Okay, so Hendrik was born between E.T. and Blade Runner. He's occasionally and breaking things. He's a computer scientist living in Berlin and Hendrik will indulge us today in the next hour, why there is not a single problem that should be solved with Blockchain except maybe Bitcoin. So here I am, highly curious. So here we go. Hendrik, over to you.

My name is Hendrik Pletz. I'm a computer scientist living in Berlin and this is Blockchain 102. I have been doing things with cryptography for about 15 years now. I'm not a cryptographer per se, but mostly interested in communications protocols. I've been doing a lot of access control, RFID related research. As of late, I have my own company, we're doing payment stuff. Fair warning, I did have some Bitcoin in the early 2010s. I sold the last of it around 2016, I think. And since then I've been more and more concerned with the, basically the Blockchain hype and how it captures resources. And resources does not only refer to electrical power, but also engineering capacity, public attention and mind space, basically.

This talk is not going to be Bitcoin 101. I assume a basic knowledge of the Bitcoin and Ethereum networks, at least what they are and how they are used. I'm not going to introduce the basic concept of blockchains. What I will do is spotlight several interesting projects and protocols in relation to that. I am going to play fast and loose with the definitions. I'm not going to stick to a very specific definition of what a blockchain is versus a hash chain. Anything basically related or in the vicinity of the distributed ledger technologies is fair game. I hope by the end of this talk, you will have noticed that I'm not a big fan of anything I'm about to show you. And I do reserve the right to poke fun at any and all bad ideas.

As a baseline, I think Bitcoin is a work of genius. It is very elegant in its simplicity.
The original paper by Satoshi Nakamoto in 2008, showing the first combination of proof of work, distributed ledger and hash chain, solved the Byzantine agreement problem in a permissionless environment that is simple proof and only based on reasonable cryptographic assumptions. Like I said, it is elegant in its simplicity. It solves the problem for a very specific niche. And there are at least three or four design decisions that are very integral and irreducible in the Bitcoin system. Taking any of them out will harm or break the entire system in obvious and/or non-obvious ways, which of course is why people are going to do that. Authorization itself has only very limited scripting in its transaction scheme. It's not designed to be a programming language. It's not designed for smart contracts, but the scripts are merely a very nice serialization format for authorization decisions so that you don't have to hard code into the network all the possible authorization schemes that are, that should exist, should be able to exist. But any user of the network can build a script that authorizes the spending of funds in any way they like.

Bitcoin is a very elegant scheme and it's mostly useless. That's the point. That's what I'm sticking with it. I'm sticking with since the only purpose it can have is a global decentralized globally available currency, but it does have very, very low transaction throughput and very high energy usage at that.

Ethereum came later. They tried to improve by having a full-blown, Turing-complete smart contract language. Basically, Ethereum is a global computer that as a side effect also processes payment transactions.

First, we're going to look at Bitcoin, Bitcoin, Ethereum, both proof of work. We're going to look at the different proof of something schemes. The easiest one, of course, is proof of authority. Works mostly like you would imagine that it's going to work. You have the normal transactions.
You have nodes that verify that transactions are correct. They put them into a block and sign the entire block with their own private key, and a sufficient quorum of authoritative nodes needs to sign a transaction block for it to become valid. Very simple, very efficient, and requires trust in those authorities. How they are chosen is completely out of scope and non-obvious. It is one of the standard constructions for private or permissioned blockchains. That's why we say those are basically just glorified databases.

A slight step up is proof of stake. Proof of stake, though, is basically the same as proof of authority, except that authority is now indirectly established by some sort of stake, such as token holdings. If you hold enough tokens of the underlying currency, you have more stake and therefore more authority. These systems may sometimes offer an integrated punishment mechanism called slashing so that if you wield your authority in an inappropriate way, if you lie, you're penalized. Currently, proof of stake is the holy grail for the established proof of work systems to get rid of this energy-waste stigma. For example, both Ethereum and IOTA, I'm going to talk about IOTA later on, currently are planning to pivot to a proof of stake-based system any day now.

Proof of stake has a very hard problem. How do you initially distribute the stake? That's why I said it's essentially the same as with authority. You need to somehow select the authorities you trust. You need to select stakeholders you trust. They then get to determine what happens on the network. A very popular mechanism to do that is sale of tokens, which is why I have this little red flag next to it, a sale of tokens or initial coin offering. I'm going to invent a network, the very cool chain. I'm going to sell $600 billion worth of cool chain tokens. Then you all are on my network and I'm $600 million richer. I don't care what happens to the network afterwards.
Alternative to this is to bootstrap the proof of stake system off an existing blockchain. For example, the Ethereum chain or IOTA is going to do that, I think today, which is... It doesn't have the same benefit for the creators of the network.

The general problem with proof of stake is that there is no built-in defense against centralization. Bitcoin solves the centralization problem by sheer physics. It's very, very hard to have more than 51% of the global computing power currently. But in a proof of stake system, there is no built-in defense against anyone accumulating 51% of stake on their account or on any sock puppet accounts. This is what I mean when I say there's no Sybil resistance because on the internet nobody knows if you're a dog and nobody knows who and how many you are or claim to be. A deeply ingrained problem is that even if you bootstrap the thing correctly, you have no defense against it becoming centralized later on by a stake being transferred and accumulated onto one big stakeholder.

The other POS is proof of storage. I'm not going to talk about that very much. There's one scheme that has gained notoriety because basically the introduction of the Chia network crashed the global SSD market. It was very, very hard to buy any disks at that time. Also, the operations on this network destroy SSDs in less than a year. It's really expensive to operate even though it doesn't use electricity. It uses SSDs and basically there's no other use, so I'm not going to talk about it later.

The funniest proof system and actually the thing I came across that motivated me to give this talk is proof of elapsed time, also called PoET. The idea is very simple, ingenious. Instead of computing hashes for proof of work, and proof of work in this case means waiting some time, instead of computing hashes you just do nothing, you go to sleep. Compared to a proof of work system, this offers incredible energy savings and it's a drop-in solution.
It behaves exactly like a proof of work system in any network. You can just swap out the proof of work system for your proof of elapsed time system. Mostly it makes sense in permissioned environments, private blockchains. There is a very small question, a teeny tiny issue. Which guarantees do other nodes have that no one cheats, no one is going to wake up earlier than assigned? Well, of course Intel SGX is the secure enclave in Intel processors. Intel guarantees that inside this processor secure computation can take place and programs that run inside the enclave can prove that they are running in an officially, officially official Intel secure enclave and are not being controlled by anybody else from the outside. And thus allow trusted execution.

Small problem. Obviously this wasn't going to be secure forever. There was a very nice break of Intel SGX two years ago. It went so far that they offer an attestation as a service. There's a Twitter account and if you need anything signed by a real Intel SGX enclave, anything at all, any attestation to any fact, you can just tweet it to this Twitter account and they will happily sign it for you. And this is one of the underlying topics I want to draw your attention to. Some of these systems appear to be secure, but they're just shifting the security barrier somewhere else and hope you don't look too closely at where the security is now.

For example, MobileCoin is the other extreme basically. MobileCoin has a proof, I would call it proof of complexity. MobileCoin is a mobile device focused new cryptocurrency started last year and it pulls every cryptographic register there is. They're using Stellar Consensus Network. They have zero knowledge proofs for everything, Ristretto abstraction, Schnorr, anonymous signatures, Pedersen commitments, you name it, they have it. There's a very good book about it. This Mechanics of MobileCoin I've linked here.
So even though I'm showing this part of the abstract to scare you, I'm very grateful that it exists because not everyone has an abstract that so clearly states what they are doing and what they are hoping to achieve. Many of the documentation, a lot of the documentation that I've been reading for this talk doesn't clearly tell you what they are doing and why.

Two small problems with MobileCoin. The entire token supply is pre-mined, which is one of the other red flags. 85% of the current MobileCoin in existence and all the MobileCoins that will ever be in existence are held by the creators of MobileCoin. They can sell it to you at will and their security against double-spending. So they have security, they have privacy guarantees that probably maybe are good. It's, like I said, it's very complex and I wouldn't bet on there not being any implementation errors. But absent any implementation mistakes, their privacy guarantees and properties are probably good. But their security against double-spending is entirely reliant on SGX enclaves. See previous slide.

Circling back to Bitcoin and misusing Bitcoin, I introduced it as not having an entire full-blown scripting language, but you can still do cool stuff with it nevertheless. One of the earliest examples of that I saw was due to Dan Kaminsky, who sadly passed away this year. In 2011 in his Black Ops of TCP/IP talk, he presented a tribute to Len Sassaman, who died that year, on the Bitcoin mainnet that is embedded in the Bitcoin blockchain, and thus verification of the entire blockchain is dependent on this tribute being present, which is a very nice idea. I'm not sure, but I think it was one of the first examples of this. A lot of people have embedded stuff into the blockchain later on, and a very moving memorial to a friend.

Another very cool hack that is actually not being used as a hack anymore, but is in production, is the Lightning Network, starting in 2016.
I'm going to explain this in a little bit more detail, but not entirely in detail, since we have other content to get to. What's interesting about the Lightning Network is that it works with Bitcoin, more or less without changes. There were very small changes made to the Bitcoin mainnet, but no fundamental changes. There's no new scripting language, only new instructions in the existing language. It's a clever use of time locks and multi signatures. One of the features that most people aren't aware of is that not only can the Bitcoin scripting language allow you to put signature restrictions, like possession of a private key, on spending of Bitcoins, but you can also put a time lock on it, and can say that a specific amount of Bitcoin can only be spent after some time, basically time either in Unix seconds or in block height. Since the Bitcoin network as a whole has a more or less predictable block time of 10 minutes, you can rather reliably say that some amount of money cannot be spent for 48 hours, for example. That's the basic idea here.

Two parties collaborate to open a so-called Lightning Channel payment channel. They need to fund this channel on the main chain. I'm putting the main chain here and the Lightning Channel on the entire Lightning Network at this point. A properly functioning Lightning Channel only is visible in two transactions in the main network. There's the funding transaction, the one up here, that basically locks up some money in escrow, essentially, in escrow for the channel. And after that, the two parties exchange transactions amongst themselves. The main network does not need to know about these transactions, and they can send money back and forth. In this example, both start with, for example, two Bitcoins. Both commit two Bitcoins for this channel, so the channel has an entire capacity of four Bitcoins.
Each party starts off with two Bitcoins at first, and then they can transfer or exchange transactions that transfer any arbitrary partial amount of that in either direction. So I'm starting with 0.2 Bitcoins to B. Now the internal state is that B has a bit more money. Then I'm transferring, in this example, 1.5 in the other direction. Now B has less money. And so on, and so on, and so on. These transactions are very fast, since they are just two signatures and a TCP connection, and therefore can happen instantaneously. At the end of the channel, both parties can mutually agree to close the channel. And only the last state is written back onto the main blockchain.

The cool thing about this is that due to the clever use of time locks and multisig, all the amount of money in the channel is protected against a cheating party. These intermediate blocks need to be signed by both parties. So the end transaction is signed by both parties. But there is a Damocles sword, basically, hanging over this using the time locks. If any party cheats, the other party automatically gains the authority to claim the entire funds for themselves. This prevents parties from cheating, because who wants to lose two Bitcoins? But it also means that the maximum outstanding amount of money on this channel is limited to the escrow amount. This in the channel, for example, in this example, at no point can any party owe the other more than four Bitcoins. If you want to buy something really expensive, four Bitcoins is a bit much, but if you want to buy something really expensive, you cannot use this channel, you need to close it and open another one.

And that's the other big problem. The money that is held in escrow for this channel cannot be used for anything else. If you open a Lightning channel to someone, that money is gone for the moment. And even worse, through the time lock mechanism, if the other party misbehaves, you cannot access the money for some time. 48 hours, for example.
So it is a very cool hack, but I don't think it has any particular usefulness. Especially since due to this, because the outstanding amount cannot exceed the entire capacity of the channel, it does not lend itself to being used, for example, for payments. It's okay if you have a friend and you lend them like a bit of money today and they pay you back tomorrow. The day after that, you don't have any money with you and they lend you something and you pay them back. But for a channel to exist over a long time, its mean amount needs to be zero. It must be the same on both sides. While most transactions and most systems are in a merchant and customer relationship, if I buy something, I pay money to the merchant and very seldomly do they pay me money. This is the fundamental problem of the Lightning Network.

They do have an extension. I've been drawing this with two participants. Lightning channels can be chained. So if A and B have a channel and B and C have a channel, there can be a value transaction between A and C mediated through B. But the problem that the outstanding amount on the channel cannot exceed the funding amount doesn't go away.

Back to something that was actually designed to be programmable, Ethereum. Very shortly after the introduction of Ethereum, there was the DAO. At that point, there was a singular noun, the decentralized autonomous organization. Today, DAO is mostly used as a collective noun, basically a DAO, but at that point it was the DAO. It was a cool idea. It's from the Code of Law, Code is Law people. Basically, you have a venture capital fund that anybody can contribute money to, ether to, and anyone who has contributed money into the fund has voting rights and basically governance rights on the amount and can vote on where this money should be invested, proportional to the amount of money they invested. It had its own token at that point and was crowdfunded end of June 2016 and sold at that time for more than $150 million.
This didn't last long. There was a vulnerability in there. The DAO has a function to split out sub-DAOs if there's no consensus about what's supposed to happen. The majority of the funders decide to do something that a minority disagrees with. The minority can split out their money into a child DAO that then behaves like a normal DAO and anyone can propose to create such a child DAO. The code that processed that request had a bug, a classic check time of use bug. The smart contract first retrieved the ether to be sent to the child DAO from the main DAO and only then checked the balance of the account that proposed the split. But at that point a recursive call is possible so you can nest this problem, which means the nest transaction happened so it deducts money from the main, funds it into the child DAO, recursive call, deduct money from main, fund into child, deduct money from main and so on, and the check against the balance would only happen afterwards.

Someone found this and, well, people say abused it, and by June 2016, like two weeks later, about 50 million US dollars worth of tokens were in the child DAO that was controlled, was supposed to be controlled, about to be controlled by one party. Luckily, as luck would have it, there was a built-in waiting period for proposals to go through and people to read their mails and stuff like that. That meant all the money that was in this child DAO couldn't be transferred out for exactly 48 days. So there was some discussion time as to what should happen now. This was the big discussion of that time because one party says code is law, someone used the code and obviously it's correct what they did because the code allowed that. Though the main Ethereum network did not quite see it that way, which led to a hard fork of the entire blockchain. That's why we have Ethereum and Ethereum Classic now and I don't think anyone uses Ethereum Classic. Like I said, the DAO had its own token, was one of the first.
There is now a generic mechanism to create your own tokens. It's basically an API specification. If your contract fulfills this API, then you are an ERC20 token and these tokens behave like money. Something you can transfer, you can query the balance, those are the only relevant functions. So if you put a contract onto the Ethereum blockchain that fulfills this specification, you have your own money. Lots of people do that. There's more than 480,000 token contracts currently on the Ethereum blockchain and all the details of those tokens are up to the token creator obviously. It's a smart contract that only has an interface and you can deposit and transfer money. Where this money comes from, this amount value comes from, is not specified, entirely up to the token creator. These tokens can have their own value independent of the Ether and some do and that's how that works.

What you can use this for is what I call crypto-enabled financial trickery. Since these tokens can basically only be traded, you have Dogecoin and if I would want Dogecoin, I could buy it from you and then you would have some other amount of currency, some other kind of currency. And now we have over 480,000 different kinds of currency to choose from. This enables exciting opportunities of arbitrage. If I find two marketplaces that sell token pairs at different prices, I can buy one token at the cheaper price and sell it at the more expensive price. That's the classic thing that you would also do on a normal stock exchange.

The cool thing about Ethereum and smart contracts is that the smart contracts are executed automatically and enforce automatically the contract stipulations no matter what they look like. One of the really mind-blowing or very, yeah, mind-opening things that you can do with that is an uncollateralized flash loan. Basically, it's a smart contract that always has the following form. I give you some amount of money.
You do whatever you want and then you return the money with some fee plus some fee. You're completely free to do whatever you want in this step. You can, like I said, exploit arbitrage opportunities. You can sell something at a different marketplace and then buy back. The important thing is that you pay me back plus interest. And the cool thing about the Ethereum or the smart contract language is that this is guaranteed to happen atomically. Either the entire thing happens or nothing happens at all except for some gas spending. If you cannot return the amount, for example, because your cool arbitrage trick didn't work out, it's reverted and never happened. So I can enforce for you to pay me some money and you can, so that's for me, good for me, good for me as I can enforce you to pay me some interest. And good for you, you have a lot of money. Like I said, it's very good for exploiting arbitrage opportunities. And it's also very good for exploiting smart contract vulnerabilities because a lot of these need some funding. And if you have a vulnerability that doubles your input, for example, it's very cool if you can lend, if you can borrow $100 million for like $10,000 in interest and then double it.

And finally, decentralized finance, DeFi, DeFi, DeFi. Decentralized finance, DeFi is just the umbrella and marketing term for everything we just talked about. It allows most operations that you can do with traditional financial instruments, but on the blockchain. Borrowing, lending, flash borrowing, high frequency trading, price speculation, and swapping between token pairs. Like swapping Dogecoin for, what's one of the other coins? Dogecoin for Tether or back, something like that. Now, this is one of the subjects I'm most often laughing about because as you can see on this slide, there's a huge, a huge amount of money in here. There's a hell of money bound in DeFi contracts.
But the complexity means that very often, well, code is law, but the law does not always say what you thought it is. By my estimation, and when I, when I searched for that, I found this website, which very graciously already has an entire list. I didn't need to compile it. In my estimation, about approximately every other week, someone exploits a bug in one of the DeFi systems to the tune of 10 to 100 million US dollars. These are just from like the last two months.

Now for something completely different, the IOTA network. IOTA is not a blockchain. Like I said, I don't want to dwell on the terms, but they call themselves a Tangle. It's a directed acyclic graph. It's not a chain, but every transaction is supposed to confirm two other transactions. It doesn't have any proof of work. So it's very fast and energy efficient. It doesn't use a lot of energy. I'm not sure if it's efficient. If it doesn't do anything, but it doesn't use a lot of energy. It doesn't have any proof of work. It doesn't have any proof of anything really. It doesn't have any transaction fees. You're just required to verify two other transactions. It's designed or marketed for Internet of Things, things networks. It's actually run by a foundation located here in Berlin. The thing that sets it apart from, one of the things that sets it apart from all of the other established players is that it's not a decentralized system. Their consensus protocol is that they have a central coordinator that has to sign off on every transaction. If the coordinator didn't verify it, it didn't happen. There were several attacks on the IOTA system in the past and the foundation luckily could stop the attacks by basically just stopping the coordinator. Like I said, the coordinator is just one of the things that makes this one unique. The other unique thing about IOTA is that they want to be unique. They have their own or they had their own home-built cryptography.
One of the rules is never roll your own cryptography. And not only did they build their own cryptography, they did it in trinary. So in their system, there isn't just zero or one, but they have minus one, zero or one. Everything is a trit. And of course, their custom-built trinary hash function was broken in 2019. The IOTA foundation did not react favorably to this. The second link on this page has some of the history or some of the meta history, basically. There was very interesting Twitter discussions and threats against the researchers, threats of legal action, including the IOTA foundation claiming that, or the creators, I'm not sure if the foundation itself, the creators claiming that they knew about the vulnerability and it was there on purpose to act as a sort of copy protection. Their defense is that if anybody would copy the IOTA protocol, since everything is open source, and build a clone IOTA network, they could then use this vulnerability to shut down the other network, which is a bit of bullshit. In the aftermath, they removed the broken hash function and replaced it with one that's based on Keccak, the SHA-3 hash function, but still in trinary and it's still broken. Nobody cares. It's still broken. Nobody cares.

Okay, let's move on in our alphabet soup. SSI. It's not server-side include this time. SSI is supposed to stand for self-sovereign identities and Wikipedia defines this as an approach to digital identity that gives individuals control of their digital identities. And no one knows what that means. There's no single standard nor specification or shared understanding of what this might be. The graphic I put here is one that's most often used to explain how this is supposed to work. It's indistinguishable from a standard PKI attribute certificate issuance. You have an issuer that issues a certificate that's stored in a wallet and can then be presented to a verifier.
For some reason, some reason that nobody has been able to explain to me to my satisfaction is also stored in the blockchain. What this diagram lacks and what most of these systems tend to lack is a very crucial additional arrow. It's very good if I have the cryptographic proof that some credential was really issued by a certain issuer. But I still need to get trust in that issuer from somewhere. I still need to know that they are who they claim they are. And this is something that's basically entirely ignored in all of the self-sovereign identity schemes I've seen coming up on.

Key terms. There's this thing called a decentralized identifier, DID, which is supposed to be the abstraction. There's a W3C standard on that and the registry currently lists 114 mutually incompatible DID methods. Like I said, it behaves like an attribute certificate. This is called a verifiable credential. And one of the only new things or one of the things that established protocols don't have, it's not new, it's that they should support selective disclosure. Selective disclosure means if I get a credential to multiple facts like my name is Henrik, my last name is Plutz, I'm living in Berlin. I can then present this credential, but block out some of the fields and just prove, for example, that I'm living in Berlin. If I want something from the Berlin authorities, they might not need to know who I am, just that I can prove that I live in Berlin. It's one of the key features, for example, of the U-Prove system due to Stefan Brands in 2000, I think, which was built into Microsoft CardSpace, I think. And for some reason completely vanished off the face of the earth, nobody ever heard of it again, but it did solve all of this in 2000 already.

Nevertheless, all these self-sovereign identity people are very eager to show you their use cases and their showcases. For example, this one presenting information to an employer.
In the future, you will have your diploma or your master's degree as a verifiable credential that you can then attach to your CV when applying for a new job. And your employer will be able to verify that and doesn't need to trust that you didn't change your grades. I said very small, insignificant issue. The employer still somehow needs to trust the issuer. I can go on the blockchain and open the very cool University of Coolness and issue master's degrees in coolnessness and give everyone A grades. And I can prove that I really am the cool University of Coolness. But somehow the verifier, the potential employer still needs to know whether I am an officially accredited university whose master's degree is worth anything. And at that point, you have a very standard PKI structure. You have a central authority like a list of good universities. And from there on, you can delegate the trust down and you don't need any of the decentralized stuff. And in either case, you don't need any of the blockchain stuff.

I have never understood why. No, that's not right. I made this point on Twitter once and someone actually emailed me. I'm not sure either IDunion or Lissi. Someone emailed me and said that they kind of know that they don't need it. But the problem they are solving is that there are so many interested parties in this space, so many companies who want to promote their own wallet product. That there's no way that they can decide on a governance structure, on PKI structure, on who trusts whom and who delegates trust where. So instead, they are putting it all onto the blockchain and thereby completely erasing the trace of where the trust chain comes from and hope their respective companies don't notice. So basically it's money laundering for PKI is what they're using the blockchain for.

A related standard in this space is DIDComm. It's from the Identity Foundation, very cool domain name, if I may say so. It's a long standards document. It's a really long standards document.
It has everything. It has JSON web messages, JSON web token. It has a custom asynchronous request reply messaging scheme with multiple parallel asynchronous threads of communication. It has a routing layer, transport layer, discovery, there's everything in there except provisions for recipient verification. So I can have my decentralized identifier, my verifiable credential. I could present my verifiable credential to someone selectively so that they only get to know what I want them to know, except I have no idea who they are.

Which brings us to this year's news, the ID wallet. Exactly in the last week before this year's German parliamentary elections, our esteemed government released an app, one of the intermediaries released an app to a big PR fanfare called ID wallet or released the use case for that, which was supposed to be a self-sovereign identity system based on DIDComm that could in the future be used for a lot of other things. We're completely ignoring at this point that Germany already has an eID system that works, but it's not cool, it's not blockchain, it's not hip. So this ID wallet app, you can use it to create a self-sovereign identity called BasisID. And the self-sovereign identity is created by having the Bundesdruckerei sign a data set that they extracted from your national ID card. So the self-sovereign identity is created by the Bundesdruckerei essentially. And you can then use this identity to query the Federal Motor Transport Authority for a copy of your driver's license that is then assigned to this verifiable credential. Nothing you couldn't just do with a database of signature, but it is a blockchain system and it didn't end well. A few days after public release, the entire thing was stopped. The official reason given is that there was too much interest, too much load due to unanticipated high interest in the system.
What you will find on Twitter, if you're looking into Wittmann and Flippke, who were the main actors in this space, is that the entire thing was run on very badly maintained infrastructure. There were DNS zone transfers, there were open sub-domains, a lot of things not good. And the coup de grâce is that Lilith showed the privacy problem mentioned earlier, that even though I can present my verifiable credential to someone in a secure way, I have no idea who I'm presenting it to. And that's inherent in the protocol. There's no way to fix it and no plans to fix it. So the thing remains shut down for the time being and probably for good, hopefully. On the subject of silliness, NFT. NFT stands for non-fungible token. So for comparison, the tokens I talked about before, the ERC20 tokens, are fungible. Every token is the same. You can replace every token with any other. In Bitcoin, even there is no stable token. Every time you spend Bitcoin, your existing Bitcoin gets destroyed and a new Bitcoin is created. ERC20 tokens don't really need to exist in any exact meaning of the phrase, but still it's just the value. There is no countable token and not only no countable, there is no unique token. The other standard, the newer one, ERC721, specifies the API for non-fungible tokens. What it essentially does is track every token individually. The token gets a token identifier, and the blockchain records the identifier of the current owner of the token. And what the smart contract then allows is transferring the token from owner to owner. Normally it doesn't store any other information other than who the current owner is. So this emulates basically a collectible. A token can be created on the blockchain and then sold and resold. But now you might be asking where do these JPEGs come in from, of which I've heard so much. What you can do in the token standard is associate metadata with a token. 
Actually you can't, you can associate a URL with the token that can point to metadata. And this metadata might then optionally point to an asset file. Could be video, could be video model anything, or some other metadata like the name of the token. There's something I'm not going to talk about that's called the InterPlanetary File System. It's a decentralized storage system that actually behaves mostly as you would like it to. Most crucially, if you point to an IPFS address, it's immutable. But that's not the standard, wasn't the standard for a long time. All the metadata and the data was just stored on the server of whoever minted the token, of the platform that the token was minted on. And Moxie made this very cool demonstration where you can look at the same, the identical non-fungible token on different platforms. And it would display differently because the metadata points to a URL that can behave differently depending on where you come from. So what are NFTs good for? Basically scams. One of the problems is that there's no verification requirement, no relationship to any real-world identity. Anyone can mint any asset into an NFT and sell it. They don't need proof of ownership. And if you believe that, I have a very nice bridge to sell you. The different platforms where you can create and sell NFTs mostly are tired of the problem now and are very much slower to respond to complaints now. There are entire, so apparently there are people out there who just go through, for example, DeviantArt, take every image from there, make an NFT out of it and try to sell it. It's like if you go on Twitter and say I need that on a t-shirt, there will be a bot that offers to sell you that t-shirt even though it probably doesn't have the copyright on whatever you responded to. 
A very cool thing someone found on Twitter the other day is that, related to the previous slide, a lot of these platforms actually store the data, the NFT data, just on Google Cloud Services, and Google's takedown processes are still working, so you can remove the NFT content without cooperation from the NFT platforms. Another problem, it's very complex, the entire thing. This leads to many, so even if there are no engineering or security vulnerabilities in there, this leads to a lot of successful social engineering attacks, with the added benefit that any token that has been stolen now rightfully, Code is Law, belongs to the owner. There was this very famous case a few months ago of the Bored Apes, very high profile case, someone got scammed out of three apes I think, with a value like $2 million. They successfully petitioned the trading platforms to stop all trading on these tokens, which doesn't bode well for the decentralized nature of this thing, but that's that. For me, it's funny; to the people affected it's not, since you have no verification that an actual person is on the other side or who is on the other side. There's this phenomenon called rug pull. Basically you start a new project, you announce Bored Apes were yesterday's news, we are now doing Evolved Apes. They are better, they are better in every way, they can be used in games. Please buy them here. Enter money here. And after you've received all the money, you just clean out the accounts and vanish. This has happened a couple of times now. I don't have all the examples on here. Sometimes it happens even in teams. There are a couple of posts of people actually trying to start a project and then complaining that the administrator they tasked with safekeeping of the secret keys just went and took all their money and is gone now. In conclusion, there's really not a lot of uses for any of this, except for Ponzi schemes and tricking people, especially it's all self-referential. 
You can do financial instruments just fine, everything works great. Not the most energy-conserving way to do that, but it can give good return on investment. Of course, you always need to keep in mind that if you earn money, someone else lost it. So you can do the crypto-enabled financial trickery just fine. But the core problem of any and all blockchain projects is the oracle problem. All the cryptographic stuff, all the verification, zero-knowledge proofs, what have you, only works within the system. You cannot interface into the real world in any meaningful way. Because if you did, if you wanted to, you would need a node that acts as a mediator between the blockchain world and the physical world. You need to trust that node to, for example, accurately report sensor data or to accurately execute some actions. And if you can trust that node to do that, you can also trust the node to do that without a blockchain. Like one of the funniest projects I've heard was for trash collection. Fairness in trash collection, there's a sensor in every trash bin, and trash collectors, like municipal waste, and every trash collector gets money for the trash they collected based on the sensor readings. But the sensor nodes, of course, can't be part of any blockchain. No energy, no nothing, no connectivity. So they just report all their readings to a central server, and that central server then records all the data on the blockchain. And at that point, the central server just disbursed the amount due for trash collecting. There's no need to direct the blockchain into anything here. Put into one sentence, cryptocurrencies have, more or less by definition, only one use case, and that's Ponzi schemes and other scams. There can be, I've said that before, there can be some benefit to having a pure timestamping service, so the blockchain combines timestamping and consensus. 
If you don't need the consensus, because anything you do is centralized by nature anyway, there can be some upside to using a Merkle tree or a timestamping chain without any of the blockchain overhead, consensus overhead. So this is the end of this talk. I will be available for your questions now. Yeah, thank you, Henryk, for this talk. Sorry, wrong language. So thank you very much, Henryk, for this talk. And I found it really good, actually, as an overview of what is out there. Okay, so we have questions. And I'll wait a minute for questions. I see we have roughly 14, 15 questions by now, so it should be okay. Both of them one by one. So first question, here it goes. Why do you think Bitcoin is wasting a lot of energy? Energy used for mining depends on the difficulty. If the difficulty is lower, then Bitcoin will become more energy efficient. So the real problem is just that the Bitcoin price is used as a speculative asset. The energy consumption can never get lower, except if the price collapses. Only if the price is below the cost of energy will the energy consumption fall. Otherwise, you do have, obviously, there is this hashing capacity in the world. There are groups of people who do have both the hardware and the energy supply to mine. So if everybody else mines less, they have an incentive to mine more, A, in order to get more rewards, and B, at some point, the reward shift, if you have a group that is large enough to have 51% of the hashing capacity of the world, they can then just do double spending on the blockchain. They can then do scams outright. So there is the incentives to have... The incentives mean that the hashing capacity needs to increase or stay the same, except if the energy price is too high. At that point, the hash rate is capped by the energy supply, and at some point it becomes profitable to just do the double spending attack, and everything collapses entirely. Thank you. Second question. 
Since man invented currency, it has always been based on trust, whether in gold, real estate, or the economic strength of a nation. It has been known even longer that greed eats the mind, which is why it is deadly. However, neither of these is an argument for me to demonize the entire blockchain technology. In your opinion, how would a blockchain in the context of digital currency have to be implemented? What's the ideal implementation of a blockchain currency? There isn't one. Like I said, so proof of work only burns rainforests for very little gain. Proof of stake is just a different form of authority. It's just a different thing you're trusting in, with no physical and no cryptographic guarantees of anything that you would want to guarantee. If you have currency, you need to have trust, basically. And at that point, you can formalize the trust like we're currently trusting the euro to be something rather because the European Union is worth something. Thanks. Would you also take a look at proof of burn consensus? It is described as a PoW without energy waste. Miners can burn coins to get the right to produce blocks. Proof of work. No, I haven't seen that. It doesn't sound like proof of work. It's like a form of proof of stake, basically. Here it's called proof of burn consensus. And it says that it's described as proof of work. You already need to get the things you burn from somewhere. And at that point, it's just turtles all the way down. Regarding Lightning channel, how does the Damocles sword that you mentioned and previous cheating work roughly, I suppose, technically? Okay, so there's two timelocks involved. And basically, I showed this exchange between the two parties. And in order for them to send me their signature under the new state, I first have to send them a signature that guarantees them the money in 48 hours. So I enable them to completely clean out the account in 48 hours. And only then will they send me the thing I asked for. 
And the other thing has a timelock of 24 hours. So either if the party that... I'm not sure about the order, but the first party that misbehaves basically needs to broadcast their misbehavior on the blockchain or to be... So they need to broadcast the transaction they want to execute. At which point I have a certain time amount, 24 hours or 48 hours, to broadcast my transaction that they gave me beforehand basically as a proof. Yeah, as a ticking time bomb or as a counter escrow. So they need to misbehave on the blockchain publicly, visibly. In which case I can transmit my... It's like in a hostage. In which case I can transmit the thing they gave me to entirely counter the thing. So it's basically implemented by integrating the blockchain at this point, steps out of the Lightning channel. Yeah. Why do you think that proof of space and time has no use cases? From what the person that asked that question reads, it solves a lot of problems BTC has. So Bitcoin and the Nakamoto consensus is completely reinvented. It is very decentralized, has a minimal hardware requirement. The pool protocol is very robust. It is auditable because it uses a variant of Lisp and solves a lot of attacks that are possible on a lot of blockchains. So one of the things... One of the hints you might get is that nobody uses it. If something is a good solution, it's likely someone's using it. That's the cheeky answer. The other is that it isn't as environmentally conscious, for example, as their proponents make it out to be, because it destroys SSDs and that's also a lot of energy waste and hazardous electrons, electronic waste. So yeah, that's basically that. I think IPFS, if you want to have distributed storage, IPFS is a way to go probably. And it still needs someone to operate it. That's the problem, that's true. Did you explore the use of LN for messaging payment information instead of just sending value as a content type for within a payment service? Question, Allen, a LNN. 
He answered capital L, capital N. I'm not sure either what it stands for. It's the Lightning Network. So did you explore the use of Lightning Network for messaging payment information instead of just sending value as content type for within a payment service? No, I did not. Yeah, I don't think I know what messaging on LN would be. Okay, fair enough. Did you consider the concept of atomic cross-shard compatibility? What Radix solved with Cassandra? No, I only have a vague idea of what you're saying, but no. Unfortunately, we can't ask back. I also have the text I read to you. So if the person maybe can quickly submit a clarification, then we can cover that. Could you elaborate on issues with blockchain? So yeah, it's blockchain and then small R, E. So can you elaborate on issues with blockchain re physical or digital asset tracking? In terms of real decentralization or the consequences of no real decentralization? So yeah, that's what I said. That's basically the oracle problem in a different form. You need someone to enter the asset information into the blockchain, at which point you have someone that you trust to correctly enter that. I wanted to look this example up. Unfortunately, I didn't find it again. I saw that on Twitter where someone described their blockchain experience, where someone built an asset management system and it was entirely great inventory management and we buy blue widgets and red widgets and it entirely tracks them from origin to destination, and then they ask, so what happens if we buy 10 black widgets and someone enters that we bought 10 red widgets? At which point the other side fell completely silent. So it is just a different form of the oracle problem. And also the agro problem. For example, Germany, the current German federal government, has a blockchain strategy, where they want to investigate having the Grundbuch, the register of which area belongs to whom, on the blockchain, which begs the question why? 
Because there are not that many things that a state naturally has to do, but providing for the security of real estate is certainly one of them, since if there is a transaction on the blockchain or the blockchain says this plot of land belongs to me, who am I going to call to enforce that? The blockchain police? That's the same. That's asset tracking. That's inventory management. At which point I already have a centralized trusted authority. Next question. Did you consider the concept? We had that. Could you elaborate on... Sorry, I had that too. My apologies. Everything you describe has been used for decades in finance, from short selling to the most complex derivatives. Why should digital currencies be any different? In the stock market, it has been always true. Everything depends on whether there's more fools than papers or more papers than fools. Sure, sure. I'm not against entirely not arguing against using, well, certainly traditional financial instruments are not better than blockchain financial instruments or vice versa. It's just that the blockchain ones also have the energy usage of Sweden for the equivalent of four transactions per second. That's basically a small town. It's not the New York Stock Exchange. The New York Stock Exchange has a much, much, much, much lower energy footprint than the different blockchains and a much, much, much, much, much, much, much higher transaction throughput. Okay, so we have now 12 questions left and I believe we have something like five minutes. So, okay, perfect. I just heard that we have 10 more minutes, so that's awesome. Thank you. So, how does ION by Microsoft fit the stated description of SSI? Yeah, I haven't looked into ION. I know of it and I actually didn't find that much information. So, I cannot quite answer that. It's the same problem as everyone. So, these SSI things tend to ignore the main problem is trusting the source. 
The main problem is not writing the cryptographic credentials or verification signatures, certificates. I don't think ION does anything particularly good. Fair enough. Why does SSI need blockchain? Yeah, I don't know. Is it like a PGP key server but with blockchain? Like I said, so it doesn't. It's just cool and integrated and it blurs the technological lines. You don't actually know how it works anymore. The complicated thing is trusting or getting a trust chain to the issuer, and the way I understood it is proponents believe they put this trust chain into the blockchain, or basically if it's on the blockchain, it's trusted, but the blockchain doesn't add anything except maybe for timestamps, but you can have timestamps much more cheaply. Your main point is that blockchain crypto is only useful to prove scarcity and is therefore only useful as money, nothing else. But I guess this was the point of Bitcoin in the first place. The whole scam started later then. Yeah, you can. So, it's absolutely the same scam as every scam before them, like selling valuable stocks, penny stocks like that. My point is that there blockchain technology. So, there is no use for blockchain technology except maybe exactly this very small niche for globally decentralized Sybil-proof currency with no prior trust in the participants, though it comes at a very high energy cost. And removing any of these words from the sentence completely collapses the rationale for that. And you don't need any blockchain proof anymore. Thanks. How could one benefit from irrationally the market? Sorry, you're dropping out. How could one benefit irrationally of the market without falling prey to it? The question is how to profit off NFTs without being the prey. It's the first mover thing. You win if you are the first. And you need to keep very good care of your digital security in order to not lose anything. Even then it's basic pyramid scheme scam. 
So, the short answer is you can be successful if you already are a successful scammer, and then you know what to do. Okay. How much energy do payment systems use overall consume? Please also count in the dependencies. Yes. I had this number once. I don't have it anymore. Yeah, I don't have it anymore. The calculation was like the entire global financial system including all banks, computers, secretaries, cleaning crews, consumes a lot of magnitude, like a tenth, maybe a quarter of the Bitcoin network. But it includes all banks. I'm not sure about the exact number, but it was less. It was not that much less. It was like half or quarter. But it includes all banks. And all support staff. All the vacuums that always and stuff like that. That's insightful. Thanks. Are you aware of OpenTimestamps.org, a service that lets... All right. So, great proof of existence for law purposes. Mm-hmm. Right? So, my issue with OpenTimestamps is that they still depend on the blockchain, or the Bitcoin blockchain or Ethereum blockchain. My point is that the blockchain, the one thing you need, one of the things you might need a blockchain for is to find a consensus. For proof of existence, you don't need a consensus. Proof of existence works because the thing itself... That is it. So, the thing is actionable in itself. If you publish something onto a Merkle tree, like certificate transparency, this publication is effective in itself. You don't need a consensus whether this publication happened because obviously it happened because it's on there if it's not on there. You don't need any blockchain consensus for that. The only thing you need a blockchain... The only thing they use it for is because they are afraid of their own courage, in order to tether their system to an existing system. But this doesn't need to be a blockchain. 
Actually, there was a company or several companies that did something similar using a standard Merkle tree and publishing the current hash of the tree, the current head, into the New York Times, the newspaper of record. And then there's like 100,000 copies of that day's hash. It's very hard to modify afterwards and gives you proof of existence without wasting any energy. Questions come pouring in, actually. So I don't think that we'll be able to all cover them. Would it be okay for people to contact you? Sure. Do we have afterwards like, I don't know, computer conference stuff or whatever? I'm not sure. Or contact me directly. I think it would be easiest if people could contact you directly. I think you had it on your last slide. Maybe you could repeat how people could reach out to you. Yeah, I have an e-mail address, a Threema URL and Twitter, Henryk Plötz. H-E-N-R-Y-K P-L-O-E-T-Z. Cool. Thank you. Yeah, so maybe one short question. Stop. Is there any use for the blockchain then? It seems that there's no point of it at all. Exactly. So there's use, it's scams. If you don't think that's a legitimate use, there probably isn't. I'm fully in support of at least, if not banning it, for example, for public projects. There's really no reason why our government should spend any money on that. Yeah, so thank you very much, Henryk, for this talk, for all your patience and questions that you answered. I think it was great. I think the amount of questions also shows some interest. My pleasure.