Bind Currency Field with airSlate SignNow

Digi sign branding proposal template

so you know that I know you'd have where it's a half hour until your talk and you decide to add like 10 more slides and then somebody calls you and says you're talking right now you're missing it that's the nightmare that I just had so I apologize for being a little late this is kind of weird talking and you are gonna get a couple of places where I've got these like great slides I was just about to throwing this this is kind of a weird talk I was invited very graciously by the organizers to come and give a talk to this community and sort of there are various things that I was interested in talking about and I decided maybe against my later better judgement the thing that is probably the most interesting that's happening right now is cryptocurrency and I say that even though there are a huge load of interesting things that are happening as well one of the other things that's happening right now is we're finally seeing deploying applied crypto that's actually making the difference or CTLs really take off we are seeing a huge variety of different crypto attacks we're finding backdoors in real systems and these are all really really interesting things and yet when you think about the change and the rate of deployment of new crypto nothing really compares to what's happening right now so I wanted to give a very high-level kind of overview talk that goes back into the past maybe looks at the future and talks about some know some of the things that went wrong in the past why it took until maybe 2008-2009 to get to what we have today and what maybe we can do in the future ok so quickly let me just give you my background of probably much of you don't know me I'm teaching Johns Hopkins and the work that I do is primarily applied crypto so the work I do is really in kind of systems security taking cryptographic protocols building them putting them together and actually getting them real implementations a lot of the work I've done is TLS we looked at a lot of messaging systems tunnel growth messaging systems but I would say the majority of the work that I've done since I was a grad student where I did my thesis on oblivious transfer is on privacy preserving protocols I also have a blog which I try write from time to time somewhere in the last few years I co-founded this weird cryptocurrency which is called Z cache which is really cool because it uses your knowledge to actually give privacy and that was a really weird experience okay so oh so why are we gonna talk about what is so interesting about this well there are a whole bunch of things happening that kind of affect us all so one of the things that's happening is that we're losing the right to the word crypto we're losing this largely because you know unfortunately crypto is so much more interesting when it has money attached to it and most of the crypto we do so it's obviously affecting us in some very silly and obvious ways the other reason that you know this is so interesting to us I guess is that the amount of money and the amount of height and the amount of interest in this field is really really taken off it's taken off too absurd now in December I think etherion went up to 1,300 1,400 dollars it was insane as drops back to only insane levels but you know things are happening it's really interesting at least the rest of the world so whether you love it or you hate it cryptocurrencies are kind of exerting this gravitational pull on our entire fields and that's the good way too badly so for most people cryptocurrencies are their first major exposure to cryptography that's great not really the most interesting group don't look like anything that gives you the door and also lets us explore and deploy some really interesting novel crypto I think we've had more use of multi-party computation techniques in the last few years is that if you stare into cryptocurrency it stares back at you and it can also kind of distort our research priorities sometimes it's not very good this is kind of wrong so what am I going to talk about today well one of the things I want to talk about today is some history I want to talk about some of this sort of practical stuff that's happening right now researchers a few people in this conference have been working on and I'm gonna cop to the fact that many of the problems that interest me are privacy related and I've been told that people outside of this field that privacy is not the most interesting problem and cryptocurrency and I don't believe them because I think it really is you know these things need there are other problems to be solved to I'm gonna focus a lot on privacy and kind of the PostScript to this that's all is that I'm also going to talk about some kind of random bad cryptography that I turn came across on different cryptocurrencies and that's not really part of this talk number at the end okay so I want to go back in time to the 1980s kind of the theme of this part of the talk is what went wrong we started out with all of these dreams and we got paid how did that happen what exactly happened now to sort of understand would happen with the payment system research of the 80s and maybe the 70s and so on you have to start with the understanding that there was already a banking infrastructure so banking was not a new problem he already had plenty of systems that were basically databases that held account ledgers of different people's account balances and we're updated in all sorts of a pretty standard ways so banking is not the problem the problem that we started to tackle of these was the specific problem I guess we call it retail pans small individualized payments between customers and merchants or between customers and customers and when we talked about this kind of this era of payment research we're really talking about actually had some level of first off any kind of payment system spending is a huge problem so if you have anything that's a digital currency maybe not a currency but of course points and that means that you can spend the same money twice so we have a building system that can capture double spending implemented or maybe trace people who double spend and so on if you're going to build the system and your reference point is cash then you also need some kind of system that allows you to make sure that that pays and other parties in the system have some privacy's so that you don't leave too much information during payments and you have other questions like how does money get into this system you need a connection to the banking system in order to move money around it probably the the vast majority of the research we in the cryptographic Mandy did this area is into this appeal to call me - which began with John back in 1982 the paper is actually cited as 1983 and later with Tom Fiona and Nora and these papers I'm sure many of you have read the national literature at least have seen this very early lion signature based cash basically these ETF systems all had a very similar architecture so there are cash model with this kind of added privacy and privacy was the new problem in this research so anybody who wanted to get money to get a receivable token or a group email tokens and ultimately the problems being solved was detecting double spending in a situation where users had the privacy let's take a look quickly at the Tom 83 doing a very favorite this is probably the simplest he cast system you could build the Tom 83 scheme is the simplest thing you can build basically in order to get some money up the pain has a signing key it signs blindly using an RSA blind signature bold serial number the pair have that serial number they could reveal the serial serial number in the signature to the merchant and ultimately the merchant can then present that parrots of the bank and the bank can verify that the serial number have appeared before so this is 1983 I want fast-forwards in 9 mm and this is a schema cabinet for a pawnbroker the sea sky which is published in Europe if you look at this scheme it looks very familiar it's ultimately got some much much more powerful crypto in it Sene scheme okay the CHL scheme uses a key it's like December and Bitcoin if the CHL scheme uses you know it uses much more powerful technology so down here we have a PRF so we can we can pull out entire wallet in coins instead of just one coin so instead of signing a serial number will sign up keeper PRF will compute the serial number using the PRF Watson encounter and then we'll use a descendant to make sure that you know everything here is kosher will give the resulting visit to the merchant okay we do this it's much nicer and much more efficient but it's really the same set there's nothing new and this is 20 something years in the future from Chama so it thinks did not fundamentally changing the entire you guessed field and there was a lot of research done in the e gas field so huge number were a certain electronic cash on Google Scholar results and they come in variations there were online offline schemes that were even used trying to hardware there were schemes that would reveal your identity if you double spent fundamentally the main problem all of these works was privacy because privacy is kind of the problem so the question we should ask and this is you know not the deepest question but why did this ecash work not take off ultimately in order to build an ecosystem and people trying David John tried what did you get you really needed to have to this you need to have a centralized way and that vein would be a single point of failure that thing went down everything was gone your customers have nothing and you need some way to get money into your system which typically was just another version of it you need a bank and it's very hard to get banks to partner with you when what you're trying to do is build a privacy preserving system that it doesn't allow nation-states and banks Tracy in 94 EU regulations came out that basically said the only people have the right to issue the debit cards was were banks and that basically killed it to cash because this this meant that their entire business model didn't work in 911 in the u.s. 911 saw a huge new laws that basically meant that anybody was trying to operate a currency whether it was you know he got not was it was actually shut down many of these people had their doors so this idea of centralized electronic cash private or not was really a non-starter the question you should ask is were these actually technical failures or were they just policy and the answer to that questions kind of who cares doesn't really matter they're indistinguishable you have a certain type of policy environment and the only technology we can work in that policy environment is something that you know is not going to work there then you have a technical so you have the centralized problem and ultimately we focused maybe too much on privacy which scared regulators too much any solution we had is going down and work around these manufactured problems so to switch gears a little I'm going to show you one other payment proposal that was made in the nineties and this one was much more conventional was developed by these a MasterCard how many of you have heard of secure electronic transactions okay that's a surprisingly large number this was a proposal that was developed by Visa and MasterCard so really the the people who are in the industry with an access to the payment technology and it was a pretty sophisticated cryptographic architecture based on credit cards using digital certificates the it was to get assurance authenticity of confidentiality for some things you have to love this kind of early eighties clipart the basic idea of the system was that there was gonna be an online party and you as the payee was going to have a digital certificate that you got from somewhere you were going to authenticate yourself using your certificate you're gonna go to this online market and they were going to gonna then just authenticate to the merchant for you and the key here was that you would never have to reveal you our credit card information directly to the merchants because merchants couldn't be trusted with this we didn't have as a cell working back that very well and so this was kind of a solution to all that and if you look at this this is probably the biggest technical feature of that system this is a little system that allows you to verify a transaction is authentically signed without knowing all of the inputs to the transaction and if you see this is like the world's smallest Merkle tree so they were kind of anticipating Bitcoin at this point this was kind of a sophisticated visit God so functions okay once again why didn't I see T so the obvious problem was it required users to get search get said nobody wants certificates nobody wants to deal with key management and Identity Management so you have a manager on keys plus you have to bind them to an identity and you have to store them somewhere and that is really unpleasant and very hard so this idea of binding keys to identities is just not really workable so what are our conclusions from this 1980s to 2007 time well all of the cryptographic solutions we had were too complex or they were desirable features like privacy and I say undesirable coasts meaning that they were honorable commercial solutions including set really didn't support a special case which was person-to-person payments which turns up a lot of people really want to do web browsers at the time that kind of most advanced technology did not support fancy crypto and the end result was this little company called PayPal which came up as a company that was starting out as a Palm Pilot to the Palm Pilot payment system came along and developed a system which was probably and I'm gonna say this in a really nice way but probably the dumbest possible solution this was was a very expensive fraud layer built over the existing banking and credit card infrastructure and the reason that was kind of annoying was how many of you have ever seen something like this I made no my PayPal is legendary for not letting you big transactions not letting you make payments or take your money and the reason is that the only way they made this work was by putting a huge amount of fraud detection on top of things okay so the good news from all of this is without paypal we also got Elon Musk so now we have prices right now and you know Peter deal that's fine too so so moving on in 2008 everything changed I think this would be really the wrong audience to spend a lot of time talking about deserves a slide or two just to sort of explain you know what was so fundamental about this so the main thing that the Nakamoto paper Nakamoto implementation did was it replaced this idea of a trusted server with a distributed ledger letters are complicated to bill turns out you need some kind of consensus technique and in this case not the motive invent a new consensus technique and that consensus technique was really new and unique and had some special properties which I'll talk about a second that made the system work very well it was standing up there was an obvious things that came along puzzles were introduced to handle consensus to generate the funds this was not a new idea I think play day and other people and thought of this before but these ideas were integrated and one really really fundamental invention was that Bitcoin eliminated the need to identify to find keys and identities together just use your father is my identity hey when you consider these four major developments and this is going to be like the worst summary that have ever made everything else is really straightforward right it's all straightforward crypto you use public key crypto to initiate payments use secret keys to sign and invalidate payments once you have a legend that works you can do this very soon so everything else is really just engineering so what are the lessons we can take from Bitcoin well the first thing we can get is that picking the right consensus algorithm it makes a huge amount of difference I think that kind of underestimate how important the Nakamoto consensus was this is from Alain which is the block teams found consensus achieve certain robustness properties in the presence of sporadic participation and no churn that none of the classical style protocols - this is sort of one of these an anodyne academic statements but it's really fundamental if you're starting up a volunteer network with nodes that are not reliable that are peer to peer nodes that are going to go away constantly you need to the census mechanism that doesn't require setup that is able to handle these cases and even today as we're deploying things like proof of State cause we're still fighting with this problem there are a number of protocols that propose to use things like verifiable secret sherry inside of a group of state protocol well that requires that a bunch of nodes stick around for 10 minutes no stop sticking around for 10 minutes and this is something that you know unless you have a system that can actually achieve these guarantees you don't have a workable consensus for this particular set obviously the lesson we need to eliminate this key Identity Management thing because nobody wants to deal with identities obviously that simplifies the problem and then there's this kind of third lesson of Bitcoin which I called the human beings are weird lesson and this is seem this is gonna seem like the most trivial this is not a technical observation is probably the most privy elaboration you make here is the lesson that we seems very obvious in retrospect but is not was not obvious and would not have been obvious until you actually tried to deploy a cryptocurrency like this okay so the thing that we learned in 2010 11 12 13 14 15 song was then if you build a system that has totals that have a guaranteed supply or predictable supply then are secure in the sense that people have a high confidence that the entire systems not going to be shut down or the system is gonna fail then weirdly enough they're going to assign value to those totals it's bizarre we didn't know this was gonna happen the fact that it happened actually has really big implications probably bigger implications than anything I could say about technology or cryptocurrency now the value that people pick these tokens are arbitrary maybe they're ten times too high maybe they're 100 times to lie but the fact that they have nonzero value at all is really significant this is something that we can't figure out until you build this is really the major so what were the limitations there are a lot of limitations now I'm a little bit focused on privacy so obviously the privacy limitations are what matters most to me there were functionality limitations as well scalability and ultimately sustainability limitations for mid language we're still sort of tackling the good news is we've solved the scalability limitations just by making like 150 new coins so that's all taken care of now the serious news is that you know there are a lot of different people taking different approaches the first really huge limitation of Bitcoin was the privacy limitation this is a fairly old route you can tell it all because that big red dot up there says Silk Road but this is a map of the Bitcoin transaction graph this is a whole bunch of people buying drugs on a publicly available lender and doing this in a way that's gonna last forever and they're doing this with pseudonyms but they're not doing this with good pseudonyms ultimately those students are gonna leak or they're gonna be linked to exchanges in people's and identities would be to anonymize so this system does not work particularly well now I show you this next slide some of you may have seen this this is a slide from an NSA program called monkey rock how many people have seen them on the rocket slide a really small number of people saw this this is actually the result of a VPN system that the NSA set up in 2013 2012 they set up a VPN overseas and they allow people to connect their Bitcoin nodes to it and as a result of that they saw huge amounts of Bitcoin traffic on the wire not just on the block they were able to link IP addresses just like the addresses I think it actually says MAC addresses to this to this they were actually able to be anonymized a huge amount maybe a large fraction of the block these proportions went through this so it is very very hard to keep if you are one of these unlucky people are okay so I dress well two different things that we worked under I worked on with a team of folks I CLA here too we worked on basically having anonymity I'm not going to go into the details of this I worked on the having anonymity two different papers one called zero coin which used RSA accumulators systems your knowledge crucifix this and later a zero cash or a C cash and actually deployed this the reason I'm showing this is more as a warning now I said that we're deploying a lot of crypto and this is good when my grad students and I wrote the first version of the zero cash flow limitation we decided that we write a library we wrote this library we put up on github we had it this morning the wedding says for God's sake don't use this in any kind of reduction occurrence don't put money into this terrible implementation that we banged out now the reason I'm showing you this is this morning I copied it out of the git repo for a coin called C coin which is currently worth five hundred million dollars in terms of art not only did they take all of our code unchanged but they actually copied the warning into their code alright so this is this kind of stuff you can build things and they're gonna get deployed and they're gonna get deployed in scary ways to turn up the end of ulnar ability in our code which was that at one place where we had to check the value of the field element we forgot to specify that it had to be a field element and as a result you can double spent currency by computation a or a plus right P or a plus 2b and so on so you can make big mistakes where you replace so what other problems are there well once you have a ledger I mean the obvious problems that come up or you need some way to go from a ledger to or go go let me rephrase that once you have a legend you can do a lot of interesting things so if you think about a payment system is basically just a state transition where you have certain transactions that haven't been spent and you're going to some you know having some new transactions that have the obvious next step is to make this entire thing into a generic evaluation of some function and make that function into something that updates the state on the ledger so this really was where aetherium came from this is kind of a general trend in future all of these currencies will replace these very simple state update functions with complexity and this is great so now we have a theory and we can actually control spending of money in very sophisticated ways so I wanna talk a little bit about some problems that kind of interest me and when I say this is the future I don't mean this is all that's happening in the future I mean these are a few things that I think are kind of essential going with modern currencies so the three problems that I think are the most interesting to me are how do we make block chains in Bitcoin system Bitcoin type currency scale as they're very limited ways that we can do this most people know that the current Bitcoin in theory in transaction rate is about seven transactions per second it's not very high I think that seven maybe may be relatively high in fat compared to what it actually is a practice if you compare this to visa and again most of you know this that that you know the visa system can top out during holidays of forty thousand transactions per second globally so these are not calm well we need some way to actually make these systems scale to a reasonable through one of the ways that people are proposed to do this is they propose to do it using channels how many of you have heard of the Lightning Network okay good so the idea of a channel system is really really really very soon the idea is that you have two parties and they want to interact but they don't produce a lot of bandwidth not chain so what they're gonna do is they're going to establish what is basically an escrow don't worry about details of how it's done but just say they put something in each person puts money onto the blockchain they have one transaction that transaction will be later unlocked using the digital signature made by both parties or it one morning goes away and we unlock maybe after certain time the idea of channels is extremely simple so let's say we have one party that puts in one Bitcoin another one that puts a zero Bitcoin once they've done that on the blockchain they can go ahead and they can interact directly to produce new signed transactions that change the balance of that they can do that many many times without ever going back to watching at a certain point thing they decide they're going to close this channel they can take the last transaction back to the chain and they can cash out whatever each person's balance is if there's a dispute there's a mechanism to deal with the dispute the Lightning Network is actually up and running on Tesla this is a visual and Explorer that basically shows you all of the different Lightning nodes that are online nodes that are available to establish pages and the lines between them represent individual payment channel relationships that have been established locked let me zoom in on one of them so this is a particular node and you can see it has channels with other nodes but also some of those nodes have channels with still further on homes so this allows us to send money technically speaking anywhere but what are the problems on these networks the first thing you have to see is that we're just talking about a single hop payment channel I'll go back one there's really no privacy at all between the individuals who are communicating so if these two individuals have a payment channel open they have to know there's identities they have to know every span that the other person makes if we go back to the lightning Network lightning doesn't really have a solution for this because it's not privacy technology what lightning does is it says if you want to achieve privacy so that you don't know the two endpoints are on this channel you have to place more intermediary so instead of a single channel the yuan will open up a channel would I 1 I 1 will open up a channel with I 2 and so on all the way over until it gets Peter and the idea here is that as long as these parties in the middle are not colluding hopefully Peter will not learn Yvonne's identity does this system work not so well first of all that requires that to get any privacy at all we have to make extra hops which nobody wants to do in any sort of a system like this we're not even sure there are going to be a series of channels that go from one person to the other and we're not going to be sure that they have enough balance inside of them to make this work but even if you accept that all of those things work there is a really significant problem with the label protocol which is that the transactions that people use to generate these things to allow them to atomically clothes have to share a value called a hash table that means every single person in this channel is going to share a value each and that value each basically binds together every node in the channel which means that in I three colludes with I 1 even if I 2 is honest the channel can still be linked together the anonymous improperly Bunyon products much much weaker how do we fix this like what's the fix for this channel - channels are supposedly the future of cryptocurrencies we're all going to be using channels to buy our coffee and pay our rent we want some privacy how do we fix this what an obvious idea is we could use Xiaomi Andy cash we already have this technology we spend 30 years building it let's deploy it in the Senate in the simplest one channel case we can basically treat one party as the pain we can establish some some balance between the two parties and now whenever one party wants to spend money Elon can let's say when draw some currency from David over here and then spend it back anonymously back to David we're assuming David as many channels open and doesn't know who's spending what money so this seems like it's a pretty simple solution what happens if we want to go to hops is there a solution to this problem come on channel with friends I need some way to go to the bank so it turns out that if you turn this around in a sort of strange way you can make Tommy and he cash work for two hops and what I mean by this is we can elect David to be an intermediary and David can basically act as a banner Elon can connect it David withdraw cash and in exchange balances with with David and Peter can do the same thing where Peter initiates a connection to David in the middle this is great and if we have a system that allows us to exchange both positive and negative balances now we have a way for one person to sent money all the way through by something for example positive one to david and then david contender so this system works can it work for three hops I don't think so I don't actually see a way that you go too long numbers of hops in a system like this it seems like chummy kneecap fundamentally brings down when you try to go to longer channel lengths and so this is because disparate channels have to be tied together in systems like this there's no obvious way to make these work in a privacy-preserving way so this is kind of a big open problem if we're going to go to a world a layer 2 world where we're gonna build channel networks between people we have to find a way to build longer channels to the privacy and none of the current techniques really seem to work very well so another probability just made is this idea of replacing proofs of work it interests me a lot of people working on that and doing so we all know that Bitcoin is consuming vast amounts of energy I think the last I heard it was consuming as much electricity as Switzerland to compute the proofs of work bits if you're in town we need to do something but there are people work not doing something about the most obvious solution to this is to replace the proven work with something that is cryptographic in nature where basically what we're doing is we have individual nodes signing these and those signing keys can be used to sign blocks or establish consensus between different parties how do we elect those nodes with assigning keys well that's currently on the table is to use proof of state which is to say that people have a lot of money when we trust it as the folks who can actually establish these connection sign blobs okay so how do we do this well the basic that you have all of these protocols is we first go through and we enumerate all the major stakeholders the protocol we make a list of them publicly revealing their identities and then we scale that list according to their stake and then we sample from the list where do we get the randomness to sample from the list we've got a nest do we get a random comm I think that's actually one of the things I have on a later slide no but seriously where do we get rent in the Bitcoin network or in any these networks this is this is kind of movement problems there are a handful of solutions to this there's a really excellent work on this particular problem that's happening here at Urich rep so in the session the other day there was a paper that actually dealt with a particular solution to this previous here there was another one this and I believe some version of this is currently deployed in a real currency called Cardinal right now the thing that is really fundamental about all of these systems is they require some kind of randomness to sample from the original Ouroboros I can't pronounce it using an interactive protocol between potentially hundreds or thousands of nodes to establish these random coins that we would use for sampling and the idea was we had a resilient protocol that could survive the loss of a certain number of people but what happens if too many people go away it's not really clear this protocols Network the latest version of the protocol deals with using a slightly different approach and it uses grinding resistant hash function which is based on the computational diffie-hellman it's based on the idea that yes what we're going to do is we're going to have individuals provide Inwood which we're gonna hash together to produce data produce this apparently but in these kind of protocols somebody always has to go last and that person can grind they can use their hash powers sample many different inputs to find one that biases the output of the random points and so these solutions try to build hash functions that actually prevent people from grinding and actually trying to find useful under strong assumptions about what kind of things might and the thing that's really interesting about this to me is it's the kind of result that you can improve on paper and I think it's really in but in order to see if it actually works he needs to deploy in experimental and so it's really exciting to me that cryptocurrencies are actually allowing us to do this kind of stuff so the last area that I want to kind of talk about as being really interesting to be as let's turn this problem around so far we've been talking about how cryptography can help with crypto currencies but maybe no Curtis are you raising your hand yes so meaning no currencies or block teams can actually help us build cryptographic systems so one of the things that people have been working on is including myself and some other folks as well is let's imagine that we have these trustworthy devices do we have trustworthy devices well okay so maybe we have secure hardware that we trust to be somewhat secure and there is this huge field that is gradually developing of building cryptographic computation techniques which in theory hypothetically some of them are hardware backed and some are peer software program obfuscation allows us to build hopefully trustworthy devices or circuits that can perform certain types of computation so let's assume we have one of these devices but let's assume that it has no ability to do state and this is a very realistic assumption particularly in the software program obviously because of course software has no ability to keep State at all these are these devices you know we can build them inexpensively from hardware and then we can get them from wherever we want and what we really want to do with these devices is compute multi-step interactive computations meaning I want to write a program on some input get the output run that program again another setting where this happens all the time is imagine we have a network of traveler the computing devices we're performing a single multi step program but the program is run on a different device at each step is there a setting where that matters will every smart contract system is already in that setting as are a lot of cerberus systems like amazon land AWS land other systems like that so the idea that we have a synchronized State is not really not a surprise idea so how we do it well the obvious solution is imagine we have a secure computing device that has a key I did always have a user send an inputs that's that computing device we can get an output as well as an encrypted version of whatever state needs to be captured by this broker and that's great next time I want to run the next input on the next step I just pass in that encrypted state and I get an output as well as a new attacker to state what's the problem here but it's trivial replay attack eating the divide has no the device has no internal ability to keep state it can always pass the third input along with one of the previous primitive States and I can get that devices to compute a new outlet for me and I can continue doing this as many times as I want if this is some sort of the interactive cryptographic protocol that's being run by the device I've been potentially completely undermined security of that protocol so what can we do let's imagine that what we have is something like a block so we have a publicly verifiable entry probably verify but this means we can pose the string to this ledger get it back something like a signature or some kind of verifiable proof that the string was posted you can also just get a copy of the full ledger and we can send that to the device so given this thank you really simple in Houston we can send our inputs to the ledger we can get back the ledger contents to prove we can set those ledger contests onward into the device and the device can then verify the ledger to see what step of the step it's on and can send that an output as well as an encrypted state and you know go into more detail about this you can basically build systems that are rewinding resistance simply by into the fact that they are interacting with some kind of lender and this is really more of a smart contract setting where we're dealing with private contract where we have kind of secure devices so I think this is really interesting I'm sort of curious to see what other things we can do particularly in the setting of cryptographic on East Asia okay I want to talk I want to shift from research topics to a couple I want to talk about some of the worst failures in crypto currencies now one of the hypotheses of us deploying all of this credito is that we are deploying it in a setting where smart people are going to break it accepting the biggest of all bounty in the world somebody could find a flaw or another you know they could come to us and they can actually tell us tell us anything they just steal our money this is probably the most embarrassing one I found bit Grill which is a real is they lost one hundred and seventy million dollars worth of nano XRP tokens because they place the balance checks for their system on the client side in JavaScript so this is this is probably the most embarrassing this one let me move on to one that's little more subtle okay so this is uh I mentioned you guys have missed you aren't totally wrong so there is a website called random.org random.org produces as you could imagine reduces verifiable randomness now random.org on January 4th this is a few years back switched to HTTPS from HTTP and what this meant was that people who are calling random mark in order to get readiness we're now getting in a 404 her and turned out when you serialized 404 it's not actually a very high entropy seat and for various reasons having to do with their implementation they were trying to mix or this together with some other secure form randomness they didn't do that placed it and so every single wallet every single public key that came out of this started with one benign re and a whole bunch of people lost a lot of money so this is the kind of thing that happens that just give you one more example along these lines my favorite etherium bug bounty submission was a case where somebody implements ec PSA but they wanted to make ECDSA nonsense more secure so they export the message being signed into the knots turns out that this produces a trivial bias that allows you to pull out key in about 256 signatures which a bunch of people that were seated and i want to kind of wrap up with my favourites cryptocurrency iota and I'm gonna skip past the part where I oh that's their own hash function and the skip past that the part where held embedded their hash function and invented their own artificial intelligence to adventure focus in on the iota signature I already uses hash based signatures nobody quite knows why but these hash these signatures are wintered in the signatures internet signatures have this really neat property that you start with a single seat your key backdrop at the top and you have to forward all the way down so you get the apology and the idea is let's say we're sunny - what I'm going to do is to sign any given bite and I'll start with a secret key and I'll hash forward a certain number of times with same side of the message 3 I'll have 4 over and 3 times until I get to a secret key and then output that has resulted as part of my signature and I'll move on to the next message well one of the problems that crops up with these signatures is that obviously if I get a message that has a bite 3 as its first bite anybody can hash forward to turn that bite into a for just hash tag away with a signature one time and you can change the message to a floor and everything is pretty easy signature to forge and the fix for this is to implement a separate checks on which you add on to the end of this message before you sign and the check sum has the property that you can't subtract sorry you can't increment any bite the signed message without invalidating the so it's really essential for the security of these signatures of the checks out well iota the normal checks on by the way is an addition iota invented their own channels and the way they invented their own checksum it does not seem like it actually guarantees asked us and as a result of that we should mention one thing these signatures are also used to sign messages that come from a centralized party that operates their network so if I have a message and and you can come up with another message my that is greater at every break position then then you should be able to pass forward until you get a valid signature on that message it would be very unlikely to find two such messages because they're out there the outputs of the hash function if they were long messages if they were let's say the output of a full hash function however it turns out that I only verifies one third of the message which turns out to be 27 they say that they use a Turner Inc yeah Theresa's 27th writes and so which is equivalent 20:27 bytes so this is not a terrific Lisa or signature I'm not sure exploitable bit like this is not a terribly insecure signature I'd already mentioned kind of my my most embarrassing but I want to show you one last slide which is that as a result of this hack so so my conclusions line was the slide that I was fixing so I won't show you that whatever I really included with is that cryptocurrencies you know this is sort of a fun talk but cryptocurrency is a really serious there's a lot of money out there a lot of people can get hurt if we don't do things right but this also kind of gives us a unique opportunity to do really interesting new crypto there are interesting problems out there that we have not had the opportunity to solve and we should be using our to solve those problems and actually deploy new I guess get your questions right I mean there's there's no there's because of people right there people who think this technology is amazing I didn't technologies amazing I think it's super amazing to be able to send money to people instantly but then there are other people who are excited about this just because they see it as a way to get rich and that's kind of a drag but one of the things that will be really nice is when these currency values all drop back down to nothing we can kind of go back to like just kind of play around [Applause] [Music] [Music] [Music] I think your superinduced is a really really good I think if you're you know they executed weather smart contracts you leave make sense or not I don't know but they they have a very strange idea of the accident they did a pretty good job I think the problem is when you see a lot of these of other bilkins but there are others that are I think much less justifiable for you you know maybe there's an application here but I don't see how I think that [Music] [Music] I think the number smart I think that there are a lot of there was a bug just a few months ago where if your signature had the letter M in it it would give you the secret key and my point is not that that was a particularly bad one that was really bad bad whatever my point is that that was in the code in a five billion dollar allegedly currency for at least months maybe more than months and so I think it's true that the great thing about Bitcoin is it is like the world's largest pen test where you know them it pays for itself but I think also we make a mistake when we deploy something we say it hasn't been attacked yet therefore it must work the reason that I get really nervous about that as new consensus algorithms in particular can work rains for years until they stop working and when your only real way to analyze that was disable rational after it wouldn't attack this nobody's rational in this world and so on top of that you the situation so I mean there has to be some kind of payment to support for permission was long-term we have some people mining you need some kind of payment to support that activity I don't know how else to do it for permission and blocked angel you have individual notes you know you just brought up a little consensus algorithm what's that you need incentives but like in private blockchains they call them lock takes it out really you have the same thing then you don't need incentive in that setting you can do something really interesting nice things and I think some people are going to deploy that I don't know whether it makes sense in every application sure so one of the most exciting areas that's really being worked on right now at conferences like these is the development of better non Interactive's your knowledge techniques and arguments I think that's really kind of one of the most exciting areas at least for me from a privacy perspective and so you mentioned for oops I think that's the output I guess brutal at all from last year's or maybe two years ago bureaucrats and that got you know kind of branded that is optimized a bit but these kind of non directives are not groups really exciting agenda building in any kind of privacy preserving technology so it all this stuff goes away and we just end up with a bunch of really great your knowledge proof implementations like I think that's a great outcome so that would be really cool I compare Manero is its own thing and they do things with a different kind of technology but I bet you in the end they're all going to converge on using pretty strong high-end Aniceto systems so if you have the most interesting systems crypto research that I would suggest you do for this area it would mean to develop really optimizing and then the networks for the underlying peer-to-peer networks that are that are supporting all these currencies because right now the best thing people have is to use tor and tourists on the tours not optimized for this because every time you make a connection to a Bitcoin network using you know you're using a specific protocol that identifies you so even if you do an overt or Yordy anonymizing yourself so building something I can handle a specific case of broadcast flooding and do this in a very privacy-preserving way at the network level would be a really really interesting project and there are a few people who've done things like this but what they don't say is that mining is really a different problem right if miners aren't private if everybody knows the miners are that's not great but it's also not the end of the world in the sense that if you mind currency you sell your currency if we can write was at least from that point I think that's pretty decent solution obviously [Applause]