In this lecture, we're going to talk about alternatives to Bitcoin's existing proof-of-work mining puzzle. Mining puzzles are at the very core of Bitcoin because they determine the incentive system in Bitcoin. Bitcoin miners get rewards for the puzzles that they solve. We expect that miners will spend considerable effort trying to find any shortcuts available to them to solve these puzzles faster or more efficiently. If there's a faster way to solve puzzles, we think they'll take it. Also, if there's extra work to do that might help the network but doesn't directly help them solve puzzles any faster, we expect that they might eventually not bother to do it at all. Therefore, the nature of the puzzle plays a very important role in steering and guiding participation in the network. Now, we've talked about some of the basic features that Bitcoin's existing SHA-2 hash-based mining puzzle already satisfies. For example, it's fairly difficult to produce a whole bunch of puzzle solutions. This makes attacks on the Bitcoin network very costly or unlikely to succeed. On the other hand, puzzle solutions are found at a fairly predictable rate, once every 10 minutes by someone. This means that honest miners who participate have some incentive to keep participating and are compensated for the resources that they put into the network. If we were going to design a new puzzle system from scratch, or modify Bitcoin's puzzle system to be different somehow, what else could we design the puzzle to achieve? What other kinds of behaviors would we like to encourage or disincentivize? In this lecture, we're going to talk about a variety of possible alternative puzzle designs. Some of them are already used in practice in altcoins existing today. Others are research ideas that might turn out to be used in the future.
The puzzles that we'll look at can achieve a variety of possible goals, such as ASIC resistance, which means leveling the playing field between users with ordinary computing equipment and users with specially optimized custom hardware. We'll also look at puzzles that discourage users from delegating their participation to the operators of large centralized pools. And we'll look at useful proofs of work that have some intrinsic social benefit. We'll also talk about some of the essential security requirements for mining puzzles. It doesn't do any good to have some fancy secondary feature if the puzzle doesn't still satisfy the basic requirements it needs to keep Bitcoin secure. Before going into the alternative puzzle designs, let's talk a little bit about some of the essential requirements that any viable mining puzzle has to satisfy. There are many possible requirements, and we've talked about some of them before. Mining puzzles need to be cheap to verify, because every node on the network validates all of the puzzle solutions, even nodes that aren't involved in mining directly. Puzzles also have to have adjustable difficulty, so that the difficulty can be adjusted over time as new users join the network and the amount of hash power contributed increases. I'm only going to talk in detail right now about one other essential requirement, which is a little bit subtle: the chance of finding a puzzle solution in any unit of time should be roughly proportional to the hash power contributed. In particular, this means that really large miners with very powerful hardware should only have a proportional advantage in being the next miner to find a puzzle solution, and even small players should have a proportional chance of being successful and receiving compensation. To illustrate this point, let me show you an example of a bad puzzle that doesn't satisfy this requirement. Consider a mining puzzle that takes exactly n steps to find a solution.
There are examples of puzzles like this; I don't need to go into the details, but think of these as sequential proofs of work. A miner finds one of these proof-of-work solutions by computing n steps in order, in a sequence; once it completes n steps, it has a solution. The problem is that if it takes exactly n sequential steps to find a puzzle solution, then the fastest miner in the network will always be the one who wins the next reward. So consider a scenario with two equally powerful miners and a third miner that's slightly faster at making computational steps than the other two. For every step that the small miners take, the large miner takes two. This means that the large miner finds its puzzle solution at the end of n steps while the smaller miners are still computing theirs. In this case, the fastest miner would be the only one who receives any compensation at all, and therefore none of the other nodes would have any incentive to participate in the first place. The alternative, a good puzzle, is one that gives every miner a chance of finding the next puzzle solution in proportion to the amount of hash power they contribute. This forms a weighted sample of all of the miners. Imagine throwing a dart randomly at a board of different-sized targets, where the size of each target corresponds to that miner's hash power. The more hash power you contribute, the better your chance of being the node that finds the next puzzle solution. A puzzle that has this property is sometimes called progress free. Now, this was just one of the requirements. There are others, but for now we're going to move on to types of alternative puzzles, and we'll discuss essential requirements as they come up. We're going to start by talking about ASIC-resistant mining puzzles. These are far and away the most widely discussed and sought-after alternative mining puzzles.
Now there are several reasons why we might want an ASIC-resistant mining puzzle. If you recall from previous lectures, Bitcoin mining used to be done using ordinary computers, on CPUs and GPUs. It then moved towards customized FPGA devices, and now mining is mostly conducted using very powerful optimized ASIC chips, which are so vastly more effective than general-purpose computing equipment that it doesn't even pay off to use an ordinary computer or an old generation of mining equipment. This is too bad in a way, because it used to be very appealing that ordinary users could mine bitcoins out of thin air just by leaving a computer they already had on overnight. This was really good for a low barrier to entry, because it gave ordinary users around the world a compelling reason to join the Bitcoin mining network and participate. So wouldn't it be nice if we could go back to the good old days, when it was possible to mine bitcoins using ordinary general-purpose computing equipment? The approach to getting back there is to come up with a puzzle that reduces the gap between the most cost-effective customized hardware and the general-purpose equipment that ordinary people already have. A separate goal is to try to prevent the very large ASIC manufacturers from dominating the Bitcoin mining game. There are only a few companies with the large-scale semiconductor fabrication capacity needed to actually produce the ASICs, so this represents a sort of consolidation of power. A lot of customers of Bitcoin mining ASICs have the concern that the manufacturers will delay the shipment of their mining devices in order to use the devices themselves, collecting rewards for their own benefit at the expense of their customers.
Another concern is that if there is some breakthrough and a vastly more efficient ASIC design appears, whoever comes up with that design might keep it as a trade secret and use it to build their own very powerful industrial mining center, and then they would be able to dominate the network. So the approach here might be to build a puzzle that reduces the gap between potential future ASIC designs and the ASICs that we already have, which are largely distributed among ASIC mining customers. We're going to start by talking about the most widely used approach to having an ASIC-resistant puzzle. This is called a memory-hard puzzle. The premise here is fairly simple, and it's based on a well-known phenomenon, observed since the 80s, in how the performance of computing equipment changes over time. Since the 80s, processor performance has increased at an exponential rate. You've probably heard of this referred to as Moore's Law. Now, the performance of memory and storage has also increased at an exponential rate, but at a much lower rate than that of processors. There's a performance gap between the most efficient processors and the most efficient memory and storage, and this gap actually grows over time. This means that if we had a puzzle that required lots of memory to compute, rather than just processing circuits, then the potential improvement between the next generation's optimized hardware and the current generation of optimized hardware, or even general-purpose computing equipment, would be much lower, and that's what we want. So we're going to talk now about the most popular instance of a memory-hard puzzle. This is called scrypt. scrypt is actually a memory-hard hash function, and a scrypt-based mining puzzle is the same as the Bitcoin mining puzzle, just replacing the SHA-2 hash with the scrypt hash. scrypt is memory hard in the sense that it has a constant time-memory trade-off.
This means that the hash can be computed using a fixed amount of memory. It's possible to compute it using less memory, but doing so increases the amount of time that it takes to compute. As I mentioned, this puzzle is actually widely used in Bitcoin alternatives, including the second most popular cryptocurrency, Litecoin, and a variety of others. One advantage of scrypt is that this hash function is also used in other places in security, especially password hashing, which has goals similar to ASIC resistance in Bitcoin mining. This gives extra confidence that if there are security problems with the hash function, then other people are looking at them and might find them. The basic way that scrypt works goes in two steps. The first step involves filling a large block of random-access memory with random values, and the second step involves reading from this memory in a random order. I'm going to give a detailed illustration of just how the scrypt hash function works. The goal here is going to be to compute the scrypt hash function of an input string x. In the first step, the goal is to fill a block of memory containing n cells with random values; here n is 36. These values are filled in in sequential order. The first value v1 is simply the hash of the input string x, where the hash function h is an ordinary hash function like SHA-2. The second value v2 is the hash of the previous value v1, which is the same as the hash function applied to the input string x twice, and so on: the third value v3 is the hash function applied to the input x three times. After n iterations, all n memory cells are filled with pseudorandom values, and the last value is the same as the hash function h applied to x n times. In the next step, we're going to read back the values of memory in random order.
We begin by computing an accumulator value a, which involves computing the hash function h one more time on the last value. Then, for n iterations, we use the current value of the accumulator a to pick an index i out of these n memory cells, read that value from memory, XOR it with the current accumulator value a, take the hash h once more of this value, and replace the accumulator's value with this updated value. After n iterations, the final value of the accumulator a is the output of this hash function. Now let me explain the intuition for why this scrypt hash function is memory hard. You can compute it using the n memory cells as just described. It's also possible to compute the scrypt hash value using less memory. Suppose you wanted to cut the amount of memory you needed in half. You could do this by only storing every other value v in the table, only the odd values in this case. Now, what happens if you need to access one of the even-numbered values of v, which you aren't storing? You need to compute it from the values of v that you are storing. You can always compute vi by computing the hash h of v(i-1). This works, and you got away with using less memory, but you had to compute an extra value of h. This intuition holds up in general: on average, if you wanted to reduce the amount of memory by half, you would have to increase the number of computation cycles you need by a factor of one and a half, and so on. To talk a little bit about scrypt as used in practice, there are a couple of disadvantages. One is that even though it has this advantage of being memory hard to compute, the scrypt-based mining puzzle also requires the same amount of memory and n cycles in order to check a proof-of-work puzzle solution. This puts a constraint on how large you can set n, in other words how memory hard you can make it. Now a good question is: is this memory-hard puzzle actually ASIC resistant?
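Here is the two-step construction just described, written out as an added Python example (this is a simplified model, not scrypt itself and not code from the lecture): the cells are filled by iterating SHA-256 standing in for h, the accumulator picks the next index by reducing its first four bytes modulo n, and a second routine computes the same output while storing only every other cell, counting hash calls so the time-memory trade-off shows up as extra work. The target check at the end is the Bitcoin-style puzzle with this hash in place of SHA-2.

```python
import hashlib


class CountingHash:
    """Wraps an ordinary hash (SHA-256 stands in for h) and counts calls,
    so the time/memory trade-off below is visible as extra hash work."""

    def __init__(self):
        self.calls = 0

    def __call__(self, data: bytes) -> bytes:
        self.calls += 1
        return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def pick_index(a: bytes, n: int) -> int:
    """Use the accumulator to choose which of the n cells to read next (assumed rule)."""
    return int.from_bytes(a[:4], "big") % n


def memory_hard_hash(x: bytes, n: int, hf) -> bytes:
    """Full-memory computation: v1 = h(x), v_i = h(v_{i-1}) for n cells, then n hash-driven reads."""
    cells = []
    v = x
    for _ in range(n):
        v = hf(v)
        cells.append(v)                          # cells[i] holds v_{i+1}
    a = hf(cells[-1])                            # accumulator starts as h(v_n)
    for _ in range(n):
        a = hf(xor(a, cells[pick_index(a, n)]))  # a = h(a XOR v_i)
    return a


def memory_hard_hash_half(x: bytes, n: int, hf) -> bytes:
    """Same function with half the memory: keep only every other cell and
    recompute a missing v_i as h(v_{i-1}) whenever the read phase asks for it."""
    stored = {}
    v = x
    for i in range(n):
        v = hf(v)
        if i % 2 == 0:                           # keep v_1, v_3, v_5, ... (cells[0], cells[2], ...)
            stored[i] = v
    last = v                                     # v_n is needed once to seed the accumulator

    def cell(i: int) -> bytes:
        return stored[i] if i in stored else hf(stored[i - 1])  # one extra hash per miss

    a = hf(last)
    for _ in range(n):
        a = hf(xor(a, cell(pick_index(a, n))))
    return a


def compare(x: bytes, n: int):
    """Returns (full_calls, half_calls, outputs_match) for the two strategies."""
    full, half = CountingHash(), CountingHash()
    out_full = memory_hard_hash(x, n, full)
    out_half = memory_hard_hash_half(x, n, half)
    return full.calls, half.calls, out_full == out_half


def is_solution(block_header: bytes, nonce: int, n: int, target: int) -> bool:
    """The mining puzzle: Bitcoin's target check with the memory-hard hash in place of SHA-2."""
    digest = memory_hard_hash(block_header + nonce.to_bytes(4, "big"), n, CountingHash())
    return int.from_bytes(digest, "big") < target


def mine(block_header: bytes, n: int, target: int, max_nonce: int = 100000):
    """Try nonces until one satisfies the target; every attempt costs 2n+1 hashes and n cells."""
    for nonce in range(max_nonce):
        if is_solution(block_header, nonce, n, target):
            return nonce
    return None


if __name__ == "__main__":
    print(compare(b"constructed input", 36))     # (73, >73, True)
    print(mine(b"constructed header", 36, 2 ** 256 // 8))
```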
And there's some uncertainty here. scrypt ASICs are already available, at least the first generation of them, and they're at least somewhat faster than what you can do with general-purpose computing equipment like CPUs and GPUs. There are several companies competing to make faster scrypt ASICs, and it's unclear how much larger this performance gap will get. There's some concern that in the altcoins that currently use scrypt-based mining puzzles, the parameter n hasn't been set correctly, and this is one of the factors leading to ASICs arriving. This general approach of having a memory-hard hash function is good because, as I mentioned, scrypt is used in other applications like password hashing, so if there are future improvements in password hashing, then memory-hard mining puzzles would be able to use these new password hashing functions to achieve the desired effect. Now I'm going to talk about another approach to a memory-hard proof-of-work mining puzzle. This puzzle is called cuckoo hash cycles, and the main advantage it has over scrypt is that it doesn't require any random-access memory to check a puzzle solution. Here's how this works. For every mining attempt, we start with a potential solution x, which you can think of as a random string, and we use the following procedure to determine whether or not x is a puzzle solution. For the first step, we select E pseudorandom edges in this graph: for each edge, we pick a random node from the top set of nodes and a random node from the bottom set of nodes. We do this by computing hash values, again using the underlying hash function h, which can just be an ordinary hash function. The edges are filled into the graph as illustrated below. Once the graph is complete, we want to determine whether or not there's a cycle in the graph of size k.
A cycle is a set of edges such that if you line the edges up tip to tip, or tip to end, they form a complete loop. Here's what a cycle of size 4 would look like in this illustrated graph. k is another parameter of the puzzle. If the graph determined by input x has a cycle of size k, then we say that x is a solution, and we output the input value x as well as the evidence that there was a cycle: the k indices of the edges. It's not as intuitive why this is a memory-hard function, but the explanation is that finding cycles in graphs is a fairly well-studied problem, and the best known algorithms for doing this do require a large amount of memory. What is really clear to see is that this puzzle is very easy to check. The only thing you need to do in order to check a puzzle solution is to recompute what the edge endpoints would be for each of the k edges provided, using the input value x. You only have to compute k hash functions, and no random-access memory is required. There are even more approaches towards building ASIC-resistant mining puzzles; I'm only going to describe these really briefly. One is to simply build much more complicated hash functions than the ones we've talked about so far. One example of this is the mining puzzle based on the X11 hash function, which is simply 11 well-known hash functions strung together in a sequence. Another approach is to have a mining puzzle that's a moving target: a mining puzzle that actually changes altogether every so often. This means that optimized mining hardware for one puzzle probably wouldn't be good at solving all of the puzzles, and customized mining hardware that's only good at solving one instance of the puzzle won't be very useful once the puzzle does change. It's unclear, though, exactly how we would change the puzzle every so often while maintaining the security requirements that we need.
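The graph-building and checking procedure above, as an added Python example (not the project's own code; it assumes SHA-256 as h, equal-sized top and bottom node sets, and edge endpoints taken from two 4-byte slices of the hash). The checker recomputes only the k claimed edges and holds no graph in memory; the brute-force solver is there only so the example can find a solution for tiny parameters, and real solvers for large graphs are what need the memory.

```python
import hashlib
from itertools import combinations


def h(data: bytes) -> bytes:
    """Ordinary underlying hash (SHA-256 assumed)."""
    return hashlib.sha256(data).digest()


def edge_endpoints(x: bytes, j: int, n_nodes: int):
    """Edge j of the graph determined by x: one top node and one bottom node, both from h."""
    d = h(x + j.to_bytes(4, "big"))
    top = int.from_bytes(d[:4], "big") % n_nodes
    bottom = int.from_bytes(d[4:8], "big") % n_nodes
    return top, bottom


def is_cycle(edges) -> bool:
    """True if these (top, bottom) edges form exactly one simple cycle using all of them."""
    k = len(edges)
    if k < 4 or k % 2:                      # top/bottom graphs only have even cycles of length >= 4
        return False
    adj = {}
    for t, b in edges:
        adj.setdefault(("top", t), []).append(("bottom", b))
        adj.setdefault(("bottom", b), []).append(("top", t))
    # a simple k-cycle touches exactly k distinct nodes, each of degree 2, and is connected
    if len(adj) != k or any(len(nb) != 2 for nb in adj.values()):
        return False
    seen, stack = set(), [next(iter(adj))]
    while stack:
        v = stack.pop()
        if v not in seen:
            seen.add(v)
            stack.extend(adj[v])
    return len(seen) == k


def verify(x: bytes, indices, n_nodes: int, n_edges: int, k: int) -> bool:
    """Checker: k hashes to recompute the claimed edges, no random-access memory."""
    if len(indices) != k or len(set(indices)) != k:
        return False
    if any(not 0 <= j < n_edges for j in indices):
        return False
    return is_cycle([edge_endpoints(x, j, n_nodes) for j in indices])


def solve(x: bytes, n_nodes: int, n_edges: int, k: int):
    """Toy solver: materialises all E edges and tries every k-subset (tiny parameters only)."""
    edges = [edge_endpoints(x, j, n_nodes) for j in range(n_edges)]
    for combo in combinations(range(n_edges), k):
        if is_cycle([edges[j] for j in combo]):
            return list(combo)
    return None


def mine(header: bytes, n_nodes: int, n_edges: int, k: int, max_nonce: int = 500):
    """Try successive nonces until the graph for x = header || nonce contains a k-cycle."""
    for nonce in range(max_nonce):
        x = header + nonce.to_bytes(4, "big")
        sol = solve(x, n_nodes, n_edges, k)
        if sol is not None:
            return x, sol
    return None


if __name__ == "__main__":
    # constructed parameters: 8 top + 8 bottom nodes, E = 20 edges, cycles of length k = 4
    found = mine(b"constructed header", 8, 20, 4)
    print(found, found and verify(found[0], found[1], 8, 20, 4))
```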
Now there's a counterargument that says there's really no point in trying to make an ASIC-resistant puzzle, because the SHA-2 based mining puzzle that we already have is already good enough. The SHA-2 circuit is pretty well understood; we have a good idea of the optimal way of computing SHA-2. As a result, Bitcoin mining ASICs aren't changing very much, and it seems unlikely that there's going to be a breakthrough in computing these proof-of-work solutions any faster. Even as it is today, mining ASICs consist of multiple copies of the same basic SHA-2 circuit, and the only difference between the largest ASICs and the smallest or cheapest ASICs is that they have more copies of the same essential circuit. This means that even the biggest mining ASICs are only a little bit more cost effective than the smaller ASICs: they compute puzzle solutions faster, but they're also more expensive. Now we're going to talk about another possible desired quality for puzzles, which is for them to have some sort of socially beneficial intrinsic use. There's a sense in which Bitcoin mining seems extremely wasteful. If you recall from previous lectures, we think that Bitcoin mining consumes about 150 to 900 megawatts of power in total, and this is comparable to the power output of a really small hydroelectric power plant, for example. This mining work is put towards computing these SHA-2 mining puzzles, which don't serve any purpose outside the Bitcoin mining system. So this raises a very natural question: is there some way that we could have a puzzle where computing the puzzle solution actually provides some sort of useful benefit to society, while still satisfying the basic things that Bitcoin puzzles need? This would amount to something like recycling, and it would have advantages such as lowering the overall cost of the Bitcoin system and potentially reducing Bitcoin's environmental impact.
Now there are a bunch of natural candidates for this that seem like they might work. The general structure of these candidates is that they're problems that involve finding a solution in a potentially very large solution space, where the good solutions that you're looking for are very sparse within this space. This is like finding a needle in a haystack. Problems of this sort include protein folding, where the goal is to find a 3D configuration of a molecule that has a very low potential energy, or searching for extraterrestrial life by looking for anomalous patterns in radio signals from space. For the same reason that these seem like they might work as a Bitcoin mining puzzle, they have been successfully used in the past as crowdsourced distributed computing projects, such as Folding@home and SETI@home. There are a bunch of challenges that would have to be solved in order to use a problem like this in Bitcoin. In the cases that I just described, like Folding@home and SETI@home, there's a trusted administrator of the distributed computing project who is able to choose which instances of the problem all of the participants in the network are supposed to be working on. In Bitcoin there is no trusted administrator to choose the problems, so instead instances of the problem have to be generated pseudorandomly from public information, such as the hash of the last block that was found. In order for these to be useful, randomly generated puzzle instances of this sort would have to still be useful, and randomly generated puzzle instances would also have to be hard to solve. It's not known how to turn any of these problems into such a puzzle scheme. There is one example that seems to work, has already been implemented, and is somewhat used in practice, which is called Primecoin. The goal here is to have a mining puzzle where finding a puzzle solution involves finding a chain of very large prime numbers.
In particular, to find a puzzle solution in Primecoin you have to find a Cunningham chain. A Cunningham chain consists of a sequence of prime numbers p where each of the p's is of the form 2 to the power of some number times a constant a, plus 1. Each p in the sequence has to be a large probable prime, where whether or not it's a probable prime is determined using a probabilistic primality checking algorithm. Also, the first prime number p in the chain has to be a multiple of the hash of the metadata for the block, such as the hash of the previous block, the Merkle root of the transactions, and a random nonce value that miners get to choose. This has been used in an altcoin called Primecoin, and it has actually paid off in some sense: many of the largest known Cunningham chains have come from miners in the Primecoin network. This is interesting because there have been distributed computing projects such as PrimeGrid which have also tried to find prime number chains of this sort. This also adds some confidence that this is truly a hard problem, because a lot of other people are also interested in finding solutions to this sort of problem. So is this actually useful? Well, possibly. There is at least one known use of Cunningham prime number chains, but the kind of Cunningham chains that are found by Primecoin miners are actually entirely overkill for this application. There's another approach towards having a proof of useful work, which is, rather than focusing on the amount of power or work output of the network, to focus instead on the effect of investment in Bitcoin mining infrastructure. Just as an estimate, a lot more than a hundred million dollars has been spent on customized Bitcoin mining hardware overall. This includes designing new Bitcoin mining equipment as well as actually manufacturing it. This Bitcoin mining equipment is very good at computing SHA-2 hashes, but this improvement in technology is only useful for the Bitcoin network.
It has no other use otherwise. So the idea is: what if we could design a puzzle where the investment in newer and better Bitcoin mining hardware would itself be useful, even if the work that's done and the power the network consumes are still wasted? Here's one example of a proposal that has this quality. It's called Permacoin, and the idea is to replace Bitcoin mining rigs, which compute SHA-2 hash functions, with storage devices such as hard drives and memory. The side effect of Bitcoin miners investing in better mining equipment would then be a massively distributed, replicated backup storage system. The way that Permacoin works begins by assuming that we have a large file F which everyone knows about, and the goal of the network is going to be to store this file. For simplicity, imagine that F is chosen globally by a trusted dealer at the beginning. Each user is going to store a random subset of this file. Permacoin is based on an alternative puzzle that uses storage. Assume that you have the file F broken up into several blocks. The first part of Permacoin involves building a Merkle hash tree over the blocks of the file. Every user is going to generate a key pair in order to mine, which includes a public key pk. They're going to use their public key pk to pseudorandomly select a subset of the file segments of F that they're now responsible for storing. For each mining attempt, the miner selects a random nonce value and computes a hash value h1 over the previous block hash, the Merkle root of the transactions, their public key pk, and the nonce value they chose. Rather than checking if this is a puzzle solution immediately, they first have to fetch k pseudorandomly chosen file segments, from the subset that they're storing, which are determined by that hash value h1.
They then compute a second hash value h2, which includes all of the data used to compute the first hash as well as the actual contents of the file blocks of F. This second hash value h2 is compared to a target in order to see if the attempt is actually a valid puzzle solution. So the idea here is that the only way to make attempts at finding a puzzle solution, and to determine whether an attempt is a valid puzzle solution, requires you to store the random subset of file blocks that you were supposed to store based on your public key. Here's one application of the Permacoin storage puzzle, which involves a kind of subtle point about Bitcoin's incentives. There's a cost to being an honest miner in Bitcoin. Remember that honest miners are supposed to validate every Bitcoin transaction that's included in a block. However, validating a transaction requires storing the unspent transaction output database, which at the current time requires about 200 megabytes of storage. Maintaining this unspent transaction output database doesn't help you find puzzle solutions any faster; it's a little bit like unpaid overtime. So the idea would be to use the Permacoin storage-based puzzle to reward miners for actually storing copies of the unspent transaction output database. This would reduce the marginal cost of being honest versus just mining for the sake of getting the rewards. To summarize this section: having a proof of useful work is a very natural goal, but the challenge is to have this secondary side effect while still maintaining the essential security requirements. There's an argument that any benefit would have to be a pure public good, because if there were a way for an individual miner to capture the benefit of the useful work they were doing, then this benefit would also accrue to an attacker. So it would subsidize attacks on the network by the same amount that it adds any secondary improvement to society.
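An added Python sketch of the Permacoin attempt as described in the last two paragraphs (not Permacoin's own implementation): the segment-selection rule, the use of SHA-256 for h, and attaching Merkle proofs so a verifier holding only the file's root can check the fetched blocks are all assumptions of this example. The miner side fails with a KeyError if it tries to fetch a block it did not store, which is exactly the property the puzzle relies on.

```python
import hashlib


def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenated parts (the ordinary hash the puzzle builds on; assumed)."""
    return hashlib.sha256(b"".join(parts)).digest()


# --- Merkle tree over the file blocks, so a verifier can check any block against one root ---
def build_merkle(blocks):
    """Return the tree levels, leaves first; a level with an odd count duplicates its last node."""
    level = [h(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_proof(levels, idx):
    """Sibling hashes from leaf idx to the root, each tagged with whether idx was a right child."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        proof.append((level[idx ^ 1], idx & 1))
        idx //= 2
    return proof


def verify_proof(root, block, idx, proof):
    """Recompute the root from the block, also checking the path really is leaf idx's path."""
    node = h(block)
    for sibling, was_right in proof:
        if was_right != (idx & 1):
            return False
        node = h(sibling, node) if was_right else h(node, sibling)
        idx //= 2
    return node == root and idx == 0


# --- the storage puzzle itself ---
def assigned_segments(pk, num_blocks, m):
    """The m distinct block indices a miner with public key pk must store (derived from pk)."""
    chosen, ctr = [], 0
    while len(chosen) < m:
        i = int.from_bytes(h(pk, ctr.to_bytes(4, "big"))[:4], "big") % num_blocks
        if i not in chosen:
            chosen.append(i)
        ctr += 1
    return chosen


def challenge_picks(h1, my_segments, k):
    """The k segments (from the miner's own subset) that h1 forces this attempt to fetch."""
    return [my_segments[int.from_bytes(h(h1, j.to_bytes(4, "big"))[:4], "big") % len(my_segments)]
            for j in range(k)]


def mine(prev_hash, tx_root, pk, storage, levels, num_blocks, m, k, target, max_nonce=10000):
    """Miner side: first attempt whose h2 is below target, with Merkle proofs attached."""
    my_segments = assigned_segments(pk, num_blocks, m)
    for n in range(max_nonce):
        nonce = n.to_bytes(4, "big")
        h1 = h(prev_hash, tx_root, pk, nonce)              # first hash: touches no storage
        picks = challenge_picks(h1, my_segments, k)
        contents = [storage[i] for i in picks]              # KeyError if a block was not stored
        h2 = h(prev_hash, tx_root, pk, nonce, *contents)    # second hash binds the block contents
        if int.from_bytes(h2, "big") < target:
            return {"nonce": nonce, "picks": picks, "contents": contents,
                    "proofs": [merkle_proof(levels, i) for i in picks]}
    return None


def verify_solution(prev_hash, tx_root, pk, sol, file_root, num_blocks, m, k, target):
    """Verifier side: needs the file's Merkle root, not the file."""
    my_segments = assigned_segments(pk, num_blocks, m)
    h1 = h(prev_hash, tx_root, pk, sol["nonce"])
    if sol["picks"] != challenge_picks(h1, my_segments, k):
        return False
    for idx, blk, proof in zip(sol["picks"], sol["contents"], sol["proofs"]):
        if not verify_proof(file_root, blk, idx, proof):
            return False
    h2 = h(prev_hash, tx_root, pk, sol["nonce"], *sol["contents"])
    return int.from_bytes(h2, "big") < target


# constructed sample: a 16-block "file", one miner storing 6 of them, an easy target (about 1 in 4)
FILE_BLOCKS = [b"segment-%02d-" % i + b"x" * 20 for i in range(16)]
LEVELS = build_merkle(FILE_BLOCKS)
FILE_ROOT = LEVELS[-1][0]
PK = b"miner-public-key-placeholder"
STORAGE = {i: FILE_BLOCKS[i] for i in assigned_segments(PK, 16, 6)}
TARGET = 2 ** 256 // 4
PREV, TXROOT = h(b"previous block"), h(b"transactions")


def demo():
    """Returns (genuine solution verifies, solution with forged block contents verifies)."""
    sol = mine(PREV, TXROOT, PK, STORAGE, LEVELS, 16, 6, 3, TARGET)
    ok = verify_solution(PREV, TXROOT, PK, sol, FILE_ROOT, 16, 6, 3, TARGET)
    forged = dict(sol, contents=[b"forged" + c[6:] for c in sol["contents"]])
    return ok, verify_solution(PREV, TXROOT, PK, forged, FILE_ROOT, 16, 6, 3, TARGET)


if __name__ == "__main__":
    print(demo())   # (True, False)
```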
Potentially viable approaches to this include storage and finding large chains of prime numbers, but other approaches could be possible as well. So even though some of these useful proofs of work have been implemented in practice, arguably the benefit to society so far from these is pretty minimal. Now we're going to talk about another topic for alternative puzzles, which is puzzles that discourage consolidation of mining power. Bitcoin miners mostly participate by joining mining pools rather than participating as independent individuals. This means that very large mining pools directed by a central pool administrator become a very large potential consolidation of power. Bitcoin's core value is decentralization, so this consolidation of power poses a big threat to Bitcoin's core values. If the power is consolidated in a few large centrally managed pools, then the large pool operators become a juicy target for attacks like coercion or hacking. So a point could be made that we might want to discourage the very large pools from forming. There's even an analogy to voting here. It's illegal in the United States, for example, to sell your vote to someone for money, and arguably participating in a pool controlled by someone else is akin to selling your vote in the Bitcoin network. Recently this has become a popular problem because the very largest Bitcoin mining pool, GHash.IO, has reached more than 50% of the network's overall hash power. This has led to a bunch of public outcries explaining that this is a very big threat to Bitcoin and spells doom, or something to that effect, and demanding technical solutions to this problem. The observation behind one technical approach to this problem is that members of a Bitcoin mining pool don't inherently trust each other.
Actually, pools can only form and become very large because members of the pool are able to prove to the pool operator that they're toeing the line, doing mining work that can only benefit the pool as a whole. This works by using the shares protocol that was described in earlier lectures. Recall that in a Bitcoin mining pool there's typically a pool operator who has a well-known public key. Each of the miners sends their near misses, or mining shares, to the pool operator to show that they're mining on a puzzle that directs the reward to the pool operator's public key. When a solution is found, the pool operator then distributes the rewards among the pool participants who have contributed to finding the solution. Now there's an interesting attack on Bitcoin mining pools which we're going to call the vigilante attack. Suppose that there's a pool member who's very upset with a large mining pool. He can participate in the pool by mining and submitting his near-miss share values to the pool operator just like normal. But in the event that he actually finds a Bitcoin puzzle solution that would reward the pool, he just throws it away and doesn't tell the pool operator about it. The effect of this attack is that the overall effective mining output of the mining pool is reduced. However, the vigilante only loses a little bit: he still gets rewards for other puzzle solutions that are found, in proportion to the shares that he submits. One problem with this attack is that the vigilante still has to lose something and doesn't gain anything, and so it seems unwise to rely on vigilantes like this monitoring the network and rightfully choosing when to do this, only attacking large pools. Here's an illustration of what the vigilante attack looks like: the vigilante still submits shares to the pool operator, and if he finds a solution, discards it.
So the approach of a non-outsourceable puzzle is to encourage the vigilante to perform this attack in the following way. We'd like to make it so that whoever actually finds the Bitcoin puzzle solution is able to take the reward for themselves. Then the vigilante would have a direct personal incentive to perform the same attack and harm the pool. The approach to having a puzzle that works this way is to have a puzzle where each puzzle attempt requires signing the puzzle solution value using a public/private key pair. In particular, each attempt at a puzzle solution requires knowledge of the private key, and that same private key would then be used to spend the reward later. As an illustration of this, instead of just the pool operator having a key, any of the mining pool participants who are contributing mining resources would also have to have knowledge of the private key in order for their mining to be effective. If any one of them does find a solution, then they would be able to take the money. A secondary goal is that we'd like to even provide the ability for mining pool members who do this to evade detection. Now I'm going to describe how a particular instance of a non-outsourceable puzzle would work. A solution to this puzzle contains the same information as an ordinary Bitcoin puzzle, including the previous block hash, a Merkle root which is a commitment to all of the transactions to be included in this block, and an arbitrarily chosen nonce value. It also includes a public key pk, for which the miner would have to know the corresponding private key in order to find puzzle solutions. It's also going to include two signatures, S1 and S2, made using this key pair. The first step in determining whether a particular nonce value is a puzzle solution is to create a signature S1 using the key pair. This has to be a valid signature over the previous block hash as well as the nonce value that's been chosen.
In order to tell if this nonce is a valid solution, you compute the hash h over the string containing the previous block hash, the public key, the nonce and the signature S1, and then compare this hash value to a target, just like in Bitcoin's puzzle. Only after you find out that this nonce is a valid puzzle solution do you compute a second signature S2 using the same key pair, and only in this signature do you include the Merkle root of the transactions. So the idea is that you need to be able to compute the signature S1 with the private key in order to find out whether you've found a puzzle solution, and only if you have do you compute the second signature S2, which chooses the transactions that are going to be included. This means that to find a puzzle solution you have to know the private key, and if you know the private key you get to choose the transactions, including the one that directs the reward to yourself. A pool operator who handed that key to its members so they could mine on its behalf would be handing them the reward as well. There are several potential concerns with this non-outsourceable puzzle. One problem is that it basically throws the baby out with the bathwater. This non-outsourceable puzzle would discourage all pools from forming, not only the centralized ones that were the original motivation for it but also the harmless decentralized mining pools like P2Pool that were discussed in previous lectures. The effect could be that miners discouraged from participating in any mining pool find themselves steered towards other forms of outsourcing that are even more harmful, such as hiring hosted mining services to do their mining for them. Hosted mining services are potentially an even larger threat to the decentralization of Bitcoin's mining power, because the hosted mining administrator is in physical possession of all of the mining rigs.
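The three-step puzzle just described, as an added Python example written for this edit; it is not code from the lecture or from the research it summarizes. The signature scheme is a toy Schnorr signature over the multiplicative group modulo the Mersenne prime 2^127 - 1 with a deterministic per-message nonce, chosen only so the example is self-contained and reproducible; it is not a secure parameter choice and not what a deployment would use. The target, the key seeds, and the decision to have S2 also cover S1 (so that the transaction commitment is bound to this particular solution; the lecture only says S2 includes the Merkle root) are assumptions of the example.

```python
import hashlib

# Toy Schnorr signature. The group is the multiplicative group modulo the Mersenne
# prime 2^127 - 1 with generator 3, and exponents are reduced modulo P - 1. This is
# only to keep the example self-contained and fast; it is NOT a secure parameter choice.
P = 2**127 - 1
ORDER = P - 1
G = 3
TARGET = 2**256 >> 8   # constructed: roughly one nonce in 256 is a solution

def H(*parts) -> int:
    """SHA-256 over the '|'-joined string form of the parts, as a 256-bit integer."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def keygen(seed: str):
    sk = H("sk", seed) % ORDER or 1
    return sk, pow(G, sk, P)

def sign(sk: int, *msg):
    # Deterministic per-message nonce (RFC 6979 style) so that S1 is a fixed function
    # of (key, prev_hash, nonce): only the key holder can evaluate a puzzle attempt.
    k = H("k", sk, *msg) % ORDER or 1
    r = pow(G, k, P)
    e = H(r, *msg) % ORDER
    s = (k + e * sk) % ORDER
    return (r, s)

def verify(pk: int, sig, *msg) -> bool:
    r, s = sig
    e = H(r, *msg) % ORDER
    return pow(G, s, P) == (r * pow(pk, e, P)) % P

def try_nonce(sk: int, pk: int, prev_hash: str, nonce: int):
    """Steps 1 and 2: S1 needs the private key; then hash (prev, pk, nonce, S1) against the target."""
    s1 = sign(sk, prev_hash, nonce)
    return H(prev_hash, pk, nonce, s1) < TARGET, s1

def mine(sk: int, pk: int, prev_hash: str, merkle_root: str, max_nonce: int = 100_000):
    for nonce in range(max_nonce):
        ok, s1 = try_nonce(sk, pk, prev_hash, nonce)
        if ok:
            # Step 3: only now commit to the transaction set (and thus the reward) with S2.
            s2 = sign(sk, prev_hash, nonce, s1, merkle_root)
            return {"prev": prev_hash, "pk": pk, "nonce": nonce, "s1": s1,
                    "merkle_root": merkle_root, "s2": s2}
    return None

def verify_solution(sol: dict) -> bool:
    """What every node checks; it needs only the public key."""
    prev, pk, nonce = sol["prev"], sol["pk"], sol["nonce"]
    return (verify(pk, sol["s1"], prev, nonce)
            and H(prev, pk, nonce, sol["s1"]) < TARGET
            and verify(pk, sol["s2"], prev, nonce, sol["s1"], sol["merkle_root"]))

def redirect_reward(sk: int, sol: dict, new_merkle_root: str) -> dict:
    """Whoever holds sk can re-sign S2 over a different transaction set, so the reward
    follows the key: a pool cannot hand out the key without handing out the reward."""
    s2 = sign(sk, sol["prev"], sol["nonce"], sol["s1"], new_merkle_root)
    return {**sol, "merkle_root": new_merkle_root, "s2": s2}

if __name__ == "__main__":
    sk, pk = keygen("miner-key-seed")                 # constructed key seed
    sol = mine(sk, pk, "prev-block-hash", "merkle-root-paying-pool")
    print("nonce", sol["nonce"], "valid", verify_solution(sol))
    stolen = redirect_reward(sk, sol, "merkle-root-paying-me")
    print("redirected still valid:", verify_solution(stolen))
```

The two checks worth noticing are that swapping the Merkle root without re-signing breaks S2, while the key holder can re-sign S2 over any transaction set and the block stays valid, and that a party without the private key cannot even compute the S1 needed to test a nonce, so there is no work to outsource that does not also leak control of the reward.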
Now there are potential approaches to addressing these concerns, but that's an ongoing research project and I won't get into the details here. In this section we're going to talk about a technique called proof-of-stake mining puzzles and a variety of related techniques, which all together I'll call virtual mining because they don't involve any computational work at all. The motivation for this is that Bitcoin mining seems to have an unnecessary step. If you look at the economics of the Bitcoin mining ecosystem, miners earn monetary rewards in the form of bitcoins. They have to spend money buying power and equipment in order to operate their mining rigs, and they use those rigs to find puzzle solutions, which in turn earn them the reward. So what would happen if we removed the step of spending money on power and equipment? In that case you would have something like the following, which is what I mean by virtual mining. Instead of mining with computational hardware like Bitcoin mining rigs, you mine just by using the money that you would have spent on mining rigs directly within the system. Think of this as sending your money to a special address; a winner of the mining reward is then chosen based on the amount of money that miners have contributed by sending it to this special address. It would be possible in a virtual mining scheme like this to essentially recreate the same dynamics and reward structure as in current Bitcoin mining. The only thing that's removed is the external step of having to use real power and real hardware. Now there are a bunch of potential benefits to a virtual mining system like this. One is that it would definitely lower the overall cost of the Bitcoin mining system: virtual mining, since it doesn't involve using any power or manufacturing any special hardware, would have no impact on the environment.
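The "winner is chosen based on the amount contributed" step is a stake-weighted lottery, and it has to satisfy the same proportionality requirement discussed at the start of the lecture. The following added Python example, written for this edit and not taken from the lecture, draws a winner from a seed every node agrees on in proportion to stake, and also weights stake by coin age in the way the proof-of-stake variant described later in this section does: stake grows with the time since a coin last moved and resets when the coin is used. The seed string, the sample stakes and the coin records are constructed.

```python
import hashlib

def draw(seed: str, round_no: int, stakes: dict) -> str:
    """Pick one unit of stake uniformly from the total and return its owner, so each
    participant wins with probability proportional to what they staked. `seed` stands
    in for something every node agrees on, such as the previous block hash."""
    total = sum(stakes.values())
    if total <= 0:
        raise ValueError("nothing is staked")
    digest = hashlib.sha256(f"{seed}|{round_no}".encode()).digest()
    r = int.from_bytes(digest, "big") % total
    for owner, amount in sorted(stakes.items()):   # sorted: every node walks the same order
        if r < amount:
            return owner
        r -= amount
    raise AssertionError("unreachable: r < total")

def win_frequencies(seed: str, stakes: dict, rounds: int) -> dict:
    """Empirical check of the proportionality requirement over many rounds."""
    counts = {owner: 0 for owner in stakes}
    for round_no in range(rounds):
        counts[draw(seed, round_no, stakes)] += 1
    return {owner: c / rounds for owner, c in counts.items()}

def coin_age_stakes(coins: list, now: int) -> dict:
    """Proof-of-stake weighting: a coin's stake is its amount times the time since it last moved."""
    stakes = {}
    for coin in coins:
        age = now - coin["last_moved"]
        stakes[coin["owner"]] = stakes.get(coin["owner"], 0) + coin["amount"] * age
    return stakes

def use_coin(coin: dict, now: int) -> dict:
    """Spending a coin, or entering it in the lottery, resets its age to zero."""
    return {**coin, "last_moved": now}

if __name__ == "__main__":
    stakes = {"alice": 50, "bob": 30, "carol": 20}   # constructed sample stakes
    print(win_frequencies("prev-block-hash", stakes, 20000))
    coins = [{"owner": "alice", "amount": 10, "last_moved": 0},     # constructed coin records
             {"owner": "bob", "amount": 5, "last_moved": 50}]
    print(coin_age_stakes(coins, now=100))
    print(coin_age_stakes([use_coin(coins[0], 100), coins[1]], now=100))
```

Over many rounds the win frequencies track the stake fractions, which is the proportional-chance property; an attacker with no stake in the system has no way to enter the draw at all, which is the point of the 51% argument that follows.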
You can think of the savings that would result from this as being distributed to all of the holders of coins in the system. There's another argument, which is that holders of the Bitcoin currency are stakeholders in the currency. They have an incentive to do things that benefit the Bitcoin system as a whole, because that increases the value of the coins they hold. So the argument is that the very people who are stakeholders in the currency have incentives aligned with being good stewards of the system. Because there are no ASICs involved, there's no concern about an ASIC advantage, so any virtual mining puzzle is also an ASIC-resistant puzzle. And finally there's an argument that this approach would reduce the hazard of 51% attacks, whereby the network is dominated by very large miners with extremely powerful equipment. Let me describe this argument in a little more detail. The argument is basically that the Bitcoin economy is smaller than the overall world economy. It's possible for an attacker with a lot of wealth outside the Bitcoin network to acquire very large mining rigs that they could not acquire using only wealth held inside the Bitcoin network. To illustrate, imagine a wealthy attacker, such as a nation state or just some very wealthy individual, who is able to purchase very large and powerful mining equipment. All of their wealth is outside the system, yet they're able to acquire these mining resources and use them to attack the Bitcoin economy. If mining were instead based on the coins inside the network, a wealthy attacker couldn't go outside the network to find more mining power. The only way they could acquire the amount of virtual mining power they would need to attack the network would be to buy up 51% of all of the coins in existence.
This would require them to go to Bitcoin exchanges and exchange whatever form of wealth they already had for the tokens inside the system, which would likely drive up the price of the coins while they were doing so. It's arguably much more expensive to acquire half of the value of all bitcoins than to acquire mining power larger than half the existing Bitcoin network, so this provides an extra disincentive against conducting such a large-scale attack. Now there are a bunch of variations of virtual mining, and I'll describe some of them. The original one is called proof of stake, which assigns to each coin in the system a stake value that grows over time as long as the coin isn't used. Every time you spend a coin, include it in a transaction, or enter it in a mining puzzle by mining with it, the stake value for that coin is reset. Another alternative is called proof of burn. In this scenario, when you decide to mine using a coin you actually have to send it to an unspendable address, so the coin is essentially deleted, gone forever; on the other hand you do have a chance of winning a mining reward, which would replace the coins you put in. Another variation is called proof of deposit. This involves mining with your coins by depositing them in something like a time-locked account: they aren't burned forever, and you'll be able to get them back, but only after some amount of time has passed. Effectively, by choosing to mine with your coin in this scheme you're paying the opportunity cost of whatever else you could have done with your coin at that time. The last variation is proof of activity. In this variation everyone with a coin is automatically entered into the mining lottery.
If one of your coins is chosen, then you're responsible for choosing the next block, and you have to respond by creating a signed message about the block you choose within a certain amount of time. Now virtual mining puzzles like these are an active area of ongoing research, and there's a large open problem which we don't know the answer to yet. It goes like this: is there any form of security that you can only get by having a proof-of-work system that really burns real resources, requiring real computational hardware and real electrical power to find puzzle solutions? If so, if there is some kind of security you can only get with a proof-of-work puzzle and not with virtual mining, then the apparent waste of the proof-of-work system is actually just the cost of the security that you get. On the other hand, if it turns out that virtual mining can provide exactly the same security as a proof-of-work system, or more, then it seems likely that proof-of-work systems, because they're so much more expensive, will eventually give way to cheaper alternatives based on virtual mining. This question is as yet unanswered. Let's conclude this lecture by summarizing some of the things we've just talked about. We've discussed a variety of approaches to designing alternate Bitcoin mining puzzles that achieve a variety of different goals. These include preventing ASIC miners from becoming a consolidated source of power in the Bitcoin ecosystem. We've discussed puzzles that prevent large mining pools from becoming consolidations of power. We've also discussed puzzles that have some intrinsic usefulness that can help society and reduce waste. And we've looked at the option of a mining puzzle that doesn't require any computational hardware at all. For now the best trade-off between these puzzles is unclear.
Our speculation about the future is that for the near future there will be many alternatives coexisting, and it will continue to be unclear exactly which alternative is the best. In the next lecture we're going to talk about Bitcoin as a platform. This will include applications beyond just the currency that we've seen so far, such as prediction markets, smart contracts, financial derivatives, and many more.