I wanted to start this presentation with a kind of simple question, which is just: what did Satoshi invent anyway, right? So who here has heard of Bitcoin? Who here is aware of the fact that Satoshi created Bitcoin? Okay, so Satoshi created Bitcoin, right? But what makes Bitcoin interesting? Now the way that you might hear a lot of people describing it is that Satoshi is the first person who solved this long, elusive 25-year-old computer science problem called the Byzantine Generals problem, right? You can find a bunch of people saying things like this: that the solution to the Byzantine Generals problem was developed by "a man/group (identity unknown) who goes by the name Satoshi Nakamoto", that the Byzantine Generals problem was "unsolvable" until Satoshi sidestepped it. Many authors have written about the decay of western civilization and how the loss of power causes societies to disintegrate, and Satoshi fixes this problem, apparently. So this is not true. The Byzantine Generals problem was solved by a wonderful fellow named Leslie Lamport in 1982. So in the paper that introduced the Byzantine Generals problem, he basically provided algorithms for how a set of parties that all want to agree on some piece of data, some kind of choice between some large set of choices, can do so, and can do so fairly easily, even assuming up to a third of them are malicious, and even without making assumptions about network synchrony and all of these things. So there's a bunch of different solutions to the Byzantine Generals problem in the Byzantine Generals problem paper, and I encourage people to read it. So if the Byzantine Generals problem was solved at the very beginning, and if there were a whole bunch of ways of doing decentralized consensus for 25 years before Bitcoin, and 15 years before proof of work started to be used for anything, then what did Satoshi really invent? Satoshi invented crypto economics. So what is crypto economics?
Crypto economics is basically the use of economic incentives to provide guarantees about applications. So you can view crypto economics as being the use of economics and game-theoretic reasoning as a kind of appendage to cryptographic reasoning. So cryptographic reasoning allows you to believe certain things conditional on some assumptions that basically claim that the adversary does not have a computer that's bigger than the size of the observable universe, and that's all really nice. So crypto economics allows you to have other kinds of guarantees that cryptography can't provide, but because of the types of guarantees that crypto economics is trying to provide, they're not cryptographic guarantees; instead they're guarantees conditional on certain kinds of economic assumptions. So for example, the assumption that a platform will continue running, liveness, also known as censorship resistance, is something that can be provided by economics and cannot be provided by cryptography. Even the assumption that a decentralized consensus system will come to consensus is something that cannot be guaranteed by cryptography; it can only be guaranteed by some kind of model that says things about the motivations of participants in the platform. So blockchains are crypto economic protocols. Here's a blockchain: you have blocks, and five of those blocks are in one chain, one of those blocks is kind of off to the side in the wrong chain. And in a blockchain, you want to encourage more miners to create blocks that extend the correct chain, and you do not want to encourage people to create blocks that just go off to the side and make a different chain and confuse people. So how do we do this? With economic incentives. It's actually a bit more subtle than just talking about incentives. Bitcoin uses crypto economics to solve two problems.
The first problem is what I call the weight assignment problem, but you might also have heard about basically the same problem under the name Sybil resistance. So here's the problem. We've had these BFT algorithms for a long time. These algorithms that say you can get together 15 nodes, have them send a bunch of messages to each other, and as long as less than five of them are malicious, then the system is going to come to consensus. And if you can make assumptions about the maximum amount of time that messages will take to pass between these nodes, then instead of tolerating up to four malicious, you can tolerate up to seven malicious, and that's like even better. And it turns out that if you can allow even stronger, like really strong security assumptions, you can tolerate all the way up to 13 being malicious, but that's a topic for another day. So we've had these algorithms for a long time. And so we've had decentralized consensus. What's the problem? Like why hasn't this taken off? And the reason is ultimately that even in a system that has, say, 15 different parties, you have to have some mechanism for choosing who these 15 parties are. You could say, oh, it's like the 15 big major banks. Who here trusts at least 11 of the top 15 major banks? It could be 15 of the top world governments. Who here trusts at least 11 of the top 15 world governments? So this is a challenge, right? If you want to create a system that actually will be accepted by large constituencies around the world, then it's hard to create this set of 15 people such that everyone will agree that you can actually trust at least a lot of them. It's hard to come up with a set of actors running the system that actually is kind of credibly neutral, right? And this is the problem that proof of work and proof of stake so cleverly solve, right?
Basically what proof of work and proof of stake do is they say, well, instead of pre-selecting 15 people that will run the system, what we're going to kind of de facto do is we're going to say, anyone who publishes a certificate that kind of cryptographically proves that they've computed some large amount of mathematical work gets to join the set. So if you can solve like some extremely complicated mathematical problem and you publish a solution to this problem, ta-da, you're part of the set. Proof of stake: if you have a bunch of coins and you send those coins to the deposit contract, ta-da, you're part of the set. And so instead of pre-selecting 15 people that everyone trusts, we create this kind of open permissionless system where anyone can join and participate, but then we weight the participants by the number of economic resources that they contribute, right? So in proof of work, the weight of the impact that you have on the consensus is proportional to the amount of computing power that you're bringing to the table, and in proof of stake it's proportional to the number of coins, and both of those things take a lot of economic resources to get. The reason we can't just allow everyone to join and give them one vote is because, well, on the internet nobody knows you're a dog, and on the internet nobody knows you're a virtual machine inside of a computer with 10,000 virtual machines where that computer is run by a dog. So this is the problem that we're trying to solve, right? So economics actually does do a very good job of solving this problem of creating this set of actors, and this assignment of voting power to basically an open permissionless set of actors, that actually is very economically difficult to take over and become 51% of.
So this is what proof of work solves, and this is basically the innovation that made Bitcoin possible, the innovation that makes Ethereum possible, and proof of stake is fundamentally in the exact same spirit, except instead of burning a bunch of electricity to prove that you have economic resources you just point to the address where you deposited some coins into the contract. So this is the first problem, and the second problem is the incentive problem, right? You have a bunch of permissionless actors, and some of them might be wonderful people, and some of them might be people in some country where they can mine really cheaply, and you don't really understand what their psychology is. Some of them might be big corporations, some of them might be hobbyists, some of them might be hackers that gained access to computing resources. And these are kind of disparate groups of people, and we know very little about what motivates them. Well, what's the thing that motivates a lot of people? Economic incentives, right? Like we know that people in all of these disparate regions like money and want to gain more, and generally people that don't like money and don't want to gain more are not going to be the ones that have the economic resources to make up 51% of the network in the first place. So we can use economic incentives as a way of driving this wide, disparate group of participants to participate in the network in good ways instead of participating in the network in bad ways. So these are both use cases of crypto economics, and they're used in Bitcoin, they're used in Ethereum, they're used in basically every major public blockchain. So incentives, pretty clear: if you make a block that's part of the main chain, you get a reward, and you have to pay some electricity cost to make a block, but the reward is going to be a bit bigger than the cost. And if you make a block that's not part of the main chain, you have to pay a cost.
And so if you're making blocks, you have an incentive to continue to extend the chain that everyone else is building on. Who here understands this? Yay. So crypto economics is great because cryptography lets us prove things with very minimal assumptions about behavior, actually without assumptions about behavior. Crypto economics lets us prove things with minimal assumptions about participants: an assumption that they're motivated by economic incentives, and actually systems can work even if people are not just motivated by economic incentives. All you need to assume is an upper bound on basically how much money attackers have that they're willing to burn. And both of these assumptions are pretty ideal for decentralized, trust-minimized systems. So what are the security goals that we have in crypto economic systems, right? So first of all, we want the correct execution of the protocol to be a robust equilibrium. So you have Nash equilibria that basically say, if everyone is following the protocol, it should be in each individual participant's interest to also follow the protocol. Well, we need something that's even more robust. We want the incentive to follow the protocol honestly to be pretty substantial. And we want the equilibrium to survive even if some significant percentage of the participants start doing nasty things. Take into account games that are perturbed by third parties, like attackers making bribes, and also ideally just maximize the cost of a successful attack. So if a successful attack happens, then someone who caused the attack to happen loses a lot of money. There are different security models that you can have. So for example, you can have different kinds of assumptions about participants. You can assume participants are honest. You can assume that they're rational, but they're not coordinated.
So they want to make money, but they're not colluding with each other to make as much money as possible. You could assume they are coordinated. Do your assumptions apply to a supermajority of participants, to a majority, just to a minority? Assumptions about the network: is the network synchronous? Are messages guaranteed to get across within some very strict time bound? Is there partial synchrony? Is there complete asynchrony, where you have no idea how long messages will take to arrive? Outside influences: so if there's an attacker that's willing to offer economic rewards to participants already in the system, is there a bound on the budget, the amount they need to be willing to pay? Is there a bound on the amount that they actually have to pay if an attack happens? So one common critique of the crypto-economic approach, which focuses on incentives rather than focusing on honest majorities, is basically: what about attackers that just have this really large extra-protocol incentive, like participants that basically just want to watch the world burn? This could be a competing blockchain. This could be a government. This could be just hackers that take over and want to have some fun. So the critique here basically says, well, we're assuming that you have these participants that are motivated by economic incentives. And what if there are people that just want to break the thing, regardless of how much money is on the table if they don't break the thing? So there are two replies to this, right? One of them is that the traditional honest-majority-driven approach actually is even more unrealistic, because it assumes that the majority of the participants are kind of altruistically honest. They're honest even if they have incentives to be dishonest, which is even more unrealistic than the economic approach.
It's basically saying that more than half of this network that in order to get into, you have to put in a huge pile of money with the expectation of getting more money. More than one half of these participants are going to just voluntarily forgo opportunities to save money. And this has already been falsified, right? So for example, a couple of years ago, there was this fork that happened on the Bitcoin blockchain where miners stopped verifying blocks because they just assumed that everyone else was verifying blocks. And so one invalid block got in and a bunch of other blocks got built on top of it, and about six blocks had to get thrown out, right? And so we know for a fact that participants in these networks are willing to be lazy if they can get away with it. And the second argument here is that, well, pushing the cost of attack as high as possible matters, right? Because the higher the cost of an attack, the lower the risk that there is an attacker with enough resources, so not just incentive, you also need resources, and enough will to kind of actually attack the system actually exists. So another kind of version of this critique basically says, well, you can't assume that people don't have an incentive to break the chain because if they have an incentive to break the chain, then you can just hedge on financial markets and you can basically make money on derivatives from watching the coin price drop. And so does it really matter if two million of your ETH get burned if you make your two million ETH back by doing a short on Bitfinex? And a lot of people say this as an argument for why kind of the economic model is broken. But the problem with this is that, first of all, there is some maximum amount that you can earn by breaking the chain. Financial markets are not infinitely deep and the attacker is motivated to already have taken this maximum trade. 
If an attacker is going to try to break the chain, they're going to be motivated to make not just enough money to cover their losses, but as much money as possible to benefit from the attack. And there is some fixed number that is the amount of money that they can make. And so if the cost of attack is higher than this number, then you've won. And if the cost of attack is lower than this number, well, the lower it is, the more of a risk there is that this kind of attack actually will happen, right? And so there is a very significant benefit to increasing the cost of attack, and so increasing the amount of outside-the-system incentives you need to have in order to actually be willing to attack the chain. So for example, if you're going to attack the chain, then it's going to be fairly easy to make, say, a few thousand ETH worth of profits anonymously on decentralized markets. But if the cost of attack goes up to a million ETH, then making the corresponding amount on financial markets anonymously and getting away with it is going to be vastly harder, right? So the more you push up the requirement for how much money they need to make to offset the cost of an attack, the harder and the more unrealistic an attack becomes. So we can look at proof of work in a crypto economic context, right? So you can look at models that say the majority of the network is honest, or the majority of the network is uncoordinated, or we can talk about the amount of budget an attacker needs to have to be able to make an attack, or we can talk about the cost of an attack if it succeeds. And then we can also talk about different assumptions about network synchrony. So do messages arrive immediately? Do they arrive after one minute? Do they arrive after 10 minutes? So the first column is just the usual 51% argument.
And the longer the network latency, the more the percentage goes up, because the honest network sometimes accidentally makes stale blocks. The second column, uncoordinated: the reason why that column looks much harsher is because you have selfish mining. And the cost of an attack is zero because, well, if you make an attack and you succeed, then sure, you have to grind a bunch and pay for a bunch of electricity to create the attacking blocks, which is what the budget is. But you get paid a block reward for all of the blocks that you make. And so actually the total cost of the attack, after you factor in the rewards, becomes either zero or negative. So we can look at different consensus algorithms in this way. And proof of stake is actually in large part about trying to take this chart and improve on it. One important concept in crypto economics is this distinction between attributable, or uniquely attributable, faults and not uniquely attributable faults. So a not uniquely attributable fault is a fault where you know that some mistake happened, but you have no idea who was responsible. So for example, if you have a blockchain and you have two different forks, then one of the two sides here is responsible, right? One of the two sides here built on top of an old block instead of building on top of a newer block. But you don't know which one. You don't know whether the top chain came first or whether the bottom chain came first. Like some people might know if they're watching the network closely, but there's no way of proving who did what first cryptographically. And so the fault here is not uniquely attributable. And the problem with not uniquely attributable faults is that there's a limit to how much you can penalize them, because if you penalize not uniquely attributable faults too much, then there's a risk that innocent people will get caught, and so you're making the system much less attractive to participate in.
Uniquely attributable faults are faults where, if some actor misbehaves, it can be unambiguously shown that it was their fault. So if some protocol requires you to shout the result of a calculation and someone shouts "two plus two equals five", then that's something that you can point to and say, look, this guy over here, and clearly it's definitely this guy over here who made a mistake and published a false statement, and you can give them a pretty large in-protocol penalty. So this gets us to the goals of Proof of Stake. So in Proof of Stake, validators have to make deposits. They have to put their ETH into a smart contract in order to participate. And the reason why those coins have to be locked up is so that if validators make uniquely attributable faults, if validators do wrong things that can be identified as specifically them doing wrong things, then you can have in-protocol penalties touch these deposits and take away the deposits. And this is what leads to an extremely high cost of attacking Proof of Stake that you just do not get in a Proof of Work system. So finality: a block is finalized basically if validators make a series of messages supporting a block in such a way that, in order to also finalize a competing block, at least one third of validators would have to publicly contradict themselves. So the naive way to think about it is: for a block to be finalized, two thirds of people have to vote for it, and so for a competing block to be finalized, two thirds of people would also have to vote for the competing block, and so one third of validators would have to contradict themselves, and if a validator contradicts themselves, you can take the evidence of that and use it to penalize them. In reality, it's more complex than one round of voting. It's at least two rounds of voting, using this clever algorithm called Casper FFG.
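The "one third must contradict themselves" argument above, worked through in code. This is an added toy model written for this page, not the talk's own material and not Casper FFG's reference implementation; it assumes string validator names with integer stakes, votes of the form (source height, target height, target id), a 2/3-of-stake threshold for justification, finalization when a justified checkpoint's direct child is justified from it, and the two Casper FFG slashing conditions (two votes with the same target height, or one vote surrounding another). All validators, stakes and checkpoint labels are constructed sample data.

```python
"""Accountable finality, toy version (added example, not the talk's code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Vote:
    validator: str
    source_h: int   # height of the (already justified) source checkpoint
    target_h: int   # height of the target checkpoint
    target: str     # target checkpoint id (hypothetical label)


def is_slashable(a: Vote, b: Vote) -> bool:
    """Casper FFG slashing conditions for one validator's pair of votes:
    (1) double vote: two distinct votes with the same target height;
    (2) surround vote: one vote's (source, target) span strictly contains the other's."""
    if a.validator != b.validator or a == b:
        return False
    double_vote = a.target_h == b.target_h
    surround = (a.source_h < b.source_h and b.target_h < a.target_h) or \
               (b.source_h < a.source_h and a.target_h < b.target_h)
    return double_vote or surround


def slashed_validators(votes: Iterable[Vote]) -> Set[str]:
    """Validators for whom the vote set contains at least one slashable pair.
    Each offending pair is a self-contained, uniquely attributable proof."""
    vs: List[Vote] = list(votes)
    return {vs[i].validator
            for i in range(len(vs)) for j in range(i + 1, len(vs))
            if is_slashable(vs[i], vs[j])}


def link_stake(votes: Iterable[Vote], stake: Dict[str, int],
               source_h: int, target_h: int, target: str) -> int:
    """Stake behind one (source -> target) link, counting each validator once."""
    voters = {v.validator for v in votes
              if (v.source_h, v.target_h, v.target) == (source_h, target_h, target)}
    return sum(stake[v] for v in voters)


def is_justified(votes, stake, source_h, target_h, target) -> bool:
    """A link is justified when >= 2/3 of total stake voted for it (integer arithmetic)."""
    return 3 * link_stake(votes, stake, source_h, target_h, target) >= 2 * sum(stake.values())


def is_finalized(votes, stake, source_h, target_h, target, child_h, child) -> bool:
    """Two-round rule: a justified checkpoint whose direct child is justified from it."""
    return (child_h == target_h + 1
            and is_justified(votes, stake, source_h, target_h, target)
            and is_justified(votes, stake, target_h, child_h, child))


def slashed_stake(votes, stake) -> int:
    return sum(stake[v] for v in slashed_validators(votes))


# Constructed sample: four validators, 25 units each (total 100).
STAKE = {"v1": 25, "v2": 25, "v3": 25, "v4": 25}
# Round 1: everyone justifies A (height 1) from genesis (height 0).
# Round 2: everyone votes A -> B (height 2), which finalizes A.
HONEST_VOTES = [Vote(v, 0, 1, "A") for v in STAKE] + [Vote(v, 1, 2, "B") for v in STAKE]
# Attack: three validators also vote for a competing checkpoint B2 at height 2,
# which is enough stake (75 >= 67) to justify B2 as well.
CONFLICTING_VOTES = [Vote(v, 1, 2, "B2") for v in ("v1", "v2", "v3")]
ALL_VOTES = HONEST_VOTES + CONFLICTING_VOTES

if __name__ == "__main__":
    print("A finalized:", is_finalized(HONEST_VOTES, STAKE, 0, 1, "A", 2, "B"))
    print("B2 also justified:", is_justified(ALL_VOTES, STAKE, 1, 2, "B2"))
    print("slashable:", sorted(slashed_validators(ALL_VOTES)),
          "stake:", slashed_stake(ALL_VOTES, STAKE), "of", sum(STAKE.values()))
```

Because two links at the same height each need 2/3 of the stake, any two justified competitors overlap in at least 1/3 of the stake, and every validator in that overlap has produced a double vote that anyone can submit as evidence. That is what turns the fork from a non-attributable fault into a uniquely attributable one with a large, enforceable penalty.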
I encourage people to learn more about Casper FFG by reading the paper on arXiv. Yay. So Proof of Stake is all about crypto economics at the core. Proof of Work is all about crypto economics at the core. There are a lot of other things that are also about crypto economics at the core. One interesting thing is that crypto economics can sometimes compete with cryptography, right? So one useful example to think about is interactive computation. So interactive computation is this scalability primitive that basically is trying to allow blockchains to learn the results of complex computations without actually doing the entire computation on a blockchain. So for example, suppose you have some function Y equals F of X, and it turns out that F can be decomposed into this format where you start with X, then you apply F1, then you apply F2, then you apply F3, blah blah, then you apply F99, and then you apply F100, and basically you have a small value and you go through a series of small values and you get Y at the end. So here is a protocol for how the blockchain can learn the result of this computation without executing all of it on chain. So you set the problem: you say here is F, here is X, we want to learn Y, then you have a smart contract that contains some reward. And the smart contract implements this protocol. Anyone has the ability to submit a sequence of values, basically X1, X2, X3, so all of the intermediate steps of the computation, and you can have the individual steps have quite a bit of computation in them, right? Each individual step just has to be small enough that you can execute it inside of a block. So the proposer submits a sequence of values, X1, X2, X3, all the way up to X100, along with a deposit. So this is step one. Step two, you wait, right? And there's a challenge period.
So suppose, as a simple example, that the problem we're going to make the blockchain solve is to calculate two to the power of 10. And suppose we live in a universe where multiplying by two is really hard, and so you can only multiply by two once inside of a block. So how do you do interactive computation to compute two to the power of 10? Basically, you would have to submit all the intermediate values, right? You would submit these 10 intermediate values, you would submit one, two, four, eight, 16, blah, blah, and you would submit these values and then you would have this challenge period. And in this challenge period, basically anyone has the ability to point to one particular value and say, wait, this value actually isn't two times the value before. So in this case, suppose we have this evil smiley face guy, and the evil smiley face guy is just really, really tired of this stupid idea that a kilobyte is 1,024 bytes instead of being 1,000 bytes. And so this guy wants to solve the problem by convincing the world that two to the power of 10 is not 1,024, it's actually 1,000. And the evil smiley face guy is going to do this by submitting these 10 values, right? These are the powers of two. One, two, four, eight, 16, 32, 64, 128, 250, 500, 1,000. They're the powers of two. Each one is twice the other. The thing at the end is 1,000. What's the big deal? So within this challenge period, a challenger can say, hmm, someone is wrong on the blockchain. I disagree with that 250 there. I think 128 times two is 256. And the challenger can submit a transaction that points to this index. And when that happens, the calculation actually runs on the blockchain. That particular multiplication by two, 128 times two, is run on the blockchain. And the blockchain is like, wait, the actual answer is 256 and this guy submitted 250. So this guy's wrong.
And so the original submitter's deposit gets destroyed, and part of the deposit is given to the challenger as a reward. So this is a crypto economic protocol, right? Because the ability of this protocol to work relies on incentives. It relies on the penalty that the submitter gets if they submit a set of values where one of those values is wrong. And it also relies on this reward that the challenger can get if they detect that one of these values is wrong and they send a transaction that shows the blockchain which step is wrong, allows it to be verified, and allows the submission to get rejected. Now, this crypto economic protocol basically is in some ways the core of how optimistic rollup works, right? So if anyone has seen an optimistic rollup like the Unipig exchange thing that's been floating around recently, this is the fundamental crypto economic math that that protocol works on, basically how it allows scalability to happen by just doing computation off-chain by default unless someone complains about some particular transaction in some particular block being incorrect. So notice that interactive computation does the same thing as ZK-SNARKs, right? ZK-SNARKs are about doing computation off-chain, making a proof on-chain and allowing everyone else to just verify the proof instead of running the entire computation themselves. Interactive computation does the same thing. A few people run the computation off-chain, and they run the crypto economic interactive protocol, and the fact that this crypto economic interactive protocol happened in the clear on-chain and everyone saw it happening can convince people that the result of the computation is correct without them having to run the entire computation themselves, and this is the schism between ZK rollup versus optimistic rollup. Which is better? Well, they have different advantages, right? So SNARKs do not require a challenge period.
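The challenge game from the two-to-the-tenth example, as a runnable simulation. This is an added example written for this page, not code from the talk or from any rollup project; it assumes a proposer who posts the full trace of intermediate values plus a deposit, a contract that re-executes exactly one step when challenged and otherwise accepts the claim after a challenge period measured in abstract blocks, and that half of a slashed deposit goes to the challenger with the rest burned. Names, amounts and the step function are constructed, and the bogus-challenge case (a challenge against a correct step) is simply a no-op here, whereas a production system would also bond the challenger.

```python
"""Interactive computation / fraud-proof game, toy version (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Claim:
    trace: List[int]        # x0 .. xn as posted by the proposer
    proposer: str
    deposit: int
    posted_at: int
    status: str = "pending"  # pending | accepted | rejected


class InteractiveComputation:
    """Contract-side logic: store claims, run ONE step on challenge, settle deposits."""

    def __init__(self, step: Callable[[int], int], x0: int, n_steps: int,
                 challenge_period: int):
        self.step = step                    # the expensive per-block step F_i (assumed identical here)
        self.x0 = x0
        self.n_steps = n_steps
        self.challenge_period = challenge_period
        self.claims: List[Claim] = []
        self.balances: Dict[str, int] = {}  # constructed ETH-like units

    def submit(self, trace: List[int], proposer: str, deposit: int, now: int) -> int:
        # Only cheap checks run on submission; no step of F is executed here.
        if len(trace) != self.n_steps + 1 or trace[0] != self.x0:
            raise ValueError("malformed trace")
        self.balances[proposer] = self.balances.get(proposer, 0) - deposit
        self.claims.append(Claim(trace, proposer, deposit, now))
        return len(self.claims) - 1

    def challenge(self, claim_id: int, index: int, challenger: str, now: int) -> bool:
        """Challenger asserts trace[index] != step(trace[index-1]); the contract
        settles it by executing that single step. Returns True if the claim was killed."""
        c = self.claims[claim_id]
        if c.status != "pending" or now > c.posted_at + self.challenge_period:
            return False                      # window closed or already settled
        if not 1 <= index <= self.n_steps:
            return False
        if self.step(c.trace[index - 1]) == c.trace[index]:
            return False                      # bogus challenge: step was correct, no effect
        c.status = "rejected"
        # Half the deposit rewards the challenger; the other half is burned so a
        # proposer cannot profitably "challenge" their own bad claim.
        self.balances[challenger] = self.balances.get(challenger, 0) + c.deposit // 2
        return True

    def finalize(self, claim_id: int, now: int) -> Optional[int]:
        """After an unchallenged window the result is accepted and the deposit returned."""
        c = self.claims[claim_id]
        if c.status == "pending" and now > c.posted_at + self.challenge_period:
            c.status = "accepted"
            self.balances[c.proposer] = self.balances.get(c.proposer, 0) + c.deposit
        return c.trace[-1] if c.status == "accepted" else None


def find_bad_step(trace: List[int], step: Callable[[int], int]) -> Optional[int]:
    """What a challenger runs off-chain: full re-execution, first wrong index or None."""
    for i in range(1, len(trace)):
        if step(trace[i - 1]) != trace[i]:
            return i
    return None


def demo() -> dict:
    double = lambda v: 2 * v                  # the "hard" multiply-by-two step
    ic = InteractiveComputation(double, x0=1, n_steps=10, challenge_period=50)
    honest = [2 ** i for i in range(11)]      # 1, 2, 4, ..., 1024
    evil = [1, 2, 4, 8, 16, 32, 64, 128, 250, 500, 1000]   # the talk's bad trace
    cid_h = ic.submit(honest, "alice", 100, now=0)
    cid_e = ic.submit(evil, "evil", 100, now=0)
    bad = find_bad_step(evil, double)         # index 8: 128*2 != 250
    return {
        "bad_index": bad,
        "challenge_ok": ic.challenge(cid_e, bad, "bob", now=10),
        "bogus_challenge": ic.challenge(cid_h, 3, "bob", now=10),
        "honest_result": ic.finalize(cid_h, now=60),
        "evil_result": ic.finalize(cid_e, now=60),
        "balances": dict(ic.balances),
    }


if __name__ == "__main__":
    print(demo())
```

The on-chain cost is one step of F per dispute regardless of how long the trace is, which is the whole point; the security, though, is economic: it holds only while at least one party is watching during the window and the challenger reward exceeds the gas to file the challenge.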
So with a SNARK you can know the answer immediately, whereas with an optimistic or interactive computation game you have to wait for some period of time to make sure that nobody challenged the computation. SNARKs are less efficient. So zero knowledge proofs have a very high computational overhead, and with general purpose virtual machine execution the overhead goes way higher. Optimistic computation does not have this problem, and interactive computation is also easier to implement. So if you do not want to have a challenge period, if you do not want to have this fraud proof dependency, then SNARKs are better, but otherwise, especially in the short term and especially for more complicated general purpose applications, you can also look at this optimistic approach. So crypto economics is used in Ethereum land for lots of things. It protects the base layer of the protocols that we all know and love. It protects our light clients. It protects the security of our glorious and sacred layer two games: Plasma, channels, optimistic rollup, TrueBit. It can be used for DoS resistance to improve the security of off-chain messaging protocols, and so much more. So this really is the bedrock of what large parts of our ecosystem are based on, and by planting the seed in 2009 Satoshi created a really interesting and great thing, and now we're here building great things on top of it. Thank you.