Hi guys, I'm a researcher at UCL, and for the past year I've been building this cryptography library. There's going to be a disclaimer for this talk: I'm not going to go deep into the math. The Zcash Foundation have presented some useful workshops that will do that later on, and I only have 20 minutes, and you can't teach cryptography in 20 minutes. So instead what I want to do is leave you with an impression that cryptography can be really useful for smart contracts, if not nearly essential as well.

But first, what is cryptography? Well, when I talk to non-experts, they tend to say that cryptography is about designing ciphers, i.e. encryption and decryption. But hopefully, as some people in this room know, over the past 30 years and with the rise of the internet, cryptography is so much more. It's about authenticating people on the internet, i.e. your Ethereum account, or endorsing information, i.e. a digital signature that authorizes your transaction and spends some coins. And even more, it's about building publicly verifiable protocols, where a group of people run a protocol and I'm not involved: they can send me the transcript and I can have faith, or actually I can be certain, that that protocol was run correctly.

So as a cryptographer, when you look at Ethereum you wonder, what does Ethereum offer? Well, another goal of cryptography is to minimize trust. We want to remove as much trust from the system as we can, but in every system there's always a little bit of trust. So when we design a system, sometimes there's a trusted third party. What's really cool about Ethereum is that a smart contract can be your trusted third party with public state. So because it has public state, it's a little robot over there that gossips: it reveals all our secrets, but it never modifies the protocol, and it will always faithfully execute our protocol on our behalf. And it's atomic: either it runs the function or it won't. And using smart contracts...
We can build really cool things. But first let's consider a really simple example, rock paper scissors, and let's consider it where we don't use any cryptography. So our contract is a matchmaking service: if I want to start a game of rock paper scissors, I can start a game, somebody can pay into my game on the smart contract, and then they can play against me. So Alice, with the little Mexican hat, starts a game, and because we're not using any cryptography she's going to leak rock. So she'll reveal rock and say, I want to bet five pounds, or five dollars, in my rock paper scissors game. Bob can look at the contract and say, well, Alice just played rock, so, you know, I'm just gonna play paper and win five dollars. The contract evaluates it and comes back to say, well, you won the $10, you won the prize. So really we can't actually play rock paper scissors in a public setting like a smart contract without using any cryptography.

So what do we need to actually build this? We need some cryptography where I can hide my choice, but then I can later reveal my choice, and I cannot change my mind. And we can do this using trivial crypto: as most people in this room are probably aware, there are cryptographic hash functions. So if I want to choose rock, I put it through the hash function, I'll get 32 bytes of random data, I'll store that in the contract, and later on when I reveal rock the contract will hash it again and compare the result with the output it stored. So that's really cool.
And what I also want to add are two really cool features of smart contracts: deposits and refunds. So the idea is that when you start a game you send a deposit, and then when you finish the game you get your deposit back, and this will provide a financial incentive for people to finish the game.

So let's go back to our little simple example of rock paper scissors. Alice will make a choice, run it through the hash function, and then she'll send the hash of her choice, five dollars and a small little deposit. Now Bob comes along, and Bob can look at the contract. He can see that Alice wants to play, but now he can't see her choice, so there's a bit of risk: it could be rock, paper or scissors. So he'll make a choice, he'll send the hash of his choice, five dollars and a deposit, and he'll tell the contract that he wants to play rock paper scissors with Alice. Now in the second round of this protocol, everyone must reveal their choice before time t. If you don't reveal your choice, you forfeit your deposit, and in all likelihood the counterparty will probably automatically win. So next Alice will reveal scissors. The contract will evaluate it and say, well, scissors was her commitment, it matches the hash that she gave me. Next, Bob can see that Alice's choice was scissors, so now he has two decisions: (a) he aborts the protocol because he's lost, or (b) he plays the protocol whether he wins or loses. Now because he's left a deposit, he's going to reveal paper, and he's lost the game, but he does this because he wants to get his deposit back. The contract will evaluate this and say, okay,
I'm sorry, you know, scissors beats paper. Bob gets his deposit back, and Alice wins and gets ten dollars. Now, to the security experts in the room, as my little disclaimer: you should normally use a nonce when you do this, but I want to avoid these details because I'm not here to, you know, present exact secure protocols; it's the intuition of why cryptography is useful.

So what's really cool about the previous example is that the deposit and refund scheme provided this financial incentive for people to participate, and the hash function provided the ability to hide my choice but also commit me to my choice in a public setting. What's not really good is that when Alice sends her hash, there's no way to verify that it was either rock, paper or scissors. Alice could have sent Spock and then later revealed Spock. But in this setting that doesn't really matter, because if Alice did choose Spock, the contract will say, well, Spock wasn't a valid choice, so Bob automatically wins. But what happens when we have a protocol or an application where a user can't reveal their choice? So all the contract has is encrypted information, and the classic example is e-voting, where we want to maximize voter privacy.
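The commit-reveal game with deposits described above, written out as an added Python simulation of the contract logic. This is not the speaker's Solidity code: the stake and deposit amounts, the deadline value and the rule that a forfeited deposit goes to the counterparty are assumptions made for the example. It includes the nonce the speaker mentions in the disclaimer, and it exercises the two failure cases from the talk: a player who never reveals before time t, and a player whose committed choice turns out to be Spock.

```python
import hashlib
import secrets

CHOICES = ("rock", "paper", "scissors")
BEATS = {"rock": "scissors", "paper": "rock", "scissors": "paper"}


def commitment(choice, nonce):
    """H(choice || nonce).  Without the nonce a hash of 'rock' has only three
    possible preimages, so Bob could simply try all of them; with a 32-byte
    random nonce the commitment hides the choice and still binds Alice to it,
    because she cannot find a second preimage later."""
    return hashlib.sha256(choice.encode() + b"|" + nonce).hexdigest()


class RockPaperScissors:
    """Toy stand-in for the contract (amounts and rules are assumptions)."""
    STAKE, DEPOSIT = 5, 2   # each player locks stake + deposit on joining

    def __init__(self, deadline):
        self.deadline = deadline   # time t by which everyone must reveal
        self.commits = {}          # player -> commitment hash
        self.reveals = {}          # player -> revealed choice (validity unchecked)

    def join(self, player, commit_hash):
        # The contract only sees a hash: it cannot tell rock from Spock here.
        assert len(self.commits) < 2 and player not in self.commits
        self.commits[player] = commit_hash

    def reveal(self, player, choice, nonce, now):
        if now > self.deadline or player not in self.commits:
            return False            # late or unknown player: ignored
        if commitment(choice, nonce) != self.commits[player]:
            return False            # does not open the commitment: ignored
        self.reveals[player] = choice
        return True

    def settle(self, now):
        """After the deadline: refund deposits to those who revealed, forfeit
        the others' deposits to the counterparty, then decide the stakes."""
        assert now > self.deadline and len(self.commits) == 2
        a, b = list(self.commits)
        payout = {a: 0, b: 0}
        for p, other in ((a, b), (b, a)):
            payout[p if p in self.reveals else other] += self.DEPOSIT
        valid = {p: self.reveals.get(p) in CHOICES for p in (a, b)}
        if valid[a] and valid[b] and self.reveals[a] != self.reveals[b]:
            winner = a if BEATS[self.reveals[a]] == self.reveals[b] else b
        elif valid[a] != valid[b]:
            winner = a if valid[a] else b   # Spock, or no reveal at all, loses
        else:
            winner = None                   # tie, or neither revealed validly
        if winner is None:
            payout[a] += self.STAKE
            payout[b] += self.STAKE
        else:
            payout[winner] += 2 * self.STAKE
        return payout


def run_game(alice_choice, bob_choice, bob_reveal_time=50):
    """Play one game: both commit, both try to reveal, then settle at t + 1."""
    game = RockPaperScissors(deadline=100)
    na, nb = secrets.token_bytes(32), secrets.token_bytes(32)
    game.join("alice", commitment(alice_choice, na))
    game.join("bob", commitment(bob_choice, nb))
    game.reveal("alice", alice_choice, na, now=50)
    game.reveal("bob", bob_choice, nb, now=bob_reveal_time)
    return game.settle(now=101)


if __name__ == "__main__":
    print(run_game("scissors", "paper"))                       # Alice takes both stakes
    print(run_game("scissors", "paper", bob_reveal_time=150))  # Bob forfeits his deposit
    print(run_game("spock", "paper"))                          # Spock is not a valid choice
```

Note that `join` has no way to reject the Spock commitment, exactly as the talk says: the hash hides everything, so validity can only be enforced at reveal time, which is why the deposit matters and why the next application needs a zero knowledge proof instead.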
So the idea is that you should be able to see that Patrick has cast his vote, but it's encrypted, so you should never be able to see what I voted. And so I may have four encrypted votes, and these are stored on the smart contract, and now we want to compute the tally. We should be able to simply add these votes together, and once all the encrypted votes are added together there'll be some crypto magic and it will automatically perform the decryption, so then we get the tally: that's one yes vote and three no votes.

Now in this setting voters cannot reveal their vote, so we can't do that really nice commit-and-reveal trick that we did with hash functions. We also need to be confident that every encrypted vote is either yes or no. If we don't have that guarantee, then an attacker could create an encrypted vote in such a way where they change somebody else's vote, they cancel somebody else's vote, or they just vote multiple times, because remember these are encrypted votes and under the hood it's all mathematics: they're doing additions, subtractions, multiplications, etc. etc. So one way to get around this is to use a zero knowledge proof, and what I can prove to you is that my encrypted vote is either one or zero. And with this proof, that's the only thing I reveal about this encrypted vote: I don't reveal the vote itself.
I just reveal that it's well-formed and it satisfies some type of criteria. So now we can build a contract where each voter will do an ElGamal encrypted vote and they'll send it to the contract, alongside a one-out-of-two zero knowledge proof that this vote is either yes or no. The contract will accept it and store the encrypted vote, and every single voter will do this. Then at the end of the election we can add the votes together and it will reveal the tally. Now, if people want to know more about this type of e-voting smart contract, I'll be giving a full talk about it at 10 on Friday morning, so that's just a little advertisement for my talk later this week.

Let's consider another application. Let's say we want to outsource some type of computation. So Alice has this large computation she can't do herself, and now she finds two different cloud providers, but she doesn't necessarily trust them. So she makes each cloud do the exact same computation, and then if she's given the same result from both clouds, she has some confidence that the computation was done correctly. So what she wants to do is set up a bounty, so there's just a smart contract out there, and if the two clouds can prove that they did the same computation and they got the same result, the contract will reward the clouds for their work. So what we can do now is use a Pedersen commitment. So this is different from a hash function: with a Pedersen commitment we can do some type of computation on it. This is known as homomorphic encryption, and the idea is that it's computationally binding and it's, I can't really pronounce it, information-theoretically hiding. But we don't have to worry about those two properties.
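The voting contract just described, as an added Python model that is not the speaker's LocalCrypto.sol or voting code: exponential ElGamal ballots that add homomorphically, a one-out-of-two zero knowledge proof that each ballot encrypts 0 or 1 (the disjunctive Chaum-Pedersen proof, made non-interactive with a Fiat-Shamir hash), and a tally that decrypts the product of all stored ballots. The group parameters are a tiny toy safe-prime group chosen so the example runs instantly; the function names and the "vote five times in one ballot" forgery at the end are constructed for this example. A real system uses a 2048-bit group or an elliptic curve.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example only: p = 2q + 1 is a safe
# prime and G = 2^2 generates the order-q subgroup.  Never use a 10-bit
# group for real ballots; use a 2048-bit group or an elliptic curve.
P, Q, G = 1019, 509, 4


def keygen():
    """Election key: the tallier holds x, voters encrypt under y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def challenge(*elems):
    """Fiat-Shamir challenge: hash the public transcript, reduce mod q."""
    data = ",".join(str(e) for e in elems).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def cast_vote(y, v):
    """Ballot (g^r, g^v * y^r) plus a proof that v is 0 or 1 without saying
    which (disjunctive Chaum-Pedersen: one branch is real, one simulated)."""
    assert v in (0, 1)
    r = secrets.randbelow(Q)
    c1, c2 = pow(G, r, P), pow(G, v, P) * pow(y, r, P) % P
    # Simulated branch for the value we did NOT vote: choose its challenge
    # and response first, then back out commitments that satisfy the check.
    e_sim, s_sim = secrets.randbelow(Q), secrets.randbelow(Q)
    m_sim = c2 * pow(G, Q - (1 - v), P) % P          # c2 / g^(1-v)
    a_sim = pow(G, s_sim, P) * pow(c1, Q - e_sim, P) % P
    b_sim = pow(y, s_sim, P) * pow(m_sim, Q - e_sim, P) % P
    # Real branch: honest commitment to a fresh witness w.
    w = secrets.randbelow(Q)
    a_real, b_real = pow(G, w, P), pow(y, w, P)
    if v == 0:
        a0, b0, a1, b1 = a_real, b_real, a_sim, b_sim
    else:
        a0, b0, a1, b1 = a_sim, b_sim, a_real, b_real
    e = challenge(y, c1, c2, a0, b0, a1, b1)
    e_real = (e - e_sim) % Q              # the two challenges must sum to e
    s_real = (w + e_real * r) % Q
    if v == 0:
        proof = (a0, b0, a1, b1, e_real, s_real, e_sim, s_sim)
    else:
        proof = (a0, b0, a1, b1, e_sim, s_sim, e_real, s_real)
    return (c1, c2), proof


def verify_vote(y, ct, proof):
    """What the contract checks before storing a ballot."""
    c1, c2 = ct
    a0, b0, a1, b1, e0, s0, e1, s1 = proof
    if (e0 + e1) % Q != challenge(y, c1, c2, a0, b0, a1, b1):
        return False
    m1 = c2 * pow(G, Q - 1, P) % P        # c2 / g, the "v = 1" branch
    return (pow(G, s0, P) == a0 * pow(c1, e0, P) % P
            and pow(y, s0, P) == b0 * pow(c2, e0, P) % P
            and pow(G, s1, P) == a1 * pow(c1, e1, P) % P
            and pow(y, s1, P) == b1 * pow(m1, e1, P) % P)


def tally(x, ballots):
    """Multiply all ballots (adds the votes in the exponent), decrypt once,
    and recover the count by trying each possible exponent."""
    c1_all = c2_all = 1
    for c1, c2 in ballots:
        c1_all, c2_all = c1_all * c1 % P, c2_all * c2 % P
    m = c2_all * pow(c1_all, Q - x, P) % P   # c2 / c1^x = g^(number of yes votes)
    for count in range(len(ballots) + 1):
        if pow(G, count, P) == m:
            return count
    raise ValueError("decrypted tally is not a valid count")


def run_election(votes):
    """Cast every vote, reject a malformed ballot, return the yes count."""
    x, y = keygen()
    ballots = []
    for v in votes:
        ct, proof = cast_vote(y, v)
        assert verify_vote(y, ct, proof)
        ballots.append(ct)
    # A cheater encrypts g^5 (five yes votes in one ballot) and attaches the
    # proof from an honest ballot.  The challenge is bound to the ciphertext,
    # so the borrowed proof fails and the ballot is never stored.
    ct, proof = cast_vote(y, 1)
    forged = (ct[0], ct[1] * pow(G, 4, P) % P)   # same r, plaintext g^5
    assert not verify_vote(y, forged, proof)
    return tally(x, ballots)


if __name__ == "__main__":
    print(run_election([1, 0, 0, 0]))   # 1
```

The contract never sees `x`, `r` or `v`: it stores only ciphertexts that passed `verify_vote`, and the four equations it checks are exactly the kind of modular exponentiations whose gas cost the speaker discusses later.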
The idea is that we can do some type of commitment on the final result of the computation. So now each cloud will send their commitment to the contract and that will be stored, and later on they will reveal and open that commitment to Alice via some private channel. Alice can then compare both of the opened commitments, and she can see that they've both done the same computation and got the same result, and they've both committed to this end result in the contract. Now what Alice needs to do is convince the contract that both of the clouds did the computation correctly and that they did both indeed commit to the same result, and we can do this using an equality zero knowledge proof. So the idea is, I'm given two Pedersen commitments, and I can prove to you that they both commit to the same message without revealing what the message is. So essentially what Alice can do is say, okay, yes, both of the clouds did the work. She sends the robot, or smart contract, this equality proof, and then the contract will get the two commitments it received from the clouds, it'll use those as input to the proof, and then the contract will be convinced that both of the clouds did the same work, and then it'll reward the clouds for their hard work. So that's really cool that we can actually do this. Now of course, in this application you could argue, well, both of the clouds can collude and not do the computation but still get the money from Alice. We're going to ignore that for the security experts, but we have done some work in this area.
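The outsourcing protocol above, as an added Python model that is not the speaker's counter-collusion contracts or LocalCrypto.sol: both clouds Pedersen-commit to their result, open to Alice over a private channel, and Alice sends the contract a proof that the two stored commitments open to the same value without the contract ever learning that value. The equality proof is a Schnorr proof of knowledge of r1 - r2 for C1 / C2 = h^(r1 - r2), made non-interactive with a Fiat-Shamir hash. The toy group, the outsourced computation (sum of squares) and the bounty amount are assumptions made for this example.

```python
import hashlib
import secrets

# Toy safe-prime group constructed for this example (p = 2q + 1).  G and H
# are two generators of the order-q subgroup; Pedersen needs nobody to know
# log_G(H), which in practice is ensured by deriving H with a hash-to-group
# procedure.  Real deployments use a 2048-bit group or an elliptic curve.
P, Q, G, H = 1019, 509, 4, 9


def commit(m, r=None):
    """Pedersen commitment C = g^m * h^r with fresh randomness r."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, m % Q, P) * pow(H, r, P) % P, r


def open_commitment(c, m, r):
    """Alice's private-channel check that (m, r) opens c."""
    return commit(m, r)[0] == c


def challenge(*elems):
    """Fiat-Shamir challenge in [1, q-1] over the public transcript."""
    data = ",".join(str(e) for e in elems).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def prove_equal(c1, r1, c2, r2):
    """If c1 and c2 commit to the same m, then c1 / c2 = h^(r1 - r2); prove
    knowledge of that exponent d without revealing m, r1 or r2."""
    d = (r1 - r2) % Q
    w = secrets.randbelow(Q)
    a = pow(H, w, P)
    e = challenge(c1, c2, a)
    return a, (w + e * d) % Q


def verify_equal(c1, c2, proof):
    """What the contract runs on its two stored commitments and the proof."""
    a, s = proof
    e = challenge(c1, c2, a)
    ratio = c1 * pow(c2, P - 2, P) % P          # c1 / c2 mod p
    return pow(H, s, P) == a * pow(ratio, e, P) % P


def outsourced_job(xs):
    """The computation Alice outsources (sum of squares, an assumption)."""
    return sum(x * x for x in xs)


def run_protocol(cloud_results, bounty=10):
    """Two clouds commit on-chain and open to Alice off-chain; Alice proves
    equality to the contract, which pays only if the proof verifies.
    Returns (paid, amount per cloud)."""
    m1, m2 = cloud_results
    c1, r1 = commit(m1)                      # both commitments are stored on-chain
    c2, r2 = commit(m2)
    # Off-chain: each cloud sends Alice its opening; she checks them locally.
    if not (open_commitment(c1, m1, r1) and open_commitment(c2, m2, r2)):
        return False, 0
    proof = prove_equal(c1, r1, c2, r2)      # needs r1, r2; the contract never sees m
    # On-chain: the contract only ever sees c1, c2 and the proof.
    if verify_equal(c1, c2, proof):
        return True, bounty // 2
    return False, 0


if __name__ == "__main__":
    honest = outsourced_job([1, 2, 3, 4])                  # 30
    print(run_protocol((honest, honest)))                  # (True, 5)
    print(run_protocol((honest, honest + 1)))              # (False, 0): results differ
```

When the results differ, c1 / c2 = g^(m1 - m2) * h^d is not a pure power of h, so no response s satisfies the contract's check and the bounty is not paid; when they match, the contract learns only that the two hidden values are equal, which is all Alice wants it to know.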
So if you're interested afterwards I can talk about it offline. But essentially what I now want to talk about is LocalCrypto.sol. So these cryptographic primitives are implemented in Solidity and they're available for experiments. The first three were used for my voting system, the second two were used in the anti-collusion smart contracts I just spoke about, and there's another one that's under review, but I won't go into that too much at the moment.

Ideally what I wanted to do now, and this is my disclaimer, I wanted to have gas costs from before and after the hard fork, because now Ethereum supports elliptic curve mathematics natively. Unfortunately, I've not managed to get the new opcodes to work, so if someone in the room is very familiar with that, you can talk to me afterwards and hopefully for Friday I can have updated gas costs for how expensive this is. And I'll give you an example: the one-out-of-two zero knowledge proof before the hard fork would cost two point five million gas, which is really expensive considering a block only contains seven million gas. I think it was roughly like three or four dollars or something. Now that the hard fork's happened, the gas cost should hopefully be in the region of two hundred to three hundred thousand gas, but I still need to, you know, get experimental results to say yes, that is actually the real gas cost.

Now I'd like to finish by talking about other pieces of work. So I'm not the only researcher who's been looking at applications of cryptography on the blockchain, and I'm going to highlight some papers that I thought were really interesting. So one was by Andrew Miller, called decentralized poker, and the idea is that a group of people can play poker as a smart contract, and everything's done using cryptography, so we can ensure that the cards are shuffled correctly and that I have two private cards, and we're actually playing this game in a way where everybody can verify that it is correct.
The second one is by Sarah Meiklejohn, who works for me at UCL, and they have a scheme that's a bit similar to CoinJoin. So everyone can deposit coins into a central smart contract, and then using ring signatures they can withdraw their coins back from the contract in such a way where they're hiding in a group. So that's to achieve some type of financial privacy, and it's actually really cool, so I highly recommend reading that one. The third one is done by Arthur's group at ETH Zurich, and the idea is, let's just say we have a betting contract, and I am betting that Newcastle United is finally going to win the Premier League. We still never do, but let's just say I go on the BBC website, and then the BBC confirms that Newcastle United actually did win the Premier League. I can then prove to the contract that the BBC said that to me, and that's really useful for any oracle-type service. The fourth one is publicly verifiable secret sharing. So this is the SCRAPE protocol, and the idea is that they designed this scheme to work towards building a publicly verifiable random beacon, and this means that you could have some type of random number on Ethereum every so often, and that's really useful for gambling games and everything else. We built that in, well, I built that in Solidity, but it's only towards that goal and doesn't achieve it yet. Of course, there's my anonymous voting protocol and the counter-collusion contracts that I spoke about just before. So thank you very much for listening to this talk. Before I finish,
I have one takeaway message: cryptography is only one tool in our toolbox as engineers to solve problems. And if you think cryptography can solve your problem alone, then there's a really good quote by Roger Needham. He was a professor at Cambridge in the 80s, 90s and eventually in the early 2000s, and he said: if you think cryptography can solve your problem, you either don't understand cryptography or you don't understand your problem. Thank you for listening.