Epicenter - Learn about Crypto, Blockchain, Ethereum, Bitcoin and Distributed Technologies - Ari Juels: Can AI Weaponize Blockchain Smart Contracts? - Chainlink

Episode Date: November 19, 2024

A smart contract’s rigid rule system represents a double-edged sword. ‘The Code is Law’, but what happens when rogue large language models or AI agents bend the Law? Can smart contracts be weaponised to serve a criminal agenda? In his ‘Oracle’ novel, Ari Juels explores this thesis and issues an eerie warning regarding the blockchain x AI intersection. In this imminent future, oracles play a crucial role, allowing LLMs to push data on-chain or smart contracts to pull off-chain data.

Topics covered in this episode:
- Criminal Smart Contracts
- Oracle x LLM convergence
- Preventing malicious intents through oracle systems
- AI x crypto use cases
- DAOs
- Entropy in voting behaviours
- Dark DAOs
- TEEs & private smart contracts
- MEV & proofs of transaction ordering
- Future blockchain research

Episode links:
- Ari Juels on Twitter
- 'The Oracle: A Novel' by Ari Juels
- Chainlink on Twitter

Sponsors:
- Gnosis: Gnosis builds decentralized infrastructure for the Ethereum ecosystem, since 2015. This year marks the launch of Gnosis Pay, the world's first Decentralized Payment Network. Get started today at gnosis.io
- Chorus One: Chorus One is one of the largest node operators worldwide, supporting more than 100,000 delegators, across 45 networks. The recently launched OPUS allows staking up to 8,000 ETH in a single transaction. Enjoy the highest yields and institutional grade security at chorus.one

This episode is hosted by Brian Fabian Crain.

Transcript
Starting point is 00:00:00 Broadly speaking, a rogue smart contract is a smart contract written for one of two purposes, either to advertise criminal services or to solicit criminal services. So how does the contract check that there's this correspondence between news reports and this text description of the calling card? For that purpose, you'd want to use some form of natural language processing. You'd use an LLM like ChatGPT. How does the smart contract gain access to ChatGPT? We would naturally do that through an Oracle system.
Starting point is 00:00:34 Hello and welcome to Epicenter, the show which talks about the technologies, projects and people driving decentralization and the blockchain revolution. I'm Brian and I'm today here with Ari Juels, who is a professor at Cornell. He is a co-director of the Initiative for Cryptocurrencies and Contracts. He's also a chief scientist at Chainlink, and he's written a book recently called The Oracle, which I've read a few months ago.
Starting point is 00:01:01 So it's kind of a sci-fi novel that deals with smart contracts and oracles. And he was a previous guest here. Actually, a long time ago, we were just noting it's almost eight years that he was a guest. So I'm really excited to speak with him. But just before we get into that, I want to share a few words about our sponsors this week. If you're looking to stake your crypto with confidence, look no further than Chorus One. More than 150,000 delegates, including institutions like BitGo, Pantera Capital and Ledger trust Chorus One with their assets.
Starting point is 00:01:37 They support over 50 blockchains and are leaders in governance on networks like Cosmos, ensuring your stake is responsibly managed. Thanks to their advanced MEV research, you can also enjoy the highest staking rewards. You can stake directly from your preferred wallet, set up a white-label node, restake your assets on EigenLayer or Symbiotic or use their SDK for multi-chain staking in your app. Learn more at chorus.one and start staking today. This episode is proudly brought to you by Gnosis, a collective dedicated to advancing a decentralized future.
Starting point is 00:02:09 Gnosis leads innovation with Circles, Gnosis Pay and Metri, reshaping open banking and money. With Hashi and Gnosis VPN, they're building a more resilient privacy-focused internet. If you're looking for an L1 to launch your project, Gnosis Chain offers the same development environment as Ethereum with lower transaction fees. It's supported by over 200,000 validators making Gnosis Chain a reliable and credibly neutral foundation for your applications. GnosisDAO drives Gnosis governance where every voice matters. Join the Gnosis community in the GnosisDAO forum today.
Starting point is 00:02:48 Deploy on the EVM-compatible Gnosis Chain or secure the network with just one GNO and affordable hardware. Start your decentralization journey today at gnosis.io. Okay, well, thanks so much for coming on again, Ari. So I don't know how many of our listeners remember you or are aware of you, but I mean, I think you've been in crypto for a long time and have had like, you know, a big impact in many ways. You've done work around smart contracts, trusted execution environments, DAOs.
Starting point is 00:03:19 You were one of the co-authors also of the Flash Boys paper, which kind of kicked off the whole MEV field, and then more recently a novelist. So thanks so much for coming on again. I'm delighted to be here. Thank you for having
Starting point is 00:03:36 So I actually looked at our old summary of our episode we did in January 2017, and even Criminal Smart Contracts was mentioned there already, and the Criminal Smart Contract is also kind of theme of the novel you wrote. Maybe can you share a bit like what
Starting point is 00:03:59 motivated you to write this novel and can you share a bit without maybe giving too much away or no spoilers but a little bit the theme of the novel? Yeah, there were really two seeds for the novel, if you will. One of them is the paper that you and I discussed on this show, as you said, some seven years ago, criminal smart contracts. In the book, I call them rogue smart contracts. Those have a newfound relevance,
Starting point is 00:04:30 as we can discuss, given the advent of powerful LLMs like ChatGPT. That paper at the time that was written was somewhat speculative, but it has become more real, and that became a motivation for writing the book. The second impetus for writing the book, the sort of literary impetus, if you will, was a bridge, a sky bridge in Lower Manhattan. The Cornell Tech campus,
Starting point is 00:05:01 based at Cornell Tech, which is Cornell University and the Technion's applied sciences campus in New York City. The campus used to be in what is now the flagship Google building, Lower Manhattan. I used to commute there every day on the High Line, this old elevated railway. And I passed this beautiful skybridge, windows on both sides.
Starting point is 00:05:25 And I thought, this would be the perfect office. And I just sort of started to visualize the hero of the novel sitting there. And that became, as I said, kind of second motivation to writing the book. So for those who either haven't heard or don't remember, right, the criminal smart contract episode. What are rogue smart contracts? How do you envision that? Yeah.
Starting point is 00:05:53 So broadly speaking, a rogue smart contract is a smart contract written for one of two purposes, either to advertise criminal services or to solicit criminal services.
Starting point is 00:06:08 And if you construe the definition broadly enough, rogue smart contracts have already cropped up in practice, mainly in the form of pyramid schemes, like the famous Forsage scheme. But in the context of the novel and the paper, what was of interest was real-world crime. So I can give a, I guess, a simple example to illustrate, if that would be helpful, how these things work, maybe. So let's take, for example, I like to use this example, because this is a relatively benign one.
Starting point is 00:06:44 Let's take, for example, the Koh-i-Noor diamond. It's this famous diamond with a very controversial history. It is part of the crown jewels, belonged to the British royal family, sits in the Tower of London. As I said, it has a controversial history, there are people who believe it should be repatriated to India. There are a number of people who believe that it's cursed. So you can imagine somebody would want this thing to be stolen,
Starting point is 00:07:10 just to have it disappeared, not to own it because, as I said, it's cursed. So how would you create a smart contract for this purpose? You've got two challenges in creating such a contract. The first is, how is the contract going to know if the diamond is stolen? And the second is, even if the diamond is stolen, how is it going to know whom to reward for the theft of the diamond? Let's suppose that the smart contract is paying a bounty,
Starting point is 00:07:39 $100,000 in cryptocurrency, for this purpose. So how's it going to know where to send the money? The observation we made in the paper is that you can do the following. You can have a would-be criminal, somebody who's signing up to steal the Koh-i-Noor diamond, send to the contract in advance of the theft a brief description of some detail about the crime that only the criminal could know. And these details are sometimes referred to as calling cards in the criminal world. A calling card is, often it's a physical object that's left at the scene of the crime to indicate who committed the crime.
Starting point is 00:08:24 So I like to reference as an example of a calling card the gloves monogrammed with a P left by the Phantom, the jewel thief, in the Pink Panther movies. That would be an example of a calling card. Let's say it's the first time a particular calling card was being used. Let's suppose that the Phantom is the one who is going to steal the Koh-i-Noor diamond. What the Phantom does is send to the smart contract a brief text descriptor of the calling card, monogrammed P gloves, in advance of the crime in hidden form.
Starting point is 00:09:03 Cryptographically committed, encrypted. I don't want to think about it, but concealed. Then the crime gets committed, right? Diamond disappears, and there's a famous diamond, as I mentioned. So, you know, the theft is splashed across headlines on news sites. And now the criminal comes back and decrypts, reveals this description of the calling card, monogrammed P glove. And the smart contract now checks that news stories correspond to the calling card. You can imagine that the news stories reporting the theft of the diamond would also report
Starting point is 00:09:38 the fact that a monogrammed P glove had been left at the scene of the crime. This is the criminal, of course, leaves this calling card in a place that would be visible, prominent. So the smart contract can check that the calling card was reported in news stories. And presumably it's only, as I said, the thief knows in advance what the calling card is. The calling card would be selected for that purpose. So whoever revealed the correct description of a calling card here would be paid the money, would be paid the $100,000.
Starting point is 00:10:14 This is an example of how these contracts might be constructed. And so basically for the smart contract to be able to know, okay, this was mentioned in a news story, then you'd have to have some kind of, I mean, I guess I can imagine different ways to work, right, you could have something like, I mean
Starting point is 00:10:42 right, you're in environmental of Chainlink, right, so there could be a bunch of servers, right, that are parties that maybe write such a data on there, or maybe could it be that like, I don't know, like in a trusted execution
Starting point is 00:11:00 environment a search is executed or some commands are followed to then like verify such a condition or like how would you imagine that that part to work? Yeah, you put your finger on the nub of the problem here. This is the really interesting part. So how does the contract check that there's this correspondence between news reports and this text description of calling card? For that purpose, you would want to use some form of natural language processing.
Starting point is 00:11:27 You'd use an LLM like ChatGPT. How does the smart contract gain access to ChatGPT? We would naturally do that through an Oracle system. You wouldn't be able to run an LLM efficiently on-chain. We would run it off-chain, and an Oracle system would be the natural place for this. So the whole scenario, in fact, depends upon a convergence of blockchain technology and AI, LLMs in particular, for this example we're considering. And the advent of ChatGPT and powerful LLMs is what makes this scenario particularly relevant over the past couple of years.
Starting point is 00:12:12 At the time that we originally wrote our paper, this was hypothetical. But now it's at least technically feasible. And then this convergence of blockchains and LLMs, how would this work, like technically? So technically it could be conceptually at least relatively simple. You would run an LLM ideally in a trusted execution environment
Starting point is 00:12:41 to ensure integrity and to give you confidentiality where appropriate. And you might have a single node do this if you trust TEE sufficiently or you would use a decentralized Oracle network for this purpose. And it would ingest news stories, as pointed to by the smart contract, or I should say news sites, stories from news sites,
Starting point is 00:13:06 and this calling card, the text descriptor of the object left at the scene of the crime. And the smart contract would ask the LLM, does this calling card match these news stories? And as I said, this is technically very feasible. Happily, you can't just go and build one of these things today. It's technically feasible but not realizable with existing infrastructure. So in some sense, the paper and the novel are warnings to the community that this kind of danger is a real technical possibility if we're not careful about how we engineer these systems,
Starting point is 00:13:45 about how oracles make AI functionality available to smart contracts. Because the way it would work is like, let's say you'd have the smart contract and you say like I specify some program that should be run in this TEE as an example, and then maybe anyone could go and download this program and, you know, get access to Intel SGX server, which, you know, presumably is easy to do, and then they would run this program in there and then they would write the result together with the proof that that's what they did on-chain and get some kind of economic reward.
Starting point is 00:14:29 Yeah, there are a few ways to do this. So one would be to download the latest model model or whatever and stand it up in a TEE, as you're suggesting, and that it would be executed by nodes in the Oracle network. Or if you're happy just sending it off to a particular web service, you could actually query ChatGPT itself. One of the benefits of standing up a model in a TEE is that you can provide what's known as an attestation,
Starting point is 00:15:02 certain forms of TEE provide what's known as an attestation, which tells you exactly what application you're running, exactly what model, and exactly what the environment looks like. If you go and query a service like ChatGPT, it's changing under the covers, frequently, so you don't know precisely what you're interacting with. And in the case of smart contracts, you really do want to have, in general, a precise notion of how the smart contract is going to behave, and therefore how the Oracle
Starting point is 00:15:30 it depends upon is going to behave. So you mentioned we have to be careful in how, you know, Oracles, LLMs are engineered so that something like that doesn't happen with these rogue smart contracts. I mean, it seems, is that possible? Or is this just something that would be like a fundamental capability of these systems? Because that's like, or like how do you think the blockchain AI intersection should be approached to, you know, maybe prevent malicious use cases and allow us to leverage the most positive use cases? That's a great question. Of course, it extends beyond the intersection of blockchains and AI.
Starting point is 00:16:19 How do we prevent smart contracts or any kind of blockchain functionality that's doing harm from continuing to run in an autonomous way? And people have proposed various approaches, right, like security councils, in the case of DAOs, which could be instantiated elsewhere. One could imagine the techniques that are being developed for AI safety deployed within an Oracle system. So happily, the problem is broad enough so that people are thinking about it in other contexts.
Starting point is 00:16:54 And I think also we can kind of turn this question on its head, and rather than just thinking about Oracle systems as a way of enabling this intersection potentially in ways that are harmful, think about them as gatekeepers and contemplate ways that they can help enforce AI safety. And this is one of the things I've started to think about recently. So for example, I mentioned that it's very helpful for smart contracts to know exactly how an Oracle system is operating, because that gives you the determinism, the precise notion you want about how a smart
Starting point is 00:17:34 contract in turn is going to behave. And so what we really want to have are what I would refer to as pinned models, models whose specifications are made fully transparent to users and can sort of be pinned down, locked in place, if you will, fixed. And this, I think, can be very useful in ensuring that models don't behave in unexpected ways, that we can at least have a good understanding of which model we're dealing with and potentially test it to determine how vulnerable it is to, say, adversarial examples or how likely it is to produce hallucinations. So that's one example of a way that we can build systems that have, with AI safety in mind.
Starting point is 00:18:21 So AI in crypto is an area where, you know, there seems to be a lot of, or there's a lot of interest in it at the moment. At the same time, it's a little bit unclear, you know, what are, what is actually going to work, what's actually going to be valuable. Do you have a view on the kinds of use cases and applications that this AI plus crypto or AI crypto intersection will be most suited for? Yeah. I mean, broadly speaking, one of the strengths of smart contracts is the fact that they're written in code and therefore they provide rigid specifications of an agreement, a system that
Starting point is 00:19:07 users interact with. One of their weaknesses is the fact that they are written in code and therefore are rigid, right? To give you this very specific interface that lacks flexibility. Flexibility can be harmful in that it allows for adversarial behavior, but it can also be beneficial. And in fact, the lack of precision in contracts written in natural language, ordinary legal contracts, is actually regarded by the legal community as a feature. It enables you to deal with unanticipated circumstances. And this is something that smart contracts, as they're engineered today, can't do. You can't bake into Solidity very easily a condition that says, contract will be canceled in the case of an act of God, broadly defined, right?
Starting point is 00:20:08 You can only give a precise specification of when the contract is going to be canceled, and you can't always anticipate all the reasonable circumstances that you might not want to cancel it. But if you combine smart contracts with machine learning models, with LLMs, for instance, you can endow them with some of that flexibility we benefit from in the real world. And that, I think, opens up a whole range of new use cases. And furthermore, if you combine this with some of the privacy-enhancing technologies that have been developed specifically for blockchains, or I should say have been catalyzed by blockchain
Starting point is 00:20:45 use cases, then I think the proposition becomes very powerful. So, for example, today the rigidity of smart contracts when it comes to loans constrains us to, for the most part, to over-collateralized lending, right? Things like MakerDAO. But you can imagine a system in which users are, thanks to use of a privacy-preserving Oracle system, able to import financial documents from trusted financial institutions, trusted by a lending smart contract. Those documents get interpreted by an LLM to assess the creditworthiness of the user,
Starting point is 00:21:31 and the user gets to take out a loan on that basis. In other words, you can imagine a smart contract now looking more like a real-world lending facility or institution. That's just a rough example, the type of thing you can do when you combine these two technologies. Now, there are lots of challenges involved, like the ones that I alluded to earlier, adversarial examples, in other words, malicious manipulation of machine learning models, and hallucinations, machine learning models making stuff up. But I think this broad idea of endowing smart contracts with useful flexibility is what makes the combination of the two technologies so potentially transformative. So one thing that, I mean, you've done a ton of work on,
Starting point is 00:22:22 And it's probably, I mean, it was when I got into crypto, you know, it was from when I got in crypto, you know, 11 years ago or more, it was already like the most, one of the most, the ideas that excited people the most was the idea of DAOs. So the idea that you could have these organizations that are like on chain and, you know, people use tokens in some way to coordinate and they could be kind of, you know, replacement or successors to corporations or cooperatives or nation states or like all kinds of, you know, existing legal institutions that, you know, humans use to do things together. Now, I think if you look at today, the state, I mean, probably most people, right, if you, from back then, would be disappointed in the state of DAOs today, right? To the extent to which they are used and to the extent to which they have traction, like the places where we see traction today, you know, like stable coins,
Starting point is 00:23:25 DeFi stuff, they're generally different types of use cases. So what do you see as like the state of DAOs today and what are your thoughts on the role that DAOs can play in the future? Yeah, I find them really intriguing. And we're doing this kind of grand experiment in governance across the blockchain community, thanks to DAOs. That experiment is taking stumbling steps at the moment. And I think there are a few different reasons for that. One of the challenges that my group has been looking at recently in particular, I think one of the stumbling blocks,
Starting point is 00:24:09 is not knowing how to measure whether or not a DAO is successful. If we don't have objective measurements whether a DAO is functioning correctly, then we don't know how to conduct the experiment, if you will. So in particular, we've been asking, what does the D in DAO really mean? What is the, what is the decentralized part? You can say the fact that a DAO is running a smart contract means it's decentralized. But typically people are more interested in intuitive ideas like making sure that a diverse set of opinions are heard, or credible neutrality is a phrase one often hears.
Starting point is 00:24:48 So one would like to have these things in the DAO, and I think we would in general regard these as marks of success if achieved. But again, we really need some way to measure these things. Typically the way that people are measuring decentralization in DAOs today is just to look at token holdings across addresses. You say that if tokens are spread broadly
Starting point is 00:25:12 and token holdings are more or less equal across a large number of addresses, then the DAO is decentralized. But this is kind of a simplistic way of viewing decentralization, and there are lots of things that it can miss. A simple example would be one user holding a multiplicity of addresses. You could have a whale under the surface of the water, as it were, right? And then this measure of decentralization would be completely wrong. And in general, alignment, sort of hidden alignment among different voters would constitute a centralizing force. And that's something we really need to take into account if we're going to measure the decentralization in DAOs effectively. So what my group has done recently, and this is work led by my PhD student, Andres Fabrega, is to formulate a,
Starting point is 00:26:12 a new metric that we call voting bloc entropy. And basically, the way it works is as follows. Entropy is essentially a measure of how evenly distributed tokens are across addresses. So when I said people look at distribution of tokens across addresses to determine whether the DAO is decentralized, they're basically measuring entropy across addresses. Instead of measuring entropy across addresses, we measure entropy across aligned sets of voters that we call voting blocs.
Starting point is 00:26:44 You can think of them as being like political parties. And in this way, we can detect forms of alignment in the community. And that, we think, gives us a better handle on how decentralization works. And in fact, this idea we have found is rooted in some of the principles and practices of machine learning, believe it or not,
Starting point is 00:27:08 reinforcement learning in particular. We think of a DAO as a big organism that's trying to learn things. And it turns out that diversity or decentralization has been shown experimentally to be important in the learning process, if you conceptualize DAOs as a learning system. And so we can take ideas from reinforcement learning, in particular multi-agent reinforcement learning, map them onto the DAO space. And now we have this metric in hand. And we think that if you can measure decentralization effectively, then we can overcome some of the uncertainty and challenges that the DAO landscape is confronting today. But you would take that from the voting behavior, it's just like some governance vote,
Starting point is 00:27:54 you'd be like how often people vote in the same way? Or like... Yeah, yeah, great question. So in theory, you look at what we refer to as... or what I referred to as the utility functions of the voters. In other words, how much they tend to like particular proposals, how they value particular proposals personally in regard to their own interests. But of course, we don't know voters' utility functions.
Starting point is 00:28:26 Voters themselves often don't know their utility functions. They don't know what their opinions are on questions you haven't asked them yet, and sometimes even on questions you have asked them. But we can observe how people have voted. And a voting bloc in this view would be a collection of users that have tended to vote the same way historically. That's something we can observe experimentally. Yeah. So you'd imagine that like those that have less of these voting blocs or people vote more in a variety of different ways,
Starting point is 00:29:00 presumably making more of their own decisions as maybe like I don't know, following some kind of, you know, maybe following some leader or following some particular group that tends to have a big influence. So you imagine those kind of DAOs would be more performant or, like, actually function better over time? That's what the theory suggests. So again, if you think of a DAO as learning to improve some objective function, to achieve some goal, say it's an investment DAO.
Starting point is 00:29:31 And so it's learning how to make profitable investments. What the literature, the relevant reinforcement learning literature suggests is that a diversity of viewpoints, taking into account a diversity of viewpoints, is going to make for more effective learning, and therefore will make for a more profitable DAO over time. And in fact, we've stood up a dashboard on this metric. It's called voting bloc entropy, as I said, or VBE for short. So I use the term vibe. So we've got this vibe dashboard that shows the relative vibes of different DAOs.
Starting point is 00:30:08 And we observe that some DAOs that are known for having communities particularly concerned to achieve high levels of decentralization or to take differences of opinion into account, like some of the prominent L2s, Arbitrum, Optimism, actually are exhibiting high vibe today. In other words, according to this metric, have high levels of decentralization. So there seems to be, even within the DAO community, some confirmation that this metric is helpful. Yeah, great. Yeah, and I just found that dashboard. So I'm going to include it in the show notes.
Starting point is 00:30:47 Okay, so then you're measuring basically this kind of entropy. And have you tried to correlate this with something? What are the main metrics higher voting bloc entropy correlates with? Well, as I said, at least in principle, it should correlate with a better functioning DAO, in other words, a DAO that was better able to achieve its objectives. At this point, the DAO community doesn't have a long enough history, and we don't have a large enough set of DAOs to perform the type of experiment we would like to perform, to see, for instance, if investment DAOs with higher vibe have performed better over time.
Starting point is 00:31:30 That ideally is an experiment we'd like to do, and it may be that we find some form of natural experiment within the blockchain community or elsewhere that helps us confirm in this sense the value of VBE. But as I said, the dashboard does seem to show that DAOs that are known for having particularly vibrant communities with a multiplicity of opinion exhibit higher levels of vibe today.
Starting point is 00:32:02 Right, right. And now, what are dark DAOs? Yeah, so this is, well, as the name suggests, the dark side of DAOs. These are something that my group has been thinking about for many years now, and we've started to revisit in our research because we've realized that the platforms
Starting point is 00:32:22 that realize dark DAOs are useful for other purposes, and actually could have a pretty sweeping effect on the crypto ecosystem. So dark DAO as originally conceived, and it was my then PhD student Phil Daian, who was leading work on dark DAOs at the time we were first considering. As we were defining it then, dark DAOs were DAOs whose purpose was to disrupt or influence the operation of victim DAOs, if you will. And to do that through bribery, voting bribery. They were dark in two senses.
Starting point is 00:33:04 Dark in the sense that they had this kind of malevolent or at least adversarial goal, swing votes on proposals in the DAO. Dark also in the sense that we showed that they could be constructed confidentially. And we were considering at the time the use of trusted execution environments for this purpose. So in principle, you can set up a DAO in a trusted execution environment whose operations and behavior are not visible on chain that orchestrates bribery, allows voters in a particular DAO to go claim rewards if they commit to voting a particular way.
Starting point is 00:33:47 That was the idea in the nutshell. As I said, this has more sweeping ramifications because it turns out that the ways that you would enforce compliance with a bribery regime and a dark DAO can be used to manipulate other systems as well. We can talk about some of the potential other impacts of dark DAO-like approaches to control. So like an example here would be there is a, you know, some community pool has some money in it and I make a proposal, pay it to me, and I put up some bounty that anyone who votes in this direction can then, for example, get a bunch of it.
Starting point is 00:34:32 Maybe I put like half of this payout in that pool, and then people who vote that way can basically sort of get the money and plunder it. Something like that would be like an example. Yeah, so that's basically the idea. And in fact, such bribery markets exist today for certain DeFi protocols. It was basically a quarter billion dollar market in on-chain bribery protocols. But the particular danger that a dark DAO poses is the fact that you can do this
Starting point is 00:35:11 confidentially. And that means it's hard to orchestrate defenses against it. The basic technique involved here is something we call key encumbrance. Basically, the idea is that you hand over your private key to an application running in a trusted execution permit. Think of it as a private smart contract. So your key is now sitting in this private smart contract. It's like a wallet contract. And you can use this contract to commit to doing things, like voting a particular way in a doubt.
Starting point is 00:35:44 But you can also have this wallet contract, if you will, private wallet contract. have you commit to doing other things or constrain uses of your keys in other ways so that you can take the control you have over particular assets, either governance tokens or something else, and do a whole range of interesting things, lending them, selling them, renting them. And that, as a set, can have pretty sweeping implications for the crypto-and-co system as a whole. So to give an example here, let's say I'd have a token like Lido. I would then basically, like let's say some kind of wallet would be created that presumably
Starting point is 00:36:36 that would be, like, maybe the code would be open source so I could inspect it, and then it would run on some TEE and I would put my coins on there, and then, for example, let's say they would be locked there for a month. I couldn't transfer them out, and someone else could just vote them but not do anything else,
Starting point is 00:37:01 so use them in governance, and they compensate me for that, and then after a month I can sort of, like, take them out again. Something like that. Exactly. So you need to generate your key inside this wallet, because if you generate it elsewhere, then you have control, individual control over it, as opposed to having the wallet control it exclusively.
Starting point is 00:37:24 But yes, so you'd set up a wallet and indeed you can lend assets that way. And you can do lots of other things. So for instance, there is this notion of soulbound tokens, which are credentials that a user is not supposed to lend to others, as the term soulbound suggests. It's supposed to be associated with a single individual for an entire lifetime. Well, if you had a soulbound token in this environment, in this key encumbered environment, confidential wallet environment, you could lend it out to someone else, and the fact that you were lending it out would not be visible on chain. And so you would basically be breaking the fundamental property of the soulbound token,
Starting point is 00:38:07 no longer be soulbound. It's another example. Yet another example would be pre-selling airdrops or taking tokens that are supposed to be subject to a locking period and unlocking them prematurely by transferring ownership in this kind of hidden wallet off-chain. These are a couple of other things you could do with this type of environment. How would such a wallet be hosted?
Starting point is 00:38:36 because, like, somebody, it is now in some server, let's say it runs Intel SGX, and, I mean, presumably someone could just unplug that server and maybe they can't, like, steal the money, but also they could sort of interrupt it from functioning. Or would this have to be its own decentralized network? So there are a couple of options here.
Starting point is 00:39:02 One is to use a centralized system like a cloud provider. They have pretty good uptime and pretty strong guarantees around the availability of resources to end users. But of course, they're not decentralized systems. They don't give you the guarantees we're accustomed to in Web3. An alternative is to use a TEE-based blockchain like Oasis, or Secret Network or something, which are designed essentially for applications of this type, obviously not the malicious variety, but applications that run the equivalent of smart contracts in trusted execution environments. But like, let's say in the first example, if it's like on AWS or something, then well,
Starting point is 00:39:49 some party still has, you know, it's the owner of the AWS account and they could go in that admin dashboard and be like, oh, stop this server from running. Yeah, so that indeed would be a potential risk, right? So you would need to find some way to prevent that from happening. And not entirely clear how you do that, but you may be able to lock yourself out of your own account demonstrably, or you can have a group administered service or something else. The other example would be, like let's say the Oasis example you made, that I guess sort of ties, seems to tie in a little bit with this like chain abstraction topic, for example, right?
Starting point is 00:40:37 Because let's say Oasis is its own blockchain. If I would want to control some, let's say, Lido token, right, which can vote on Ethereum or it's an Ethereum token, then I'd have to be able to generate like an Ethereum address in there, have an Ethereum contract, and then it could generate, emit this signed transaction from Oasis that then somehow somebody would take and broadcast on Ethereum? Yep, and that's exactly what we're doing in a research project we'll be releasing a paper on imminently. This is led by my PhD student, James Austgen. We have created a system we call liquefaction that runs on Oasis, but enables all these applications in Ethereum or on any blockchain of your choice. So the key is encumbered or controlled in or sitting at a wallet in Oasis,
Starting point is 00:41:33 but the key is for assets on some other blockchain potentially, like Ethereum. Cool, cool. I mean, presumably also lots of non-nefarious utilities for this kind of application. Yeah, so two important things to point out. Number one, there are lots of beneficial applications as well. So an example would be, for instance, a privacy preserving version of ConstitutionDAO. You remember ConstitutionDAO raised, you know, tens of millions of dollars to buy a copy of the U.S. Constitution at auction, but the project was completely transparent. So, you know, a hedge fund manager was able to come along and easily outbid them. You could create a confidential version of ConstitutionDAO where investors get either no indication or only a very general indication of what funds have been raised up to a certain point. You could do that.
Starting point is 00:42:29 And there are lots of other potential applications as well. We're basically talking about turning assets liquid, right? And liquid staking, you might, depending on your perspective, view as a positive application. And liquefaction, if you will, liquefaction of other assets can be beneficial as well. Second important point to make is that if you don't want your system to be subject to liquefaction of this type, if you want a system whose assets can't be liquefied, there is a countermeasure to key encumbrance, to use of TEEs and those ones.
Starting point is 00:43:07 And that's something called complete knowledge. And this is a system that, or idea that my group developed in collaboration with Vitalik Buterin. And the idea essentially is that in order to use the system, you need to prove that the key you're using, private key you're using to interact with it, is not sitting in a TEE application of the type we've been describing. It's not encumbered. How do you do that?
Starting point is 00:43:36 Well, one simple way is to fight fire with fire. You generate your key in a TEE application that spits out the key and then proves that it spit it out. In other words, it demonstrates that you, the user, know the key and therefore can't be controlled exclusively by one of these confidential wallets. So it's a fairly practical countermeasure. Could you run the TEE inside another TEE or something to then prove that you discarded the spit-out key? Yeah, so that would be a problem.
Starting point is 00:44:10 If you had nested TEEs, then we'd be in trouble. Or you would need a nested proof of complete knowledge. Go down that path and things get pretty tricky. But you make an important point, which is that we're assuming at least in the initial development of these things, that there are no nested TEEs sitting around anywhere. Yeah. Okay, okay, great. I guess we are starting to see stuff like that. I mean, I feel like probably the most, one of the most obvious use cases, right, for TEEs, I do imagine is that kind of intersection, right, between, I mean, we've kind of talked about.
Starting point is 00:44:52 I started earlier with the Oracle thing, right, where you have some smart contract and the smart contract wants to be able to use an LLM, right, and then have some kind of something, you know, LLM is called off chain and the result is written back on chain. And I mean, I think that could be interesting from the perspective of, you know, this AI crypto merger, but maybe also actually very powerful to get DAOs really to the place where they become more powerful and functional. I mean, I know, for example, the topic of, you know,
Starting point is 00:45:32 prediction market is also one thing that people were, you know, been very interested in since the beginning and they've kind of haven't gotten too much traction, maybe except some like very limited use cases like the elections. But I know, for example, the Gnosis people that were working a lot of that, they felt that like, well, if you can have like LLMs that are basically playing, like that are betting in these prediction markets, maybe you can start having, you can start actually using them for like fine-grained decisions somehow.
Starting point is 00:46:04 Yeah, so TEEs would be a good way to execute LLMs with strong trust assurances. I mean, we do, TEEs are very powerful, and as you know, they're making real inroads into the crypto community. It is important to emphasize that historically they've had pretty serious security vulnerabilities. And so, of course, a lot of people are skeptical ultimately about what sort of security we can afford. And additionally, as you were pointing out earlier, a TEE on its own doesn't give you any kind of liveness or censorship resistance guarantee. For that, you need to have a network of TEEs in place.
Starting point is 00:46:46 You need to incorporate them into a blockchain or a decentralized oracle system or something else. But that said, I think they're an incredibly powerful and promising technology, and I would expect them to have a huge impact on the crypto ecosystem if we can live with their potential vulnerabilities. In fact, they are able to do essentially all of the fancy cryptography that has received so much attention of late in the crypto community. Zero-knowledge proofs would be an example, or secure multi-party computation. All these things essentially get consumed by TEEs if you trust the TEE. Yeah, and they become much simpler, much more achievable in a short term,
Starting point is 00:47:29 and much cheaper and more scalable, right? Because I guess with things like ZK, right, very computationally intensive, slow, and a lot of challenges around that. Yep, exactly. So TEEs, I mean, we mentioned SGX a bunch of times. I think that's as far as I am aware, I don't know, but it was maybe like the first one or first one to get like traction,
Starting point is 00:47:54 so created by Intel. But of course, always one of the concerns was like, well, this is like, you know, one large company that controls these. That could potentially, I think also like maybe, I don't know if that's actually true, if they could like sort of attest or declare things to be a TEE that an Intel SGX server that actually is not. Is there a lot of innovation happening there?
Starting point is 00:48:19 Do we see a lot of maybe open source TEEs or alternatives where you're not as dependent on Intel? Yeah, so a few things to note here. Number one, the range of TEE technologies available to the community is slowly growing. Recently, Nvidia, for instance, has started to support. It's actually an extension to the Intel trust domain in its GPUs. AMD has a kind of variant of the Intel TEE, and in fact, Arm has begun to incorporate recently into its chipsets, TEEs that look like Intel TEEs.
Starting point is 00:49:10 TEEs, to be clear, have been around for a while, and if you have an iPhone, you've got a TEE, but some of them, like the one in your iPhone, lack what are known as attestation capabilities, the ability to prove things to third parties. But all of the different variants I mentioned just a moment ago have attestation capabilities. So TEEs with attestation capabilities
Starting point is 00:49:31 have become more widely available. Those are still not open source. There are attempts to create open source TEEs with attestation capabilities, but that's a really challenging problem that encompasses both computer science and physics. And I don't have tremendous confidence that we'll see anything of that kind in the near future.
Starting point is 00:49:55 Maybe one more topic that we can touch on. So, you know, I mentioned earlier, your work around MEV. You know, you co-authored with Phil Daian, who went on to start Flashbots, the paper Flash Boys 2.0, which was sort of the inception, certainly in the mind or in the awareness of MEV.
Starting point is 00:50:21 And you've done some work around proof of fair transaction ordering. Can you explain what does that mean? And how does that work? Yeah. So since the Flash Boys 2.0 paper came out and since the rise of, in some cases, exploitive forms of MEV extraction. Not all forms of MEV are bad, of course, but there are detrimental ones around. My group has been thinking about ways to
Starting point is 00:50:52 mitigate the impact of MEV, ideally to get rid of most forms of exploitive MEV. One of the approaches that we've been looking at is what we call fair ordering, in particular fair temporal ordering, which is really just a fancy name for first come first serve ordering of transactions. And that seems like a simple thing at first, right? You set up some machine and it just orders transactions according to the time that it sees them. Turns out to be actually quite tricky if you want to do it in a decentralized way. And the reason is that if you've got a network of, say, 10 nodes receiving transactions, those nodes, depending on where they're sitting and where
Starting point is 00:51:35 the transactions originated, are going to see different transactions at different times and in different orders and somehow they have to reconcile their disparate views of when transactions have been received. In addition, maybe some of those network nodes go rogue and cheat and try to order transactions adversarially. So we've developed some techniques that address this problem, achieving forms of fair ordering that are resilient to some number of malicious nodes and provide some nice properties even when nodes see transactions at different times.
Starting point is 00:52:12 And this is something we worked on for a few years. The problem with the approaches we developed was that they assumed that you've got a quorum, significant majority of honest nodes. And the question is, how do you enforce that? We've seen that there's a willingness, I mean, there's a monetary incentive to order transactions in ways that support arbitrage
Starting point is 00:52:36 that allow users, to put it bluntly, that allow users' pockets to be picked. If there's money on the table, somebody's going to pick it up. So how do you ensure that nodes are actually ordering transactions fairly? And we couldn't find a solution to this problem until recently when we developed a system that we call PROF, which stands for protected order flow. The concept behind PROF is pretty simple. And again, it leverages trusted execution environments, as we're discussing that.
Starting point is 00:53:07 very powerful, a number of different things. So here's the idea. Transactions get ordered, let's just assume that some transactions get ordered fairly and are incorporated into a bundle in the TEE. And you can order them fairly however you like, using the first-come-first-served approach I suggested, or just have transactions enter the TEE in encrypted form. That can also ensure some degree of fairness,
Starting point is 00:53:30 or both. There are a number of different ways you can do this. But let's suppose you've got this bundle of fairly ordered transactions sitting in the TEE. The question is now, how do you get those transactions on chain in a way that is going to carry the right incentives? How do you incentivize validators not to muck with these transactions, to accept the bundle in its fairly ordered form? PROF does this in a very simple way. It takes a block that was about to go to a validator and it basically adds to it, internally, this fairly ordered bundle. And it makes this take-it-or-leave-it proposition to the validator. And I'm simplifying things, of course, not in all the nuts and bolts infrastructure.
Starting point is 00:54:17 It offers this kind of take-it-or-leave-it deal to the validator. It says, okay, you can take this block that has this extra bundle attached. And if you do that, we're going to give you a little extra reward, like an epsilon reward, say an extra penny. So you can do that, but you have to leave the bundle intact, and the TEE is going to make sure that you leave the bundle intact. Or you can just not take the bundle. You get the original block and then you give up the penny. Well, a rational validator, profit maximizing validator obviously is going to choose to allow this bundle to be appended to the end of the block. It's better to have an extra penny than not. And so this simple mechanism, we think, makes fairly ordered transactions monetarily
Starting point is 00:55:03 appealing within existing infrastructure, you know, within the PBS infrastructure and supply chain. Okay, actually I didn't totally understand why that would be the case. So you're a validator. I'm giving you a choice between two blocks. Give you block A, which was constructed by a builder somewhere, right? So this is, oh, so you're assuming here the proposer-builder separation, so this is? Yeah, so we designed it to work with proposer-builder
Starting point is 00:55:34 separation, although it can work, it operates on a pretty general principle. So it could work outside existing PBS infrastructure. But the idea is, you know, you can take this block A, right, which is just constructed by a builder, constructed somehow, it doesn't really matter. And you get a certain reward, you know, reward R, R dollars. Or you can take block B. What is block B? Block B is block A plus this extra little bundle with a one penny additional incentive. So if you take Block B, you get R dollars plus a penny. And obviously you as a validator, you want to maximize your profits. You're going to take Block B. We'll take the extra penny. And in so doing, you will accept this fairly ordered bundle that comes at the end of Block B. That's the idea in
Starting point is 00:56:24 the nutshell. Yeah. So I mean, actually at Chorus One, so the company I mainly run, so we have done work on exactly that problem with the dYdX chain. And basically the thing we did there, the solution our research team designed, which is the thing that ended up implementing, was basically to say that, like, you know, each validator would have their own local. I mean, there's no proposer-builder separation, right? All the transactions go to the validators directly. but then each validator would basically, you know, have a local order of transactions as they receive it.
Starting point is 00:57:05 And then when the proposer creates a block, they would basically see like, oh, how much is the divergence of that from the other validators and sort of score that? And then, you know, if the other, I mean, it basically accepts that there is like some divergence, right? because validators will receive it in like somewhat of a different order, but that if it was like, you know, too much of a divergence, then basically, I mean, basically the block is scored in terms of how much it, by each validator, how much it diverges from their own local view. And then you basically have this kind of statistical thing, right, where it could be like, okay, if they were to sort of muck with the transaction order,
Starting point is 00:57:48 you know, you'd start to see this divergence and then they could be slashed. That's kind of like the approach. that was taken there. I see. How do you prevent the validators from colluding so that they're all ordering your transactions the same way and they're indreducible? Yeah, you couldn't, like,
Starting point is 00:58:07 you couldn't really prevent that if there's, but you would have to probably have, like, a lot of validators colluding, right? Or, like, I mean, it would still be detectable, I think. Yeah, it depends, right? If you have everyone colluding, of course, they could obviously cheat this mechanism. And if you have a majority colluding, then they could maybe make the ones who are actually honest look like the ones who are messing with the order, right? But I think given that, I mean, this is also a little bit of a different dynamic, or what, given that, you know, the validators are chosen by the dYdX token holders, you know, who have an interest in the health of the system.
Starting point is 00:58:48 That helps. You know, it's very unlikely that you're going to have, you know, a bunch of malicious parties that basically, control all the stake on and then collude against the network that just, you know, it doesn't really, it's not very incentive, extremely unlikely to happen, I think. Yeah, that makes sense. In the Ethereum setting, of course, you can't just see that validators are not going to collude. That's what makes it especially challenging.
Starting point is 00:59:19 But in the setting you're describing, it makes sense that validators are chosen by the community, they're more likely to be honest. It's essentially a permissioned set. Cool. So what are the, when you think of the next year or two years, what are the research questions currently that, you know, you find most exciting or challenging or important that you're focusing on? Well, one of them is thinking about how blockchain systems can be beneficial to AI in the way that we were discussing earlier, rather than just thinking about what AI can do for blockchains. People formulate a lot of answers to this question.
Starting point is 01:00:06 Some of them don't make a lot of sense to me, like being able to distinguish deepfakes and real content, I'm not sure I buy. But I do think that the tools that the community has developed for both integrity and confidentiality in the blockchain setting can be immensely useful in the machine learning setting. So that's one of the things that I at least personally
Starting point is 01:00:27 thinking a lot about. And my group, I think, will continue to explore DAOs and figure out best practices for governance. One of the things that we're trying to understand now is what the mechanics of voting should look like. Today, you know, typically happens in Snapshot, Tally, whatever, and there are some peculiar things about the way that those systems are built from the perspective, at least
Starting point is 01:00:59 of the academic literature. One of them being that ballot secrecy isn't preserved throughout the voting process. It would seem beneficial to ensure ballot secrecy, even through the tallying process, at least from the perspective of classical voting systems. In blockchain systems, there's a desire for some degree of transparency, though. So there's a real tension between what voting DAOs want, DAO communities want, and these kind of foundational properties. And that's something we're trying to figure out. And our hope is to design voting systems that preserve as much privacy as is compatible with transparency objectives in DAO communities. And that turns out to be quite tricky. That's another thing we're thinking about. And then this whole business of
Starting point is 01:01:52 liquefying assets and complete knowledge and figuring out the balance between those two, that's something we're still wrestling with. And I think there's a lot of research to be done more, a lot of interesting and impactful research. Cool. Well, thank you so much, Ari. I think you continue working on some really, like, interesting problems. And I think that definitely that whole TEE merging of AI blockchain, I think that's going to end up being like a super vibrant area. Actually, I was just at a dinner a few days ago where I don't know if you heard of this thing called goat and something terminal.
Starting point is 01:02:34 It's basically some kind of like AI, supposed AI that's kind of interacting with this meme coin. But like one of the challenges is actually that you cannot really, like, you know, I'm challenged, I'm like, wow, but is it really the AI that's like doing these things? Or is it like some, the person who, you know, because it's like off-chain, not verifiable. But I think it kind of points to, it points to the things that like, because I think very soon you will be able to have it that like, you know, you can have an AI starting to do stuff, right? And people interacting with the AI. And I think this is going to give rise to some very fascinating and bizarre things.
Starting point is 01:03:16 For sure. So yeah, thanks so much for coming on. I really enjoyed the conversation. And of course, for the people listening, I think you definitely go check out the book, The Oracle. I really enjoyed reading it. I feel it sort of points to some of the exciting, dangerous, scary things that will become possible with AI and crypto in the future.
Starting point is 01:03:42 So it was really well written too. So if people like science fiction, then go check out The Oracle. And yeah, thanks so much for coming on. I'm excited to have you again on at some point in the future, maybe before eight years have passed. And we can talk about, you know, all the new things happening in crypto. Thank you, Brian. It was a real pleasure.
Starting point is 01:04:03 Thank you for having me.
