Monday, July 2, 2018

Brief Lessons from Being a CEO in the Cryptocurrency Space

Professionally, I've been in the space since 2013 and almost all of that experience has been in some form of a leadership role (usually the CEO or director of something). After some reflections- thanks to my many long haul flights crossing either the Atlantic or the Pacific oceans-  I've decided to write down some thoughts on lessons I've learned.

The cryptocurrency space is an unusual animal in that it's not entirely a field of technology adhering to some leadership variant of a silicon valley startup or an established research group like DARPA. Rather it's an aggregation of a political movement, disgust of current systems, academic research, frustration over middlemen of necessity, a religion with cyperpunk roots, and a series of open source projects- I probably missed a few others.

Thus, one is left with contradictory leadership demands. For example, research is a slow, methodical process often laced with regressions and many alternative threads subject to strong opinions by brilliant, but somewhat difficult, people. Whereas the political and quasi-religious elements of the space demand sweeping statements, adherence to strict principles and a more emotional side that can sometimes bend facts in strange directions.

It's utterly unsatisfying to say it depends or suggest that decentralization might not be the best solution. One has to wrap this up in prose, obfuscated arguments or some other method (from Bitcoin to Burning Man is one such example). Yet, in practice, we all seem to converge to this pragmatism when building products and protocols. It's seldom said, but always felt that a large percentage of all cryptocurrency is held by third parties at exchanges or cloud wallets.

The point of our movement has been to develop better tools to identify when and how we can remove middlemen we don't want; not to blindly kill all middlemen for the sake of killing them. Centralization or federation can dramatically reduce costs, improve efficiency and sometimes is necessary to improve privacy.

For example, Lastpass provides a great solution for me to manage my many, many password, but doesn't actually have access to my passwords. I'm sure such a solution could be decentralized, but I don't see a point. Replicating an encrypted dataset, which I could already store locally anyway doesn't improve my security. It just seems to drive up costs and reduce user experience.

And frankly there are hundreds more examples. Abstracting my point, it's not about decentralization; it's about control. People want more control over their data, identity, reputation, assets and commercial relationships. Decentralization is a tool that can be used- with other tools- to achieve these ends, but isn't an end in itself.

The political side of our movement touches a different thread that gets conflated in the discussion. There are many whom hold libertarian or anarchist philosophies. They view this technology as a way of fundamentally restructuring society. Yes control over data, money and identity being decentralized is nice, but the point is these things are stepping stones in gradually reducing the relevance and power in institutions these factions see as immoral or even dangerous.

This philosophy has nothing to do with running an open source project. This philosophy has nothing to do with building more resilient and better customer experiences for consumers of digital products and services, but it's bundled into the movement itself and the business requirements of many of the cryptocurrencies.

Therein lies the conflict we are facing in this space. CEOs are forced to either pick a side or wear masks as they travel from crowd to crowd. Either you're a decentralize everything fanatic or a blockchain advocate who's here for the technology. Or you publicly moderate with some winks and a I feel your pain smile.

I cannot see such things being sustainable long term. Protocols being biased to political ends seldom has a good outcome. It's almost a design by political committee. We've already seen the impact with Bitcoin's evolution where very sensible proposals couldn't gain traction and very sensible people were demonized, silenced or even driven out of the space.

Furthermore, this statement might surprise some, but it turns out that many of the brightest minds in the world disagree with the decentralize everything movement. They don't share libertarian or anarchistic ideology. Should we be so quick to dismiss their contributions with such zeal because they aren't in the club?

During my tenure as the CEO of IOHK, I've been fortunate enough to carve out a fairly diverse enclave of thought. Some of our employees are hardcore socialists. Some are conservatives. Some, like myself, are libertarians. But we share common goals in trying to understand the problems our space can actually solve.

A particular thread has been our quest to develop sustainable, secure and incentives reasonable proof of stake protocols. This effort has now spanned millions of dollars, a half dozen papers, peer review at Crypto, EuroCrypt and other venues as well as collaboration from people at more than ten institutions.

As one could imagine, there is a massive difference of opinion on where and how such a protocol ought to be deployed. Even the Hyperledger Fabric guys want to get a piece of the project. Yet the common goals are clear and non-philosophical. We have a series of real attacks that have been discovered by engineers, researchers and those who study incentives that need to be addressed from nothing at stake to the honest majority problem.

Questions like what incentive does one have to be in the honest majority and how should slot leader selection be decided are meta to the underlying model. They are specific to the deployment of the protocol and the realities of the users of the protocol. The team deploying the protocol has to make a choice that will ultimately determine the level of centralization and the economics of the system.

The point is that such things ought to be explicitly discussed. They shouldn't be embedded within the underlying design of the protocol and silently accepted by those who adopt it. It's perfectly ok to say we are ruled by a plutocracy if the users of the protocol accept that structure. It's not ok to say your protocol is decentralized, but then economic realities provide all but the richest and best connected from participating.

Thus my first major lesson has been to try to extract the politics and philosophy from the objectively scientific and engineering problems and then be honest about choices we have made in our particular deployments. I wish more projects and their leadership would be honest here. 500,000 transactions per second is not a revolutionary new capability. It's either an artifact of deceptive marketing or architectural choices leading to massive centralization and trust.

Second, I've learned that it's extremely important to clearly understand relationships and commitments as early as possible. The nature of our space is that we are scattered throughout the planet. Modern communication tools are incredibly good at keeping us all connected and informed, but they are useless for promoting empathy, building real relationships or proactively communicating implicit concerns.

With Ethereum, I spent a huge amount of time worrying about the legal structure and how the project was going to be lawfully funded. Only a handful of people were directly involved in this effort out of commonsense and expertise. This meant that I only interacted with a handful of the hundreds of people involved with the project on a daily basis. The rest had to just assume I was doing stuff and hope it was for the best. In the absence of communication, opinion and speculation dominated yielding the aftermath many today are all to familiar with.

With IOHK, I invested much more time in simply building relationships with the people I work with directly or indirectly. This includes traveling throughout the world to see my employees in person. Sometimes a beer and a good conversation is all that is needed to build common ground and empathy. It seems simple, but it's so powerful and undervalued.

We also clearly define the roles and relationships for each new member of the team. It's a huge overhead for HR and line managers, but it resolves tons of issues before they even exist. Yet this model does not work for open source development. One cannot ask an engineer independently fixing an issue listed on GitHub to sign an NCA, NDA and report to a line manager.

The point of open source development is to move forward with both professionals and volunteers. Many of the most successful projects are completely built and maintained by unpaid volunteers. When a traditional open source project forks, it's usually a cultural, technological or philosophical difference (Robles and Barahona even wrote a paper about it). But what happens when one introduces concepts like tokens, premines and ICOs? Incentives and relationships change.

Investors of cryptocurrencies are addicted to the prospect of strong, centralized and reliable management of the development of the protocol as it has the potential to yield the greatest returns, but this management style is at odds with the point of cryptocurrencies, which ultimately require governance by the many and in the open to be sustainable.

Furthermore, the existence of premines, ICO funds and other stores of value create a goldrush of crypto-lamprey fish seeking to attach themselves to a project to extract tokens rather than make contributions. Add some demagoguery and buzzword salad and you have your standard crypto-evangelist.

These actors bring me to my third lesson. Conflict, pain and principles are a prerequisite to success. I learned this most directly with the Ethereum Classic (ETC) project. To me, ETC is Ethereum. The original social contract was that we were proposing the world's most expensive and inefficient computer in exchange for absolute certainty that the code deployed wouldn't be modified due to outcome on some group whether it be a company or government.

Suddenly the DAO hack occurs and the social contract was changed to well it will run as written except this time because it's just too painful to this particular group. Nevermind that group blindly gave $150 million dollars to an unaudited smart contract with no checks and balances. Nevermind the lack of consumer protection put into the offering- likely due to a crude attempt to evade regulation.

People made a poor choice. The point of cryptocurrencies is to let people make poor choices and to force them to accept the consequences of their actions. This clearly is no longer the point of Ethereum. So those that wanted to keep it that way created ETC.

During the early days, there was tons of chaos. Some of the more colorful community members even attempted to hijack ETC for some purpose or another. But yet, the community stuck to its principles and now has stabilized around a very decentralized group of leaders. No one is in control. Reasonable software is being maintained. ETC just keeps living.

The value of ETC is no longer about carrying out the mission of Ethereum. It now seems to be a sandbox to figure out how to move forward without anyone having a mandate to do so. Unlike Bitcoin, there isn't a 100 billion dollars to protect nor thousands of companies pulling in different directions. Rather it looks much more like a normal open source project.

There was a lot of conflict and pain in getting to this state, but it was achieved only by keeping with a set of principles. Maybe they are too harsh for normal people. Maybe they won't allow the protocol to grow beyond a certain critical mass. Ultimately the market will decide, yet that doesn't make ETC any less meaningful as a project to the people who use it.

This last point I feel is the most valuable our space has demonstrated. Ultimately cryptocurrencies are composed of people who agree to something. While these agreements might be entombed in code and protected by clever mathematics, they are used by people.

People decided that the original vision of Ethereum made sense to keep alive and thus we have ETC. People can just as easily abandon it as they have hundreds of failed projects. A good leader in this space has the ability to rally people to a common cause and give them the tools to decide what to do about it. A bad leader tries to inflict his personal view on the masses for their greater good.

In a way, I think this gives some justification to the enormous market capitalization we are seeing alongside the cult like enthusiasm. From a practical sense nothing has been produced by Bitcoin or any other project to justify a cumulative valuation greater than some of the world's largest companies and even countries. From a social view, how much is the freedom to re-imagine the entire fabric of the world's marketplaces worth?

Money and governments are artifacts of promises and future commitments. They don't actually exist, but the belief in their power is what actually gives them power. It seems the belief that Bitcoin is worth a 100 billion dollars or that one social contract is superior to another is all that is really needed to actually realize it.

Thus to all future leaders of our space, I'd like to say separate your objective from subjective, clarify relationships as well as understand conflicts of interest and stick to your principles even in the face of conflict. And try to have fun while riding the roller coaster, it's sure to be an exciting journey.



Friday, April 6, 2018

A Brief Update on Cardano

After returning from my yearly global Sojourn, I wanted to update the Cardano community on the status of the project. Since the beginning of the year a lot has happened. Cardano continues to grow at a rapid pace and the project is evolving into a new stage.

The Byron release back in September of 2017 was an experiment for IOHK. It's the first cryptocurrency we have launched as a company. It's the first time we've had to manage public release cycles, segregated stakeholders (general public, exchanges, developers, etc). Furthermore, the Cardano project has a half dozen software companies collaborating thus we are forced to invest a huge amount of time in coordinating, communication and timezone overheads.

Since the September release, we've learned a huge amount about all of these processes and also in dealing with the needs of our broader community. We certainly haven't achieved a Nirvana like state of perfection, but processes have definitely improved.

I'd like to share some of these improvements as they are mostly hidden from the general public, yet have a huge impact on our ability to deliver a long term roadmap. First, since September, IOHK has built a tremendous amount of project management capacity led by Elieen Fitzgerald: and

Under her department, Eileen has managed to capture business requirements, draft project charters, improve our resource allocation and budgeting processes, improve development estimates, get better weekly reporting and manage the inter-dependencies between projects. We also have had an increasingly easier time managing third party relationships like our partnership with Runtime Verification on the K framework, IELE and smart contract research.

Some of the outputs of these processes are that we are moving to regular release cycles for Cardano with the first cycle starting next week on Friday. Our hope is to cut a develop branch for release and then run the release through a rigorous QA cycle currently planned for one month. Over time, this cycle can be shortened through automation and parallel processes speeding up delivery. Thus updates will become more frequent, higher quality and encumber less user disruptions.

The goal of the PMO department is to ensure when we give a date for delivering a feature, a release or a major update that the date and quality is met. This goal is one of the hardest to achieve for a software company and much more so given the nature of software we build, but it's also incredibly important for those who rely upon us for their own commercial interests.

Over time our project management methodology will become increasingly public and eventually be ported into a public github repository. We'd like for IOHK's approach to be a creative commons process that other software companies and projects in our space can benefit from and add to as they pursue their projects. Also, we'd like to explore lighter weight versions of the processes for DApp development so that our developer community can follow best practices.

Second, dealing with exchanges and other actors such as Ledger, we've been systematically redesigning Cardano's architecture, APIs and other components to be more friendly for those who wish to use our software. For example, you can see our new APIs here.

Another output has been moving our development towards a specification driven process. The first component of Cardano SL to be ported is our wallet backend with the following formal specification:

Figure 1: Cardano SL's Formal Wallet Specification

The goal is that each part of Cardano will be specified in a format similar to the one above. These specifications are implementation independent, will eventually be analyzed using formal methods and can be used as a basis for test suites and improvement proposals. 

We are also aware that many want to build their own mobile clients or modified software. To this end, we've been exploring the best way of discussing a unified backend architecture. I would personally like to see dozens of wallets and great user experiences for Cardano materialize, but I'd also like to make sure that these experiences are useful, secure and easy to deploy if possible.  

Over the coming months, large chunks of Cardano's code will be ported over to- or replaced with- these specification driven designs. This likely won't be directly felt by our users. Rather just indirect symptoms such as things getting faster like recovery from seed, less issues connecting to the network, smaller memory and disk footprint as well as other improvements.

As we now have the talent, processes and clear roadmap, Byron will continue to rapidly improve and become more feature rich. The release we are cutting next week to QA will include paper wallets, much faster wallet restoration and numerous other fixes. We expect it to clear QA in mid-May and for updates to be released monthly thereafter to our users. 

Third, the most anticipated upcoming release is Shelley. Shelley is a massive project with many workstreams and scientific dependencies. It also contains many social processes involving community coordination and management. Effectively, Shelley is about turning over the network fully to the users thereby decentralizing as much as possible. 

The work we have done with Byron has given us operationally a great deal of knowledge about the best way of iterating towards Shelley; however, special care has to be placed in the consensus side of things. IOHK developed a custom proof of stake protocol called Ouroboros for Cardano. It has never been used in a cryptocurrency before and has a completely original design. 

Thus we have been extremely focused on a proper deployment of Ouroboros to the general public. Byron is running a version of Ouroboros with delegation locked to core nodes under the control of IOHK, CF and Emurgo and block rewards turned off, but when Shelley comes this cannot continue. Staking rights will be returned to the ada holders and delegation will be fully under their control. 

To be clear, Ouroboros isn't a forced delegated proof of stake protocol like EOS or Bitshares. It's a pure proof of stake protocol where every active Ada account is factored in for epoch elections. Anyone who holds Ada in a normal address in the global UTXO has a probability of being elected as a slot leader regardless of the amount of Ada they hold.   

However, the reality is that most will not want or have the ability to host consensus nodes and consistently show up to fill the slots they have been elected to commit. Thus, we developed a delegation system and the concept of stake pools for those users. 

Concisely, anyone can run  a stake pool. There isn't a minimum threshold of Ada or a special club. Rather there will be a blockchain based registration system and a special transaction type to register a stake pool on-chain. Registered pools will be listed in the delegation center of Daedalus and pulled directed from the Cardano blockchain thereby preventing censorship or bias. 

Over the last few months, we've had to invest a huge amount of careful design and security thought into the process of delegation. It turns out there are dozens of factors and scenarios to consider from cold staking to automation of rewards. But we have converged on a reasonable design for the Shelley release, which will be released soon on eprint. 

The summary is that Ada holders can create a delegation certificate for their Ada they hold and register it on the Cardano blockchain. This process effectively separates stake rights from the spending keys for their Ada addresses. Thus the delegation certificates can live in Daedalus, but the spending keys could be key offline on a paper wallet or ledger device for example. 

Delegation will be done via a special transaction and from a user experience viewpoint via the delegation center in Daedalus. One will find a stake pool they want to delegate to, select it, and click a delegate button. It's just that simple. As we launch Shelley testnets, we'll experiment with different user experience flows from length of delegation to partial delegation (splitting stake between pools).

Another advantage of this process is that unlike Bitcoin mining pools, as our protocol natively understands delegation, it can automatically pay rewards to those who delegated without trusting the pool operator. At the end of each Epoch, our goal is to close the reward pool via a special transaction paying all those who delegated proportionally to their delegation amounts.

Some benchmarks and threshold will have to be conducted over the coming months to optimize for space and prevent penny-flooding attacks. We will also need to explore different user experiences including notifications and other UI considerations. 

A natural question to ask is how will we ensure that when Shelley launches there will be enough stake pools to ensure a reasonable amount of decentralization? How will these pools establish their brand and reputation? We considered these concerns and decided to open enrollment for a collection of beta testing stake pool operators. 

The goal with this process is to identify a set of 50-100 independent entities geographically well distributed who would like to run a stake pool as a business. We will progress as follows:

  1. Collect as many applications as possible via: until the end of April
  2. Process and winnow applications until we have a good set of 50-100 candidates
  3. Invite the candidates into the IOHK slack and begin discussions about hardware configurations, deployment strategy, docker images, etc etc 
  4. When the Shelley testnet is launched, invite the stake pools to register and work closely with them to beta test various scenarios and experiences 
These beta testers will not get a special advantage or consideration when Shelley launches. They are just necessary to test Shelley's design and ensure our assumptions and choices are reasonable as well as improve deployment strategy and documentation. When Shelley launches, there will be a grace period where all those who desire to register a stake pool can do so and Ada holders will be free to choose to delegate to anyone they want. 

Once the grace period expires, auto-delegation will be turned off and rewards turned on. Cardano will be fully decentralized. 

In closing, Cardano is a huge project. There are so many brilliant minds, great engineers and parallel efforts that it's difficult to capture all of it in a single post much less just convey our progress. What's amazing to me is that we have really gotten great processes established and are daily moving forward (a fan made a great website showing our daily commits: 

What's also amazing to me is how quickly our scientific research is moving from the lab to code. Ouroboros has gone through over a dozen revisions and now is converging to a state where we can bootstrap from the genesis block without a checkpoint (an industry first for proof of stake). Our sidechains research is state of the art with a paper coming soon in May. 

We have also brought game theorists and programming language theory experts together. The output has been incredibly innovative with new accounting languages like Marlowe:

Figure 2: The Marlowe Programming Language

And an increasingly richer theory for incentives for stake pools, network maintenance other other topics requiring an honest majority for Cryptocurrencies to run properly.

I'm astounded how we are able to think in systems now and by the quality of the people on the Cardano project. It's taken years to build this team and go from dream to regular status reports. I look forward to achieving our milestones and seeing Cardano change the world. 



Sunday, March 11, 2018


Chantal Westby's Maelstrom
Recently there has been a controversy over a tweet from one of IOHK's employees named Darryl McAdams. The tweet commented on her desire for IOHK to recruit more female and transsexual employees. This opinion has raised broader questions about IOHK's hiring practices and overall philosophy on diversity, inclusion and other social topics. 

First, to state very directly, IOHK does not maintain or endorse quotas, bias or an archetypal vision of an ideal contractor or employee. We are- and forever will be- a merit based organization. I have a fiduciary obligation as the leader of my company to always hire the most qualified person for the job regardless of where they come from.  

Second, as the CEO of IOHK, I have never wanted to lead an organization that takes it upon itself to promote a particular political cause such as social justice. It isn't our place or even within our power in a global free market to somehow cure the evils of racism, inequity or other sins perceived or actual.

Third, IOHK- and frankly all adherents to a free society- need to reserve the right to be offensive to others. Rational thought, change and challenges to existing power structures requires the ability to irritate and invoke wrath. I feel that I must elaborate on this point in more detail. 

It wasn't too long ago when concepts such as evolution, a heliocentric view of the universe, free speech and democracy were considered preposterous, revolutionary ideas that were inherently dangerous. Those who held these beliefs were and some are still persecuted within certain circles.

The reality is that all of humanity has a common journey. We are chained by biological shells programmed by a process we have little control over. The genetics we inherited have tremendous influence over our intelligence, appearance, preferences and overall ability to succeed in life. 

Some win the genetic lottery being given profound gifts. Others are cursed to suffer the indignity of physical and mental disorders disorders so severe that they can never enjoy the world as most of us do. 

While fortune toils away, another byproduct of evolution is our cognitive powers. Properly harnessed, they have allowed us to transcend parts of our biological cages to collectively become more than we were meant to be. 

In under 10,000 years, mankind has enjoyed an ascendancy that now moves to the stars and mastery over life. Soon we will be making modifications to our genetic code, adding new senses and merging our minds with computers. Nature's paintbrush is slipping into our hands. 

Another byproduct of the powers of our cognition is that some have become unhappy with the hardware and cultural programming that nature and their respective societies have endowed them with. Some have developed exotic sexual tastes (see furries). Some have embraced lifestyles that are foreign at best to utterly alien and even repulsive at worst. As an extreme example, one could look to the flesh eating Aghori monks in Varanasi.   

As a matter of pragmatism, there is what we are comfortable with and what technological advancements and globalism will force us to accept as we travel this century. For example, millions of people are living digital fantasy lives in MMORPGs like World of Warcraft, more comfortable with their avatars and their virtual connections than their own flesh and blood lives. Hollywood is even kind enough to give us Ready Player One as a visual case study.  

Characters such as Joi in Blade Runner 2049 or Her's Samantha appeal to legions of fans. To this end, capitalism has been summoned to attempt to build a crude simulacrum (see Azuma Hikari [1][2]). Should we be so naive to believe that this trend is just a fad on par with the pet rock? 

When is this Love?

The reality is that we are using our cognition to change ourselves and redefine relationships. And like prior centuries having to decide whether to embrace other cultures, ideas and religions, we are facing the equivalent of our time, but now armed with computers and profoundly advanced technology.

Thus it's reasonable to assume that mankind is going to explore depths that we haven't seen as a species before. Exploration of this nature cannot be familiar or painless. It's going to break conventional society and force a fundamentally re-evaluation of concepts like relationships, gender and even physical presence. 

Did Snowden attended the conference? What if the robot had a female face?
I am the builder of digital infrastructure. The protocols that could eventually yield control over our identity, financial lives, voting rights and property. These protocols cannot belong to a particular culture or group. They also cannot discriminate against the weak and misunderstood. Roads cannot be biased against the creatures who walk them.

Therefore, I've attempted to construct a company that welcomes a diverse group of opinions, beliefs and geographies. We never censor our employees nor ask them to remain silent on the issues that are most important to them. 

As a company, IOHK tries to embrace neutrality. It frankly isn't IOHK's place to choose sides in these debates. It's just our place to ensure they don't consume our business operations and fiduciary obligations.

Part of this creed is also accepting that people associated with my company could say things (myself especially included) that will, at times, deeply offend others. For example, I have repeatedly- at times harshly- expressed my dismay over police brutality within the United States. I have no doubt that this position is hurtful to police officers and their families. 

And this brings me to my final point, I've become gravely concerned over the attempts to de-platform opinions. Those with ideas, beliefs or even objective data contrary to particular agendas are often maligned, ostracized, banned from speaking and even physically threatened or attacked at times. 

These tactics are nothing new. They have been employed by radical movements as a means of silencing critics and rational thought in order to inflict a fanatical philosophy upon society as a whole. In my mind, there is no difference between the communist commissars and the student protesters shouting down the latest conservative speaking at a college campus. Both are trying to prevent us from hearing an opposing argument.

Part of the reason why I so admire blockchain technology is that it protects us against the revision of history, the censorship of inconvenient truths and the power of centralized actors to sculpt our view of reality. Citing fake news or social justice, I can imagine a time when Facebook or YouTube become weaponized tools of a regime to a deploy well crafted propaganda in order to preserve power and social order. 

I would be an utter hypocrite to say such things ought to be stopped, but then ask my employees to censor their opinions. I just ask for respect, dignity and reason. But I cannot ask them to avoid offending others. 

Politically I'm a libertarian; I loath taxes, regulation and socialism, but I will not mock those who collaborate with me for having a difference of opinion. Along the same token, while I at times cannot fully understand particular preferences or lifestyle choices, all I ask for is they are conducted with respect, dignity and empathy for others.

Leading an organization, I can fully appreciate why some CEOs have chosen the easy road of attempting to hide behind empty platitudes and vacuous diversity theater. It's simply better for business and one's partnerships to try to be as least offensive as possible. But that's not reality; it's a Dilbert cartoon. 

The reality of life is that as a condition of our culture, upbringing, religions (or lack thereof) and geography we are going to act in ways that create strife. While the curse of cognition is that we must endure the pain this strife brings, it's gift is that in embracing the maelstrom, we often find a creative destruction of old ideas refreshed with far superior ones.

By avoiding this process, we are losing part of what has made humanity so collectively strong and also draining authenticity from the workplace. IOHK collaborates with some of the brightest minds- Darryl McAdam's included. They simply don't have to be here if they don't want to be. If given a choice, would you rather work somewhere that accepts you or forces you to live in a gilded cage like an amusement park character? 

I didn't sign up to build Disneyland; I signed up to change the world. So that's what we are going to do as we march towards an esoteric, ever more authentic and I hope better future. Forgive us for breaking a few vases along the way.  







Sunday, March 4, 2018

An Ode to Critics (IOTA and DCI)

Recently I heard there is the possibility that one or more actors associated with the IOTA project suggested the possibility of some form of legal action against members of the DCI responsible for an unfavorable analysis of IOTA's core technology. Rather than rehash the entire affair here, I'd recommend these sources as a reference points (DCI Audit Report)(Blog Post)(IOTA Response) to bring everyone up to speed.

What is provoking me to draft a blog post on this topic is that I offered to pay legal fees DCI actors would encumber as a result of their audit of IOTA in the event an agent of the IOTA Foundation or its associates decide to sue a member of the DCI. This offer was immediate and without preconditions. It also isn't connected to an opinion of the soundness- or potential lack thereof- of IOTA's technology.

To be frank, I could care less whether IOTA works, accomplishes its commercial goals or how it manages its ecosystem and community. What concerns me far more as a developer of cryptocurrencies is the relationship between security and cryptographic researchers and protocols we develop for our space.

The reality is that we have a symbiotic relationship. Researchers enjoy spending countless hours attempting to find flaws (theoretical and practical) in the philosophy, design and implementation of our work. These hours are seldom glorified or even compensated. They are generally ignored by the mainstream public outside of an occasional sensational headline by a low information journalist. But they are absolutely necessary to evolve our work.

For the researchers, they gain academic credit, the occasional job and the intellectual joy of resolving a problem. These perks aren't exclusive to a particular protocol or even the cryptocurrency space. Inflicting havoc on Ed25519 yields just as many brownie points as finding an issue in Ethereum's network protocol.

Having paid private firms literally hundreds of thousands of dollars in consulting fees to audit code IOHK writes, I fully appreciate the value of this foundational work. In fact, often one simply cannot hire the top minds as they are only interested in university affairs. Thus their time and effort is not only valuable, it can even be simply irreplaceable.

If a member of our space begins to attack researchers he feels have been unfair in their assessment or criticism, then this event cascades far beyond the immediate actors involved. It fundamentally damages the vital symbiotic environment between researchers and protocol developers. In other words, it directly hurts Cardano, Ethereum, Zcash and every other project.

Most graduate students, postdocs and professors do not have extensive resources to defend themselves against well capitalized cryptocurrency projects that don't actually have to win a case in order to massively disrupt the lives of these researchers. Going to court is expensive, emotionally exhausting and takes a huge amount of time. If a security researcher feels his work could provoke this event - even if it's objectively true, then they will simply choose a different topic.

I also can fully appreciate the discomfort of criticism that members of the IOTA community and the developers themselves are enduring. I have first hand experience with the blatant unfairness of constant attacks over social media, blog posts, at events and through other channels where lies, half truths and baseless innuendo replace an effective dialogue. It's always painful and often crosses the threshold to malicious slander.

But it's extremely important to understand that not all criticism is unfair and even within the set that is unfair, the actors levying it ought to be considered. The academic world is tightly regulated via credentials, unspoken rules and a strong emphasis on reputation. Attacking someone unfairly isn't a pattern that can be repeated without severe career consequences.

Thus the most common response to attacks coming from the academia is to prepare a fact based rebuttal. It doesn't necessarily mean the attack will be deflected or withdrawn, but it forces the critic to acknowledge your rebuttal and provide additional context and clarity.

This process is on display for the entire academic community to form opinions. If a researcher is dishonest, has conflicts of interest or is omitting/missing key points, then it will eventually be discovered. If it's a common pattern, the researcher will be socially exiled from academia.

A prominent example in the cryptographic world comes from Dr. Neal Koblitz. He levied an aggressive series of attacks on the concept of provable security. Neal's credentials are impeccable having created elliptic curve cryptography and being a Harvard educated Putnam fellow. Despite his enormous contributions to the field of cryptography, he wasn't given a pass on what many feel is unfair criticism. And it has had career consequences.

Escalation to courts is generally only done in cases of known fraud and institutional cover-up. For example, the falsification of collected data to skew results to some desired outcome. The consequences are always brutal once discovered. As particular examples, one can review the Schön scandal and also Paolo Macchiarini affair.

Nothing in this audit seems to deserve an escalation of this nature. A researcher made a claim and provided an argument with a set of evidence. The developer says this claim is false. It's an argument and it has an objective answer for the world to see.

Thus, I have no choice but to apply some of my personal resources as a counterbalance to protect the integrity of the system I have so benefited from throughout my academic and professional career. I would recommend that the IOTA community exercise the stoicism of the person who created the heart of their protocol as he continued to teach while students rudely interrupted his class.

I'd also like to remind them that MIT and the broader academic community isn't going away. Direct attacks- even if victorious- will have Pyrrhic consequences.

I hope the matter is closed and everyone can move on to better things. 


Saturday, January 6, 2018

The Price of Craftsmanship and the Zen of Protocol Design

Having read the comments of a former business partner of mine, which will be addressed later in a dedicated blog post, I’ve decided to draft my thoughts on how IOHK approaches the design of Cardano and by extension all the cryptocurrencies it works on. As this space has become polarized with the politics of personal destruction, financial incentives to lie and a stunning lack of respect for critical analysis, I’ll try not to mention project names- just my opinion on what good design principles ought to look like. I freely admit, I could be misguided or stuck in my ways.

First, we have to define what is the point of our labor. What goals are we trying to achieve and who needs the solution? It’s stunning to me how we are littered with solutions seeking problems connected to a token actively trading. Decentralized computation, storage and other services need an audience in order to be useful and they need a necessary edge in order to survive beyond hype.

For example, replicated computation that is byzantine resistant is what Ethereum brough to the table. We freely admitted that market demand was unclear and that use cases would materialize after we launched (the field of dreams gamble). Whether those uses are economically viable or optimal, was and still is an open question being explored and forcing enhancements.

What is undeniably valuable was the beginning of a conversation about outsourcing computation in a way where the server couldn’t be trusted; either couldn’t trusted to return a correct result or not trusted to de-prioritize a particular program due to some agenda. The net neutrality debate is highlighting this concern most directly.

There seems to be an audience that likes the problems that Ethereum is trying to solve. Thus it begs the question what is the best way of doing so? What tools do we have in our bag and who are the craftsman who ought to weld them?

The point of the Cardano project has always been to build something from first principles using a functional programming approach, embracing formal methods, and checking our progress through peer review. We chose these three pillars because experience tells us that humans are good at self-deception, forming personality cults and making extremely subtle mistakes that eventually cascade (heartbleed is a great example).

Functional programming is getting code close to math. It’s saying scientists draft a beautiful blueprint and then let’s pull that blueprint directly into reality. There are some wonderful lectures from the Clojure community on the elegance of functional programming techniques (1)(2), but the broader point is that simplicity, modularity and conciseness matters more than performance.

Machines keep getting faster; legacy code is like a tattoo. You’re going to have to live with it so make it pretty. We chose Haskell because it has the perfect intersection between practicality and theory. It gives us wonderful libraries like Cloud Haskell and a community that’s extremely smart and supportive of new techniques and ideas as they become necessary.

Formal methods are an acknowledgement of the semantic gap. Humans and computers are fundamentally different animals and until Ray Kurzweil delivers us to the Singularity, we will be quite distinct. This axiom extends down to the computer’s understanding of our intent versus our own.

The DAO hack is a recent textbook example. The engineers who wrote the contract had a clear understanding of intent, but it differed slightly in code and as a consequence a hacker could cause havoc. The point of formal methods is to close the gap between man and machine.

Specification captures the intent of the scientists who spend countless hours of rigorous labor carefully writing mathematical proofs. These proofs are riddled with ideal functionality and ambiguity from an implementation perspective. Basically, such papers are the inky equivalent of the spirit Billiken- the god of things as they should be instead of what they are.

A formal specification process is slow, uncomfortable, pedantic and requires exotic languages and skills. As a consequence, it’s also terribly expensive and not fun for most people. But such techniques save lives (think planes and trains), money (think Mars Rover) and dramatically enhance our understanding of the protocols we wish to deploy (lies melt).

We’ve written some blog posts on techniques (1)(2)(3) and the philosophy we follow as well as have done a whiteboard video. As most of our work is transparent, the specification of Ouroboros Praos is no different. The repo can be seen here. Like a fine painting requiring exhaustively small brush strokes to gradually make the whole, we are paying that price of craftsmanship.

Finally, there is peer review. It somehow is conflated, misunderstood or in some cases discarded as an unnecessary formality to appease irrelevant ivory towers out of touch with the plight of normal man. I counter every single one of these attacks with a single question: can you understand the papers cryptographers write?

Humility will yield an answer of no for the majority of the populate. This statement isn’t self-serving arrogance. It’s respect for a language born from decades of careful study. Medicine has research. Physics has research.

Why is it so controversial to state that a paper like this is outside of the ken of most people? It isn’t elitism; it’s an acknowledgement that the people who wrote it spent decades of their lives learning how to write that paper and think like they do.

Somehow in the cryptocurrency space, we have forgotten that our underlying technology is constructed upon foundations of cryptography, distributed systems, game theory and programming language theory amongst other considerations. The people who study these fields literally have invested tens of thousands of hours to become proficient- meaning they can read and understand the papers- and that’s not even making a statement about meaningful and original contributions.

The question we ought to ask isn’t can I understand the papers. That’s like asking the public to understand the US Federal Budget. The question ought to be what process should this work go through in order for it to be considered correct?

Peer review via IACR conferences is an excellent option. The conferences are managed by domain experts who don’t have a financial incentive to like or dislike any particular work. The review process is double blind. The conferences hold high standards where most submissions are rejected. And acceptance means you have to show up and discuss the work with your peers.

It isn’t a perfect process by any means, but it’s a standard of quality that is objective. It’s a benchmark to start a conversation with and provide some assurance that the work meets basic standards. That someone who actually can read the paper, has read the paper and thinks it’s ok.

Like all good science, one needs to continue evolving, continue pushing the boundaries and continue asking difficult and often uncomfortable questions. The ultimate point of peer review is to acknowledge you aren’t an island and you don’t want to go on that journey alone. It’s asking for help from fellow travelers who are just as capable if not more so than you.      

As an outside observer, many of which who are directly investing their hard earned money, one should be actively asking about processes that produce truth. We chose peer review because it’s the best tool in our box that we know how to use to check our claims. It has given us modern medicine. It has given us modern physics. There is no reason it can’t be used to help give us better money.

As a final point, both Algorand and Snow White carry similar structural properties to Ouroboros. The exact same criticisms that my former business partner naively applies to Ouroboros could be applied to them - meaning that a Turing prize winner and Cornell are both inferior as well given that logic.

There also was a lack of appreciation for the holistic nature of protocol design. Raw TPS isn’t an end, it’s a necessity of large scale use. Yet there are other considerations such as network performance and the ability to store with high availability the eventual exabytes of data these systems will demand.

The Zen of protocol design is understanding that all things have to flow from a common source. That this source needs to be on bedrock, simple and secure. That this source needs to be perfectly balanced and grow naturally to meet the needs of its users. When a protocol achieves this state, like TCP/IP did, the results are magical. Others like PGP have failed despite their brilliance.

The point of how we have gone about designing Cardano is to seek this balance in our design. Ouroboros was built very carefully and in the most general way we could understand. It can be tuned to operate like many conventional protocols or run in new modes.

It will eventually include modifications to dramatically scale performance when it is necessary. We’ve even broadened the discussion to include topics like RINA and Delta-Q because they are absolutely required for natural scaling.

Yet in all these things, we are doing it with principles, craftsmanship and honesty. It’s a long and very hard journey, but has been a fun one.

Thanks for reading


Sunday, December 24, 2017

A Crypto on the Edge of Forever

Now that the dust has settled from more than twenty countries of travel, dozens of conferences, major events and community meet and greets this year, I’ve finally had the time to reflect on the progress of the Cardano project as well as some of the lessons I’ve learned. It’s honestly been the most challenging year of my life filled with drama, stress, death and some unbelievably cruel people.

It’s also been one of the most rewarding and joyful having the chance to meet thousands of passionate and kind fans, technologists and scientists- I can see the inspiration that Charles Dickens had when he said it was the best of times and the worst of times.

The reality is that the internet and in particular the cryptocurrency space can be a really toxic place if you allow it to get to you. There were times after reading some blog post or comment on reddit that I seriously questioned if this effort was worth it. I can understand why Mike Hearn left Bitcoin.

But I’ve never been here for the short term, it’s always been the dream of finding a way to get financial services to the three billion people who don’t have them using technology that was only a dream a generation ago. And I think we are making great progress there.

In January of 2017, Cardano was still mostly in a very early alpha stage. We had tremendous engineering difficulty getting Haskell, our devops and the new protocols such as Ouroboros and Scrape to play nicely together. Rather it was a constant learning curve of how to tame the three headed dragon of research, decentralized teams and exotic programming languages while managing the expectations of a huge community.

As an aside, Cardano has one of the fastest growing and most intelligent fanbases. We actively invited people who care about formal methods, peer review and functional programming to come see what we are working on. These people aren’t swayed by jargon or flashing marketing. They were born with bullshit detectors in their cribs

I’ve gained significant strength and a much needed boost in morale from interacting with our community. For example, one member asked about how we were verifying the proofs in the Ouroboros paper and I posted a link to Kawin’s Isabelle repo. Most would simply say that’s nice and move on. This member took the time to read the code and mentioned we have a long way to go with specific examples.

For most people, Isabelle is a name followed by a lake in Minnesota. For our community, some can actually read the code and comment on it. That’s a rare gift and it’s the privilege of a lifetime to be in this kind of environment (we ending up hiring the person who commented on the code).

Moving through the months, Cardano moved from the lab to a series of testnets to eventually being released in September. Dealing with these transitions gave us a newfound appreciation for just how many different computer and network configurations exist. I can almost feel a windows force ghost whispering “I told you so” in a smug voice.

We designed the Byron (the September release of Cardano) to be the minimum viable product necessary to test the concepts Cardano is built upon. We wanted to run Ouroboros in a production setting to see epochs function properly. We wanted extensive logging of both the edge nodes and relays to see how our network is being used. We wanted to have third parties play with our APIs and tell us where we screwed up (boy did they ever!). We wanted to test the update system a few times.

Overall, the experiment has been a tremendous success. There are several thousand edge nodes concurrently connected to the network. There are several exchanges and other third parties using our software in the harshest possible way. There is a wealth of data flowing in that is giving us a much better sense of what we need to do to make Cardano better.

Since launch, we’ve already pushed three updates to the network without incident. We’ve started a very rapid redesign of our middleware and its associated APIs to make it easier for third parties to integrate. We’ve started a series of systematic improvements to our network stack that will be finished with the Shelley release that should dramatically improve things.

However, what excites me most about 2018 is that Cardano is starting to open up to the world. Delegation and staking will be rolled out all throughout Q1 and Q2 in coordination with the community. Soon we’ll have a testnet running IELE allowing developers to play around with our smart contract model for the first time. And we’ll be deploying our first verified protocol with Praos thereby engaging the formal methods community.

Constantly living in the moment, one tends to eschew Cardano’s vast scope in exchange for the problem of the week. But looking at our ever growing whiteboard series demonstrates how many brilliant people wake up every morning thinking about how to solve the problems of scalability, interoperability and sustainability. These aren’t just hypothetical lectures. They are backed by papers, funding and developers working full time.

Then there are the new things. Professor Rosu’s and Runtime Verification’s work on K and semantics based compilation isn’t just really smart competitive differentiation, it’s literally moving the chains of the entire field of programming language theory. The Cardano project is creating a financial incentive to have correct by construction infrastructure from virtual machines to compilers. Our success means you don’t have to hand write this code ever again- not just in a cryptocurrency context; in a general context.

Our research efforts at Tokyo Tech under Professors Mario Larangeira and Bernardo David with multiparty computation is rapidly bringing these protocols into practical use. Kaleidoscope and Royale are case studies on how to achieve everything that Ethereum does off chain, in a low latency setting, privately and at a scale of millions of concurrent users each in their own domain. Further abstractions will push this work into more useful domains like decentralized exchange. And eventually DApp developers will be able to integrate these protocols into their code via libraries.

Professor Bingsheng Zhang’s research on treasuries and voting is groundbreaking. It’s giving our project the ability to have a discussion about how should changes to cryptocurrencies be proposed, debated, approved and funded. What’s most special here is the interdisciplinary nature of the effort that can draw from political science, game theory, sociology, open source software governance and computer science. There is something for everybody.    

Moving into 2018, we are going to open this discussion up by both engaging the community directly and by holding a conference in Switzerland. More details will be published later, but the basic idea is that this area isn’t a Cardano problem. It’s a cryptocurrency problem. And there are many great projects from Dash to Pivx who are trying to solve it in a novel way. We ought to talk to each other.

I could continue enumerate our research efforts (there’s a lot more to write), but I think the point has been made. Cardano isn’t a cryptocurrency as much as it is a movement of minds who are frustrated with the way technology works in practice.

The functional programming community has had for decades great solutions to many of the problems plaguing modern developers, but they have been historically ignored. Our RINA guys if given a chance could build a much better and more fair internet. Layering protocol development with formal methods extracts a much cleaner and more meaningful design process where ambiguity and hand waving is slain.

What Cardano has given us is a chance to answer if only the world worked this way with why not? We have the freedom to dream again and the freedom to try new things without asking permission. I even have a chance to work with my heroes like Phil Wadler. 2018 is going to be one hell of a year.

Thanks for reading


Phil Wadler and Me hanging out at Edinburgh