 I've been doing work for IOHK, working on design and research on the wallet. Most of the publications that we've been putting out are very technical in nature and not very suitable for a completely general audience. So tonight the talk will be giving some of the intuitions and the ideas behind the work that we've been doing but at a non-technical level appropriate for a completely general audience. I think for people who are interested in a system or are using it it doesn't matter what their background is. It's important for them to understand a little bit about some of the ideas and their research and even if you don't understand all the technical details that you have a feeling that there is real science behind all of this. So when you make a payment in a cryptocurrency like Cardano it works a little bit like cash. So when you go to the supermarket and you pay for your milk with cash you have to pick coins from your wallet, right? So maybe you pick a 50p coin and a 1 euro coin or whatever. Now when you make a payment on a cryptocurrency actually it works in quite a similar way. You have to pick coins and you cannot make half coins or something like this. And it turns out the process of picking these coins is actually quite tricky, quite difficult because when you go to the supermarket you might have 10 coins in your wallet but in the software we might be dealing with thousands of coins and we need to make a good choice. So how we make that choice influences all kinds of things, especially over time. So it's very important to do this well. So we spent a lot of time thinking about this and coming up with a way to do it correctly. I think it's very important to have a mathematical description of how the cryptocurrency works because without it it's very hard to make precise scientific statements about how it works and for example in a specific example of the wallet one of the questions that a user might have is what is my balance? How much money do I actually have? Now you might think that's a trivial question but actually it's not at all and it turns out this is mathematically quite intricate and there's different answers depending on your purpose. Without a mathematical model I cannot give you a correct answer, I cannot give you a precise answer. The mathematical model allows me to study the question and allows me to study the different ways I can answer it and make it very precise. So the term UTXO literally means Unspent Transaction Outputs and I talked about these coins in the cryptocurrency. Now that's really just an analogy. The technical term for one of these coins is a UTXO. So for end users it depends a little bit on what kind of end users. The work that we do is very fundamental and very mathematical so most end users wouldn't necessarily see the immediate results of that. For them it would just be more reliable, they know they can trust in it. It's not necessarily this feature or that feature but for them they can know the underlying system is I can trust in it. For some end users of course there are big end users like the exchanges where people exchange money. For them it's really important that we do this correctly. So for them this work, this fundamental research is crucial. So the next thing that we're going to be looking at is right now we've been doing work on the wallets and we started with a mathematical model and then we translated that mathematical model into code and now we're going to take the exact same approach for the underlying blockchain. So the blockchain is where all the financial transactions are recorded and that has a whole theory behind it. Lots of people working on it, especially cryptographers. We're going to take some of the work from the cryptographers turn it into a mathematical model that we as programmers can work with and then from there translate it into code so that we have a very clear path from the cryptography research to a mathematical model to reliable trustworthy code. For me it's quite interesting to work for a company like IOHK and actually there's not that many companies like IOHK. There's not many companies who take the mathematics underneath their products so serious. And especially I work in a programming language called Haskell and there's a lot of companies using it and one of the slogans is Haskell is like mathematics. But people say it, but very few people then actually do it. There's not that many companies who are actually taking the next step and actually let's look at the mathematics and make sure that it is what we think it should be. Whereas in IOHK they take it very serious and it's great to have this opportunity to look at this work and really sit down and really work it out and really mathematically prove what we want to prove and then go to code. I believe in the approach absolutely and not many companies give you that opportunity so I think that's really good. Thank you. So I'm going to try without the mic. I prefer just addressing you guys with the mic. If you can't hear me I will switch to the mic but I prefer to do just this. You can hear me okay at the very back, then we should be fine. I just teach martial arts so I guess I'm used to this. All right. So yeah, I'm going to talk about the wallet. This will not be a talk about the wallet software that I'm sure a lot of you have installed. This will be a talk about the mathematics underneath the wallet. It won't be a very technical talk. I've tried to aim this at the general audience so I'm not going to assume much knowledge about anything really at all. So I hope I achieved that. Yeah, but as John said, if anything is really unclear feel free to interrupt and I'll try to clarify. Okay, so in order to talk about the wallet what do you use the wallet for? Well you use it to make payments, right? So in order to talk about the wallet I need to tell you a little bit about how payments work on a cryptocurrency because it's a little bit different from how payments work in the real world. So I'm going to relate it back to the real world first. So suppose that we have your regular bank account, right? So we have Alice and Bob here and Alice has some transactions on her bank account and her current balance and we have Bob also has some transactions and his current balance. So I'm going to transfer 70 euro, dollar, eight or whatever, it doesn't matter to Bob. Well in a bank this is really very simple, right? We just make a new transaction on Alice's bank account it shows 70 went to Bob on Bob's bank account it shows 70 came from Alice and we adjust the balance accordingly, right? Very simple, you're all familiar with this you've seen this a million times, right? Now why am I telling you this? Because I want to contrast this with cash and I know that you know this also but there's something quite different about cash and bank accounts. What is that? Suppose here on the left here we have Alice and she has some coins and bank notes are coins here we call everything coins and Bob has some coins also. Now if Alice wants to pay Bob 70 now she doesn't have a 70 coin, right? So she has to make a choice and either give Bob the 100 one or the 50 ones, right? But she can't break a coin in half and give half a coin, right? So maybe she chooses the 250 coins gives us those, Bob and then Bob picks up his 30 coin and gives it back to Alice. Now of course I know you're all very familiar with how cash works but I just want to point out this is quite different from a bank account, right? We cannot break coins in half we're restricted by the coins that we have. So this is relevant because in a cryptocurrency it works more like cash. In this case Alice wants to pay Bob 70 again but now Bob doesn't have a 30 coin available to give us change. It doesn't matter. It works a little bit different from cash. What does Alice do? Alice chooses one of these coins. Maybe she chooses the 100 coin but she destroys it and she makes two new coins a 70 coin and a 30 coin. Now I've visualized in this here as a broken coin because of course you can only do this once, right? You can't use a coin more than once. After she's done this the 17 coin she gives to Bob and the 30 coins she keeps herself, right? So this is how payment works in a cryptocurrency like Cardano. Now this process of taking some coins and by the way I should say she could also choose the 250 coins. We can take a bunch of coins, destroy them make some new coins, keep some ourselves and give some to other people. That process is called a transaction. When we talk about a transaction in a cryptocurrency this is what we mean, right? And therefore these coins are also known as UTXO, Unspent Transaction Outputs. The result of these transactions. All right. Now in a wallet we have to think about a particular problem that's called dust. So suppose we change the setup ever so slightly Alice now wants to pay Bob 8. Bob doesn't have any coins, doesn't matter, right? Alice makes her own change. Alice needs to make a choice. She can take up the 50 coin or she can take up the 10 coin, right? Both would work. Now maybe you might think the obvious thing to do is to take the 10 coin, right? The closest. So it's possible she can take the 10 coin, destroy it make an 8 and a 2 coin, give the 8 coin to Bob and keep the 2 coin herself. But that's a problem. That 2 coin has a very small value. When you go to the supermarket and you pay in cash you prefer not to have too much small change around, right? It's annoying. It makes your wallet heavy, right? Actually the exact same problem happens here also. We don't want too many small coins in our wallet. It's bad for the wallet, it's bad for performance, it's bad for a lot of things. So actually this is not a very good choice. Instead what we prefer is to pick the 50 coin. If we pick the 50 coin we break it apart, we keep a 42 coin and we give the 8 coin to Bob. This is a better choice. In general, by dust we mean all these small coins. And if we're not careful we end up with a wallet that has tons and tons of dust. We have all these small coins, which I'm rendering here as these copper coins, right? To remind you of Nichols or something. So if we're not careful about this how we pick our coins, we end up with a wallet Now of course when you make a transaction in the wallet, you don't actually choose coins, right? The wallet is doing this for you underneath the hood. But you can imagine that if your wallet looks like this the wallet will have a hard time doing that, right? So we prefer to keep the size of the wallet small. Alright, so that brings me to the next part of this talk which is how do we do this? How do we do coin selection? But before I talk about that I want to talk a little bit about this animation here. This is an animation of flocking birds. It's one of the standard examples in biology of something called self-organization. So what is self-organization? Self-organization is where complex behavior, in this case flocking birds emerges from very simple rules. If you watch flocking birds out on the wild there's not one bird who's the leader, right? Every bird follows the same sort of simple rules and this complex behavior they flock together, they sit down emerges as a result. This is called self-organization. I've always been fascinated by this. So we're going to take inspiration from this in how we design our coin selection algorithm. So, to remind you the problem was that we don't want a wallet that looks like this, right? We want to keep the number of dust the number of small coins in our wallet small. So you might think well if this is the problem the obvious thing to do is simply always pick the largest coin possible, right? In the example, if we had a 10 and a 50 50 was the right choice, right? So I might think, okay well maybe that's the right thing to do. So, to assess these questions to address these issues we're going to simulate it. And I'm going to show you these simulations for a number of different possibilities. I just want to explain before I show you the real simulation I want to explain a little bit what's here. This big histogram here shows on the x-axis the size of the coins and on the y-axis how many of them we have, right? So in this case we have a lot of dust, right? This corner of the wallet here are small coins near zero, right? So we want this to be small. Now this graph here shows the balance of the wallet which is not too important for now and the total number of coins that we have in the wallet which we want to keep down. Okay, so I will show you a simulation of what happens if we always pick the largest coin. And it looks like this and it's a disaster. Look what happens, right? The number of dust coins goes up and up and up and up and up and up and up and in this situation if you look at this number of coins we have in the wallet it grows to 60,000 coins in our wallet. So clearly this is not working. So I want you to think about this picture one more time. If you imagine this ball of coins in front of you and you just close your eyes and you pick a coin what kind of coin would you pick? Well, if there are so many small coins here you're very likely to pick a dust coin, right? So this is an observation by Mark Erhard in his Master's thesis on this topic and he says, he doesn't say it quite like this I'm paraphrasing, but he basically says if we choose a coin at random close our eyes and pick one then we're very likely to pick a small coin precisely when we have a large number of small coins. And this is what I'm going to call our first self-organization principle. It's a very simple rule but it will mean that if you have a lot of small coins you're going to use them. So let's see. In this animation here we're first running again largest first, right? Disaster. And now you can see the exact moment where it is, right? Very, very effective, right? This is not ambivalent, right? We can very clearly see it, right? It goes up and up and up and up and now we switch to a new policy we now just close our eyes we don't do anything smart and we just pick with our eyes closed and because we have so much dust it's very, very, very likely to clean it all up very quickly. And this is actually limiting itself by only using 10 coins per transaction. So it could even be faster than this. So clearly this is working quite well. So you might say, okay, well maybe here's the answer. We just pick randomly. This is what happens when we just pick randomly. If you look at the number of coins in a wallet before it went up to like 60 or 80,000, right? Now we're stuck with the same sort of underlying data about 1400, much, much better, right? So this algorithm is doing better. Why? Because it's using all these small coins that it might create. But if you look at the histogram it's also still clearly generating them, right? All of these coins here are dust. Yes, it cleans them up afterwards but it's still creating them also. So we would like to do a little bit better. So, and here's where we move on from Mark's work. I mean, Mark and his thesis goes on one direction. We're going to slide a slightly different direction. And that direction is what I'm going to call the second self-organization principle. And his thesis follows. If for each payment of value x, so you pay 70, say, we create a chain's coin roughly of the same value. So we try to make a change also of value 70. Then we will end up with a lot of chain's coins in our wallet of size 70, precisely when we have a lot of payments of size 70. So this is again a very simple rule but it means that over time, the coins we have in our wallet will reflect the kinds of payments we want to make, right? So let's simulate it. Again, oh, sorry. This was the problem, right? This was just picking randomly. And we had all these dust coins here, right? So now let's switch and try to make change coins which are roughly of the same size of our payment and see what happens. And here's the result. And as you can see, dust is completely absent, right? This is doing very well. And we've tested it under a large number of different situations, large number of scenarios. And this is very resilient. It does very well under large number of different circumstances. So I want to talk a little bit about how we do it. So suppose that, again, Alice needs to pay 70. Now she starts picking coins. She closes her eyes and just picks them, right? So maybe she picks a 30 and a 50. So now she has 80 in total, right? Which is enough. She can do the payment. But the change would be 10, right? So she tries to improve this. That's why we call this algorithm random improve. We just pick randomly and then we try to improve it. OK. So maybe she picks not a 10, maybe a 20, whatever. And she tries to get closer and closer to 70. So her change is 70. OK. But now think. Suppose that she happens to pick a very large coin. Maybe she picks a 300 coin. Now her total will be 318. What is she going to do? She has basically two options. Well, maybe she has lots of options, but at least two. One is, OK, she just puts the 300 to the side and continues her search. Right? But this is not a very good solution. And why is that? It's because in the worst case scenario, it would mean that she will start to look at every single coin in her wallet looking for the good one, which is not a very good solution because it's too slow. So the other solution is, well, maybe she just stops and gives up at that point. And I might think, oh, that's a bit too simple, but actually that might work quite well. So here's what we're going to do. Alice wants to pay 70. She wants a change of also 70, ideally. She's going to tell herself, OK, I'm going to pick randomly, getting to the 70. And if I go above twice that value, 140, I give up. Right? So maybe I pick, you know, if I have a change of 70, it's good. I have a change of 100, it's good. 140 is also good, but 150, if I happen to pick a coin which is over this 150 limit, I stop. And whatever I have so far is what I'm going to run with. Now, why does that work? Third self-organization principle. First, searching the wallet for additional coins, trying to improve our change, is only useful if our wallet has sufficiently small coins. If I only have a little bit to go to get to my ideal value and I have a large number of very large coins in my wallet, well, then there's not much point containing my search. So, but precisely when the wallet contains many small coins, it is less likely that the randomly chosen one will push us above the upper limit. So, we pick the 30 and the 50, we get to 80, and we start picking coins. If we have a large number of small coins in our wallet, well, then we should find a good solution. Right? But if we then pick randomly, we're also less likely to go above our maximum, so we search for longer. But that's correct, because in this case we should search for longer. If, on the other hand, we have only large coins available and we pick randomly, we're more likely to get ourselves over that limit, so we will give up sooner. But again, that's correct, because in this case there's not much point searching for longer. Right? So again, a very simple rule, but one that works very well. Okay. So, the last part I want to talk a little bit about is balance. How much money do I have? And you might think, well, this is such an easy question. Why is balance complicated? Well, actually, it turns out balance is pretty complicated. And I'm going to try to give you an intuition of why that might be the case. So, we have a mathematical document, which is like 45 pages or something with mathematics improves. And a large part of the document is dedicated to the question about balance. I'm not going to talk about the document. This is as much mathematics as I'm going to show you, and I'm not even going to explain this. I just want to give you the intuitions. And before I do that, I want to go back to the bank example, because even here, balance is a little bit subtle. Suppose again that Alice wants to pay Bob 70, right? In the normal bank, right? You're a regular bank. But maybe this transaction hasn't gone through. It's in the system, you know, on the way, but Bob hasn't got it yet. Right? So, Bob still doesn't know anything. Now, when Alice logs into her bank account, or a bank might tell her, well, actually, your balance is 580, but you paid Bob 70. It's still being processed. It hasn't gone through yet. We're going to call it its pending. But it's there, and it will go through. And therefore, your available balance is only 510. Was that a question? No? Okay. All right. So, we already have two concepts of balance, even for your bank, right? Your current balance, as well as your available balance. And the difference arises when we have transactions in a system that are pending, that haven't gone through yet. So now, let's go back to how this works in a cryptocurrency. Right? Again, we have these coins. And we said, here, a transaction, what is a transaction? Well, a transaction is we take a coin, maybe in this case, the 100 coin, make some new ones, keep one, we're going to keep the 30, and give one to somebody else. The 70 goes to Bob. Now, this whole thing is a package called a transaction. But that whole thing might be pending, might not yet be processed. So now, what happens? Alice's balance is 200, right? She has all of these coins, the 50 and the 100, because this is still pending. It hasn't actually happened yet. But she did submit this transaction. So her available balance, just like in a bank account, is only 100 because she used this 100 coin. However, at the time that this transaction goes through, she would get some change back. Right? So now, we have also what we call the total balance, where we add the change back in. So we have now three concepts, current balance, available balance, which we also have in your bank account, as well as total balance, which is new because in your bank account, you never get change back. And there's a fourth. But in order to give you the fourth, I need to explain a little bit about how the blockchain works. And this goes a little bit back to Bernardo's talk, but at a much higher level of abstraction. So it might not be very obvious to you, but when you make a transaction, that transaction gets sent to absolutely everybody. Everybody sees every single transaction. So in this scenario here, I have some computers, some people here. Maybe they live in US. And on the right, I have some people maybe in Europe. And let's just say for the sake of the argument, there's only one connection between them. A big chunky cable over the ocean floor. Of course, there's more than one transaction in real life, but let's just, for the sake of the argument, assume there's only one. So what happens? Whenever somebody in Europe sends a transaction, it gets sent to everybody, and everybody writes it down. Same for the US. Whenever somebody in the US sends a transaction, it gets sent to everybody, and everybody writes it down. This is the blockchain. The blockchain is this list of all the transactions that have happened. Why is it important that everybody has every single transaction? Well, if I give one coin to Alice, it's very important that I can't give that coin also to John. Otherwise, money wouldn't be meaningless. In order for you to verify that, you need to be able to tell, if I give you a coin, did I already give it to somebody else? So this is why it's very important that everybody sees every single transaction. That doesn't mean that everybody knows exactly how much money you have, and that doesn't mean that if I give you a coin, you can verify what this coin already used. But if I show you this picture like this, you might already wonder, what happens if that connection between the US and Europe momentarily gets broken? It happens sometimes. What happens now? Well, now if somebody in the US sends a transaction, only the people in the US know about it. When somebody in Europe sends a transaction, only the people in Europe know about it. They're disconnected now. So this is very bad. And what we have is what we know as a fork in the blockchain. So at this point here, it forks. Everybody agrees about these three, but after this fork, after this connection got broken, the US people only know about these guys and the European guys only know about these transactions. So, not so good. Of course, usually when this happens, of course, at some point, this connection gets restored again. So maybe we're in this place here. Everybody agrees about the first three transactions, but then the European chain has three more transactions here and the American chain has two more. And at this point, the connection gets restored. Now they can talk to each other again. Now what happens? What is the chain? And now this is where the chain selection rule comes in. Bernardo briefly mentioned somewhere about all the technical detail. I don't know if you remember it. He said in the simple version, which is the one that's currently in use, we just pick the longer one, right? So in this case, when this gets restored, everybody just says, okay, we'll pick the European one and we continue business as usual. Any transaction that was in the shorter one disappears. Maybe they get resubmitted into the network and eventually they get onto the chain. Maybe not. We're not sure. We hope that they will, but we have no guarantee. Okay? So what does this mean for our balance? Well, let's look at an example. Suppose here somebody in the US gets a 1,000 coin. Okay, fine. Balance 1,000. Now the fork happens, doesn't really matter so far, and they get another coin, a 100 coin. So now their balance is 1,100. All right, easy so far. Some stuff happens in Europe, it doesn't affect us, balance is the same. Now suppose that this guy here submits a transaction into the network that spends this 100 coin, sends 10 to somebody else and keeps 90 himself. This is still pending. What does it mean? This 100 coin was used. So the available balance is the total balance, minus that coin, 1,000. The total balance is what we get when we get back that change eventually. So the change is 90, so the total balance is 1,090. Okay. Some stuff happens in Europe, we're not affected. And now, we resolve the fork. So now we go back to the situation where these transactions that lived on the American chain, their situation is unclear. They might be included in the blockchain, eventually they might not. What should I tell this person about their balance now? What is their balance? Well, these two transactions, where they got the 100 coin and spent it, might eventually both be included in that new chain. In that case, their balance would end up as 1,090. It's also possible that neither of them will be included. In that case, their balance would be 1,000. The third possibility is that the first one does, but the second one does not. In that case, their balance would be 1,100. Bear in mind, by the way, it's not possible that the second transaction here is included and the first one is not, because the second one spends the output from the first. So that's not an option. But if I don't know which of these situations will happen, the safest thing, the only conservative thing I can tell you about actually your balance is 1,000. Because I don't know which of these three possibilities will happen. Let's look at a smaller, slightly different example. Again, we started the same scenario. We have the 1,000 coin and no 100 coin. And we have a fork at this point. But now we spent both of these. So we spent both the 1,000 coin and the 100 coin. We give 200 to somebody else and we keep 900. So what is our balance? Well, we spent both our coins. We have nothing left. Our available balance is zero. Our total balance, remember, is when we get back to change. How much change do we get back? 900. So our total balance is 900. Okay, fine. Some stuff happens in Europe. The other fork, we're not affected. And now, again, we resolve the fork. Now what happens? Again, we don't know. These two transactions may be included in the new chain or maybe they won't. If both of these are included, our balance will be 900. If both of these transactions are not included, our balance will stay at 1,000. If the first one is included or the second one is not, our balance will end up as 1,100. So now the conservative estimate, the safe thing I can tell you is we should assume both of these will be included. In a previous example, the safe assumption was neither of them is included. Now here the safe assumption is both of them will be included and the only balance you can really be sure of is 900. Make sense? All right. So the safe assumption is 45 pages of mathematical proof. I'm not going to bore you with that although if there's questions, I'm more than happy to talk about this. But I'm going to leave it here. If there's questions for me or for Phil or Manuel or other people here, I'm sure we're more than happy to take them. Otherwise, thank you very much.