Lecture 22: Alternative Consensus Mechanisms

Flash and JavaScript are required for this feature.

Download the video from Internet Archive.

The following content is provided under a Creative Commons license. Your support will help MIT Open CourseWare continue to offer high-quality educational resources for free.

To make a donation or to view additional materials from hundreds of MIT courses, visit MIT Open CourseWare at ocw.mit.edu.

I'm going to talk about alternate consensus mechanisms. And there's a bunch of them. And some of them are variants on proof of work. Some of them are proof of stake-- all these different things.

So unique node lists-- this is something that Ripple and Stellar use. I'm not sure if there's others. Proof of stake is this huge research topic that lots of things fall under. There's lots of variance. One of them I'll talk about is delegated proof of stake.

Proof of space is an interesting thing that is basically a form of proof of work that doesn't use CPU as much. There's the idea of directed acyclic graphs, which IOTA is a great example of. And then one that I came up with a few years ago and is kind of fun-- proof of idol, which is sort of silly but some of these others are silly, too.

OK. And so disclaimer-- I'm OK with proof of work. So I think if you were at the class on Monday, it's a great segue into this, where, clearly, proof of work has, I don't know if you want to call it problems, but it's kind of crazy, right, all the stuff David was saying on Monday. It's not an egalitarian-- and I think in the Satoshi White Paper, he says one CPU, one vote.

Well, that's not really how it works. Define CPU. Maybe you have your own CPU. Someone else has a different view. And there's that huge industry of building all these chips.

So there's a lot of issues with proof of work. It's certainly not ideal.

That's probably not why most people don't like it. So I, generally, in academia, in a lot of business places, people don't like the Bitcoin proof of work mechanism-- not everyone, but it's a pretty widespread. Oh, Bitcoin is bad because it uses as much electricity as Denmark or something.

And I think that's a sort of early, I don't like it because it uses electricity. There's other reasons not to like it, which I think you have to go into much more depth. Like with David's talk yesterday, sure, it uses a lot of electricity. But it also uses a lot of fabrication plants, and it uses all these other distribution networks. So anyway, I get that there's a lot of-- one of the first things with Bitcoin is, OK, how can we improve upon this? How can we get rid of this huge energy sink?

On the other hand, I'm sort of OK with it, right? The first thing that I thought with Bitcoin is, wow, this is going to be huge. This is going to take a lot of electricity.

But it's kind of cool that it works that way.

So I'm sort of OK with people-- to me, you can't really get mad at people doing things you think are stupid because you'll just get mad all the time. People mine gold. People spend billions of dollars on diamonds. I think diamonds are really stupid. But hey, if you want to dig up diamonds, oh, whatever. Yeah. There's entire cultural areas that I just have no interest in. But hey.

OK. So I'll try to explain these other methods in a neutral way. But I do have my own biases, where I think like, hey, proof of work pretty much works. I think it's a cool system. And I'm somewhat skeptical of various different algorithms and mechanisms here.

And also, I'm most familiar with the proof of work system and all the intricacies of it. So like with David's talk yesterday, there was some new stuff, but I sort of knew because I've talked to these people for a long time, and this is how this system works.

Proof of stake-- I've seen it implemented in altcoins. But I haven't followed them that closely. So I don't know as intimately what goes wrong and all the weird details. Anyway.

OK. So the first one, UNL, or unique node list. This is, essentially, the consensus mechanism used by Ripple and Stellar. For history, Ripple started in 2013? No, 2011.

I don't know. It was a while ago.

AUDIENCE: [? Dennis ?] says [INAUDIBLE] January 1, 2013.

TADGE DRYJA: 2013, OK. So actually, the name Ripple and the idea of these debt obligations through this network actually predates Bitcoin. And then Jed McCaleb started the company.

He's also the guy who started Mt. Gox. So he started Mt. Gox, I believe, in 2011 or '10-- late 2010, sold it to the Mark Karpelés, started Ripple, hired a bunch of people, sort of got fired from Ripple.

There's a lot of bad-- everyone fighting. Because it was all these people who used to play Magic-- the Gathering and were friends. And now they're not friends anymore. And then, he started Stellar, which he called "Secret Bitcoin Project." And I was thinking of joining it, but he wouldn't tell me what it was. And also, I knew that other people knew what it was, like my friends, and if they weren't telling me because they're not supposed to, it was like, well, it must not be that cool. Because nobody can actually keep a secret if it's really cool.

[LAUGHING] So that was my, mm, I'll just go work somewhere else. And Stellar was, more or less, a copy of the Ripple code, which was open source, so it was totally fine to do this. And then it diverged, and they added their own different parts of the consensus algorithm than Ripple did.

So it's account-based, somewhat like Ethereum. Transactions have senders, receivers. What's interesting is in the Stellar case, and possibly Ripple, there's a minimum balance. So I actually had some Stellar last year, or up until last year, because I went to the initial release party, and they gave out Stellar. And I had some.

And then, it wasn't much. But then, last year, I looked, and it was like, oh, this is like $200 worth. I'll sell it. And I sold it and got some bitcoins. But it was weird because they enforced a minimum balance, which seems weird to me. Because you had to retain some number of stellar units in every account, which, to me, seems sort of weird.

Because that means those stellars, they're gone, in a way, in that if you open a new account and it must have 50 stellar in it forever. Well, so Stellar effectively destroyed, it just seemed-- which is a fine thing to do. It's sort of a transaction fee. But from a computer science database standpoint, it's like, why not just have it cost money to create a new account instead of have a minimum balance? So just interacting with it, it was like, huh.

So there's no work. But the idea is that nodes sign transactions that they've seen. Everyone makes blocks. And you sign them, so you've got some kind of identity. Your node has a key. When you start a new node, you've got a public key/private key pair. You can sign off on transactions.

This is not the case in Bitcoin, right? In Bitcoin, you have a full node. Your full node might have a wallet associated with it with public keys and private keys, but the node itself does not. Possibly in the future, there's BIP 150, I believe, which the idea is to have encrypted communications between nodes, which would have some kind of authentication.

There's BIP and BIP 151. I might have them backwards. 151, I believe, is just encryption, so for privacy, confidentiality. And then, BIT 150 is for authenticity. So you connect to a node. You're like, oh, this is the same node at the same IP address that I connected to before. They're not implemented yet that I'm aware of.

So right now, in Bitcoin, when you connect to people, you just use their IP address.

You don't really know who they are. There's no authentication there. But in these, in Ripple and Stellar, you do know. OK. I'm connecting to this node. It's got a key. It's got an identity.

So to sync, instead of verifying all the work, you verify the signatures on blocks. And the question is, whose signatures, right? So if you assume, OK, well, if we have a majority that's honest and is not trying to create transactions that are invalidated or something like that, then it might work. But majority is hard to define when you're subject to civil attacks, right?

The obvious attack is I just make thousands of nodes, or maybe these nodes don't even really exist. I just make thousands of key pairs, have them pretend to be nodes in my own subnetwork, and they all endorse blocks that are different than the rest of the network is endorsing.

So majority is the tricky part. How do you know who's the majority if you don't know who these people are? You need some kind of way to identify humans or computers, even.

And this is a problem akin to certificate authorities.

So a lot of the problems that you see in blockchain, bitcoin, these kind of things, are not exactly new problems and have sort of already been, quote unquote, "solved." So does everyone know how CAs work, or do people have some idea? Or who's like, what's a CA?

OK. So it's kind of interesting. I can give a little demo.

AUDIENCE: Did you say CA stands for certificate authority?

TADGE DRYJA: Yes. Uh-oh. This doesn't work. Hold on. OK. So if you have a computer, I don't know where it is in Windows, but I think in Mac and Linux, it's in the same place.

You go to etc and then-- shoot, I forget where it is. Yeah. Where's the certificates? Cert-- tru-- AUDIENCE: CA certificates right under the mouse.

TADGE DRYJA: There it is. OK. So in your computer, and whether you have Linux or Mac, you've got a folder somewhere, etc/ca-certificates. It's something like that in Mac, as well.

And, oh, no, that's not it. Where are they? Shoot. Wait, wait, wait-- what is in update.dn?

And there's nothing there.

Hold on. I need to find this. Because this is kind of cool. Where are X? Ah, SSL-- is that-- there we go. OK. So sorry. etc/ssl, and then you've got certs. And this folder has a bunch of certs.

I trust all of these entities. Well, my computer does and, by extension, my browsers and my computer, which is crazy because I have no idea who these people are. TURKTRUST? I don't really trust Turkey. Swisscom-- Swiss people seem nice, I guess. I don't know. OK. Staat-- they're in Netherlands somewhere.

There's a bunch of, just things you've never heard of. Hellenic Academic and Research Institute, Hong Kong Post. Well, Hong Kong Post Office seems trustworthy. Yeah?

AUDIENCE: On the TURKTRUST one, you pointed out they have [INAUDIBLE] certificates with google.com when they're not supposed to. [INAUDIBLE].

TADGE DRYJA: And then, CNNIC is one which is like-- is that still in here? Maybe they got rid of it. And then some of them just have these numbers, and you don't even know.

You have to go in.

AUDIENCE: [INAUDIBLE] TADGE DRYJA: Yeah. China Internet Network Information Center EB certificates root. I actually really don't trust them to endorse-- pseudo arm-- there we go. OK, it's gone-- solved it, solved the distributed internet trust problem.

AUDIENCE: Now part of the internet doesn't work for you.

TADGE DRYJA: Yeah, well, I might get invalid certificate errors for some Chinese sites now. I don't go to many Chinese sites. Anyway, so that's the basic idea of certificate authorities.

And this started in mid-'90s, when they wanted to make public key infrastructure for secure websites.

One of the problems is how do you know-- so you've got-- oh, we didn't talk about Diffie-Hellman, or maybe I mentioned it. But you've got public keys, private keys. You've got ways to do signatures. Diffie-Hellman is a way to do key exchange. So if I know you're a public key, and I give you my public key, we can form a third, basically, key that we can then use for encryption and secure messaging.

This works, but how do you know, given a key, who is on the other end? So that's the idea of certificate authorities. You have this sort of root of trust. And these certificate authorities sign certificates in websites and let you know, oh, this is the person who you think it is.

So for example, Google-- secure connection. Really? How do I know? Verified by Google Trust. Well, Google has verified that Google is trustworthy, which is somewhat circular.

But no, that's sort of how it works. Yeah, so Google Trust Services is a certificate authority. And they signed off their own certificate for their own website. That's maybe not the best example.

OK, The New York Times, they are certified by Comodo CA, who also has had-- Comodo has gotten in a lot of trouble for signing the wrong things. So yeah. New York Times does not have an EB cert. I think Washington Post does. So there's also EB certs where-- you've got now The Washington Post, WP Company LLC.

That's like an extended validation cert, which, then, the CA is saying, we didn't just check that they had an IP address and a domain name. We actually checked that they had some kind of legal corporate entity. And they sent it on their letterhead, and we, I don't know, emailed someone in Delaware to make sure they actually had a company. And this is verified by Entrust. OK. So Entrust, Comodo, those are all going to be in here. Yeah, there's Comodo.

So you've got these companies called CAs that have some kind of agreement with each other.

There's these standards where you make some kind of standards where, OK, don't sign the wrong thing. If you do, we're going to delete you. And then they all endorse entities' identity, usually for companies.

There's also stuff now-- Let's Encrypt, which does it for free and without really endorsing anything. This whole thing, it sort of felt like it was like the big scam of the late '90s because they made billions of dollars. But then again, we got Ubuntu out of it, right?

So yeah, Ubuntu was funded by Mark Shuttleworth, who started this one, I believe, and made a couple hundred million, went on the spaceship, went into orbit, had some fun. Eccentric billionaires are what fund a lot of technology development. And this is how we get them.

A lot of the people who work on Bitcoin and these systems feel that the current-- it's called X.509 is the name of this whole system with these certificate authorities-- and I also sort of feel that this is a suboptimal solution in that there's a lot of problems with certificates being signed inappropriately. It works, in a way. But it's not great.

So this is a problem. So the problem that these systems like Ripple and Stellar have to deal with are, in some ways, similar to the problem that is solved by CAs. So what they do is they say, we have a unique node list. We're not actually endorsing an identity from, here's a public key, here's a human name or a company name or something like that.

It's we're just saying that they're unique.

So it's more limited than a certificate authority. It's just saying we're certifying that these two keys belong to different people or different companies, which seems easier than the job of a CA, right? The CA has to verify that The Washington Post is actually-- whoever's presenting a public key is actually The Washington Post. So the actual certificate is just, basically, here's a pubkey, here's a name, and then the CA sign. And you can look at those and stuff.

OK. So for synchronization, you wait for a majority of nodes in your unique node list to sign and, if they've signed, accept. So there's some recent papers from Ripple. And in order to really get consensus, you need, basically, a 90% overlap in your own unique node list.

So if I have a unique node list of Alice and Bob and Carol, and you have a unique node list of Carol and Dave and Edna-- I don't know-- we might diverge. We might not agree on the same chain of transactions because we've got different people that were looking at their signatures. They may all be unique. But if we have different unique people we're looking to, it might not converge.

So they have a newer paper that reduces that to 60%-ish, where the overlap of what unique nodes everyone needs to look at is not as large but still quite large. And then, the real question is, OK, well, who provides the unique node list? Because that's not really a job I can do.

Maybe it is, in a way. If I know you, and we do some kind of web of trust thing where I'm like, oh, what's your Ripple nodes pubkey? OK. Cool, I know you. And what's your Ripple nodes pubkey? We meet in person. We sign each other's pubkeys. We do the whole PGP kind of thing, which I do. And the Bitcoin people actually do this.

So if I go to-- hold on. So I've got a bunch of keys, and everyone signed them. And there's Andrew Chow and Suhas and [INAUDIBLE] and all these Bitcoin people. And I've signed their keys and they've signed my keys because we meet in person and do that kind of thing.

So we've established not just a unique node list, but we've done a CA-free validation of each other's keys. We just meet in person, read each other's keys off.

So you can do that, in practice. It's really nerdy, and no one does that. And it would be cool if we could get it to be easier and maybe cooler somehow. But it's been an uphill battle.

So who provides the UNL? It's probably kind of obvious. Well, the Ripple company provides the UNL, right? So when you download Ripple, it has a list of unique nodes. Those are essentially de facto, the nodes that run Ripple. And at the current time, those nodes are run by the Ripple corporation, or Ripple apps.

Stellar, similarly, it comes with a default UNL. It sort of acts like the CAs, right?

It's sort of how when you start your computer, you've got this. This comes with your OS.

And you don't really have a choice. I just deleted the CNNIC one. But nobody looks at this stuff. Everyone just goes with the defaults. So that's the problem centralization-wise.

Yes?

AUDIENCE: You said Ripple or Stellar actually run the nodes? Because I understand that they might sign off on the UNL if you're saying that-- TADGE DRYJA: In Ripple's-- at least a year or two ago, and they may have changed that, I think they're trying to-- but in Ripple's case, yeah. They ran their own Ripple nodes.

AUDIENCE: So it's not these bank partners or anything?

TADGE DRYJA: They may have some. They may now. But I know that two years ago, it was just Ripple, or majority Ripple. Because they also put in things like they can freeze funds.

Because Ripple got in trouble with FinCEN. And part of the thing is they modified their code to be able to freeze people's funds if they did something bad.

That's definitely not something that the Bitcoin developers, or even the Ethereum Foundation-- it's not as direct, anyway. The Ethereum Foundation did freeze funds and move them against the rules of the system in the case of the Dow. But that was, in a lot of ways, with support of a lot of the people running Ethereum. With Ripple, they can do it without much brouhaha.

They just freeze these funds.

So it's fast. There's no work involved. There's no worry about propagating blocks and miners getting advantages. But there's also known identities, and so it's more susceptible to subpoenas and things like that.

In these cases, all the coins existed at the genesis block. So in the case of Ripple, I think it was 100 billion or something. And they just started with all the coins and distributed them as they saw fit.

Same with Stellar. Stellar had this thing where they had this party, and they would give them away if you signed up on Facebook. A really interesting article about people in Manila getting thousands of used SIM cards from the US, registering for new Facebook accounts, selling those Facebook accounts to people in China, the people in China then registering with Stellar as unique people to get more stellars.

When you incentivize things, weird things happen, be it either giant warehouses full of SHA256 chips or giant warehouses full of 20-year-old girls in Manila putting SIM cards in cell phones all day. Yeah. I should link to that article. It's really interesting.

So anyway, this is the Stellar one. And Stellar also had this thing where they were going to give 20% of the stellar to people who held bitcoin, sort of an airdrop. I didn't get any from that. I was sort of hoping. I'm like, hey, cool-- air drop. I have bitcoin. I'll get some stellar. I didn't because you basically had to KYC with them.

They said, OK, send in your-- I don't know if it was the social security number-- but send in your documents and prove that you have these bitcoins, and we will credit some stellar to the same keys. And I'm not going to do that. Yeah. Some people did. Some people got some stellar that way. Yeah. So anyway. Yeah?

AUDIENCE: If Stellar's just freezing coins-- TADGE DRYJA: No. I don't know if Stellar has that capability. Ripple does. Ripple put that in. Stellar is a different-- it's similar software. They certainly argue about how different they are.

Stellar had a bug in 2015, I believe, where the consensus broke. And then they said, oh, it's Ripple's code's fault. This is a fault with all this code base. And then Ripple said, no, no, no. It's because you changed it. And you don't know what you're doing.

AUDIENCE: I was talking about, I guess, the minimums. You said there was a minimum.

TADGE DRYJA: Yeah, there's a minimum account balance.

AUDIENCE: And if there's a set number of coins, then eventually, accounts will just get-- TADGE DRYJA: Yeah. It's a lot, though. Also, there's enough forever. There's a lot of coins.

But yeah. But the idea is not that you have UTXOs, like in Bitcoin, and you make new addresses each time. The idea is you have an address. You keep that forever. So why would you have multiple different addresses, that kind of thing.

Anyway. So it's a pretty different system. In some ways, you could argue it's one of the first ICOs-- Ripple-- because it was pretty early. They just came up with all their coins and gave them out and then started selling them. And they continue to do that to this day.

Stellar is a nonprofit, which is also sort of weird. Because if you make a billion dollars off of something, is it really a nonprofit? I don't know. The organization didn't directly make the money and then pay it to the employees or anything. But the people who have all the stellar tokens made a lot of money. Interesting sort of ways to do it.

So I think both Ripple and Stellar argue that it's decentralized, distributed. But I think a lot of people say, well, maybe to some extent. But on the spectrum of completely decentralized versus one server handles it all, it's a lot further on the centralized side.

And Bitcoin is also kind of centralized, too, like we were talking about on Monday. But I would argue these are more so. So anyway. Any questions about Ripple, Stellar? Pretty fun.

OK. Next, the big one-- proof of stake. So this we've mentioned a little bit. It's a popular alternative where people really don't like the proof of work stuff. So instead of proving work, have the people who hold coins sign the blocks. So that bootstraps, in a way, your unique node list or your list of who's who.

Well, you don't really care who they are. But if they have coins, if you already have a set of who owns what coins, you can use that to say, OK, well, the people who own coins now signed. And they, presumably, have incentives not to destroy the network they have coins in.

So if you have a given genesis block with some kind of initial distribution, you can make it deterministic. You can say, I'm just going to go with whatever has the most stake, whoever has the most coins, signing off on the next block. And given two or three different histories, you can see, OK, from the start, which has the most total stakes signing off on these things? So that seems pretty cool.

Here's some issues. Stake grinding-- so for example, let's say you have a system where the signer of the next block is determined by the public key nearest to the previous block hash. So for example, OK, I'm looking at the current block hash. Who gets to sign next? Well, whoever's key is closest. Use X or just treat the hash as a number and treat the pubkey as a number and see which is closest.

You can do that. But the problem is if the next hash is determined by the current signer, that current signer can make a new signature each time and try to make sure that the block after is also going to be one where they are, again, the next signer. And they can make a couple hundred different accounts with their keys and then keep grinding stake.

And this basically means that it turns into proof of work. Because if you can influence who's going to be the next block signer-- yourself-- keep trying different ways to sign, OK, that's basically proof of work, but instead of hashing, you're signing.

And this has happened in many altcoins. One that I think was kind of interesting was Nxt, which is the people who later went on to make IOTA. They said, OK, well, we have a deterministic signature scheme, and so this can't happen, right? Given a message and a private key, there's only one signature that can be produced.

And this is true. So Bitcoin uses this. It's called rfc6979. Basically, the random nonce can be deterministically created from your private key and message.

The problem is-- I don't know if they realized, probably not-- but you can't enforce this.

It's a policy that says, OK, I'm going to make a deterministic signature. But given a signature, you can't tell if someone did this or not, right? So it's up to you to obey this rule. But you can't verify that anyone did it.

So that one also quickly devolved into proof of work and in a tricky way because a lot of people read the documentation and said, OK, well, there is no way to keep signing.

Their function that they wrote, there's only one way to sign. When you sign a message with a public key, you get a single signature.

But people who knew how it worked under the hood said, oh, I can change this code. It will still be accepted as a valid signature even though I'm using a different signing scheme. So this is one issue, stake grinding. There's ways to get around it.

So let's say you make it deterministic. You have some way to enforce that a signer can only create one message. There are certain signature schemes where you can verifiably make sure that a single key can only make a single signature on a message.

Other ways to do it is to, say, have this big lead time, where the people who are signing the next block are determined by entropy created days or weeks ago. So it's hard to know what's going to happen in a week because it's a long period of time's worth of entropy going into it.

OK. There's another issue with proof of stake called nothing at stake. So rehash-- rehash-- ha ha. So in proof of work, this happens, right? This happens just by accident, where OK, there's a block. And then two people are mining on top of it. Oh, they both got this and then sometimes even this. That almost never happens in Bitcoin, but sometimes, where you just randomly get two split chains coming out at the same time.

But then this happens, right? Someone builds on this one. OK, you get rid of those two.

And that's just because this is a random process. You can mine on whichever you want. One of them is going to happen first.

You can mine on both. You can split your hash bar. If you have a billion hashes per second, you can say, well, I'll do 500 million here and 500 million here. You can equivocate.

It's sort of equivocation that way. But one of them will finish first, with very high probability. So eventually, this happens. And then everyone just starts building off this 00a3.

Proof of stake-- so this happens. Also, notice that the hashes don't-- they don't start with zeros. So this happens. But then this happens. And then this happens. And then it just keeps going. Because why not sign both, right?

I don't know which one's going to win, right? As a proof of stake miner or staker, I don't really know which one's going to win, which is the same case and proof of work. In proof of work, I just flip a coin and pick, right? I don't know what's going to win.

I think in bitcoin, the default is go with the one I saw first. Because whatever. It doesn't matter who wins, right? Basically, I win, whichever I pick. If I'm the next one making the block, I win.

But what I don't want is I don't want to be this this-- wait a sec. What I don't want to be in proof of work is I don't want to be 008a, right? I don't want to be the last one to make a block, and then something else comes out here.

So I'd rather be 00f2. But you don't know here, right? So you just pick one. OK. Well, we lost. In proof of stake, you don't have to worry about that. I'll just build both, right? It takes me no work to sign. So I just sign off on both of them and make parallel chain. And then everyone just keeps doing that. Because if I pick one, I might be wrong.

If I pick both, I can't be wrong.

So this is a problem called nothing at stake. You have no risk here. You're not actually doing any work. You might as well just keep going. So yeah. Faced with two blocks, why not sign both?

So the mitigations-- one of the ideas early in Ethereum was, OK, this thing called Slasher, where if you can prove that a signature from a different chain-- so the idea is on chain 00a3-- oh, wait-- oops. Sorry. On this chain, you say, hey, look. This guy equivocated.

He signed off on two blocks, one of which exists in my history that I can point to, one of which doesn't exist in my history, but I can provide that signature. I can say, look, here's two signatures at the same block height from the same person, but they're signing different things. Let's not invalidate this block, but let's take all the rewards from the person who signed.

OK. So yeah. This is called Slasher. I believe in Ethereum, like, 2014, they were saying, hey, we're going to do proof of stake. And then they tried all these things and sort of, oh, it's non-trivial. Let's start with proof of work, and then we'll move to proof of stake later. And that's currently their plan. So this was one of their early algorithms, their early ideas.

There's also issues with the mitigation because maybe it's hard to get this proof into the blockchain. Because the miners, or the stakers, are the ones who determine what gets in and what doesn't.

And so they certainly could say, look, if the person who created this block then sees in this block that there's a Slasher proof where, hey, I just now proved that you equivocated and destroy your account, well, the person who signed this doesn't build on this and instead forks off and builds their own, right? Why would I continue to mine on a chain where I just lost all my money?

So there's all sorts of weird-- and there's mitigations for that. So it's a little bit whack-a-mole, where there's all these weird problems, and you have to try to fix them.

And then fixing them introduces new weird things. So there's a lot of people working on it.

Yeah. Long-range attacks is another big one. Let's say you go back to the genesis block, and you rewrite history. In Bitcoin, you can also do this. It's just really hard, right?

You could say, I'm going to get a bunch of miners, rewrite all nine years of Bitcoin's blocks, and we know exactly how long that will take.

sipa has a nice graph of it, I think. And sometimes it's not very long. Sometimes it's actually pretty easy to do that. Yeah, that's the other site. Hash rate-- this-- wait-- yes. Bitcoin network proof of work equivalent days. That's this year. This is since the beginning.

What this means is, OK, given the current hash rate in Bitcoin, how long would it take to rewrite the entire history of Bitcoin? Because the hash rate goes up, right? And sometimes it goes up in-- so this is the all-time hash rate. It basically always looks like this because it's exponential. So if you looked at it three years ago, it would look pretty much the same.

And then this is a log chart. So this actually does show some interesting detail, where, OK, this is when the GPUs came out. This is when nothing much happened in 2012. This is when ASICs came out. And then it just keeps going up. And this is log scale, where each number is 100 or 1,000 times. So it's big.

So when you have these really sharp upticks, like in mid-2010, the current power of the network is so high-- that probably corresponds to this, the lowest point there, because that's the steepest slope, where I don't know what this is, a week?-- you could rewrite the entire history of Bitcoin in a week and destroy everyone's currency and have all the coins yourself if you had enough power under your control, which you could probably do.

And today, it sits at around 200, a little less than 200, so a little over six months where, if you devoted all the current hash power, you could rewrite all the previous history. Still, six months-- it's a lot. And it's interesting how this changes. This is, I guess, when the ASICs first came out, and then the slope [INAUDIBLE].

So that is an issue in proof of work that can happen. It's not clear what would happen.

The software, at least in theory, the idea is if something like that happens, where there's a reorg that spans nine years, well, extend this out to 500,000 and say, OK, all the stuff you've been dealing with the last nine years, it's out. We've got this new history now with one person owning all the money, presumably.

The software will do that, probably, or it'll just crash or something. It's sort of seen as like, well, if there's a reorg that spans weeks or months, the whole system's broken, kind of. But probably.

So this is an issue for Bitcoin. But it's a big issue in proof of stake because it seems possibly more feasible, right? In Bitcoin, there have been times when it's like, whoa, a week, yeah, that's feasible, whereas right now, it's like, OK, it would take all the hash power in existence maybe seven or eight months. So that means that Bitcoin would just halt for seven months, and then you'd see this reorg happen. And also, it assumes 51% of the miners are doing this.

However, proof of stake, it might not be that expensive, especially if you can get old keys.

So if you've got the keys from the genesis block in this proof of stake currency, you can rewrite a history from those with different transactions. So yeah. So a lot of the times, the solution is, OK, well, delete old keys and assume 50% honest.

That's tricky. Because old keys can be sold. And I know that people have asked, hey, can I buy your old Ethereum keys? Why do you want these? Well, if proof of stake happens, they might be worth something. Currently, if you have keys that are for addresses or accounts that don't have any money anymore, it's not very useful but possibly can be sold. Yeah?

AUDIENCE: Most proof of work schemes that I'm aware of use a [INAUDIBLE].

TADGE DRYJA: A proof of stake?

AUDIENCE: Yeah.

TADGE DRYJA: Yeah. So you checkpoint it. So basically, to prevent long-range attacks, the developers, usually, in GitHub, will just say, OK, well, the block hash here is this.

And so you can't reorg before that. But then, what's the mechanism for that? If it's the developers just sticking in a checkpoint, that's not really decentralized.

AUDIENCE: In the example of Aircoin, there's actually a checkpointing [? software ?] that, every few hours, forces a [INAUDIBLE].

TADGE DRYJA: OK. Well, that's even more not very decentralized. You've now got a pubkey hardcoded into the code, which then calls out to somewhere and says, OK, what's the correct block to be on? And then that key signs something, says, oh, go here. OK. Yeah.

That's pretty centralized.

So this is one that I think is-- it's hard, right? Because before these things happen, it's easy to dismiss as like, this is crazy. That's never going to happen. Who's going to go back and buy up all these old keys that people were supposed to have deleted? People probably did delete them. You can't assume that they haven't.

And even if they did and you made this big reorg, well, everyone would know in practice that that's not the right chain, similar to if there's a nine-year block reorg in Bitcoin, everyone would know, OK, come on. We all knew what the blocks were yesterday. You can't just tell me there's this entirely new history today.

And in practice, that's probably true, right? If there was a nine-year block reorg in Bitcoin, probably, people would just ignore it. Similarly, in these systems, probably, they would ignore it. But it's harder to reason about in these systems, I think.

But anyway. So proof of stake, there is a bunch of coins that use it. In a lot of cases, they have centralization that's hidden in certain ways. I like the term Greg Maxwell came up called trust laundering. It's not money laundering. It's trust laundering. You sort of move where you're trusting and try to hide it.

Yeah. So very common. But this also deals with, OK, who gets the initial coins? Because they have an enormous power over the system. So very common for altcoins-- less so now, I think-- was start with proof of work, then transition to proof of stake. Do they still?

Not as much.

AUDIENCE: Now you don't need to do that because you [INAUDIBLE].

TADGE DRYJA: Right. So you just do ERC-20. Yeah. But it used to be, like 2014, 2015, a lot of the coins would be, OK, proof of work for the first month, two months, whatever it was, with some weird algorithm and Comodo gravity well and all sorts of weird stuff.

And then it would switch at a certain point to proof of stake.

So that proof of work period builds out the list of who owns what in a sort of provable way. And then, from there, you can use proof of stake. Because you've got a, hopefully, fairly well distributed set of who owns what.

Yeah. Some things still do this. And some things have hybrid, where you still have to do work each block. But depending on how much stake you have, depending on how many coins you have, you have to do less work.

I think decred is something like that. That actually can make sense. Because you've still got work, and you can mix them in ways that negate some of the downsides of both.

Delegated proof of stake. Well, signing requires you to actually do something and be online.

So in a lot of proof of stake currencies, very few people actually stake because they don't care. And they leave money on the table, sure. But they don't want to run their own node. They don't want to deal with this stuff. They just buy it, keep it on exchange, or maybe keep it on their own computer.

So instead, you can endorse a leader by signing with your coins and saying, hey, I'm not going to actually sign off on blocks, but I'll sign off on a different key, who now can sign on my behalf. And so this can be called supernodes, masternodes. And then is it peer-to-peer, or is it client server is what it becomes.

So the current one that's pretty popular is called EOS, where I think they're doing this kind of thing. And they're like, well, there's 20 computers that run the network. And you can endorse one of them, and they'll give you some kind of profit back or something.

And you need a million dollars to run one of these computers. Because it's going to be super powerful, and you can do free transactions that way.

So this gets pretty far into client server territory, where you're not up here. You're just the client, and you ask them what is going on, which, in many cases, works, right?

But then again, it's not quite as interesting because that's sort of the system we already have with banks. So meh.

But in a lot of cases, yeah, that's what people want. I sort of joke that I should just make one called Central Coin, where there's just a nice server, and it just keeps track of who owns what, and then have an ICO. And people would use it. It's like, hey. So I think people would be into it. Anyway, so that's distributed proof of stake.

OK. So proof of stake, in general, it's hard to resolve conflicts using only the system itself. Proof of work has this really nice property where it's taking something from the external world, be it CPU time, be it chips, and using that to get a dead reckoning on the system itself. That's nice.

Proof of stake, the really difficult part is it's a closed system. You're trying to resolve conflicts within the system using no external data. That's really hard.

Another problem people complain about is that the rich get richer. I agree it's a problem.

It kind of sucks. But proof of work is the same. I don't feel like any of these systems will change the inherent Pareto distribution of wealth in the universe. That just seems to be how things work. It'd be cool if everyone had the same amount of money, I guess, maybe.

But I don't think it's going to happen.

Yeah. And then it relies on different assumptions. So the assumption in Bitcoin is 51% of miners can destroy the system. So in some cases, people say, well, you assume 51% honest in Bitcoin. Kind of. It's more like 51% rational. In Bitcoin, you could have miners with 51% attack the system, but they make more money by doing the right thing.

So there are certain cases in proof of stake where honesty is not as profitable. And if honesty is not profitable, well, maybe there's a lot more incentive to be not honest in the terms of the system, whereas in Bitcoin, it's like you've got this nice system where it seems like the honesty is not just enforced by people trying to be nice. It's enforced by people being greedy, which seems more common than being nice in the world.

So there's tons of research in proof of stake. Some of it's pretty interesting, pretty clever.

I'm not super hopeful. But the thing is it works until it doesn't. And so it's really hard to show security under different attacks.

So what I would worry about is you've got this proof of stake system. It seems to be working. And then something weird happens. And it's revealed as, oh, actually, this was a lot more centralized than it seemed to be, which is also a worry in proof of work. OK.

Any questions, proof of stake? Yes?

AUDIENCE: A quick one on the economics. Is the stake the nodes have. Yeah, right. So in essence, if it was on EOS, it's how many eos coins you have.

TADGE DRYJA: Yes, yes.

AUDIENCE: So then there's probably some economics where people who are not miners will lend their stake to get a return.

TADGE DRYJA: Basically, yeah. And a lot of coins, the majority of the coins, are held on different exchanges. And so that means the exchanges would possibly be able to then stake and get some kind of revenue.

AUDIENCE: Right. So they would be taking their customer funds that are in wallets-- they would have to be, probably, hot wallets-- and then the exchanges would have a leg up to be the miners.

TADGE DRYJA: Yes.

AUDIENCE: Or a [INAUDIBLE].

TADGE DRYJA: Yeah. And so that's also an issue, that there's all different ways to mitigate.

And you can say, oh, I'm in an exchange, but I get to sign and delegate my stake to someone else. And then I get some kind of revenue sharing from that.

But yeah. It's also tricky, how do you incentivize it in terms of how much new coins get issued to the people staking? If it's zero, then there's no real incentive to do it. You could have a lot of different chain ports.

If it's very high, then it's very, I don't know, Gini net curve goes way crazy because the rich really get richer. Because the more coins you have, you have an enormous amount of revenue. So you need a balance there that's also a bit difficult, economically.

That's also a problem in proof of work. I feel like one of the big issues with Bitcoin is half the coins came out in the first four years, where hardly anyone was aware of it.

And that makes people not want to adopt the system. Because it's like, well, wait. You guys just got all this coin for, basically, free. You were just running your computer in 2011. I'm not going to be part of that system.

So I feel like it would have been nicer if it was more of an S curve and less of a log curve. Because then, maybe it would ramp up to 2015, and then lots of coins were coming out. But anyway.

So Ripple or Stellar are sort of an extreme case of that, where all the coins were initially made by one entity. And so to me, I'm like, I don't want these. That's your money. You just made it up yourself.

I don't know. It just feels like kids being like, I have a bazillion dollars, and I write a bazillion dollars. It's like, OK. Well, you just wrote that. I'm not going to honor that.

Anyway. OK. So proof of stake, kind of interesting. Proof of space, there's a bunch of ideas here.

Some of them-- SpaceMint was some people here. I know Bram Cohen, who is the author of BitTorrent, right-- he made BitTorrent whatever 10, almost 15 years ago now-- he's now working on some of these kind of things.

He's working on a proof of space coin called Chia. And the idea, it's still similar to proof of work. But you're using some kind of memory or storage space, rather than your CPU. And the idea is the benefit is, well, maybe it doesn't use as much electricity.

And also, from talking to Bram with his, he's saying there's much more dead storage space than dead CPU. So every computer has a CPU, but the CPU here is not that powerful. It can't really compete with ASICs. But lots of people have empty hard drive space.

And you might have a terabyte of empty hard drive space, and one terabyte's as good as another. And it's also empty is what you need. Because you need to fill in space for these systems.

And so if you're like, well, I'm AWS, I've got tons of hard drives-- right, but people are using them. So you're not able to then just fill it in for these kinds of systems-- well, to some extent. They do have a lot of slack, and they can probably do it. But several ideas. Some are pretty cool.

So one example-- this is sort of an example idea. It's not fully fleshed out, but to give you an idea. So you buy a 10-terabyte drive, OK? You precompute 100 billion key pairs.

And this takes a long time. And this is work, right? You're doing 100 billion computations of coming up with the random private key, multiplying by G, getting the pubkey.

And you store it in a key-value store, like a database-- LevelDB or something-- on your hard drive. And the key is the pubkey. And the value is the private key. So you remember your key pairs. But you've sorted it in a way so that you can quickly go through the pubkeys, right? So you have logins, search time, some kind of binary tree-- whatever it is-- in your database.

And so then, the idea is, to create the next block, you want the key closest to the current block hash can sign. So a valid proof of work-- you have some threshold, maybe-- a valid proof of work is whoever's got a key that's very close to this, they're able to sign. And those keys do not exist on the network prior to the signing procedure. They exist just hidden on people's hard drives.

And so the idea is you could just try to keep computing keys till you find one and then sign with it. And that would just make it completely proof of work. So it is proof of work. But the idea is you can precompute. You can do all the work beforehand.

And then you can use that precomputed proof of work later on and possibly multiple times.

In practice, it's not going to be multiple times. Because you've got 100 billion, and you're never going to use the same key twice.

The idea is everyone does this, right? So you have trillions, quadrillions, however many keys out there that everyone's generated. And every block that comes out, someone will say, ah, I was lucky, and I made a key that can now sign the next block.

So it's work, but it's amortized over weeks, months, years. And it's basically how big is your storage. If you have a lot of storage, you can precompute a lot of this stuff and then use it. So it's kind of a cool system.

There's other asterisks that actually get a little more complex because you need some timing mechanisms, as well. But I think it's a cool idea. Hard drives then maybe get more expensive instead of graphics cards getting more expensive. I don't know.

But the idea is like, yeah. You use the work but later on. So I don't know. Any questions about that one? Kind of cool. There's a SpaceMint-- it's a cool paper-- about how to do this cryptographically.

And then Chia is another one doing this kind of idea. I like it because it doesn't really change the assumptions of proof of work, right? It is still a form of proof of work. But instead of burning electricity, you're using hard drives. Kind of cool.

AUDIENCE: Wouldn't you still have the same issues, like you'd have to have ASICs just filling racks and racks and racks of hard drives for keys. Is it different?

TADGE DRYJA: You already have that, right? There's server farms where they're just storage farms, and they just have tons of hard drives. So that's already a thing.

AUDIENCE: But I'm saying it isn't any different. You'd still be-- it would be [INAUDIBLE]-- TADGE DRYJA: I guess the idea is the economies of scale are not quite as bad in that hard drives are already, basically, optimal at doing this. And if you can make a system that's better at doing this, you've just made a better hard drive, which, hey, great. You made a better hard drive. Everyone can use it. So I guess the idea is it's not as specific because it's just, hey, store a bunch of data and then [? seq ?] quickly through it.

AUDIENCE: It still seems CPU-bound, right, compute-bound.

TADGE DRYJA: No. Once you generate this-- OK, generating this is compute-bound, right?

You need to populate your 10 terabyte drive. But that might only take a few hours, right?

To make 100 billion key pairs, I'm guessing less than a day, right? Yeah. And you can do that in parallel. So you make it. And then once you've made it, you leave it there. And then you're going to be able to mine with that forever.

AUDIENCE: But see, the winner would be whoever can fill the most number of keys per second going forward.

TADGE DRYJA: But you need something to fill. I think the hard drive cost is much higher than the cost to fill it, right? Because a 10 terabyte hard drive is going to be, like, $200. And with a cheap CPU, you can fill a 10 terabyte hard drive every few hours. So yeah, the CPU is a factor, but I think it's going to be smaller. Yeah?

AUDIENCE: At least from what I understand about SpaceMint, the idea is to make it not I/O bound [INAUDIBLE]. So if I have a better or faster hard drive, that's not [INAUDIBLE].

It's just [? another ?] space.

TADGE DRYJA: Because yeah. This is just a seq, right? And even a crummy hard drive, you just read through your binary trainer. You're like, oh, found it.

AUDIENCE: I think the point is that you're only supposed to do one with those pub [INAUDIBLE].

AUDIENCE: Yes. [INAUDIBLE].

TADGE DRYJA: So you look at, OK, here's the current block hash. What do I have that's close? Seq to that on my drive. Nope. I'm not going to win this one. OK. Let someone else do it. Or you seq, and you find it. You're like, hey, cool. I can sign. Yeah?

AUDIENCE: Is this also known as proof of space and time?

TADGE DRYJA: Yeah. So in Chia, they add this time component, which I'm not 100% clear on how it works. It's changed a little bit. But the idea of a time beacon is you want some function that cannot be parallelized so that if you have 100 computers doing it, it's not going to be any faster than one computer doing it. So basically, whoever's got the fastest single CPU will always win this. And that can be a time beacon for these space things.

Yeah?

AUDIENCE: Once you start to have a lot of storage, if you're in a search will find [INAUDIBLE], do you kind of go back to-- you're almost getting hurt. [INAUDIBLE] So what I'm saying, you're just doing the same thing again?

TADGE DRYJA: I think that's a [INAUDIBLE]. If you have tons of hard drives, and you want tons of key values, and you just want to find one or find the closest match, you can do that in log n time, even over a whole data center. Google, you just search, and it's like, hey. It comes up in a fraction of a second.

So that's doable. You need good software, and you need a good infrastructure to do it.

But I think it's doable. It scales pretty well, I think.

But yeah, it has the same issues where you just end up with people buying a whole bunch of hard drives. And what are the economies of scale there? There's arguments that it might be better than the economies of scale with, like, ASICs, that we heard about on Monday. Maybe not. I don't know. We'll see if this takes off. It's fairly new. It's an idea that's been talked about for a few years.

AUDIENCE: It's [INAUDIBLE] space. And they've been around for years in this [INAUDIBLE].

TADGE DRYJA: OK. Well, so there's different ideas. I don't know. It seems like one of the more interesting. There's cool math and cool crypto involved. OK. So it'll work but amortized.

So and perennial MIT favorite, IOTA, they use a directed acyclic graph. And now, a chain is also a DAG. Because it's directed. There's no cycles. It's a graph. But it's a pretty simple one. But the ideas have multiple parents, right?

So if you have a block, instead of just pointing to one, you could say, well, now, this can happen in Bitcoin, right, where you've got two blocks, both supporting the same thing.

But this cannot happen in Bitcoin, where you say, oh, I'm coming off, and I'm referring to both of these. But in a directed acyclic graph, you can do that.

So Ethereum actually does it. I think Joe Bonneau was mentioning that. And so what happens is you endorse one as the correct one and one as the uncle. So you're saying, no, this is the real one. But I also saw this one. And give this one a little bit of money, right, maybe not the whole reward they were hoping for. But they get something.

And so then, something like IOTA says, OK, we have lots. And every node points to two previous. And so you get this whole map. They could even point to different heights. So I can point to here and here. I don't really know why you'd do this.

So there's some ways it could reduce latency, right? So one of the trade-offs in Bitcoin is 10-minute block time seems fairly arbitrary. It's kind of slow. Latency-- people don't like latency because they have to wait. Fine.

The more important metric, I think, is that it leads to miner centralization and miner pools. Because if there's only 144 blocks a day, like in Bitcoin, if you have a millionth of the hash power of the network, you're just never going to find anything, right?

If you're just mining on your own, over the course of a year, you're probably not going to find a single block, and you'll have wasted all of that effort. So instead, you join a pool and try to pool with other people to distribute those rewards.

However, if there's, like in Ethereum, a block every 15 seconds, and there's millions of blocks that come out, if you have a millionth of the hash power, you might find a block.

The blocks have smaller rewards, but chopping it up more finely is a nice way to do it.

So like P2Pool, which you were gone, is a way to try to make that. And it's important to get it more decentralized. But it's hard. Yeah?

AUDIENCE: P2Pool does that?

TADGE DRYJA: Yeah. Yeah. P2Pool sort of does this as a layer on top. So it could help latency.

And then, it could help reduce the amount of orphans in the blockchain, which then helps miner centralization. So there are interesting ideas for it.

But it doesn't help scalability at all, right? It actually hurts scalability. Because now I have to keep track of all these things instead of just one chain. And I'm going to have to keep track of all the data, anyway, if I've got the UTXO set. I can't just ignore parts of it.

So it doesn't help scalability at all. And in the case of IOTA, their custom ternary hash functions also don't help much, either. So that was what we wrote about last year.

They made all their own weird stuff. I don't know.

So there are interesting ideas between directly acyclic graphs. But it feels like when they say, hey, this is more scalable, I get very suspicious. Because it doesn't seem to help scalability. It does possibly help some other things. Yeah?

AUDIENCE: Is, effectively, Bitcoin refreshing [? test? ?] They've made it so every block has min difficulty. And so the transactions are instant because, right, it doesn't change-- TADGE DRYJA: What, in IOTA, or in-- AUDIENCE: In any of these stack coins. So it doesn't cost much to make a new block and make a transaction. And if everyone's competing to do that, then they're just another ton of orphans, and [INAUDIBLE].

TADGE DRYJA: Yeah, yeah. So also, in the case of IOTA, the idea is-- well, they don't call it this-- but it's the equivalent of saying every block must have one and only one transaction.

The transactions themselves have proof of work on them, and they point to each other, which, basically, is the same as blocks have one transaction, and you do the work yourself instead of paying a miner to do it.

I think that's not a great deal. And they say that that means there's no fees. I think there's still fees. Because you're just doing the work yourself. I think that's equivalent to saying, there is a refrigerator at Home Depot that doesn't use electricity. So hey, it's electricity-free. But there's a crank on the back, and you have to crank it to make the refrigerator cold.

Yeah, you could make a refrigerator that way. I don't think people would want it. You're still doing the work. You just have to crank it instead of plugging in it. So the idea of you don't have to pay miners a fee to get into a block because you just mine the block yourself or, in this case, you mine the transaction yourself. Doesn't seem that useful.

Anyway, so IOTA's fun. We talked about them a while ago. OK. Last one, and it's fun-- proof of idle. It's an old idea that I wrote up four years ago, almost. It probably doesn't actually work that well. But a lot of these things don't work that well. Even if it works, it would just move the costs from opex to capex.

But what you do is you prove that you're not mining, and you get paid. And the other fun thing about this is it led to some of the ideas in Lightning Network. So the idea is, in Bitcoin, the difficulty adjusts so that blocks come out every 10 minutes, right? Every 2016 blocks, you look at the timestamps, adjust the difficulty.

So new miners coming in make it harder for the existing miners. So if you're a miner, you really don't want anyone else to start joining this network and mining. You really like it as it is. So if you have the first ASICs, you're good, and you don't want everyone to come in.

And this is why so many people buy mining equipment and lose money. Because they look at the current difficulty, and they say, hey, here's this device. Here's how much electricity it uses, how many coins it generates.

This is profitable. I'm going to buy this thing. And what they don't realize is that by the time they actually get it, or maybe a few weeks later, the difficulty is doubled.

And now it's making half as many coins for the exact same amount of electricity.

So yeah. And that's a fairly unique property of bitcoin that's not the case in, say, gold mining or other extractive industries. There's some kind of curve in gold mining where if you pay twice as much money to have twice as many people dig holes and mine gold, you won't get twice as much gold. Maybe you'll only get 10% more gold. But you will get some more, right? And if you drill for oil, you pay twice as much, you'll get some more. But yeah?

AUDIENCE: And it's worse than that. Because you're still obligated to mine. Because making $0.50, they're making half as much as they're going to make, it's still better than making nothing.

TADGE DRYJA: Yeah. So that happens, too. So yeah, in Bitcoin, two times the mining leads to 1X the coins mined, right? There is zero marginal product of labor in this system, which is weird and counterintuitive and doesn't really exist in normal life.

Most things have some kind of sublinear curve, where, yeah, the first low-hanging fruit-- if you're mining coal, and you start in Pittsburgh, and it's just sitting there on the hill, and you're like, hey, that was easy. And then, eventually, you have to start open pit mines and digging holes. And it's expensive, and you don't get as good. But you still, if you double your effort, you're going to get some extra stuff out.

Then again, there might be cases, I'm sure, in economics, where eventually, it goes negative, where if you continue adding members to an organization, eventually, they're just like deadweight, and they make it less efficient or something. But in Bitcoin, it doesn't matter how much you mine. You always get the same number of coins.

So the obvious thing there is, well, we should all just stop mining. And then we'll have zero electricity usage, and we'll still get the same amount of coins.

AUDIENCE: The example is Nobel prizes. It doesn't matter how many academics chase them, there's a unique number [INAUDIBLE].

TADGE DRYJA: OK, yeah. Yeah, that's another. Yeah. However good the science is, you just get one Nobel Prize. So OK. So let's say there's two miners. And there's, obviously, more.

And they're each mining with 2 gigawatts.

And they both think, well, wait. If we both turned our mining down 5%, we'd still get the same amount of coins, but we'd be using 5% less electricity. We should have a meeting, maybe some kind of cartel.

So this is sort of OPEC, right? This is a classic cartel. If we all restrict our output, we can raise prices and reduce our costs. In Bitcoin, it's the perfect cartel environment.

Because if we all reduce our output, we get the same output, sort of, right? If we all turned down mining 50%, we all still get the same number of coins. The network still works fine. Maybe nobody even knows we're doing this. This is ideal cartel scenario.

Problem for cartels, generally, is that cartels are hard to maintain, especially when there's not a lot of trust. Because there's so much profit in defecting and going against the rules of the cartel. And OPEC has this all the time, where one of the OPEC countries says, we're just going to pump a bunch of oil and sell it. Because everyone else reducing their output raises the prices. And now we can sell more with higher prices.

So in this kind of system, if all the miners said, hey, let's all turn down 50%, the one miner who then mines at full blast is going to make a lot of coins. So this is the problem.

In Bitcoin, nobody trusts anyone, right?

So the solution here is trustless collusion. And in the papers, I was like, well, is it collusion or cooperation? They both sort of mean the same thing. And collusion is just a bad word for cooperation. Cooperation's good. It's on Sesame Street.

OK. So the basic system is Alice pays Bob not to mine. So first thing, Alice needs to prove that Bob can mine. Because she doesn't want to pay Bob if Bob doesn't have any mining capacity that he's taking offline. She only wants to pay Bob for having the ability to mine and then not doing.

So A posts a block header at a specified time and says, OK, B, mine for 10 seconds, and give me your 100 best shots, right? So in Bitcoin, you have this fixed difficulty. And you just say, OK, anything below this block hash is valid.

But you could make one where you say, hey, give me your best 100, and I can then extrapolate, or interpolate, from that what your hash rate is. And you can get pretty accurate. So they have to do some work, right?

Bob does some work but for a brief period-- I don't know, 10 seconds. You don't want latency to be an issue, so maybe 10 seconds, maybe a minute-- whatever-- some small amount of work to prove that they have the capability to do the work. They respond with that. And Alice validates it and says, OK, you've got X amount of work capacity.

Alice then creates a 2 of 2 multisig transaction and sends one bitcoin to this address and builds two transactions with Bob. This is sort of like, how Lightning Network looks, Lightning Channels. But this predates it by a year or two.

So the idea is you've got this funding, and then you've got two transactions. They're both signed by both parties and held by both parties, although in practice the one that pays out to Alice, Bob doesn't really need to store. He doesn't like it. And the one that pays out to Bob, Alice doesn't need to store.

But the idea is they have conflicting locktimes. So in the transaction header, you can have a locktime, say, OK, this transaction is only valid after this point. So the one that pays Alice is height plus 144. So the current height of the blockchain plus 144, well, that should take about a day, right? If blocks come out every 10 minutes, 144 blocks is one day.

For Bob, Bob gets a coin with the current locktime plus 24 hours. So in Bitcoin, you can specify either Unix time or block height. And I think everything above 500 million is a time. Everything below 500 million is interpreted as a height, which means this whole system runs out in a couple thousand years.

So this is a race, right? There's two transactions. One of them can be broadcast first, depending on how fast blocks come up. So if blocks come out very quickly, this will be valid first-- 144 blocks. Maybe it only takes 20 hours, and these 144 blocks have come out. And Alice can post this transaction and get all of her money back, get her one coin back.

However, if blocks come out slowly and, after 24 hours, only 120 blocks have come out, Bob can post this transaction first. And it will be valid and confirmed, and Bob gets the coin.

So now Bob's incentives are, well, I'd like 144 blocks to take longer than 24 hours. Because then I'll get this coin.

And Bob has the means to influence this, right? Bob's a miner. So Bob can say, well, I'll just mine less. And if I mine such that, in 24 hours, only 130 blocks come out, I get the coin. Cool, right?

If blocks come out fast, on the other hand, Alice gets her money back. So Alice has no real risk here that Bob will run away with the money without doing his part of the job.

So Bob can slow down his mining in order to get the bounty coins. If Alice estimates incorrectly how much profitability Bob has, Bob just keeps mining. Alice gets her money back. This collusion didn't occur, at very little cost, right? Bob had to prove a little bit. There's some coordination costs. But basically, nobody loses the money.

So Alice can put whatever bounty she thinks is beneficial to her. OK, I'll pay you three coins not to mine as much. And you can chop this up. You can have a lot of different, smaller transactions and make a curve. If you mine a lot less, I'll pay you more-- things like that.

Yeah. So that's the idea behind proof of idle. It feels like it might happen, to some extent, long-term. It feels sort of like nuclear weapons, where everyone's got them, but they don't really use them. They just threaten.

So it feels like mining could be that kind of thing, where, well, we've all got all this mining capacity, but we just threaten each other with it, and we don't really mine. Because the mining's actually really expensive, and it's just the threat of mining that you need.

And if someone tries to do, say, a 51% attack and reorg, the existing mining infrastructure can spin up and say, oh, no. You thought you were 51%. You were actually 5.1%. And we're 90% offline. And we all come back online and reorg you out.

It's an interesting-- I think it's a fun idea. In practice, it doesn't work now because it's mostly capex. So this doesn't help if your main constraint is building the chips, which it sounds like it still is, from David's talk on Monday, right? Yeah, you need to get electricity, sure. But also, the really big problem is getting a supply of all these chips.

And this would just exacerbate that. This would make it so that I don't even need electricity.

I just get the chips. I don't really care how much I'm paying in electricity because most of the time, my chips sit off. I just need to occasionally prove I have them and have the ability to mine with them.

So it wouldn't solve the problem of proof of work in terms of people spending tons of money on it. But it would move it towards less electricity usage, more fabrication plant usage. Is that a good thing? Is that a bad? I don't know.

And in certain cases, it may be that it saves people money. It may be that, hey, if we can collude in this way, actually, we save money. And then we can use it to build more hash power.

So this might happen. I was sort of convinced in 2014. I'm like, oh, I think this is going to happen. I also thought that it would become predominantly opex in 2015 or '16. And it just didn't-- not even close. So who knows? But it's, I don't know, kind of a fun idea.

OK. So in general, lots of new ideas out there. Proof of work does seem to work. But I think one of the big issues is it's not really compatible with the Kurzweil/Roddenberry future idea.

Has anyone read Ray Kurzweil, like, Age of Spiritual Machines?

It's sort of this futurey AI is going to make everything great, and we're all going to live forever, and computers are going to be our best friends, and we're going to take over the universe. And Gene Roddenberry of Star Trek is sort of a popular, not quite as crazy-- maybe just as crazy-- view of that.

In Star Trek, they don't have money. They just sort of explore the universe and make the world a better place and stuff like that. And it's like, cool. And there's a lot of people who are into technology and research who are, maybe not consciously, but identify with these ideas, like, yeah, we're making the world a better place. Computers are going to help people, and it's going to be great.

And I think one of the issues with Bitcoin and proof of work is it doesn't fit into that, right? It's sort of dystopian, in a way. And then, it's like, wait. We're going to have giant server farms performing SHA256 for the next 50 years? Like how? How does the benevolent AI fit into this system?

So that's one of the reasons people-- the proof of idle idea was-- I was at University of Virginia, and Avi Shalot, who's now at Northeastern, he was like, I hate Bitcoin.

Because the whole point of SHA256 is that you can't find collisions. That was the design-- collision-resistant hash function.

And now, you've built this giant system, which the whole point of the system is to find collisions.

Like, ah. That's the opposite of what it was supposed to be. And so it was just sort of inelegant and ugly. And that was where I'm like, well, maybe you don't really have to mine that much. And so I wrote this thing about proof of idle.

But anyway, that's one of the issues that people have with proof of work. And that's, I think, one of the big motivating factors for all this other research into different consensus algorithms. And further research is required, maybe.

The interesting thing is a lot of the people doing proof of work are fine with it, right?

So like David, Monday, he's not interested in proof of stake. Despite the proof of work ecosystem being so crazy, he's just like, nope, this is what I'm doing.

So none of the miners are interested-- I mean, miners, their job is to mine. So they're usually not interested in proof of stake. And then Bitcoin, in general, a lot of it's like, no, this seems to work. We're OK with it. This is the cost we're willing to bear.

But other people want to do other systems. So further research is required, or not. But it's happening. There's tons of research into different consensus mechanisms. I would say in academic research, that's the biggest thing.

What I would like to see more of is more academic research in proof of work. Because there's a little bit, but there's all sorts of interesting things with proof of work where it's like, oh, something like proof of idle or something like the stuff David was talking about on Monday. There's not much economics research into this.

And I think it's a really interesting question, where you've got, hey, I've got a device that prints money, and I want to sell it to you. What? How does that work in terms of economics?

How much should I sell it for? How much should I buy it for-- things like that. So there's a lot of new research into new proof of stake, different consensus mechanisms, economics that way and not as much into new forms or how proof of work works, which I think is, actually, really interesting.

Free Downloads

Video


Caption

  • English-US (SRT)