Okay, so I'm going to be talking about B2, the long name project for which we don't yet have an acronym or colonic name, so read it for yourself, feel free to suggest any cool names, otherwise I'll just start. So I'll go over like I think... I'll go over probably the whole thing, even though a lot of people have heard it already, for the new people.

Basically what is the motivation behind the project? The motivation is that the blockchains that are based on a reusable resource such as proof-of-stake or proof-of-space, they are less secure than the ones that are based on proof-of-work. We know this because this has been discussed a lot in the community. There are some known attacks, for example long-range attacks, stake-bleeding attacks, they have been studied a lot in the proof-of-stake setting and basically what we found when we were doing the analysis of the pi-curring consensus protocol is that actually like you can find like some very similar type of attack on proof-of-stake, maybe sometime to a necessary degree, maybe not, but basically that's the motivation behind the project.

Okay, so just to give an illustration I'm going to explain what a long-range attack is on the proof-of-stake system. So in proof-of-stake basically the stakeholders are the validators, they are the ones who validate the block. So basically a block is valid as long as let's say for example there's like some threshold of signatures on each block. Also what's going to happen usually in a system is that the set of validators is going to change. So for example here we start with like the green validators who have validated like this block and then you know they want to move to other business and we change validators and we end up with the pink validators here. That's like proof-of-stake.
Now the problem with proof-of-stake is that what could happen is that basically like these validators, the green, who are not part of the system anymore, let's say like you know they don't, because they are not part of the system anymore they don't have any incentive anymore, maybe they have cashed out their coins, maybe they don't care, and like an adversary would basically be able to bribe them to sell their old keys at no cost because these keys, they are not worth anything in the current file. So that's problematic because in the proof-of-stake setting if you have the keys you can rewrite the entire history at no cost and in no time. It's not like proof-of-work, so that would be a very very unfortunate situation because then the adversary can create a chain that is at least as long as or longer than the current chain, maybe the adversary will you know simulate some like change of validators, basically it can do anything in terms of protocol, and then what happens is that the people who have been offline for a long time, they wake up out of the blue, they see two chains, they both seem perfectly valid, no way to tell which one is the correct one. And basically as you can see the only difference between these two chains is the set of validators, right, because the adversary has no way of having the pink keys, so here we will have some orange keys, that's the only difference. Alice doesn't know which ones are legitimate, even if she knew that the green ones were legitimate here, like at some point she cannot make the difference between valid and not valid.
Okay, there's also another attack that's called the stake-bleeding attack, and again we have something similar in the proof-of-stake setting, and the idea behind the attack, the intuition, it's like the adversary can do a private chain, so a chain that's mined on its own, and because in proof-of-stake like new coins are minted every block, basically it means that once the adversary does a parallel chain it can get all the coins to itself, so then it's going to inflate its stake in a you know not proportional manner, and basically the adversary could use that to also build up a really no chain. Here's the reference for interest, this is...

Okay, so basically the main approach to solving the issue with proof-of-stake is checkpointing, so there are a lot of different papers which are based on different assumptions, different models, and the one that we are focusing on, which actually you are also a co-author is, and Marco as well, is this one called BMS, which basically consists in using a proof-of-work chain, in this case Ethereum, in order to do the checkpointing.
Okay, so let me like outline the solution. So we rely on a blockchain based on the non-reusable resource, so proof-of-work, in order to secure the proof-of-stake chain. So what's going to happen is that we are going to anchor the proof-of-stake membership and the proof-of-stake states, which are linked, into the blockchain, and in this case we're going to use the Bitcoin blockchain. So basically this is roughly how this is going to look: from time to time we're going to anchor like the state of the blue chain, which is the proof-of-stake slash proof-of-space, into the Bitcoin chain, which is the orange, and the idea is like the Bitcoin chain, it does not suffer from this type of attack because it's proof-of-work, it takes time to create blocks, so then like this is kind of like we're using kind of like the security of the current secure our chain. So again just to emphasize, but surely you know this, like the main difference between this approach and the BMS approach is that we are not relying on Ethereum, because Ethereum is moving to proof-of-stake, in which case like there is no point doing this because proof-of-stake is vulnerable to the same type of attack. Yeah, yeah, yeah, I should be actually quite sure so maybe I won't spend too much time on this, on this, um, and yeah.

And then in this case the difficulty is that in Bitcoin you don't have the same expressivity of Ethereum, so we can't really do like the approach that we did with that, a smart contract where you just like send your vote, because Bitcoin doesn't really, is not stable, like you don't have... Okay, so I think like basically the main question that we're going to have is that we need to have these checkpoints that are pushed to the Bitcoin blockchain, like who is doing this, this transaction, and in our case like we want that the current validators of the proof-of-stake do this, and obviously we want to account for some adversaries, so that's why we use threshold signature, because something you know is like in Bitcoin we also have
like noticing which actually scales really well, but in our, in our case that wouldn't really work well because, because then an adversary could just like abort the whole thing by just like not contributing to have everyone, so that, that's one. So like basically you know you can't really do k out of n, and actually like the problem of doing this k out of n is the, like, is like you would like, how to say, the key generation, basically that would be the problem: you cannot have like one address that could be signed by any k out of n, uh, subset, so you would need to do like one different address for every different k out of n subset, which actually like either you could do it, but then imagine if you have a lot of miners that would be like super inefficient, and otherwise you can, you can have like one, one address for a character then that's okay.

So our kind of decision, so basically what we will have is that, um, we will have, so at, um, you know, step i of the protocol, an aggregate key, so that's the key that corresponds to the, uh, threshold signature, so basically pk_i will, um, be the aggregated public key of all the validators in configuration i, and then, um, what they are gonna do is like these validators, they are the ones who are gonna push the checkpoint to decide but right, but what we want also is that we want to account for changing validators, right, so, um, basically what these, uh, validators associated with pk_i are going to do is that when they're going to put, uh, push the checkpoint to Bitcoin, also they're going to transfer whatever amounts they have in their case to pk_{i+1}, which will be the aggregated public key of the next set of validators, so you're kind of like transferring ownership of the checkpointing mechanism to the new set of validators. Um, okay, so we need the transaction to be signed by access f plus one of the proof-of-stake miners, that makes sense, um, here again, so yeah, so basically here you can see like the, the kind of like rolling state, so you have configuration i minus one, so here
you have the kind of that transfer for pk_{i-1} to pk_i, uh, then you know here we have configuration hi i they did i think, and then when you have a new set of validators like the previous one will again transfer to the next, um, value, um, and then the idea is that if we have Alice, uh, if we have like, um, a long-range attack again as I explained in the beginning, two chains, they look the same, then Alice, you can look at, uh, the Bitcoin blockchain, we assume that she knows pk_0, and then basically from Bitcoin you can just like, uh, follow the chain of like transactions and basically she will be able to find the last like UTXO, which will give her like pk_i, the aggregated public key of the current validators, and the checkpoint, and basically using this information she can verify which chain is the correct chain. That's, that's the high level right there.

Um, yes, also, so, um, so something else is that basically if we want, as we said, like on the Bitcoin blockchain we don't want to have too much data, we're going to have only a hash because it's too expensive and not efficient to have a lot of data, so what we want to do is basically include in the checkpoint that we push onto Bitcoin also a CID that any user would be able to use, um, in order to retrieve the actual identities of the configuration, basically, so she can actually find who are the miners and not just like validate that they are the miners, in case you know she cannot turn that down.

And you could also attach a method that you do not have to verify on pk_0 somehow, for example attack always pk_0 and everybody would just say that, but then how would you find... Okay, so basically what she says is that she wants to put pk_0 also in the checkpoint. Yeah, okay, uh, okay, just so you don't have to follow the, the translation, but then how would you verify, how long do you know what you're trying to do, how do you know what you're trying to do, what kind of focus is that for any of the people and each one has a
different behavior but I quite you know like the algorithm it's something you know before it's like the genesis that's what I mean what about attaching it to the last two days but the things like that anyone can attach it anyone who knows pki zero can attach it to their transaction right so you would need to exactly you would need so you would need to find 45 no I know I just thought maybe you can how to take that that makes sense now yeah so yeah so I was saying initially we're saying oh we can use ipfs uh actually like maybe what we're going to do is like use the kbs that our control is implementing on musical so actually you can just like retrieve the data from the musical chain itself using this idea so that's another approach we yeah so this um yeah maybe we'll do that so hopefully we can retrieve all the data okay so now a high level protocol so basically the protocol will be triggered periodically what we are envisioning at the moment is like let's say that you know we are in a configuration configuration I and then we're going to trigger the protocol after like some threshold of change has happened in the configurator so they say we have you know like 20 new miners that I've turned or left and we're like okay nice thank you that's how we do it so first the first thing that we need to do is compute the aggregated property of the new configuration right ptr plus one because only once we have this then we can compute the transaction that's gonna you know transfer the ownership of the checkpointing from pti to pti plus one and basically I think that this step is kind of like the reason why you cannot sorry because we have new participants now so it's not you're doing better yeah yeah um like if we could I would I would love it but I think it's not possible with okay because I last time I discussed it with Rosario okay okay so then yeah like honestly if we had a way of just updating it that that would like change our like our life a lot because this is like the 
most annoying annoying part of the protocol so yeah if we could have a way to just like remove the participant that have left and then just like give a share to the new participant that would be great but yeah basically yeah so you would kind of like cheap or maybe a bit of that your chair okay okay and then okay well if we can do it I would be super happy so that let's put it like their share would not work I guess anymore yeah so their share we're not yeah that's what we do yeah the trick is that you need to you need to be sure that your chair for two weeks is or you need to somehow record the transition because otherwise any majority of all chairs they'll be able to sign yeah so basically yeah they know that they may know but even here if you don't delete the Rosario yeah but the thing is like if you do that then the transaction it has to the transaction has been spent on bitcoin yeah because basically that's the thing like indeed like we could if someone was doing was doing the long-range attack you know on this key then it doesn't matter because on the bitcoin option once they have spent you cannot spend anything more right so that's that's the idea but yeah to come back to this day that this is indeed like the biggest the biggest part and biggest problem that we have and also yeah that's why you see that you can we cannot you know do no t-sig or or sing that because basically this like tki plus one it needs to be known in some of the fact well in advance of the same because the like passing happens now so basically at the time where the previous configuration like you know gives the key to the to the new threshold like we don't know yet who's going to be honest who's going to be online who's going to be signing so basically we need to commit to the whole set and then maybe that's only a fraction of this rule will participate but we don't know okay so then okay a special timing we send the transaction to the bitcoin so basically that's kind of like the highest 
nothing nothing too complex but okay that's kind of like one slide simmering right no for the for the for the it's kind of like everyone is a dealer for their own secrets and actually initially the sign like the first protocol actually you need a dealer but but you can remove this so we have so everyone can shoot their own shares send it and everyone can return to the transaction using the share but the signing on the other hand and that's kind of like a problem it's like it's not like for us to pager so basically if someone does not send their share we need to have a timeout remove them from from the protocol they're assigned their managers or something and redo the protocol without them and because we have sign we can redo the protocol without them so the way first work actually is that everyone at the at the beginning everyone generate their own kind of like content and commit to them and then you would take this basically and depending on this and then depending on the set of sign year you will take their yeah well yeah why why yeah okay so that's that's why I guess because and I guess that's why more efficient than others because you have this kind of like pre-processing where everyone creates the randomness and postage and then you use it for your like thing yeah yeah so I think otherwise like the other alternatives you bought this kind of like robustness that you need to have like there was another protocol that was robust but then let's efficient so we decided to go with frost this is less robust but more efficient okay so now about the internalization so basically we had this thing so that's what was working on this and what they did is like they basically implemented the DKG and the second thing is a library but the problem is like what they have done so far is like not robust to failure so they haven't done the case where as I just say like if someone doesn't participate we just need to redo the sign and without them and also even the DKG they haven't 
implemented the one that we wanted that is robust um also they only had the assumption as you know for participants if not remove them and other than this uh the take so the take on for a creative and push to the different web tests you can tackle the process well we have a equivalent of 20 nodes but I wanted to show you that as you know sometimes it was not working so well so you can stop it maybe I will you um and basically since they have left me with this I have kind of like started implementing like minor improvements on the code um especially one of the issues that I had with shared codes is that the DKG chip coding is like kind of like don't separate it from musical so I started kind of like implementing like merging the two more like adding some space really into the sequencing in some of the digital actors um if you just also help I've also and basically like doing this helped me with um the functionality of removing a minor so because as I was doing uh you know what I said roughly after uh basically so my next step for now uh mostly I'm going to focus on the implementation and on uh seeing the code because you want us to be seeing and basically uh improving this uh what we want to have also for the next demo which is marked is uh used different test sets instead of this one rest set um you should be a disciplinizer but then basically because like different test sets associated with that kind of test set code it's going to be a bit tricky to especially to um make like the initial spending transaction um maybe we'll need to like maintain space like of course but it's going to be a bit more tricky but we are hoping to have this soon before now also as I said at the moment we are pushing the transaction to like to functionalize like in your starter we want to not do this in uh uh and then I think like the next steps which are not my main focus but uh we want to do and we have started thinking about is this problem of uh state so Marco this morning he started 
mentioning this problem that um when you know when you do this protocol we need to take into account weights right and by weight I mean in proof of stake it will be the number of coins and in proof of space it will be like the amount of storage and basically like at the moment we don't have a way as we were asking we don't have a way to do this special so the only way to do this is like to have one cheaper mistake and then we end up with like a lot of this already we don't have a decision algorithm and we now we need to make it into account this it's very easy um and so basically the problem of that is that it's that it's possible this coin that's an open problem like I said like we have DNS stuff like this that are like much more efficient but uh but which one doesn't allow us so we have no yeah but that no that's the thing that you can oh yeah that yeah you cannot do this like yeah what I mean is that uh by a sequence that you need to have some interaction between the the miners you cannot just like do your part and put it on the Eudico um like you know just compute your own share and put it on the on the Eudico like blockchain what what what you were asking yeah but but then still like you have like uh you need like you have n square mentioned because you need to have like a message for every part of the day so so so yeah I mean no I like yeah I still we don't know how to do yeah I think yeah definitely like I mean well yeah uh I thought today like a like long-term problem well I I can just say could be like a number of ideas that we have thought about but that um yeah either require no thermostat or that didn't work we thought about doing something like hierarchical signing so think about what we are doing with the consensus but do the same like with signing like have just like subnets that do the signing and then kind of like combine all of the signing together but again because of the interactions that are necessary for the DKG that's actually like really 
painful to do this because then you need to have kind of like subnets interacting with subnets which then becomes like the um complex um also like like we have some kind of like small improvements that we actually for the new implement so first we can use like this very kind of like native noticing um functionality so it's just like you know let's say it doesn't like let's say you have like five keys and you just require like three out of this like five keys to sign then you know we could use that and just like subdivide the the whole committee into five different groups and you know just like parallelize this but like each group you have to know but I think I already know sorry okay so why is it that's one of you so each group would have to have another majority yes oh yes basically the problem I think when they do it doesn't work out no the thing is like basically I think you can work out what like I did it because I don't remember this the number like if you do some kind of like um you need to just work out like the threshold that you need to have maybe it's gonna be more than two thirds but yeah you need to have like a threshold for each group definitely uh you you need to find out like how much the adversary can have in one group and then to have that plus one in each group and having having meant it is degraded exponentially the problem that we cannot like with this solution we cannot have more than five groups because anyway like in bitcoin like then if you want to have that more signature it's gonna be so so it doesn't fail very well I honestly thought we were going to yeah uh so the things I think you could use something and hopefully not never do the big bad but something possibly is that you know if I for the minor I get one percent and then if I get one percent of the share they go off of share then it's gonna be something for me I'll never use the sign I don't know how it's you prepare not to be confused that is the thing like we see you like yeah 
should be one share of that I I'm just going to open it and see if we can do that. But there's a lot to be deal with. There's not a lot to be lined up with. And if you do that, then it's probably... I don't know what part of this is. So I'm going to start with you. Yeah, it's a lot to be lined up with. If you kind of define the problem... Yeah, that's a good one. If you like to line up with thousands, it's better to do different stuff. It's like a forum or whatever at the moment. And it's greater than that. If you like to work in the team, that's probably really great for this. I can work out what can be done. From feedback in the team. And that's the OVFT for us. For... I guess the thing is that a lot of people do it maybe... Yeah, yeah. If you think they're doing this for subnets or if they're... I don't know the number of them. They have the subnets. Yeah. That's my point. They're using the other two. And they don't have that many notes. They don't have that many notes. You're not going to have to grow. If you have thousands, you're looking to have even more. Yeah, yeah. Ideally, in the numbers we want, the big number. You're not kind of... Okay, that's the problem. We're seeing this as you're doing it. On another side, here. We talk from there. Like, right now, you're using the other two. In this case, what do you do? I think I'm using my effect. So, I think what they do is different than... So, what they do, they... Yeah. So, okay. First, what I want to say is that there's also this paper mystery that does exactly what... kind of, like, in their own framework. So, not... According to... According to them, it's self-proclaimed. That's why we do the kind of, like, same thing. So, basically, even if you have, like, a lot of minors, like, anyway, you're going to sample the same... So, for us, we complain about something, because if we wanted to kind of, like, adapt it in our way, we would have the issue where the sample is expected to do the... 
science is known in that sense, because we need to know that. So, for dynamic effort, then it's problematic because if the adversary can kind of act hard or bribe them, then, because it's simple, like, they're... Do you mind if I get to tell the one who promotes the sample? No, the mystery is the one from Aguilo's sample. Aguilo's sample? So, yeah. So, something... So, yeah. I had in mind... Yeah, so, something... Like, what we could have, like, maybe that would be, like, an overkill for not that great. Like, have something, not that private, something where you know for yourself if you are elected, but someone external does not know. But then, like, you could still argue that you could have some type of a rivalry attack. I don't understand that part. So... So, that's the... There was some idea about using a ring signature to do this, which was a big sort of thing. Like, maybe we don't know if it was an idea by Nicolas. We don't know if it's going to work or not, but the idea was to send up a Q ring signature such that we didn't know which participant was elected, only they knew from Delta and you would use the ring signature to see the final winner comes from the legitimate part. And then the advantage is that even though, like, the symbol is determined in advance, at least it's not perfect. So, yeah. That's... There was a lot of ideas, I guess. None of them were, like, great, but... But, yeah. Yeah. No, that's... So, do you want me to go now? So, yeah, that one for Babylon. So, yeah, very recent paper by the Stanford group. So, basically, what they have is, like, also they use proof of work in order to secure proof of stake, but they don't use the Bitcoin chain. What they do is, like, they use, like, their own proof of work chain, but that is, like, merge-mined with Bitcoin. So, the idea is, like, you don't need to, like... You can reuse some of that power. So, reuse some of that security. 
And then, what they have is, like, actually they use the proof of work chain as kind of, like, a time-stamping, like, service. So, what it means is that, like, let's say, like, there's one perfect block that is mine, then any miner can just, like, sense the checkpoints because I do not change. And then it will be added. So, you don't need to have, like, a majority of what you want to say. Only, like, one miner can do it. So, if you want more, then you could have, like, two legitimate blocks, two blocks that are checkpoints on the Babylon chain, even though they are conflicting. And what they say is, like, in the state, Babylon is, like, a time-stamping. So, basically, the first one that was included in Babylon is the correct one. So, you would use this as kind of, as a way to differentiate between these two. So, that happens. And also, they use it for, like, slashing against, like, easy hiding. They also use it as some sort of storing attack. So, they also use it as kind of, like, a fail-shake mechanism in the sense that if you don't have any some sort of storing attack, then you don't need Babylon for this. But then, if there is, like, some sort of storing attack, then you can use Babylon in order to slash the miners for this. So, it's, um, the difference comes from using, like, merge mining. So, that's the thing. Because also, like, for this, like, it's not really clear who will use that merge mining because it's really destroying miners like they are. You know. What do you think? What do you think? Okay, but the thing is, like, they have, no, yeah, they have work to do on top, like, they have, like, to be thrown in front of them. So, maybe some of the tools are taken here. Yeah, and then they don't have any issues with the elevators because, as I said, they won't need one report to be sure of how that can be to do that. So, that's another interesting thing. So, maybe we'll do the three things. And then bringing out to them, or? 
No, because, actually, I was thinking we're doing the same thing. Yeah, exactly. But now that I've done it, I, you know, yeah, yeah, because also, yeah, we want to clarify about that. So, I'll email them this and that. Yeah, but there's just a new new one. So, maybe see that. I don't know. Okay. Yeah, so I know if anyone, so I'll get some people at sea, maybe I can see if I can make it work sometimes during the week, and I can show you, but anyway, we'll do some maybe hacking, even maybe so I can show you the latest deal. I'll have, if I can connect to the internet, like, maybe I can make it work, but otherwise. Oh, yeah, actually, you have to because we're doing it to make it work. Yeah. Yeah. Yes. I don't know about you, but maybe it's very specific. What? What? Yeah, but they're wrong without it for 24 hours after you activate them, so. Ah, a window for a shield? No. Yeah, they sweep it inside your passport except for the two of you with me. Oh my God, I feel so rejected. You also did not get one? Actually, the old one, there are like 10 weeks, so maybe you can do that for it. Actually, it's medium. No, we just... I need to first, yeah. Oh, no, she's having internet. No, because just my internet was not connected. You can Google that for me. Today, I'm not actually saying that. I mean, I'm going to restart my machine, but it takes a few minutes to start anyway and then I can... Oh, you are a virtual machine. Oh, yes, sorry. No, that would be a problem. Yeah. Yes. Yeah. You're kidding me. Yeah, I'm just kidding. Okay, well, otherwise... For now, I think it's fine now. You should use my internet because then you can expect... Yeah, no, you can expect it anyway, that's fine. Yeah. I wonder why don't you take that one with you? Are you going to spend more than 10 gigabytes in a week? No, it's not important. Yeah, it's like... It's not important.