Abstract: Satoshi really invented cryptoeconomics. Bitcoin uses cryptoeconomics to solve two problems: the assignment problem and the incentive problem. But the interesting thing is that cryptoeconomics can sometimes compete with cryptography.
Devcon 5 took place in Osaka, Japan, from October 8 to 11, where Vitalik Buterin gave a great speech about cryptoeconomics.
ChainDD Live Report at Devcon 5 (video)
- The following is the transcript of the speech, edited by ChainDD:
What did Satoshi really invent? What makes Bitcoin really interesting?
You might have heard a lot of people describing it like this: Satoshi is the first person who solved this alone, and the Byzantine Generals Problem was, quote, "unsolvable". This is not true. The Byzantine Generals Problem was solved by a wonderful fellow named Leslie Lamport in 1982. So in the paper that introduced the Byzantine Generals Problem, he basically provided algorithms for how a set of parties that all want to agree on some piece of data, some kind of choice among some large set of choices, can do so, and can do so even assuming up to a third of them are malicious, even making no assumptions about network synchrony and all of these things, right?
So there are a bunch of different solutions to the Byzantine Generals Problem right there in the Byzantine Generals Problem paper, and I encourage people to read it. So the Byzantine Generals Problem was solved at the very beginning. Decentralized consensus is twenty-five years before Bitcoin and fifteen years before proof of work started to be used for anything.
Then what did Satoshi really invent? Satoshi invented cryptoeconomics.
So what is cryptoeconomics? Cryptoeconomics is basically the use of economic incentives to provide guarantees about applications. So you can view cryptoeconomics as being kind of the use of economics and game-theoretic reasoning as an appendage to cryptographic reasoning. Cryptographic reasoning allows you to believe certain things conditional on some assumptions, which basically claim that the adversary does not have a computer that's bigger than the size of the observable universe.
And that's all really nice, but cryptoeconomics allows you to have other kinds of guarantees beyond the ones that cryptography provides. Because of the types of guarantees that cryptoeconomics is trying to provide, they're not cryptographic guarantees. Instead, they are guarantees conditional on certain kinds of economic assumptions. For example, the assumption that the platform will continue running, liveness, also known as censorship resistance, is something that can be provided by economics but cannot be provided by cryptography. Even the assumption that the decentralized consensus system will come to a consensus is something that cannot be guaranteed by cryptography. It can only be guaranteed by some kind of model that says things about the motivations of participants in the platform.
So blockchains are cryptoeconomic protocols. Here's a blockchain. You have blocks, and five of those blocks are in one chain, and one of those blocks is kind of off to the side on the wrong chain. In a blockchain you want to encourage miners to create blocks that extend the correct chain, and you do not want to encourage people to create blocks that just go off to the side, make a different chain and confuse people.
So how do we do this with cryptoeconomic incentives? It's actually a little bit more subtle than just talking about incentives.
Bitcoin uses cryptoeconomics to solve two problems.
- The first problem is what I call the weight assignment problem.
But you might also have heard about basically the same problem under the name Sybil resistance. So here's the problem. We've had these BFT algorithms for a long time. These algorithms let fifteen nodes get together and send a bunch of messages to each other, and as long as fewer than five of them are malicious, the system is going to come to consensus. If you can make assumptions about the maximum amount of time that messages can take to travel between these nodes, then instead of tolerating up to four malicious nodes, you can tolerate up to seven. So that's even better. And it turns out that if you allow even stronger, really strong security assumptions, you can tolerate all the way up to thirteen malicious nodes. But that's a topic for another day. So we have had these algorithms for a long time. We had decentralized consensus.
What's the problem? Why hasn't this taken off? The reason is ultimately that even in a system that has fifteen different parties, you have to have some mechanism for choosing who these fifteen parties are. You could say, oh, it's the fifteen biggest major banks; who here trusts at least eleven of the top fifteen major banks? It could be fifteen of the top world governments; who here trusts at least eleven of the top fifteen governments? So this is a challenge, right? If you want to create a system that is actually accepted all around the world, then it's hard to pick a set of fifteen people that everyone will agree they can actually trust.
This is the problem that proof of work and proof of stake so cleverly solve. Basically, what proof of work and proof of stake do is, instead of preselecting fifteen people that will run this system, we say that anyone who publishes a certificate that cryptographically proves their computer did some large amount of mathematical work gets to join the set. So if you can solve some extremely complicated mathematical problem and you publish a solution to this problem, you're part of the set. In proof of stake, if you have a bunch of coins and you send those coins to the deposit contract, you're part of the set. So instead of preselecting fifteen people that everyone trusts, we have created this kind of open, permissionless system where anyone can join and participate.
We weight the participants by the amount of economic resources they contribute. So in proof of work, the impact that you have on consensus is proportional to the amount of computing power that you're bringing to the table, and in proof of stake it is proportional to the number of coins. Both of those things take economic resources to get. The reason we can't just allow everyone to join and give them one vote is because, well, on the internet, nobody knows you're a dog, or a virtual machine, right? So this is the problem that we're trying to solve.
Economics actually does a very good job of solving this problem of creating this set of actors, this assignment of voting power to an open, permissionless set of actors, that is actually very economically difficult to take over and become fifty-one percent of. This is the problem we solved.
So basically this is the innovation that makes Bitcoin possible, the innovation that makes Ethereum possible. And proof of stake is fundamentally in the exact same spirit, except instead of burning a bunch of electricity to prove that you have economic resources.
- The second problem is the incentive problem.
You have a bunch of permissionless actors. Some of them might be wonderful people, and some of them might be people in some country where things are really cheap, and you don't really understand what their psychology is. Some of them might be big corporations. Some of them might be hobbyists. Some of them might be hackers. They have access to computer resources. These are very disparate groups of people, and we know very little about what their motives are.
Well, what's the thing that motivates a lot of people?
Economic incentives. We know that people in all these disparate regions like money and want more of it. And generally, people that don't like money and don't want more of it are not going to be the ones that have the economic resources to become fifty-one percent of the network in the first place. So we can use economic incentives as a way of driving this widely disparate group of participants to participate in the network in good ways instead of participating in the network in bad ways. So these are both the use cases of cryptoeconomics in Bitcoin and in the major public blockchains. So the incentives are pretty clear.
If you make a block that's part of the main chain, you get a reward, and you have to pay some electricity cost to make a block, but the reward is going to be a bit bigger than the cost. If you make a block that's not part of the main chain, you still have to pay the cost. So if you're making blocks, you have an incentive to continue to extend the chain that everyone else is on.
Cryptoeconomics is great, because cryptography lets us prove things with very minimal assumptions about behavior, actually without assumptions about behavior, and cryptoeconomics lets us prove things with minimal assumptions about participants: the assumption that they're motivated by economic incentives. Actually, systems can work even if people are just motivated by economic incentives. All you need to assume is an upper bound on basically how much money attackers have. Both of those assumptions are pretty ideal for a decentralized, trust-minimized system.
So what are the security goals that we have in a cryptoeconomic system?
First of all, we want correct execution of the protocol to be a robust equilibrium. You have Nash equilibrium, which basically says that if everyone is following the protocol, it should be in each individual participant's interest to also follow the protocol. Well, we need something that's even more robust. We want the incentive to follow the protocol honestly to be pretty substantial, and we want the equilibrium to survive even if some significant participants start doing nasty things. Take into account perturbed games like bribery, and also maximize the cost of a successful attack.
So if a successful attack happens, then whoever caused the attack loses a lot of money. There are different security models that you can have. For example, you can have different kinds of assumptions about participants: you can assume participants are honest; you can assume that they're rational but not coordinated, so they want to make money but they're not coordinating with each other to make as much money as possible; you can assume that they are coordinated. And do these assumptions apply to a supermajority of participants, a simple majority, or just a minority?
Assumptions about the network: is the network synchronous, with messages guaranteed to get across within some fixed time bound; is there partial synchrony; or is it completely asynchronous, with no idea how long messages will take to arrive? Outside influences: if there's an attacker that's willing to give economic rewards to participants already in the system, is there a bound on the budget they need to be willing to pay, and is there a bound on the amount that they actually have to pay if an attack happens?
One common critique of the cryptoeconomic approach, which focuses on incentives rather than focusing on honest majorities, is basically: what about attackers that just have this really large extra-protocol incentive, participants that basically just want to watch the world burn? This could be a government, hackers, etc.
So the critique basically says: well, we're assuming that you have these participants that are motivated by economic incentives. What if there are people that just want to break the thing?
So there are two replies to this. One of them is that the traditional honest-majority-driven approach is actually even more unrealistic, because it assumes that the majority of the participants are altruistically honest. They are honest even if they have incentives to be dishonest, which is even more unrealistic than the economic approach. It is basically saying that more than half of this network, which in order to get into you have to put in a huge pile of money with the expectation of getting more money, more than half of these participants are going to just voluntarily forgo an opportunity to save money. This has already been falsified.
For example, a couple of years ago there was this thing that happened on the Bitcoin blockchain, where miners stopped verifying blocks because they just assumed that everyone else was verifying blocks. So one invalid block got in, and a bunch of blocks were built on top of it, and about six blocks had to be thrown out. Right? So we know for a fact that participants in these networks are willing to be lazy if they can get away with it.
And the second argument here is that pushing the cost of attack as high as possible matters, because the higher the cost of an attack, the lower the risk that there actually exists an attacker with enough resources (not just incentive; you also need resources) and enough will to actually attack the system. So another version of this argument basically says: well, you can't assume that people don't have an incentive to break the chain, because if you break the chain, then you can just hedge on financial markets, and you basically make money on derivatives from watching the coin's price drop. So does it really matter if two million of your ETH get burned? A lot of people say this, right?
As an argument for why the economic model is broken. The problem with this is that, first of all, there is some maximum amount that you can earn by breaking the chain. The attacker is motivated to already have taken this maximum. If an attacker is going to try to break the chain, they are going to be motivated to make not just enough money to cover the losses, but as much money as possible to benefit from the attack. There is some fixed number that is the amount of money that they can make. So if the cost of attack is higher than this number, then you've won. If the cost of attack is lower than this number, well, the lower it is, the more of a risk that this kind of attack will actually happen. So there is a very significant benefit to increasing the cost of attack, and so increasing the corresponding amount of outside-the-system incentive you need to have in order to actually be willing to attack the chain.
For example, if you're going to attack the chain, then it is going to be easy to make, say, a few thousand ETH worth of profit anonymously on decentralized markets. But if the cost of attack goes up to a million ETH, then making the corresponding amount on financial markets anonymously and getting away with it is maybe vastly harder. Right? So the more you push up the requirement for how much money they need to make to offset the cost of an attack, the more unrealistic an attack becomes. So we can look at proof of work in an economic context.
You can look at models that say the majority of the network is honest, or the majority of the network is uncoordinated. Or we can talk about the amount of budget an attacker needs to have to be able to make an attack, and so on. We can also talk about different assumptions about network synchrony: do messages arrive immediately? Do they arrive after one minute? Do they arrive after ten minutes? So the first column is just the usual fifty-one percent argument. The longer the network latency, the more the percentage goes up, because the honest network sometimes accidentally makes stale blocks.
The second column is uncoordinated. The reason why that looks much harsher is that you have selfish mining. And the cost of an attack is zero, because if you make an attack and you succeed, then sure, you have to pay for a bunch of electricity to create the attacking blocks, which is where the budget is, but you get paid a block reward for all of the blocks that you make. So actually, the total cost of the attack after the rewards becomes either zero or negative.
We can look at different kinds of these algorithms in this way. And proof of stake is actually, in large part, an attempt to take this chart and improve on it. One important concept in cryptoeconomics is the distinction between uniquely attributable faults and non-uniquely attributable faults. A non-uniquely attributable fault is a fault where you know that some mistake happened, but you have no idea who was responsible.
For example, if you have a blockchain and you have two different forks, then one of the two sides is responsible. One of the two sides built on top of an old block instead of building on top of the new block. But you do not know which one; you don't know whether the top chain came first or whether the bottom chain came first.
Some people might know if they watch the network closely, but there's no way of proving cryptographically who did what first. So the fault here is not uniquely attributable, and the problem with non-uniquely attributable faults is that there's a limit to how much you can penalize them, because if you penalize non-uniquely attributable faults too much, then there is a risk that innocent people get caught, and so you're making the system much less attractive to participate in. Uniquely attributable faults are faults where, if some actor misbehaves, it can be shown that it is that actor's fault.
So if some protocol requires you to show the result of a calculation, and someone shows two plus two equals five, that's something that you can point to and say, look, this guy over here clearly made a mistake and published a false statement. You can give them a pretty large in-protocol penalty. So this gets us to the goals of proof of stake. Right? So in proof of stake, validators have to make deposits.
They have to put their ETH into a smart contract in order to participate. The reason why those coins have to be locked up is so that if validators make a uniquely attributable fault, if validators do wrong things in such a way that they can be identified as the specific ones doing wrong things, then you can have an in-protocol penalty that touches those deposits and takes them away. This is what leads to an extremely high cost of attacking proof of stake, which you just do not get in proof of work.
So, finality: a block is finalized basically if validators make a series of messages supporting a block in such a way that, in order to also finalize a competing block, they would have to contradict themselves. The way to think about it is: if a block is to be finalized, two thirds of validators have to vote for it, and for a competing block to be finalized, two thirds of validators would also have to vote for the competing block. So one third of validators would have to contradict themselves, and if a validator contradicts themselves, you can see the evidence of that and you can take that and penalize them. In reality it is more complex than one round of voting. I encourage people to learn more about Casper FFG by reading the paper.
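The two-thirds finality rule and the "one third must contradict themselves" argument, worked through in Python as an added example (this is not code from the talk or from Casper FFG; the validator names, equal deposits, block names and the single-height vote are all constructed for illustration). The point it shows is the one the talk makes: two competing finalized blocks force at least a third of the stake into uniquely attributable equivocation, and that is exactly the stake the protocol can slash.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed validator set: six validators with equal deposits (arbitrary units).
VALIDATORS: Dict[str, int] = {f"v{i}": 100 for i in range(1, 7)}


@dataclass(frozen=True)
class Vote:
    validator: str  # who signed the message
    block: str      # which block it supports
    height: int     # the height (round) the vote is for


def total_stake(validators: Dict[str, int]) -> int:
    return sum(validators.values())


def stake_for(votes: List[Vote], block: str, height: int, validators: Dict[str, int]) -> int:
    """Stake backing `block` at `height`; a validator counts once however often it re-sends."""
    voters = {v.validator for v in votes if v.block == block and v.height == height}
    return sum(validators[name] for name in voters)


def is_finalized(votes: List[Vote], block: str, height: int, validators: Dict[str, int]) -> bool:
    """Finalized when at least two thirds of the total stake voted for the block."""
    return 3 * stake_for(votes, block, height, validators) >= 2 * total_stake(validators)


def equivocators(votes: List[Vote]) -> Set[str]:
    """Validators that signed two different blocks at the same height.
    Both signed messages are evidence anyone can submit, so the fault is
    uniquely attributable: no innocent validator can be confused with a guilty one."""
    first_seen: Dict[Tuple[str, int], str] = {}
    guilty: Set[str] = set()
    for v in votes:
        earlier = first_seen.setdefault((v.validator, v.height), v.block)
        if earlier != v.block:
            guilty.add(v.validator)
    return guilty


def slashed_stake(votes: List[Vote], validators: Dict[str, int]) -> int:
    """Deposits destroyed by the in-protocol penalty: the attacker's cost."""
    return sum(validators[name] for name in equivocators(votes))


def honest_only_demo() -> Tuple[bool, bool, int]:
    """v1..v4 (400 of 600) back block A; nobody backs B."""
    votes = [Vote(f"v{i}", "A", 1) for i in range(1, 5)]
    return (is_finalized(votes, "A", 1, VALIDATORS),
            is_finalized(votes, "B", 1, VALIDATORS),
            slashed_stake(votes, VALIDATORS))


def conflicting_finality_demo() -> Tuple[bool, bool, int, int]:
    """A is finalized by v1..v4. To also finalize B the attacker needs 400 stake,
    but only v5 and v6 (200) are uncommitted, so v3 and v4 must double-vote."""
    votes = [Vote(f"v{i}", "A", 1) for i in range(1, 5)]
    votes += [Vote(name, "B", 1) for name in ("v3", "v4", "v5", "v6")]
    slashed = slashed_stake(votes, VALIDATORS)
    return (is_finalized(votes, "A", 1, VALIDATORS),
            is_finalized(votes, "B", 1, VALIDATORS),
            slashed,
            total_stake(VALIDATORS))


if __name__ == "__main__":
    print("honest:", honest_only_demo())
    a, b, slashed, total = conflicting_finality_demo()
    print(f"A finalized={a} B finalized={b} slashed={slashed}/{total}")
```

Because finalizing each block needs 2/3 of the stake and the two vote sets together exceed the whole stake by at least 1/3, the overlap (here v3 and v4, 200 of 600) is never smaller than a third, whatever the validator set looks like; the demo just instantiates that inequality with six validators.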
There are a lot of other things that also make up the core of cryptoeconomics. One interesting thing is that cryptoeconomics can sometimes compete with cryptography. One useful example to think about is interactive computation. Interactive computation is a scalability primitive that is basically trying to allow blockchains to learn the results of complex computations without actually doing the entire computation on the blockchain.
For example, suppose you have some function, y = f(x), and it turns out that f can be decomposed into this format: you start with x, then you apply f1, then you apply f2, then you apply f3, and so on, then you apply f99, and then you apply f100. Basically, we start with a small value and get y at the end. So here is a protocol for how the blockchain can learn the result of this computation without executing all of it on chain. You set the problem: here is f, here is x, we want to learn y. Then you have a smart contract that contains some reward, and this contract implements this protocol. Anyone has the ability to submit a sequence of values, basically x1, x2, x3, all of the intermediate steps of the computation. The individual steps can have quite a bit of computation; each individual step just has to be small enough that you can execute it inside of a block. So the proposer submits the sequence of values x1, x2, x3, all the way up to x100, along with a deposit. This is step one. Step two, you wait. And there's a challenge period.
A simple example: the problem that we're going to make the blockchain try to solve is to calculate two to the power of ten. And suppose that in our universe multiplying by two is really hard, so we can only multiply by two once inside of a block. So how do you do interactive computation to compute two to the power of ten? Basically, you would have to submit all the intermediate values. You would submit these ten intermediate values: one, two, four, eight, sixteen, and so on. Then you would have this challenge period, and in the challenge period anyone has the ability to point to one particular value and say, wait, this value actually isn't two times the value before. So in this case, suppose we have this kind of evil smiley face guy.
The evil smiley face guy is just really tired of the stupid idea that a kilobyte is a thousand and twenty-four bytes instead of a thousand bytes. So this guy wants to fix the world by establishing that two to the power of ten is not 1024; it's actually 1000. And the evil smiley face guy is going to do this by submitting these ten values. Right? These are the "powers of two": 1, 2, 4, 8, 16, 32, 64, 128, 250, 500, 1000. They're powers of two, each one is double the one before, and at the end there's a thousand. What's the big deal? So within this challenge period, a challenger can say: someone is wrong on the blockchain, I disagree. Well, I disagree with that 250 there; I think 128 times two is 256. The challenger can submit a transaction pointing to this index, and that one step of the calculation actually runs on the blockchain. That particular multiplication by 2, 128 times 2, is run on the blockchain, and the blockchain goes: wait, it's actually 256, but this guy submitted 250, so this guy's wrong. And so the original submitter's deposit gets destroyed, and part of the deposit is given to the challenger as a reward. So this is a cryptoeconomic protocol.
The ability of this protocol to work relies on incentives. It relies on the penalty that the submitter gets if they submit a set of values where one of those values is wrong. And it also relies on the reward that the challenger can get if they detect that one of these values is wrong and send a transaction that shows the blockchain which step is wrong, allows it to be verified, and allows the submission to get rejected.
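The two-to-the-tenth challenge game from the talk, run end to end as an added example (this is constructed illustration code, not the talk's or any rollup project's contract). It assumes a toy contract with made-up names (`InteractiveComputation`, `submit`, `challenge`, `finalize`), a deposit of 100, a reward of 10 and a rule that half of a destroyed deposit goes to the challenger; the "expensive" step is a single doubling, exactly as in the talk. The challenger replays the trace off chain, and only the one disputed step is re-executed "on chain".

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def step(x: int) -> int:
    """The expensive per-block step. In the talk's toy universe a block can
    only multiply by two once, so each intermediate value is one doubling."""
    return 2 * x


def claimed_powers_of_two(n: int) -> List[int]:
    """Honest trace for computing 2**n: x0 = 1, x1 = 2, ..., xn."""
    return [2 ** i for i in range(n + 1)]


# The evil smiley face guy's trace from the talk: 128 * 2 "equals" 250.
EVIL_VALUES = [1, 2, 4, 8, 16, 32, 64, 128, 250, 500, 1000]


@dataclass
class Submission:
    proposer: str
    values: List[int]   # x0 (the input) followed by every claimed intermediate value
    deposit: int


@dataclass
class InteractiveComputation:
    """Toy on-chain contract (constructed for this example, not a real deployment)."""
    reward: int
    challenger_share: float = 0.5          # fraction of a slashed deposit paid out
    balances: Dict[str, int] = field(default_factory=dict)
    submission: Optional[Submission] = None
    outcome: Optional[str] = None          # None while open, then "accepted"/"rejected"

    def _pay(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount

    def submit(self, proposer: str, values: List[int], deposit: int) -> None:
        """Step one: the proposer posts the whole trace and locks a deposit."""
        if self.submission is not None:
            raise RuntimeError("a submission is already open")
        self.submission = Submission(proposer, list(values), deposit)

    def challenge(self, challenger: str, index: int) -> bool:
        """Step two: during the challenge period anyone may point at one index.
        Only that single step is re-executed here; the rest stays off chain."""
        s = self.submission
        if s is None or self.outcome is not None:
            raise RuntimeError("nothing to challenge")
        if not 1 <= index < len(s.values):
            raise ValueError("index out of range")
        if step(s.values[index - 1]) == s.values[index]:
            return False                   # the step checks out; challenge fails
        # Uniquely attributable fault: the proposer signed a wrong value.
        # The deposit is destroyed; part of it becomes the challenger's reward.
        self._pay(challenger, int(s.deposit * self.challenger_share))
        self.outcome = "rejected"
        return True

    def finalize(self) -> int:
        """Challenge period over with no successful challenge: accept y, repay
        the deposit and pay the reward."""
        s = self.submission
        if s is None or self.outcome is not None:
            raise RuntimeError("nothing to finalize")
        self.outcome = "accepted"
        self._pay(s.proposer, s.deposit + self.reward)
        return s.values[-1]


def find_bad_step(values: List[int]) -> Optional[int]:
    """What a challenger does off chain: replay every step and return the first
    index whose value is not step(previous), or None if the trace is consistent."""
    for i in range(1, len(values)):
        if step(values[i - 1]) != values[i]:
            return i
    return None


def run_honest() -> Tuple[int, int]:
    """Honest trace, no valid challenge exists, result accepted: returns (y, proposer balance)."""
    c = InteractiveComputation(reward=10)
    c.submit("proposer", claimed_powers_of_two(10), deposit=100)
    assert find_bad_step(c.submission.values) is None
    assert c.challenge("challenger", 5) is False   # 16 * 2 == 32, challenge fails
    return c.finalize(), c.balances["proposer"]


def run_evil() -> Tuple[Optional[int], bool, Optional[str], int]:
    """Evil trace: challenger finds index 8 (128 * 2 != 250) and wins the deposit share."""
    c = InteractiveComputation(reward=10)
    c.submit("evil", EVIL_VALUES, deposit=100)
    bad = find_bad_step(EVIL_VALUES)
    won = c.challenge("challenger", bad)
    return bad, won, c.outcome, c.balances.get("challenger", 0)


if __name__ == "__main__":
    print("honest:", run_honest())
    print("evil:  ", run_evil())
```

The on-chain work in the dishonest case is one doubling, not ten, which is the whole point: the deposit and the challenger reward are what make it safe to accept a trace nobody on chain has executed, as long as at least one party verifies off chain and the challenge period is long enough for them to act.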
Now, cryptoeconomics is basically, in some ways, the core of how optimistic rollup works. Right? So if anyone has seen optimistic rollup, like the Unipig exchange thing that's been floating around recently, this is the fundamental cryptoeconomic mechanism that protocol works on, and basically how it allows scalability to happen by just doing computation off chain by default, unless someone complains about some particular transaction in some particular block being incorrect. So notice that interactive computation does the same thing as ZK-SNARKs. ZK-SNARKs are about doing computation off-chain, making a proof on-chain, and allowing everyone else to just verify the proof instead of running the entire computation themselves. Interactive computation does the same thing.
A few people run the computation off chain, and they run this cryptoeconomic interactive protocol. And the fact that this cryptoeconomic interactive protocol happens on-chain and everyone saw it happening can convince people that the result of the computation is correct, without them having to run the entire computation themselves. But they have different trade-offs. Right? So SNARKs do not require a challenge period.
So with SNARKs, you can know the answer immediately, whereas with an optimistic or interactive computation game, you have to wait for some period of time to make sure that nobody will challenge the computation. But SNARKs are less efficient: zero-knowledge proofs have a very high computational overhead, and with general-purpose virtual machine execution, the overhead goes way higher. Optimistic computation does not have this problem. Interactive computation is also easier to implement. So if you do not want to have a challenge period, if you do not want to have this broad group dependency, then SNARKs are better, but otherwise, especially in the short term, and especially for more complicated, general-purpose applications, you can also look at this optimistic approach.
What can cryptoeconomics do?
Cryptoeconomics is used for lots of things. It protects the base layer of the protocols that we all know and love. It protects our light clients; it protects the security of our oracles and the security of L2 games: plasma, channels, optimistic rollup, Truebit. It can be used for DoS resistance and to improve the security of cross-chain messaging protocols, and so much more. So this really is the bedrock of what large parts of our ecosystem are based on. By planting the seed in 2009, Satoshi created a really interesting and great thing, and now we are building great things on top of it. Thank you.