 50B is one of the experience conferences that we are doing, earlier we did 7, 8, 7, 7, but thanks to one of the D.V.R. decks that we have hosted for the conference for the 25th Jan. And the stock nicely takes off from the last conversation we had with Manjula. Manjula spoke about authentication and payments. And I think the issues that basically came up in the product is that I think authentication is such a complicated mess and just to be able to understand what the problem is in the system. And I think we sort of left with this position that the fundamental problem is how do you authenticate? What are the sources of authentication over here? And the technology is probably the second level problem, it's not even a problem. So what we got to figure out is how do we sort out this problem of authentication. And when I got introduced to Christian and what he was doing, as a nice way to take off from that conversation, I think the director did too well that she managed to put out a complicated talk into something that was still accessible. I think at the end of it Christian left with things like maybe Manjula more offered to talk more about this topic. But I'm glad she's here and Christian is here. I had just come back from a very dystopian kind of an event. So I'm going to let Christian introduce himself. We're at a music festival in Halseesal. And the interesting thing was that everybody, all the Pellawalas over there, had to have credit cards, the machines that they have like ATM and all that. And in spite of that, because there was just one cell phone tower and three thousand people in the festival, we had such a hard time during the transition that I was just wondering like, you know, are we going to get through the way or not? So I think we're still coming out of that experience. But just briefly, Christian is going to talk to us about the system that's been created over here. And I'm expecting that there will be a lot of questions for you there to follow. And I'm going to let you introduce yourself and take your power from here. Thanks for coming in. Thank you for the introduction. And thanks to Esti for having me. Now, really bad self-interjection. So I'm first of all the GNU maintainer of GNU Tower. So GNU, as you all know, is the version of the free software movement. And GNU has lots of packages. I'm sure you've all heard of it. GCC, GDB, Emacs and others. And so GNU Tower is another GNU package. And you can maintain out of that. And together with some of my colleagues, we're working at INRIA, which is the National Institute for Research and Computer Science and Mathematics. We're developing a follow there. Well, do I need to start with the motivation here? I'm not sure. Well, we like to have cash. Kind of necessary these days, still. Now, when you talked about the authentication question, one of the things, do we really want to authenticate for cash? And I want to remind you of a little thing that happened in 1971. Well, they asked an American think tank, right? The corporations want these big traditional American think tanks. Suppose you were an advisor to the head of the KGB, the Soviet secret police, right? Which is usually not considered to be a very good and friendly organization for democratic countries. Supposed to give me the assignment of designing a system for the surveillance of all citizens and visitors within the boundaries of the USSR. Well, it's a bit more, right? The system is not too obstructive or obvious. What would be your decision? Do you know what the result was of this study? That is credit cards. Credit cards, yes. They pretty much propose the water credit cards. Because, of course, if I do this, I know where you are, what you do. For pretty much anything that matters, right? Taking a cab, buying something, eating food, whatever you do. Most of the things that will be included. Some of the tight economically. So, one claim would be to say, I think these are quite simply too transparent to really facilitate a democratic society in the first place. Now, as hackers, we all know about Bitcoin. He does not know about Bitcoin at all here. Yeah, exactly. Which is, in some sense, this proposal is saying, okay, we don't want this regulated system. We want to do something completely done by hackers. These centralized P2P systems done in free software. So it's very hard to stop this, right? Nobody's income is normal. Nobody's in charge of this code. And this lack of regulation, the fact that there is nobody in charge of this code is always consistent with advertisers, right? There is no central bank. Nobody will set interest rates. There can't be a moody. Right? Isn't that the slogan that the Bitcoiners would use here these days? No possibility of demonetization. You know what I'm saying? Well, these centralized banking requires this Byzantine consensus where everybody agrees on what the balance is. And Bitcoin had this great solution of tying initial accumulation hardware in the first place to solving the Byzantine consensus problem through mining. Now, this group of work computation is very expensive by design. And as a result, it's very expensive banking. And how expensive? Well, here's the historical chart of the transaction costs of Bitcoin. Now, how do we get to this chart? We look at how much we take one transaction, which comes with transaction fees. And of course, lots of transactions are put into a block. And then this block is mined and the miner gets the reward for the transaction fees plus the mining reward itself as new Bitcoins are being created. So we take the total number of Bitcoins being created plus the transaction fees and divide this by the number of transactions in the block. Multiply this by the current value of Bitcoin converted to US dollars. Makes sense? That's the cost for transaction. And this is also how much energy a rational miner could invest into mining a block. Which also makes this as much common dioxide as we're going to blow into the atmosphere for per transaction. Notice this here, it peaked at around $100. It's still around $5 per transaction. Now, $5 per transaction. So, most of the things that you're really having problems with these days in India, if you pay $5 transaction fee, don't bother paying, right? It's ridiculous, right? I mean, you get your dinner for $5 or less, but usually much less. And so, this is not going to work for most transactions. In fact, if you look at the average size of transactions done with Bitcoin, they're typically transferring values of about $1,000 on average. Right? Now, if I transfer $1,000 at paying, you know, $10, $5, $10 a fees, it might be okay, especially for global transfers, so banks usually charge a lot. But this is not what we can run our economy on. At least not most of it. The other thing about Bitcoin is the cartography is rather primitive. It's mostly on hashes. In particular, all Bitcoin transactions are public and linkable. Now, this has two implications. I do not have good privacy guarantees with Bitcoin. I have these accounts which are hash keys, or public keys of my wallet, and somebody might be able to trace my transaction because they're all public. Anybody might, in fact. On the other hand, as a government, I might not be able to. I might be unlucky. So the citizen, I have no guarantees of privacy, and as a government, I have no guarantees of accountability. Right? It's just hard for both sides to give anything trouble. Now, of course, not having privacy guarantees meant there was research done on how to achieve privacy with it. And so, if you look at zero coin crypto node and zero cash or Zcoin these days, they offer unlinkable transactions which are very anonymous when they do the transactions. Now, this comes to the cost that transactions are even more expensive. And what we have to ask ourselves is basically, this society is going to form a domestic economy. The one selling point Moody had for me was to say I want to curb the right way. I want to curb corruption. Most people agree that that's usually a bad thing. Now, with these kind of systems where nobody can trace anything, nobody can control anything, but guess what? Corruption, crime, they love this. And in fact, they also can pay the high transaction fees. If I sell the normal, I'm dangerous to legal drugs, if I take bribes, I might be able to pay 100 euros to transaction fee for a transaction. But if I want to buy my dinner, I won't. So they are not the answer. Of course, the answer is no. And our goal was to really build a cash that is socially responsible and not explain to what I mean by that. So Tata actually is an acronym that stands for taxable, anonymous and group electronic reserves. So I'm going to explain what all of these drugs mean. But taxable at a high level means the government can see income. Whenever you receive money, be it because you're working or because you're selling something, the government should be able to see okay, you receive this amount of money. So taxable. On the other hand, if you spend money when you give money at a store when you pay for something, you can't be anonymous. You never have to authenticate here. It's very nice because we don't have this authentication problem, but it also helps with other things. And of course it protects our similarities. People, because they're making a free software, and as an open standard, there's no patents on it. Anywhere. And that's also important because this has to be a comment. If you transition your economy to use Visa or MasterCard, what's this thing here that's coming from? We'll bring it here. Okay, you've got a bunch of jellies. Then if those companies take over, they can charge you 1%, 5%, 10%, if you're locked into that, you'll pay whatever fees they have. If this is a foreign company, what they can do to your economy whatever they want, they won't be directly impacted. If it's an open standard based on free software, then you can run this with any number of competitors within your country. You don't have to worry about some foreign government saying this is not illegal, we're not going to give you the license, we're going to charge you high fees but not being out of your control. So if you want to have any kind of digital sovereignty as individuals as well as a country, you want to make sure that your payment just like in some sense, rupees were kind of the covenants because the process was owned by the government. If you go to a decision to a private economy, this will no longer be the case and that is a very big fundamental change in terms of how individuality can live relax. So that people, it's not just a small thing. And of course it's electronic which means it's supposed to be practical and easy and all of that, and resource friendly because we do not use expensive global work calculations So what's the high level architecture? Well we have a payment service provider which we call the exchange. Now the exchange does not convert between two different currencies, it's not like Bitcoin in your currency, all it does it takes your rupees that are in your bank account and converts them into rupees in your electronic wallet or it takes rupees from an electronic wallet and converts them back into rupees in your bank account. So it's really like an ATM that can also take cash, right? Take cash, output cash, that's what the exchange does. And you as a customer would go with your electronic wallet and withdraw coins with the help of the exchange provider. Once you have a familiar wallet you can spend the coins at a merchant the merchant would then have to deposit them in the exchange he cannot act as a customer and spend them again and because he has to deposit them at the exchange to put them into his bank account the state can say, oh you've got money so it's not transitive on purpose and finally we have an auditing component which makes sure the exchange operates correctly that's required because what really happens is of course the customer has some bank account but he transfers the money from his bank account to the provider and returns it at 20 tokens and in the end when the merchant deposits this the exchange will send it to the bank account of the merchant and in the meantime the exchange has the money in its bank account everything makes sure it doesn't run away with it and does it all properly now this is actually an electronic process the exchange will have cryptographic proof that it operates correctly it can show how much money it has to have in the bank it can show that these are the outgoing transfers it had to make and so on so it can prove that it operates correctly this is not what some person is looking at or what someone is talking about okay at this point I wanted to start with the demonstration of how the system works because I think this is really important to understand what all critical benefits are so I've turned away now now I should say you can all do this demo on your own computers anytime the website is public you can just install a Chrome browser here without anything so this is just like you would do it with your app when you go to our demo page the first step you have to do is you have to install the title of wallet in your browser so let's go to the installation page here I have Chrome I have to say add the extension from Chrome to the browser I'll quickly download it now I'll pass the networking into it it's not because of the cycle oh is it? yeah okay it was working though so this usually works a bit faster but you know the download is about 700 kilobytes so it's not gigantic okay so now I have it installed and the first step is obviously I'm going to go to my bank so here we created effectively a fake bank for testing purposes and so the first step for you would be to register at the bank to create a new account we made this very simple so now I've created myself a new bank account and this is a because it's a fake bank put in the currency kudos so you should read this as rupees except we do not have the license to operate in India and this is a very nice bank because it gives me a joining bonus of 100 kudos so I have some money to start with it's toy money and here is the integration with Tata and so my first step is going to be obviously to install some kudos into my electronic wallet so I'll say I would like to have 10 kudos now I have to select the payment service for the browser and here the wallet then shows me the fees are going to be here because as with any payment system there can be fees the payment service provider can set them at zero or whatever else he wants in our case we have also set them to show that there could be fees so 0.2 kudos in fees that's fine except now I'm back at the bank and we're doing the usual authentication step I have not used Indian banks recently but I'm sure you've had some kind of pin 10 method here so we've implemented pin 10 here in a very secure way so I'm going to initiate security of this and now I told the bank I as the customer authorized to transfer the 10 kudos that have been taken out of my account then they'll be put into my wallet so if I now click here you see I've got 9.8 kudos in the wallet now I can lock out so at this point I could become anonymous I could go over tour I can change my IP address delete all the copies whatever so this is no longer tied to my accounts if people get this wrong I think it's still tied to my bank I know the bank from now on I will no longer be able to distinguish this customer and this browser from any other of its customers or rather exchange service for them all the coins are equal so now what we have done is we've created a shop again a nice little test shop here in this case we have an author who worked a bit very commercial and he's trying to sell his book and we have the usual teasers for the articles we can say ok I would like to know why I should release this software at the university and now it goes and says well you have to pay to read this article and so I can say ok I'm going to confirm the payment and if I do confirm the payment payment happens this was the payment process ok this was real it was a software in France it was your network connection here from India and it had a full payment cryptographically secured and as a user it didn't see any crypto now I have to warn you you're going to see the crypto later right but for the users our goal was that they should not have to deal now I can do some other fun things now I can buy another article I have to do one more payment one very quickly now I can also say ok well what happens if I already used this for buying newspaper articles it's the way I might navigate back to it so let's go back to this 8th article first one of these little things we expose if a merchant comes to us and says hey pay for this article have I already paid for exactly this article and if so I just tell him yes I already paid proof I already paid and then he goes ok here's the article directly and I don't have this interactive step however it is not possible for the merchant to figure out all of the things I bought they can only make me a proposal and if I say exactly this proposal I already have then I put the store here and show that I did it of course it's electronic wallet so I have my balance I can go to my transaction history and see what are the various things I have bought but this is all on my computer if I leave my wallet it will be gone if I lose my computer my money is gone now I can make backups so right now not very easily but in principle this will fall making backups and if you want to see what it really looks like there is this strong database function here which shows you the crazy you know crypto coins and everything that is actually stored on the computer do you have any questions about the demo yes when you say you know that you want the wallet your wallet knows what is the exchange no the exchange does not the exchange does not know who bought what and they also never know what was bought the exchange never gets the contracts the exchange only this amount plus bank address of the merchant plus hash of the contract and so if the government wants to do an audit they can say okay dear merchant you received 50 cents for hash of this contract now please show me what the hash of the contract is that's what the government would do in a tax audit so the payment service provider has no idea all he sees is I have to send 5 euros to this guy I have to send 20 rupees to this guy I have 20 proof I have to do this but that's all I know it's really data minimization it's privacy by design nobody gets any information they don't absolutely need so the payment service provider knows when you withdraw money because obviously his cash will come out of your account and so you can say how much money you withdrew you cannot say how much money you've got left on your computer you of course can say how much it is true where you spend and what you've spent it for however you do not ever get the account details of the merchant you get the hash of that and solve it so it can't be proved first yes can you please show a demo where you transfer 2 euros from Hasi to my account but you would have to set up a merchant okay right now we need to register as a user yes if you created a bank account you can use this for both in the demo but you have to because we currently only have the website you have to version you have to create some kind of website where you have done the merchant integration where you have configured your bank account to tell it to the shop and offer me the webpage where I can go and pay now we have tutorials for how to do this on our webpage if you want to do this on a merchant at the very bottom there's manuals for merchants and one will tell you how to set up the payment back end and the other one will tell you how to do the front integration with your web shop it's pretty easy I'm going to talk about some of these details later but if you want to do this and receive money you can do it and if you are happy with kudos you can do it I'm a little confused here what I want to understand is who owns the exchange and who owns the wallet this is an API it's an application which we can integrate in our own suppose I want to start a wallet company so I can integrate Teller into my Tyler is a couple of things Tyler is a protocol that we have defined and there's a webpage with the detailed specification so that's the open standard anybody can see how it's supposed to work Tyler as a new package is also a free software reference implementation where we give you this wallet where we give you examples of how to run a merchant where we give you an exchange service provider and where we're working on giving you an audit report right now if you want to go and write your own wallet or write your own merchant integration please try to make it free software but of course we have no control over that and as long as you abide by the protocol you can just do it and for running an exchange you basically usually will need the permission of the government for two reasons one of the governments usually you want to tie to existing banks and they will not let you do this without permission and secondly if the government gives you permission and says we are auditing you just like all the banks are being audited that's the reason why people will trust you to bring the bank their money because they believe that if the government audits the bank the bank is not going to be so likely to go bankrupt I even wrote but in this case of course if the auditor is run correctly the provider cannot go bankrupt but still you want to convince your users that you can't go bankrupt which means you have to have an auditor which typically means that you involve the government do you mean to say that Tyler cannot be used in India as long as the government doesn't run the exchange for it? the government doesn't have to run the exchange government doesn't have to run the bank but it has to give you permission to do so because as you integrate with the banking system they can find who you are and usually that ends up badly you can do this kind of thing about permission in Germany and the US the jail sentences are many many years I suspect in India it's not going to be any different so yes you have to have this permission on the other hand people tell me that in India getting permission to run an electronic banking system isn't that hard these days you have payment banks and corresponding banks and they are not very hard to run there are two between licenses for this one the payment bank and the corresponding bank yeah this is not a corresponding bank those corresponding banks let you become an E on behalf of your government they can operate like a E well then maybe this is like that okay okay let's go back to the visitation again, you can look at it also all the codes for these websites is all in public in your credit cards so what's the value proposition? for the customer you pay with one click compare this to verified by Visa and Cry right? you never have to be here by being rejected by false pauses and fraud detection when I swipe my credit card in India it's always you know double the five beats because what if it says in India what's he doing there rejected and then you run out of credit cards cash and then what do I do but here the money is in your wallet you have proof that this is your money there is not going to be any fraud detection the only fraud detection happens is if your wallet twice to double spend it will reject it but as long as you didn't hack your wallet software it can't happen it's secure like cash except of course you don't have counterfeit I know in India that used to be a big problem these days but here if you are able to counterfeit this you can break one of the other I have my privacy nobody can trace me nobody knows where I'm going right? so this will allow me to say donate to political parties to buy used articles that may not be agreeing with the government to travel where I want to travel without people knowing who I'm meeting it's stable because we do not introduce new currency huge currency fluctuations here you can pay in rupees, in euro, in dollar or in bitcoin whatever is typically for your transaction I ask you software so you don't have to worry about this thing doing more than it should for the merchants again the transactions are really fast which means your customers won't be so annoyed right? or won't abort in the middle you get the unsigned contracts you have electronic proofs of what happens you are sure that no legitimate customer will be burned by saying oh I can't do this because it's free software there should be competition and fair pricing as opposed to if you go for a monopoly like Apple Pay or Google Pay whatever they want the protocol itself is also of course very efficient and there is no possibility of fraud so there are no costs you can pay any currency of course the currency has to match between customer version or some banking service has to do the exchange you don't do the conversion between euros and dollars but in principle the system can pay any currency in any amount again you go as a merchant also works to have no fluctuation risk and of course it's unsuitable for a legal business that's also a good thing for your reputation he won't be in the same corner as the drug dealers and human traffickers and finally for Europeans it's good because this actually complies with European regulation in Europe soon people will require to use their privacy by designing a minimization by law so I'm very curious to see how other payments are going to realize those requirements for the government as I mentioned before three software taxability no black markets, no tax evasion so these are the key goals I will support in general for the demonization of India it's highly efficient which means lower transaction costs like a reduced bet that's good for the economy you have signed contracts no counterfeit problems you have bad banks because you can audit the providers automatically and even for the governments the privacy can be an advantage because there is such a thing like it does to the espionage there are people that want to figure out where profits are being made what your supply chain is like and if you can hide one half of the transactions this kind of espionage will be harder we know the NSA has switched if you switch this is a big international exchange we know of course that they will look at Mastercard and Result Cartridge in fact I knew in 2000 they were looking at in-game trains of coins to trace money laundering so having a way that this makes it very hard because except for the customer really nobody knows and it's on the customer's computer it's very good to project against espionage now before we go into the technology if you want precise definition what we mean by taxability so we say it's taxable because as I mentioned before it's taxable when you get the coin you have to deposit it and that means the governments can see who you are the head of the contract is part of what has to be given the deposit data which means later the government could continue and say what did you sell here was it bicycles, was it computers, was it drugs if it's drugs you probably go to jail and therefore if they can trace your income they can say well this was income taxable now they might do this problem to you they don't have to do this for every transaction they might say every x years to pick the someone that right now I'm going to go to you check that you paid the right amount of taxes I'm just going to go through your transactions that year and see to send the total right taxation to the government and then for the rest of the time they may never know what they haven't at all and that's fine so the government knows what the merchants sold and how much now of course this is just what the payment system provides if the government says you are allowed to sell guns but only if you verify the identity of the buyer right then you just add the identity of the buyer into the contract based on whatever verification protocol the government prescribed to you right and then the government can see who bought the gun right but in general for both purchases the government would be insane to require you to do a strong identity check we would hope it doesn't do that we would hope it follows data minimization right and then if you buy a true gun you don't have to prove identity with finger print you're a scanner first so the key thing I'm taking away is the data minimization part it's the entity that you laid out in the beginning of your talk right so how much information the merchant needs how much information exchange needs how much information the consumer needs yes you get the bare minimum that can be added as voluntary I as the customer can of course disclose proof that I bought this to another party I could disclose this proof and go to court and say hey give me my car I paid for it so I have the proof right just like you as the merchant have the proof that I paid and that you should go to the exchange and say you have to send me my money right but you as the merchant also have the contract now if you don't give it to the exchange usually the state could of course compel you to do so so everybody has the information that they naturally minimally have and need and everything else is voluntarily not required by the payment system okay so these are the key things for taxability but there are some limitations we call them loopholes the rest of us draw loopholes when I go to the bank at the ATM and one of us draw cash just to take the normal thing I can put in my credit card and my pin code and then you can go there and take the cash out and then you can take the money the same applies here if I log into my bank site say withdraw things on your computer with your wallet you have it in your computer if I go to the bank site using your computer login with my password on your computer allow you with your wallet to withdraw cash onto your computer using my account so I guess what then you receive money and the system will think that I got it at the time of withdrawal then it could go to somebody else that's the withdrawn point that's pretty much impossible to prevent for any kind of payment system at the normal ATM I can put in my credit card and you take the cash out you're sure it's not counterfeit you got it and everybody will think it was me but it requires my collaboration at the time of withdrawal the second one is a bit more subtle which is of course I can share my wallet with others and I want it now this is not giving you the same as allowing you to withdraw it because now we both have the money it's just data computers are a good copy now what happens at this point is that either of us can spend the money but whoever spends it first wins and the second person loses and of course I cannot really prove to you that I deleted it from my computer even if you see me typing in the RM command I might have made it back up earlier right so here this is if I share like this the wallet state that's between my family and friends if we trust each other if you're my wife, if you're my spouse if you're my kid who gets pocket change am I transferring mine to you that way if this is a business transaction or I'm really buying something and the store has to go well he may give me the money or he might spend it in another store he may have already spent it in another store I might not get anything but they will not like this they will not like to just copy over the coin but isn't that also a little force for awarding Dr. Taxi? yes but what we say we distinguish between transaction and transfer or what we call sharing so we may say sharing doesn't have to be taxable when I share within my family money I have a joint account for my family transfers between me and my family members but if I buy my friend a drink that doesn't have to be taxable if it's a mutually exclusive transfer of value I give you the money and I no longer have it that is a transaction that we want to have taxable if you share the wallet with the money that's how black money gets won no because the merchant can't be sure that he actually got it I might bribe 5 politicians just to say 15% I think there is that cost between merchant and buyer if there is that much trust we say it's okay that it's not taxable because then it's really a family or friends just to like what happens in a regular store you ask for you show the credit card and say it's 2% and then you pay 10 that's your point I mean sent you the merchant just saying give me the cash yes but he has to trust you not to have spent somewhere else that's the point because you're not giving it to me you're just giving me a copy you can do this at multiple merchants and in the end he's out the money he's taking a high risk he's taking the risk that he got nothing that's the point if you're that close that the guy is willing to take the risk that he got nothing no but he may get nothing he may save the 5% tax he may get nothing because I might have given the money to somebody else the same way or I might have spent the money the regular way I gave him just an old copy of an old coin that was already worthless so what if you have a black exchange that's the point nobody would trust the black exchange because in the end the exchange can always have money it's not valid so how do you do it how do you exchange online detection when you go to the merchant you give him the payment the merchant goes immediately to the exchange deposits the money, the exchange comes back to the merchant says this was spent the first time and then the merchant says it was successful no I actually meant it's the same exchange no there can be many exchanges but the customer will pick which one he likes what is your exchange what is your exchange the exchange is the exchange that the customer has the exchange is tied to the coin now the merchant can say I want to accept exchanges that are audited by these auditors and then have fees that aren't high I'm going to only pay fees up to this amount if the fees are higher you have to cover them so the merchant can impose constraints on the payment process but he has to select the exchange so it's like he also picks the currency usually and he makes it proposed okay now I was thinking of the existence of an exchange in Ukraine or something for Indian transactions so this sort of friendly neighborhood transaction they both agree to use that exchange essentially value the choice of the exchange makes no difference here the friendly discussion the friendly exchange here happens without the exchange that's the point if I just copy what the friendly exchange happened without the exchange the merchant and this buyer would be that the merchant wouldn't be entirely sure that they actually had the money to give and if there were a black exchange sitting in the Ukraine these guys would balance it against the black exchange proceeding to give money to each other and it would effectively be untaxable so it's a licensed exchange so I'm not sure the merchant could he gets the black exchange and we ask has this coin been spent but 5 milliseconds later he hasn't spent yet 5 minutes later it might be spent so without having this agreement from the exchange and you are the one who's going to get the money you may get nothing the whole sharing process works on how fast the exchange is no if there's a delay in the exchange there might be multiple transactions if there's a delay because the delay between the first transaction and the second transaction the wrong transaction might go to it no because the merchant would only say this transaction was successful and after he got the confirmation from the exchange so if you spent your money twice one of the two will come faster to the exchange the exchange will let the first one say this is it the second one will say a double spent and it comes back and one of the merchants will say it was successful and the other one was not but if you share the coin you cannot be sure that you are going to belong then you know that when you spend the first time it will be good so sharing only works if you can really trust the other party ultimately not have spent the money already confirmation of payment from the wallet via the exchange is it only done after you get the confirmation from the exchange so you spend and then the other connectivity is there and you have spent somehow there is no connectivity and the wallet has money this is a money payment system you can only spend money if you are online right am I spending money as coins or am I spending money from my wallet you are spending your money as coins from your wallet so for example if I am sharing it with my friends and family and both of us are trying to do a payment using for example if I initiate a payment will it go through with a specific coin that I am using or will it go through as an initiate from a particular wallet no it will just use a coin the wallet itself is just a piece of software the wallet has no identifiers in that case if I give the coin to my family how would they be notified in case I have already spent it if you want to really give a coin to your family you have to just need it from your wallet locally I would say then you have given it to them otherwise you risk that both of you try to spend it and one of them goes against an error if you are spending a wallet they are just improperly yes now you might of course share a wallet by having a synchronization service that keeps them both in sync all the time which is what you might do if you have multiple devices so let's look a bit at how it works so first of all we decided that we will expose one bit of information to websites namely is the taller wallet present in the browser or not this is so that the browser site can say here enable the taller payment option if it's there not show it if it's not supported by the user and simple ways you use our shared library and then you can do your JavaScript taller on present or taller on apps and do something else and thereby say activate elements or deactivate elements in your web page depending on how you are being present you can also do all of the interactions that you have mentioned including payment and this without JavaScript being enabled at all in the browser here you would use CSS where you can say CSS visible if taller is there invisible if taller is not there and also the rest of the payment all works without JavaScript being enabled in the browser for websites now how do you do payment well basically once you have built a shopping cart you know what the user wants when the user clicks go buy it you send a response back it should be 4 or 2 payment required who has seen the status code before so in respect for it 4 or 2 all places right it's below 4 or 3 so and in our case we just have to send Xtaller contract girl some address where the wallet can fetch the contract and then what you do is you send the normal body that you would send for credit card payments so if the browser does not have color installed while the user will get this and this line will be ignored and in fact the 4 or 2 status code is pretty much just read like 200 okay here is render the body if the taller wallet is installed or 2 wallet goes up that's my signal grabs this thing fetches the contract, shows the contract to the user and allows you to access the payment so this is how the payment starts very easy there what does the contract look like well this is a bit messy we have things like what is the payment amount who are the acceptable auditors what are possible rules for the exchange how long does the offer a balance the fulfillment of your health says once the user says I want to buy this thing where do you go what is the fee structure that is allowed what is your address what is the public key of the merchant what is actually being bought how long can you get refunds and so on we have a long specifications of possible fields and something is missing please let us know but this is just basically the specification of what the deal is I should mention after you go to the fillbook for the material what basically happens is the browser goes there you say hey payment required the browser will post to you the coins you pass the coins to the exchange you just pass actually the flow basically what you get from the browser the payment goes to 200 okay payment successful or error code if the payment fail you give the error message back to the wallet it is pretty simple after what is being met now let me explain to you now how the mathematics works just a number exactly are the coins passive on that you are so the payment related to the money the fee is given no you can do this at the end because this is a recording and I don't want people to look at the recording so basically if you in the fulfillment URL when you go there the first time then you get a payment required again and there it says what the address is where the coins have been posted if you look at the space paper it is on my web page all of these things I will also look at in detail now for the control this is where the payment goes that is the first produce okay look at the years these are the years when the primitives we are using the things we are combining were pretty much first in the literature so unlike some of the other payments you will see that they are rather ancient which means we have been studying them for 40 years and they haven't really been broken for 40 years now of course we don't use mb4 as the cryptographic hash function but if you think you can break shaft 512 well go for it you know blind signatures based on rsa say 2048 you know break that if taller is the only thing that falls I would be very surprised right digital signatures same thing if you have an e-h change using elliptic curves on curve 25519 you know please go for it you know there is lots of really really good prices waiting for you if you break any of these and this is in contrast to some of the other things most like zcash where the constructions are like one two or three years old and in the last year I have suddenly lost 15% 20% of the strength because of a new attack coming out against it so these are really time-tested constructions and I will explain to you how they are being combined so you can go ahead break them okay first of all I know it says elliptic curve on this slide do not panic you all know what a curve is right set of points to the space and so we can understand that they have points on a curve right and so suppose we are given some curve made up by some crazy mathematician then we can pick a point on that curve and say that is the generator g okay and if I have elliptic curve it is a group which has a group operation which means I can take two points and add them to each other and I get another point now the additional is pretty much you draw a line between the two points there will be a third point where it meets on the curve you take the complement of it and another point on the curve but you don't have to understand how two points are being added another point I can add two I and I will get a third point always okay so which means if I add g plus g I can call this 2g right and if I add another times g I have 3g which also of course means if I take some scalar some number you know 5, 10, 15, 15 billion times d I can do multiplication with a scalar okay are you ready with me so far? from addition to multiplication is pretty easy now it turns out all these elliptic curves they are a group which means if I do this 4 times we are always defined as the group order and some prime number 4 times plus 1 I am back at g it rolls around it is like a module also the key problems now one more thing which is if I give you some c if I give you some curve pixie some point and I ask you what is the small c what is the factor against this generator basically you want to do c divided by g right well there is no efficient way for you to do that you know to really more or less try a lot and given the elliptic curve we use fields of 2 to the 250 something or both or the group size I will show you using the energy of this universe to do this right so if you can break this people have been studying this for 50 years please get your fields right so that is pretty much all you think about it to curves so why do the other so-called weaker wallets don't do that I would not say that we don't want to use that it depends on what kind of wallets you have but we don't just use them use lots of other things and just giving this as one little bit of background before we go into the real thing okay the elliptic curve is part of the elliptic curve which is basically basically this well the elliptic curve can work on you know explanation with more like rsa or it can use the elliptic curves so for the elliptic curve the elliptic curve okay but first of all you will now see a crazy number of public-private key pairs and I'm only showing you a subset of the number of public-private key pairs in the system to kind of focus on the important ones right so this is okay so first of all in the setup phase when we are the exchange provider we're going to create an rsa key pair right so if you like the mathematics look on the left alright if you like pictures look on the right okay so this is I always give the full math which means of course if you understand you know that this works out at the end fine if you don't trust us the math is pretty simple yeah yeah so this is total function yes and this is by the way it's really canonical rsa at this point but let me try to stick to the pictures for the explanation so we roll some dice generate some numbers p and q from those numbers we're going to derive the seal which is like the public key something saying this is the valid point later alright and a hammer that's the private key and we can use the private key to apply the seal to something right this is minting alright signing so the hammer is what we're used to signing to see this what everybody knows this is a valid thing so it's like the printing press for making new rupees right everybody knows what it looks like but only a few people have to hopefully only a few people have to okay now second thing set up as a merchant I have to create myself a public private key pair for signing contracts so I'll take a random m small number and multiply this by g now what does this mean I now have the capability small m to do digital signature using the two curve signature schemes which pretty much looks like this this is proof signed by m now everybody can see that was signed by this merchant as long as he keeps a small m secret only he can do this as the customer when I want to withdraw coins first thing I do I follow my dice generate a small c and calculate the big c I visualize the big c by putting the actual public key on the rim so it's a unique thing you know the c's are so large that if two people read your generate a random number there is no chance that they will be a collision by accident it just will not happen you're more likely to die by meters so I can lightning at the same time as them you know sun goes supernova or something what but this is proof by opinion education yeah so now well first of all we have this a plan sheet and we have the capability small c to apply a seal with the coin right this coin improves notice when we sign contracts you'll sign them as the customer we will sign them with the coins and since they are our coins signing with the coins is I accept and hereby I pay at the same time ok now I need to withdraw so again I'm going to throw up generate a random b and I'm going to use that to mask the plan sheet I'm going to put the plan sheet effectively into an envelope signed as locked by b so without knowing small b you can't open this envelope that's the key concept of blind signatures so it's in this envelope it's on my plan sheet and I'm going to set this to the exchange and the exchange takes a hammer and hammer is on the envelope right and sends the result back to the customer of course when I do this transmission I tell the exchange I am this customer please sign this coin and we deduct the respective amount for my thing and so on what we don't have to show then and then well since I have small b I can open the envelope and get out the signed coin so basically the hammer applies through the envelope onto the coin which now means this is a real coin the longer a plan sheet now it has value because it has been signed by the exchange provider as a real one on the other hand the exchange does not know the specific serial number the public key that's on the coin it could not open the envelope which means when I spend it it is not tied to me to my identity so you look at the demo how does this work again well here's your bank you authenticate against your bank you say I would like to withdraw certain amount the wallet is going to go to the etada exchange you say hey what kind of coins do you have available what kind of denominations what are the fees gets those user says okay then you execute the withdrawal from the bank who you are authenticate please whatever he withdraws the coins sends the money to the provider he goes to the provider and says hey I want to get my coin here's your coin I'm lining up I've got my coins let's go shopping shopping of course initially means that I find myself some merchant and someone will negotiate with him some terms some proposal of what we need to do then what happens is let's call it D the merchant will go and sign it saying this is an offer first negotiate something can be very simple let's just click on the perspective link but the merchant first starts and says I offer you this under these terms sign the merchant then it says to the customer that's the 4 or 2 and as the customer well I take my small C I say signed now of course if one C is enough I might apply multiple coins in details um sign the coin and I send it together with the real coin to the merchant the merchant says hey this is a real coin right if something passes it on to the exchange and the exchange says hey this is one of mine does the same check well then it looks hey have I seen this coin before database hookup no I haven't valid yes I have the old signature whether it's a hash of the contract here send me the old signature as proof that it's double spent or I send you a message saying yes it's okay you know payment accepted and then we know payment went through virtual delivers the article and everybody's happy again let's look like in the browser you know negotiate what you want you select possible tile of payment method you tell your model yes I like this to the fulfillment URL merchant says hey this is the piece pay you send the payment the merchant follows the tile exchange the payment the browser re-loads the fulfillment URL you send the correct resource back that the user bought or just a confirmation page your shipment is on the way over any questions about the process small problems except for the nice vibrant integration it was 25 years ago and then patent it and therefore not usable for a while for free and software but one problem I was always there which is if I want to pay for 100 euros or one lakh if I use one rupee coins that's an awful lot of signing still each of these individual crypto operations is like a millisecond very fast but if I have to do 10,000 of these oh my god right? on the other hand if I withdraw say 10,000 rupee coin or actually it's 2,000 rupee coin and I want to pay 100 rupee bill with it and the system comes back what you can't it's a 2,000 rupee thing not so good right? so I don't want to have billions of one rupee coins and I do want to have a situation where the customer has enough rupees in his wallet he has 2,000 rupees but he can't spend them I got caught by lunch this way he has 2,000 rupees coins great so unless you like that situation we have to have a way to give what you would call change right? and we can't of course we don't use this coin to spend so we can't withdraw the exact change we never want to be in a situation where I have enough money in total but not the right change now there are 2 other goals we have when we do this exchange we want to maintain unlinkability which means if I use my money and spend it once to have something sent to my home and therefore I have disclosed my data to the merchant that would be okay now if I use the same thing where I need some hostile government political propaganda and they say hey this was the same guy because they used the same coin I can link the two transactions what's the change from this other transaction well I might find myself in jail in a really bad situation so we need for it to be unlinkable still even if I'm using the change for one transaction the next transaction nobody should be able to say this was the same guy it's coming from the same wallet right? so that's unlinkability you also want to maintain taxability which means that if I get changed from a transaction I shouldn't be that I didn't get the change but somebody else got the change if you look at the transaction there's change happening and somebody else gets it then that would be income that then he might not have to tax and I can't tax the change because if it's really just a change that goes to me well that's certainly not something I want to have pay income tax on on change so I have to have this tricky situation that I have to make sure the change goes to the same person that they had possibly before and that it's unlinkable to the option section 2G equals how do we do this? well first of all in the contract that I've signed with my coin I can specify hey I'm signing this with a 500 rupee coin but it's only worth 100 rupees which means the coins in that's 400 rupees worth alright? that's very easy and the exchange will only pay the merchant the 400 rupees and remember in the database the coin was fully spent but partially spent there is some value left very easy to do for any amount and then what we can do is we can go ask the wallet and say hey I own this coin I don't tell you I am I just I own this coin right? please give me change for the remaining value of the coin right? there's 400 rupees left please give me 400 rupee in return alright that's the high level idea so let me tell you a solution that doesn't work first so when I try to get this change what could I do? I just make myself a new planche I make myself a new planning factor put the mention down below ask the exchange to sign it alright and I authenticate not with my normal account but with the old coin saying this old coin compels the exchange to give me change why does this not work? well because this new coin may not be mine I could have him generate these two things send me the envelope and I take the envelope sign it with my old coin and say hey exchange please give me change exchange signs the coins and I give him the signatures and since I never had seen you but he does he has exclusive control over the new coin which means he had income and I give him the change this is why this doesn't work is that clear? so how do we fix it? first of all we need a diffie helmet so diffie helmet for those who haven't seen it is basically I can have two numbers which are private keys and they have the corresponding public keys and I can compute from this the diffie helmet of the two and the interesting thing is I can compute the diffie helmet of the private keys for one of the private keys and one of the public keys now if you look at the math it's not any simple right? capital D is DG capital H is HG and multiplication is commutative either of the private keys and one of the public keys or both of the private keys I can compute this and of course I can use this this is a big number again as input for generating other secret numbers like private keys so what do we do? I have my old private key for my old coin that I want to get changed for and I just make up a new number T just we call it a transfer key compute the diffie helmet of the two and from the diffie helmet I derive two other secret inputs the new key, point and the blinding factor and I can derive the envelope from that I will send that to the exchange now the first problem is if I do this from the exchange point of view this does not look any different than the strawman solution I send an envelope to the exchange so that's not going to give me anything because I have to guarantee this construction so what I first have to do is I have to do the construction three times like this I just use three T values and generate three envelopes and now the exchange is going to pick two of the three for me to demonstrate that this was well formed cut and choose what you call so basically if I cheat with a chance of 66% the exchange will say you cheated and keep my money and if I was honest and the tax rate was less than 2 thirds then it's all good the tax rate is more than 2 thirds so we have to do more than 3 so the exchange says right and then what I have to do is I have to send the T values the small T values of the ones that wasn't picked to the exchange the exchange can now take the old public key of the coin, the public key and the T1 also to the Diffie Harlem and compute the envelopes if that worked for two randomly chosen out of the three the exchange will believe that the third one was well formed as well right? now low guarantee but of course you have a guarantee of 2 and 3 of being caught and if being caught can use all of your money economically it doesn't make sense to cheat unless the penalty of taxation is more than 2 thirds yes so is 3 just in your example or is that the implementation? 3 is also the implementation because there are very few tax systems but more than 2 thirds are the taxes and of course then the cost goes up so this is a very expensive no then it gets expensive but of course you have to do some cartography here each time and you have to have the bandwidth for it so with 3 it's pretty cheap but with 10,000 this would start to get very expensive and there's no real reason because 10,000 versus 100 it means your taxation rate from 90% to 99% for 99% but this is an expert institution it's one overhead ok by the way unless your taxation rate is over 100% you can find a value that will work but I mean very few people pay more than 60% of tax benefits want to meet the point now if everything worked out then the exchange takes the third one the gamma one that it didn't get the t value 4 science it sends the result back to the customer the customer lines it has just changed this doesn't by itself quite fix everything that's going to be some change we also need one more step then your first suppose I'm having this scheme here I can do this whole scheme and have t3 if I want to transfer money to somebody else I just have t3 being picked by somebody else he's supposed to illicitly receive money from me so he picks t3 he can use my public key of my old coin doesn't matter do this computation I never know this they're all well formed just I did not know the c news and then of course he can get the final side of me and unwind it so the money was transferred to him but what the exchange does it says if you give me c old I will tell you t gamma the public t that wasn't picked it goes to 5.1 and the side envelope that I said earlier now if the exchange gives out these two values and I'm the owner of the original coin if I have c old we can apply the diffi howling in the third way and say combined c old is t gamma the public key here compute the diffi howling I can then derive the b and the c values and I have also the coin so basically the link will allow me as the owner of the old coin to get the new coin even if I didn't create it which reduces this to the sharing case so it's like if I had copied the coin between the two of us which is the case every set was acceptable even if he generated the whole thing even if he just first knew the coin well that's a millisecond earlier maybe I will still get it so to summarize the exchange protocol can be used to convert old coins to new coins also leaving change and the new coins will be owned by the same entity now if people trust each other ultimately they just want a big entity like that we can use this to give change we can also use this to give refunds if the merchant says yes you paid me I deposited the money but dear exchange I want to give the money back to the customer all the exchanges it puts the money back onto the coin in the database says the merchant says give it back I as a customer do the refresh for the value I got back and I'll have a new freshly minted coin unable to the original one and it's only possible that the original customer gets this coin and I don't even know who the customer was so I can give change to anonymous customers the other thing we can do is we can expire coins so as the exchange provider I do not want to keep the database forever unlike bitcoin so what I will do is this denomination is valid for 2 years and after 2 years if you still have it in your wallet please just go and exchange it for a new public private private for new coins that are freshly signed that are having and you can use this protocol to convert the keys of the coins that are going to expire into new coins and then obviously presumably most of the old coins have been spent only a few new coins were generated because most people don't withdraw things to not spend them ever and then I can expire the old database and say well these coins now have nobody should have them anymore and of course the wallets will do this automatically well this is an old bill 5 years old nobody has ever spent it I should exchange it for a new one because it's about to expire ok so those are the 3 main uses of this protocol question is about refraction can you expand a little bit on the refining process how does it work basically in the original contract when the merchant was depositing the coin at the exchange this public key was there visible for the exchange and Audit says he signs the message saying I want to give the customer money back from this deposit operation and specify how much does not be the full amount he sends this to the exchange remember the exchange with partial spending just deducts some amount of the coin value and he just puts it back on the coin value and now we use the refresh protocol because now the coin has again some value maybe it's his value to transfer it from that public key to a new public key so it's not linkable to this initial operation that was refunded so the refresh has to be initiated by the original customer the refresh is always initiated by the wallet so when you buy something and there's change left in your wallet it will automatically do this in the background and if you get a refund of course the merchant has to tell the exchange hey the customer gets the money back and someone has to tell the consumer hey you're getting money back that's logic okay two questions the whole coin will never be monetized and the second question is as I said if I put it in my physical bank for 20 years and then I come out of the bank grab it and go the point is if the exchange can set an expiration date because it may not want to keep state forever and because it has to detect double spending it has to keep all of the auto transactions around until this denomination key expires until the seal expires so in my example where I put the money in the background and put it in the physical bank then if you do this past expiration date it will be lost but remember this is for an economy this is not savings and loans if you want to do savings and loans put this in your bank account not in your wallet this is for commerce this is for economic activity not for saving so there's no real reason to put it in a thumb drive and put it in a vault if you say what if I have money left over and I want to spend it well just act like a merchant and pay yourself then it goes back into your bank account and then all you have to convince the tax authorities well it was an income because look I'm also the customer you have that proof so it's not like there's no way to get it all of you want it back into your bank account but your wallet should effectively be live to a frequency corresponding to the expiration times 12 points sorry the second question was what's the point of the old coin the old coin why does the future exist well as I said we need to be able to give change so that if somebody has a a donation that's larger than what the transaction is we need to be able to get change for the remaining value we need to we want to be able to give refunds which we can do with this and if coins do expire we want to be able to move them over to what is the purpose of the expiration so the database and the exchange does not grow indefinitely if I have to remember all coins that were ever spent at my provider for 100 billion years that's going to be a long storage space and I have to search this for every transaction for every deposit it's a hash table lookup so it's reasonably efficient but not if it's a billion records that's a problem because it will not grow forever and here no data has to be kept forever once but I can put my Bitcoin in my station forever so it's like I'm essentially doing the frozen coins thing well this is not a system for savings it's a different purpose so the question is that all points of time in the transaction whoever has information about your old coin has the most authority over the exchange and that's the wallet the wallet is the only one who ever gets the private key of any coin he don't give it to the merchant and is this wallet like stored centrally somewhere? no your wallet is on your computer it's your browser plugin or it can make your app anymore if one exists at some point or it can be a piece of hardware that you have but it's huge and nobody else needs to have any control over it so should we at this point just summarize the architecture this is really this is the this is the then maybe at some point we should summarize for those who came and made since the wallet was asked so here's again something water wallet so you have your browser and in our case the wallet is a web extension which runs in different contexts from the front page which means that when you see a contract it's not the version you can control and only this extension has access to the wallet state has access to your coins has access to your transaction history all the websites cannot access it assuming let's say the browser doesn't have the major security vulnerability in its old security model and these two only communicate effectively via signals sending here payment initiation or whatever then between the browser the web shop you have here whatever and the web shop itself consists of a front-end a usual built-in shopping cart delivery of goods to your business logic and when it has the contract it has two interactions it personally builds the contract sends it to the back end it will send back a signed version of it so the signing process can happen in the back end so it doesn't have access to the signing keys and similarly when the payment comes in it sends the payment to the back end the back end talks to the exchange comes back to the front-end so all of the crypto is actually in the Tata back end which we provide and so the front-end is really just concerned with building the adjacent contract and passing through requests likewise in the previous slide we were talking about the exchange like from 500 we want 5 denominations so are we considering this whole system at a digital level why are we talking about the change so are we going to get the real cash after using this wallet or everything is going to be transferred only digitally well this is all being transferred digitally the signature the signature that is 5 with RSA the digital signature of the exchange on a coin represents a particular value of digital denomination this signature is worth 1 rupee or 500 rupees and we need different denominations so I do not have this one set problem ok ok I understand that the wallet is part of the computer all of this is on your computer and this is on the merchant side so suppose by some accident there is no money yes it is similar to suppose I drop my wallet into the toilet the nice thing is you could make a backup right but of course you could make a backup of your wallet state in the cloud on a second computer you know but if you did not make a backup the backup does not duplicate the money no it does not duplicate the money because not all spending will be detected right so this is your physical wallet if you use control bridge you lose your money here there is 2 cases of losing control right if a hacker gets you know proxy computer you know controls it completely he can spend your money and then it is gone right whereas if you just drop your hard drive if you have a backup it is still ok the security of my wallet is not yes it is not so one of the key things in the whole system is if you of the three components exchange wallet or customer or merchant if they get hacked right it is their problem and nobody else gets hacked if I as a customer if my computer is under my control I may lose the money I have in my wallet nobody else can possibly lose anything right and how much I lose true that is my maximum risk but if I am the shop and I get hacked the most that can happen to me is that the money doesn't go to me but goes to the hacker right if never goes to the loss for the exchange or the loss for the customers I do not get any sensitive information about customers either right so again I am not going to lose I have to go to the newspaper and say oh sorry we lost 100 billion credit cards and please replace all of the credit cards can't happen to me similarly if the exchange provider is broken into yes you know somebody might be able to mint coins but then it's going to be the exchange who has to suffer the loss and not nobody else in case that let's say we use our money let's say normal currency normal currency works is there any way to file an address with the exchange that okay this was my wallet this is my private key I lost it and no you have no proof the exchange does not know who was the right customer all of the proof that this is real money don't you think that's a flaw in the design you must draw cash from the ATM and burn it try to go back and say sorry I burned my cash the house burned down as all of my cash in it please government give me back my millions of rupees you think this will do this that's the point if you just want to immediate the flaws of existing physical wallets then why would you go digital no we don't we have to share that same flaw that if I lose my digital wallet it's the same as if I lose my physical wallet because why would you eliminate that flaw because we don't quite have a choice we do it slightly better of course we can do backups we do it slightly better because we can do backups unlike cash we do not have this possibility of bribes and tax evasion unlike cash we do not have problems you know demonetization problems but we suddenly don't have change you just said that you are the demonetizer no I don't have problems with issuing lots of coins issuing it's electronic that's advantage I don't have to worry about cash distribution I don't have to worry about ATMs being out of cash you know as long as I don't have CPU power I am fine I don't need that much CPU power that would be an issue so I have many disadvantages of cash to go away the one that if I was to cash and lose it does not go away I have this traditional cash I can make backups but if I lose it if I lose all my backups or didn't make backups I still have the same risks there we don't solve all the problems there is just one question on the database having to be cleared every 2 years the posing for instance is required by law to be maintained for 5 years that's fine whatever this is configuration parameters you configure how long you have to we have 3 periods basically the coin can be issued for a certain period of time 2 points of this then a period where it can be spent possibly months years later and then I have an additional period where I preserve the database for unsettling legal disputes it could be that a customer goes to the last minute and says spend this something happens there is a disagreement and if I then delete everything I have no more proof so I have an additional period it might be additional many years I might hold this on cold storage and then I have a regulator and of course the business decisions of the exchange the compliance of the regulation says how long are these periods so the initial periods of how long to withdraw and how long it can be spent are partially business decisions by the exchange provider and then the how long to be stored afterwards is kind of of course a legal requirement that comes into play as well but the design allows us to at some point delete everything and still be correct is there a possibility of repeating a buffer value in the wallet kind of I don't want to withdraw every time from my bank that's usually what you should do yes, you do not ever want to withdraw the exact amount you are about to spend because then I can correlate those two things you should withdraw one block and then spend it over a month and withdraw another lot or something whether I want to maintain suppose 10,000 rupees every time in my wallet and I just want somewhere some threshold I just authenticate a payment and it gets back into my wallet a very nothing you authenticate it with strong operation is there a possibility of some risk because I don't want to the problem there would be the authentication with the bank if your bank allows some piece of software to automatically restore some amount from your bank account no, there needs an authentication from my end as well then it's a question of usability thing do you really want your wallet to pop up and say now please authenticate or is it something what you do consciously so I would believe the usual cases that we treat this really like we treat a physical wallet we know here we're running short on money it's easy to find out, look at the balance and then you go to the ATM and similarly if you're running short on money then you decide to go to your online banking side and just draw more this is one of the contrast to cash you go to a website, not half an hour in a queue so not all the problems of cash yeah we understand that there has been a coin in fact the exchange holds the actual but it's all actual currencies the exchange holds kind of the banking money in escrow so now let's have a little demonetization but the Japan had a case where the yen was suddenly divided by a hundred a hundred a hundred devaluation this is just how you shift the this has no real impact my mind is if you're buying the rough line how does the exchange change the other currency the question does not happen does this change the definition of yen do you have to change the definition of yen to yen2 or something like that do you go to a physical exchange where you can exchange this currency for the exchange so what's the deal on Ethereum when you compare it with Ethereum and Ether Ethereum has many very different goals we do not try to build distributed applications decentralized applications like this we do not try to have a computational engine it does not do computations here this is really just a payment system Ethereum tries to do something completely different than payment systems and of course Ethereum just shares the efficiency loss the efficiency of the blockchain whereas this is way more efficient remember we talked about the transaction costs on the blockchain which would also apply to Ethereum to some extent dollars here we're talking about transactions being ten hundred thousand times less expensive because basically transactions put a couple of things into a database computations and check a couple of cryptographic signatures those guys have also come up with a group like MetaMask they also sort of transfer payments from one merchant to the other and also these smart contracts we don't use smart contracts in that first part because we don't have a machine that executes arbitrary code it's just very different here there's competitors our cash try paying online this cash doesn't work but online this is going to be nice on the other hand the transaction cost will not work this is one of the key disadvantages especially in rural areas transaction costs we believe we're cheaper than any of the others but we are also much faster much easier for taxation the payer has better visibility of the other systems the AE whoever receives money has less visibility better security everything's proper crypto we do not have the conversion risks and of course just like these blockchain most of them we also play software and what about like people had invested in the Bitcoin earlier and had made a lot of money when the value goes up remember I had this slide on the pyramid scheme where you have an incentive to get more adapters because who you see on investment that doesn't happen here because you do not create a new currency can you say what the parameter is why is it here oh that's the one pay anonymity we have that here but the technology is a bit more cutting edge and here as I said this is for me a problem because I do not want people to receive money that they can easily hide from taxation one thing I was thinking as you said that the vendor cannot spend the Bitcoin without depositing it remember he doesn't really get the coin just gets a signature saying exchange please give this amount of the value of the coin to this vendor in a way it makes it a little more inflexible you don't have the transitivity of cash but we do this on purpose because the transitivity will allow people to evade taxes will allow people to take rights that's one of the key differences to cash but if I have got the money right now I cannot wait right now if there is no connectivity yes we know sorry just one point about taxation is there a system where the exchange gives the data to the government or the government certain data when the exchange wants to transfer money to the merchant let's go stop the exchange some hash and then with this hash anybody who can access this hash can go to the exchange and say what were the transactions and the transaction contract hashes there is an API for that this will be used by the merchant for his back office they could be used by the government to say hey you got money here let me find out but you only get the hashes of the contracts the match is this hash code and assuming Shafiq Fahab is secure you better give the real contract and say that the customer saw and exchange would be based in one country around the world no I expect that there will be many exchanges in each currency domain for multiple reasons first of all you want to stick with the regulation of the respective currency that will end with the culture that would be easier if you are in the country but secondly you get better network latency that way me doing demos with a server in France in India you would have a server in Delhi or Mumbai or one in Delhi and one in Mumbai and then you get better latency and of course the government would want that anyway you don't want your payment to be one in New York for India it makes no sense it makes it less tolerant higher latency makes no sense now of course you could if you want to go we have the new world currency but the system itself I want many providers so you have to go to an exchange every time right then the quicker you get to the exchange my short my question is if I got given my wallet to him and we both have a copy of the same wallet and I went to one exchange and he went to another exchange if you have the same exchange same coin same exchange the coin is tied to the exchange the exchange had the private key to sign as with one that you go to can my wallet have a coin signed by multiple exchanges multiple denominations all no problem is it exchange to exchange link how is that concept no the exchanges only talk to the existing banking system using the usual wire transmitters can I take a coin signed by one exchange and give it to the other exchange no what if the one exchange is facing connectivity issue it shouldn't it should be highly reliable and available if it's down it will high availability architecture high availability architecture if you need reliable connectivity if anybody is offline then the payments for that provider will not be working during that time period these things if you go to a building high availability system what do you want to do no the customer every customer can pay whatever exchange is commonly accepted by the merchants right so it could be that every bank that exists today runs an exchange for example it could be that there are fewer exchanges it could be that there are more exchanges it's a question of what is profit to operate you have to of course have this high availability architecture you have to convince people that you are a good exchange opening at no fees which means of course due to economies of scale but there can be many many for currency we have actually programmed that one exchange only does one currency because the rest just features it doesn't make it more complicated can you show some examples of business in this as in like the exchange as you said is a business I can start my exchange and charge people for converting can you give some examples of different businesses that can be modeled around this whole thing as you just mentioned if you are providing an exchange you have to have this you have your cost for providing an ideal mental structure but you do get can operate on fees for whatever you do now if you are a bank you might say I am going to offer this to my customers and only my customers for example with the banking web page I showed with their normal online banking and I use it as a way to attract customers because they like fast and cheap and easy payments as a merchant you would want to use this for all the various reasons like earlier fast transactions cheap transactions and so on other business models of course will be that if we get this deployed widely lots of merchants will want to have integration support so just doing software development support to integrate this as existing merchants to develop more new architectures as kind of help us to invest in maybe an initial expense but to provide support for exchanges or in terms of running their systems auditing their systems helping them run it and for merchants there are also business models so being an exchange, being an auditor and doing software support are business models and being the model as well given that we are trying to provide free software models because we want the customers to trust their models and given that most people are used to rather free apps for most things if we give some value addition in that I don't know what you would do that couldn't be done in free software in the end and again I also think that we need to use free software and this is the only thing that I mean actually this is an underlined software which gives you privacy the protocol gives you privacy now if you have a commercial implementation of everything you know you have certainly privacy guarantees from the protocol what I meant is bitcoin and blockchain there is that thing happening there no there is no blockchain not blockchain there is something that you have built underneath this which could be used in multiple scenarios not just in cash that's the question well underneath some of this which is our replacement for the internet architecture but I'm not going to talk about that today this is based on part of the code is 15 years old where we are trying to reinvent the internet but focusing on something that we can deploy and use today and you actually don't need to do any of the rest of the community you don't need to run any of this but underneath there are lots of other technologies that feed into this cryptographic libraries, web servers and so on but I'm not sure that was this question what's going on right now we're still improving the model in more features, more browsers supported we're working on the exchange auditing process we have written this to trial for merchants in the web for integration and I'm seeking feedback for that if you want to see details about what the API looks like you know it's a restful API what's each URL, what are the requests what are the responses, what are the formats it's all documented in detail here but how can you help overall the current model only works for browsers we should do this also with mobile phones I'm sure you appreciate that so if you have time please write it down to mobile phones and do a point of sale integration that's kind of the next big step most existing web shops only support credit cards so again we need to have people who write even plugins for Gruntwiler who gets all of these web shops out there the card documentation is mostly in English and here this is the country of the most languages so you're welcome to join our team to help us translations of user interfaces, of documentation of everything the exchange needs to be legal business to operate as I've mentioned many times you have to take action please so go ahead and find a creative startup in India I would love to see this happen we're trying the same thing in Europe but I'm not going to try the same thing in India what is the cost of setting up an exchange like what are the regulations that depends on the country I cannot answer that question for India I can answer the question for the OS it's simply outrageous and the question answered for Europe is still tricky to get for India maybe the current moody pain is just high enough to make this easy I don't know to conclude what can we do you can suffer from mass surveillance you can engage in arms races blockchains trying to prevent crime you can continue to enjoy the benefits of cash or you can help us establish a free software to enter balancing social goals of privacy and accountability thank you yes we'll start with questions and then we can do the demo again if somebody hasn't seen it yes any questions or should we do the demo again stop with questions why do I always say show that you're interested in this not that I know of but I'm sure they have shown some interest in me for other reasons have you picked the web payments API the web payments API is better than the other products we have people who are from our group participating in the work of a consortium in the interest group we have taken some inspiration from those discussions but let's say some of the people on that are not terribly privacy friendly and they are also not necessarily looking at free software solutions and looking at a lot of credit card payments so maybe partially compatible we're looking at trying to see that the contract formats are not too far apart if you can help it say I'm generating this contract in JC it will work for both of these APIs so we're trying to keep the difference small either by nudging them in the right direction or adapting where it's easy for us to adapt but I cannot make any promises that will be the same because of course that's an ongoing process but there will be like a bridge of thoughts at the end could there be an indication that it is pretty much good to comment on anything that can be because there is no standard yet and it's that all we can say is we are participating in the standardization process but of course I believe that we should just do this and forget about all of this anyway unlike the US India is not a very it is not a country where people are too sensitive about their privacy I mean privacy is not like the EU so privacy is not something that can be marketed it is something as a feature which is there in this whole thing but people will not be in India at least they will not be attracted by the privacy part what you should market is the usability the transaction speed the low cost the fact that it's a commons and you are a member as opposed to you making yourself dependent on somebody else so all of these other advantages that will appeal to many other groups from governments to merchants to citizens now some citizens will be open to the privacy argument others may not care but I believe there are enough advantages as I've listed on the value propositions that there is appeal for all the groups that let's say have a limited appreciation for privacy can you summarize for citizens at least which are low hanging fruits for citizens that are not which are clear enough for them one is the speed speed I think is one thing I believe these are the main advantages for citizens now of course you might also add the ones from governments to that because as a citizen in the government there are some shared interests so here we do not list that no illegal activity takes place but do you like a crime space as a citizen no but we still list this under an advantage for the government but so as you see here the privacy is one point the fact that Bitcoin is not a new currency no fluctuation the fact that it's free software you don't get some unexpected features the fact that it's secure obviously no identity theft problems no credit card theft problems no credit card was rejected because of fraud detection going on these are clear advantages for citizens or of course the usability that apply even if you don't have the privacy the nice thing here is that the privacy gives us usability gives us speed gives us fast transactions it also gives us accessibility because I can tailor the device to the user if the user is blind can't do retina scan can't cut off, can't do a fingerprint it doesn't matter whatever this device you just want him to authenticate against I can adapt it to him whereas the existing payment systems as a logic factor taking the devices off the merchant I'm taking a very set system here I can adapt it to the user and get accessibility from this but one of these advantages are coming indirectly from privacy are coming from the fact that I do not need authentication so I think I rise from it but they are well I have the other system right, convenience so adding to that I think mobile phones today are becoming very personal right it has become a single point of failure for a lot of things actually so in that way having money in your phone device makes it more sensible actually that you already protect your phone for many reasons so having money in that actually makes sense rather than having it anywhere else if your phone gets stolen then there are so many other things that are also failing with that you are you can make backups you can rely on your single point of failure to have more data on your single point of failure but you can just draw on your limited amount on your phone and you could make backups just like for your phone does the valid physically apply to the device no, it is that you can make backups then you could it is just a file, it is just a JSON database so remember we do not want to have any device identifiers we are privacy insensitivity we never send anything identifying the user out and out horrible, I mean say no it is only locally it is only locally on your computer we do not yeah but the valid can simply use the computer but that information does not have to go there yeah, what you might decide to do is you could say I am going to try to steal what politics is on some kind of TPM module to make it hard to access but I do not actually believe that this gives you efficiency in all cases okay so basically one valid can be easily used for my bandwidth yes and then you learn that your system must be compromised and it also has some value for you if we all set up cloud wallets how are we from no, I think if you have a compromised device and you withdraw from the cloud into that device it can still be accessed you know, if I compromise with a device and I can access your cloud storage I can delete your pictures in the cloud as well so the cloud does not prevent you from being attacked in fact it just increases your tax service this relies this entire logon accountability of your devices this is one of the key things here we want personal accountability because one of the things I do not want to say I did everything right and somebody else says this transaction was fraudulent I did everything right and somebody else supports this transaction I want to be able to say if something goes wrong it was me who did something wrong and it should be me who suffers the consequences a little bit of personal accountability is not a bad thing which means a lot of education well, in this case it does not need that much because in analogies to a physical wallet don't try to you do not need you do not need you do not need a lot of education to know don't lose your physical wallet you do not need a lot of education to know don't lose your physical phone don't draw sites where you can get mad when infected that's very difficult let me help you with one point here the one major source of the malware application is advertisements going across sites and here we offer a new way for websites to pay for their operations with micro payments where I can efficiently pay the couple of cents this toddler which means the websites have a new source other than advertisement namely direct payments that they currently can't do because nobody pays for credit card access in the web article and so if we reduce advertisement because an alternative way of payment is available we might also reduce the number of entry points for malware a little I feel a little bad here I think I'll teach you how to take care of it okay it depends on sure sure but the point is it depends on how bad the infection is because at some point you're going to decrypt the word access it and if the software still has control over your computer well, so again you have to be your responsible for keeping your own devices secure and you can only spend one exchange as a merchant or as a customer I know I don't buy quick one though I have a wallet and I can only spend one exchange no, you spend it as a merchant but the merchants have to allow that as a exchange to be so with that so I am limited to spending my money but the merchant is limited to spending money on only the one exchange no, no, no you as a customer was drew at a particular exchange at a fee structure you liked this is an exchange I do not trust say, you know, obviously I could make up one that isn't audited by the government and why shouldn't the exchange trust that you know, random black guy to be correct so the merchant would say you could say, I accept the following auditors you know, the bank of India has to say this is okay, then I'm happy to do this actions okay, let's have a round of money now every merchant would say that I don't like that exchange anymore when you send it back to yourself send it back to myself through a different exchange no, through the same exchange does the exchange exist anymore? it's not if you are a customer no, no my fault that the exchange went out if there is a bankruptcy from a couple of times an exchange goes bankrupt in a normal process it will tell the wallets and the wallets and send the money back to your bank account now, if the exchange is not properly audited and can really just disappear, you lose your money but that's just like, you know if the exchange decides tomorrow, we go on and they disappear and to nowhere you know, that's why you want the government to regulate it because the exchange will not just disappear tomorrow that's a big flaw in your personal accountability I don't know and I'm sitting with my wallet and my exchange goes round no, no, no the bank will not trust the exchange in the first place the exchange is not licensed the exchange is fully licensed and everything it's like perfectly... but what is this here, this component auditory, auditory exchange so you're relying on the government to valid to sign the exchange yes, just like you rely on the government every day that your bank is not going to disappear tomorrow it's exactly the same space the exchange is today, these exchanges with cash are the Reserve Bank of India or the European Central Bank or the Federal Reserve which can bring money no, no, no, no this is a normal proper bank it's a payment service provided your cash says this is for cash, by the way but if you have few money it ages BC or but you were saying that it's in my wallet so you're saying that once it's with me it's cash but it's still backed it's backed by the respective issuance instead of having RBI cash you will have HSBC cash which makes it extremely RBI cash is God cash okay, cash it was called cash we have to buy it too we don't deserve cash, it's God cash because they can print cash HSBC cannot print cash it's a huge they can print cash here we can pilot this the point is these payment service providers will be allowed by the government and licensed by the government to issue these digital points alright and this exists already if you take pre-paid credit cards for example you have a private bank that issues a pre-paid credit card and it guarantees to everybody whenever someone is swiped we will pay them that's exactly the analog and you have to trust these systems because the government says we are checking on the banks, we'll guarantee you that they will not disappear tomorrow and take away your money I would not take the word of any private bank however much you are depositing your money okay maybe I think the point is I believe most of us do trust most of us do trust they get our disabilities already if they are sufficiently regulated and if you do not nobody says that this could not be run by the government it could be that the government runs the exchange in some cases and it will limit competition and efficiencies of government it might increase trust in some cases in some cases it might decrease trust if it's the Indian government but it really depends alright the architecture allows it to be many banks and you can specify which auditors you trust you can specify I trust only these exchanges explicitly as a customer right but in general I believe the answer is there's going to be multiple auditors some government appointed maybe some foundations and they want to say we audit these people and then you as a customer can say I trust these auditors, I trust these providers and then if your trust is misplaced you lose your money what you said the Indian government does not allow a bank to afford they ask them to merge and you get up to 1 lakh of your fixed project no I don't think that's the point I think one of the things that you pointed out was in the points of here in Palo Alto if I lose my wallet it's my fault but here there's an extension argument as well which is if my trust in an exchange is misplaced then also I lose my money right which is come on that's the point I'm not saying it's his own but he may not have elected the current government and everybody said we trust this government to audit our banks and keep them safe and if then the Lehman Brothers gets you can't say I was the opposition and the government didn't prevent Lehman Brothers and I lost my money but in the end the technology at least tries its best to protect you the credibility of a lot of auditors and a lot of people who back this will also go down but the point is this is not a problem that's unique after the year 2008 you are proud to be with me I mean you thought that it happened we were all there that it happened hopefully we do not solve that problem if the governments are unable to ensure that Lehman Brothers remains liquid it's a problem however we improve in one respect currently banks contemplate three domains they have investment they have savings and loans and they have the currencies and we have seen the investment crash the other two the 2008 and here also architecturally we have the bank that's for our savings and loans we have the exchange that is really just facilitating commerce and investment could be a very third thing and we could keep these three functions that were fused by relaxations of laws in the US separate and thereby also contain failures to the respective domain and the nice thing is here by the exchange you have a clear business model where you clearly show our fee structure allows us to make more profit than our expenses are and you can verify as the auditor that it operates correctly by trading the digital signatures on all of the transactions so the risk of those providers going bankrupt compared to an investment bank that speculates on whatever the markets might do tomorrow is very very small and so by separating savings and loans where you know what yes where if you loan my default so investment is highly speculative and currency so we can reduce the risk of people dealing with currency and we do not have like what happened in Greece where savings and loans first investment then impacting currency supply those kind of cascades would not happen if we separate these institutions clearly and at least architecturally we do the argument is sound right I do not think anyone will argue that argument at least in this room but but people are being crying foul about breaking up large banks in the US for like exactly the along the lines that you have to talk about I cannot solve the political problems actually it solved that problem like in the United States what they do with these exchanges over the concrete transactions you actually have a trade regulated body that is essentially happening because the central exchange and that is regulated by the government and is also effectively trustable but let's again the point do you trust the government which is an effect on it no no in this case they have guards against the government essentially there is a sort of who will guard the guards but here is one nice thing in our architecture this could be the government but who says you only have to have one monitor I could have a government monitor I could have a central bank but I could also have a foundation or a private hacker club and as a customer I can also say I only trust the hacker club and the version might say I only trust the government and some people might say I only trust this foundation and all the auditors exchange says here is my database with all of the transaction records that I have taken and it goes over them talks things up checks the wire transaction says here are matches you can just check out so it's not a very expensive process and you could have multiple auditors I would not say you can have anybody be an auditor like all the citizens because the database is going to be a bit big to just replicate it everywhere but you can have multiple auditors at a reasonable cost and therefore put even a check on does the government do a good job because if the government fails to detect some fraud and somebody else does then there was something going on today the Australian government has said that it attacks the government to ask somebody yes he says he is not solving the political problem at all he is trusting in the current you have to of course make sure that you have good backups as the exchange you have reliable 24-7 operations that you can know how to solve and yes you might only get 6-9 reliability but other systems also sometimes fail it just has to work almost all the time and the cases where things can go wrong are reasonably clear they understood and reasonably limited so should we do the demo there are no more questions and then we can always have the confirmation you want to stop the recording but I am also able to ask questions