentioned, I'll be describing PoSAT. It is the first provably secure proof of stake blockchain protocol that achieves both dynamic availability and unpredictability. This was a joint work with Sreeram Kannan from the University of Washington and David Tse from Stanford. I hope you enjoy the talk.

Bitcoin achieves three properties. It is secure under honest majority while guaranteeing dynamic availability and unpredictability. The question that we ask in this work is: can one design a proof of stake protocol that achieves all three or not? In order to understand that, let us first understand dynamic availability and unpredictability in the context of Bitcoin.

Dynamic availability in Bitcoin can be best visualized from the evolution of Bitcoin's total hash rate, which has seen an increase of 14 orders of magnitude since its conception. Bitcoin, although guaranteeing dynamic availability, is still secure against a private attack under an honest majority. To understand this, consider that in the first year of the operation of Bitcoin, no adversary is online. At the beginning of the second year, suppose the adversary comes online. However, with high probability, the adversary will never be able to mine a chain longer than the longest public chain.

In the context of dynamic availability in proof of stake, previous works like Sleepy Model of Consensus, Snow White and Ouroboros Genesis have used the longest chain protocol in an attempt to guarantee dynamic availability. However, without careful design, the longest chain protocols are vulnerable to costless simulation attacks.
So in order to understand that, as before, consider that only honest stake is online in the first year of the operation in the proof of stake system. At the beginning of the second year, suppose adversarial stake comes online, which happens to be greater than the honest stake in the first year. In the second year of the operation, if a VRF is used for determining the winner of the leader elections, then the adversary can costlessly obtain a longer and denser chain almost instantaneously. Sleepy Model of Consensus and Ouroboros Genesis had sidestepped this attack by assuming that the adversarial stake is constant, while honest stake can vary. These are very strong assumptions. If we consider it from the perspective of Bitcoin, it is akin to assuming that the adversarial mining rate has remained constant since day one, which is not true.

As for unpredictability in Bitcoin, due to proof of work mining, no node including itself can predict when a node will be able to mine a block. For proof of stake, commenting on unpredictability is a bit more complicated. The prediction is used for determining the winner of the leader elections, then everyone can predict who wins when; this makes the system vulnerable to bribery attacks. If VRF is used as suggested in many of these papers, then no one can predict who wins except the winner itself. However, now an adversarial node can predict and advertise its prospects of winning leader election in future.

In our work, we present PoSAT, which is the first proof of stake protocol that guarantees both dynamic availability and unpredictability, while being provably secure under honest majority. In order to achieve dynamic availability and unpredictability in PoSAT, we use verifiable delay functions for conducting the leader election. VDF is a tuple of three functions, namely the setup function, the eval function and the verify function.
There are two key properties that motivated us to consider the VDF for the purpose of conducting the leader elections. First, computing the eval function of VDF, even with parallel processors, takes at best linear time and no less than that. However, the verification of the work done to compute this eval function can be done blazingly fast. Second, even with multiple VDFs, with all of them having the same speed, the probability of winning a leader election remains invalid. Leveraging these properties of VDF, we obtain a proof of stake puzzle that is not costlessly computable and provides an unpredictable randomness beacon.

In PoSAT, we use a VDF puzzle that is constructed from the eval function of the VDF. Now a source of randomness is extracted from the block, and it is checked whether the VDF puzzle difficulty is satisfied or not. If the PoSAT puzzle is not satisfied, then the updated source of randomness is again sent to the VDF puzzle. On the other hand, if it is satisfied, then the node proposes a block and the updated source of randomness will be embedded into that block. To summarize, in PoSAT, for conducting the lottery to propose a block, the randomness embedded in the parent block is used as a source of randomness for the next block.

However, this block by block update of source of randomness gives an adversary many more random chances to increase the growth rate of the private adversarial chain. This block offers an independent source of randomness and, due to the nothing at stake phenomenon, the adversary will grind on all blocks by parallel executions of multiple VDFs, causing the growth rate of the private adversarial chain to be amplified by a factor e. By creating this nothing at stake attack, the adversary can now grow trees on all blocks in the honest chain, with each of them having an amplification factor of e on their growth rate.
However, we have shown that for beta less than 1/(1+e), there exists some block in the longest chain, denoted by the green color here, such that with high probability, no adversarial tree, starting from any of its ancestral blocks would be able to grow trees up with the longest chain containing this block. This is generally called convergence in the literature. So, for beta less than 1/(1+e), PoSAT is secure against private attack.

However, we know that Bitcoin is secure against private attack for beta less than half. So we ask, can you push the security threshold for PoSAT to one half or not? That will make PoSAT guarantee similar security as Bitcoin. The natural question would be, does a less frequent update of input randomness push the security threshold against private attack in PoSAT closer to half? In our work, we found out that the answer is yes.

So how to do that? With less frequent update of source randomness, the source randomness required for computing the eval function of VDF for proposing the next block is updated once every C blocks. For illustration, consider an epoch of C consecutive blocks. Then the randomness embedded in the Genesis block is used as source randomness for computing the eval function for each block in epoch 1. For blocks in epoch 2, the randomness embedded in the last block of epoch 1 is used as source randomness, and so on.

Now by controlling how frequently the source of randomness is updated, that is by tuning the value of C, one can control the amplification factor phi C of the growth rate of the adversarial tree. For instance, for C equals to 1, we go back to our original case of updating source of randomness every block, which gives the highest amplification factor. For C equals to 2, the amplification factor is decreased. For C equals to 3, the amplification factor is decreased even further. We show that the amplification factor is a decreasing function of C.
Eventually, for C tending to infinity, we have the amplification factor approach one, which is the amplification factor in proof of work. We'd like to point out that in contrast to Ouroboros, where the source of randomness remains fixed for days, in PoSAT a chain of C blocks over which randomness remains fixed comprises seconds or minutes.

As for unpredictability, consider this to be the state of the blockchain with RS0 being the randomness embedded in the last block of the epoch. Now, after receiving this last block with RS0 being the source of randomness, the node will start evaluating the eval function of VDF. The unpredictability of VDF guarantees the unpredictability of when this node will win the next lottery. Suppose the node is able to win the lottery and propose a block with randomness RS1 embedded in the block. Now the node will start evaluating the eval function of VDF with RS1 being the new source of randomness. This new computation can be thought of as a continuation of the computation from the beginning of the epoch. Again, the unpredictability of VDF guarantees the unpredictability of when this node will win the next lottery.

Now, after incorporating all these design choices, we finally present a main theorem that guarantees security for PoSAT while ensuring dynamic availability and unpredictability. For some time t, consider all the honest stake that has been online in the system since at least time t-bit dataset. We present them by lambda HCT. We assume that lambda HCT is upper bounded by lambda max, which is a valid assumption in the context of a proof of stake system. Let lambda AT be all the adversarial stake online at time t. Let delta be the network delay among all the honest nodes. Then if this condition is satisfied, then we show that PoSAT is secure.
Using proof techniques from EIR paper, we provide a security proof that shows that this security theorem holds true for all spectrum of attacks and not just private attack.

Now the question is what is the right value of C to choose from. On one hand, with increasing value of C the security threshold approaches the desired value of one half. On the other hand, the latency to confirm a transaction is directly proportional to C. So there is this tension going on between the latency and the security threshold. Depending on the application, one can tune the parameter C to obtain the appropriate security threshold while taking into consideration the latency.

To summarize, PoSAT successfully guarantees proof of work's dynamic availability and unpredictability while being provably secure under honest majority. So let us know if you have any questions, I'll be happy to answer them.
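
The epoch-based randomness update described in the talk can be made concrete with a toy model. This is an added illustration, not part of the talk and not the PoSAT authors' code. It assumes iterated SHA-256 as a stand-in for the VDF eval function (it has no fast verify) and a plain hash ticket as a stand-in for the lottery check; all names, the threshold and the genesis value are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

THRESHOLD = 2**256 // 8          # constructed difficulty: about 1 win per 8 steps

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

@dataclass(frozen=True)
class Block:
    height: int
    parent: Optional["Block"]
    randomness: bytes            # randomness embedded by the proposer
    step: int                    # iteration within the epoch at which it won

GENESIS = Block(0, None, H(b"constructed genesis randomness"), 0)

def epoch_source(parent: Block, c: int) -> Block:
    """Block whose randomness seeds the lottery for a child of `parent`."""
    target = (parent.height // c) * c    # genesis, or last block of an epoch
    b = parent
    while b.height > target:
        b = b.parent
    return b

def mine_child(parent: Block, node_id: bytes, c: int, max_steps: int = 100_000) -> Block:
    src = epoch_source(parent, c)
    start = 0 if src is parent else parent.step   # same epoch: continue the chain
    state = src.randomness
    for i in range(1, max_steps + 1):
        state = H(state)                 # one sequential step (stand-in for eval)
        if i > start:
            ticket = H(state, node_id)
            if int.from_bytes(ticket, "big") < THRESHOLD:
                return Block(parent.height + 1, parent, ticket, i)
    raise RuntimeError("no winning step within max_steps")

def build_chain(n: int, c: int) -> list:
    chain = [GENESIS]
    for h in range(n):
        chain.append(mine_child(chain[-1], b"node-%d" % (h % 2), c))
    return chain

def distinct_seeds(n: int, c: int) -> int:
    """Independent lottery seeds reachable by forking off any block of an n-block chain."""
    return len({epoch_source(b, c).randomness for b in build_chain(n, c)})

if __name__ == "__main__":
    for c in (1, 3, 6):
        print(f"c={c}: {distinct_seeds(6, c)} distinct seeds over 7 fork points")
```

With C equal to 1 every block is a fresh seed a grinding adversary could fork from; with larger C only epoch-boundary blocks are, which is the reduction in grinding surface the talk attributes to less frequent randomness updates.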