 Hi everyone. I'm Bing Shen Zhang from Lancaster University. I'm a Program Director of the Cyber Security Master Program here. Our master program is one of a few fully recognized by GCHQ. Now it's known as NCSSC. Our university is also among the first eight certified by GCHQ as an Academic Center of Excellence in Cyber Security Research. Today I'm going to talk about a Treasury System project which is in collaboration with IOHK and it's a subproject under the Cardano. So when we are talking about the Treasury, we need to first go back to the blockchain. So when we say it's a blockchain, it's a cryptocurrency, that's not our company. So the cryptocurrency itself does not have money support. The blockchain itself does not have money support. I mean the real-life money. So the Treasury System aims at solving two things, how the funds come from and how the funds are decided to use. So if you think about current funding strategy, maybe there are some non-profitable organizations such as Bitcoin Foundation, Ethereum Foundation. They say they are volunteered to take in charge of developing, maintaining the underlying cryptocurrencies or the underlying blockchains. That's a way of finding those cryptocurrencies. Some other ways, like ICO, you pre-mine some coins and you sell them and you get a lot of money. Then you use that money to find the developers, to find the scientists who make some new algorithms or to find some marketing team. The problem of those funding strategies is they are not sustainable in a way that what if the money runs out? For instance, if a cryptocurrency purely based on donation money, what if the donation money runs out? Then suddenly you don't have the money to hire the developers, so suddenly the software will stop being maintained. Then the less people will start to use the software and the cryptocurrency will die out. So alternatively, there are some other funding strategies, more sustainable. For instance, we see a model like Zucco with Zcash. When a miner gets some block reward, certain percentage, say 10%, 20% will go to that company. That company will be in charge of developing, maintaining, marketing, etc. So that's one way of doing it. Another way is like a Dash Governance System. You take the money also from the miners, let's say 10%, 20%. You put it into an account called a Treasury account. Then later you decide how to use it. So the main difference between the aforementioned way of handling the funds is centralization vs decentralization. So for the organization-based funding management or the company-based funding management, the biggest problem is the risk of centralization. So who is going to decide how the money is going to be used and how they are going to develop the next generation of the protocol, etc., a very small group of people and not the actual user, certainly not the majority of the stakeholders. So if you are looking at, for instance, the Dash, they are trying to resolve the problem by making the Dash system, have a Treasury system, and supposedly everybody can join to participate in the voting, and then the decision-making process can be more decentralized. But there are a few problems with the Dash Governance System so far. It's great as a first step, but we also have saying it does not have privacy. And when it does not have privacy as an existing one, when it does not have privacy, which means it does not support the freedom of choice for the voter to vote because it may subject to coercion. If there is no privacy and you don't assume the underlying blockchain system gives you fully anonymity, then if anybody can see how you voted, then basically you can sell your vote, for instance, and maybe someone will also coerce you to voting a certain way, then it will affect the soundness of the voting result and also does not represent true democracy. So the project we are working on the Treasury system wants to resolve this to bring a next-generation Treasury system that is private, that is coercion-resistant, and that supports some new fancy term called liquid democracy. I will mention it later, what's liquid democracy. So first let's have a look at how the money comes from. There are three main resources of the Treasury, one supposed to be mint. So basically it's like a Bitcoin, every block you mint 50 coins at the beginning, and now it's 12.5, et cetera, half every four years. So a Treasury system may have a Treasury account, and that account at each block you may mint certain amount of coins. Second is tax, so taxation. For some blockchain system you create all the coins at the beginning, then basically if you start to mint coins you may create unnecessary inflation, but those blockchain systems we can take tax from the miners' block reward, such as Zen cash, such as Dash governance system. Let's say we take 10%, 20% the block reward as taxation and fit it to the Treasury account. And the third way is donation. Donation is not sustainable, so it's there to address the current issue with the charity account. So if you think this Treasury as a charity, someone gives a donation to this Treasury account, then we can actually make the charity more transparent by using the Treasury system to do so. Next question, what is liquid democracy? That's the key word, sorry. So if we have a very small amount of people, very small set of people, typically the best way to achieve democracy is called direct democracy. So we have an issue, yes, no, and everybody will directly vote for this issue. For example, if I propose a project and anybody can vote for yes or no, directly when we have a small amount of people. When the number of nodes going bigger than this, let's give you another example. When the number of nodes going bigger than it's like a country election, nowadays we are using so-called representative democracy. So we actually have a fixed set of delegators. Nobody can vote directly on this issue. You can delegate your vote to either one of them and they will vote on your behalf, either yes or no, and then we come to the result. Okay, that's called a representative democracy. There's a small problem with this setting is maybe because this set of people are fixed, maybe you don't trust any one of them, but you have to delegate your vote to them, that's by design. Or maybe for a particular issue, none of them are actually familiar with those issues, but they have to vote because that's their duty. So what is liquid democracy? Liquid democracy aims to make a hybrid system between these two. So let's say we have a bunch of people for different issues, different people of them are experts, are familiar with. We are going to vote for yes or no. If you are a voter, you might vote directly, maybe because you really care about the outcome of this issue or you really want to express your opinion about this issue or you are actually an expert, you really do not want to delegate to anybody else. You can vote directly or if you're not familiar, you can delegate your vote, voting power to someone you know, not a fixed set, anybody you trust, you know, and that guy can even delegate further if they want and that guy can also directly vote if he's already an expert. So a liquid democracy basically says any voter can either vote directly to the issue or delegate their voting power to someone, anyone they trust and those guys can either delegate further or vote. So a rough graph could be like that. So then we come to the votes. So such kind of system, we do have some realisation but not so secure realisation in reality. For instance, Google has an experimental project called Google Vote. It tried to implement liquid democracy using the social network, Google Plus. It does not have privacy but as I mentioned before, if a system does not have privacy, maybe subject to coercion, maybe effect the soundness of the election result. So we want privacy and for many, many years, nobody has been proposed the liquid democracy e-voting system with very good security considerations and at Lancaster, we actually implemented the word first liquid democracy e-voting system with very high provably secure security guarantees and we implemented it. For the treasury system, we did a few more tweaks to make it more decentralised because if you think about the environment of the blockchain and the environment of traditional e-voting, the traditional e-voting have centralised usually small scale or centralised election authorities who are in charge of the election but for the blockchain, there's no such authority. So we want to further make decentralisation of it. Okay, so let's have a look at the big picture first then go back to the voting. So let me also remove this. It has three phases. First, pre-voting. In a pre-voting phase, anyone can propose a proposal. So you can propose a project. So in the pre-voting phase, anybody can propose a project and the users can register themselves if they want to be a voter or they want to be an expert or they want to be participating in the election committee. By the way, not necessarily you register as an election committee we will let you be. Just show your hands and later on we will run some cryptographic algorithm to select a small set of election committee members and with certain assumptions we can guarantee majority of this set will be honest. Okay, so voter, if a user wants to be a voter you need to deposit or log a certain amount of money. The exact amount depending on the underlying blockchain system depending on the total amount of the coin supplies, et cetera. The expert, they are like the normal voter. The only difference is they actually by declare they are expert they now can receive delegations. In a treasury system, the voter will receive the incentive, the reward proportionally to their deposited stake. So they will deposit a stake, they will deposit a stake and the expert will also deposit a stake but the expert will get a reward proportionally to the delegations they receive. So for example, if I'm a voter, I deposited 10 coins and after I cast my vote, after I participate the voting phase at the end I will get some reward proportionally to 10 coins. Now if I'm an expert, if there are 1 million coins worth voting power delegated to me then after the voting phase I will get a reward based on that 1 million delegations. So it's worth mentioning a traditional voting. In a traditional voting each voter have one voting power, have one vote. In blockchain we certainly cannot do that because maybe there are civil attacks. The adversary can generate a lot of vote, fake voting accounts, then start to vote. So we definitely need to put a minimum amount of stake to guarantee that you need certain amount of stake to be a voter, for example to provide or deny a service attack. And another thing is we want to assume the majority of the stake is a hold in good people's hands. So if a voter cast a ballot, his voting power is calculated proportionally to the amount of stake he deposited. If this is an expert, his voting power is based on the amount of stake he deposited and based on the amount of voting delegations he received. Well for example if I'm a voter, I have 100 coins, I delegate to the expert. Now the expert get my voting power corresponding to 100 coins then the expert can vote on my behalf. So committee members, it's a role. So their job is to participate in the election, take in charge of the election process, make sure the election terminates, prepare the election, calculate the election result, announce the election result, sign the result and enforce the execution, post election execution which I will mention them later. So now the next phase after certain period the voters, the experts, some people want to register as committee members or registered, then we go to the voting phase. In a voting phase, at the beginning of the voting phase, we use the idea like a cryptographic sortation, we use some seed, a random seed coming derivated from the underlying blockchain. So note that it has a different concept than the proof of stake. In a proof of stake system, you are using such kind of seed or what we call beacon, you are using such kind of seed or beacon to guarantee consensus. But the treasury system are built on top of the blockchain layer, so the consensus already done. But we are using this seed to select a small set of committee members. So now the first thing is the committee election phase. We use some cryptography algorithms to use a seed, supposed to be random, supposed to be unpredictable, to select a set of committee members among those who registered. Proportional, well the probability you get selected is proportional to the amount of stake you put. With the assumption that if the majority of the stake is good, then the majority of the committee members are good. It's a small set of committee members. They will be in charge of the election process. So after they get elected, the first thing they do is to set up the election parameters, such as the key set up. They will do a decentralized, distributed, threshold cryptographic algorithm to set up the election key and to put it on the blockchain. And once they set up this, all the voters can start to submit their ballots. So it's called ballot casting. For voters, the ballot contains two sort of behaviors. One is a delegation, one is a voting. Oh yeah, it's worth mentioning why in the history there are not so many good system or secure system can achieve liquid democracy. Either because of there's a one conceptual barrier, people think delegation phase must happen before the voting phase because of the concept coming from the representative democracy. Let's say everybody first delegate, then those representatives start to vote. But when you are talking about the blockchain, can we merge these two phases? Why I have to first delegate, then those guys to vote, can I do them simultaneously? That's a conceptual breakthrough. First, everybody needs to clear because that's a conceptual barrier. Because in blockchain, you may vote directly while someone else is delegating. Well, why doing that? Because that gives you maximum privacy. Otherwise, people just by looking at, oh, this guy actually casted his ballot way before that guy. Which means this guy actually is delegating to someone because nobody else is casting a vote yet. That guy now start to cast a vote, then he definitely did not delegate to anybody. He definitely cast a vote directly. That's a privacy violation. So we want to group them together. We want a ballot can simultaneously represent to a delegation ballot or a direct vote. When you are a voter, you are allowed to indicate to yourself who you want to delegate to. And you can also indicate the direct vote opinion. So for each project, you can vote yes, no, upstate. The same for the voter, the same for the expert. Just one exception, the voter can actually delegate further. You can decide which expert to delegate. So you cast the ballot. Of course, we have a lot of fancies. There are knowledge proofs to guarantee the correctness of the ballot. Okay, now the third phase is post voting phase. After everybody has casted their ballot, the election committee members will do the tally. First, calculate the tally. Announce the tally. Give necessary zero knowledge proofs to show. By the way, when I say zero knowledge proofs, usually it's non-interactive and succinct. But do not miss it with a snag because it's a fixed term. Standard for a very small group, a small set of technology of zero knowledge technology. So if we use non-interactive zero knowledge proofs, doesn't mean we must use a snag. But a snag could be one small part of it. Okay, so now you have a tally. You proved the tally is correct. Then you need to do some post election actions, for example, execution. So at the end of the treasury system, the proposal will be ranked. Ranked based on the amount of years minus the amount of no. So the net years. So if a system has five people voted for yes, if others or abstain never participated, then this system should be better than a system have six people voted for yes, four people voted for no. That's our understanding. So you rank the project according to the difference between yes or no. And we actually have a cutoff line. If some project, the percentage of yes minus the percentage of no, is less than 10%. So basically less than 10% of people thinks more favorable to fund the project. This project will not be considered in the ranking, even the treasury system still have money. So now we rank the project, let's say P1, P2, P3, P4, etc. Then there's a cutoff line. Okay, below that the amount of yes minus the amount of no is too low. So we do some threshold. So we do not consider. Now we start to fund the project one by one. So okay, let's look at how much money we got in the treasury system. How much money this project wants. If the project wants a certain amount, then okay, we take this, then we find the next. Do we still have money left? Okay, this is also possible. Maybe at a certain stage we run out of money, then we cut off here. For example, this is the last project we found, then we cut off here. So the execution will be we found those project from the treasury account. Then we reward the committee members, we reward the expert, we reward the voters. For the voters, as I mentioned before, reward is based on their participation, based on the proportional to their stake. For expert proportional to their delegations, because we want to avoid the malicious user to claim they are expert, actually they are non-expert. So if there is an expert who received zero delegation, he received zero reward because nobody delegates to him. He actually did not contribute to the voting at all. For the committee members, if they behave honestly, they get a reward. If they refuse to, for example, open the tally, some of them may refuse to open the tally, and their deposited amount will get, for example, a discount or a punish depending on the actual setting. The system currently is designed in such a way, if majority of the election committee members decide to open the tally result, the tally result will be open. Otherwise, the tally result cannot be open because it's due to privacy. However, we can show mathematically with a good quality of the seed, with the majority of the stake are good, we actually can guarantee with very high probability, majority of the members in the election committee are good. In the worst case, maybe due to some very unexpected event, for instance, majority of the stake holds in the adversary's hands. For instance, some of the cryptographic primitive, such as the hash function, is broken. The majority of the committee members may be all bad. For example, all the election committee members are malicious. What can they do? In current design, the only thing they can do is to prevent the election from terminating. As a side effect, they can learn how the voter votes because they can decrypt the ballots. We need that because they can calculate the tally, which means definitely they can decrypt the ballots. For instance, if there is only one vote voted, they need to be able to pronounce the tally, which implies they actually need to be able to decrypt that vote. Other than that, they know how you voted. They can block the election from terminating. They cannot change the election result. They cannot change the tally result. They cannot deviate it. It's guaranteed by end-to-end verifiability. This is the first system. We can support the liquid democracy. We give the end-to-end verifiability, and we prove universal composability model, which is the UC. Let me go on for the general picture. In a general picture, we have a decision-making. We have a bunch of treasury coming from a mint, from a tax, from a donation. We have a bunch of people who want to be experts, and we want a bunch of people who want to be voters. A lot of people who want to be voters. They will cast their ballot to the decision-making process, or they can delegate their voting power to the expert, and the expert can vote. All of these are backed up with a stake. It has a stake escort. Everybody has a stake escort. At the end, we can actually calculate what is the total amount of percentage for the stake to participate in the election-making. Oh, there's a committee, and then the committee will announce the result, the Tali result. Based on the Tali result, we actually start to execute. We still need another party, proposals. We have proposals, project proposals. There are certain project owners make a proposal, and then we have the treasury. Let's say once per month, we have this process. Now the voters come, the expert comes, they jointly do a collaborative decision-making, and the committee takes this to give the execution. Because we need a seed or a beacon to select the committee member, so actually at the end of the election phase, the committee member will do a coin flipping. Well, because we already have the public key crypto system, the coin flipping is quite easy. It's much more efficient than a coin flipping from the scratch. So they do produce an encryption of a seed. And at the beginning of the next voting epoch or voting phase, those amount of committee members will decrypt that seed so that we can use that seed to select a new set of committee members, a new set of committee members, and then the system can go on. Okay, so what is missing? Cost. How to minimize the cost? One way is via random sampling, like a cryptographic sortation. Let's say we have a lot of people who want to participate in the decision-making. We can randomly sample, let's say 10% of them. Then we basically reduced the amount of cost by one-tenth, 10%. Then if the decision-making process gives a very good margin, very good separation, then basically we can use the randomly sampled voting result as the general result. Another way is like what we did in the liquid democracy form. So let's say I'm a voter, but I can choose not to participate. I can delegate my ballots to some other expert. And the expert can keep delegations further, or the expert can directly participate in the decision-making. So for each project, the voter-voter, yes, no abstain. For each project, the voter can delegate to different experts because they are domain experts. The expert can be familiar with one project, can be not familiar with some other project. In the future, so what's the future? In the future, what we're going to do, if you look at this decision-making process, it's about the same as a governance system because the core part are the same, a decision-making, collaborative decision-making. So at some point, we want to upgrade the system to handle software fork, for example, hard fork, soft fork, to have a governance system on top of the treasury system using the same decision-making protocol. Or hypothetically, we can even make the underlying cryptocurrency more resilient. For instance, sometimes due to emergency situations, there is a need on the liquid, on the circulated coins. For example, maybe at some moment, we instantly the market really need a lot of coins at that time. Hypothetically, we can use the treasury system to do QE because if majority of the stake want to do the QE, they can actually do it. So instead of we have a regular money supply, we can actually alter the money supply process with the collaborative decision-making. That's one way. In the future, we are going to deploy. Currently, the system has been implemented as a proof concept. We do have a benchmark. We currently are in process of developing the first system in collaboration with ZenCache to integrate our system with their system to tailor-make the parameters to make sure it is suitable for that cryptocurrency. But in general, this treasury system is based on modular design. It can be suitable for any blockchain, any cryptocurrency. It does not necessarily rely on smart contracts. But for each cryptocurrency, we have certain parameters. They need to be tailor-made. For example, how to fund the treasury. Sometimes, mint is not good for some cryptocurrencies. Mint is good for some. For example, if we want to use the treasury system for charity, then maybe donation would be the major source. How to define the minimum amount of stake the voter need to deposit, the minimum amount of stake the expert need to deposit, and the minimum amount of stake the committee members need to be deposited. All these are depending on the underlying cryptocurrency, depending on the blockchain. So the treasury system has a modular design, has a lot of parameters need to be tuned. We currently are having some game theoretics to analyze those parameters. And the first pivot system we are going to do with ZenCache probably in 2018. The academic paper will be submitted for peer review and will be available on archive online. Okay, thanks for watching. Hopefully, this gives you some rough idea about the treasury system. Of course, I hide a lot of details about the collaborative decision-making process. How to support the liquid democracy because it's an academic paper, unpublished paper. I don't want to review too much detail, but stay tuned. I will put the details on archive very soon, potentially by the end of this year. Thank you.