 Hey, hello, so I know this is John Paul, we like it, and I'm cool, okay, so let me unpack the title, so Instantaneous Decentralized Poker, so Decentralized Poker should be taking community, reactive, secure, multi-party computation and we also want the inputs now to be comprised of both data and money and we want fairness with more transparency So, more on that soon, Instantaneous should be taking to me that we want an initial phase of the protocol where the parties that submit a security deposit, and this phase can be slow submit a security deposit to a cryptocurrency and after that the parties can communicate only among themselves without any interaction with the cryptocurrency and and the political keys of the protocol will hold before parties are honest they can continue to communicate only among themselves, if some parties are dishonest or heavy, then you need to go to the cryptocurrency network to enforce the rules, but that's what we mean by Instantaneous Okay, so about the reasons between reactive and non-reactive secure multi-party computation, so non-reactive multi-party computation also called secure function evaluation is a one-shot computation, and reactive secure multi-party computation proceeds in rounds where in each round parties receive intermediate private outputs, so the classical example for this is Poker So this example at the end of round one so Alice will receive a private card Queen of Spades, end of round two, both receive card Ace of Diamonds, let's say round four, all the parties receive some card Queen of Clubs, so this is a classical example of reactive multi-party computation and we also want computation with money, so the difference between money and data, so let's say Alice has some secret and she sent a secret to Bob, so both Alice and Bob has the secret now If Alice has coins, then she sends the coins to Bob, then Bob has the coins, and Alice doesn't have the coins anymore So this is the difference when parties communicate over the internet, so we are implementing these coins using a cryptocurrency like Bitcoin so actually, parties only send data over the internet, they don't actually send coins but so Alice will send a signed transaction that is put into a global ledger and it is consensus on the global ledger it becomes irreversible in Bitcoin with proof of work and this is a way to transfer coins over the internet, in Bitcoin for example so we have a formal model for secure computation with coins and we do simulation proofs in this model there are also other pedagogical works with similar models, we use paid-in functionalities Can you try to pronounce that F-squared? Sorry, she's kidding me This is a true question F-functionality is standard functionality without form, the F-style is functionality with form What is the square? The square is supposed to be 4,000 F-claim difference, so we see how it will be instead of this square just like black space Okay, so let me give the template for secure function evaluation nothing reactive yet first secure function evaluation so the way that you do it, you run the secure computation among these n-parties and instead of directly delivering the output so the secure computation will not deliver the output, it will create a simple chain of output so any subset of the shares don't repeat anything about the output all the shares together will combine and deliver the output so you give each party one share and the hash commitments to all the other shares and now if we have a good way to submit security deposits to a cryptocurrency that they take into account these hash commitments and do some fair exchange such that if a party is dishonest they may even lose their security deposit then we will get secure fair computation with penalties so this slide basically tells the entire story of this project so if you'd like to take a nap, don't do it now okay, so this will show how to do secure function evaluation that is instantaneous you can do it many many times without interaction with the blockchain okay, so where this what we call a stakeholder contract in the beginning there are n-parties that are going to submit a secure deposit of Q times n-1 coins each Q should be regarded as the compensation amount that the honest part is going to get if it didn't learn the output and be regarded as upper bound on the value of the output okay, so after all of them submit the coins into the contract and they register their public key identically in the contract now they can start to run off-chain secure function evaluation that they deliver those kind of additive secret shares and the hash commitments to these secret shares when those outputs are delivered then they are going to exchange signature on this table the table has all the hash commitments and the index of the target execution so let the execution 1, 2, 3, 4 went okay they exchange the commitment and then they reveal the share and everybody was happy execution number i equal 5 they exchange all of these signed signature on this table and then they started to reveal the commitment but let's say one party was malicious and didn't reveal so in the logic of this contract let's say that party number 1 revealed his share but other parties did not so he has the ability to do an accusation to say I reveal my share so I have a signature from all the other parties on this table i equal 5 and I have my free image, my share that I'm also revealing so now there is a waiting period after I do the accusation and if all the other parties don't want to lose money then they will need to reveal their share, their free image with the signature to the signed table to the contract and then the output becomes known because all the parties are going to reveal the share and if some of the parties don't want to reveal the share they want to let out the output and not reveal the share they are going to lose the security deposit so let's say that one party is malicious and everybody else is honest so let's say the last one is malicious so after the waiting period we give you a coin compensation to each of the honest parties so this is the guarantee that we wanted so this is optimal everything here is optimal everything is constant mind and the security deposit is the minimum that you can hope for so this is basically how it goes the important thing to say about it is that this is a public blockchain so if I'm trying to do an accusation let's say that I'm dishonest I'm doing an accusation against another party who is honest then he will have enough time to react and he will reveal what he should reveal and he will not lose money so because the blockchain is public if the waiting period parameter is long enough then everything here will be secure and the other thing to say about this is that this was too near enough but basically this tells the story of how to get this kind of instantaneous off-chain computation okay okay so this was done using a stateful contract meaning that you do this accusation then you move into this waiting period stage and then you will either go back or you go into this claim stage in the end where you need to give all the compensations and for example we have an implementation of this in Ethereum which is using this kind of stateful contract that is a question whether you can do the same thing in Bitcoin and actually the answer is kind of yes for this specific contract so if you have Bitcoin plus Covenant plus relative log time that you can do pretty much the same thing Bitcoin currently has the relative log time but it doesn't have the Covenant yet it's implemented but they're not used yet so Covenant means that so vanilla Bitcoin is let's say Alice has some coins so Alice is the identity that controls the coins so if she is signing with her secret key she can spend the coins to whatever and with Covenant it says that there is also restriction on where Alice can send the coins to so this is planned on the roadmap of Bitcoin where this is also and it will not give you secure function evaluation I will talk about it soon okay so the stateful model is basically the way that it works the money in the contract can be spent according to what is defined by the current state so there are rules predefined rules about how the money can be spent according to what is written in the current state and there are also rules about how you can change the current state so this is a more powerful model and it's not surprising let me show you the next slide this is a more powerful model and take some completely unrelated example from people 2014 about stateful encryption against the algorithm substitution attack so if you have a stateful encryption instead of a stateless encryption you can achieve more so this is not surprising in general by the way the stateless version stateless model has advantages it is more efficient and actually the Ethereum guys are talking about some stateless version of the transaction for better scalability not so clear cut so this is a clean example that we have about what you can do in the stateful model that cannot really do in the stateless model so this is a lottery so there is a tournament bracket and each two players play and the winner will go to the next round so if it is the stateful model you can put in the state here to continue to the next round this is a very efficient protocol if you try to do it in the stateless model and cannot ride after this competition with the winner and you just need some way to decide the winner I will not be able to convince you in a couple of minutes but basically you get some exponential blow up when you try to do it in the stateless model in the stateless model linear it is very very efficient so we have paper about this it is called a zero protocol let lottery be for you ok so now let's go to the reactive part or the poker part ok so in general in the classical setting the question of whether secure function evaluation and multiple computation are equivalent or not so basically if you have secure function evaluation and you ask if it is feasible to implement from this secure multi-party computation so basically the way that you would do it you want to implement the multi-party computation so you use the secure function evaluation for the round and in the end of the round you secret share the state in the end of the round and then you continue to the next round and if you have an honest majority then the majority can always reconstruct the state and continue so if you have honest majority it works if you don't have honest majority then even secure function evaluation is not secure it's not fair there is actually separation result this is the best of both worlds paper that says that for some parameters so best of both worlds means that if there is honest majority then you get fairness but you always get privacy even if there is no honest majority this is difficult to achieve but there is separation result about what you can achieve with for some parameters you can achieve secure function evaluation but not secure multi-party computation anyway all of this is irrelevant for us because what we really want is to play poker and we want to do it with a dishonest majority even if one party is honest and everybody else is dishonest then you cannot damage the honest party so the privacy is always maintained of the parties and we have guaranteed output delivery at the end of each round so after each round of the computation ends all the parties are guaranteed to get out of the round and the last bullet point that is highlighted says that even this is not enough what we really want is to force the parties to play the next round because the example here is some card Queen of Spades and maybe she doesn't like the card so we shouldn't allow Alice just to abort now after the round we must force Alice to continue to play or otherwise pay melody this is what we want in a we call it a drop out tolerant secure multi-party computation with penalties okay so in earlier work we we had a very complex to force parties to play in the stateless model in the Bitcoin model with a CISO construction that is quadratic round on the cryptocurrency on the blockchain we shouldn't really look at this slide so in the stateful model which is what we do in the DC project it becomes much easier but still not as good as the version before for the secure fashion so the distinction is that for the reactive computation you really need to put logic of the functionality that you are computing into the contract into the on-chain contract that is being verified by all the nodes in the cryptocurrency network because in the previous version just after so each next iteration execution of secure fashion evaluation it's like it's always the same just signed agreement that some data that the parties agreed to sign was really signed here you cannot do it because Alice and Bob are playing poker and they need to decide now is one of them aborted or not maybe one is accusing the other is accusing the first one and you really need to put the logic of the poker game on the blockchain to decide who is right and who is wrong otherwise it will not work become convinced actually so I put in the last bullet an interesting open question for reactive functionality whether you can make the on-chain complexity of it depend only on the security parameter like we can for the secure fashion evaluation it must depend on the complexity of the functionality itself so this is an interesting open question okay so this is basically what is true about how to implement reactive functionalities with energy with money transfers so now I'm going to talk about the problem with the practical deployment of this so the first two problems are not so bad so the first one is the actual mental poker protocol what is the time complexity of the initial shuffle so you put some screenshot there from the best paper that does it with nine players or playing poker seen under like eleven seconds and fifteen seconds so question whether this is good enough user experience maybe this can be optimized so if not this is not a big deal the other one is about the on-chain complexity like if you need to execute the poker logic on the blockchain you need to pay high fees so this is also not a big deal there is already support for this meeting of course for the modular exponentiation which is what we need for the poker logic but the third point is a big deal like it's basically a deal breaker so unless anybody has a guess I'm going to say why the entire scene breaks apart and we cannot really implement mental poker or we can but not really so what the people who actually play poker online really want is that if some player goes then the other players can continue to play the game and this unfortunately there is no contradiction here so let me try to say it quickly so let's say Alice, Bob and Carol start to play poker you give a private card to Alice a private card to Bob and then Carol abort so this is the good case here we are happy because we can now reshuffle the card using the secret but not using the private card of Alice and Bob historically it's not easy but it can be done but let's now talk about the other case Alice, Bob and Carol start to play poker game give a private card to Alice a private card to Bob a private card to Carol and now Carol abort so the only thing that you can do is basically reshuffle the card with Alice and Bob by putting the card back into the deck of cards and reshuffling everything together you cannot leave the card out because if you leave the card out and you reshuffle only using Alice and Bob so Alice and Bob is totally controlled and they can just deal all the cards to themselves and they will know what is the missing card of Carol so this will violate the knowledge so we cannot really reshuffle the card if a player abort this is a big deal for people who implement this in practice for the pure crypto version of poker so an alternative design is using a trusted hardware to implement poker and this will solve all the problems of the previous slide so the shuffle becomes very fast mid-second all the logic doesn't need to be on the blockchain you can move all the all the logic into secure enclave and just on the blockchain you just need to get to verify signatures for this magical trusted party of the trusted hardware and the third point which is the most important is that this party has all the secrets and if one party abort then this magical trusted party can continue to deal cards and continue the game with the other parties so this version has advantages so actually so we teamed up with some of the guys who are implementing poker on Ethereum and what we agree to do with them is to implement both the pure crypto version and the trusted hardware version and we will see what people would like to play more so probably not the pure so for the pure crypto version what it would mean that if let's say one party abort what we can enforce that this party who abort it is going to compensate the other parties so they will get extra money but it's not the nicest kind of user experience like what I said before people who play right now on centralized poker websites they really want to continue the game this is like the fun of the experience so this we cannot really achieve with the pure crypto version unfortunately so we will implement both versions the project is Andrew and Fanny is also good with the trusted hardware so this will be a good use case for smart contracts that is a general question like in the last couple of years what are the killer applications for smart contracts so poker is one of them which we will have other good examples so we are going to work with these guys and they will implement these poker solutions okay, good so they will have like a call sometimes soon so if you want you can invest in that okay, thank you three questions can you tell me which one of the convenient protocol are you using in your work because you are this looks like you need to use active pure convenient protocol yes, it should be active which protocol are you using divided by 2014 2014 this is about twice more efficient so this is a shuffling protocol but it's a young growth it is already pretty good but the one by we so I put it so I already have it so it's the fastest protocol one more question so in one part they are both in the pure crypto version is it possible that they could switch to some default strategy so it continues to play but like the aborted player plays sometimes for you know nonsense so what I said before that what you can achieve and there are actually academic books about re-shuffling the card but they always say we will take the card of the party that aborted put it back in the deck and then shuffle it so this is not exactly the same as the real protocol because this was a bad card supposed to stay on the table you are not supposed to be back into the day so this you can if this was your question you can re-shuffle by putting the card back into the deck did you mean something else? no I meant it would still kind of have like an algorithm to execute like the player would like continue playing that it won't be or shuffle they will still have the card but it will have some kind of default strategy default strategy okay so this is kind of the same as the so what we okay it's an interesting idea but so what what we do in this the way that we do it is we just penalize the player it's kind of the incentives of what you are saying are a little weird because there are also all these the poker balls that might be better than humans so we actually maybe rewarding the player who have them maliciously so he might win the game so I mean what kind of simulation how good is he going to play that depends but then you said one problem is that people are unhappy if someone they want to continue playing right when someone supports them in this case they can but yeah but they want to play with humans well it's the sunrise how do you tell if it's a human or not yeah like I said there's something a little weird about the incentives there because it might be rewarding malicious play so this is game with money right so this is a voting party actually you might win money from the honest parties if everybody knows that that is the way that it works they might not like your suggestion okay so maybe you can continue your play so thank you Adon that's been an awesome session thank you