 Welcome to lecture 4, where we'll talk about how we store and use bitcoins in practice. In section 4.1, we'll talk about the simplest way of storing bitcoins, and that is simply putting them on a local device. Now, just to review, in order to spend a bitcoin, you need to know two kinds of things. First of all, you need to know some information that's stored on the public blockchain. You need to know what the identity of the coin is and how much it's worth, for example. And along with that, you also need to know the secret key of the owner of the bitcoin, presumably that's you. Now if you think about it, the first piece of information, being on the public blockchain, you don't need to worry too much about how to store it because you can always get it back when you need it. But the secret signing key is the thing that you'd better keep track of. So in practice, when we talk about how you store your bitcoins, what we're really talking about is how you store and manage your keys. And that's going to be the main topic when we talk about how to store bitcoins. So really, this lecture, which we titled How to Store and Use Bitcoins, might as well be called How to Store and Use Secret Keys, because that's really what it's about. Okay, now, when figuring out how we're going to store and manage our keys, there are three goals that we have in mind. The first goal is availability. You want to be sure that you can actually spend your coins when you want to. The second goal is security, and that is that nobody else can spend your coins. If someone gets the power to spend your coins, they could just send your coins to themselves and then you don't have the coins anymore. And the third goal is convenience, just that whatever you do, it's relatively easy to use. 
Okay, so the simplest approach to managing your keys, what to do with them, is just to take the key and store it in a file and put that file on your own local device, on your computer, on your phone, or on some other kind of gadget that you carry, own, or control. And evaluating that method against our three goals, well, for convenience it's great. Really, nothing could be better than to have, say, an app on your phone where you can push a button or swipe something and spend your bitcoins. So for convenience it wins, but when it comes to availability and security, storing things on a local device in a simple way is not such a great idea. And the reason is, first, when you get to availability, that your key, your coins, are no more available than your device. That means if you lose the device, if the device crashes and you have to wipe the disk, if your file gets corrupted or something like that, you're out of luck. The key is lost, therefore your coins are lost. Similarly for security, your keys, therefore your coins, are just as secure as your device. If somebody managed to break into your device to compromise it, if they can put malware on your device, a virus or something like that, then they can get the key, leak the key to themselves, and they can then send all of your coins to themselves. So although storing things locally is very convenient and very simple, it really isn't up to the task for availability and security. And the way to think about this is this is a lot like carrying around money in your wallet or your purse or in your pocket. It's useful to have some spending money, but you don't want to carry around your life savings because you worry that you might lose it or that somebody might steal it. And so what you typically do is store a little bit of information, a little bit of money in your wallet, and keep most of your money somewhere else.
Now in order to do all of this, we typically, if we're going to follow the local storage approach, we typically use wallet software. And that's just software that manages all the details of keys and makes things convenient. It keeps track of your coins, it gives you a nice user interface. If you want to send $4.25 worth of bitcoins to your local Starbucks, the wallet software will give you some easy way to do that. And by the way, if you're using wallet software, once you're using software to manage keys and such, it's a nice trick, it's a useful trick to use a whole bunch of different addresses, a whole bunch of different keys. So rather than taking all of your coins and paying them to one address and controlling them with one key, you can have a separate address, a separate bitcoin address, and a separate key for each coin. That keeps things separated so that you get a maximum degree of anonymity or privacy, and you don't need, as an individual, to worry about the management of all these different keys and addresses. Your wallet software takes care of it for you and just gives you a very simple interface that says how much is in the wallet and lets you spend it. The wallet software figures out all the details of which keys need to be used and how to generate new addresses and all of that stuff. So one thing you need to do if you're going to be able to receive bitcoins in payment into your wallet or spend them to somebody else is you need to have a way of exchanging an address with somebody. So you can give them an address or receive an address so that payments can happen. And there are two main ways that addresses are encoded or conveyed in this way. The first one is as a text string and the second is as a QR code. So as a text string what we do is we take the bits of the key and we encode it as a number in base 58 notation. And then we use these 58 characters to encode the digits in our base 58 notation. 
So what this is basically is it's all of the digits and capital letters and small letters except that they've taken out a few that might be confusing or might look like each other. For example, capital O and 0 are both taken out because they look too much alike. But other than that most of the characters are here and you can encode first in base 58 notation and then using this alphabet. The second method for encoding a Bitcoin address is as a QR code. Something like this, this is a simple 2D bar code. And you can do something like point your phone at this, take a picture and your phone can scan it and recover the bits of the address. And so this is the sort of thing you might use, for example, in a store or if you want to have a phone to phone communication. My phone might display a barcode like this which is my address on it and your phone might take a picture of it in order to get the address. So this down here actually is an active address and if you'd like to give me some Bitcoins, feel free to do so.
In segment 4.2, we'll talk about hot storage and cold storage. Recall that in 4.1 we talked about how to store Bitcoins on your local computer, the equivalent of carrying money around in your wallet or your pocket. Now, the idea of hot and cold storage is that you're going to have some storage which is hot or online, as on your phone or in your local computer. And as we covered before, storing Bitcoins in that way is convenient, but it's also somewhat risky. You keep some money in hot storage and you keep some money in cold storage. Cold storage is offline, it's locked away somewhere, it's not connected to the internet. And it's archival, it's more secure, it's safer, but of course it's not as convenient. So this is similar to how you carry some money around on your person, but you don't keep your life savings on your person, you put that somewhere safer.
And so when we're using this strategy of hot and cold storage, we're going to have separate keys and separate addresses for the coins that are stored either on the hot side or the cold side. And so the main topic of discussion here, the main thing we need to go over is how you move coins back and forth between the hot and cold sides and what the relationship is between the sides. Okay, so obviously you're going to have to have separate secret keys to control the coins on the hot side and the cold side. The whole point of cold storage is that the coins that are in cold storage are not vulnerable to attack or loss if the hot storage is compromised. And so you need to have separate private keys for hot versus cold storage. And of course, each side needs to know the addresses that the other side is using because you want to be able to transfer money back and forth between the different sides, between the hot side and the cold side. And so each side knows its own secret keys and it also knows the addresses at which the other side will accept transfers. And that lets you do transfers back and forth. Now in practice, of course, the cold storage is not online. And so the hot storage and the cold storage won't be able to connect to each other across any network. So you can think of the cold storage as being locked up somewhere, while the hot storage is operating. Now the good news here is that even if the cold storage is offline and not connected to anything, the hot storage still knows the addresses at which the cold storage is willing to accept coins. And that means that the hot storage can send coins across to the cold storage even while the cold storage is offline. And that's very nice that any time if the amount of money in your wallet, in your hot wallet becomes uncomfortably large, you can just transfer a chunk of it over into cold storage. You don't need to put your cold storage at risk by connecting it, in order to receive that money on the cold side. 
Next time the cold storage connects, it will be able to receive from the blockchain information about those transfers to it. And then the cold storage will be able to do what it wants with those coins. Okay, but now we have a little bit of a problem if you think about it, which is how we manage these addresses. On the one hand, as I said in segment 4.1, we want for privacy reasons and for other reasons to be able to receive each coin at a separate address and to be able to manage the different secret keys that are used at that address. And so whenever we transfer a coin from the hot side to the cold side, we'd like to use a fresh cold address for that purpose. But because the cold side is not online, we have to have some way for the hot side to find out about those addresses. And that's the problem that we need to solve. Now there's a kind of awkward solution to this, which would work, but we'd prefer not to use. And that is this, that we have the cold side generate a big batch of addresses all at once, we transfer those addresses over to the hot side, and then we use them up one by one. And the drawback of that is that we're periodically going to have to reconnect the cold side in order to transfer more addresses. And we might worry that while we're out and about spending our bitcoins in the night on the town that the hot wallet will run out of these addresses and that could be a problem. So that's an awkward solution generating them in batches. What's a better solution, a more effective solution is to use a hierarchical wallet, but that requires a little bit of cryptographic trickery. So let me explain the trick behind hierarchical wallets. So just to review, previously when we talked about key generation, when we talked about digital signatures back in lecture one, we talked about an API operation called Generate Keys, which generates a public key and a secret key. 
The public key in a Bitcoin context corresponds to the Bitcoin address that can receive coins, and the private key, we still call a private key, and that's the key that allows us to spend or control the coins that are sent to the corresponding address. So this is how things normally would work if we generated keys in the standard way. But with hierarchical key generation, we do things a little bit differently. Rather than just doing generate keys, we do a hierarchical key generation operation. And this generates two things. It generates rather than an address, it generates what we'll call address generation info. And rather than generating private key, it generates what we'll call private key generation info. And now we can take this information and generate multiple keys. For example, given the address generation info, we can apply a gen address operation and give it the address generation info and some integer i. And that will generate the i-th address in a whole series of addresses. And we can do this for any integer i, any integer i we can generate the i-th address in the sequence given only that integer and the address generation info. Similarly, on the private key side, we can take this private key generating info and use it to generate a key, again using any integer i. And what we get is the i-th key in the sequence, right? Now what makes this useful is that it has two important properties. First, that the i-th address and the i-th key match up and correspond to each other just as if they were generated the old fashioned way. And what I mean by that is that a coin that's transferred to the i-th address will be spendable and controllable by somebody who knows the i-th key. So these behave just like a regular address and a regular key. The other thing that's important is that we have a security property. And the security property is this, that the address generation info doesn't leak keys. That is, it doesn't leak any information about what the keys might be. 
And that means that it's safe to give the address generation info to anybody and so that anybody can be enabled to generate the i-th key. Now, not all digital signature schemes that exist can be modified in a way like this to support hierarchical key generation. Some can and some can't. But the good news is that the digital signature scheme used by Bitcoin, which is called ECDSA, does support hierarchical key generation and so we can do this trick. And the reason this is useful for hot and cold storage is that we can take this operation and split it up between the hot side and cold side of our storage, like this. Everything that has a blue background here is done on the cold side and everything that has a red background is done on the hot side. And so what we do is at the very beginning, on the cold side, we do the generate keys hierarchical operation. We then take the private key generation info that that makes and keep it on the cold side and we take the address generation info that that makes and pass it across to the hot side. Then, once we've done that, the hot side can generate the entire sequence of addresses on its own without needing any further communication with the cold side. We can generate an arbitrarily long string of addresses or at least long enough that we'd never have to worry about running out. And on the private side, we can generate the corresponding keys again without needing to communicate. We can generate that later. So if we do things this way, there's only one passage of information from the cold side to the hot side about keys and addresses. That happens once at the very beginning of the situation. And once that's done, then no further connection is required. 
And so this lets us use separate keys and separate addresses for every coin that's passed across to the cold side but without requiring a lot of back-and-forth communication and critically for security without requiring the cold side to connect to the net or pass information out in any way, except once at the beginning. Okay, so with that in place, we can talk about the different ways in which cold information can be stored. I said earlier that information on the cold side, whether it's a key or key generation info or something else, is stored offline. But let's get more specific about exactly how it is stored. The first way we can store it is to store the information in some kind of a device and just put that device in a safe. It might be a laptop computer, it might be a mobile phone or tablet, or it might just be a thumb drive. But whatever it is, we store the information on that device, we turn the device off, we lock the device up. And now obviously if somebody wants to steal this, they have to get into our locked storage and get that device away from us. The second method we can use is called a brain wallet. And in a brain wallet, what we're doing is we are taking the information that we wanna protect and we're encrypting it under some kind of passphrase or password that a user remembers. Then in order to get the information back later, we're going to ask the user to give us the passphrase and then we'll be able to decrypt. If we do this, and if the crypto is done correctly, and if the user picked a good passphrase, then the security of this will be as good as the security of the passphrase. And as long as the user isn't tricked or coerced into giving up the passphrase, and as long as the adversary can't guess the passphrase, then our data is going to be secure. But this of course is subject to the same kind of attacks that passwords typically are. The third thing we can do to protect information offline is what's called a paper wallet. 
We can take the information and we can print it out onto paper and then we can put that paper in some safe or secure place. We can lock it in a safe deposit box or something like that. Now, the benefit of doing that obviously is that again, just like with a device, the security of this is just as good as the physical security of the paper that we're using. This is a Bitcoin paper wallet. They come in different shapes and sizes, but this is one example. What you see over here is the public address, the address of this wallet. And this is shown in two ways. First as a 2D barcode as a QR code. And then second down here, you see it as a character string in the base 58 notation. Now, originally this side over here was sealed because it has the private key within it and you don't wanna give away the private key too easily. We can open this up. Originally we would have broken a seal and we have this stuff here that's designed to frustrate scanners and people looking through and so on. And eventually we open it up and we see over here this which is a 2D barcode which contains the private key that controls access to this wallet. Now, this particular wallet doesn't have any coins in it. I wouldn't be showing you the private key if it had any coins of mine in it. But this is the experience that you would have. And this is a thing that you can hand out to someone. And in fact this was handed out at a conference as an example. So this shows how you can take a Bitcoin wallet and encode it as a paper artifact. You could take this thing, I could seal it up, put it in an envelope and put it in a safe deposit box and it would be relatively safe there. The fourth way that we can store offline information is to put it in some kind of tamper proof device, some sort of device that resists tampering. The idea is that we either put the key into the device or the device generates the key and then the device is designed so that there's no way it will output or divulge the key. 
The device might sign a statement with the key when we say press a button or give it some kind of password but the device is designed so that it doesn't give out the key. And the advantage of that is that again, the security of the key is we hope as good as the security of the device. And in particular, if we lose the device or if it's stolen, we'll know it. Unlike the theft of information about a key where we might not know that someone has learned our key, if the key is built into a device and the device can never divulge the key, then if someone has stolen the key, they will necessarily have stolen the device and we'll know that the device is missing. So this has some advantages as well. Now in general, people may use a combination of all four of these methods in order to secure their keys. For hot storage, and especially for hot storage holding large amounts of bitcoins, people are willing to work pretty hard and come up with novel security schemes in order to protect them. And we'll talk a little bit about one of those more advanced schemes in the next segment.
In segment 4.3, we'll talk about how to share and split keys. Up to now, we've talked about different ways of storing and managing the secret keys that control bitcoins but we've always put a key in a single place, whether that's locked in a safe or in software or on paper, it's in one place. And storing the key in one place leaves us with a single point of failure so that if something goes wrong with that single storage place, then we're in trouble. So here, what we'd like to do now is be able to take a key and split it up into pieces and share those pieces around so that we avoid the single point of failure problem. And so we're gonna introduce a cryptographic trick called secret sharing. The idea is we're gonna take some secret, in our case a secret key, and we're gonna divide it up into some number n of pieces.
And we're gonna do that in such a way that if we're given any k of those pieces, then we'll be able to reconstruct the original secret. But if we're given fewer than k pieces, then we won't be able to learn anything about the original secret. So for example, we might have n equals two and k equals two. That means we're dividing the secret into two pieces and you need both pieces to put them together. And a specific way of getting n equals two, k equals two secret sharing like this is as illustrated here. That first we're gonna generate a number p, which is a large prime number, it doesn't need to be secret or anything, just really big. S is gonna be the secret and the secret has to be between zero and p minus one inclusive. And then we're gonna generate a random value r secretly, which is also within the range of between zero and p minus one. And now we're gonna split our secret into two pieces, x one and x two. Piece x one is gonna be s plus r modulo p. And remember that modulo is the operation that's sometimes written with the percent sign in programming languages. It just means take this value s plus r and divide it by p and keep the remainder when we do that division. That's s plus r modulo p. So that'll be x one, our first share. And the other share x two is gonna be s plus two r modulo p. Okay, and now if we have both of these shares, x one and x two, we can combine them to reconstruct the secret s. What we do is we compute two times x one minus x two modulo p. So two times x one is two s plus two r and x two, which we're subtracting off is s plus two r. And so we have two s minus s, that leaves us with an s. We have two r minus two r. And so the two r's cancel out and we're left just with s mod p, which is equal to s because s is less than p. And so we can reconstruct the secret in this way. So given two shares, we can reconstruct. But given only one of the shares, it turns out we don't learn anything. And to see why that is, consider x one. 
We took s, which is the secret, but we added to it a random number, which could take on any value between zero and p minus one with equal likelihood. And if you think about it, you can convince yourself that the result then of s plus r modulo p is equally likely to take on any value between zero and p minus one. And that's true regardless of what s was. And so this share by itself just looks like a purely random number and doesn't convey anything about what the value of s might have been. Similarly, this share by itself is also equally likely to take on any value between zero and p minus one and therefore doesn't convey any information about s. So that's n equals two, k equals two. Given both shares, we can get back the secret. Given one share, we can't. Okay, now in general, we can talk about how to get higher values of n and k. For example, let's talk about how to get higher values of n where k equals two. That is, we're going to want to require two shares to be put together to reconstruct the secret, but we're gonna make more than two shares that are eligible for use in this way. And so the way we'll do that is to draw our x standard, x and y axis here, and we're gonna add a point here at zero comma s where s is the secret. And so obviously if somebody can learn what this point is, then they will have reconstructed the secret. Okay, now we're gonna draw a line and we're gonna draw a line that has a random slope r. R is gonna be generated randomly and so we get a line like this. And now we can give out shares. The first share is this point here at x equals one and y is s plus r. The second share is here at x equals two and y turns out to be s plus two r. The third share is here, x equals three and y is s plus three r and so on. We can go as far up this line as we want and generate as many shares as we want. Okay, now, if you think about it, you can convince yourself that given any two points, you can interpolate and find s, right? That's a property of a line. 
Given any two points on a line, you can interpolate the line. Imagine setting down a ruler that exactly touches, say these two points and then you can just draw a straight line along that ruler. So given any two points, you can reconstruct what this line is. You can see where the line crosses the y axis. That will be zero comma s and that will give you back the secret. But given just one point, you don't really know anything because if you have, say, this point, well, the line might be sloped like this but equally likely it might be sloped like this. It could be sloped any way at all and so given just this point, you don't really know anything about where this line might cross the y axis so you don't know anything about s. And in fact, you can prove that if you do this arithmetic, modulo a large prime p like we did before in the previous slide, that in fact you can prove that any two points are sufficient to interpolate and find s and fewer than two points don't tell you anything about s. And so this gives us n equals any value and k equals two. All right, but now what if we wanted to require more than two points? Well, for two points we drew a line because any two points are sufficient to uniquely specify a line. If we wanna require three points, what we're going to do is use a quadratic function because any three points are sufficient to reconstruct a quadratic function. And so we can use this table to understand what's going on. So if we use the equation s plus rx mod p with the random parameter r, that's the slope that we saw in the previous slide, then you need two points to recover the s because you need two points to interpolate a line. If on the other hand, if then you use a quadratic, that is s plus some random value r one times x plus some other random value r two times x squared, then there are two random parameters r one and r two. And with any three points, you can uniquely interpolate a quadratic and get back s. And we can just go up the ladder here. 
If we use a cubic function, there are three random parameters, we need four points. And in any case, you can generate as many points as you want on the line or the quadratic or the cubic. And therefore you can get any value of n and you see how you can get any value of k by just going to higher and higher order polynomials. And so this scheme will let you take any secret and split it into n shares, such that k shares or more are needed to reconstruct. And that turns out to be a really useful thing because now you can take a secret key or other secret information and split it up in this way. This supports k out of n splitting for any k and n. So let's talk about the good and bad that we get out of this process. The good part is that we can store the shares separately and the adversary needs to be able to recover k shares in order to get back what the secret was. And that's good news, right? That means that if we use, say, k equals three, n equals four, the adversary needs to break into three separate places. And if we're clever about storing those separate shares in places that are far apart and independently secured, then we can make the adversary's job much more difficult. And indeed, if we notice that the adversary has compromised one of those places, we can then race out and try to recover the other shares and address the problem. The other thing that's good about this is that we can afford to lose some of the shares. If we do three out of four secret splitting, then we can lose one share and we'll still have three left. And so we can put those three remaining ones together and still get back the key. So even though we're spreading out the information and there are more places where information might be lost, we can also tolerate the loss of some of those. In general, we can tolerate the loss of n minus k of them. Now that's the good news.
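The k-out-of-n splitting described above, as an added example that is not part of the lecture: shares are points at x = 1..n on a random polynomial of degree k-1 modulo p whose value at x = 0 is the secret, and reconstruction interpolates back to x = 0. The prime 2^521 - 1 and the function names `split` and `combine` are choices made for this sketch.

```python
import secrets

# A public prime larger than any 256-bit secret key (2**521 - 1 is a Mersenne prime).
P = 2**521 - 1


def split(secret, k, n, p=P):
    """Split `secret` into n shares so that any k of them reconstruct it.

    The polynomial is s + r1*x + r2*x^2 + ... + r_{k-1}*x^{k-1} mod p,
    with the r's drawn uniformly at random, exactly as in the lecture's table.
    """
    if not 0 <= secret < p:
        raise ValueError("secret must lie between 0 and p-1")
    if not 1 <= k <= n < p:
        raise ValueError("need 1 <= k <= n < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):      # Horner evaluation mod p
            acc = (acc * x + c) % p
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def combine(shares, p=P):
    """Lagrange-interpolate the polynomial at x = 0 from (x, y) shares.

    The caller must supply at least k shares; with fewer, the result is an
    unrelated value and nothing about the secret is learned.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % p           # (0 - x_m)
                den = den * (xj - xm) % p       # (x_j - x_m)
        secret = (secret + yj * num * pow(den, -1, p)) % p
    return secret


if __name__ == "__main__":
    key = secrets.randbelow(2**256)             # constructed stand-in for a secret key
    shares = split(key, k=3, n=4)
    print("any 3 of 4:", combine(shares[1:]) == key)
    print("after losing share 1 and 3:", combine([shares[1], shares[3], shares[0]]) == key)

    # The lecture's n = 2, k = 2 case: x1 = s + r, x2 = s + 2r, s = 2*x1 - x2 mod p.
    (_, x1), (_, x2) = split(key, k=2, n=2)
    print("2*x1 - x2 mod p:", (2 * x1 - x2) % P == key)
```
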
The bad news is that if we take a key and we split it up in this way, and we then want to go back and use the key to sign something, we still need to bring the shares together and recalculate the initial secret in order to be able to sign with that key. And that point where we bring all the shares together and recombine them is still a single point of vulnerability where an adversary might be able to attack us. And that's the bad news. So although this is useful, it's not a panacea. And there's something else that we'd like, which is the ability to generate separate shares and use those shares separately in order to sign. And that's what's behind the concept of multisig that we saw earlier in lecture three. So if you recall multisig in lecture three, it lets you keep the shares or the different pieces that need to sign a particular transaction apart and to allow them to approve the transaction separately without needing to reassemble the key at any point. So just as an example of application of that, suppose that Andrew, Arvind, Ed, and Joseph are coworkers. Let's say they're co-founders of a company. And the company has a lot of bitcoins. Hey, you know, we can dream. Now, what we might want to do is use multisig to protect our large store of bitcoins. So what we're going to do is have each of the four of us generate a key pair. And we're going to, for our company's cold storage, store the coins so that we require multisig with three out of the four keys signing. Now, the result of that is that we know that we're relatively secure if the four of us keep our keys separately and secure them differently, that someone would have to compromise three out of the four keys. That if some employee or even two employees go rogue, those rogue employees can't steal all of the company's coins because you would need a conspiracy of three out of four to do that. 
And we also know that if something goes wrong, if one of us loses our key, or if one of us gets run over by a bus and our brain wallet is lost, the others can still get the coins back and transfer them over to a new place. And so multisig allows you or helps you to manage large bodies of cold stored coins in a way that's relatively secure and that requires action by multiple people before anything drastic happens.
In segment 4.4, we'll move on to talk about online wallets and exchanges. Thus far, we've talked about ways in which you could store and manage your bitcoins yourself. Now we'll talk about ways in which you can use other people's services to help you do that. So the first thing you could do is to use an online wallet. An online wallet is kind of like a local wallet that you might manage yourself, except that the information is stored in the cloud. And so you have some kind of, say, web-based interface like this. This is from one called Blockchain, but there are plenty of other online wallet services. You might have a website that you use on your computer. You might have an app that you use on your phone. So it's like a local wallet that's in the cloud. It might typically run in your browser, which means the site sends the code that does all of the operations. The site will store your keys. At least it will have the ability to access your keys. Ideally, the site will encrypt those keys under a password that only you know. But of course, you have to trust them to do that. You have to trust their code to not leak that key or leak that password. And then, of course, you would log in in order to access the wallet. OK. So an online wallet has certain trade-offs compared to doing things yourself. One of the big advantages is that it's convenient. You don't have to install anything on your computer in order to be able to use an online wallet in your browser. On your phone, you maybe just have to install an app once. It'll work across multiple devices.
You can have one wallet that you access on your desktop and on your phone. And it will just work because the real wallet lives in the cloud. But there are security worries. If the site or the people who operate the site turn out to be malicious or are compromised somehow, now you have to worry about the information of yours that they're storing. You have to worry about the fact that they're supplying code that has its grubby fingers on your bitcoins. And there are things that can go wrong if there's a compromise or malice at the service provider. Ideally, you would hope that the site or the service is run by security professionals who are better trained or perhaps more diligent than you in protecting the security of things. And so you hope that they do a better job and that your coins are actually more secure. But at the end of the day, you have to trust them and you have to rely that they won't be compromised. Now, another approach instead of an online wallet is something that functions rather more like a bank in the real world. And to set context for this, let's talk about how banks or bank-like services operate in the traditional economy. So this is pretty simple, right? You give the bank some money, that's a deposit. And then the bank in exchange promises to give you back that money later. And of course, crucially, the bank doesn't actually just take your money and put it in a box in the back room. All the bank does is promise that if you show up and ask for the money, they'll give it back. The bank will typically take that money, put it somewhere else, they'll invest it or something else like that. The bank will probably keep some money around in reserve in order to make sure that they can pay out the demand for withdrawals that they'll face on a typical day or maybe even an unusual day. And many banks typically use something called fractional reserve, where they keep a certain fraction of all of the demand deposits on reserve just in case. 
Now, Bitcoin exchanges are businesses that at least from a user interface standpoint function in a way that's similar to banks. That is, they accept deposits of Bitcoins, you can transfer your Bitcoins to an exchange and they will, just like a bank, promise you that they will give them back on demand later. You can also transfer fiat currency, that is, traditional currencies like dollars or euros or similar into an exchange by doing a transfer from your bank account. And so you can make deposits of both of these sorts of things and they promise to pay back either or both of them on demand. And what they then let you do is, again, various banking-like things. They let you make and receive Bitcoin payments. You can direct the exchange to pay out some Bitcoins to a particular party or you can ask someone else to deposit funds into a particular exchange on your behalf, put them into your account. And they also let you exchange Bitcoins for fiat currency or vice versa. And typically the way they do that is they find some customer who wants to buy Bitcoins with dollars and some other customer who wants to sell Bitcoins for dollars and they try to match them up. That is, they try to find customers who are willing to take opposite positions in a transaction so that there's a mutually acceptable price and then they will consummate that transaction. Now it's important to understand what happens if you buy or sell Bitcoins in an exchange. So suppose my account at some exchange starts holding $5,000 and three Bitcoins, and I use the exchange to put in an order to buy two Bitcoins for $580 each, and eventually the exchange finds someone who's willing to take the other side of that transaction and the transaction happens. So the result of that is that my account is different. Now I have five Bitcoins instead of three and I also have $3,840. That is, that's my 5,000 initial dollars minus $580 each times two Bitcoins. That's $3,840. So now that's what's in my account. 
But the important thing to note here is that when this transaction happened involving me and another customer of the same exchange, no transaction actually happened on the Bitcoin blockchain, because the exchange didn't need to go to the blockchain in order to transfer from my account into that other person's account some dollars or, in the other direction, some Bitcoins. So all that happens in this transaction is that the exchange is now making a different promise to me than they were making before. Before, they said we'll give you $5,000 and three Bitcoins; now they're saying we'll give you $3,840 and five Bitcoins. It's just a change in their promise, no actual movement of money through the dollar economy or through the Bitcoin blockchain. And of course the other person has had the exchange's promise to them change in the corresponding opposite way. Now there are pros and cons to using exchanges. One of the big pros is that exchanges help to connect the Bitcoin economy and the flows of Bitcoins with the fiat currency economy, the dollar and euro and other national currency economy. So that it's easy to transfer value back and forth. If I have an account at an exchange and I have a bunch of dollars and a bunch of Bitcoins I can trade back and forth between dollars and Bitcoins pretty easily. And that's really helpful. The con is risk: because an exchange functions in some ways like a bank, that is, it is accepting demand deposits, accepting payments of money to it in exchange for a promise to pay money back later, you have the same kinds of risks that you face with banks. And those risks really fall into three categories. The first risk is the risk of a bank run. This of course is a famous scene from the movie It's a Wonderful Life. Jimmy Stewart is running a credit union or other bank-like business and all of these people have shown up and they want their money back. This is a bank run. 
And Jimmy Stewart explains to them I don't have your money in the back room. I lent out your money to Fred so he could open his hardware store and so on. So one of the risks is that even if the bank is solvent on paper that you might show up and want your money back and the bank might be unable to produce it. And there's a danger of a kind of panic behavior where once the rumor starts to get around that a bank or exchange might be in trouble and they might be getting close to not honoring withdrawals then people stampede in to try to withdraw their money ahead of the crowd and you get a kind of avalanche. And that's what Jimmy Stewart was able to stave off with his eloquence in the movie. The second risk is that the owners of the banks might just be crooks. This is Charles Ponzi, inventor of the Ponzi scheme. A Ponzi scheme is a scheme where he would get people to give him money in exchange for wonderful, wonderful profits in the future. Only he would actually take their money and use them to pay out the wonderful, wonderful profits to people who bought previously. And so his schemes were always insolvent and were doomed to eventually fail and lose a lot of people a lot of money which is why he went to prison. And so there's the risk that the people who run the exchange are just crooks. The third risk is the risk of a cyber attack. The risk that someone will manage to penetrate the security of the exchange. Exchanges have large numbers of bitcoins. That means that they store key information that controls large numbers of bitcoins and they need to be really careful about their procedures and how they manage their cold and hot storage and all of that. And if something goes wrong, if that key information is compromised, if a suitable quorum of employees is compromised, then your money could get stolen from the exchange. And all of these things have happened. We have seen exchanges that failed due to the equivalent of a bank run. 
We've seen exchanges that fail due to the operators of the exchange being crooks and we've seen exchanges that failed due to break-ins. And in fact, the studies on this are not encouraging. The best study I think shows that, at least as of the time of the study, something like 45% of Bitcoin exchanges had ended up closing due to some failure, some inability to pay out the money that the exchange had promised to pay out. The most famous example of this, of course, is Mt. Gox. Mt. Gox was at one time the largest Bitcoin exchange and it eventually found itself insolvent. That is, unable to pay out the money that it owed. And Mt. Gox was a Japanese company and it ended up declaring bankruptcy, leaving a lot of people, including these two gentlemen, wondering where their money had gone. Right now Mt. Gox and the bankruptcy of Mt. Gox is tangled up in the Japanese and American courts and it's gonna be a while, I think, before we know exactly where the money went. The one thing we know is that there's a lot of it and Mt. Gox doesn't have it anymore. So this is a cautionary tale about the use of exchanges. Now, connecting this back to banks, we don't see a 45% failure rate for banks in most developed countries. And the reason for that partly is because of regulation. For traditional banks, government regulates in various ways. The first thing that governments do is they often impose a minimum reserve requirement. In the US, this is typically 3% to 10% of demand deposits that a bank is required to have in liquid form so that it can deal with a surge of withdrawals if that happens. Second, the regulators often regulate the types of investments and money management methods that banks can use to make sure that the banks' assets are invested in places that are relatively low risk because those are really the assets of the depositors in some sense. Now, in exchange for these forms of regulation, governments typically do things to help banks or at least protect their depositors. 
First, governments will issue deposit insurance. That is that they'll tell depositors that if you deposit your money in a bank that follows these rules, then we the government guarantee that if the bank goes under, we will make good on at least part of those deposits for you. And the other thing that governments sometimes do is act as a lender of last resort. And what that means is that if a bank gets itself into a tough spot, but it's basically solvent, that the government may step in and loan that bank money in order to tide it over until it can move money around as necessary to get itself out of the woods. So traditional banks are regulated in this way. Bitcoin exchanges are not. The question of whether or how Bitcoin exchanges or other Bitcoin businesses should be regulated is a topic that we'll come back to in lecture seven. Now, there is one interesting thing that a Bitcoin exchange or somebody else who holds Bitcoins can do, which relies on some cryptographic tricks to give users or customers some amount of comfort about where the money went or where the money is that those people deposited into the Bitcoin business. And that's what's called a proof of reserve. So let me explain how that works. The idea, the goal here is that a Bitcoin exchange or some other business that's holding Bitcoins can prove that it has a fractional reserve. It can prove that we have at least, let's say, 25% or maybe that we have 100% of the deposits that people have made with us available and under our control if need be. And so the way that proof of reserve works is you break the problem into two pieces. First, you prove how much reserve you're holding. That's the relatively easy part. So the company publishes a valid payment-to-self transaction of that amount. That is, if they claim to have 100,000 Bitcoins, they create a transaction in which they pay 100,000 Bitcoins to themselves and show that that transaction is valid. Then they sign some challenge string. 
That is some random string of bits that was generated by some impartial party. And they sign that challenge string with the very same private key that was used to validate that payment-to-self transaction. That proves that someone who knew that private key was participating in this proof of reserve. Now, strictly speaking, that's not a proof that the party who's claiming to own the reserve owns it. All this proves is that whoever does own that 100,000 Bitcoins is willing to cooperate in this process. But nonetheless, this looks like a proof. This looks something like a proof that somebody controls or knows someone who controls the given amount of money. So the first piece is to prove how much reserve you have. And the second piece is to prove how many demand deposits the group holds. And if you can prove those two things, then somebody can simply divide those two numbers and that's what your fractional reserve is. One more thing to note before we go on and talk about how you prove how many demand deposits you hold, that's the tricky part, is that in proving how much reserve you're holding, you could underclaim. That is, the organization might have 150,000 Bitcoins but choose to make a payment to self of only 100,000. And so this proof of reserve doesn't prove that this is all you have, but it proves that you have at least that much. Okay, now how do you prove how many demand deposits you hold? In order to do that, we're going to use a trick that relates to the Merkle trees that we talked about in lecture one. And if you recall, a Merkle tree is a binary tree that's built with hash pointers so that each one of these pointers not only says where we can get a piece of information but also what the cryptographic hash of that information is. Now we're going to add to each one of these hash pointers another field or attribute. 
So we're going to add to each hash pointer a total value, that is, a total monetary value in Bitcoins of all of the things that are underneath that hash pointer in the tree. So for example, this hash pointer here would be tagged with the total value in this entire left subtree, right? Now down here at the bottom, we're going to have one item for each user, for each user's or customer's account. And we're going to combine these up the tree so that each node, the hash pointer coming out of it will be labeled with the sum of the values on the two hash pointers down below. So that will be a valid total for the subtree. So we can construct that structure and then the exchange that wants to do the proof of reserve can cryptographically sign the root hash pointer here, which is making a claim that this is a valid tree and that everybody is down here, okay? Now each customer can then go to the organization and say, okay, prove it to me: prove that my account is included in your tree. And so I can go to the exchange, I can make that demand and they can show me this partial tree. I can see that up here the hash pointer is the same hash pointer that they signed. I can see that the hash pointers are consistent all the way down, that is, that the hash stored in this hash pointer actually is the cryptographic hash of this node and so on for each hash pointer all the way down. And so just like with the Merkle tree that proves that my account here was in the tree that they initially committed to. I also am going to verify that the amounts in the hash pointers add up all the way down. So for example, the amount, the total value in this hash pointer adds up to the same total as this hash pointer plus this hash pointer which is included in this node. And I make sure that on this path down to my account that the totals add up all the way. 
Now if you think about it, if everybody does this, if everybody makes a demand to see their own account then every branch of this tree is going to get explored and someone is going to verify that for every node in the tree that the value of the hash pointer pointing to that node is equal to the sum of the value on these two children. And so if everyone does this then they will collectively prove over the whole tree that the values are added correctly going up the tree. And so this is the scheme that first the exchange builds a tree like this that includes all their customers' accounts at the bottom and sums the total values going up the top then all customers or really realistically those customers who are willing to go to the trouble demand to see the partial subtree that includes their account and verify that everything adds up. And if that works then we can believe that the organization is correctly reporting all of the accounts that they have. Or actually to be a little bit more precise they can claim to have more accounts than they really have. All they're proving is that every actual account appears somewhere in the tree. Now let's review. So first they've proven that they have at least X amount of reserve currency by doing a self transaction of X amount. Then they've proven that their customers have at most an amount Y deposited. And of course they can claim that in the other direction as well. So what that means is that the reserve fraction is if they reported exactly accurately it's X over Y. If in fact X is larger then the reserve fraction is larger than they're claiming. Or if Y is smaller then the reserve fraction also because this is in the denominator is also larger than they're claiming. And so when they prove an X and prove a Y this way you can guarantee that the actual reserve fraction they're holding is at least as big as what they're claiming. And therefore they can prove a reserve to you. 
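The tree of value-tagged hash pointers and the per-customer check described above, as an added example that is not code from the lecture or from any exchange. The SHA-256 byte encoding, the zero-value padding leaf, the account names, balances and the 9 BTC reserve are all constructed assumptions, and the root is taken to be the one the exchange signed (signature checking is left out).

```python
import hashlib
from typing import List, NamedTuple, Tuple

SAT = 100_000_000  # satoshis per bitcoin


class Ptr(NamedTuple):
    """Hash pointer tagged with the total value (satoshis) beneath it."""
    digest: bytes
    total: int


def _u64(n: int) -> bytes:
    # Totals must be non-negative, otherwise the sums up the tree would no
    # longer bound the deposits from above.
    if not 0 <= n < 2**64:
        raise ValueError("total out of range")
    return n.to_bytes(8, "big")


def leaf_ptr(account_id: str, balance: int) -> Ptr:
    body = b"leaf" + _u64(balance) + account_id.encode()
    return Ptr(hashlib.sha256(body).digest(), balance)


def node_ptr(left: Ptr, right: Ptr) -> Ptr:
    # A node holds its two child pointers (hash and total); the pointer to the
    # node is the hash of that content, tagged with the sum of the two totals.
    body = b"node" + left.digest + _u64(left.total) + right.digest + _u64(right.total)
    return Ptr(hashlib.sha256(body).digest(), left.total + right.total)


PAD = leaf_ptr("", 0)  # assumed filler for levels with an odd number of nodes


def build(accounts: List[Tuple[str, int]]) -> List[List[Ptr]]:
    """Return every level of the tree, leaves first; levels[-1][0] is the root."""
    if not accounts:
        raise ValueError("no accounts")
    levels = [[leaf_ptr(name, bal) for name, bal in accounts]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(PAD)
        levels.append([node_ptr(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def prove(levels: List[List[Ptr]], index: int) -> List[Tuple[Ptr, bool]]:
    """Partial tree for one leaf: (sibling pointer, sibling_is_left) per level."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))
        index //= 2
    return path


def verify(root: Ptr, account_id: str, balance: int, path) -> bool:
    """Customer-side check: hashes AND totals must chain up to the signed root."""
    try:
        cur = leaf_ptr(account_id, balance)
        for sibling, sibling_is_left in path:
            cur = node_ptr(sibling, cur) if sibling_is_left else node_ptr(cur, sibling)
    except ValueError:
        return False
    return cur == root


def audit(published, true_accounts):
    """Every customer checks their true balance; return (root, names that fail)."""
    levels = build(published)
    root = levels[-1][0]
    where = {name: i for i, (name, _) in enumerate(published)}
    failed = [name for name, bal in true_accounts
              if name not in where or not verify(root, name, bal, prove(levels, where[name]))]
    return root, failed


def reserve_fraction(reserve: int, root: Ptr) -> float:
    return reserve / root.total  # X over Y, with Y the total on the root pointer


# Constructed sample data: five customer balances and a proven reserve X of 9 BTC.
ACCOUNTS = [("alice", 3 * SAT), ("bob", 5 * SAT), ("carol", 2 * SAT),
            ("dave", 7 * SAT), ("erin", 1 * SAT)]
RESERVE = 9 * SAT

if __name__ == "__main__":
    root, failed = audit(ACCOUNTS, ACCOUNTS)
    print("honest tree: Y =", root.total / SAT, "BTC, failed checks:", failed)
    understated = [(n, SAT if n == "bob" else b) for n, b in ACCOUNTS]
    root, failed = audit(understated, ACCOUNTS)
    print("bob understated: Y =", root.total / SAT, "BTC, failed checks:", failed)
```

Only the customer whose entry was changed or left out sees a failure; everyone else's partial tree still checks out, which is why the scheme depends on customers actually asking for their proofs.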
And what that means is that if a Bitcoin exchange wants to prove that they hold 25% reserves on all deposits or 100% they can do that in a way that's independently verifiable by anybody. And no central regulator is required. So that's an aspect of regulation that Bitcoin exchanges can prove voluntarily but other aspects of regulation as we'll see in a later lecture are harder to guarantee. In segment 4.5 we'll talk about payment services. Thus far we've talked about how you can store and manage your Bitcoins. Now we're gonna talk about how a merchant can accept payment in Bitcoins in a practical way. So the scenario here is that we have a merchant. Maybe it's an online seller of some kind of goods or services. Maybe it's a local retail merchant. And they wanna be able to receive payments in Bitcoins. Now the reason they wanna be able to receive payments in Bitcoins let's say is not that the merchant is so excited about Bitcoins but simply because their customers wanna be able to pay in Bitcoins. What the merchant wants is to receive dollars or local fiat currency whatever that is at the end of the day. They wanna have some way of receiving payments in Bitcoins which is easy for them to deploy so they don't have to worry a lot about technology changing their website or building some kind of point of sale technology. And they also want low risk. There are various risks associated with receiving payments in Bitcoins and the merchant doesn't wanna have to worry about those. So they don't wanna have to worry about technology risk. That is the risk that by changing their technology something will go wrong, their website will go down, something will malfunction and that will cost them money. They don't wanna deal with the security risks of handling Bitcoins. The possibility that someone will break into their hot wallet or some employee will make off with their Bitcoins. And they don't wanna deal with the exchange rate risk. 
That the value of a Bitcoin in dollars may fluctuate from time to time and the merchant who might wanna sell a pizza for $12 wants to know that they're gonna get $12 or something close to it and that the value of the Bitcoins that they received in exchange for that pizza won't drop drastically before they can exchange those Bitcoins for dollars. So the merchant wants to be isolated from all of that. And so the reason that we have payment services is fundamentally to allow both of these parties to be happy and get what they want while someone else takes care of bridging the gap between these different desires. So the process by which a merchant might arrange to accept Bitcoin payments on their site through a payment service would work something like this. The merchant would first go to the payment service's website and they'd fill out a form that looks something like this. This particular form comes from a service called Coinbase. And so the merchant says, all right, I want to display a button on my webpage. I want it to be a buy now button. I want the button to look like this. Here's the name of the item that is being bought. Here's the sale price amount, which can be in either Bitcoins or dollars or some other currency. And then here's where the funds should be sent when the customer buys. The merchant then having filled that out presses this button to generate button code and out will come a bunch of HTML code that the merchant can just drop into their website. The merchant will put that into their website and what will appear on the website to the customer will be a button that looks like whatever they chose. When the customer pushes that button, then a bunch of payment magic will happen and the merchant will eventually get a confirmation saying that, yeah, a payment was made by this customer for alpaca socks in such and such amount. 
So the way that that actually works or one typical way that the mechanism might work for a payment is illustrated here. Here we have down at the bottom a user who wants to buy something from the merchant who's up here and we have over here the payment service. Okay, so the user goes to the merchant's website, they shop, they pick out an item they wanna buy and when it comes time to pay, the merchant will deliver a webpage which will contain the pay with Bitcoin button and it will contain some other information. It will contain a transaction ID that is some identifier that is meaningful to the merchant in their own accounting system along with an amount that they wanna be paid. And this will basically be the magic HTML code that was provided earlier by the payment service. The user, if they wanna pay with Bitcoins, will click that button. That will cause information to be sent to the payment service as an HTTPS ideally request which says that that button was clicked. Here's the transaction ID from the merchant, here's the amount and of course the identity of the merchant is implicit here. When that happens, now the payment service knows that this customer, whoever they are, wants to pay a certain amount of Bitcoins and so the payment service will pop up some kind of a box or do some kind of an interaction with the user in which the user will receive information about how to pay and the user will then initiate a Bitcoin transfer to the payment service. Once the user has created that payment, then the payment service will send back information, might be a redirect of some kind, maybe an HTTP redirect or something else that comes back to the user's browser and causes the user's browser to send a message onto the merchant from the payment service saying it looks okay so far. 
And then later, the payment service will directly send a confirmation saying that yes, in correspondence with this transaction ID that you the merchant created, the following amount was spent, that this is fully confirmed in the Bitcoin blockchain, and the payment service will confirm that it's giving you the money at the end of the day. So once that happens, now the merchant knows that the payment is confirmed and they can go ahead and allow whatever the item is that this user bought to be shipped out to the user. And then the user will eventually get the item and everyone is happy. So this is a typical kind of flow, details of the flow might work a little differently depending on which payment service you're using but that's the idea. From the merchant's standpoint, what happens is they include this blob of HTML in their website, then eventually they get this tentative okay, things are going ahead, and eventually a firm confirmation from the payment service. They use this transaction ID to match up the purchase of this particular snuggie by this particular user in their accounting system and they use the confirmation to know they got paid. And now the final step is the one in which the payment service actually gives money to the merchant. Okay, so the end result of this whole process is the following. That the customer pays bitcoins, some number of bitcoins, that the merchant gets dollars, that's what the merchant wanted. They wanted to sell that item for a particular number of dollars or whatever their local fiat currency is. The merchant gets the number of dollars they ask for minus a small percentage. The payment service is going to take a small percentage as a fee, maybe a couple of percent. And the payment service does everything else. The payment service receives the bitcoins that the customer paid. It pays out the dollars maybe at the end of every day. It makes a deposit into the merchant's bank account of all of the payments that came in that day. 
And of course it keeps a small percentage and that's how it makes its profit. And the payment service absorbs all of the risks involved in this process. It absorbs the security risk so it has to have good management of the bitcoins, of its cold storage and all of that. It absorbs the exchange rate risk because it's receiving bitcoins and paying out dollars. If the price of dollars against bitcoins fluctuates wildly, the payment service might be unhappy. Then again, if it fluctuates wildly in the other direction, the payment service might be happy. But that risk, that uncertainty is part of, and absorbing it is part of what the payment service does. One thing to note here is that the payment service, if it's operating at large scale, is receiving large numbers of bitcoins and paying out large numbers of dollars. And therefore it's going to have a constant need to exchange the bitcoins it's receiving for more dollars so that it can keep this whole cycle going. And so a payment service is going to be an active participant in the exchange markets that link together, in this case, the dollar economy and the bitcoin economy. And that's another thing that they need to worry about, not just what is the price of exchange, but how can we manage to exchange currency in this large volume? But in exchange for doing all of this stuff, the payment service gets their fee. And so this is potentially a lucrative business because it solves the mismatch between the customer's desire to pay bitcoins and the merchant's desire to just get dollars and concentrate on selling goods. In segment 4.6, we'll talk about transaction fees. This is a topic that has come up before in a previous lecture and it will come up again later in a later lecture. And transaction fees are one of the bits of how the engine room of bitcoin works, if you will. And it touches a bunch of different topics. 
So what I want to talk about here today is the practical details of how transaction fees are set in bitcoin today. We've talked about storage in this lecture, we've talked about payment services, we've talked about exchanges. But bottom line is whenever a transaction is put into the bitcoin blockchain, that transaction might pay transaction fees. Now recall from a previous lecture that a transaction fee is just defined to be the difference between the total value of coins that go into a transaction minus the total value of coins that come out. The inputs have to be always at least as big as the outputs because a regular transaction can't create coins. But if the inputs are a little bigger than the outputs, then the difference is deemed to be a transaction fee. And that transaction fee goes to the miner who recorded this transaction, the miner who made the block that records this transaction. The economics of transaction fees are interesting and we'll come back to this in a later lecture. But what I want to talk about today is how transaction fees are actually set in bitcoin as it operates as of the time of this filming. These things do change from time to time but we'll give you a snapshot of what's going on right now. Okay, so why do transaction fees exist at all? Well, the reason is that there's some cost that someone has to incur in order to relay your transaction. The nodes in the bitcoin peer-to-peer network need to relay your transaction. And ultimately a miner needs to build your transaction into their block and it costs them a little bit of computational effort to do that. And the time that they spend calculating a block that's slightly larger because it contains your transaction is time that they could otherwise have spent trying to make a block and get a block reward. So there is a cost both to the peers in the peer-to-peer network and to the miners of incorporating your transaction. 
So the idea of a transaction fee is to somehow compensate people for those costs that they incur because your transaction exists. Generally, you're free to set the transaction fee to whatever you want it to be. You can pay no fee or you can pay a high fee but as a general matter, if you pay a higher transaction fee, it's natural that your transaction will be relayed and recorded more quickly and more reliably. So the current consensus transaction fees are as follows. First of all, no fee is charged if the transaction is less than 1,000 bytes in size, in total size, if all of the outputs of the transaction are one hundredth of a bitcoin or larger, that's currently worth about five or $6 US, and if the priority of the transaction according to a certain formula is large enough. The priority formula works like this. You look at all of the inputs to the transaction and for each one, you add up the product of the age of that input times the value of that input in bitcoins. You add that up over all the inputs, then you divide by the transaction size. So if you meet these three requirements, then no fee will typically be charged and your transaction will be relayed and it will be recorded in the blockchain without a fee. Otherwise a fee is charged and that fee is about 0.001 bitcoins per 1,000 bytes and that's a fraction of a US penny per 1,000 bytes. Now just as an aside, the approximate size of a transaction based on the number of inputs and the number of outputs is about 148 bytes for each input plus about 34 bytes for each output plus about 10 bytes for other information. And so a transaction that's of small size has maybe two inputs and two outputs. Its size would be 400 to 500 bytes. All right, now the current status quo is that most miners enforce the consensus fee structure, which means that they will either not service or will service last transactions that don't meet the consensus fee structure. 
So if you don't pay the consensus fee, your transactions will typically take longer to be recorded. It's worth noting that if you pay a small fee that because of the way the priority calculation works, the priority includes age of your bitcoins, the longer your transaction sits without being recorded, the higher its priority will get because its bitcoins get slowly older. But in any case, if you haven't paid the consensus fee, your transactions will probably take longer to find their way into the blockchain. Maybe that's okay with you. Most miners prioritize transaction based on the fees that are paid and based on the priority formula and I'm not gonna go into the details of how that works but if you pay more or if your priority is higher according to the formula, then your transaction probably gets memorialized first. Now finally, I said this was the consensus and that most miners do it. But in fact, there are other miners who don't enforce these rules and who will record and operate on a transaction even if it pays a smaller fee or no fee at all. So if you make a transaction that doesn't meet the fee requirements, it will probably find its way into the blockchain anyway. But the way to get your transaction recorded more quickly and more reliably is to pay the consensus fee and that's why most wallet software and most payment services include the consensus fee structure in the payments that go on. And so you'll see a little bit of money raked off for transaction fees when you engage in everyday Bitcoin business. In segment 4.7, we're going to look at currency exchange markets. That is markets on which you can trade bitcoins against fiat currencies like dollars and euros, et cetera. We've talked earlier about Bitcoin exchanges and other types of businesses that are involved in trading between Bitcoins and fiat currencies. But now we want to look at this as a market. 
We want to look at the size of it, the extent of it and how it operates and we'll look a little bit at the economics of this market. The first thing to understand about this if you're new to it is that it operates in many ways like the market between two fiat currencies, like the market between dollars and euros. The price will fluctuate back and forth depending on how badly people want to buy euros versus how badly people want to buy dollars on a particular day. So in the Bitcoin markets, we can look at data and in fact, there are sites like Bitcoin charts. This is the Bitcoin markets page on Bitcoin charts which shows exchanges that trade dollars against Bitcoins. And you can see there's a list of different exchanges or different places where you can trade dollars against Bitcoins here from top to bottom. Up here at the top, we have Bitstamp which on this particular day had the highest volume. For each one, there's the current price. For Bitstamp, on the day I took this screenshot, it was $582.54. You can get graphs, you can look at the average, the volume, et cetera. You can look, the 24-hour average price was $585. The volume was about 6,100 Bitcoins or about $3.6 million over the previous 24 hours. So you can see there's a lot of trading here. And if you go to this site live, you can see the prices move in real time as trades get made. So this is an active market, it's a liquid market, and there are plenty of places you can go to to buy or sell Bitcoins. Another place you can go besides an online exchange if you want to buy or sell Bitcoins is that you can use sites that help you meet people to trade Bitcoins in real life. So here I went to localbitcoins.com. It's an example. I said I wanna buy Bitcoins in Princeton, New Jersey, United States, and it gave me a bunch of results. A bunch of people who on this particular day were willing to sell me Bitcoins for what price and for how many. 
And so I could then contact these people, I could arrange to meet them at a coffee shop somewhere or in a park or wherever it is, and I could give them dollars and in exchange they would give me Bitcoins. And so this is another way to do it. You can just find a person near you or you can find somebody you know. The very first Bitcoins I bought, I bought from one of my students who owned some Bitcoins. I just gave him some dollars and he paid some Bitcoins into my digital wallet. Another thing you can do is you can go to a physical place. There are some places in the world or some regular meetups where it's known that people go to trade Bitcoins. And so you can go to a certain park, a certain street corner on a particular day and you know that there will be people standing around wanting to buy or sell Bitcoins and you can do business with them. And here you see a bunch of people at one of these meetups looking at their phones with their apps to transfer or verify transfer of Bitcoins. And so these are all the ways that you can trade or the popular ways that you can trade Bitcoins against dollars. Okay, now this is a market as I said and the market matches buyers who wanna do one thing with sellers who are willing to do the opposite thing. It's a relatively large market, meaning millions of US dollars per day pass through it. It's not like the New York Stock Exchange or it's not like the dollars to euros market which is vastly larger. But it's relatively large so that there is a notion of a consensus price and that a person who wants to come into this market to buy or sell a modest amount at least will always be able to find a counterparty. The price of this market, this consensus price, like the price of anything in a liquid market will be set by supply and demand. That is what is the supply of Bitcoins that might potentially be sold and what is the demand for Bitcoins by people who have dollars. 
The price through this market mechanism will be set to the level that matches supply and demand. But let's dig into that a little bit more. First of all, let's talk about what is the supply of Bitcoins? The supply of Bitcoins, that is the Bitcoins that you might possibly buy in one of these markets, is first of all equal to the supply of Bitcoins that are in circulation. Currently, of course there's a fixed number of Bitcoins in circulation. At the time of this filming it's about 13.1 million and the rules of Bitcoin as they currently stand say that this number will slowly go up and hit a limit of 21 million eventually. But you might also sometimes include demand deposits of Bitcoins. That is, if someone has put money into their account in a Bitcoin exchange and the account doesn't keep a full reserve to meet every single deposit, then you'll have demand deposits at that exchange that are larger than the number of coins that the exchange is holding. And depending on exactly what question you're asking about the market, it might or might not be correct to include demand deposits in the supply. So when should you include demand deposits? Well, basically you should include demand deposits in a market analysis when demand deposited money can be sold in that market. So for example, if you're talking about exchange of dollars for Bitcoins that can happen in an exchange, if I have Bitcoins demand deposited in an exchange, I can trade those for dollars. And so if that's the scenario you're looking at, it would make sense to include demand deposits in that exchange as part of the supply. It's worth noting as well that when economists conventionally talk about the supply of a fiat currency, they typically include in the money supply not only the currency that's in circulation, that is the actual paper and metal money, but also the total amount of demand deposits. And that's for the logical reason that people can actually spend their demand deposited money to buy stuff. 
And so although it's tempting to say that the supply of Bitcoins is fixed at 13.1 million currently or 21 million eventually, for some purposes we have to include demand deposits where those demand deposits function like money. And so the supply might not be fixed in the way that some Bitcoin advocates claim. And we need to look at the circumstances of the particular market we're talking about in order to understand what the proper money supply is. But let's assume we've agreed on what supply we're using based on what market we're analyzing. Let's now look at demand. There are really two main sources of demand for Bitcoins. There's demand for Bitcoins as a way of mediating fiat currency transactions, and there's demand for Bitcoins as an investment. So first let's look at mediating fiat currency transactions. So here's the scenario. Imagine that Alice wants to buy something from Bob or wants to pay some money to Bob. And Alice and Bob want to transfer, let's say a certain number of dollars, but they find it convenient to use Bitcoin to do this transfer. Perhaps they're at a distance. Alice wants to be able to email the money to Bob. Perhaps they like the fact that they can have very low transaction fees in Bitcoin and lower than some other service, whatever the reason they want to use Bitcoins to mediate this transaction. So the way that works is this, that first Alice buys Bitcoins for dollars, Alice then sends those Bitcoins to Bob as a Bitcoin transaction. Once that transaction is recorded in the blockchain and it's confirmed to Bob's satisfaction, Bob will sell those Bitcoins for dollars and get the dollars back. So Alice starts by putting in dollars, Bob ends by getting out dollars. 
But the key thing for the purpose of Bitcoin demand is that the Bitcoins that are mediating this transaction that are bought by Alice in step one and sold by Bob in step three have to be taken out of circulation and they're devoted to serving this transaction during the time that the transaction's going on. And that creates a demand for those Bitcoins. If there are a lot of people who want to mediate transactions like this, whether those are fiat currency transactions or other transactions, if they want to mediate transactions, that will generate demand for Bitcoins. So that's the first source of demand. The second source of demand is that Bitcoin is sometimes demanded as an investment. That is somebody wants to buy Bitcoins and hold them in the hope that the price of Bitcoins will go up in the future and that they'll be able to sell them. So to the extent that people are buying and holding those Bitcoins, those Bitcoins are out of circulation, but there's a demand to buy Bitcoins, at least depending on the price. When the price is low, you might expect a lot of people to want to buy Bitcoins as an investment, but if the price goes up very high, then the demand for Bitcoins as an investment won't be as high. So that's the second source of demand. Now, we can do some simple economic modeling to understand how these markets will behave. And I'm not going to do a full model here, although that's an interesting exercise. What I want to do is look specifically at the effect of this transaction mediation demand and what effect that might have on the price of Bitcoins. And we can build a simple model for doing that. So here's a simple model of the demand that's driven by transactions, by transaction mediation and what it tells us about what the price should be. So we're going to assume some parameters here. First, we're going to say T is equal to the total transaction value that's going to be mediated via Bitcoins by everyone who's participating in the market. 
And that's going to be measured in dollars per second. We're going to assume for simplicity that the people who want to mediate these transactions have in mind a certain dollar value of the transactions or if it's some other fiat currency we'll translate it into dollars for simplicity. So there's a certain number of dollars per second of transactions that need to be mediated. We're going to say D is equal to the duration of time that Bitcoins need to be held out of circulation in order to mediate a transaction. That's the time from when the payer buys the Bitcoins to when the receiver is able to sell them back into the market and we'll measure that in seconds. And then S is going to be the supply of Bitcoins that are available for this purpose. And so that's going to be all the Bitcoins that exist. That is all of the hard currency Bitcoins, all of the 13.1 million or eventually up to 21 million Bitcoins, not including those that are held out by people as long-term investments. So at any point in time there's some supply of Bitcoins that are sloshing around and available for this purpose. Okay, and now we can do some calculations. The first thing we'll do is we'll calculate how many Bitcoins become available in order to service transactions per second. Well, there are S Bitcoins in total that are used for it, and because they're taken out of circulation for a time of D seconds, every second about a one over D fraction of those Bitcoins will become newly available because they'll emerge from that out-of-circulation state. And so on average, S over D Bitcoins will become available for mediating transactions every second. That's the supply side. On the demand side, the number of Bitcoins per second that are needed to mediate transactions, well, we have T dollars worth of transactions to mediate and in order to mediate one dollar worth of transaction, we need one over P Bitcoins. 
That is, we need to take this T, which is measured in dollars per second, and divide it by the price in dollars per Bitcoin, and the result we get is Bitcoins per second. These are the number of Bitcoins per second that are needed in order to serve all the transactions that people wanna serve. Okay, so if you look at a particular second of time, for that second there's a supply of Bitcoins of S over D and there is a demand of T over P. And now, if you think about the dynamics of this market, it behaves like many markets in that the price will fluctuate in order to bring supply into line with demand. If the supply is higher than the demand, then there are Bitcoins that are going unsold and so the people who are selling Bitcoins will be willing to lower their price to try to sell those Bitcoins and so the price will come down if supply is higher than demand. And when the price comes down, that will cause demand actually to go up because P, the price, is in the denominator of demand. So if supply is bigger than demand, then demand will be pulled up. On the other hand, if demand is higher than supply, that means that there are people who want to get Bitcoins to mediate a transaction who can't get them because there aren't enough Bitcoins around. And so those people will bid more in order to get their Bitcoins. They'll have to bid more because there'll be a lot of competition for the limited supply of Bitcoins. And so if the demand is higher than the supply, the result is that price will go up. And when price goes up, then because price is in the denominator of the demand, that means demand will come back down. Demand for Bitcoins will come back down as the price goes up. So if we have supply here and demand here, then the demand will be pulled down toward the supply, right? And so if the supply is at some point, then the demand, we've argued, will always be pulled toward the supply. And in fact, the two will come into equilibrium. 
And so the equilibrium condition, the point where you'll end up in this market, is where this supply S over D is equal to the demand T over P. And so if you set those two expressions equal to each other, and then you solve for P, the price, what you get is this, that in equilibrium, the price should be equal to T times D divided by S. All right, so what does this mean? Well, one thing we can conclude about this is that if you think of D, the duration, as not changing, because probably the duration that you need to hold the Bitcoin to do a transaction is not gonna change. So if D doesn't change, and if S the supply is not changing, then what this tells us is that the price is gonna be proportional to the demand for transaction mediation as measured in dollars. And so if the demand for transaction mediation in dollars doubles, then the price of Bitcoins should double. And we could in fact graph the price against some estimate of the demand for transaction mediation and see whether they match up. And when economists do this, they do tend to match up pretty well. So we could graph the price of Bitcoins against the demand for transaction mediation as you can best estimate it in dollars per second. And those things should tend to be proportional over time. And when economists do that, they do tend to match up pretty well. The other thing we can note is that supply is in the denominator here, and that supply includes only the Bitcoins that aren't being held as investments. And so what that tells us is if more people are buying Bitcoin as an investment, the result will be that coins are withdrawn from this status where they're available to mediate transactions. And so the S that we're using here will go down. So that if investors are buying a lot of Bitcoins, it will drive down S and therefore P will go up. And so that makes sense. If there's more demand on the investment side, then the price that you need to pay to mediate a transaction will go up. 
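The price dynamics argued above can be run as a small simulation. This is an added example, not part of the lecture: the adjustment rule (price moves each step in proportion to relative excess demand) and the sample values of T, D and S are assumptions chosen for illustration.

```python
import math


def equilibrium_price(T: float, D: float, S: float) -> float:
    """Price where supply S/D (BTC/s) equals demand T/P (BTC/s): P = T*D/S."""
    return T * D / S


def simulate_price(T, D, S, p0, rate=0.2, steps=200):
    """Let the price drift until supply and demand per second match.

    Assumed rule: each step the price changes by `rate` times the relative
    gap between demand (T / p) and supply (S / D). Excess demand pushes the
    price up, excess supply pushes it down, as in the lecture's argument.
    """
    supply = S / D                       # bitcoins freed up per second
    p = p0
    path = [p]
    for _ in range(steps):
        demand = T / p                   # bitcoins needed per second
        p *= 1 + rate * (demand - supply) / supply
        path.append(p)
    return path


if __name__ == "__main__":
    # Constructed parameters, not market data.
    T = 2000          # dollars per second of mediated transactions
    D = 86400         # seconds each coin is held out of circulation
    S = 1_000_000     # bitcoins available for mediation

    target = equilibrium_price(T, D, S)
    print(f"equilibrium price: ${target:.2f}")
    for start in (20.0, 900.0):          # start below and above equilibrium
        path = simulate_price(T, D, S, start)
        print(f"start ${start:.0f} -> after {len(path) - 1} steps ${path[-1]:.2f}")

    # Comparative statics from the lecture: doubling T doubles the price;
    # investors withdrawing half of S also doubles it.
    print(f"T doubled: ${equilibrium_price(2 * T, D, S):.2f}")
    print(f"S halved:  ${equilibrium_price(T, D, S / 2):.2f}")
    assert math.isclose(equilibrium_price(2 * T, D, S), 2 * target)
```

Under this rule the gap to equilibrium shrinks by a factor of (1 - rate) every step, so the price converges to T times D divided by S from either side.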
Now, this is not a full model of the market. In order to have a full model, we need to take into account the activities of investors. We need to bear in mind that investors will demand Bitcoins when they believe that the price will be higher in the future. And so we need to think about investors' expectations. And investors' expectations, of course, have something to do with what is the expected total transaction value demand in the future. And we could build a model that's more complex. I'm not going to do that here, but you get a flavor of the kind of thing that you can do. So the bottom line here is that there is a market between Bitcoins and dollars or Bitcoins and other fiat currencies, that that market has enough liquidity that you can buy or sell in modest quantities in a reliable way, although the price does go up and down, and that it's possible to do economic modeling and get some idea of how supply and demand interact in this market and predict what the market might do, as long as you understand unknowable things like how much people are going to want to use Bitcoin to mediate transactions in the future. That kind of economic modeling is important to do and very informative, and I'm sure that there are people who are doing it in some detail today. But a detailed economic model of this market is beyond the scope of this course.