Well, good afternoon and good evening, thanks for having me here for this meetup. My name is Bernardo David and I'm an assistant professor at the Tokyo Institute of Technology and IOHK Collaborative Research Chair on Blockchains. As part of our work with IOHK and on the Cardano project, we have developed, in partnership with Edinburgh University and the University of Connecticut in the US, the family of Ouroboros protocols which are used as the main consensus protocols in the Cardano platform. So what is so special about these protocols? What makes them different from Bitcoin and from other blockchains that have been proposed in this space? Well, the main feature we have is that we are based on proof of stake or POS instead of proof of work or POW. And in this talk, I would like to tell you a little bit about the advantages of working with POS instead of POW and how we make sure this is actually secure. So in this talk, I'm going to cover first an introduction on the differences between POW and POS, focusing on the several issues that POW has, and then tell you a little bit about the basic structure that we want to get from a POS protocol. Then I'm going to delve into the Ouroboros protocol, which was the first provably secure POS consensus protocol based on blockchains, and show you the differences between this and the next level, which is Ouroboros Praos. That's the next paper we published this year at Eurocrypt 2018, showing how to improve both the efficiency and security of the original Ouroboros protocol. And then just a quick word about Ouroboros Genesis, which is the latest development in this series of papers and POS protocols, which basically achieves all the characteristics of the Bitcoin blockchain while achieving the same security. And finally, I'll give you a little bit of a conclusion with thoughts for future work. 
Now to start this discussion, let's think about the issues that we have in POW based blockchains such as the Bitcoin blockchain or the Ethereum blockchain and other blockchains that are based on the original Nakamoto Bitcoin consensus protocol. Well, first of all, there's a clear distinction between the coin holders and the miners. In any proof-of-work based system, you have people who have actually invested their money in the system by buying tokens or even mining tokens occasionally, and the professional miners, the people running professional mining farms where they generate new blocks and obtain some kind of profit from generating these new blocks. What happens is that the people who are generating new blocks, who are running the mining farms, are not necessarily the same people who have invested their money in the blockchain, in the POW based system. If you invest money in that, it doesn't mean you can generate the next blocks, it doesn't mean you can steer the evolution of the system, it doesn't mean that you have any control over the working of that blockchain. The people who actually control how the system works are the miners, who can simply decide to run a 51% attack, destroy the blockchain or make it grow, make policy changes, change the format of the protocol, hard forks and so on. So there's a clear distinction between who controls the blockchain and who actually invested money in the blockchain. That happens with POW, with all the POW based systems. Another problem is there are diminishing rewards for mining. We know that every so many years the rewards for mining a new block are halved, so you cut in half the rewards for the miners, and that takes away their incentive for actually spending huge amounts of electric energy and of money in buying specialized hardware that makes the systems work. So what happens when these rewards reach zero or close to zero, when there's no more incentive for people to mine blocks? What happens to those systems? 
Nobody really knows. And more than separating the control between the miners and the people who invested money on the system, the control is not only separate from the investors but it's also very centralized. We now know that the whole Bitcoin network is controlled by a handful of Chinese mining pools. So if the great firewall of China decides to close on those miners or if they come obliged by the Chinese government to take certain actions, that could be the downfall of the Bitcoin system, for example. So it's not nice to actually have a decentralized system that is controlled by a very centralized pool of people. These are the main issues that we can find in current POW-based systems. And then we think what could we do to solve those issues? Well, an obvious direction is shifting from POW to other mechanisms to achieving blockchain-based consensus. The main mechanisms we know these days are proof of stake and proof of space and their variations. As the title of the talk says and as the Cardano project indicates, it's obvious that I'm going to focus on the proof of stake-based solution. Now, why do you want to do that? Well, first of all, proof of space is also a resource depletion proof. So you're proving that you're wasting your physical resources, in this case space, as you would prove that you're wasting your computation, computing all those hashes for the proof of work. And we would like to move to a model where we don't have energy waste, where we do not waste our resources, but we actually employ those resources to do something useful for the system, for the blockchain and for the community. So that's why we chose to focus on proof of stake early on in the development of the Cardano project. Now, let's compare a little bit of the advantages and the disadvantages of proof of work and proof of stake. 
First of all, with proof of work, you have something like, if you have more resources, if you have more hardware, if you have more electric energy, you have more control over the blockchain. If I have enough electric energy and specialized hardware to mine more than 50% of the other people in the Bitcoin network, I can take it over. I can take over any other proof of work-based scheme. So the more resources you have, the more control you have. The more physical resources, mind you, not more financial resources in the system, not more investment, but the more physical resources of computation. It generates a huge energy waste. There are estimates that the whole Bitcoin mining pools spend more energy than the whole country of the Netherlands per day in mining blocks, which is not good. We do not want to spend precious natural resources and generate more pollution by running our blockchains. And also, as I said before, it can become quite centralized. On the other hand, in proof of stake, the more investment you have in the system, the more money you invest in the blockchain itself, the more you can control the system. So if you think some blockchain is good, if you think Cardano is a good project and you go and invest your hard-earned money in that project, you can actually be sure that you're steering the way the project is going and that by investing that, you get the voting power, let's say, to make the system work, as opposed to having some random miner control the future of your investment. Also, it's energy efficient. All you need to generate a block in a proof of stake-based system is a signature and a couple of cryptographic operations that spend no data or energy at all. In fact, I could be running the Cardano system on my phone. The protocol is so lightweight that it wouldn't even need my phone, this is a good phone, I could be running that on an old phone, on a raspi, on one of the first raspis. It's a very lightweight system. 
So you do not waste resources unnecessarily. And finally, the actual users, the investors, are the ones controlling the system, are the ones making sure that the system works to generate profit and to generate value and to actually make sure that the blockchain grows. Now, I've said all those good things about proof of stake, so let's get into a little bit of the basics of what you want from a proof of stake system and how it should work on a high-level description. Oh, I'm sorry for the slides, whoever is into Ghibli, the Japanese studio called Studio Ghibli, pictures, might recognize Totoro and Porco Rosso and Chihiro. I had a very bumpy flight to the Netherlands, so I couldn't adjust the slides to something more Dutch friendly, but I hope this will go. Now, let's look at how those guys are going to interact in order to run a proof of stake based system. Now, we see that Totoro, the big mythical creature here, has nine coins. Porco Rosso in the middle has six coins, while Chihiro is very rich because she worked on that crazy god spa in the movie and she made, well, 15 coins. And as I said before, whoever has more coins in the system, whoever has invested more, should be able to generate more blocks in a POS based system. But how are we going to do that? Well, we're going to run a lottery. We're going to run a lottery where the people who have more coins have a higher probability of winning. So Chihiro with her 15 coins to the right should have a much higher probability of winning this lottery than Porco Rosso. And that's how the lottery is going to work. In order to generate a block, we run a lottery. Let's say it selected Chihiro. So she gets to generate the next block. And that's what she does. So she generates the next block, and now we need to figure out who's generating the next block after this one, block two. So we run the lottery, it selected Totoro to the left, and he generates block B2. 
And we keep running this lottery every time we want the blockchain to grow. So instead of solving a proof-of-work puzzle, we are running a lottery that selects people who have money invested in the system, and they have a higher probability of winning that lottery the more money they have invested. Yes? Exactly. That's a very good question. And that's what I'm going to tell you in the next few slides. So there are several ways to run the lottery, and nobody should be running the lottery centrally because we want a decentralized system. So we're going to use cryptography to make the users of the system themselves run the lottery. If you think of it, those are techniques that come from the early 80s. And we have, of course, largely improved on them in order to make something that is efficient enough for something as large as Cardano. But that's a very good question. You cannot have a single authority or a single entity running that lottery. It must be decentralized. But now let's assume the lottery comes from the sky. The sun gives you the lottery, and that's how it works. And we keep running the lottery every time we want to grow this blockchain. Of course, Chihiro, to the right, is going to get elected more often. She's going to win the lottery more often than the other people because she has invested more. That's the first assumption we have. And we repeat this lottery over and over again for every block. So this is the basic mechanism of proof of stake, where, as opposed to proof of work, we're running this lottery that by now we're assuming comes from the sky. Now, just a little bit of terminology. I guess you're going to read that in the Cardano documents and in the forums. The person who generates a block is called, in our protocol, a slot leader. So for every block to be generated, we say we have a time slot. And during that time slot, somebody gets to generate a block. So let's say that every 20 seconds a block should be generated. 
So we have a 20-second-long time slot, and we select people through the lottery to generate the block that corresponds to each 20-second slot. And we call these people the slot leaders. And the lottery we call the slot leader selection process, which is basically what it's doing: the lottery selecting whoever gets to be the slot leader and generate blocks. So what have we done towards making this a reality, towards making this system truly secure? There have been several approaches to proof of stake-based systems in the previous years. Those systems have been discussed in forums. People have proposed ideas on how to implement them. But they had one really big problem. None of these proposals had a mathematical proof showing that they're actually secure. With the Bitcoin blockchain system, we can actually come up with a convincing mathematical proof that shows that as long as you have secure signature systems and cryptographically secure hash functions, we can achieve consensus. On the other hand, for the previous POS-based proposals, nobody was able to come up with that proof. And there's a very good reason for that, because it's actually a very complicated proof to write. So what we did in the course of the past three years or so was coming up with a system that is not only claimed by us to be secure, but can be proved mathematically to be secure and verified by other experts in the field who can check these proofs and make sure that what we claim to prove is actually true. Now, the first thing we came up with was a formal model for proof of stake-based system security. That's a paper we had at Crypto 2017. That's one of the major cryptographic research conferences that's been running for almost 40 years. And we showed how to construct the first provably secure POS-based blockchain consensus protocol, which we called Ouroboros. Ouroboros in ancient Greek means a mythical creature that is basically a serpent that's eating its own tail. Why do we call it that? 
The way we do the lottery, the way we construct this decentralized lottery, basically entails that the blockchain is generating new randomness for the lottery from its previous states. As if it's constantly eating its own tail to spit out more randomness. Now, this first paper was fine. We had a nice protocol, we can prove it secure, but it still had several caveats. And we solved them this year with Ouroboros Praos, which improved both the efficiency and the security of our previous proposal. And then you think, what is Praos? Again, from the ancient Greek, Praos means calm or relaxed. And this is the case because in the previous Ouroboros protocol, the original one, we basically have to assume that all the users are online all the time and posting their messages as fast as they can. Basically, they are nervous, they have to act fast. Now, with the new proposal, with Ouroboros Praos, we can have users there in a more real-world setting where they basically go online and offline at times. I mean, you're not going to keep your cell phone or your computer running 24-7 just to keep Cardano running. So we have found a way to keep security while achieving this more real-world scenario. And the current protocol used in Cardano is still the first Ouroboros. And we have plans in motion to move it to the next version, Ouroboros Praos. And as I'm going to tell you at the end of the talk, we actually came up with an even better version called Ouroboros Genesis. Now, what is the deal with Ouroboros, the original protocol? First, we have to assume synchronicity, which means that we assume that everybody, wherever in the world they are, has synchronized clocks. Think of one of those movies where people are robbing banks, they synchronize their clocks and they know when to get out or they know when to send a message. It's the same thing. 
We assume that everybody has their computers running some synchronized clock so they know when to send their messages for making the lottery work and for generating blocks. Given this assumption, and given that we have standard cryptographic assumptions such as secure digital signatures and hash functions and so on, we prove that as long as the adversary does not control more than 50% of the whole stake in the system, meaning that the adversary does not own more than 50% of the tokens that exist in this system, we prove that the system will be as secure as Bitcoin, which is what we want. We want to be at least as secure as Bitcoin, right? We don't want to get something that's less secure. And we also need to assume, of course, that the adversary, in this case, does not get to automatically corrupt people. What does this mean? This means basically that once the adversary hacks into your computer, steals your secret keys and starts impersonating you in the protocol, he needs to wait a little bit until he hacks into the next computer. That's basically this assumption. I guess you might be thinking, but this doesn't make any sense. People would just hack into my computer. They're not gonna wait for some delay. And, well, clocks on the internet, they are not synchronized. How can you properly synchronize a clock without very expensive technology? Are you gonna trust the NTP clock protocol? No, nobody trusts that. So those are not very good solutions, but we're gonna overcome that with Ouroboros Praos. Let's just take the simplifying assumptions for a moment and try to appreciate how we can use those to first build a simpler protocol and then go from those to a protocol that does not need to assume any of that, that just assumes the regular internet scenario. Now, the lottery. That's the main deal in POS protocols. How do you do the lottery? How do you select the people who get to generate the next block? 
We do that using this procedure called follow the Satoshi, where we get some random value, which I call here the seed, and having the seed, we evaluate the seed through a cryptographic hash function, H. That hash function is going to give you some output, and I'm assuming here that this output is between zero and the total number of satoshis in the blockchain, so the total number of the smallest division of coins in this blockchain. In the case of the Cardano project, let's think of it as the output of the hash function being something between one and the total number of ADA coins in the blockchain. Now, let's say this gave me ADA coin number I, and there's a guy who owns ADA coin number I, and there's a transaction in that block right there that shows that he owns ADA coin number I. So the guy who owns that ADA coin is the one who gets selected to generate the next block. Now, let's look at this process. If you select a number at random that represents each of the coins in the system, and the person who owns that coin gets to generate the next block, what does this mean? This means that if you have more coins, there's a higher probability that you will be selected by this process to generate the next block. These numbers I that are being output by this process are completely random. So anybody has a chance to get selected. Any coin has a chance to get selected. All coins are selected with equal probability. So if you have more coins, you are going to be selected more often. So that's the idea of this process. But still we have a problem. How do we generate these random seeds? Where does this randomness come from? We cannot expect this randomness to fall from the sky or to come from NIST or to come from other organizations. We are running a decentralized system. We want this randomness to be decentralized by nature. 
Well, we're going to resort to the good old Blum coin tossing by telephone protocol, that's a protocol from '81, that allows any number of parties who communicate through the internet or telephone or any remote channel to generate uniformly random numbers. And we're going to use this idea to generate these seeds. So let's look a bit at the structure of the Ouroboros protocol. Yes? Sorry, what if you select this random new block producer and they're not online? The block is not produced. That's it. So if you select somebody and they're not online and they don't respond within the slot, that block is not produced and you go to the next slot, and if a block gets produced in that slot, it links to the block from two slots before. Let's see. So we need people to be online, and that's why we have designed this feature called delegation, where you can delegate the power to generate a block on your behalf to a third party. The third party cannot spend your money. The third party cannot do anything with your money or your coins. All it can do is represent you in the block generation, and you're going to get part of their rewards. So the rewards are split between you and the third party, and that maintains security. Does that answer it? So let's look a little bit at the protocol, and that touches on the question you asked. We have the protocol divided in epochs. So we divide time in several epochs and we further subdivide these epochs into slots. So each epoch has a number of slots, and in each slot, a block is produced. As in every blockchain system, we start from a Genesis block, the block that was there before the beginning of time. So we have block B zero, which is going to include a description of all the coins that are available in the system and the people who own those coins. So you have a description of user number one owns this many coins, user number N owns this many coins. 
That description is hard coded into the Genesis block, and furthermore, the Genesis block is going to include randomness that fell from the sky that we can't get rid of. As in Bitcoin or in other protocols, we need to assume we have an initial block that tells the truth, and we're going to assume that in this block we have this randomness that came from the sky. Now, what do we do for every block? Whoever is elected by using this randomness in the follow the Satoshi process, meaning hash this randomness through the cryptographic hash function, get a number between one and the total number of coins in the system, and let the person who owns that coin generate the next block. We do that and we generate the blocks for this one epoch. In the first slot, nobody was online. The guy who was elected here wasn't online. No block was generated. So we go to the next slot. This guy was online, a block was generated. The next guy was online, a block was generated. Again, the guy wasn't online, no block was generated, and you proceed with the protocol. We have one problem here. We are using this list of people who own coins and this fixed randomness to select the people who generate the next block. But people are going to be conducting transactions and exchanging coins between themselves. So this list is going to become out of date. I say here that user one has this many coins, but let's say that in this block, user one transfers all his coins and now he doesn't hold any more stake. But through the end of this epoch, he will still be selected to generate blocks as if he still owned, as if he still controlled all these coins. We need to do that in order to achieve security. That's a caveat we have to deal with. But of course, we don't want this out-of-date list to persist through the whole protocol. And that's why we divide time in epochs. The idea is by the end of this epoch, we're going to update this list and we're going to generate a new random value. 
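As an added illustration (not code from the talk, and not IOHK's Cardano implementation), here is a small Python model of the mechanisms described above: the follow-the-Satoshi lottery that hashes a seed to a coin index and elects that coin's owner, and the epoch and slot structure that elects one leader per slot from a stake snapshot frozen at the start of the epoch, produces no block when the elected leader is offline, and recomputes the snapshot from the epoch's transfers only at the epoch boundary. The seed comes from a commit-then-reveal coin toss in the spirit of Blum's protocol; that construction, the per-slot seed derivation H(seed || slot), the fixed numbering of coins per owner, and the three-character stake distribution (Chihiro 15, Totoro 9, Porco Rosso 6) are all assumptions made for this example, not the protocol's actual randomness generation, which the talk skips.

```python
import hashlib

# Constructed toy stake distribution from the talk's slides (total 30 coins).
STAKE = {"Chihiro": 15, "Totoro": 9, "Porco Rosso": 6}


def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the given byte strings."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


# --- Decentralised seed: commit-then-reveal coin toss (assumed simplification) ---
def commit(value: bytes, nonce: bytes) -> bytes:
    """Hash commitment to one party's 32-byte random contribution (assumed)."""
    return H(b"commit", value, nonce)


def combine_reveals(commitments: dict, reveals: dict):
    """Check each reveal against its commitment and XOR the contributions.

    Returns the 32-byte seed, or None if any party withheld or changed its value.
    (A withholding party can bias this toy version; the real protocol uses
    verifiable secret sharing so that it cannot.)
    """
    seed = bytes(32)
    for party, c in commitments.items():
        if party not in reveals:
            return None
        value, nonce = reveals[party]
        if len(value) != 32 or commit(value, nonce) != c:
            return None
        seed = bytes(a ^ b for a, b in zip(seed, value))
    return seed


# --- Follow the Satoshi: seed -> coin index -> owner of that coin ---
def follow_the_satoshi(seed: bytes, stake: dict) -> str:
    total = sum(stake.values())
    i = int.from_bytes(H(b"fts", seed), "big") % total  # coin index in [0, total)
    # Coins are numbered consecutively per owner in a fixed (sorted) order,
    # so owner k holds the indices [sum of earlier stakes, + its own stake).
    for owner, coins in sorted(stake.items()):
        if i < coins:
            return owner
        i -= coins
    raise AssertionError("unreachable: i < total by construction")


def leader_frequencies(stake: dict, trials: int) -> dict:
    """Fraction of trials each holder wins under fresh, deterministic seeds."""
    wins = {owner: 0 for owner in stake}
    for n in range(trials):
        wins[follow_the_satoshi(H(b"trial", n.to_bytes(4, "big")), stake)] += 1
    return {owner: w / trials for owner, w in wins.items()}


# --- Epochs and slots ---
def slot_seed(epoch_seed: bytes, slot: int) -> bytes:
    """Per-slot randomness derived from the epoch seed (assumed derivation)."""
    return H(b"slot", epoch_seed, slot.to_bytes(8, "big"))


def run_epoch(epoch_seed: bytes, snapshot: dict, slots: int, online: set) -> list:
    """Elect a leader for every slot from a FIXED stake snapshot.

    Returns the produced blocks as (slot, leader) pairs. A slot whose leader
    is offline yields no block; the next block simply links past it.
    """
    chain = []
    for s in range(slots):
        leader = follow_the_satoshi(slot_seed(epoch_seed, s), snapshot)
        if leader in online:
            chain.append((s, leader))
    return chain


def apply_transfers(snapshot: dict, transfers: list) -> dict:
    """Snapshot for the NEXT epoch: replay (sender, receiver, amount) transfers."""
    new = dict(snapshot)
    for sender, receiver, amount in transfers:
        if new.get(sender, 0) < amount:
            raise ValueError(f"{sender} cannot transfer {amount} coins")
        new[sender] -= amount
        new[receiver] = new.get(receiver, 0) + amount
    return new


if __name__ == "__main__":
    print("win rates:", leader_frequencies(STAKE, 20000))
    blocks = run_epoch(b"\x03" * 32, STAKE, 10, {"Totoro", "Porco Rosso"})
    print("blocks with Chihiro offline:", blocks)
```

The win rates come out close to 15/30, 9/30 and 6/30, which is the stake-proportional election the talk describes. Note that a holder who transfers all coins mid-epoch keeps winning slots until the epoch ends, because `run_epoch` only ever reads the snapshot it was given; only `apply_transfers` at the boundary changes who can be elected.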
Updating the list is very easy, right? We have the list of transactions in every single block. So we just read all the blocks in one epoch and we know whoever owns the coins. I'm not going to go into details on how this randomness is generated. I just want to tell you a little bit about how this works. There's a Japanese expression, mendokusai, that says, well, explaining these proofs is too complicated to do now. But it actually is. We have 40 pages of mathematical proofs in the paper. But well, these papers have been published in major cryptographic conferences and people believe, other experts believe they are correct. So that's how we get assurance in these cases. Yeah, it's peer reviewed by other experts. So let me just tell you a little bit about what we improved, because I had a lot of caveats in the first protocol. So first of all, in Ouroboros Praos, we don't need this synchronicity assumption anymore. We can just work in a regular internet model. Everybody's desynchronized. Nobody knows what time it is on the other end of the world. Nobody knows that the computers have a synchronized clock. And also, we can assume that we have hackers that hack you instantly. You have hackers that can hack up to 50% of all the stake, that can gain control of up to 50% of the stake immediately and adaptively choose who they're going to hack, which is the real world. So now we can work on the actual internet while retaining the same security guarantees. And we do that via a number of new techniques of selecting the slot leader, whoever generates the block, in a different way where you do not know who's going to generate the block in the epoch in advance. We need different cryptographic techniques for that. And we show that we can generate the randomness for the lottery in a different way. Now, let me jump over the cryptography on that. That's a bit more technical on how we do that, and get to the next step. 
So in Ouroboros Praos, even though we solved those other problems, we actually still had one big caveat. We had to assume that the users that joined the system, the new users who just joined the system, who had not been running this blockchain before, that they would need somebody that they trust to give them intermediate states of the system, so intermediate blocks, so that they can check that the chains they're receiving are correct. And that's not so nice, right? We want to be able to bootstrap the whole blockchain just from the Genesis block and by knowing the protocol rules. And with Ouroboros Genesis, it's solved while also achieving this kind of security called universal composability, which means that the protocol can be running in parallel with any other protocol and inside other protocols and so on, which is a more real-world thing. The universal composability for this case is achieved basically by adapting the techniques from Ouroboros Praos, and security without checkpoints, meaning you bootstrap just from the Genesis block, is achieved by using a different chain selection rule. So usually you use the longest chain rule, where you pick the chain that has the most blocks. And that's easier to analyze mathematically and so on, but that doesn't give you the best guarantees. In Ouroboros Genesis, there's a more sophisticated chain selection rule that allows you to bootstrap directly from the Genesis block without intermediate trusted checkpoints. So that's where we are right now. So basically we are at the same security level as Bitcoin, while using a tiny fraction of the energy and achieving many more transactions per second. The benchmarks, as far as I know, are getting to at least 100 transactions per second for the Ouroboros protocols, while Bitcoin does six transactions per second. And this 100 transactions per second was a benchmark run on a non-optimized implementation two years ago or so. 
So I'm pretty sure that the current Cardano implementation is even better than what I used as a researcher to evaluate the performance. Now, this is basically the message that I would like to leave today, that we can get the same security as Bitcoin with much less energy and while achieving better performance. And how we do that is by using a lot of cryptographic techniques that are well understood and, most importantly, mathematically proven to be correct. So it's not just me standing here and promising that this is secure. We actually have mathematical proofs that this is secure, and those proofs have been checked by the best experts in the world, who are on the program committees that select the papers that get published in these conferences through a very strict peer review process. And if you're interested in more details about how these protocols work, of course, you're very welcome to send me an email and also take a look at our papers, which are all publicly available on the ePrint server of the International Association for Cryptologic Research. We have all the original Ouroboros, Ouroboros Praos and Ouroboros Genesis papers publicly available at these addresses. And we're always open to answering questions here or by email or by carrier pigeon, whatever you want. I'm very happy to talk about these protocols and to answer any concerns you might have. So that's it. Thanks for your attention. Thanks for having me here in Rotterdam. Thank you.