Hi, everybody. I'm Charles Hoskinson, CEO of IOHK, and I came up really briefly to introduce some amazing speakers and amazing minds. Professor Roman Oliynykov and his team, they took a look at the RSCoin white paper about a month or so ago, and we said, hey, this looks really interesting. Why don't you read it and do something with it? And they said, okay. And they ended up actually not only reading it, but they analyzed the protocol very deeply and have some suggested improvements. And it's just really been amazing to see what they've been able to accomplish. The other one is Arseniy Seroka and his team at Serokell. They actually built a full Haskell implementation of RSCoin with a GUI, and we'll be showing that today in the presentation. So without further ado, Roman, could you come on up? All right. There you go.

Thank you, guys. Okay. Thanks for coming. I'm very glad to see you. Thank you for visiting this presentation. The topic is extremely interesting for us, and we hope that it will also be of great interest for you. We are speaking about the next generation of cryptocurrencies. These cryptocurrencies are intended to be deployed in a central bank, and it's possible that such a variant will be implemented in future and we'll all use such techniques. So the presentation will be divided into several parts. The first part is the academic view on RSCoin, its properties. The second part is a cool presentation by guys who know what category theory is. They are not afraid of algebra and they work with Haskell. They know that it's cool, and they share their own experience with you. They share how they implemented RSCoin in Haskell. And after that, there will be some discussion of RSCoin, of its properties, and of what potentially can be done even better with RSCoin from our point of view. So this is our agenda. So a few words about myself.
I'm a professor from Ukraine, and several months ago I joined the IOHK team, and I found that the cryptocurrency field is very, very interesting. So I have almost 20 years of experience in security, in symmetric cryptography, in network security, in software security, and I began to work with security questions when I was a student. We had limited internet access. It was very unfair. And to improve the situation, I created special software which helped good guys to get their internet access at the local university in Ukraine. Then I got my PhD degree in symmetric cryptography in Ukraine. I give courses in security, in different fields of security. And after the PhD, I also went to industry and we created different information security systems for commercial banks, for the National Bank of Ukraine, for the Administration of the President of Ukraine, for other big companies. And it was very interesting and very, very useful. Besides that, I gave lectures outside Ukraine, in South Korea and in Norway. And together with it, I continued my scientific research. When I got to my habilitation dissertation in Ukraine, we have two levels of dissertation. It is such a system as implemented in Ukraine, in Russia, in France, in some other countries. When I got to my next level dissertation, I was lucky. Because when I had almost finished my dissertation, Ukraine decided to change its block cipher. Ukraine used the old Soviet block cipher. And I worked on ideas for the new block cipher. We have a very strong team in Ukraine, in that company. And that team worked on a new block cipher very, very actively. We implemented, in my opinion, a very good solution for it. We published in English in the previous year and we got a lot of positive feedback on it. This block cipher is adopted as a new national standard of Ukraine. It's the block cipher Kalyna. And besides that, we implemented another new standard. It's the hash function Kupyna.
So, of course, it's very cool to be the developer of the Ukrainian AES and so on. But to be just an honorable professor, it may be very good when you're over 60; when you're under 40, it's time to find some other interesting direction. And I was lucky for the second time. I met the founders of IOHK and they introduced me to this topic of cryptocurrencies. And I'm very lucky that I met them. I have very many exciting tasks with a very cool team. So, let's begin with cryptocurrencies, with RSCoin. First of all, I would like to thank George Danezis and Sarah Meiklejohn; they are present at this conference and they are present in this room. Thank you very much for your new approach. A new approach for cryptocurrencies, cryptocurrencies with very excellent properties. And these cryptocurrencies can be easily deployed as currencies of states. Then I will say a few words about open problems with Bitcoin and some governmental interest in the application of cryptocurrencies based on blockchain. Then it will be the architecture and general properties of RSCoin. After that, there will be a talk from the guys with a practical implementation of RSCoin in Haskell. And then there will be the discussion of which properties of RSCoin can be made even better. So, let's continue with Bitcoin. So, Bitcoin is a great cryptocurrency. It was a revolution. It creates very many new markets. It implements very many new ideas. But after several years of its use, we have some problems which can be looked at as rather serious problems. The first problem, it was already mentioned today and the days before: this is the poor scalability of Bitcoin. Bitcoin allows in theory up to 7 transactions per second, while Visa and MasterCard allow up to 10 or even 100,000 transactions per second. 7 transactions per second is very limited. We have a limited amount of transactions per day, even per one year.
For example, if somebody in the United States wants to make his transaction in Bitcoin and every citizen of the United States wants to make his transaction in Bitcoin, some people will get this chance to make this transaction in 18 months. If every citizen of China would like to do so, to do his first transaction in Bitcoin, it may take up to 7 years or even more. The next problem of Bitcoin is network latency. So, we need a long, very long time, up to 10 minutes, to get approval, to be sure that our transaction will be permanently included into the blockchain. The next problem is liquidity limits. If we need to convert from Bitcoin into fiat currency with a big sum of money, we will have some problems with it. And we have some problems with stability and predictability for Bitcoin. The first open question, the first open problem, is the oligopoly of miners. We have very few miners and these very few miners, less than 10 miners, completely control the mining of new blocks. Imagine that some country like Israel implements such a proof-of-work cryptocurrency and another country like Iran provides cheap electricity for mining and provides some additional money for building farms in their territory. What does it mean? It means that at some moment Iran can completely switch off the currency of Israel and completely stop its economy. Of course, it's not good, and we have a similar situation for Bitcoin. A government should have full control over its currency. The next problem is the Goldfinger attack. When somebody provides very huge computational resources, they can easily take control over the network. It was also mentioned that Bitcoin takes a huge amount of energy consumption, up to 1 gigawatt of energy. It means that 1 gigawatt of energy is just destroyed for maintaining blocks. And the next serious problem, potentially serious problem, of Bitcoin is the following.
If we take the amount of transactions which can be done within one year and compare it to the profit, to the reward which is taken by miners, we can see that a miner takes at least $3 per each Bitcoin transaction. We can send, for example, $0.15 by Bitcoin transaction, but miners will earn $3 for this transaction. This money for now is paid by a huge amount of newcomers. Very many people want to buy their first Bitcoin, to have some Bitcoins; they believe in such a cryptocurrency, but such an amount of newcomers is limited. When there are no new newcomers, then the situation will be different and, as for me, it's very difficult to predict what will happen with Bitcoin at that time. Bitcoin has some problems, but it's a really revolutionary technology. Government institutions are interested in Bitcoin. Here on the slide, you can see an example from a British government agency with research on distributed ledgers and so on. But traditional cryptocurrencies have serious disadvantages from a central bank point of view. So for traditional cryptocurrencies, the central bank cannot control the monetary supply; miners mine new coins and the government cannot do anything about it. It leads to little or no flexibility for macroeconomic policy. When the economy needs new money, the central bank cannot provide new money for the economy. It's a very big property of a currency which can be used for the whole state. And if the amount of money is limited and not controlled by the central bank, there is extreme volatility in the value as a currency. Somebody begins to buy some coins. After that, he sells a big amount of such coins and the price goes down very fast. People see that the price goes down very fast. They begin to sell their money to save something and the price goes down even faster. So it's very bad from the point of view of a central bank, which wants to have a stable currency in the country. So for solving such a problem, the RSCoin cryptocurrency was proposed, with a new architecture.
In usual cryptocurrencies, we have only one type of participant. All participants are equal to each other. We have a flat network. In RSCoin, we have three different types of participant and there is a central bank, which is the only trusted entity. All the rest are not trusted and their productivity can be easily revealed. So money in this cryptocurrency is created only by the central bank. RSCoin also has a transparent transaction ledger. It has a distributed system for maintaining this ledger. It has transparent money movement like in Bitcoin, and a very good property of RSCoin is that the solution is scalable. It can be improved by adding new entities to such a system. We can get as many transactions per second as we want. So it was proposed by George Danezis and Sarah Meiklejohn in their paper, Centrally Banked Cryptocurrencies. It's available on the ePrint archive and many other sources. So RSCoin has three different types of participants. The first type is the central bank, which forms the rules for RSCoin. The second type is mintettes. These are special institutions which are authorized by the central bank for maintaining their low-level blockchains. From a government application point of view, we can look at mintettes as some commercial banks which support transactions. And the third type of participant in RSCoin is just users, users which send and receive money via this cryptocurrency. Mintettes and users are not trusted and if something goes wrong, it can be easily revealed by analysis of the blockchains. So the central bank authorizes mintettes for a given period of time. So some companies which want to take part and earn money in such a system will submit a request to the central bank. The central bank decides which companies will take part in the next period. Then the central bank forms the high-level blockchain, the high-level block, from data which is received from mintettes.
If there is some misbehavior of mintettes or users, there are arbitration procedures which are taken by the central bank, and the central bank provides the monetary supply for macroeconomic policy. So users interact with mintettes. Mintettes interact with the central bank. There is no direct interaction between a user and the central bank. There is no direct interaction of mintettes among each other. So a mintette makes a certification that there is no double spending for some transaction which is requested by a user and it provides the evidence to the user that this transaction will be included into the block by the central bank. A mintette also keeps the transaction ledger and this transaction ledger is provided to the central bank. Another additional property is that the transaction ledgers of mintettes are cross-hashed, and if some mintette wants to change its transaction ledger, it must make all the rest of the mintettes do so. So in practice it's impossible. So all changes will be discoverable by the central bank. So a user in RSCoin requests evidence of the absence of double spending and sends this evidence to the receiver mintettes for providing confirmation that the transaction will appear in the transaction ledger which is produced by the central bank for the next period. So a simplified model you can see on the slide. So we have here a user. The user will send a request about the absence of double spending to some shard of mintettes. So some set of mintettes receives the request from the user and then sends confirmation that there is no double spending. There should be a majority of such mintettes which provide such evidence. The user collects votes from the mintettes and sends such votes to the output shard mintettes. The output shard mintettes check the consensus of the input mintette shard and if everything is okay, then they include such a transaction into their transaction ledger and send confirmation to the user that this transaction will appear in the next period.
In the next period this transaction will appear in the high-level block which is produced by the central bank. This is a simplified model. So this is how it works. So why do mintettes want to take part? First of all, they get reward fees for transactions. So each mintette has its own fee for the transactions it processes. Besides that, they have special coin generation transactions. So like in Bitcoin we have a mining reward, we have the same situation for RSCoin. The central bank may give some money to mintettes for providing their activity. So RSCoin has the following integrity properties. No double spending, like in all cryptocurrencies; non-repudiable sealing. If a mintette gives confirmation to the user, it cannot deny that this confirmation was given by that mintette. Some audits can be done for a specific mintette or for the whole system, and if some mintette is not active it can also be very easily seen by the central bank by analyzing the lower-level blocks which are formed by each mintette. So here we also have consensus. Consensus is taken by mintettes and the central bank. So RSCoin has the following general properties. So each central bank may deploy its own cryptocurrency with its full control over it. So the central bank gives the full rules for this system. It can completely control it. This system is easily scalable to get any necessary speed of transaction processing and number of transactions processed per second. There are no wasted resources. We don't spend gigawatts of energy on nothing. In this model the central bank is always assumed to be honest and mintettes have their transaction ledgers cross-hashed. So if some mintette changes its transaction ledger, in this situation the central bank will easily find such productivity. Okay, so this was the theoretical model of RSCoin. Let's switch to a practical implementation.

Hello. Hello everyone. My name is Arseniy Seroka.
I'm the co-founder of the Serokell team, which is now a part of the IOHK family, and I'm responsible for the first full Haskell implementation of RSCoin. We followed the paper as closely as possible and we had a great experience when we were developing RSCoin. So I'm very grateful to Dr. Danezis and Dr. Meiklejohn. We implemented everything from scratch. So we didn't take a thing from the implementation by Dr. Danezis and it means that if we have two working implementations of RSCoin they can check each other's correctness. We chose Haskell as a programming language because it has the finest balance between industrial applicability and the ease of implementation of academic papers. Also Haskell provides strong guarantees at compilation time because of its strong type system, and also Haskell has a great framework called QuickCheck by Dr. Hughes. With the help of QuickCheck we've created our own framework to make tests for our distributed system, and we would like to thank Konstantin Ivanov from ITMO University in St. Petersburg and we would like to thank David Turner. We know that RSCoin is an interesting thing and scientists would like to know how it is implemented. That's why we try to make our code base as clean and as easy to read as possible. For example, you can check the fee allocation function. You will see that it is just a one-line function. You can change it and you will achieve another behavior. You can check out our source code at GitHub. We have more than 900 commits per month, and pull requests and issues are very appreciated. So in our implementation we used the MessagePack RPC library for communication. It is a debuggable binary protocol library but it had some problems in its Haskell implementation. We've made a patch and sent a pull request there. Also we are using the BLAKE2b algorithm for hashing because it's modern and fast. We are using the Ed25519 curve for signing. We are using the acid-state library.
It's a Haskell thing which helps us to store data and it provides ACID guarantees. Also we are using conduit as a streaming data processing thing. During our work we wanted to know if we did it right or if we did it the bad way. So we did several rounds of benchmarking, tweaking and tuning of our own code. But first of all let's talk about the pitfalls that we had. The first one is the network. We had to handle lots of communications between mintettes and users, also between mintettes and the bank. So we needed to think about how we can handle them fast and correctly. Also there were several Haskell-related problems like immutability and garbage collection. Once we were stuck with an input/output threshold in our database, and also threads. Our implementation uses lots of concurrency and we also had context switches, locks, and we had to deal with them. So our approach was, first of all, we tuned the compilation of our implementation. We fixed garbage collection options and Haskell runtime flags. It turned out that persistence is almost as fast as the memory module of the database. So we continued to use persistence. We used fast libraries for Haskell like bytestring, text, unordered-containers, because when they were designed the main thing that they were following was to be fast. And also we made lots of our data structures strict, because Haskell is a lazy language but we can tell it to make our data structures be in normal form at runtime. So we're using green threads over the native ones and we are using the STM monad for transactions. We found lots of great tools for profiling. First of all, GHC, the Glasgow Haskell Compiler, has lots of flags and options to show us information. We were using FlameGraph and ghc-prof-flamegraph. We were using ThreadScope to check our threads during the runtime or garbage collection and not the charge related to this. And the most important thing that every programmer uses someday is strace. So what about benchmarking? Dr.
Danezis's benchmarks were made with the help of several Amazon micro instances, computers. He ran about 25 users and from 5 up to 30 mintettes, and the best result he achieved was 760 transactions per second with the help of 9 mintettes. What we did: we had one computer with four cores and we ran there a bank, mintettes and two users. But we made about 2,000 transactions, and we were also trying to run four users and 4,000 transactions, and we achieved the same results for every count of users, and it was about 760 transactions per second too. But you can see that our way of benchmarking differs from Dr. Danezis's so I can't really compare them. But I think that all of them are correct. Now I would like to show you a demo run of our RSCoin user interface. So I would like to do a bootstrap of our system. So now I will run 8, 9 mintettes, one bank and one user who is connected to the bank account. So the user interface you will see is the interface for the bank. So here it is. On the left side there are several tabs. But first of all let's open another user interface for a regular user. So on the left side you can see an interface for a regular user and on the right side you can see an interface for the bank. At the beginning the bank has some amount of money, several thousands. Oh, we can see that the period has finished, there was an emission and the bank received some amount of money. Let's create a transaction from the bank account to the user's one. We can select a tab to send money, but first of all we need to copy-paste the user's address. We can paste it here. For example, let's send this amount, and it's sent. But now the period hasn't finished yet and we can see that there are some unconfirmed coins, and only after the period is finished will the user receive them. Here it is. The user received this amount of money, the bank lost this amount of money but it received one thousand more. So there is a difference. Also we have a contact list here. You can add several accounts there. For example user.
That wasn't user. So here it is. And also on the last tab we have several addresses connected to our account and we can use all of them. We can create new ones and that will help to manage our account. Also we have automatic synchronization with the network once a second so you don't need to manually update the blockchain. And we have tons of future improvements for our user interface, so it's in heavy development. That's why I said that pull requests are welcome. And we are going to make more appropriate benchmarks for our system to compare them to the benchmarks by Dr. Danezis. So thank you for your attention. I would like to welcome Roman back.

Okay, thanks for the practical demo. Let's continue. So it's my point of view. I came to cryptocurrency from security and my security experience shows me that you must think about the worst-case scenario. Maybe it won't happen in practice, but you must take into account everything which can happen. Moreover, I live in Ukraine and I know that sometimes the situation can become even worse than we can think. So we did a very critical analysis of RSCoin. It's an excellent solution, but we found some open questions which we would like to present, and our proposal for how we can make RSCoin even better. So the first question, which is not completely defined in the paper, is fair distribution among mintettes. Of course, mintettes can receive their fees for processing user transactions. But user transactions go to low-level blocks via user software. Of course, it is in the user's interests to take all the responses from mintettes and to send them to the output shard. But the software is created not by the user himself, it's written by some company. And if this company is affiliated with some mintette, it may lead to the situation when the user software will filter such mintettes' replies and competitors' mintettes won't get their records in the low-level blocks of the output shard.
And this mintette may decrease the profit of the competitors, just by creating user software. The user will look at how this application is working: consensus will be reached, it is convenient, the interface can be good, but in some situations it may not be good for mintettes. The second open question, which is also not well defined in the paper, is the mintettes' incentive for their investments. So some mintette may invest money into a huge data center with reliable internet channels and so on. Another mintette can use very old software with bad internet connections. So there won't be a very significant difference among them. And for example, if for Bitcoin you invest some money into equipment, you get your profit definitely. For RSCoin, this situation is not so clear. Then there is a potentially long time between ending the old period and starting a new one. So when we have some period, it can last for a minute or for several minutes or even longer. During this time, users will do rather many transactions. These transactions are spread among low-level blocks. And the RSCoin implementation of the central bank should take all these transactions and make a unique copy of them. It cannot be done in parallel. It always requires several sequential steps even if you run on very powerful clusters. So in this situation, some period has finished. After that, some period of time is needed just to protect transactions and process transactions by the central bank. And only after that the new period starts. So we also thought about how such a situation can be solved. And in RSCoin, there are no forks. And it means that if some dishonest mintettes form its shard and they can certify a double-spend transaction, this transaction will definitely be included into the high-level block. And only administrative steps of the central bank can prevent such a situation. So it can do some steps after such a situation.
So if such a transaction will be included, we can minimize the probability of such a situation. So if you look at the very, very worst-case scenario, then we will have the following potential open questions. The system may not have its best performance because mintettes won't invest enough money to achieve the highest probability. Then, for now, there is no clearly defined procedure for mintette rewards. And if something goes wrong, there can be potential problems with transparent investigation. So the system is completely transparent for the central bank. And the central bank is a trusted entity. That's quite okay. But if there are some corrupted officials in the central bank or so on, they can actively hide some dishonest activity of mintettes. Other mintettes would like to have a transparent investigation. And it's better to have technical means to make the system transparent not only to the central bank, but to all participants of the system. So we thought about how we can make RSCoin even better. And we looked at the further features of RSCoin. So there should be a clearly defined procedure for mintette rewards. There should be an obligatorily available transparent transaction ledger for all participants. In the current situation, the central bank may not share all high-level blocks with mintettes. It may just share the UTXO for a specific shard with specific mintettes. And the system will continue to work normally. And we would like mintettes to make the high-level block also. When mintettes produce the high-level block, there will be no pause between different periods. So our proposal for further development of RSCoin is the following. The high-level block is formed by mintettes. Some mintette may put a veto on a transaction if it can see that there is some problem. It can put a veto because we don't have forks for the blockchain ledger. And user software must preserve the order in which the mintettes' replies were received by such software.
And when we have such properties, RSCoin becomes even better, with additional properties which will be discussed later. So for the high-level block we propose the following. Nowadays, the consensus of output mintettes is checked by the central bank only. We propose that we extend the system, and the consensus of the output shard, of the output mintettes, is also checked by the mintettes themselves. We build over the current RSCoin something like a BitShares-like system. And this BitShares-like system receives such a transaction; several mintettes receive a transaction, check the consensus among the output mintettes, and then in their turn include such a transaction into high-level blocks when they have a turn to be a witness in such a situation. So in this situation, when the central bank receives the high-level block, the only need for the central bank is just to sign it. Moreover, in such a situation high-level blocks are also available to mintettes and the system becomes transparent for all participants. High-level mintettes, at least high-level mintettes, have full access to the transaction ledger. It cannot be hidden from them. The second: when some mintette sees some dishonest transaction, it does not just skip this transaction, this mintette sends a veto on this transaction. And if the output shard sees such a veto, then this transaction is blocked and information is sent to the central bank for investigation. The same is done for the output shard. And if there is some disagreement between different mintettes, it means that some of them, at least one of them, definitely misbehaves and should be punished by the central bank. So if we see some probability of such an attack being implemented, we have a much better condition for discovering such an attack. The next property: when user software receives some replies from mintettes, from input mintettes, it saves these replies in the order in which it received them, puts a digital signature on this list and sends this list to the output mintettes. Then this information is also included into high-level blocks.
What does it mean? If mintettes are responding very fast, they should be rewarded by the central bank. So mintettes which invest in their infrastructure to process user requests more frequently receive additional money from the central bank. Mintettes which do not invest additional money won't get an additional price, and so on. So mintettes will have their incentive for improving their infrastructure to be among the best mintettes. Then if some user software begins to change this order, then mintettes, having access to the high-level block, can use statistical analysis on high-level blocks. And if some mintettes behave dishonestly, some user software behaves dishonestly, it can be easily revealed by statistical analysis. We just take the high-level blocks, analyze them, and we can see if user software works dishonestly. If we can see it, then we can just do some specific test on it, analyze the input and output traffic, and then there will be enough information that such a client works incorrectly in the system. So having such additional properties, we have the following properties of RSCoin with the implemented proposals. So mintettes get their incentive to invest in their infrastructure. The better infrastructure they have, the more money from the central bank they earn. They are assured that they invest such money into the system. Then they check that the rules are equal for everyone. And central bank officials cannot hide some inactivity or some dishonest activity by other mintettes. Everything is transparent for every participant, for mintettes. This system remains highly scalable. It can process any amount of transactions which is needed. There is no delay before starting a new period by the central bank. There is no need to process a huge amount of duplicated transactions and remove duplicates. And such a system has increased difficulty for double spending attacks which are laid by users and dishonest mintettes.
And all key integrity properties of the published version of RSCoin remain valid. So such a system has all the good properties of RSCoin and it has additional properties which allow us to give all the advantages of cryptocurrencies not only to the central bank, but to all participants of such a system. So that's all. Thank you. Maybe if there are any questions, both on the theoretical part and on the practical part, we will really answer them.

You are speaking about this slide? We don't really test deployment. We don't test production here. We test under load. And all we test for is transactions per second. So this is why we don't care about the amount of users. What we want to benchmark though eventually, and we're working on it right now, is we want to see how the throughput scales when we add mintettes. So it's just two nodes generating load. So that's it. And I'm sorry, in real deployment when we're talking about production, the paper suggests running something like 30 mintettes no matter the user base.

Thank you. Next questions. Yes, that's quite unusual for traditional cryptocurrencies. So for traditional cryptocurrencies, it is allowed to have forks. So if there is some double-spend transaction, we have a fork with all the honest transactions, and the block with the double-spend transaction becomes an orphan block. RSCoin doesn't have forks. So in this situation, if some transaction goes into the block, it remains there, and we need to take only administrative steps by the central bank, or criminal responsibility or something else. To prevent this situation, we need to increase the attack complexity. And in this situation, if a mintette receives such a transaction confirmation, it must send a veto. Of course, it's very unusual, but it's a different architecture. The mintette sends a veto and it gives us the following properties when a user wants to do some double spending attack. In this situation, he knows which mintettes will support this double spending.
There must be a majority of the input shard of such mintettes. So to get such a transaction, he needs to mine. He needs to change very many parameters to get an input shard which consists of such mintettes. So now imagine this situation. The system works normally, and normal replies from mintettes are approximately maybe 95 or 98 percent. And for some other transaction, we receive a number of replies which is exactly a majority. For example, 51 percent. And we look into this transaction later, and it signals to us that we need to check this transaction more carefully, more attentively. If an attacker wants to hide such a transaction, then he needs to find many more dishonest mintettes. And it means that if he hides the transaction from such statistical analysis, the complexity of the attack, the number of dishonest mintettes which is needed by the attacker, and the complexity of mining to find such a transaction increase even more.

Another thing to understand is the realities of banking in general. So when you're at the Treasury Department or some federal agency, you don't sit around and watch every transaction that happens in the grid. Instead, you have the banks actually watch the transactions, and you force them to issue what are called SARs, suspicious activity reports. So it is a good idea to give commercial banks or mintettes, some lower-level entity, an ability to flag a transaction as a bad transaction potentially. And this can be meta. It can be more than just a double spend. It could be "this touched a terrorist account" or "this is money laundering" or something like that. So on a practical system, it actually makes sense as well, beyond just a security perspective.

Okay, any other questions? Okay, then thank you very much. We love the system. And I hope that you also like the system. We hope that we will see this system in the future within our national central banks. Okay, thank you.