...much more work to be done, way beyond what I can do, and I want to get you excited about what one could do in this space and what there is to come in the research pipeline ahead of us. So let me do this a bit at a time. Why is this not starting? Hang on. Oh, are we now projecting? Yes, perfect. So where are we now?

Starting out as we are: blockchains have become one of these words that requires no article. We don't talk about "a blockchain", we don't talk about "the blockchain", we talk about "blockchain". If you walk around in downtown Manhattan and you see two suits discussing the latest fintech stuff, one of them will turn to the other and say, "What's your strategy for blockchain?" The only other word I know that doesn't require an article like this is God.

Cryptocurrencies have become a new asset class. People have coined the term "crypto assets", and the sum total value of such assets is more than a hundred billion dollars. Ethereum itself has emerged as a platform for new projects, so there's a lot of money going into startups: at least 1.4 billion the last time I tallied this, which was over a year ago, and that was traditional VC money. A lot of the on-ramps into new projects have turned into ICOs, and ICOs are projected to raise more than a few billion dollars of value in the current year. And with Ethereum itself there's a strong foundation. The EVM works very well; there has never been any downtime since its launch. Solidity is a language that we all have a bunch of wishes for, and it's evolving, and it has been very successful in getting people to think about writing smart contracts. And of course there's a rich dapp ecosystem: if you go walking in the hallways here, you'll hear everybody talking to everybody else about what their favorite applications are, what the new projects are, and what happened over there. Okay, how is that? Okay. So we have multiple implementations of the Ethereum virtual machine. Most importantly, I think, and this is the main point that I'm super proud of, that makes me really excited when I'm here, is that there's a supportive, constructive, science-driven community. This is worth its weight in any currency, plus any other tangible asset you might imagine. That is the actual value proposition of this particular system.

So let's see what the significance of all this is. What does this mean? There are three things that really get me excited. The first one is that we're witnessing the emergence of a new class of systems: systems with high integrity that can execute programs and give you a strong assurance that they will execute according to how you devised them. They achieve their trustworthiness through auditability and transparency. Based on this foundation we are seeing the emergence of a new class of financial instruments. Up until a few years ago the most exciting instrument I could ever get my hands on (and believe me I tried; in upstate New York it was very hard, and when I tried to buy Russian bonds they made me talk to a very funny gentleman at my local bank who told me that I was essentially trying to buy junk bonds and it was going to be very difficult and so forth), the most exciting financial instrument that I could possibly write, that I could get my hands on, was a check, and if I was fancy I could write a post-dated check, and that was it. Now anybody in this room can write all sorts of really fancy, really exciting instruments. There's a revolution, and it's in the hands of everyone. And finally, and this is probably the most out-there claim, there is a new form of social organization afoot. If I look back at the history of humanity going back thousands of years, there are some highlights in how people organized themselves. One of them is perhaps written laws: prior to written laws you lived and died at the behest of a ruler; afterwards you've got some rules and you have some predictability in how your life is going to be managed. Another highlight is the emergence of the corporation. Now that we have corporations we don't have personal responsibility for everything we do; the corporation is a virtual entity. And with smart contracts we now have the ability to have contractual programs that manage assets, that can transfer value.

So that's all nice and fine and good, but where do we end up with challenges ahead? What do we still have to deal with? I believe there are three fundamental challenges in front of us. The first one, as you all know, is scale. Your cousins in Bitcoin land (and in fact many of you are also Bitcoin holders, I assume) are dealing with this day in, day out, and I want to tell you a little bit about this particular dilemma so that you're all well versed in the best known on-chain and off-chain scaling solutions. The Bitcoin folks have an information dissemination problem: they won't really tell you the full story, and it comes with a funny slant depending on which forum you're in, so I want to tell you what we know from academics. The second thing I want to talk to you about, and this is where I get kind of "blue yonder" and talk about things that one could do without necessarily having a solution, is correctness: how do we ensure that smart contracts do what they claim to do? How do we reason about them? And finally I want to talk to you about privacy, and tell you a little bit about the work that's going on at IC3 on how to marry two things that most people consider incompatible: private data with public blockchains.

So let's start with the scale issue. I assume everybody knows the operation of a typical blockchain. You have some kind of a block, let's say the genesis block, on the left-hand side. You have transactions that are issued, you have miners that collate these transactions into blocks, then they solve some kind of a proof-of-work puzzle, and that allows them to attach the last block to the previous one. Once they do that they announce their block, and the miners start building the next block, and the next block, and so forth. Of course we have to incentivize people to do this, and to do that we give them some kind of a block reward for discovering these blocks. This operation makes it infeasible for an attacker to modify the past as long as the attacker does not have control of the majority of the hash power. So if we have blocks like this and the blockchain is getting extended in some reasonable form, and you decide to break from the majority, you decide "hey, I'm going to pretend that I did not make that payment to that online merchant", well, you can do that, but without the majority hash power you will find yourself falling behind and unable to keep up, and your version of the financial history of the world will be pruned and you'll be cut off. So this is fine and dandy, and at the core of this operation, this is the magic that Nakamoto consensus gave us, is this frenetic activity any time a block is found. Every time somebody finds a block they have to very quickly disseminate it so as to get other people to adopt their version of reality, and that's a difficult thing to do. Writing protocols where everybody gets access to the same thing at about the same time, without giving some kind of an advantage to the bigger miners, is difficult, and that of course has led to the Bitcoin community rift. There has been a civil war in the Bitcoin world over the block size. If you make it too big, then you have this problem that big miners have an advantage; in fact, small miners will want to pool their resources and combine to create a bigger mining pool. If you make it too small, then you limit your throughput. Exactly where to put that knob, where to adjust it, has been the subject of much debate, as you might have heard from the Bitcoin folks.

In Ethereum's case the blocks come every 14 seconds, and the throughput realistically comes out to seven transactions per second. If all of the transactions were just simple value transfers it might be up to about 25 transactions per second. Just so you can visualize what that means: I believe the Bay Bridge in San Francisco is about five to seven transactions a second on a busy evening, so that's about the rate we're talking about. An IKEA on a Saturday might be a few transactions per second. So it's a very limiting foundation to build a worldwide global transaction system on, and simply increasing the block size is not a long-term option. You could up it a little bit; you certainly could up the Bitcoin block size, because they're in a very low range, but you couldn't up it indefinitely. If the blocks were really big then there would not be enough time to build on one before the next one arrives.

So what have we done? Academics have looked at this issue. What you typically have in bad communities is what we call "design by gut": a designer, ideally with a big beard, holds his gut and says, "Well, I feel like this particular block size is the best one," and that's okay, it depends on the swaying power of the beard in some sense, but really that's no way to build systems. The science-driven way to build this is: you come up with metrics, you decide what your minimum viable platform is, and you then show that the particular parameters you've chosen are ideal for what you want to achieve. To help with this process, at IC3 we came up with some metrics for characterizing consensus protocols. These are things like mining power utilization: obviously you want all of the power spent on mining to go into your blockchain, and if that's not happening, something is wrong. You want the mining process to be fair, even to small miners. You want the consensus delay to be low. And we also came up with two very interesting metrics that I don't have time to go into, time-to-win and time-to-prune, that talk about the latency of the consensus process from the point of view of a miner. To aid this we also built a bunch of apparatus (apparatuses, apparati, or whatever the word is) for experimenting with consensus protocols. One thing we built, which is an interesting artifact, is Miniature World, a replica of the cryptocurrency world, one for one, in the basement of our computer science department. So for every Bitcoin node out there we have a replica of it in the department, and work is underway that will allow us to have a replica of every Ethereum node as well. These systems are not so big that they could not be replicated, especially given the fact that we don't have to do the mining when we do simulations. We also built relay backbones for Bitcoin to be able to collect data from inside the network, and we operate one of the two backbones for Bitcoin.

So there are some interesting findings that I can share with you. One of them is that the Ethereum system, the current protocol, incurs many uncles; we end up wasting some effort in uncle blocks, and it would be nice to reduce that number. We also found that the network would greatly benefit from a relay network. The Ethereum mining ecosystem as it is is more centralized than Bitcoin; that's an interesting finding. There are fewer actors that control more of the hash power. It changes from week to week, month to month, but overall it's fewer, and it's an interesting outcome. But the real issue here is: okay, this is all fine and good, these are just findings from the current network, but how would one make this better? And the funny thing here is that Ethereum is going to switch to proof of stake, so what I'm about to tell you might not necessarily apply, but I want people in this community to know what the best state of the art is. The best state of the art is not "let's tweak a parameter"; you can only go so far with tweaking parameters.

So I want to talk to you a little bit about Bitcoin-NG, which is a protocol for on-chain scaling, and I'll also refer to its cousin ByzCoin at the end. As far as I know this family is the best on-chain scaling protocol. Essentially this starts with a very simple observation. The typical mining process as we know it has blocks that serve two purposes. One is that the block acts as a leader election mechanism, and two, the leader then says, "In the preceding block interval the following things happened." So it's a retrospective protocol: you elect me by chance, and I say, "Okay guys, this is what happened in the last week." That's fine, except if we were to break these two functions apart we could end up with much better protocols with much stronger guarantees. The way we propose to break this up is into key blocks and microblocks. A key block is the leader election portion of a block, and essentially every now and then we elect a leader, and from that point on that leader vets transactions as they come in, not retrospectively over the last block interval, but as they happen, on the fly. And of course the key block is related to the microblocks by a signature: the key in the key block signs the transactions in the microblocks. So the thing to notice is that key blocks are very small and rare, and microblocks are small and frequent. The commonality is they're small, and the smaller they are the better it is. What we are going to do is take the process of that frenetic block generation and smear it across time. We won't do it all at once and go crazy and scramble; we'll do it slowly.

So the way this is going to work is that when it's time to mine something, instead of mining a giant block with everything that happened in the preceding block interval, we simply mine a small block that says "hey, this is my key", and that elects the blue leader as the leader. From that point on he can mint transactions. Whereas he would normally be minting a giant block with transactions in it, now he starts minting them one at a time, linked of course in blockchain formation, but without a proof of work. His proof of work arrives first, and then the rest of the block contents appear one at a time. This process will lead us to a chain, and at some point it'll be somebody else's story: somebody else will discover a key block, in this case the yellow leader, and the yellow leader will then start issuing his own microblocks. The critical part, which I'm glossing over in this talk, is getting the incentive structure just right. You want the yellow guy to attach to and extend the longest chain, and you don't want the blue guy withholding any data; you want him to be cooperative. If you set it up as a set of constraints, the math gets a tiny bit more complicated, but you can come up with the actual incentive structure that will get everybody to behave cooperatively.

In this graph we're showing what happens to Bitcoin and Bitcoin-NG; Ethereum would actually have the same kind of graph. On the x-axis is block size (as you go right it gets bigger), and on the y-axis is fairness to smaller miners. As you can see, as you make the blocks bigger and bigger, Bitcoin starts deteriorating. Now, these block sizes have been scaled down, and the actual Bitcoin block size debate is being waged in that zone over there, where it's just as indistinguishable, but it doesn't matter: if they were to try to push their block size beyond the particular threshold they will find that the protocol actually deteriorates, and in contrast Bitcoin-NG does not do that, and that's not surprising because of the way it's structured. So where does this take us? It takes us to this location where we can achieve about 300 transactions per second, about one to two orders of magnitude increase in throughput, and that happens without a change to the trust model; it's the same process as before. Follow-on work called ByzCoin generalizes this idea to a coalition of leaders. So is this good? I think it's okay. 300 transactions per second is not quite Google scale, it's not quite Visa scale; we'd like to do much, much better, and I want to tell you a little bit about how to do better with the help of special hardware.

You've probably heard of Raiden, you've probably heard of the Lightning Network. All of these systems are protocols to take the load off of the blockchain into two parties that communicate in private and then settle back on the main chain. These protocols are software-only protocols, and as such they are subject to one big problem. If I'm a participant in any of these networks, any of these protocols, I have access to old states, right? So I start out the transaction with you, and at the beginning of time I have a hundred dollars and you have a hundred dollars. I buy something from you; now you have a hundred and eighty and I have twenty. I could try to settle using the old state as opposed to the current 180/20 state, and that's a problem. If we use software, this requires you to constantly monitor the chain so that I don't try to settle early, and that changes the ecosystem. You suddenly start either connecting to the network and watching it like a hawk, or paying someone to do that for you, and who is that someone? It begins to look more and more like a bank, which was the exact thing that these systems tried to get us out of, and that was one of the main reasons that I got excited about these kinds of systems. The system is vulnerable to transaction malleability, and the performance of these software off-chain transaction systems is limited, so you and I have to sign and re-sign and re-sign new transactions for every payment.

So let me tell you a little bit about an interesting development that's happening that many people are not aware of. Inside every shipping Intel chip today is what we call a trusted execution environment. This is something far better than a treasure, something far better than a ledger, and I'll tell you why: there are two reasons why it's better, in both dimensions. And it's not just Intel; ARM has something called TrustZone, and AMD has similar functionality. These trusted execution environments (TEEs) provide the notion of high-integrity secure execution, so you can get some code to execute inside the chip unmolested. If a Russian hacker comes into your system and changes your program, what will then happen is that the encryption keys that this program runs under are not accessible even to that new, modified program, so it won't be able to read its own data; it won't be able to touch what it touched before. So this is one way of guaranteeing that the code will only execute, and only take those steps, that you programmed it to do. The second feature that these environments give you is remote attestation. Not only is the chip executing code with high integrity, but it's able to tell someone else: "Hey, inside my enclave, inside my secure inner sanctum, I'm going to execute some code with the following hash," and if you know what that code is, then you know all my future behaviors. Of course you have to trust that Intel, a company with 56 billion dollars at stake, actually got the TEE implementation correct.

So let me tell you what one can do. We developed a protocol for value transfers called Teechan, and very quickly the way this works is as follows. Alice and Bob, on the left and right, have in their enclaves, inside their TEEs, two keys: Alice has the green key that commands her green contract, and Bob has the orange key that commands his contract. In the initial establishment phase Alice and Bob securely swap keys with each other after verifying that both of them are operating on top of TEEs. This seems like anathema, it's like I just gave my key to someone else, but I can do so securely knowing that she can't get my key out; she can only do those things that I authorized her to do. The next thing that the protocol does is make a copy of the contract state into the TEEs, so now my contract and yours are locked inside my TEE and your TEE, and on the actual chain we freeze the two contracts, so now they can't get modified underneath us. From this point on, life goes on. I don't have to monitor the chain at all. We could be in the middle of the Sahara, just the two of us, and I can go back and forth with you and authorize changes. So in this case I made a transaction from the green contract to the purple one, and the only thing I need to do is get you a message that says "hey, this transaction happened", and that changes your state as well. We can do this all day, back and forth, constantly updating our state without having to hit the actual chain. At some point we decide to settle, at which point one of us updates the chain with the modified state, and this is going to be a two-out-of-two multisig, so that ensures that indeed this is an authorized new state that got updated in private. So this is a pretty nice way of actually doing things off-chain.

We then extended this work to something called Teechain. Teechain is a generalized form of Teechan, except it's multi-hop. In this case Alice and Bob are not directly communicating with each other; they might have other parties in line, shown here with different colors, and the payments go across multiple parties and they're guaranteed to be atomic. That is, a transaction will not get stuck in the middle of, let's say, the country: if I want to pay from New York to San Francisco, my money will not be stuck in some contract in Ohio. It either happens or it doesn't happen; it's atomic. We implemented this fully; we actually got the keys from Intel to sign it. We have an actual implementation that operates directly on hardware, counter to what the Bitcoin trolls make noise about, and we deployed it across the Atlantic. The types of numbers that we are seeing with this setup are in excess of 100,000 transactions per second per channel. If you think about that for a second, that's actually a lot of zeros; that takes us into a different domain. And you can have as many channels as you like. Of course then all sorts of other issues begin to matter: if you're Bitfinex, if you're an exchange, you're going to have to worry about actually terminating these channels on your end. But the bottom line is this gives you an enormous ability to leverage the power of off-chain transactions. The latencies are simply network latencies in this case. We're currently working to port Teechain to Ethereum, to support Ethereum transactions and contracts natively on top of Teechain; our implementation is with Bitcoin. So this is, as far as I know, from my perspective, the best of on-chain and off-chain scaling that has been realized to date.

Let me switch gears. Let's talk a little bit about correctness, as I'm sure this is a critical issue for everybody here who has ever written any line of code for Ethereum. So what do we want to do? We want to be able to verify that smart contracts do what you think they should do, and this is typically done with the aid of a specification. We write, in some other language, typically a very mathematical language, what this contract ought to implement, and then we use lots of techniques from a very rich field called program verification. My colleagues who work on it have been spending decades on this; ever since the '60s people have been paying attention to how we write bug-free code. It's very difficult, and it typically falls far short of target. Software verification has focused on two issues, safety and liveness, and I'm here to tell you that there is much more to this domain than safety and liveness. I'd like to sensitize you to what actually needs to happen, to the research that needs to come.

So let me expand on this. So far the research has focused on safety and liveness. What is safety? Safety means that there is no path in a program where a bad thing happens, where I have a predicate in mind, things like: the number of tokens coming in is not equal to the amount of money going out. That's a bad thing; that's what happened with the DAO, right? So that shouldn't happen, and I want the guarantee that that can never happen in my code. That is a safety criterion, and we understand quite well the program verification techniques required to check that kind of criterion. Liveness means that always, eventually, something good happens. That's a precise statement: on every path there is eventually a good thing that you want to have happen. The user is able to withdraw her funds; that should be possible at all times. This is what this field has really been focused on. Why? Because they've been worried about things like nuclear power reactors being correct: their safety matters a lot, their liveness matters a lot. But what they haven't paid attention to are game-theoretic properties, which matter to you, and you need to learn to demand this from the researchers.

So safety criteria are things like: the sum total of tokens is less than some bound, token balances are conserved. Liveness criteria are things like: the smart contract does not get stuck. In academic parlance these are all properties you can reason about by reasoning about the execution trace of a single smart contract, a single trace. I have some code, it follows some path, and on that path nothing bad should happen, and we know how to check these things; or it follows some trace, and at the end of that trace there is something good happening, and again we have techniques. The liveness issues are not as well covered as safety issues, but we have some techniques for them. What we have nothing for, and what I'm here to try to get people excited about, are game-theoretic properties. What do they look like? Well, these sound a little bit more nebulous. These are properties like: this contract is fair to all participants. This contract is truthful; it elicits a truthful response, the way you bid for a truthful bid when you are trying to buy an ENS name. This contract is incentive compatible: given these incentives, you will do the things that they want you to do. Or things like: late voters are not disadvantaged, as was the case in the DAO. Or: this contract is regret-free; if you have the following goals in mind, no matter what you do, as long as you rationally follow these steps you will end up at a good place where you'll be happy. Or, most important of all: the contract maximizes social utility. That word typically doesn't mean much for people, but it really means the contract maximizes social outcomes; it makes the most number of people the most happy, if you will. So these are really interesting, and we don't have techniques for dealing with them. To be able to even get at these problems, I think the very first step is to couple a smart contract with models of utility and to reason about the contract and the actors in that context. This requires a set of new techniques that I'm really happy to announce that myself, Ari Juels and Andrew Myers at Cornell just got a grant to explore, but they are not well known and not well appreciated.

The reason why these techniques are difficult is because we're not reasoning about a single trace of a program. To reason about these things, these meta-properties, they're not related to a single trace. Regret, for example, explores what happens on all paths: I'm on one particular path, but are there other paths where, if I were to have followed them, I would have been better off? That requires a combinatorially larger exploration of paths and a much more complicated analysis. So we've begun to study this topic at IC3, but much more work is needed, and I wanted to bring this up in the sense of an academic trying to look at this situation and trying to make sense of what still needs to come. Just in case, don't forget that we actually do need regular good old program verification; that still applies. We do need safety criteria, we do need liveness criteria checked for our Solidity code. We still need additional mechanisms for Solidity; the language is not enough. We need the runtimes for smart contracts to do that. There exist entities like Virtual Notary, Town Crier, Oraclize, Augur and many others that can import real-world facts into blockchains, and they're very much needed. We still need escape hatches; in fact, we need crowdsourced escape hatches, as we proposed shortly in the aftermath of the DAO, where you can say things like: "I want a non-gameable way to press the red button when something terrible has happened." How do we build those things? I don't want to privilege the developers, and yet I want to be able to stop things when bad things happen. And in fact, many of the problems we found with the DAO, of which the DAO hacker used one, plus he used another one, many of them were game-theoretic bugs. Even if the DAO had not been hacked by that hacker, it would have been hacked by many other hackers in this room; I'm definitely certain of that. So we need mechanisms to keep that from happening.

So in the last few minutes I want to talk to you about another topic, privacy, and tell you a little bit about some ongoing work. As you well know, private data and public blockchains don't mix. It's very difficult to put private information into blockchains because all contract state is public. Contracts cannot hold or exercise secret keys. I cannot put API keys inside my contract. I would love to be able to have my contract interact with Google services, interact with exchanges, but I can't put those private keys inside a contract; that'd be madness. It would be revealed to anybody who decompiles my code. And there is much other private data that we'd like to store there. So what can we do? Well, we've been working on something called Credeb. It used to be called Credible, but we thought it was just too hard to type, so it's called Credeb, for "credible database". It's a new database implemented on secure hardware. It's not on a chain, but on the network. Imagine a database that's connected to the network, connected to the Ethereum blockchain, that gets its commands and API from the blockchain itself, so it's tightly coupled to the blockchain but keeps its data private, off-chain. It's an eidetic database, that is, it remembers everything that ever happened and you can query for past states. And as I said, it's blockchain-driven: everything that happens to it is stored on a blockchain. Just like the Teechan and Teechain implementations, it relies on some secure hardware that advertises its presence on the blockchain. It attests to the fact that it's running on a TEE, and it holds some private data, and once it's announced its public key on the blockchain it is now accessible by all. Now you can send messages to it, encrypting those messages for that destination so that only this code can decode what it is that you want to read. You want to read some genetic data out of a very private DNA database? You can actually do that; only that guy will know, and he will be able to access this. But I'm getting ahead of myself. The invocation you perform by invoking methods on this item that are encrypted; you put them as blobs onto this blockchain, send them into the TEE, and the TEE will compute on your behalf. You use the blockchain as a rendezvous mechanism, and this entity is essentially a nameless entity: it's on the network, but you don't know where it is, and you're not tightly bound to it; you invoke it solely by key. This would be a great way to build decentralized exchanges, for example. And when this thing has computed the result, it can make the result known back on the blockchain, optionally encrypted with the key that you provide so that only you can read it. So it's a very self-contained, very simple, straightforward application of TEEs and blockchains. And what's more, you don't have to have just one of these; you can have as many of them as you like, and they would then form some kind of an overlay network on top. So you can have as many such databases and contracts as you like.

So where does that take us? Well, you all have built an amazing planetary-scale decentralized computer that executes in tandem with high integrity. It's sound, it's secure, and it's got lots of exciting new applications. There are lots of exciting challenges ahead, and I hope I managed to point out some that you knew about and maybe a few directions that you had not thought about. Most importantly, as I mentioned in the beginning, with a science-driven, constructive community I look forward to tackling all of them one by one. Thank you.
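The key block / microblock split that the talk describes for Bitcoin-NG is easiest to see as a validator. The following Go program is an added example written for this transcript; it is not code from the talk, from IC3 or from the Bitcoin-NG paper. It assumes a toy proof of work (12 leading zero bits, so it mines in milliseconds), uses ed25519 as a stand-in for whatever signature scheme a real deployment would use, and the transaction strings are constructed. Key blocks carry proof of work and elect a leader; microblocks carry transactions, no proof of work, and must be signed by the leader elected by the most recent key block. The demo builds the chain from the talk (blue leader, then yellow leader) and also a suffix where blue keeps minting after yellow's key block, which the validator rejects.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// Toy proof of work: a key block hash must start with this many zero bits.
// Real difficulty is vastly higher; this value is chosen so the demo runs fast.
const keyBlockDifficultyBits = 12

// Genesis is a constructed starting hash for the demo chain.
var Genesis = sha256.Sum256([]byte("constructed genesis"))

// Block is either a key block (proof of work, elects a leader) or a microblock
// (transactions only, no proof of work, signed by the current leader).
type Block struct {
	IsKey  bool
	Prev   [32]byte          // hash of the preceding block, key or micro
	Leader ed25519.PublicKey // key blocks only: the elected leader's key
	Nonce  uint64            // key blocks only: proof-of-work nonce
	Txs    []string          // microblocks only: constructed sample transactions
	Sig    []byte            // microblocks only: leader's signature over header()
}

// header serialises every field except the signature, so the signature covers
// the block type, the link to the previous block and the transactions.
func (b *Block) header() []byte {
	var buf bytes.Buffer
	if b.IsKey {
		buf.WriteByte(1)
	} else {
		buf.WriteByte(0)
	}
	buf.Write(b.Prev[:])
	buf.Write(b.Leader)
	binary.Write(&buf, binary.BigEndian, b.Nonce)
	for _, tx := range b.Txs {
		buf.WriteString(tx)
		buf.WriteByte(0)
	}
	return buf.Bytes()
}

func (b *Block) Hash() [32]byte { return sha256.Sum256(b.header()) }

// meetsDifficulty counts leading zero bits of the hash.
func meetsDifficulty(h [32]byte) bool {
	zeros := 0
	for _, c := range h {
		if c == 0 {
			zeros += 8
			continue
		}
		zeros += bits.LeadingZeros8(c)
		break
	}
	return zeros >= keyBlockDifficultyBits
}

// MineKeyBlock is the rare, expensive step: search for a nonce meeting the target.
func MineKeyBlock(prev [32]byte, leader ed25519.PublicKey) *Block {
	b := &Block{IsKey: true, Prev: prev, Leader: leader}
	for !meetsDifficulty(b.Hash()) {
		b.Nonce++
	}
	return b
}

// MakeMicroBlock is the frequent, cheap step: no mining, only a signature.
func MakeMicroBlock(prev [32]byte, txs []string, leaderPriv ed25519.PrivateKey) *Block {
	b := &Block{Prev: prev, Txs: txs}
	b.Sig = ed25519.Sign(leaderPriv, b.header())
	return b
}

// ValidateChain checks the hash links, the proof of work on every key block,
// and that each microblock is signed by the leader of the latest key block.
func ValidateChain(genesis [32]byte, chain []*Block) error {
	prev := genesis
	var leader ed25519.PublicKey
	for i, b := range chain {
		if b.Prev != prev {
			return fmt.Errorf("block %d: does not link to previous block", i)
		}
		if b.IsKey {
			if !meetsDifficulty(b.Hash()) {
				return fmt.Errorf("key block %d: proof of work not met", i)
			}
			if len(b.Leader) != ed25519.PublicKeySize {
				return fmt.Errorf("key block %d: malformed leader key", i)
			}
			leader = b.Leader
		} else {
			if leader == nil {
				return fmt.Errorf("microblock %d: no leader elected yet", i)
			}
			if !ed25519.Verify(leader, b.header(), b.Sig) {
				return fmt.Errorf("microblock %d: not signed by current leader", i)
			}
		}
		prev = b.Hash()
	}
	return nil
}

// DemoChain mirrors the talk: blue mints microblocks until yellow's key block
// appears, then yellow mints. It also returns a stale-leader variant in which
// blue signs one more microblock after losing leadership.
func DemoChain() (valid []*Block, staleLeader []*Block, err error) {
	bluePub, bluePriv, _ := ed25519.GenerateKey(rand.Reader)
	yellowPub, yellowPriv, _ := ed25519.GenerateKey(rand.Reader)
	kb1 := MineKeyBlock(Genesis, bluePub)
	mb1 := MakeMicroBlock(kb1.Hash(), []string{"alice->bob:5"}, bluePriv)
	mb2 := MakeMicroBlock(mb1.Hash(), []string{"bob->carol:2"}, bluePriv)
	kb2 := MineKeyBlock(mb2.Hash(), yellowPub)
	mb3 := MakeMicroBlock(kb2.Hash(), []string{"carol->dave:1"}, yellowPriv)
	valid = []*Block{kb1, mb1, mb2, kb2, mb3}
	stale := MakeMicroBlock(mb3.Hash(), []string{"dave->blue:9"}, bluePriv)
	staleLeader = append(append([]*Block{}, valid...), stale)
	return valid, staleLeader, ValidateChain(Genesis, valid)
}

func main() {
	valid, stale, err := DemoChain()
	fmt.Printf("valid chain, %d blocks: err=%v\n", len(valid), err)
	fmt.Printf("stale-leader chain: err=%v\n", ValidateChain(Genesis, stale))
}
```

Two things the talk states are visible directly in the validator: the only expensive operation is the key block search, and every microblock is bound to a specific leader by the signature, so a former leader cannot keep appending after somebody else's key block. What the example deliberately leaves out is the incentive structure the speaker says is the hard part: nothing here rewards the yellow leader for extending the longest chain or punishes the blue leader for withholding microblocks.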
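The stale-state problem the talk raises for software-only payment channels (Raiden, Lightning) can be shown with a small model. This Go program is an added example for this transcript, not code from the talk or from any of those projects. It assumes a simplified channel: every balance update is a state with a sequence number that both parties co-sign (the two-out-of-two rule the speaker also uses for Teechan settlement), and an on-chain settlement rule, assumed here, that accepts any doubly signed state but lets a later submission with a higher sequence number override an earlier one. The TEE part of Teechan is not modelled; the point is only that without hardware holding the latest state, the chain cannot tell a stale state from the current one, so the counterparty must be watching to respond.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// ChannelState is one off-chain balance snapshot; Seq grows with each update.
type ChannelState struct {
	Seq              uint64
	AliceBal, BobBal uint64
	AliceSig, BobSig []byte
}

// digest is the byte string both parties sign.
func (s ChannelState) digest() []byte {
	buf := make([]byte, 24)
	binary.BigEndian.PutUint64(buf[0:], s.Seq)
	binary.BigEndian.PutUint64(buf[8:], s.AliceBal)
	binary.BigEndian.PutUint64(buf[16:], s.BobBal)
	return buf
}

type Party struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty() Party {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Party{Pub: pub, priv: priv}
}

// CoSign applies both signatures: a state is only valid when both agree to it.
func CoSign(s ChannelState, alice, bob Party) ChannelState {
	s.AliceSig = ed25519.Sign(alice.priv, s.digest())
	s.BobSig = ed25519.Sign(bob.priv, s.digest())
	return s
}

// Ledger stands in for the on-chain settlement contract (assumed model).
type Ledger struct {
	alice, bob ed25519.PublicKey
	settled    *ChannelState
}

// Settle accepts any state signed by both parties. The chain has no memory of
// the private history, so it cannot know whether a state is the latest one;
// it can only prefer a higher Seq if somebody submits it.
func (l *Ledger) Settle(s ChannelState) error {
	if !ed25519.Verify(l.alice, s.digest(), s.AliceSig) ||
		!ed25519.Verify(l.bob, s.digest(), s.BobSig) {
		return fmt.Errorf("settle: state %d is not signed by both parties", s.Seq)
	}
	if l.settled != nil && s.Seq <= l.settled.Seq {
		return fmt.Errorf("settle: state %d is not newer than settled %d", s.Seq, l.settled.Seq)
	}
	l.settled = &s
	return nil
}

// StaleSettleScenario replays the talk's 100/100 -> 20/180 example and returns
// Bob's on-chain balance after Alice settles with the old state, then after Bob
// (only because he was watching) submits the current one.
func StaleSettleScenario() (bobAfterStale, bobAfterWatch uint64, forgedRejected bool, err error) {
	alice, bob := NewParty(), NewParty()
	ledger := &Ledger{alice: alice.Pub, bob: bob.Pub}
	s0 := CoSign(ChannelState{Seq: 0, AliceBal: 100, BobBal: 100}, alice, bob)
	s1 := CoSign(ChannelState{Seq: 1, AliceBal: 20, BobBal: 180}, alice, bob)

	// A state Alice signs alone is rejected: two-of-two really is enforced.
	forged := ChannelState{Seq: 2, AliceBal: 200, BobBal: 0}
	forged.AliceSig = ed25519.Sign(alice.priv, forged.digest())
	forgedRejected = ledger.Settle(forged) != nil

	// The old state is genuinely co-signed, so the chain accepts it.
	if err = ledger.Settle(s0); err != nil {
		return
	}
	bobAfterStale = ledger.settled.BobBal
	// Bob's correct balance is restored only if he notices and responds.
	if err = ledger.Settle(s1); err != nil {
		return
	}
	bobAfterWatch = ledger.settled.BobBal
	return
}

func main() {
	stale, watched, forged, err := StaleSettleScenario()
	fmt.Printf("forged state rejected: %v\n", forged)
	fmt.Printf("Bob after stale settle: %d, after responding: %d (err=%v)\n", stale, watched, err)
}
```

The forged-state check shows what co-signing does protect against; the two settle calls show what it does not. If Bob is offline between them, the ledger stays at the 100/100 state, which is exactly why the speaker says these systems push users into watching the chain like a hawk or paying someone to do it.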