Let's now look at mining economics, because we've said that it's quite expensive for miners to be in operation, because finding a single block takes computing about 10 to the 20 hashes. At the same time, we've also seen that the block reward is about 25 Bitcoins, which is quite a lot of money. So it really boils down to an economics question of whether or not it's profitable for a miner to mine. But we can write down a simple equation that represents what the inputs into this decision are. Fundamentally, the mining reward that the miner gets is in terms of the block reward and transaction fees. The miner asks himself whether that's bigger than or less than their total expenditure, which is the hardware and electricity cost. In fact, Bitcoin mining is so expensive in terms of electricity that that becomes a significant portion of the cost, and not just the up-front cost of the hardware. And if the rewards are greater than the cost, then the miner profits. If not, the miner incurs a loss. But there are some complications to this simple equation. The first is that, as you may have noticed, the hardware cost is a fixed cost. It's an up-front cost. Whereas the electricity cost is a variable cost that is incurred over time. Another complication is that, remember, the reward that a miner gets depends upon the rate at which they find blocks, which depends not just on the power of their hardware but, more accurately, on the power of their hardware as a fraction of the total global hash rate. So that makes it more complicated as well. Another complication is that the costs that the miner incurs are in terms of dollars or whatever currency they're using, whereas they're rewarded in terms of Bitcoins that are created or Bitcoins that are transaction fees. So this equation is really going to depend on what the exchange rate of Bitcoin is doing at any given time.
And finally, so far we have assumed that the miner is interested in honestly following the protocol, but it could be the case that the miner could deploy some other mining strategy instead of always finding the next block that extends the longest valid branch. And so this equation doesn't capture all the nuances of the different strategies that the miner can employ. So even though we can write down the simple equation, actually analyzing what it makes sense for miners to do is a complicated game theory problem, and we don't have simple answers to that. Okay, so now we've obtained a pretty good understanding of how Bitcoin obtains decentralization. Let's put it all together now and do a little bit of a recap and understand some high-level points in order to get an even better understanding. So what I'm gonna do is a very quick recap of several of the major aspects of Bitcoin that we have learned so far. Let's start from identities. As we have learned, there are no real-world identities required to participate in the Bitcoin protocol. Any user can create a pseudonymous key pair at any moment, any number of them. And when Alice and Bob want to make a transaction, when Alice, for example, wants to know what address Bob wants to get paid at, that's not part of the Bitcoin protocol. That needs to be through some other process, for example, on Bob the merchant's website. So given these pseudonymous key pairs as identities, transactions are basically messages that are broadcast to the Bitcoin peer-to-peer network that are instructions to transfer a coin from one address to another. And a coin really is just a chain of transactions, to the extent that we can call anything in Bitcoin an actual coin. And this is something we will see in much more detail in future lectures. And so this peer-to-peer network that we've looked at, its goal is to propagate all new transactions to all the Bitcoin peer nodes, as well as new blocks to the Bitcoin peer nodes.
But it's just gonna do sort of the best effort that it can. The real security of the system doesn't come from the perfection of the peer-to-peer network. In fact, the underlying assumption is that the network is quite unreliable. But, instead, where the security comes from is the block chain and the consensus protocol that we spent a lot of time looking at. So, what it means for your transaction to be in the block chain is that it achieves a lot of confirmations. It's not a fixed number, 6 is a commonly used heuristic, but the more confirmations your transaction has received, the more blocks are found that extend the block that contained your transaction, the more certain you can be that your transaction was part of the consensus chain. And now often there are going to be a variety of orphan blocks. These are blocks that don't make it into the consensus chain. This could represent an invalid transaction or a double-spend attempt. It could simply represent the fact that there is latency in the network, and two miners competing to solve this proof-of-work puzzle simply ended up finding new blocks within just a few seconds of each other. And so both of these blocks were broadcast nearly simultaneously onto the network. So another subtle point here is that if Alice and Bob were two different miners, and Alice has 100 times as much computing power as Bob, what that means is not that Alice will always win the race against Bob to find the next block, but instead that Alice and Bob have a ratio, a probability ratio, of finding the next block in the proportion 100 to 1. So in the long term Bob will find, on average, 1% of the blocks that Alice does. So those are some of the basics of block chain and consensus, and where the security of the system really comes from. And finally, we looked at hash puzzles and mining. Miners are a special type of node that bother to compete in this game of creating new blocks, and they're rewarded for their efforts in terms of Bitcoins.
And we expect that miners are going to be typically somewhere near the economic equilibrium of the expenditure that they incur, in terms of hardware and electricity, being somewhere equal to the rewards that they obtain in terms of the new block creation reward and the transaction fee based rewards. So that's a broad recap of the system. Let me show you in a pointed way how deeply this notion of distributed consensus permeates Bitcoin. Now in a traditional currency, consensus does come into play to a limited extent, which is that we have a consensus process around what the exchange rate of the currency is. You can make a rough analogy to consensus in distributed systems. And that is certainly true in Bitcoin as well: we need consensus around the value, the exchange rate of Bitcoin. But consensus goes much deeper in Bitcoin than in other, say, fiat currencies. In fact, you need consensus around state, which is what the block chain accomplishes, that is, a record of which transactions are valid or which transactions have even happened. So even the idea of how many Bitcoins you own is subjective consensus. What it means when I say I own a certain amount or number of Bitcoins is that the Bitcoin peer-to-peer network, as recorded in the block chain, considers me, the sum total of all my addresses, to own a certain number of bitcoins. That is sort of the ultimate nature of truth within Bitcoin. So ownership of Bitcoins is nothing more than other nodes thinking that I own a certain number of Bitcoins. And finally, we need consensus about the rules of the system, because occasionally the rules of the system have to change. There are things called soft forks and hard forks, and we are gonna see a little bit more detail of those in later lectures. Now I want to show you another subtle idea, which is very tricky, and it's this very neat idea of bootstrapping that I really found intriguing the first time I encountered it. So I want to share this with you.
So what do I mean by bootstrapping? I mean the tricky interplay between three things in Bitcoin, and what are these three things? Let's start from the security of the block chain. So obviously we want the block chain to be secure for Bitcoin to be a viable currency. But what is necessary for the block chain to be secure? What this means is that an adversary shouldn't be able to overwhelm the consensus process, shouldn't be able to create a lot of nodes and take over 50% or more of the new block creation. But when will that be true? What is the prerequisite for that? A prerequisite for that is having a healthy mining ecosystem made up of largely honest, protocol-following nodes. So that's a prerequisite for security of the block chain. But what's a prerequisite for that? When can we be sure that a lot of miners will put a lot of computing power into participating in this hash puzzle solving competition? Well, they're only gonna do that if the exchange rate of Bitcoin is pretty high. Why is that? Because they receive rewards denominated in Bitcoins, whereas their expenditure is in dollars, so the more the value of the currency goes up, the more incentivized these miners are going to be. But what ensures a high and stable value of the currency? That can only happen if users in general, people who want to buy Bitcoins, have trust in the security of the block chain. Because if they believe that the network could be overwhelmed at any moment by an attacker, then Bitcoin is not going to have a lot of value as a currency. So you have this interlocking interdependence between these three things, all right? So the existence of each of these is predicated on the existence of another. So one might flip that around and imagine the beginning, during Bitcoin's creation, when none of these three things existed. When there were no miners other than what we believed to be Nakamoto himself, or whoever the creator was, running the mining software.
And when Bitcoin didn't have a lot of value as a currency, and when the block chain was in fact insecure because there was not a lot of mining going on, and so anybody could easily overwhelm this process. How do you go from there, not having any of these three properties, to having all three of them? That is what I mean by bootstrapping, and it's this very tricky process of how all three of these characteristics were required by the Bitcoin system in an interdependent manner with each other. And this was of course fueled by a lot of media attention as well. Because the more people hear about Bitcoin, the more they're gonna get interested in mining. And the more they get interested in mining, the more confidence people will have in the security of the blockchain because there's now more mining activity going on, and so on and so forth. And so Bitcoin went from having none of these properties to now having, in some large measure, all three of these properties. That's the interesting bootstrapping feature of Bitcoin, and every new altcoin that wants to succeed also has to somehow solve this problem of pulling itself up by its bootstraps. Okay, let me leave you now with one final thing, which is that in order to understand consensus and what it's responsible for and what it's not responsible for, a good way to do that is to ask ourselves what would happen if consensus failed and there were in fact a 51% attacker, somehow, who controls 51% or more of the mining power in the Bitcoin network. So let's see what happens in that case, and let's list a whole variety of things, possible bad things, that we think might happen, and let's ask ourselves which of these are possible for a 51% attacker. First of all, can this attacker steal coins from an existing address? Well, you might guess that the answer is no, because stealing from an existing address is not possible unless you subvert the cryptography; it's not enough to subvert the consensus process.
This is a bit tricky, so let's follow through this line of argument. Let's say that this 51% attacker creates an invalid block that contains an invalid transaction, one that represents stealing Bitcoins from an existing address that the attacker doesn't control and transferring them to his own address. Now this attacker can pretend that that's a valid transaction, and pretend that that's a valid block, and keep building upon this block, and even succeed in making that the longest branch. But the other honest nodes are simply not going to accept this invalid block, and are going to keep mining based on the last valid block that they found on the network. So what will happen is that there will be what we call a fork in the chain. Now imagine this from the point of view of the attacker trying to spend these invalid coins, sending them to some merchant, Bob, to buy something in exchange. Now, Bob will presumably be running a Bitcoin node himself, and that will be an honest node. And that node is going to say, oh, this might be the longest branch, but it's not a valid branch, because it contains an invalid transaction, because the crypto, the signatures, didn't check out. And so it's going to simply ignore this longest branch because it's an invalid branch. And because of that, subverting consensus is not enough; you have to subvert cryptography to steal coins from an existing address. So we conclude that this attack is not possible for a 51% attacker. By the way, in saying all of this I should note that this is somewhat hypothetical, somewhat a thought experiment, because if there were, in fact, actual signs of a 51% attack, what will probably happen is that the developers will notice this and will try to react to it, and will update the Bitcoin software, and we might expect that the rules of the system, of the P2P network, might change in some form to make this attack more difficult to launch.
But we can't quite predict that, so we're working in a simplified model where a 51% attack happens, but other than that, there are no changes or tweaks to the rules of the system. Okay, let's move on. Can the attacker suppress some transactions? Let's say there is some user, say Carol, whom the attacker really doesn't like. And the attacker knows some of Carol's addresses and wants to make sure that no coins belonging to any of those addresses can possibly be spent. Is that possible? Well, let's think about this. The attacker, since he controls the consensus process of the block chain, can simply refuse to create any new blocks that contain transactions from one of Carol's addresses, and can in fact also refuse to build upon blocks that contain such transactions, and the attacker will be successful at that. However, the attacker cannot prevent these transactions from even being broadcast to the peer-to-peer network. Because the peer-to-peer network doesn't depend on the block chain, doesn't depend on consensus, and we're assuming that the attacker doesn't fully control the network, the transactions are still going to find a way to reach the majority of nodes. So even if the attacker tries this attack, it will be very clear that that attack is happening, because the peer-to-peer network will still receive these transactions. Okay, what about this one? Can the attacker change the block reward? Can the attacker start pretending that the block reward is, instead of 25 Bitcoins, 100 Bitcoins or something like that? Well, this sort of corresponds to changing the rules of the system, and by reasoning similar to what we applied for stealing Bitcoins from an existing address, this is also not possible, because the attacker doesn't control the copies of the Bitcoin software that all of the honest nodes are running. So that's also not possible. Finally, let's ask ourselves if the attacker can somehow destroy confidence in Bitcoin. Well, let's imagine what would happen.
If there were a variety of double-spend attempts, and behaviour of not extending the longest valid branch, and other such attempted attacks, then people are going to look at this and decide that Bitcoin is no longer acting as a decentralized ledger that they can trust. And so people will simply lose confidence in the currency, and we might expect that the exchange rate of Bitcoin is going to plummet. In fact, if there is a 51% attacker, and this is known, even if the attacker is not necessarily trying to launch any attacks, it's possible that this might happen. So this we can classify as not only possible but in fact likely: a 51% attacker of any sort will simply destroy confidence in the currency. And this last one is in fact the main practical threat if a 51% attack were ever to materialize. None of the others really makes sense from a financial point of view, considering the amount of expenditure that the adversary would have to put into attacking Bitcoin and achieving a 51% majority. Great, so now hopefully you've obtained a really good understanding of how decentralization is achieved in Bitcoin, and understood identities, understood transactions, understood the peer-to-peer network, understood the blockchain and consensus, understood hash puzzles and mining. So you should be at a really good point now, and a good launching point for understanding a lot more of the subtle details and nuances of Bitcoin, which we're going to start seeing in the next few lectures. So the next lecture is gonna be by Joe Bonneau, where he will address a lot of questions that take off from the point where we've left off in this lecture. The first is, how do we get from consensus to currency? So this is an assumption that I've already made in this lecture. Not only are we solving a distributed consensus problem, but also we're treating the result of distributed consensus as the currency, in order to incentivize participants.
But a lot of details are missing. What exactly does it mean to be paid in Bitcoin, how does that happen, how are those transactions represented, and so on. We're going to look at that, and we're going to look at what else we can do with consensus. I hinted at this a little bit, but it turns out that Bitcoin offers a lot in addition to just doing consensus. It has a whole scripting language, so there are a lot of interesting things to see there. And so Joe is gonna take it from there in the next lecture. Thank you.
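The 51% attack discussion above rests on one rule: honest nodes follow the longest *valid* branch, so a longer branch with a forged transaction or an inflated block reward is simply ignored. The toy model below is an added example, not code from the lecture or from Bitcoin; it stands in for signature checking with a `signer` field (valid only when the signer is the spending address), uses constructed names (Alice, Mallory) and a constructed genesis balance, and replays a chain from genesis so that an honest node's chain choice can be tested.

```python
from dataclasses import dataclass
from typing import Dict, List

BLOCK_REWARD = 25  # the block reward the lecture quotes

@dataclass(frozen=True)
class Tx:
    sender: str    # address the coins leave
    receiver: str  # address the coins go to
    amount: int
    signer: str    # stand-in for a signature: valid only if signer == sender

@dataclass(frozen=True)
class Block:
    txs: tuple                   # transactions in the block
    miner: str                   # address credited with the block reward
    reward: int = BLOCK_REWARD   # what the block claims as its coinbase

def tx_valid(tx: Tx, balances: Dict[str, int]) -> bool:
    """'Signature' check plus the spender actually owning the coins."""
    return tx.signer == tx.sender and balances.get(tx.sender, 0) >= tx.amount

def chain_valid(chain: List[Block], genesis: Dict[str, int]) -> bool:
    """Replay the chain from genesis; any bad tx or inflated reward voids it."""
    balances = dict(genesis)
    for block in chain:
        if block.reward != BLOCK_REWARD:      # attacker cannot change the rules
            return False
        for tx in block.txs:
            if not tx_valid(tx, balances):    # subverting consensus != subverting crypto
                return False
            balances[tx.sender] = balances.get(tx.sender, 0) - tx.amount
            balances[tx.receiver] = balances.get(tx.receiver, 0) + tx.amount
        balances[block.miner] = balances.get(block.miner, 0) + block.reward
    return True

def choose_chain(candidates: List[List[Block]], genesis: Dict[str, int]) -> List[Block]:
    """An honest node follows the longest chain among those that validate."""
    valid = [c for c in candidates if chain_valid(c, genesis)]
    return max(valid, key=len) if valid else []

def demo() -> List[Block]:
    """Constructed scenario: Mallory (majority hash power) forges a tx spending
    Alice's coins without her signature and out-mines the honest nodes 6 to 2."""
    genesis = {"alice": 50}
    theft = Tx(sender="alice", receiver="mallory", amount=50, signer="mallory")
    attacker_chain = [Block((theft,), "mallory")] + [Block((), "mallory") for _ in range(5)]
    honest_chain = [Block((), "honest"), Block((), "honest")]
    return choose_chain([attacker_chain, honest_chain], genesis)

if __name__ == "__main__":
    chosen = demo()
    print(f"chosen chain: {len(chosen)} blocks, first mined by {chosen[0].miner}")
```

The honest node ends up on the shorter two-block chain, exactly the fork the lecture describes; the same replay rejects a block that claims a 100-coin reward.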