
Washington at Princeton

From Wikipedia, the free encyclopedia

US Senate copy of Washington at Princeton

Washington at Princeton is a painting by Charles Willson Peale. The original was commissioned by the Supreme Executive Council of Pennsylvania for its council chamber in Independence Hall in Philadelphia. Peale made eight copies of the painting. The original, now owned by the Pennsylvania Academy of the Fine Arts, was completed in early 1779, when Washington sat for Peale in Philadelphia. In January 2005, the painting sold for $21.3 million - setting a record for the highest price paid for an American portrait. Six of the paintings are in United States institutions including the United States Senate; the Metropolitan Museum of Art; Yale University Art Gallery; National Portrait Gallery; Colonial Williamsburg; Pennsylvania Academy of the Fine Arts; and Princeton University Art Museum.

YouTube Encyclopedic

  • ✪ UW Allen School Colloquium: Arvind Narayanan (Princeton University)
  • ✪ Top 10 Universities In USA Where You Can Study For Free | Study in USA for Free | Scholarships
  • ✪ She Roars - A Conversation with the Justices October 5, 2018

Transcription

(piano music)

- Welcome to the first colloquium for winter quarter. It's a great pleasure to introduce Arvind Narayanan from Princeton University. Arvind has very broad interest in security, and privacy, and, most recently, fairness in machine learning. He's co-author of The Book on Bitcoin and Cryptocurrencies, as well as he had a MOOC, and done all kinds of great work in the area. So, it's a pleasure to have you.

- Thank you, Anna, thank you, everyone, for being here. I'm happy to be here, I'm actually lucky to be here. You may have heard of the apocalyptic weather in the Northeast and my flight was one of the last to leave, and it turns out I might be here for longer than anticipated. (audience laughing) But I'm here today to tell you about new games and new markets. What do I mean by those? When talking about cryptocurrencies, you may have heard a number of competing opinions. There's hype on the one hand and there's a lot of skepticism on the other hand. So, I'll try to take you on a scientific tour through the potential for cryptocurrencies, but also what we have yet to know and what needs to be done in order to realize that potential. So, I do think there's a lot of potential. Cryptocurrencies may enable new types of markets and commerce, and I'll tell you what I mean by that. But even though incentives are at the heart of cryptocurrencies, our understanding of those incentives, and the science of designing those incentives, is still in its infancy. And I'm gonna show you many ways in which failure could occur and ways in which catastrophic failure has actually occurred. And I'm gonna argue for a new kind of research that combines rigorous theory coming from algorithmic game theory. 
Some of you I think work on that, but also merging that with empirical work, measurement work, taking advantage of the fact that we have hundreds of gigabytes of data on these public blockchains about the behavior of people when you incentivize them in certain ways using monetary incentives. So, there's a huge new opportunity here for doing research and for building new kinds of systems, and that's what I wanna tell you about. In other words, my talk is about the game theory and economics of cryptocurrencies. And when we're talking about this, I want to address the elephant in the room right away, which is that if you've been following the news about cryptocurrencies, there's a lot of craziness going on. You can see at the top there that the total market capitalization of cryptocurrencies is nearing $1 trillion. Whether or not this is a bubble in the financial sense, I can tell you that I think it is a bubble in the sense that the amount of social value that has been produced out of these systems so far is nowhere near $1 trillion. The question that you might ask when we're talking about the game theory of cryptocurrencies is that a lot of this work is based on rational models of actors. Does that even make a lot of sense when there's this irrationality going on? There are hundreds of these tokens being created every month. And I ask that question to myself sometimes, and I gotta be honest with you, sometimes doing research on cryptocurrencies might feel like trying to meditate in the middle of Times Square. There's a lot of pandemonium around you, but you're trying to ignore all that, and you're trying to do rigorous science. And, in particular, when we're talking about the long-term game-theoretic security of cryptocurrencies, we're talking about a world where a lot of this irrationality has quieted down, and we are able to make good predictions using rational models. 
So, I'll make a case for that kind of research, but do keep in mind that temporarily a lot of craziness might be going on in the markets, and we wanna look past that, and if we wanna design secure protocols, we have to take a longer-term view, and that's where research can be really effective. So, that's the background for all of this, and the other quick piece of background that I'll throw out before diving into the details is that this is a little bit of an overview talk based on a bunch of these papers. I'm gonna be showing you the references, again, when I talk about the specific results and insights, and you're welcome to look them up. And a lot of this is also based on our textbook that Anna mentioned and our MOOC, as well, where we had some new models for analyzing these things. I'll do my best to explain the concepts as I go along, since many of you may have heard of cryptocurrencies and blockchain technology in the press, but may not have looked into the computer science behind them. Without further ado, let me start with the following motivation. You can think of cryptocurrencies as a way to cut out central points of coordination, that is governments and banks, from something that is very fundamental to digital commerce, namely currencies. So, when cryptocurrencies became successful, people began to ask, "What else can we apply this principle to? Can we apply it to things other than currencies? Is it possible to use this technology to eliminate single points of failure from other aspects of internet technology, from fundamental aspects of the internet infrastructure?" And when people started asking that question, one of the prime targets was the Domain Name System. Because, unlike TCP/IP, the Domain Name System is very much hierarchical and very much has single points of coordination. So, people asked, "Can we imagine a different type of Domain Name System in which you don't need ICANN to be the one entity running the system? 
Can we use blockchain technology to do this?" And I'm gonna show you a little bit of a simplified version of why people think that's possible, and what some of the efforts have been to build systems like that, and what are some of the pitfalls in building such systems. So, the starting point for this is the observation that a simplified view of DNS is very much a simplification, but you can imagine it just as a system, a global key-value database that maps these domain names to IP addresses. It doesn't matter really that these are domain names and IP addresses; they can be any keys and values. Before cryptocurrencies and blockchain technology, it was widely believed that you absolutely need a central authority to run this kind of global key-value database where anybody can choose the keys and values and choose to insert them into that database. You need that in order to resolve conflicts. So, what do I mean by conflicts? There can be two types of conflicts. One type of conflict is simply that coincidentally two users both decide that they want Alice.com, or something like that. They wanna register that, and this can create a need for somebody to resolve which of those two users should be allowed to do that. And this is a distributed systems problem. So far, we haven't talked about incentives at all. But the DNS also does something else, which is that it creates a market because you need to pay for these domain names; and that market exists not simply to make ICANN money, but it also serves a function here. It prevents malicious behavior, such as being able to squat on a large number of domain names, all of the domain names that anybody might pay a high premium for. If somebody were to squat on all of that valuable real estate, so to speak, that would greatly decrease the value of the system. So, this is an algorithmic game theory problem, and the field of algorithmic game theory and mechanism design studies this kind of question. 
So, how do you design a market here, how do you design an auction or some other mechanism so that the incentives of individuals are aligned with the goals of the overall system that you might have? So, this is what DNS does at a simplified level, and the key insight behind why people wanted to use blockchain technology to build a decentralized kind of DNS is a realization that at least the first of those problems, the distributed systems problem, is actually fairly easily solved using blockchain technology. And the reason for that is that public blockchains, you can think of them as decentralized key-value stores, basically. Bitcoin's blockchain contains a record of all transactions that have ever been made in the system, and its main function is to create global consensus around the order of those transactions. But, in fact, you can generalize from transactions to any mapping between keys and values, it turns out in a relatively straightforward way. And, if you do that, you have global consensus around which keys map to which values. It's, in fact, straightforward to modify Bitcoin to do this, and there is a system called Namecoin, it's called alt-coin, or alternative cryptocurrency, that does exactly that. So, it's actually a simple code change to Bitcoin, and this was done starting in 2011, and the code change is the following. The rule for transaction validation in Bitcoin says you wanna verify that a coin that somebody is trying to spend has not been spent previously, and you wanna verify the signature corresponding to that transaction. Namecoin replaces that with a rule that says for the name registration transaction, you want to validate that the name has not been previously registered in the system, and also that it's accompanied by the signature that allows the person proposing that name to, in fact, insert that transaction into the system. 
That's pretty much it, with a conceptually, relatively simple change, you can take Bitcoin, you can take this cryptocurrency, and you can repurpose that as a global key-value store, which will resolve these conflicts resulting between race conditions between different users, and you can use that as a global key-value store. Now I haven't addressed the incentives question at all. I haven't told you how the system tries to prevent one person squatting on a large number of names, but, at a technical level at least, this distributed systems problem is easily solvable using blockchain technology. I'm not claiming it's a very efficient solution. For example, miners have to store the entire blockchain; so every user of the system would essentially have to store a record of all the domain names and IP addresses that have been registered. And we can try to improve the efficiency of that, but the baseline is this kind of massive replication. I'm not claiming it's very efficient, but conceptually it's possible. And this was a powerful realization a few years ago, that you can use public blockchain technology in order to do other things and not about currencies, and potentially create decentralized versions of important existing systems. So, just to give you a little bit more of a concrete idea of what happens in Namecoin is if Alice registers Alice.bit, mapping to a particular IP address, what you would have to do is you would have to install a browser extension, for example, or a proxy, and configure your browser so that when you type in a .bit domain name, instead of consulting the ICANN Domain Name System, it should, instead, consult this public Namecoin blockchain, and use that to retrieve the IP address corresponding to this .bit value. And, as long as you install that simple browser extension, what we have is an actually functioning business system you can use now. This is a DNS replacement, if you will, that does not involve a centralized authority. 
So, it's pretty cool that we can do this at a technical level. So, I'll come back to the incentive issues around the particular Namecoin system that I'm describing here, but before I do that, I wanna give you some mental intuition, some mental tools, to think about the system that we have just discussed. The system we have discussed is an example of a smart contract. Smart contract is a term that you may have heard a lot. Let me explain to you why this is a smart contract, and how to think about it. There are many ways to think about it. I'll give you one that I found to be very useful. Here's how you can think about it. Think about an agent in the cloud, if you will, if you will pardon the buzzword. A smart contract is a kind of algorithmic agent. It's not analogous to an algorithmic agent; it's exactly an algorithmic agent. And the manifestation, the realization of this agent is that the code for the agent is being executed in tandem by all of the nodes in this distributed system, in particular the nodes that are doing the mining operation for the network. And there can be hundreds or thousands of them based on the system. The reason that this is a powerful abstraction is that an algorithmic agent, over there on the right, it's something whose code you can examine. Its code resides on this public blockchain. It means that its actions are algorithmically specified and they are fixed. Unlike a human agent, you can look at its code, and know that it's going to behave exactly in the way that it's specified. And it's decentralized, nobody controls it, not even the creator of the algorithmic agent. They can't retrospectively change the rules that have been programmed into it. And, so, here's the functionality of the agent for the specific Namecoin system. Alice, a user, contacts the agent and says, "I wanna purchase Alice.bit," and the agent says, "Okay, costs you .05 Bitcoins." And Alice says, "Okay, here are .05 Bitcoins." And she transfers that money to the agent. 
She transfers it to this virtual entity. It's not a particular user that's controlling the agent. Once she does that transfer, it's not an individual user, not even the creator of the agent that owns the money. The piece of code, the smart contract, that's executing in the cloud, that is executing in tandem by all of the miners in the system, that is now the agent that owns that money that Alice has paid in exchange for that domain name. And the functionality of the agent, the pre-programmed functionality of the agent, is that it will take Alice's money, and it will put her name and value into its global database that anybody can then consult. They don't have to interact with the agent to consult that value, it's just a public data source, so they can simply look up that piece of data. And one caveat to remember here is that there are no private memory or communication channels. When Alice is communicating to the agent, in reality she's communicating with a peer-to-peer network, so anybody can intercept that communication, and anybody can know what Alice is interacting with the system. Let me know if this mental model makes sense. Smart contracts are described in various ways, but to me this is the most powerful way to understand them. It also explains why people are so excited about this. Anything you can put into the behavior of the agent with code, you can realize using these smart contract platforms, question?

- [Student] Who's executing that algorithmic agent? I didn't quite catch the term--

- Pardon me, if you're familiar with Bitcoin miners, who are doing these hash computations, the question was who are the agents that are actually doing the computation of the agent? 
So, it's going to be people who are running mining software, and all of the people who are running mining software are gonna be all executing the actions of every single agent that's programmed into the system, and they're all checking the outputs of each other's computations, and that's where you get security from. And that's how anybody who's looking at the code can be ensured that the agent is going to behave exactly as programmed. So, this is the technical behavior of this agent, but this agent also creates a market. And, in this particular example, it creates a primary market and a secondary market. So, let me explain that now. What the agent has the power to do is it can execute any kind of algorithm to determine what is the cost for purchasing Alice.bit. For example, it might look at the length of the domain name. Shorter domain names are more valuable, something like that. It might run an actual auction between different users. Everybody who wants to purchase Alice.bit, puts in a bid, and you have an auction. And, so, as people pay the agent, the agent accrues the money, and it can be programmed in various ways. For example, it can be programmed to return revenue to shareholders. People can own shares in this agent. These shares are just tokens, similar to Bitcoins, or any other digital currency token. And the agent can be programmed to return revenues to shareholders in proportion to their share ownership of it. Interestingly, this is a side note, but this is the revenue model that's built into all of these smart contracts, that's really caused this frenzy of, initial coin offerings is a term that you may have heard. You hear a new one every day, and a lot of these have market caps of billions of dollars. If people are hoping to make money using these things, this is one of the main ways because you can program them to return revenue to their shareholders. That creates a frenzy for people to go and purchase shares in these new things. 
So, that's the primary market. That means how does somebody initially acquire a name in this system. And there's also a secondary market, and this is really cool, you may not have seen this, and this is one of the key features of what you can do in terms of new types of markets in the title of my talk, Using Cryptocurrencies. Let's say that Alice is done with Alice.bit, she doesn't want it anymore. Bob wants to purchase it. In any normal market, even if it's a digital good, if Alice and Bob don't trust each other, neither of them wants to pay first, and, so, you need an intermediary who's going to facilitate that transfer for you, somebody who is trusted by both Alice and Bob. In these cryptocurrency frameworks, you actually don't need that. You can create a single transaction that binds together Alice's transfer of her digital property to Bob, and Bob's payments back to Alice. And this network gives you the guarantee that either both of those transactions will execute or none of them will. So, what we've achieved here is we've kicked out the intermediary from this simple transfer of digital goods in exchange for value. And this is considered to be very powerful because it gives you a platform on top of which you can build various types of markets that don't have intermediaries, where people can actually transact in a peer-to-peer fashion. So, this is the reason that people have gotten excited about it. There is a vision here about markets as well as commerce. Without gatekeepers, we don't have to worry about banks and other institutions determining some types of transactions are okay and others are not. There's also a dark side to it. It allows you to escape a lot of government regulations, so people have very different opinions on whether this is a good thing or a bad thing. 
But from a purely technical perspective, we can appreciate that this is a new thing that is now possible that was not possible before, and one utopian vision for what's going on here is that, just like the internet removed intermediaries from the transmission of information, this type of technology is removing intermediaries from commerce. Any two people can have any type of financial transaction that they are both comfortable with, without having to trust the motivations of each other. Question in the back? - So, you say without gatekeepers, and I've heard this phrase used a lot in reference to Bitcoin and other cryptocurrencies, but this code that's running this agent that you keep talking about, it's running somewhere, right, in many multiple somewheres. People control these systems, right? In the end, someone is doing the gatekeeping. - Yes and no. Yes, because that code is running on physical computers, but let me clarify this. I didn't say this explicitly before. The security guarantee that you get is nobody, not even the creator of that piece of code, can change its behavior without overrunning the security properties of the entire system. Anybody who is technically capable of modifying the behavior of that code will also be able to crash the entire Bitcoin currency, or whatever other platform this is running on. You have to create an attack on the entire system. The security of one piece of code is coupled now to the security of the entire system, and also we can quantify that. I'm gonna tell you later in this talk that Bitcoin's energy consumption for mining is around 10 gigawatts, and that is an incredible amount of power that you have to purchase to do that amount of mining to overrun the security of the system, but we'll come to that later. We looked at the system Namecoin in a paper, and the first thing that we wanted to do was, there were these loose incentive arguments about squatting, and so on, but we wanted to make that more concrete. 
So, we first said, "Can we write down the different parties in the system and what are their incentives?" And we came up with a number of observations. Here is one example of an observation. There could be two potential reasons why squatting is a thing. For example, one of them is that let's say BankofAmerica.bit is very valuable, it's a very valuable domain name, but this agent, because it's programmatically generating the price for each domain name, is only charging one Bitcoin for it. A lot of people just wanna buy up BankofAmerica.bit, and hope to resell that to Bank of America, the bank, later. So, that is analogous to scalping, and depending on what your views are on this question, you might think scalping is perfectly okay, it actually makes the system more efficient, et cetera, you might be okay with that. There might be another reason for squatting, though, which is that the system Namecoin, I mean, who's even heard of it? Probably 10 of you. So, people are just waiting and watching the system. They don't know right now if BankofAmerica.bit is valuable or not, and therefore currently they don't have a lot of utility for this domain name. But if Namecoin the system becomes very popular, then it's going to be worth a lot. So, they're speculating that the value will increase in the future. And this is analogous to land speculation in new areas of land that have become available. This latter one is much more problematic, and one particular reason this might be problematic is that if you look at the collective behavior of all of the participants, you might have the following problem. 
You might have everybody is squatting on one or two domain names, not actually making use of it, hoping that the system is going to become popular in the future, but precisely because all of the valuable names are being squatted by people who are not actually making use of them, that destroys the utility of the system, and it prevents the very speculation that you're betting on which is that the price of the system will increase in the future. So, these are some of the incentive issues that we explored in our paper, and at a meta level, we had the observation that domain names are gonna have very different utilities to different players at different times. And here was the key thing, we looked at the actual pricing function in Namecoin, and we realized right away that it's way too crude. It doesn't nearly have enough nuance to capture the actual utilities of the different players and participants. So, our hypothesis going into this was that the system can't properly function really well if you have these adversarially-motivated players, and we didn't think this was a good mechanism. So, we wanted to study this empirically, so we built a bunch of tools for looking at the public Namecoin blockchain data, and analyzing how are these names being used, and also we wanted to analyze the marketplace of these transactions. So, two sets of results. I'm gonna go over those very briefly, but you can look up the paper if you're interested. One of the things that we found was that of the 200,000 names that had been registered at that time, we filtered them in a variety of ways to ignore trivial uses of the system, and we found that out of 200,000, only 28 had non-trivial content that was not duplicated by other content on the broader internet. And that was a really shocking number. We didn't think the system was working so well, but we did not expect to find that it was a complete ghost town. 
It kind of validated our hypothesis that we went in with, which is that the system doesn't have nearly enough protections against this kind of squatting behavior by adversarial players. And we had other ways to measure this, as well. We found that at least 75% of names had been squatted, and we looked at the secondary market. We found a way to identify transactions that might represent transfers of names from Alice to Bob in this kind of decentralized setting that I was talking about. And we found that that feature had been used, at most, an upper bound of 250 times in the several-year lifetime of the system. So, this seemed like it was a pretty clear-cut case of a mechanism design failure. A lot of these mechanism designs are being done by people who have not heard the term mechanism design. That was one of the key motivations for me to get involved in this research area. There's a lot of room for doing this in a more rigorous way, in such a way that these systems will achieve not only the technical properties that they were supposed to achieve, but also the properties of incentivizing participants to act in a way that preserves the overall health of the system. So, going back to the theme of how to think about smart contracts, let me give you one more analogy that might be useful. This machine is the Bombe Machine. It was used in World War II, it was related to cryptography and cryptanalysis. It was a special-purpose computer. And this is analogous to Namecoin. You have a whole cryptocurrency, a dedicated cryptocurrency, which has its own market, and trades, and everything, that is purely dedicated for this one smart contract, whose function is to map these domain names to IP addresses. So, that was the old style. Namecoin was started in 2011, but the new style of smart contracts is to have a single platform, and that's analogous to a Turing machine, and today the main such platform is Ethereum. And Ethereum is a smart contract programming platform. 
It exposes a Turing-complete programming language to anybody and you can go do this yourself. You can easily put your own smart contracts into the blockchain, and if you wanted to replicate Namecoin's functionality, that's only about eight lines of code. And we discussed that in our book, and it's a pretty powerful thing you can do. Sure, the incentive questions are hard, but the basic technical functionality of achieving a lot of these things without centralized intermediaries, the fact that there is one single platform today, on top of which you can quickly and easily write a smart contract, that I think is something really powerful. I do wanna offer the caveat that with Ethereum, it's only become easier than ever to shoot yourself in the foot. There have been, this one for example, the DAO is something you may have heard of from last year, where people have the smart contract, and they had great visions along with it, and it turned out that there were a number of just basic security bugs in there, but also incentive problems in that smart contract. And there was a heist to the $250 million at the time, and now it's worth much more, probably something like $1 billion today. So, there's all this craziness going on. There's clearly a lot of potential here, people experimenting with this, but not fully trained in security or mechanism design, and, so, there have been a lot of failures of this nature. Let me tell you about fundamental issues that I think still need to be solved in figuring out the science of how to build smart contracts. And this is from a different paper, where we did a case study of prediction markets. You've probably heard of prediction markets, if you haven't, here's a visualization, again, using this agent-in-the-cloud model that I like to think of. Let's say Alice and Bob are in their own filter bubbles. 
Imagine before the 2016 election, and Alice was completely sure that Clinton will win, and, so, she's willing to give anybody 60-40 odds, and she's willing to bet that Clinton is going to win. And Bob has the opposite belief over there in his filter bubble. And, so, a prediction market is a really good tool, and economists love prediction markets, when you're in a situation like this, when people have very different beliefs, and maybe different pieces of information about what's going on in the country. Allowing them to bet on the outcome of events forces them to put their money where their mouth is, and it's considered to be a really good way to crowdsource information about probabilities of future events. And when people compare prediction markets with polling, and experts, and so on, they have a pretty good track record. And there are regulatory issues with prediction markets in the US. They're considered to be similar to gambling, and this is one of the reasons why people are very excited about using these cryptocurrency platforms for prediction markets, kind of as a way around regulation. And one comment about the morality of that, but we did a paper on what that would take technically, and we came to the conclusion that this agent here in a prediction market would have two main roles. It would have to pair these trades with each other, it would have to find that Alice and Bob wanted to trade on the same thing and there was an opportunity for them to trade and it would have to make that trade happen, and, also, it would have to adjudicate. When this event actually happened in the real world, the agent would have to make a decision about whether Alice gets the money or Bob gets the money. I want you to think about this for a second. So, some event has happened in the world, everybody has agreed today that Trump has won, even the people holding the not-my-president signs, but if you're doing this in a blockchain context, there is a tricky problem. 
This agent that's executing in this virtual world, the only inputs that are available to it, this is not a normal piece of code, it's limited to this smart contract environment, the only inputs that are available to it is the data that's present on the public blockchain, the Ethereum blockchain, or whichever blockchain you're executing on. And that blockchain is not guaranteed to have information about the result of the election, or really anything else unrelated to these financial transactions. So, this is one of the key problems that people have been trying to solve. How do you import real-world data into blockchains so that you can have smart contracts that can actually use them as inputs to do interesting things? And, so, this is an ongoing area of research. We had something about it in our paper, different ways of doing it. Can you use voting, does that increase the trustworthiness of that feed, et cetera? This concept is called a data feed, though. There are a number of companies who are offering those kind of services, and there's also research on these, as well. We also looked at the other aspect of this, which is how do you design a decentralized order book. An order book is what happens when the New York Stock Exchange, for example, is matching people's trades to each other. I'll skip the details of this, you can look it up in the paper, but what we concluded was that doing those decentralized order books is going to have some interesting differences with how order books execute in the real world. And, so, the meta lesson from this here is that I do think there is a great potential for making these kinds of things happen, but, even if they do, the markets that result from them are going to be subtly different from the markets that we have today, and which we're familiar with, and which there have been a legion of economists who have been working on analyzing them. 
And, so, that's why I'm calling for a need for a lot of new theory here, as well as measurement of what is actually going on in these new decentralized marketplaces that already exist, in many cases. I'm gonna pivot to the second part of my talk, but if there's anything I can clarify, I'd be happy to do that now. Okay great, so far what I've told you about is assuming that the smart contract platform works perfectly, works as specified, how could you design these actual smart contracts on top of that? But that's not the only question, because, as the person in the back asked, ultimately, these computations are being run by real people, real miners. And, so, to consider the security of these things, we have to consider the security of the mining process, as well. How confident are we that the whole mining process will not collapse because the incentive questions in the underlying cryptocurrency itself are perhaps misaligned? So, we did a paper about that and specifically we looked at what's going to happen when Bitcoin's block reward changes, in particular, diminishes and goes away. This is something you might be familiar with in Bitcoin, and many other cryptocurrencies, there are two types of monetary rewards. What is called the block reward is a fixed amount of new Bitcoins that are generated and distributed for every new block that is created, and that's the blue line here that halves every four years. You also have transaction fees that are like tips that people leave for the miners, and that number, as you can see on the bottom right, has been rapidly increasing and the projections are that within a few years most of the revenues are actually gonna come from these transaction fees. And, so, one of the things that we found is that Bitcoin's game theoretic stability could break down as this block reward dwindles and goes towards zero. So, I'll give you a piece of intuition for this for how to think about this. 
So, what's happening today is that the majority of mining revenue is coming from this reward for new blocks. Currently the value of that is 12.5 Bitcoins. So, that's what you see in this picture here. Most of the revenue comes from this big circle over here, which is the fixed reward for each block, and there is some variable amount of revenue, depending on the number of transactions on the block, but that still comprises today a small portion of the revenue that a miner makes. It's around 25 to 30% today. So, the variance in how much money a miner makes, whether it's 12.5 Bitcoins plus .5 Bitcoins in transaction fees, or 12.5 Bitcoins plus .1 Bitcoins in transaction fees doesn't really matter. For each block, each miner makes roughly the same amount of money. But, in the future, the situation is going to flip. Some blocks are gonna be very lucrative, and some blocks are gonna be relatively impoverished. So, when this variance increases, we concluded that a lot of the incentive alignment in Bitcoin might go haywire. Miners might be incentivized to actually go against the interest of the overall system. And let me show you visually an example of that. And, so, this high variance is the key assumption here. So, imagine the scenario where block one in the system has maybe seven Bitcoins in transaction fees, simply because a small number of transactions made it into that block. The following block which extends it is a much wealthier block and has 15 Bitcoins in transaction fees, question in the back? - [Student] Justify the notion that there would be a high variance in transaction fees? - Yes, we can actually observe that right now, even the transaction fees that exist today, and the reason for that is, pardon me, can you hear me in the back? - Yeah, yeah. - Okay, great, and so the reason for that is that unlike a normal market or an auction, the miners are not charging a fixed amount to compensate for putting transactions into a block. 
Instead, what's happening is that users are independently guessing what the next miner might expect in terms of transaction fees. So, each user's wallet is actually running a predictive algorithm. When you do a measurement, and this is how measurement and theory feed into each other, when you do a measurement, you find that people's estimates tend to be widely different, and also based on their priority for their transaction. If somebody really, really wants to get their transaction into the very next block, they're gonna include a much higher transaction fee. So, for all of these reasons, empirically we find that the variance is high. Another reason, another important reason, just to complete that, is that blocks are not found at constant intervals. One block can be found in one minute, another can take 20 minutes. And, so, the amount of transactions that have accrued in one minute is much smaller than the amount in 20 minutes. So, those are the reasons. So, we have the situation, and now here's a question I wanna ask you. This block has been found with 15 Bitcoins of transaction fees in it. A few more transactions have accumulated. So, five Bitcoins of transaction fees are available to the next miner. The obvious thing you might expect them to do is to create a new block that extends the longest chain, as you are supposed to do in Bitcoin, and then capture those five Bitcoins in transaction fees. We're claiming that they might not always do that. So, that's option number one, to extend the latest block, but option number two is actually to fork the latest block and mine on top of the previous block. Why might a miner wanna do that? Why might they wanna do that, even though today they don't have an incentive to do it? And here's where the difference between a fixed block reward and a variable block reward becomes crucial. 
Because in option two, what the miner might be able to cleverly do is not just fork the most recent block, but, in fact, undercut the previous miner. What do I mean by this? Even though there are 20 Bitcoins in transaction fees available for them, they won't put all of the transactions into the block; they will deliberately leave money on the table. In fact, what they will do here is they'll only put 10 Bitcoins into this new block that they create, and leave 10 Bitcoins totally unclaimed, in the hope that when the following miner is now contemplating a similar dilemma, whether to build on top of the 15 or build on top of the 10, they're gonna choose the 10 because they now have 10 new Bitcoins that are available for them to claim. So, what we discovered is that this deviant strategy of forking might actually be more profitable than following the rules in the Bitcoin Rulebook. Something similar to this had been discussed by the Bitcoin developers under the name fee sniping. Feel free to take a look at that later, if you'd like. We did a lot of game theory starting from this basic observation, and we concluded that rational mining is gonna lead to a security breakdown in the system. And what we tried to analyze in the paper is the fundamental tension that the miner is struggling with which is do you take as much as you can, or do you try to leave some on the table in order to prevent other miners from undercutting you? So, the paper had two components. There was a theory component and there was a simulation component. And we were pleasantly surprised actually to find that they matched up really, really well, and I'm gonna show you an example of that. 
But what I wanna show you on the next slide is an example, for those of you who are thinking about this as a research area, is a good example of how you can use things that are well known, and the algorithmic game theory have dozens of papers behind them, and use that, tweak them a little bit, and use them in a new context. We were able to model those types of strategic mining as no regret learning, which is a term that you might know from game theory, and that is what allowed us to apply this existing theory to this new area, and we think there is a vast potential application here. A lot of the people designing cryptocurrencies have not looked at this literature on auctions, and learning, and so on. And, so, there's a huge untapped area for research. This is an example of how there's a striking agreement between theory and simulation. I wanna offer a word of caution here. The theoretically best predicted strategy, which is based on the Lambert-W function, it doesn't matter what that is, we found that there is an agreement. The simulator found that the same strategy is the best performing one. But it only started to win out after something like 250,000 or 300,000 games here. And each game is a number of blocks. So, in real time, this is years and years of time here. So, it's an interesting question. What does it mean when we have theory that predicts something and it's borne out by simulation, but you need a really long time scale to observe this. Are miners going to be rational on these kinds of time scales? So, these are questions where we don't have a good handle theoretically and it's worth thinking about. But the meta result here, regardless, yeah, question? - So, when you discover these compatible incentives, it seems like what you said before conflicts with this, where no one person is controlling the algorithms that do this. How does something like this get fixed? 
- So, no one person is controlling these algorithms, definitely, however there are people who are widely respected in the community and are acknowledged to be the developers of the Bitcoin Core software. And, so, when they put out a rule change, if everybody agrees that it's to the benefit of the community overall, then most miners are likely to adopt that software update. But if it's something that splits the community into two, for example, whether or not to increase the block size, that affects different people differently. There are economic winners and losers from that proposal, so people couldn't come to consensus on that. So, the entire cryptocurrency forked. You have Bitcoin and Bitcoin Cash, and you have a new one called Bitcoin Gold, and people are coming up with new ones all the time. And, so, it really depends on whether you have social consensus or not that a particular rule change is in the interest of every participant in the system. If it is in everybody's interest, everybody will upgrade; if there are differences in opinion, the currency will fork. And one Bitcoin in the old system will result in one Bitcoin each in each of the two new systems, which is something interesting to think about, as well. Does that mean you've doubled your money? Not quite, but the answer is not as obvious as you might think. So, the lessons from each of these papers, so I'm gonna be coming to the same lesson, which is don't rely on intuition, use a combination of theory and either a simulation or a measurement, as the case may be. So, let me come to the last thing that I wanted to show you, but before that, let me offer this caveat. So far it's not that meaningful to apply these models of rationality to the miners so much because the reason that miners have been profiting, so far, is mostly because of the exchange rate. The exchange rate has been dramatically increasing. 
This graph doesn't look that dramatic over the last two years, until you realize that it's a logarithmic scale. (audience laughing) This is a huge factor of orders of magnitude increase over the last two years. And, so, miners have been de facto speculators. They've been mining Bitcoins and they've been holding on to them, and that's the reason why mining so far has been profitable. So, really the theoretical models will make more sense when we're talking about a future where the price is stable, and you actually have to worry about those strategies that you're using, instead of simply using mining as a way to speculate on Bitcoin. So, let me offer that caveat, and that ties into my next point, which is that one concern that people have with a lot of this is that there's so much of this mining activity going on, and mining wastes electricity. And I put wastes in quote because it's a waste in the sense that it's not doing useful computation, but it's not a waste in the sense that that's the reason the blockchain is secure. If it were not for this waste, you wouldn't have the security properties in the blockchain. But, with that caveat in mind, what I wanna show you is a model for estimating Bitcoin's electricity consumption. Think about what you think in your mind this is, and I'll show you how we estimated this. We were able to come up with both an upperbound and a lowerbound. Let me start with the upperbound. For the upperbound we assumed, we made assumptions that all of the possible revenue that's being put into electricity consumption for mining is actually being put in electricity consumption for mining. In other words, all of the mining revenues that are being made through mining Bitcoins are being reinvested in terms of electricity purchased for new mining hardware. This is the absolute best-case assumption we can make for how much electricity is being used on mining, so that gives you an upperbound. 
But with this assumption, we can estimate this pretty accurately. We know how much revenue's being made through mining Bitcoins. And, as of today's numbers, that's roughly a little bit over $1 million per hour. And how much electricity can you buy using that, using US electricity prices. This depends a little bit on the country. That's about 15 gigawatts. That's roughly in the order of ballpark of the Three Gorges Dam in China, which is I think the largest hydroelectric powerplant. So, that's how much energy is being used in Bitcoin mining. This is an upperbound. But how accurate is it, can we also do a lowerbound? It turns out, yes, you can do a lowerbound. You can assume that all mining is being done using maximally efficient hardware. That leads to the least amount of electricity consumption. So, we know what the maximally efficient hardware is based on published specifications, that's something called AntMiner S9. And this number here is for the previous version of AntMiner, AntMiner S7, and we know what its specs are. For each joule of energy, it can give you four billion hashes. And we know from public data how many hashes per second are being computed. It's over 10 to the 15 hashes, and when we plug that in here, we get a number of four gigawatts. This is actually remarkably close to that estimate that I had earlier of about 15 gigawatts. These two very disparate ways of estimating electricity consumption using vastly different assumptions. Very optimistic and very pessimistic assumptions give you numbers that only differ by a factor of four. So, I would say that's a pretty good estimate. Maybe somewhere around 10 gigawatts is the amount of energy that's being used for mining Bitcoin. Question? - When you computed the lowerbound, did you include the cost of building the hardware in the data centers? 
- We deliberately did not and that's why it's a lowerbound because when you take all of that into account, pardon me, I think that's more relevant to the upperbound. For the lowerbound, we don't need to take that into account because all that we're saying is we can measure the number of hashes that are being computed per second, and all of those hashes have to be computed using various hardware with various efficiency characteristics, and we're using the best known efficiency characteristic, and that immediately gives you a lowerbound. Question over there? - For the upperbound, can't people put their own capital into this hardware, if they're only getting the money that they, which you get from mining? - Absolutely, so then they would just be losing money on mining, so you could assume that, but you gotta make some assumptions to gain a meaningful number out of it. - Question, sorry, you said earlier that you were speculating, though, miners are essentially speculating on the future value of Bitcoin. So, if I'm speculating, I don't mind taking a little loss in the short term. - Yes, yes, that is fair enough. However, a lot of miners have been in business over a long period of time, and, yeah, I'm not necessarily defending those assumptions. Let's just say that these numbers are subject to those assumptions. It depends on how much credibility we wanna put into those assumptions. That's a fair point, yeah? - So, I guess according to this, if I were to build a maximally efficient Bitcoin mining center, for about $9.6 million per day, I could have the majority of the power on the computing power of the network, and essentially get control of it, right? - It would be, what is this number here, $1.5 million per hour, yes, absolutely, yeah. And that is an important weakness of Bitcoin to keep in mind. 
One other factor there is that you might not be able to purchase that amount of mining hardware on the open market, so that's the other thing to keep in mind, it's not only, yeah? - This question is regarding the upperbound, so do you account for the transaction fees? Do you have a model that you guys-- - [Arvind] We can measure the transaction fees. - No, in the future. - [Arvind] In the future? - I think your estimate was basically predicting the amount of global blockchains all of them get, and things like that. - So, for this number for $1.5 million per hour, I'm looking at the actual blockchain, and I have an actual measurement that the average block today gives you a revenue of, if I remember correctly, 16.2 Bitcoins and that's the number that I plugged into this. Let me keep moving in the interest of time, and hopefully we'll have some more time for questions at the end. I just wanna give you an aside here that the evolution of mining hardware has been really fascinating. It started with CPUs, of course, and then CPUs became too inefficient because other people were coming in with more efficient hardware and it's a competitive process. So, people started using GPUs, and then they moved to FPGAs, and all today's mining is done using ASICs, these Application Specific Integrated Circuits, and you have huge data centers full of these mining hardware that are doing these computations billions of times per second. And the funny thing about this is that there's a strong parallel to this in another process historically, which is actual gold mining, which started with individuals using these gold pans. And as more individuals started coming in, more gold was mined, and the price of gold dropped, and, so, individual gold miners couldn't compete anymore, and, so, you had to go to more advanced technologies, sluice box, and then groups of people using placer mining, and today gold mining is done in these massive open mine pits, as massive commercial operations. 
So, it's interesting to see that parallel between these two widely disparate technologies. Just an interesting digression. But this helps me motivate the last thing I wanna tell you about, which is proof-of-stake, which is motivated in this fashion. So, here's how you can think about Bitcoin mining, and this gets to some of the questions that you've been asking. Here's the lifecycle. So, you buy mining hardware, you buy electricity. You use that to generate lots of hashes. When you find a puzzle solution, when you find a valid block, you send it out to the network, and then the network gives you a mining reward, and you get that mining reward back in Bitcoins. What do you do next? You convert that into dollars, you use that to order new mining hardware and purchase electricity, and that completes the loop here. So, this is essentially what's happening in Bitcoin mining. So, people have the idea, hold on, wait a minute, all that's happening is that people are making mining revenue, and using that as a way to signal how much hash power they have in the network by using that mining revenue to buy more mining hardware. So, what if we cut out this entire process on the right of interacting with the real world, which is you just build a technological way of using your Bitcoins, or using your cryptocurrencies, to signal how much wealth you have, in other words, how much mining hardware you could buy if you wanted to buy mining hardware? And that would simply count as your proof-of-stake, as it's called in the system, and that would result in the creation of valid blocks. So, this is the motivation behind proof-of-stake. You cut out this whole messy interaction with the real world and, so, you don't have to waste electricity anymore. This has been a tantalizing prospect. You can get the same security properties, presumably, but without having to waste so much electricity. 
A lot of people have been working on proof-of-stake, and just the last thing I'll say is that we have a work in progress. This is not out yet, but feel free to email us for a copy. This is in collaboration with algorithmic game theory people at Princeton. We have a so-called impossibility theorem for proof-of-stake. This has to be taken with a grain of salt. We showed that in any proof-of-stake system, one of several undesirable things must happen, and there are compromises that you have to make to the security of the system in one way or another. I don't think this is the end of the conversation, but I think this is a new and previously underappreciated point about proof-of-stake, and we think there are gonna be challenges for proof-of-stake systems. It's not gonna be as straightforward as was once imagined. So, let me leave you with this kind of vision here, as I hope I've shown you throughout this talk, is that you can have this virtuous feedback loop between increasing our theoretical understanding, using that to build better mechanisms, and then once people are actually using that, we have this incredible positive feedback loop because you can design a new mechanism. You can write 10 lines of code as a smart contract, you can put it out there, and people will start using it. There's an incredible amount of energy in the system around these new innovations. So, that gives you data from the public blockchain to study the behavior of participants when you incentivize them in certain ways. This has almost never before been possible from previous applications of algorithmic game theory, this kind of public data. And, so, I'm hoping that this can lead to a new model for collaboration and a rapid advance in our understanding of the science of incentives. One quick advertisement, we built a tool called BlockSci, do exactly this kind of measurement, and we've been using it very successfully. It's an open source piece of software; there's a lot of people using it. 
Feel free to check it out. But I'll just put up this vision slide here, again, and I'll end here, and thank you for your attention. (audience applauding) - Questions? - Yeah? - So, you mentioned a couple of times, like moral or ethical questions around things about blockchain, particularly like prediction markets, and they're not necessarily legal in the United States, but you work on mechanism designs for them. And I was wondering to what extent do you think that we as computer scientists need to engage the moral side of what we're building, what we use it for? - Yeah, absolutely, that's a great point. So, I wanted this to be a technical talk, but, in general, I think that's a super important question to engage on. And certainly in our own work, we have made certain decisions driven by our moral boundaries, what we felt comfortable with. For example, when we developed a new anonymity system for cryptocurrencies, I personally didn't feel comfortable developing an implementation of that. And we put out a paper, and we thought it was an interesting idea to discuss, but until we could better understand the ethics of these systems, we weren't comfortable building that and releasing that to the world. That was several years ago. Today we have a better understanding of the ethics of anonymity of cryptocurrencies, and also what law enforcement can and cannot do. One of the things I've realized is that even if transactions on the blockchain for certain cryptocurrencies are not necessarily traceable, the interface between real currency and digital currency is very much a regulated space, and there are a lot of existing regulations that apply. You have to have a money transmitter license to be that kind of business. You have to abide by know your customer laws, and so on, and that gives law enforcement a very powerful avenue to go after bad actors. 
And I have some perspective, some interaction with law enforcement agencies in several cases, where they have been able to be successful using a variety of techniques because just based on the fact that the cryptocurrency space is not a parallel space; ultimately you have to interact with the real world. So, that's been encouraging to see, and I think there is room for finding a good balance that allows personal privacy through cryptocurrencies, but also allows law enforcement to do their effort. So, that's just one example of how I've had a productive experience in engaging with these ethical questions, but, yes, I think for every research project it's our responsibility to do that, in some way. In the back. - I'm gonna try to ask a longwinded question pretty quickly. So, in terms of security properties we want for Bitcoin, you can think of them as safety and liveness properties in general. I don't see how safety properties, like trying to forge something clever be hindering because then everyone just agrees that this is worthless, and moves on. But liveness properties, you might think of some attacks, which are global, they're like double-spend attacks. Then you could also imagine some attacks would just target, like I don't want Alice to be able to pay Bob. What sorts of attacks do you think practically today are actually possible given the current mining setup? How do you look at what the game theory says, and also what that means for the current distributed mining power given 80% of it is in China, and the Chinese Government can do kind of what it wants? - It's a little bit hard to say what is possible in practice today because that really depends on modeling. Actors like the Chinese Government, for example, on whom we don't have a lot of empirical data to suggest what they might or might not do. But two of the attacks that people worry about, off the top of my head, there are probably more, one is an eclipse attack. 
It's what happens when you partition a node or a set of nodes, and you confuse their view of the system, how can you take advantage of that situation. Another attack that comes to mind, selfish mining, is one that's been talked about a lot. When miners deviate from the protocol, how can that lead to an unraveling of incentives in the system. So, there are certainly a lot of attacks that have gotten a lot of attention. We don't have good data on what is possible in terms of the overall security of cryptocurrencies. - Let's thank Arvind. - Thank you. (audience applauding) (piano music)

This page was last edited on 15 January 2019, at 11:02
Basis of this page is in Wikipedia. Text is available under the CC BY-SA 3.0 Unported License. Non-text media are available under their specified licenses. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc. WIKI 2 is an independent company and has no affiliation with Wikimedia Foundation.