There is not time to introduce Bitcoin during this short talk. Let me just say what is the basic idea. Well, the users jointly emulate a trusted bulletin board. They call it the ledger or the blockchain, on which they post transactions. So this bulletin board consists of a list of transactions ... Transactions cannot be erased and this is a way to prevent double spending. So what is the main difference when you look at it between MPC and Bitcoin? In MPC, we always define a majority of parties in terms of the number of parties. In Bitcoin, we have a majority of computing power. So there's obviously some difference and it is there for a good reason. The problem that Satoshi faced is how to define majority in a situation where everybody can join the network? The system works on the internet, everybody can join the system, there is no way to verify identity. Well, if you have a situation like this. So you have, like, three honest guys and one dishonest guy, then nothing prevents this dishonest guy from creating lots of fake identities and gaining the majority. So defining security in terms of the number of participants in a situation where everybody can join ...
... We will denote this proof of work by POW. This is a solution s computed on the challenge. He outputs s, and then everybody can verify that he computed this challenge by applying some function verify. And moreover, computing this function POW should take some time. So this is how security is defined, to produce such a proof of work ... It's an expected time t, so if you're lucky you can solve it faster. If you are unlucky maybe you need to wait, to work more. What we use in our paper, we use proofs of work where one always needs to work time at least t. We construct them using Merkle trees, it's pretty straightforward, and I think a standard construction, and I will not go into details of this. So for a moment, just until the end of the talk, let us remember that a proof of work for us is something that always takes time t to compute. ...
... The second thing is the genesis block, the thing from which this blockchain started, it had to be generated in a trusted way. So Bitcoin security relied on the unpredictability of this block zero before the 3rd of January 2009. Well, in some sense, now, after so much work was done on this blockchain, it is very unlikely that actually Satoshi was secretly ... but as long as he cannot make it equal to some value that he chooses. So something like this would be needed to make this, to get rid of this assumption that ... block zero was generated, the block was generated honestly, ... where Satoshi had some heuristic solution for it. So what he did is he hashed the title of a front page of the London Times from the 5th of January 2009.
So this is the title that he hashed, and there are other ideas of what one could use: stock market data, astronomy, NIST ... So we ask if we can construct in this Bitcoin model ... if we can construct protocols, like distributed cryptography ... protocols that are provably secure, so we don't have these ... hand-waving arguments that Satoshi made, and do not require ... any trusted setup, so without this genesis block. The motivation is, maybe we can improve the existing currencies or propose new cryptocurrencies with better properties, with better understanding of their security. Another realistic motivation is that actually this POW-based consensus is used for other purposes now, not only financial, okay, so maybe people can use some of this technology for some other non-financial purposes. Here's a list of some things. Okay, so what is the Bitcoin network model when you start formalizing these things? So, well, there is no authentication or secrecy, so everything happens publicly. There is no secure broadcast channel, but we guarantee that every message sent by an honest user arrives to every other user within some time delta. So it is a synchronous network in the sense that there is some time delta within which every message arrives. It sort of looks like it's needed because we will be measuring computing effort in terms of how many hashes you can compute per second, so then we need some notion of time, okay? Yeah, so every message arrives. It will also be called insecure broadcast, okay? So it's just like broadcast, meaning that I send a message to everyone, but of course if I'm dishonest, I can send different messages to different people.
Okay, so how do we model the computing power? We use the random oracle model. We have H, a hash function that's modelled as a random oracle, and the computing power of a party P is defined by what is also a term from Bitcoin, called hash rate. So the hash rate of a party is the number of times a party P can call H in some given time delta, okay? Okay, and then this is a notation, so we will assume that, well, we have some group of participants, we will have some adversary in a moment, so we have some participants, every honest participant has some hash rate denoted pi, okay? So for simplicity, let's assume that everybody who is honest has the same hash rate and the adversary has hash rate pi_A. And additional assumptions are that, well, the parties need to know when this game starts, okay? And there is some unique session ID that they agree on in advance, and the hash rate of the honest parties is known to everyone, and there is an upper bound on the total hash rate in the system, okay? So it's like L times pi, so L is like how many times more there can be total computing power than what a typical honest guy has. And this parameter is known to everyone. Okay, so what are the results? So we show that in case each honest party controls a non-negligible fraction of the hash rate, so this pi is a non-negligible fraction of L times pi, so L is non-negligible, so it can be like the adversary controls the majority of computing power, but this guy still computes some noticeable fraction. We construct a POW-based broadcast protocol and I will tell you in a moment what it is. We construct a protocol for unpredictable beacon generation, and they work in time linear in L. And, well, in case the adversary controls a minority of the hash rate, we construct a protocol for identifying a group of users with honest majority.
Okay, so we'll have a protocol that creates a PKI, a public key infrastructure, such that we will know that the majority of public keys is controlled by honest users and hence we can do any MPC in this case, because then you can just use known results. Okay, so what is our main tool? Our main tool is this POW-based secure broadcast protocol and it has the following properties. Okay, so it has standard properties like validity, that every message always arrives to everybody, consistency, that everybody gets the same message, and, well, that's not standard: the last property says that the adversary can send a bounded number of messages. So what we mean by this is we assume that, well, it all happens at once, everybody is broadcasting something, and the adversary cannot send more messages than his fraction of hash rate, okay? So this is pi_A, his hash rate, and pi is the hash rate of the honest guys. Okay, so just look at how many times stronger he is than a typical honest guy and this is the number of messages that he can send. Which is anyway something that obviously he can always make, because he can always pretend he's honest and simulate these honest guys. So if you have, this is what the adversary controls, this is what the honest guys are, then, like if we start counting one, two, three and so on, this will be the number of messages that he can send. Okay, it's easy to see that if we have such a broadcast then we can have an unpredictable beacon by simply asking everybody to broadcast random nonces, right? And then hashing everything. So as I said, beacons should be just unpredictable. The adversary can influence it, in particular he can choose his randomness after he saw the randomness of these guys, but if you model this H as a random oracle then his influence is limited and in particular he cannot make it equal to a value that he has chosen, okay? So it would be like a good genesis block, for example. It suffices, of course, that at least one of those r's was chosen at random.
It's also easy to show that if we have this POW-based broadcast then we can create a PKI. So simply everybody creates in his head a public key, private key pair and broadcasts the public key, okay? Then, well, everybody will receive the same because it's a broadcast protocol, so a party can be identified by its public key. So as a result, everybody will agree on a set Y of n parties that participate in the protocol, and we will know that every honest party controls one public key and the number of parties that are controlled by the adversary, so the adversary knows the corresponding secret key, is bounded by this number, the ceiling of pi_A divided by pi, from the properties of the broadcast protocol. Okay, so this means that if you have this POW-based broadcast then we can compute any secure functionality, because we already have a PKI, and in case the number of these guys controlled by the adversary is smaller than m, where m is the number of honest parties, then we can compute any secure functionality with guaranteed output delivery. And well, if we forget about the ceiling here, so if we assume this is a natural number, then this becomes pi_A divided by pi has to be smaller than m, the number of honest parties. So if we multiply both sides by pi, we have pi_A, so this is the hash rate of the adversary, has to be smaller than m times pi, so this is the total hash rate of the honest guys. So this is exactly the assumption that the majority of computing power is honest. So this is what I was telling before, that in case we control a majority of computing power, we can compute any functionality. Okay, so basically the whole thing is like how to construct this POW-based broadcast; again it was a protocol that allows everybody to send a message, but the number of messages that are sent, that are broadcast, should correspond somehow to his computing power.
So if the adversary controls 10 times the computing power, the hash rate, of a normal guy, then he should be able to send 10 times more messages, or 10 messages simply, because we assume that everybody sends one message. Okay, so how to construct such a protocol? Unfortunately there is no time to present the protocol in detail, but let me just tell you what is the main problem. So the main problem that we had to address is that proof of work, so suppose we have a proof of work that requires some work t in terms of the calls to the hash function, and consider the following protocol for sending a message. So suppose there is a receiver here and he wants to receive a message with the proof so that he is not flooded by a large number of messages. So everybody who wants to send a message attaches the proof of work computed on this message m. So that was one of the original applications of the proof of work, to prevent spam. So the problem is that this protocol doesn't make much sense the way I wrote it, because even a sender with a very small hash rate can send a lot of messages to the receiver if he starts to work very early. He can compute the solutions very early. If the m's are not fresh, he can start computing now, in a month he will have a lot of solutions and then he can start sending. So that's not what we need, we need that these messages are fresh, and of course in a two-party case this can be done very easily: just send a random challenge r, then wait time delta, so this is the time, this unit of time that we defined earlier, and then the proof of work has to be computed on m and r, right? So this is a very simple observation and it's a simple solution in the two-party case, and it's easy to see that in this protocol the sender with hash rate t can send at most one message. The problem is how to do it in a multi-party case.
So a natural idea is to ask every player to broadcast, via insecure broadcast, some random nonces, and then to securely broadcast a message, each party would compute POW on m together with r1, r2, r3, and so on. So every party p_i would accept only if this POW is correct on everything and his nonce is in the set. So I'm receiving messages from all of you, all these r's, I'm concatenating it with my m, I'm computing the hash on it, and I'm sending it back, and each of you believes that this proof of work is fresh if his nonce is there. And then it's easy to see that it will work, but the problem is that for the broadcast it doesn't really work, because say, what if the adversary ignores r2? So if the adversary ignores the nonce coming from this guy p2, then these two will accept and this one will reject because his r2 is not there. So there is a problem because we need consistency for broadcast. So in the end our construction is not that simple, it requires several rounds, here is our solution, and there is no time to show it, I will just tell you what our methods are. So we construct a weaker primitive called ranked keys that assigns a rank to every key to describe the quality of the key from the point of view. And then we combine it with the classical Dolev-Strong authenticated broadcast protocol. And then we also take into account some annoying facts, that communication takes time, so we will take it into account, and the second thing is that the verification of puzzles takes time. So even in a very simple proof of work, the work done by the prover is much longer than the work done by the verifier, but still the verifier does some negligible work. And this means that if you need to be careful,
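As an added illustration (not code from the talk or from the paper it describes), here is a toy Python model of the freshness problem discussed in the last two paragraphs: a hashcash-style proof of work stands in for the paper's Merkle-tree POW (a simplification assumed here), the two-party fix where the receiver's fresh challenge r must be covered by the POW, and the naive multi-party variant in which a sender who leaves out r2 makes honest parties p1 and p3 accept while p2 rejects.

```python
from __future__ import annotations
import hashlib
import secrets

# Toy hashcash-style POW (an assumption; the paper uses a Merkle-tree POW with fixed time t):
# s is a valid solution if H(challenge || s) starts with two zero bytes, ~2^16 expected hash calls.
def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def pow_verify(challenge: bytes, s: int) -> bool:
    return _h(challenge + s.to_bytes(8, "big"))[:2] == b"\x00\x00"

def pow_solve(challenge: bytes) -> int:
    s = 0
    while not pow_verify(challenge, s):
        s += 1
    return s

def challenge(m: bytes, nonces: list[bytes]) -> bytes:
    # The message bound to the freshness nonces the sender claims to have used.
    return m + b"".join(nonces)

def two_party(m: bytes, precomputed: bool) -> bool:
    """Receiver picks a fresh r; the sender's POW must cover (m, r).
    precomputed=True models a sender who solved the POW on m alone, long before r existed."""
    r = secrets.token_bytes(16)
    s = pow_solve(challenge(m, [] if precomputed else [r]))
    return pow_verify(challenge(m, [r]), s)  # a stale solution fails here

def naive_multiparty(m: bytes, n: int, dropped: set[int]) -> list[bool]:
    """Each p_i insecurely broadcasts r_i; the sender solves the POW over the nonces it
    chooses to include and sends (m, used, s). p_i accepts iff the POW verifies AND its
    own r_i is among the included nonces, so leaving out one nonce splits the verdicts."""
    nonces = [secrets.token_bytes(16) for _ in range(n)]
    used = [r for i, r in enumerate(nonces) if i not in dropped]
    s = pow_solve(challenge(m, used))
    return [pow_verify(challenge(m, used), s) and nonces[i] in used for i in range(n)]

if __name__ == "__main__":
    print("two-party, fresh r:", two_party(b"m", False))                  # True
    print("two-party, stale solution:", two_party(b"m", True))           # False
    print("naive broadcast, r2 dropped:", naive_multiparty(b"m", 3, {1}))  # [True, False, True]
```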