Up to now, all proof-of-stake-based cryptocurrencies and blockchain solutions have been constructed in a heuristic way, without proper security analysis, definitions and proofs. So you basically don't have a proper guarantee that your proof-of-stake-based system is actually going to be secure in the real world, as opposed to proof-of-work-based schemes, which have been analyzed and improved and are secure. So what we have been aiming to do is to pave the way for the study of proof-of-stake-based consensus protocols under a more formal framework of provable security and cryptography, through which we aim to guarantee users that the protocols we're rolling out are actually secure according to a reasonable definition of security. In order to do that, we had to overcome several challenges, starting with how you even define security for this kind of scheme and then how to actually build schemes that match these security definitions. So right now we have our paper out on ePrint. It's been circulated around for peer review and basically implements such a protocol, which we managed to prove secure according to this framework of provable security and the security definitions that we have put forward. Of course there are still challenges to be overcome, such as improving efficiency and scalability, but that's all part of research. We've laid the first stone in this foundation, so that's already pretty interesting. It's, as far as we know, the first provably secure proof-of-stake-based consensus protocol, and our security definition captures all the attacks that have been proposed against previous solutions that didn't come equipped with proper security analysis, and maybe even thwarts different attacks that people might come up with. So we're pretty happy about the security level that we can achieve.
So most cryptocurrencies are based on this proof-of-work mechanism, which basically requires you to compute millions, billions, trillions of hashes per second if you want to generate a block, for the blockchain to grow and for the system to work. This represents a huge waste of computational power and electric energy, which we know to be a very scarce resource, especially these days, when we have the environment threatened by all the CO2 emissions and a shift towards green energy. We would like not to waste all this computational power, or maybe actually use it for something interesting and applicable to real-world problems, such as sequencing genes to find cures for diseases or doing simulations to predict tsunamis and earthquakes and so on. So with proof of stake we don't need to do these scarce-resource-depletion proofs anymore. We just base the system on the assumption that the people who have a lot of money invested in the system actually want to keep that system working. They want to keep it functioning; otherwise the money they have invested in the system will lose value, because a system that is not trustworthy or that doesn't function properly will not be used by many people. People will sell their coins from that system and it will lose value. So the people who have a lot of money invested in it want to keep their money valuable, so they have a clear incentive to behave honestly and play the protocol to keep the system working. So that's what we base the security on, not on the fact that somebody is willing to waste thousands, hundreds of thousands of dollars in energy and equipment to keep the system working. So right now we have the main backbone of the protocol all laid out, and the main characteristics that we wanted to achieve for that protocol have already been achieved.
Our next steps are actually addressing more real-world issues such as scalability and efficiency when you have thousands, hundreds of thousands, millions of users in the system, as happens with most cryptocurrencies. And of course we also want to address other issues, such as making it compatible with mechanisms like side chains and achieving better efficiency through implementations and actual protocol modifications that could benefit from better data structures or from better underlying protocols and primitives. So that's a clear future work direction: bringing the protocol as close to the real world as possible, even though we have something that already works. We want to make it as efficient as possible, and we're very confident that we're going to be doing this in the near future.

So one of the main attacks against proof-of-stake-based systems is the so-called nothing-at-stake attack, which basically arises from the fact that you don't have to deplete a scarce resource in order to generate a block in proof-of-stake-based systems. Usually in proof-of-work-based schemes you have to compute thousands of hashes in order to generate a valid block in the blockchain. So if you want to generate several alternative versions of history, you would have to compute many more proofs of work by computing many more hashes, but your resources are finite, so you can't possibly do that unless you invest a lot of money in it. Also, you can't just follow different forks of the blockchain, because you simply don't have enough resources to compute all the proofs of work that it would take for you to extend different forks, again because your resources are scarce.
Now when you remove the issue of scarce resources, which is what we want to do with proof of stake, you open up this issue where entities might try to extend several different forks of the blockchain, or try to generate fake versions of history, without actually needing to spend resources. This actually gives them an incentive to be mining, let's say (we don't even do mining per se in proof-of-stake-based systems), but let's say to be extending the blockchain in different, conflicting directions, because they might get a better financial outcome from always being guaranteed to be on the winning fork. Now, this has been a problem with previous heuristic schemes that didn't consider the proper function for selecting who gets to generate a block in a proof-of-stake system. So how we solve it: we build our scheme in such a way that you can't just extend a block if you want to; you have to win a lottery, and we prove that to win that lottery you can't really do any attack, you can't really influence the lottery. It's as if you have a nice green leprechaun in the sky who tells you who won the lottery. By doing that we are guaranteed that people can't just do this kind of attack where they try to extend different chains, basically because they can't just extend the chain that they wish to extend; they have to be selected for that first. And we show that everybody playing the protocol correctly ensures that people are selected randomly according to the proper distribution, and that this can't be influenced as long as a majority of the stake is controlled by honest people. We can also easily see when somebody's trying to cheat on this protocol and influence the outcome of the lottery, so that measures can be taken to punish these people, if so wished by the players of the protocol. And the nice thing about our analysis, with formal proofs and formal definitions, is that we are guaranteed that the people generating these blocks, selected through a proof of stake, are selected by everybody in the protocol in such a way that we are a hundred percent sure that, unless they can, let's say, break our underlying cryptographic assumptions or something similar, they wouldn't be able in any way to influence the final outcome, thus thwarting these nothing-at-stake attacks.

So, since we are taking this first step into analyzing this kind of protocol formally, we start with an assumption that the network is synchronous, meaning that we have a sequence of rounds, which we actually call slots, inside which all messages are guaranteed to be delivered, even though the adversary may tamper with them in any way he wants. The only assumption that we have is that, let's say, if a slot lasts 20 seconds, the messages sent by parties participating in the protocol are delivered within these 20 seconds and not arbitrarily delayed for, let's say, 10 years. So this is a first step, a natural step even, in analyzing this kind of cryptographic protocol, since it allows us to have more compact and clear proofs and to begin to understand the problems and pitfalls in constructing this protocol and proving it secure. An obvious next step, also in our line of future work, is relaxing the synchrony assumption to a different scenario where the adversary can actually delay a message for a very long time that is not known by the users, in such a way that the user knows that the message is going to be delivered eventually but doesn't know if it's going to be delivered in 20 seconds, one minute or one hour, while still maintaining the same security guarantees. Now you might think that the synchrony assumption is a completely unrealistic thing, but with the current internet and current technology we can actually get pretty tight clock synchronization that can be used to keep track of the round synchrony in a very reasonable way, with reasonable security guarantees. If you look around the information security community, they're proposing new cryptographically secure protocols for clock synchronization and so on that can be used to that end. So for a first step towards provably secure PoS protocols, I believe it's a reasonable assumption.

Well, in PoS scenarios people get selected randomly to generate a block according to how much stake they own in the system. That means that if you own only a handful of coins, maybe you're going to be selected once in the space of a year, but you don't really want to keep your computer on for the whole year just waiting for that one 20-second slot when you're selected. So what can you do in that case? First, you want to make money by generating your block, and also you want the system to work; you don't want blocks not to be generated because people are offline. So what can you do? You can delegate the right to generate a block, when you are selected by the protocol, to a third party, which might be somebody who already owns stake in the system or a completely unrelated third party, a company that has a delegation service, let's say. That is very positive, because it allows people who have small amounts of stake to still make some money when they get selected for participating in the protocol, and it allows us to tame the scalability issue, because then you can just define thresholds for participating in the protocol. You can actually say you can only participate if you have x percent of the total stake in the system, which reduces the total number of people who are actually actively running the protocol. And it allows for better reliability guarantees for the whole system, because you know that delegates who control a lot of delegated stake will want to keep their systems online 24/7 with good reliability, because they also make money by playing that role of delegate. So that guarantees both that everybody's happy, even making some money though they don't have much stake, without having to waste a lot of money and energy on their computers and so on, and that the system runs smoothly. So that's a nice mechanism. It will certainly be improved in the future; we can probably get better guarantees and a better distribution of funds between people and delegates and so on, but that's certainly a positive characteristic of the protocol.

So when cryptography started, thousands of years ago, people would usually come up with an idea, a way of encoding information, of encrypting information, such that other people couldn't read it. They would pass it around among monks and friends, and if nobody could break it they would be happy about it and go on using this idea until somebody managed to break it. This went on until very recently; you could even mention the Second World War, when you had the German Enigma machine, which they believed to be very secure, and it indeed was for that time in history, until somebody managed to break it. So with these systems you have no idea of what exact security guarantee you have until somebody finds a completely unforeseen attack and breaks your whole idea into pieces beyond any hope of repair. So what started in the late 70s and has evolved into modern cryptography is what we call provable security, which is the practice of proving that a given cryptographic system, be it a cipher, a signature or a more complex protocol, is secure and remains secure as long as a certain set of assumptions remains true. So what assumptions are those? Apart from system assumptions such as the synchronicity that I've just talked about, and assumptions as to the power of the adversary in corrupting people, let's say the adversary only corrupts a minority of people, or one third of all the people in the protocol, there is also, very importantly, the assumption that we cannot solve certain computational problems securely, for example factoring large integers, which is the basis of the encryption that is in everyone's cell phones, computers, even smart cards these days. So basically what we aim at by using provable security is to lay our security guarantees onto solid foundations: problems that have been long studied by mathematicians and other people in the scientific community and which are believed to hold, which are believed to be hard to solve. So by doing that we are not simply waving hands and saying we believe a system is secure; we're saying we believe the system is secure because after a hundred years of research into solving this specific problem nobody came up with a solution to it, so we find it reasonable to assume that it's going to take a while to solve it. It's not like simply saying "I just had this idea out of my head to build a cryptosystem and I believe that it's secure." How could you say that when you've been the only person to think of that specific problem? We have much better guarantees when we rely on problems that have been widely studied by the community.
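The stake-weighted lottery and the delegation thresholds described earlier in this talk, as an added example that is not part of the original transcript and not the protocol's own code: a follow-the-satoshi style draw (hash the epoch seed and the slot number to a uniformly random coin index, and the owner of that coin is the slot leader) over a constructed ledger, with delegated stake aggregated onto delegates and a participation threshold applied before the draw. The ledger, the delegation certificates, the 10% threshold and the epoch seed are all made up here; the seed is assumed to already be the protocol's unbiasable shared randomness (the "leprechaun in the sky"), and how it is produced is not shown.

```python
import hashlib
from collections import Counter

# Constructed sample ledger: stakeholder -> stake in indivisible coin units.
# Names and amounts are made up for this example.
LEDGER = {"alice": 500, "bob": 300, "carol": 150, "dave": 30, "erin": 20}

# Constructed delegation certificates: small holders hand their right to
# generate blocks to a delegate (here the hypothetical pool run by carol).
DELEGATIONS = {"dave": "carol", "erin": "carol"}

# Hypothetical participation rule: only parties controlling at least this
# fraction of total stake (own plus delegated) actively run the protocol.
THRESHOLD = 0.10


def effective_stake(ledger, delegations):
    """Sum each party's own stake with the stake delegated to it."""
    eff = Counter()
    for holder, amount in ledger.items():
        eff[delegations.get(holder, holder)] += amount
    return dict(eff)


def eligible(effective, threshold):
    """Apply the participation threshold to the effective stake distribution."""
    total = sum(effective.values())
    return {p: s for p, s in effective.items() if s / total >= threshold}


def slot_leader(stake, seed, slot):
    """Follow-the-satoshi style lottery for one slot.

    The coin index is derived only from the epoch seed and the slot number,
    so no party has a knob to turn: anyone holding the same ledger and seed
    recomputes exactly the same leader. The modulo bias of a 256-bit digest
    over a total stake this small is negligible.
    """
    total = sum(stake.values())
    digest = hashlib.sha256(seed + slot.to_bytes(8, "big")).digest()
    coin = int.from_bytes(digest, "big") % total
    for party, amount in sorted(stake.items()):  # fixed order so everyone agrees
        if coin < amount:
            return party
        coin -= amount
    raise AssertionError("unreachable: coin index exceeds total stake")


def verify_block(block, stake, seed):
    """Everyone can recompute the lottery, so a block claimed by a non-leader
    is immediately visible as an attempt to cheat."""
    return block["leader"] == slot_leader(stake, seed, block["slot"])


def leader_frequencies(stake, seed, n_slots):
    """How often each party is drawn over n_slots consecutive slots."""
    return Counter(slot_leader(stake, seed, s) for s in range(n_slots))


if __name__ == "__main__":
    eff = eligible(effective_stake(LEDGER, DELEGATIONS), THRESHOLD)
    seed = b"constructed epoch seed"  # stands in for the shared randomness
    total = sum(eff.values())
    freq = leader_frequencies(eff, seed, 20000)
    for party in sorted(eff):
        print(f"{party:6s} stake {eff[party] / total:.2f}  drawn {freq[party] / 20000:.3f}")
```

Over many slots each party's share of leadership tracks its share of effective stake, which is the "selected randomly according to the proper distribution" property; because the only inputs to the draw are the seed and the slot, a party wanting to extend a fork it was not drawn for has nothing to grind on, and `verify_block` rejects its block.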