 Hello, and welcome to the final lecture of the series on Bitcoin and cryptocurrencies, titled, perhaps appropriately enough, The Future of Bitcoin. And you'll see that I had a question mark there, and I put a question mark there for two reasons. One is that I'm not claiming to have any special insight into what the future of Bitcoin is going to be. I'm not going to make any predictions. You can think of this as possibilities for the future of Bitcoin, perhaps. But another more important reason that I wanted to have a question mark there is that a lot of these ideas for where Bitcoin is going to go and where cryptocurrency technologies are going to go and where blockchain technologies are going to go has come from entrepreneurs and developers and hobbyists, et cetera. And that's great. One of the consequences it's had is that this conversation has tended to be a little bit breathless at times of how blockchain technologies are going to revolutionize the world. It's great to see that kind of enthusiasm, but as an academic researcher, one of my roles is to consider all of these proposals and to categorize them, analyze their pluses and minuses, and necessarily almost take a little bit of a skeptical view and so on. So I'll be doing that in this lecture as well. And that's the other reason I had the question mark in there. So we're going to be taking a look at these technologies, but also sort of analyzing them critically. Okay. So the future of Bitcoin, that could be interpreted in a few different ways. One is thinking about how the Bitcoin system itself is going to change. Are there going to be major forks, and we've seen hard forks and soft forks before. We've seen what that would look like potentially. One could think about whether that's going to happen and what new features would go on if that were to happen. One could talk about efficiency and scalability improvements and so on. So modifications to the Bitcoin system itself. 
That's not quite the sort of thing that I'm interested in in this lecture. In particular, what I mean when I say the future of Bitcoin is a set of ways in which blockchain technology can be used. It's been proposed to decentralize a variety of things. Stocks, bonds, even property, whatever that means. We'll see. So in other words, people have looked at Bitcoin and went, hmm, we managed to decentralize currency. That actually worked. Let's decentralize everything. So it's this notion of decentralizing everything that we're going to drill pretty deep into. We're going to look at the technology and we're also going to try to understand if that's a good idea for society. Is it a good idea economically, et cetera? Okay. So what do I mean by this? More specifically, let's look at blockchain as a vehicle for decentralization and I'm going to have a motivating example that I'm going to use to begin talking about this, but also come back to again and again in this lecture. It's going to be our running example. And this is something that's called smart property. Smart property is something that's been proposed, been around as an idea even before Bitcoin, but now it's taken on a much more concrete form. So let's look at what smart property is and how that would work and how that would be integrated with the Bitcoin blockchain. So here's the idea. Let's look at it through the example of a car and car ownership and selling a car and so on. So the first key idea is that the car is controlled by a cryptographic key. You have a digital key that opens your car, but further there is some crypto that's built into it. How does that crypto work? The car has a public key that's hard coded into it. And your key is going to have the corresponding private key corresponding to this public key. And therefore, perhaps when you approach the car, your key is going to automatically send a signed message to the car using, for example, Bluetooth. 
And the car having the right public key is able to recognize the authorized signature. And since only your specific key has the right private key embedded into it, nobody else will be able to fake that signature. And so you'll be able to approach and enter the car. So this is a foundational idea of smart property that we're going to take it to the next step, but this is where it starts. And this, I have to say, if you are going to make a digital car key, this is probably a really good way to do it. This is much better than a solution, for example, where the car has a secret number encoded into it, and your key also has a secret number, and your key simply sends that secret number to the car, which verifies if it got the right secret number. This is, of course, really insecure because it's subject to replay attacks and so on, but instead, an asymmetric cryptography-based solution is a good way for authorizing the owner to enter the car. So let's assume that we have a car that works in this fashion. What can we do with this? In particular, what does it mean to integrate this with the blockchain? Let me show you. So the next step in this design is that instead of having this public key hard-coded, what this car is going to do is it's going to dynamically update its public key based on what's going on in the blockchain. So what does that mean? When the car rolls out of the factory, it might have a particular transaction in the blockchain hard-coded into it. So with the understanding that whoever owns the private key corresponding to the output address of that transaction basically controls the car. So in other words, the public key that the car uses to authorize the right owner corresponds to the public key that's the output address of this bitcoin transaction. So you'd have to have some specific types of crypto to make it work. The signature scheme that the car is using should be the same as the signature scheme that bitcoin uses and so on. 
But those are technical details that we can assume can be easily worked out. And the car, you have to assume, is running a bitcoin node and is constantly listening to the blockchain and using that to update its key. So how might that work? So this is a block in the blockchain. The next block rolls around. Nothing of particular interest happens. And now we have one more block, but here there is something interesting. We have a transaction in the new block which consists of transferring this particular transaction to a new address. And that new address, let's say, happens to be the public key of Bob. And so what will happen now is that the car will automatically update its public key upon noticing this transaction to be this new public key. And whoever has the private key corresponding to this public key will now be able to send the appropriate authorized signed message to the car in order to activate it. And that's going to be Bob now. So Bob's key now activates the car. And in this universe, there is no distinction between ownership of the car and the technical ability to open the car or activate the car by sending the right signature. So if we make that assumption, this bitcoin transaction actually constitutes a change in ownership of the car. So that sounds pretty crazy, but now we're actually going to take it to the next level of technical sophistication. What we're going to do is it's not enough to just have a way to transfer ownership of the car. For this to be meaningful in the real world, you have to have something that represents what a sale of the car might look like, sale of the used car from Alice to Bob. So what's necessary there? Not merely transfer of ownership of the car, but also transfer of payment from Bob to Alice. 
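The car logic described above, as an added example in Go that is not part of the lecture: the car follows its ownership output through new blocks and unlocks only for a signature over a fresh nonce, so a recorded response is useless later. Ed25519 stands in for Bitcoin's ECDSA, and the transaction layout, the rule that ownership moves to output 0, the per-unlock nonce and all keys are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Outpoint names one output of one transaction.
type Outpoint struct {
	TxID  string
	Index int
}

// Tx is a constructed, simplified transaction: one spent outpoint and outputs
// that each lock to a public key. Real Bitcoin transactions carry scripts.
type Tx struct {
	ID      string
	Spends  Outpoint
	Outputs []ed25519.PublicKey
}

// Car is the firmware state: which output stands for ownership, whose key
// unlocks, and the nonce the car is currently waiting to see signed.
type Car struct {
	token     Outpoint
	owner     ed25519.PublicKey
	challenge []byte
}

func NewCar(factory Outpoint, owner ed25519.PublicKey) *Car {
	return &Car{token: factory, owner: owner}
}

// ProcessBlock follows the ownership output. Blocks are assumed to be already
// validated by the node the car runs. Assumption: ownership moves to output 0.
func (c *Car) ProcessBlock(txs []Tx) {
	for _, tx := range txs {
		if tx.Spends == c.token && len(tx.Outputs) > 0 {
			c.token = Outpoint{TxID: tx.ID, Index: 0}
			c.owner = tx.Outputs[0]
			c.challenge = nil // drop any nonce issued under the previous owner
		}
	}
}

// NewChallenge issues a fresh random nonce for the key fob to sign.
func (c *Car) NewChallenge() []byte {
	c.challenge = make([]byte, 32)
	if _, err := rand.Read(c.challenge); err != nil {
		panic(err)
	}
	return append([]byte(nil), c.challenge...)
}

// Unlock verifies a signature over the outstanding nonce with the current
// owner key. The nonce is consumed on every attempt, valid or not.
func (c *Car) Unlock(sig []byte) bool {
	ch := c.challenge
	c.challenge = nil
	return ch != nil && ed25519.Verify(c.owner, ch, sig)
}

// keyFromSeed builds a deterministic, constructed key pair for the demo.
func keyFromSeed(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// Scenario: Alice unlocks, an eavesdropper replays her response, the ownership
// output is then spent to Bob, and both try to unlock again.
func Scenario() (first, replayed, aliceAfterSale, bobAfterSale bool) {
	alicePub, alicePriv := keyFromSeed(1)
	bobPub, bobPriv := keyFromSeed(2)
	car := NewCar(Outpoint{TxID: "factory-tx", Index: 0}, alicePub)

	captured := ed25519.Sign(alicePriv, car.NewChallenge())
	first = car.Unlock(captured)

	car.NewChallenge() // new nonce: the recorded signature no longer matches
	replayed = car.Unlock(captured)

	// A block with nothing of interest, then the block carrying the transfer.
	car.ProcessBlock([]Tx{{ID: "unrelated", Spends: Outpoint{TxID: "other", Index: 1},
		Outputs: []ed25519.PublicKey{alicePub}}})
	car.ProcessBlock([]Tx{{ID: "sale-tx", Spends: Outpoint{TxID: "factory-tx", Index: 0},
		Outputs: []ed25519.PublicKey{bobPub}}})

	aliceAfterSale = car.Unlock(ed25519.Sign(alicePriv, car.NewChallenge()))
	bobAfterSale = car.Unlock(ed25519.Sign(bobPriv, car.NewChallenge()))
	return
}

func main() {
	first, replayed, alice, bob := Scenario()
	fmt.Println("owner unlock:", first, "| replay:", replayed,
		"| Alice after sale:", alice, "| Bob after sale:", bob)
}
```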
But here is the key technical problem, even if we assume that Alice and Bob managed to get to the same physical place at the same time, which in the car example is natural, but of course we might want to use this technology for other things like selling something over the internet. But let's not even get to that level of complexity. Even if Alice and Bob are in the same place over the same time, these ownership transfers or transfers of payments are things that are happening purely in the blockchain with no physical record on real paper or their actual signatures or anything like that. But one of them has to go first. If Alice transfers her car ownership to Bob, Bob might claim that's the end of the transaction and walk away without making the payment. So how will Alice prove to somebody if she say wants to sue Bob that Bob didn't hold up his end of the transaction? That seems like a problem. So we actually want to find a technological solution to this. So to solve this problem of Alice and Bob being able to pay each other, but with neither of them being able to quit the transaction once the other one has done their half of the transaction, here's the technical solution that we can use. We're going to create a single Bitcoin transaction that combines Bob's payment to Alice with Alice's ownership transfer to Bob. And recall that this is a technique that we've used before. We've used it before in CoinJoin to create a single transaction that combines different parties' funds together to get it out in a different order. And we're using the same technique here. Now this transaction has two inputs and two outputs. The first input and the first output corresponds to what the car understands to be representations of ownership of the car. But the second input and the second output corresponds to the Bitcoin payment that Bob is making to Alice in exchange for the car. 
Now to be sure, these inputs, this input and this output will also correspond to actual Bitcoin value, but it will be minuscule Bitcoin value, probably a Satoshi, probably something very little, so it doesn't really matter. The only financial aspect of this transaction that matters is this input and this output that will correspond to the car payment. So as we saw in CoinJoin, you can create a transaction like this and both parties can separately put their signature on it. So that's exactly what Alice and Bob will do. It no longer matters if they're in the same physical place or not. One of them will construct the transaction, sign it, send it to the other, and the other party will not be able to change any of the parameters of the transaction without violating the first party's signature. And so the only option that the other party has is either to quit the transaction, in which case no transfer has happened, either of ownership or of payment, or to put their own signature on the transaction and to broadcast it to the blockchain. And once it gets confirmed to the blockchain, when it has six transactions or whatever number that the car is looking for in order to signal a transfer of ownership, both of these will happen simultaneously. The car will switch owners, at least in the sense of who can control activation of the car, as well as money will switch hands. So we've accomplished something remarkable here and this has some far-reaching consequences. And we're gonna keep coming back to this example and understand this in better detail and talk about the different aspects of what we've seen. But let's start with something basic. So this is a technological way of representing ownership and transferring ownership. But what is the real-world analog exactly that it replaced? And how does this constitute a form of decentralization? Now, if you think about for a real car, as things happen now, what constitutes ownership? It's clearly the title document. 
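The combined sale transaction described above, as an added example in Go (not code from the lecture): each party signs a digest covering every input and output, so the transaction is valid only with both signatures, and any edit made after one party has signed invalidates that signature. Ed25519 and the text serialization stand in for Bitcoin's ECDSA and transaction format; the keys, outpoint names and amounts are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Input references a previous output, with the key and value locked in it.
type Input struct {
	PrevOut string
	Owner   ed25519.PublicKey
	Value   int64
}

// Output locks a value to a public key.
type Output struct {
	To    ed25519.PublicKey
	Value int64
}

// Tx carries one signature slot per input.
type Tx struct {
	Inputs  []Input
	Outputs []Output
	Sigs    [][]byte
}

// Digest commits to all inputs and all outputs, so no field can change
// without invalidating signatures already collected.
func (t *Tx) Digest() []byte {
	h := sha256.New()
	for _, in := range t.Inputs {
		fmt.Fprintf(h, "in|%s|%x|%d\n", in.PrevOut, in.Owner, in.Value)
	}
	for _, out := range t.Outputs {
		fmt.Fprintf(h, "out|%x|%d\n", out.To, out.Value)
	}
	return h.Sum(nil)
}

// Sign fills the signature slot for input i.
func (t *Tx) Sign(i int, priv ed25519.PrivateKey) {
	t.Sigs[i] = ed25519.Sign(priv, t.Digest())
}

// Valid requires a correct signature from the owner of every input and
// inputs that cover the outputs. Either everything moves or nothing does.
func (t *Tx) Valid() bool {
	if len(t.Sigs) != len(t.Inputs) {
		return false
	}
	d := t.Digest()
	var in, out int64
	for i, inp := range t.Inputs {
		if !ed25519.Verify(inp.Owner, d, t.Sigs[i]) {
			return false
		}
		in += inp.Value
	}
	for _, o := range t.Outputs {
		out += o.Value
	}
	return in >= out
}

// clone copies the slices so a tampered variant does not alias the original.
func (t *Tx) clone() *Tx {
	return &Tx{
		Inputs:  append([]Input(nil), t.Inputs...),
		Outputs: append([]Output(nil), t.Outputs...),
		Sigs:    append([][]byte(nil), t.Sigs...),
	}
}

func keyFromSeed(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// Scenario: Alice builds and signs the sale; Bob either stalls, tampers with
// the price before signing, or signs the transaction as written.
func Scenario() (halfSigned, tampered, completed bool) {
	alicePub, alicePriv := keyFromSeed(1)
	bobPub, bobPriv := keyFromSeed(2)
	sale := &Tx{
		Inputs: []Input{
			{PrevOut: "car-token:0", Owner: alicePub, Value: 1},       // ownership token
			{PrevOut: "bob-funds:0", Owner: bobPub, Value: 1_000_000}, // payment
		},
		Outputs: []Output{
			{To: bobPub, Value: 1},           // token goes to Bob
			{To: alicePub, Value: 1_000_000}, // payment goes to Alice
		},
		Sigs: make([][]byte, 2),
	}
	sale.Sign(0, alicePriv)
	halfSigned = sale.Valid() // Bob has not signed: nothing is transferred

	cheat := sale.clone()
	cheat.Outputs[1].Value = 1 // Bob lowers the price after Alice signed
	cheat.Sign(1, bobPriv)
	tampered = cheat.Valid() // Alice's signature no longer matches the digest

	sale.Sign(1, bobPriv)
	completed = sale.Valid()
	return
}

func main() {
	half, tampered, done := Scenario()
	fmt.Println("half-signed:", half, "| tampered:", tampered, "| both signed:", done)
}
```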
So we've gone from this world where the title document represents ownership. And let's be clear, this is a centralized form of ownership. What does that mean? The title document only has meaning to the extent that the DMV recognizes it. And to really drive home that point, when you sell a car, it's not enough to physically transfer this document to somebody else. One of you has to actually go and register that with the DMV. So there has to be a record of this in the centralized database. That's what it means for a car to change hands. So it's that inherently centralized system controlled by the state. And so we've taken the state out of that whole equation and we've made it a purely technological process of what it means for a car to have a certain owner. And furthermore, we've done this pretty cool thing, which is to inherently couple the transfer of ownership of the car and the transfer of the payment. And all this is a completely decentralized process in that there is no intermediary anymore. So we've achieved decentralization in the sense of disintermediation. This is one of the types or levels of decentralization that we're gonna see in this lecture and there are going to be several more. So this is the first of many examples that we'll see in this lecture that allows us to use blockchain technologies to decentralize one of any number, any variety of different types of real world analogs and we'll achieve different types of decentralization but two technical features that are gonna be common to most or all of these examples are what are called representation and atomicity. And we're gonna keep coming back to representation and atomicity, what are these? So representation is the question of how do you encode some sort of complex transaction from the real world into something that can be understood in the blockchain? 
In the example that we saw, the way that we did this is we took the idea of a public key that the car uses in order to look for the right signature to authorize the owner and we simply represented that public key as a Bitcoin address. So we sort of used this hack, this equivalence to solve the problem of representation. Atomicity is the other technical concept which is how do you couple the different sides of a transaction so that they all have to happen together or none of them at all? Atomicity is an important security feature. It's not the only security feature, we're gonna see some others and the sort of thing can happen without atomicity but it's a particularly important one and in general when we talk about a particular way to use blockchain technologies for decentralization it's not really going to be viable unless it supports some form of atomicity. All right, so let's put these questions here that we're gonna use to frame the rest of the lecture. One obvious thing we can ask is what else can we decentralize this way? And we can ask, can this be done using the Bitcoin blockchain itself or does it require an alternative blockchain? And we can talk about what are those other alternatives to atomicity that I alluded to in the previous slide? And finally, something that interests me a lot is it actually a good idea to do commerce like this? What problems does it solve compared to the real world? Does it introduce any new problems? Is it good for society? Is it going to be feasible in a business sense? So these are all questions that I'd like to take up. The first thing to look at though is what are the different routes to blockchain integration? So a lot of different routes to blockchain integration have been proposed and in the Bitcoin community you'll find people who are quite partial to one way or another. So let's look at four different avenues and let's get a quick look at what some of the advantages and disadvantages of these routes are. 
The first one, sort of the obvious default one is to directly use the Bitcoin blockchain itself. And this is the one that we saw in the smart property example as we walk through the steps. The advantage of course is that it's easy to deploy, the blockchain is here, it has all this miner power behind it so we know that it's something that's very secure, the consensus process cannot be easily disrupted. On the other hand, even though we were able to use some hacks in this example to achieve representation and atomicity, it's not always the case, there's no fundamental reason to believe that if you have some arbitrarily complex contract between different parties that it can be represented adequately on the blockchain and that you can execute it atomically. So to get a better idea of what this might look like and what some of the challenges to atomicity and representation are, let's look at a couple more examples in how you might try to decentralize them directly on the blockchain. So the next one we'll look at is the notion of crowdfunding, Kickstarter style for example, but without actually having a centralized intermediary like Kickstarter. So in other words, here's what we wanna happen. We want a completely decentralized system where some entrepreneur can ask for donations or contributions, but we should be technologically assured without the existence of an intermediary that entrepreneur is only able to spend that money if they collect enough of it to reach a certain pre-specified threshold. So here's how we can accomplish that technically just using Bitcoin. What the entrepreneur will do is create a single transaction with an arbitrary number of inputs that can vary as the process continues and a single output for let's say a value of 1,000. And they'll send this around and try to collect contributions. 
And so of course any Bitcoin transaction has the property that it's spendable only if the sum of the inputs is greater than the sum of the outputs or the single output in this case. And what will happen is that this transaction will gradually accrue signatures from people contributing different amounts of money. And each of the parties will only sign her own input and the overall output. And this uses some features of Bitcoin, some little used features of Bitcoin in order to achieve a transaction where you can produce only this limited form of signature. So the entrepreneur will go collecting these signatures, but the Bitcoin transaction will only be spendable if the sum of the inputs eventually reaches greater than or equal to the output value that's been pre-specified. So this is something that you can actually achieve today on Bitcoin, but already we see that it starts to get into some little known corners of Bitcoin. It's not the everyday type of Bitcoin transaction. But now let's look at another example which starts to get even more confusing. And here's what I'm talking about. This is something called paying for a proof. And let me explain it in this way. Let's say that there's a hash function H and Alice claims to know some input X such that hashing X results in some constant y that's known to everybody. In other words, she knows the hash preimage of some value. And now Bob would like to pay Alice in exchange for knowing this value of X. Maybe this number X is the solution to some very valuable proof of work computation. But it doesn't need to be a hash function. It doesn't need to be an input to a hash function that Bob is paying Alice for. It could be the solution to any pure function really. There is some arbitrary function F. Alice claims to know some input X such that F of X equals some known value and Bob would like to pay her for knowledge of this value. But of course, once again, security is a problem. This transaction happens over the internet. 
We wanna make sure that if Bob does pay Alice, then Alice is necessarily forced to transfer knowledge of X to Bob. And one way in which we can achieve that is we can atomically couple Bob's payment with Alice's publication of X onto the blockchain. So here she's not secretly sending X specifically to Bob, but instead she's publishing it onto the blockchain. But maybe that's acceptable to Bob. So this is also something that can be accomplished. But it starts to get quite unwieldy with regular Bitcoin. All right, so now let's move to the second possible route, which I'm gonna call embedding and is also quite popular. And what embedding is all about is it still uses the actual Bitcoin blockchain, but instead it comes up with some sort of arbitrary, maybe quite complex representation scheme for encoding different real-world semantics into the Bitcoin blockchain. So one example of this is colored coins, which you saw in lecture nine. It's colored coins are sort of similar to the representation of car ownership and transfer that we saw in the smart property example, but it's a little bit more elaborate in that in the car ownership example, the car doesn't need to scan the entire history of the blockchain. It just comes hard coded with a particular transaction out of the factory and then it merely watches each block to see if that transaction gets transferred. Colored coins are a little bit more than that. The color of a coin, as it were, is defined by its entire history and where its genesis comes from. And so colored coins are a little bit more sophisticated to implement, but at the same time, it perhaps gives you a bit more. In particular, one interesting thing that it gives you is that everybody can agree upon what sort of transaction corresponds to transfer of car ownership and there can be something else for ownership of some other type of objects and you can define as many of these colors as you want. 
So everybody can look at the blockchain and know that a car sale has happened and how much was paid for it, but of course they don't necessarily know the participant identities. This could be regarded as an advantage or a disadvantage. And then there is also Mastercoin, which is also an example of embedding. It turns out there are a variety of ways in which creative ways in which you can embed arbitrary data into the Bitcoin blockchain. Bitcoin has something called OP_RETURN, which is a type of script that allows 40 bytes of arbitrary data to be encoded. You can also use fake transactions with non-existent addresses. You can exploit multi-signature, et cetera, et cetera. So these are all possible ways in which you can encode data into the blockchain and thus embed your arbitrary transactions into the Bitcoin blockchain itself. Again, it has some advantages and disadvantages, more complex representations obviously. But normally one might think that for getting more complex representations you'd have to use an altcoin and an entirely separate chain altogether that allows those representations, but instead what embedding allows you to do is combine the idea of getting complex representations with utilizing the security of the Bitcoin blockchain with all the mining hash power behind it. On the other hand, the scripting and atomicity are limited by that of Bitcoin itself. But the scripting could get even more limited than just using Bitcoin because these new features that you have defined, these new representations might not interact well with Bitcoin's existing atomicity and scripting properties. Another thing to think about is that it results in unwanted transactions in the Bitcoin blockchain. Now, unwanted is a contentious word. This is a controversial property. 
Some people say that this is just fine, but some people say that you're using the Bitcoin blockchain for unintended purposes, for purposes other than currency, and so they try to discourage this kind of use. I'm not necessarily taking a moral stance on this, but just pointing out that these are the things that one wants to think about if you're using embedding as a vehicle for decentralization. Now, let's move to the third route, which is something called side chains, which you saw in lecture 10. I'll just summarize it, what you learned about in a single sentence. These are, a side chain is a merge mined alternative chain, so it still utilizes some or all of the mining power behind Bitcoin. And the value of the currency represented by the side chain is pegged in a one-to-one fashion, because a proof of burn in either chain allows you to redeem coins in the other chain. And the typical use that it's been proposed for is a Bitcoin testbed. People want to try out different interesting modifications to Bitcoin, and they want to do that without messing with the Bitcoin system itself, but still have interoperability of currency between these two systems. But perhaps we can use side chains with enhanced scripting properties, let's say, in order to achieve some of these complex contracts and other things that one wants to decentralize. The advantage, of course, compared to embedding, which it's somewhat similar to, is that you're not polluting the blockchain. But the downside is that in order to even support the notion of a side chain, Bitcoin modifications are necessary. So who knows if this is going to happen, but if it does happen, it could provide another interesting alternate route. So now let's get to the final route for decentralization, which is having a totally separate alternate chain. 
And the best example of this is Ethereum, which is really intended from the ground up as a platform, as a general framework for this kind of ledger-based consensus, which you can use for all kinds of things, even creating your own currencies. And what Ethereum does, the key feature, is that instead of Bitcoin's limited, stack-based scripting language, it provides Turing-complete scripts. So this seems weird at first, because it can lead to all kinds of problems. A mining node is trying to execute a script and it could get stuck in an infinite loop, for example. So Ethereum has a neat solution for this problem, which is that miner computation will be paid for using an internal currency called gas by entities within Ethereum. In particular, Ethereum has this notion of a long-lived contract, which is sort of a program with a minimal amount of state that lives within the Ethereum blockchain. It gets activated when a transaction is sent to it, it executes for a little bit on the miner nodes and then it shuts down. So contracts are these long-lived things that have their own accounts and their balances and so on. And so they use that to pay for computation from miners. Now, if you can achieve something like Ethereum, then it's pretty much a dream situation for complex representations and atomicity. You can take arbitrarily complex contracts and make sure you can represent them and execute them in an atomic manner. But the concerns, the challenges are more practical. Is something like this even possible? And since it's an alternative chain, will it ever have the sort of mining power necessary to make it really secure, at least in relation to using Bitcoin? And given that you're allowing Turing-complete scripts, what sort of unexpected security problems does that open you up to? So those are the things to think about when one is talking about a totally altcoin-based solution like Ethereum. 
I should point out that Ethereum mostly exists in an idea stage at this point, so it remains to be seen to what extent it will be realized as a practical system. But nevertheless, at least as a thought experiment, Ethereum is fascinating in thinking about what sorts of powerful contracts can be decentralized using blockchain technologies. Coming back to smart property though, let's think about which of these approaches might be best. Well, from a conceptual point of view, any of these is powerful enough to accomplish what we wanted. But when you start to get to more powerful contracts, then there are gonna be a lot of differences between the four approaches and the level of power and flexibility that they offer. But another practical consideration also to keep in mind is that various things like SPV, simplified payment verification proofs are gonna be more or less feasible in some approaches compared to the others. All right, now let's go back to the car sale example and ask what happens if there is a dispute about the sale of a car. Perhaps the seller sold a lemon car to the buyer and now they're not happy with it and they want to reverse the transaction. Recall from one of the early lectures that we learned about escrow transactions, particularly a two out of three escrow, where in addition to the buyer and the seller, there is a judge or a mediator who's involved. And how might an escrow payment look like? So the buyer is going to transfer bitcoins not directly to the seller, but instead to a two out of three address which is controlled jointly by the buyer, the seller and some mediator or a judge. And the two out of three account has a property that if any two of them agree, then they can get the payment out of this intermediate holding address and get it back to either the seller if the transaction goes through smoothly or back to the buyer if there is a dispute and the transaction needs to be reversed. 
But in no case to the mediator's account, they can't steal the money. So that seems like a pretty good technical solution that we can use to build some sort of dispute resolution mechanism on top of it. But you might notice that this seems to lose atomicity. This is a two out of three escrow only for the payment. But as we saw earlier, what we ideally wanted was to couple the payments with the transfer of car ownership itself. That also can be accomplished, but it really starts to get a little bit unwieldy at that point. Nevertheless, let's look at this sort of escrow and dispute mediation and compare that to the traditional real world solution and see what that gives us. So how would dispute mediation happen in the physical world with an actual dispute about car sale? It would probably go through the court system. The court system is a, again, a centralized state controlled mediation process. But what this gives you is the freedom to choose the mediator. This is entirely a private contract between these two parties and they can choose that mediator to be whoever they want. And this could be a good thing in some situations. In particular, you can argue that this notion of an intermediary for dispute resolution, which is the court system, has now been changed from a single entity that everybody must use mandatorily, to a market, a private market, where different entities, different intermediaries can compete based on the perceived fairness, for example, of their dispute mediation process, as well as efficiency, low costs, et cetera, et cetera. There are, of course, a lot of challenges. This sort of situation immediately gives rise to huge conflicts of incentive between the mediator and one of the participants. They could be bribed, for example. So those are things to think about. But one key disadvantage I'll point to is that in the escrow process, forget about even how the dispute mediation happens. 
In the escrow process that you must use in Bitcoin to even enable dispute mediation to take hold, you have to tie up the funds for the period during which either of the parties is allowed to dispute the transaction. And that's a little bit of a problem. It's not a problem that you have in the traditional system. And the reason for that is that in the court system, if there is a dispute and one of the parties refuses to pay up, you have law enforcement, you can go after them, you have their identity. And that's something that's lacking in this system as well as in any of the alternative routes that we've looked at in order to achieve decentralization and we'll return to this point again. But the broader point I wanted to make here is that while earlier, we saw an example of decentralization through disintermediation, completely getting rid of an intermediary. This is also a different form of decentralization, but it's not disintermediation. Instead, we've replaced a single mandatory intermediary with the freedom to choose your own intermediary. And we've seen this before. We've seen this in a different context. In a previous lecture, you saw the notion of decentralizing prediction markets and what we did in that situation is also we allowed, instead of a single party like Intrade running everybody's prediction market, we said anybody can now start a market. Let's really lower the barrier to entry. If somebody wants to run a prediction market for the next presidential election, go for it. And someone else wants to run a prediction market for the Super Bowl, they're free to do so. In fact, multiple people can run different prediction markets for the same event. There's nobody stopping them. So you have this competitive market for intermediaries. So that's another sense of the word decentralization. Okay, so let's put what we've seen in a spectrum. 
On the one end, in terms of the most centralized system, is a single mandatory intermediary. We also just looked at multiple competing intermediaries. And there's one more intermediate step which I'm calling a threshold of intermediaries. We haven't looked at that so far. We'll see that near the end. But finally, what we started out seeing with smart property is complete disintermediation, no intermediary. So I would put all of these on a spectrum. They're not completely distinct categories but it's useful conceptually to sort of think of them that way. Now let's think about another aspect of all of the protocols that we've seen so far, which is security. We started out by saying atomicity is a very important way to achieve security. It's not the only one. We said there are gonna be some alternatives. So what are they? So here are some ways of improving security. We've seen two of these, the ones in the middle, escrow with the dispute mediation as well as atomic exchange which completely automates the process. But there are others. And in fact, the most obvious one perhaps is reputation, where you don't have any particular technological security enhancing mechanism but instead these intermediaries or whoever the parties that you're interacting with build up reputations over the long term and so they build some trust in that manner. Reputation is okay in the absence of other security alternatives like atomic exchange but it has some problems. First of all, the entity has to build up this reputation over the long run. If whoever is the entity you're interacting with is completely pseudonymous or anonymous then reputation doesn't even apply. And we see this problem even with real world reputation systems. For example, restaurants or other businesses that obtain really bad reviews on Yelp might close and reopen, maybe in the same location, maybe in a different location, but simply rebranded. So that's a problem in general with reputation systems. 
Also, for the party to accrue positive or negative reputation, there should be a way for establishing what they did right or wrong that just goes beyond he said, she said. So looking at Yelp again, it does work on a he said, she said model, which sort of works okay because there are real identities in Yelp and people sort of have to use their real names, and of course businesses operate under their real identities. But here we're talking about a universe in which everybody wants to be pseudonymous, and so this sort of model where it's one person's word against another might end up really becoming a non-starter. There are also problems with escrow and dispute mediation. We saw a couple: in the way that escrow is done on Bitcoin, you have to actually tie up your funds and they become unusable during the time when either party has even the ability to challenge the transaction, and of course dispute mediation leads to conflicts of interest and so forth. We've seen atomic exchange; whenever it is technically feasible, then it's probably a good idea. And the last thing, another thing that's been proposed, is trusted hardware. It's not always applicable, but in some cases, for example, it's applicable when the service that you want to pay for is something that's entirely a software program, and so what the developer can do is publish the code and execute it on a trusted hardware module, and so the people who are subscribing to that service or paying for that service can be assured that the code that they can look at and audit is the same code that's executing and providing them the service. But what is really common to all of these ways for improving security in terms of the blockchain-based decentralization paradigm is that ultimately there is no real world enforcement. There are no physical identities, there's no law enforcement, there's no going after people, and so that means two things. One is there can be no debt. 
If we want to do dispute mediation, the lack of the ability for debt is the reason why you have to put in sort of a deposit and lock up those funds during the period when you want dispute mediation to be possible. Also, there are no punitive measures for misbehavior, so this really limits the sort of things you can do. So these are important limitations to keep in mind. Okay, one little thing that I want to point to is that in terms of the vocabulary of security, some people use the word trust minimization. I don't like this term at all. I feel that there is often a confusion between two things. One is the fact that cryptography is often used in contexts where unfortunately there is not much trust between entities, and so the lack of trust is a starting point and cryptography is a solution. This often becomes confused with, oh, now we have this hammer of cryptography, let's try to use this to move to a world where nobody has to trust anyone anymore. And so trust minimization is not the goal. Lack of trust is not the model that we're hoping to move to; it is instead our unfortunate starting point. But really trust is not really the right lens to look at it. It's not whether you trust the motives of some individual but whether they're going to behave in the manner that they have specified, and it could be not only because they're untrusted but because they got hacked, et cetera, et cetera. So let's not really use the word trust and instead talk about security. All right, so let's summarize a lot of what we've seen so far. 
One of the things that we want to talk about in terms of decentralization is what is being decentralized. We've looked at a couple of examples, smart property, pay for proof and so on, but we're gonna see a lot more, so we haven't really talked about the first bullet. Instead, the three things that we've talked about in this section are what type of blockchain integration, and we saw four examples: directly on the blockchain, embedding, sidechains, and a totally different alternative chain altogether. We talked about levels of decentralization; again we talked about four points on a spectrum ranging from completely disintermediated to completely centralized. And finally we talked about different ways of enhancing security. So a key point that I wanna make in this lecture, and you'll see through the next several slides, is that asking these four questions gives you a powerful and generic decentralization template that can be used to understand and succinctly represent almost any of the proposals that you see in the Bitcoin community for blockchain based decentralization. Let's go ahead and see some examples of this. Let's go back to smart property once again. So what is smart property? It decentralizes the notion of property ownership and trading, which are two related but somewhat distinct things, and it decentralizes in the sense of disintermediation: you don't need an intermediary anymore like the state or the DMV. And in the example that we saw it was achieved using the Bitcoin blockchain itself, but you could achieve it using any of the other three methods. And finally the key security principle that we used was atomicity in tying together the payment with the transfer of the car ownership. 
Now let's look at another example, which is also something we alluded to a bit earlier in the lecture, which is prediction markets. So of course it decentralizes a centralized prediction market like Intrade, and it does so in the sense of competition. It doesn't get rid of the need for some entity to run a prediction market, but instead it allows anybody to do that. It lowers the barrier to entry and different people can run different prediction markets. And it was done using an altcoin, and again the security property was atomicity, in that the two parties to a trade of a share in a prediction market are coupled together using this atomic property that ties together the transfer of the share with the transfer of payment. Now let's look at a quite different example. This is something that's called StorJ, proposed by Greg Maxwell, who claims it should be pronounced storage, but I'm gonna ignore that because it's gonna be just confusing if I call it storage. So what this is is it's sort of an agent that lives in the cloud. And what do I mean by agent, or at least what Greg Maxwell means by agent, is that it has some level of independent decision-making ability. It's not full-fledged AI but it decides some things for itself. What it's going to do is it's going to rent cloud computing services and it's going to use that to run itself, but the service it provides to consumers is that you can pay this agent to store a file for a certain period of time, say 24 hours, and when you do that it's going to receive payment in bitcoins, store this file, keep it for 24 hours and then delete it unless you keep making payments. It also has some other very interesting aspects such as reproduction: it can take a copy of the code, spawn a new instance and try to make improvements to it, pay somebody to write new improvements or modules and so on, but we'll ignore those aspects for now and just talk about this aspect of it. So what is StorJ and can we look at it through the lens of decentralization? 
It turns out that we can. So StorJ decentralizes the notion of file storage and retrieval, which you can do today through a Dropbox, for example. It's decentralized in the sense of competition. You still need an intermediary very much, which is this agent, and the payment is done using Bitcoin, and finally the security mechanism that you have is just reputation. There is nothing in particular in the StorJ proposal that, for example, atomically couples your payment for storage with the actual act of retrieving the file. So that's StorJ. Let's look at more examples. In fact, we can even consider Zerocoin, for example, which we saw in a previous lecture, through this lens. So Zerocoin is a way to decentralize the notion of mixing, instead of having a centralized mixing service where you put in your coins and just hope that you get it back. It's decentralized in the sense of disintermediation. There is no mixing intermediary anymore. The mixing is accomplished purely through cryptography. You don't need to trust anyone; it's enforced just by math and by consensus. And it's done using an altcoin; it's not quite compatible with Bitcoin unless there is a fork to Bitcoin. And the security property is atomicity. What does this mean? The notion of burning a basecoin in Zerocoin and actually getting a zerocoin in exchange for it are atomically coupled through the same transaction, and the same goes for later redeeming a zerocoin, and that's where the security comes from. That's why you don't need to trust anybody, and that is of course accomplished through zero knowledge proofs. So we've seen this powerful template that incorporates these four factors and we've seen some examples of how systems that we've already looked at fall into this pattern of decentralization. 
In the next part of this lecture we're going to look at a variety of new examples of things that people have proposed can be decentralized using blockchain technology, and we're going to use this sort of template to analyze them. So we've talked a lot about how to decentralize. Now I'm going to give you a taxonomy of the different things that we can decentralize, at least where we know technical solutions for how to do these things, and this is where a lot of the excitement is around for using blockchain technologies. So the first category is things that are purely digital, and perhaps the most basic example of this is name mapping. What do I mean by this? Namecoin is a good example. It's a mapping between human readable names and addresses, and so as long as you have something that's purely digital, it's a simple matter to use consensus technologies so that different participants can enter new values into the system, change values and so on, or read values back, and the blockchain can be used as a record of the current state of that mapping. So the next two are storage and proof, which we've seen earlier in this lecture, StorJ and the pay for proof idea that we saw earlier, and these are sort of complements of each other. One is paying for storage, of course, and the other is paying for computation. You can also have random number generation. What does this mean? This is something you saw in a previous lecture, using Bitcoin as a beacon. So a beacon is something that ahead of time nobody should be able to predict, but once the beacon value has been generated, everybody should be convinced that the value is in fact generated truly randomly. 
So again Bitcoin is a good vehicle for doing that. And lotteries, at least if you're talking about lotteries where the payment and payout is denominated in the currency of the blockchain itself, then running a lottery reduces to a random number generation problem of picking one of two input addresses of a transaction to use as its output address, basically. That's what it translates to. And so you have centralized Bitcoin lottery systems like SatoshiDice, but certainly it's fairly easy to imagine doing these in a decentralized manner as well. Let's move on to the next category, which is things that aren't inherently digital but can be represented digitally. This is a big category: real world currencies of all kinds, stocks, bonds and other assets and so on, and this is where perhaps a huge amount of the excitement is of how to use blockchains for other things. And so what does this mean? Let's look at colored coins as one example of the specific mechanisms that you might use for decentralization. If a particular color were to represent a particular currency and some other color were to represent a stock of a particular company, et cetera, et cetera, then you have all these assets that you can transfer between participants and you can pay for and so on. And so you have a trading of any of these assets and also you can have atomicity between the trade of the asset and the transfer of payment. That all sounds well and good but here's the real problem. What is the mechanism to ensure that what you're calling $1 in terms of colored coins is actually worth $1? That could happen if some bank or some consortium of banks agrees that they will back, using their deposits to their physical bank accounts, the corresponding colored coin. If there is some entity that promises that one-to-one pegging then you're good. 
Similarly, if there is a company that agrees to actually release stock in a digital form or agrees that they will treat that digital stock as equivalent to their physical or real-world stock, then you're good. But otherwise, all that you've done is invented some new thing that you're simply calling dollars, for example, but whose price is floating freely with respect to actual dollars. So in other words, you've just invented a new currency and inventing a new currency is not an accomplishment at this point. In fact, we have a surfeit of these things using blockchain technologies and so that's the real challenge here. It's not so much representation but this economic problem of actually ensuring an equivalence to the real-world analog of this. And most of the proposed solutions for this don't solve that harder problem except maybe one which we'll look at near the end. Let's look at the third category, which is property ownership and trade, which is what we started by looking at. We can decentralize that using smart property and atomic exchange. And these two, ownership and trade, are related. They're not quite the same thing but you can't completely separate them either. And hopefully the discussion at the beginning of the lecture has given you a good understanding of how to decentralize this. Now the fourth category is going to be more complex contracts. Trade can be thought of as a very simple contract. You give me this object in exchange for a certain amount of money but you can have more complex contracts like crowdfunding, which is also something we've seen, but also financial derivatives which is another big area of excitement. So what are financial derivatives? Derivatives have an underlying asset and the value of the derivative depends in some way on the price movements of the underlying asset. 
The key thing about a derivative you can think of it as sort of a conditional statement that depends upon the price of the underlying asset, some time in the future and so forth. And using this kind of language you can express quite complex statements. An example would be you can have a contract between two parties that says for this asset, if the value goes beyond five dollars past a certain date, then for every dollar that it rises above five dollars, you owe me two dollars. So that would be a way to hedge your belief that the value of this asset is not going to rise beyond five dollars. So again, you can do financial derivatives using some of these systems, especially some of the more expressive altcoin-based systems are a great vehicle for this. Now one nuance to note is that these conditional statements depend upon the price of the underlying asset. And so whatever script or other mechanism that you have in your blockchain system that depends upon this price should have a secure way of knowing what this price is. And this is called the data feed that you saw a bit earlier. We're gonna see again later in this lecture. But one possible way of getting around this need for a data feed is if the underlying asset itself is traded on the same blockchain using the asset decentralization idea that we saw a couple of slides earlier. And so if that is happening, then some sort of price discovery might be possible. But again, you have to worry about whether this price that you're discovering through the blockchain itself is reliable or whether it could be hacked by somebody creating artificial transactions and taking both sides of it, for example. So this is all not quite fully understood, but there's a lot of excitement around it, a lot of proposals. And it's certainly possible that sometime into the future this is going to get much better worked out. And we might have some sort of working system for trading in these things. 
So the next one is something that's even more in the sort of vague idea or proposal stage, but also there's a lot of excitement, which is decentralized markets. So let's talk about markets and auctions for a second. Let's forget about decentralization. Let's look at some real world examples of things that act as markets and see exactly what features they provide in order to gain a better understanding of what it means to decentralize them. In fact, let's look at four examples. A used bike store is basically where you go and sell your bike and so you have a separate transaction with them selling your bike for money and then they have a separate transaction with somebody else reselling that bike and you don't directly interact with the person who eventually rides away with your bike. So that's one model. Another model is eBay, which only matches participants and routes payments. PayPal is a payment processor. They don't match participants, but another function they perform is that they do a limited level of dispute mediation. And finally, you have the Craigslist model where they're not actually involved in the exchange at all in any way except for matching participants together. So we've identified several different functions that these markets give participants and let's see what we know so far about how to decentralize each of these functions and what to do about the rest of them. So the most obvious one is payments and of course we have cryptocurrencies for doing those. We have transfer of actual goods, which we can use smart property for. And further, we can leverage atomicity to couple the transfer of ownership of goods with the transfer of the payment. And we know how to do a limited form of dispute mediation using this escrow process. But what we've not seen so far at all is how to match participants who want to take different sides of a trade. And that's what I wanna tell you about now. 
So now I'm gonna show you a not fully fleshed out idea, but hopefully enough to give you an intuition and idea for how to do this kind of decentralized matching. Let's go back to the car example. Let's say Alice wants to sell a car. What she's going to do is she'll create a transaction, a partial transaction, not a fully complete one yet, that contains the necessary information for transfer of ownership, as well as the sale price that she wants, the minimum price that she'll accept, and broadcast it onto the network. It's not a complete transaction yet. It won't get onto the blockchain, but it will get broadcast nevertheless. Now the counterparty, someone who wants to buy the car, is going to find the transaction, determine that it meets their criteria for a car that they wanna buy. Perhaps this transaction has encoded information that has a webpage or just within the encoding itself, all the things you need to know about the car that you want to buy. So as I said, it's not a fully fleshed out idea. So this counterparty completes the transaction, they sign it, and then they broadcast it once again onto the network. At this point, the transaction is complete. It has all the information that it needs to get onto the blockchain. And so the transaction is automatically complete. Of course, this is a bit of a crude idea. It's hopefully enough for you to get the picture. One wouldn't necessarily want to do it this way. For one, it's very inefficient. Every partial transaction that represents somebody wanting to sell something needs to be broadcast to everybody in the network. But other than that, there's not a whole lot of control in the matching process, but it's something. It's a basic way to decentralize this idea of a buyer finding a seller. 
There is a variant you can use, which is that instead of partial transactions being simply broadcast onto the peer-to-peer network, you can have partial transactions under your chosen representation, but nevertheless, are complete transactions in terms of the underlying encoding onto Bitcoin. And so you can have these offers for the car, for example, be an actual complete Bitcoin transaction that gets onto the blockchain. And so only when it gets into the blockchain will it get noticed by potential sellers. And then they will continue to process that and take it to the next stage. A variant of this is the auction, where you create your transaction in such a way that the buyer cannot simply complete the transaction, broadcast it onto the network and finalize it. Instead, what they'll have to do is they'll have to sign it and then return it back to the seller or the auction creator who will then further need to sign the transaction in order to be fully valid to then complete that transaction. And this allows the seller to acquire different bids from different potential buyers and pick the one that she likes best. Another interesting variant of this is the double auction. A double auction happens when you're buying and selling stocks, for example, where the offers are coming from both sides, the offers and bids. And so what you need is some party in the center that's matching these offers and bids together. So one way in which you can achieve that is you can actually have the miners match these orders that are being broadcast onto the P2P network. And you can allow the miners to keep the bid ask spread, which is the difference between the bid and the ask. And one good property of doing it this way is that it avoids miner front running. What does that mean? 
It means that when the miner finds a really good offer, then they can ignore the bid that's coming from some other participant in the network, create their own bid and complete the transaction and get a better deal than they otherwise might have. All right, so now let's move on to data feeds. We looked at this a little bit earlier. Let's look at it in a bit more detail. You've also seen it in a previous lecture. Data feeds are a way for what we'll call arbiters to assert real-world facts into the Bitcoin blockchain. And there are some very natural applications of this. If you have a feed of price movements that allows you to implement derivatives, if you have feeds representing outcomes of events that allows you to implement prediction markets and so on. So data feeds are not necessarily interesting for their own sake, but for the things that they can help you implement. So allowing these arbiters to assert these facts is already a step better than having a single designated entity that's going to create all of these data feeds. So this is a form of decentralization in the sense of competition between arbiters. And this is what we saw in the example of decentralizing prediction markets. There are also other means that one can use in order to improve security here. You can use trusted hardware. For example, you can write a script that parses finance data, for example, from finance.google.com and uses that to create a data feed of stock movements. And what you can do is you can put that on trusted hardware so that anybody can verify that the script is actually doing what it's claiming to do. This still leaves other things that you have to take on trust, for example, that Google is not lying to you or somebody is not tapping the connection between the script and Google. You have to rely on HTTPS for security, et cetera, et cetera. So those are not perfect solutions. There are no perfect solutions here. 
Ultimately, data feeds require somebody to actually do the act of importing from the real world into the blockchain. But here's something interesting we can do. With data feeds, we can have a threshold of different arbiters. And that's particularly useful because inherently there are big incentives to lie for these arbiters when the data feeds that they're putting onto the blockchain affect the outcome of contracts, for instance. So what do I mean by a threshold of arbiters? Let's look at a concrete example. Here is one way to implement a data feed. A centralized version, or a somewhat centralized version where you still have individual arbiters, there's competition between arbiters and so on. How that might work is, let's say there is an event E with outcomes X, Y, and Z, corresponding to maybe the presidential election or something like that. Then this event E corresponds to this transaction in the blockchain. Everybody agrees upon this representation. And when an outcome happens, this transaction will be transferred to one of three different addresses corresponding to X, Y, and Z. And of course it'll be signed, this transaction will be signed by the arbiter A. And by looking at which public key, which address the transaction was then transferred to, you can figure out which outcome happened. So this is one way of implementing a data feed. How can we decentralize this data feed in terms of a threshold of arbiters? Let's say that we want these arbiters to be able to declare an outcome only if two of three such designated arbiters agree that X is actually the outcome that happened and not Y or Z. So how can we implement that? Recall that Bitcoin has a multi-signature feature. So what we would do is we would make sure that this transaction output is a two out of three multi-signature address that is controlled by these three different arbiters, A, B, and C. Each of them has one of their corresponding private keys. 
And so only if two of them agree, let's say A and C, then they will be able to create this transfer transaction. So that's a way of decentralizing this notion of a data feed. So now we can go back to the picture that we had earlier of the spectrum of levels of decentralization. So now we've seen an example of what it means to have a threshold of intermediaries, which is a distinct concept from having multiple competing intermediaries. Let's now move on to another thing you can use blockchain technologies to decentralize. This is something there's been a huge amount of hype about called autonomous agents. What are autonomous agents? Different people have proposed this and so in different conceptions there have been different sets of features that have been proposed, but here is a good set to focus on. One is that these agents will be able to enter into contracts with other participants. They will have data feeds from the real world as a way of having real-world input into these contracts. And these agents might perhaps have shareholders or some other manner in which humans can vote in order to change the rules by which the agent operates. So that's a key distinguishing factor from many of the ideas that we've seen before. And some variants of this notion of an agent also have some idea of reproduction, mutating the code and improving with time, et cetera. This is again a quite hypothetical concept. There are a number of challenges to realizing this in practice. One challenge is going to be, is this agent something that needs to keep private state or is it something that will purely execute on a transient basis on the miner nodes? And if it does need to keep private state, where is that going to come from and how can we decentralize that? Is it even meaningful to talk about decentralizing it? Another challenge is this funny problem of sort of a hostile takeover. 
If there is this notion of voting to change the rules, then is it possible that whatever constitutes shares of ownership of these agents, somebody could buy it up, acquire 51% of the shares and then vote to change the rules so that all of the assets of the agent, for example, will be transferred to this party who is doing the hostile takeover? And is this a problem? Should there be defenses against this? So there are a number of open questions here. I will make one point, though. People call these decentralized autonomous agents, the decentralized vision or the version of this. They also call it decentralized autonomous corporation. This is not a terminology that I like very much. I feel that this vision of decentralized agents misses all of the important or salient features of a corporation, which is all the legal backing that goes into it. And so it gives it a certain kind of rights and responsibilities in the real world, whereas we're in this parallel universe where everything has to be defined and enforced by technology. So I don't feel it makes a lot of sense to call it a corporation. Agent is the term that I prefer. All right, here's the final category that I want to tell you about. And this is quite interesting because at first sight, it might look like there's really no way of achieving decentralization here. So what are we talking about? Exchanges. What do I mean by exchanges? It's all well and good to represent some sort of colored coin, for example, as representing US dollars and then to trade that. But ultimately, if you want actual exchange between whatever you're calling US dollars and real world US dollars, you need something more. And that can be illustrated using this problem. Alice would like dollars in exchange for bitcoins and Carol would like the opposite. It seems like they should be able to trade with each other. 
But there's no real way of doing it over the internet in a situation where they don't trust each other because one of them has to send the other bitcoins and then hope that this person is going to mail them cash or use PayPal or whatever other way of transferring real money. What do we do about this? Well, maybe they have a mutual friend, Bob. Then this simplifies things a lot. What they can do is Alice can have a separate transaction with Bob. And since Alice and Bob are friends, Alice can send Bob bitcoins and trust Bob to send dollars over some other mechanism or even meet in person later and send dollars. And then Bob can do a similar transaction with Carol. So this intermediary has neatly solved the problem. But this still seems to have a lot of limitations because they need to have this mutual friend with each other. What if they're on opposite sides of the world? So here's how we can solve that. First of all, we can make this a bit more efficient instead of calling this a transaction where Alice sends Bob bitcoins and Bob sends US dollars back to Alice. What we can say is that Bob simply sends Alice some kind of digital token representing the fact that he now owes her some amount of money, let's say $100. And we know really well how to do this. This is exactly the same as some sort of digital asset. We know how to represent this in a variety of blockchain-based technologies. And similarly, Bob can have this transaction with Carol. So the only thing that would actually happen is bitcoins changing hands as well as this new relationship of debts being represented in the system. So this gives us a starting point for scaling this up to an arbitrary scale even to the scale of the whole world. Let's imagine a social network that represents the trust relationship between all pairs of friends. 
And so what could happen here is there could be a complex chain of interactions through which a node here exchanges bitcoins with a node here in exchange for US dollars or whatever currency. And it would simply be represented in the system as a series of IOUs. And what would make all this work is that in the system, pairs of friends must pre-declare how much debt they're willing to extend to each friend they have. So Alice might be willing to trust Bob to owe her $100 and be confident that he will repay her that amount. She might have a different relationship with Dave and other users and so on. Another neat feature of this whole system is that if there are a variety of these debts that are expressed in terms of the edges of this graph, let's say you have a triangle of users successively owing each other, then you might be able to simply cancel out that debt within the system. And so if you have a reasonable number of trust relationships and if you have a good amount of liquidity in the system, you might be able to go a long time and keep doing a lot of these transactions and not accrue too much debt overall in the system because a lot of these debts are going to cancel out in the long run. So that could make the system quite efficient in the long run. So this is a simplified version of what Ripple does. Ripple is what you might call an altcoin, but it's a bit more than that. It has its own consensus mechanism. It's not exactly based on proof of work, but this notion of trust relationships and IOUs is something that's central to Ripple and what it allows you to do is disintermediate the notion of a currency exchange. So in other words, we have decentralized a currency exchange in the sense of disintermediation using an altcoin and the key property that we've used. Earlier we saw atomicity and so forth. We use none of that here. We use something different. 
We started with a limited amount of trust and we use the transitive property of trust to take that up to the level where it can scale to all of the participants in the world. And in Ripple, as it currently exists, at least as I understand it, most of these participants are not individuals, but instead banks and other institutions, but you can certainly imagine the exact same kind of network working for individuals as well. So far in this lecture, we've learned about a fascinating set of technologies for using the blockchain for decentralizing as you've seen a whole spectrum of things. And occasionally I've hinted at questions about when is this a good idea? Is it economically feasible? How does it compare to the traditional centralized system that it's replacing and so on? But now let's really get into that question. And I've deliberately used the word decentralization and framed it in technical terms and avoided mentioning the political dimension, but now let's be very explicit about that. So what we're really talking about when we say decentralization and replacing these traditional systems is in a sentence, we're talking about technological purely or largely technological alternatives to a variety of human institutions, legal and social and financial, banks, law enforcement, a lot of these centralized service providers for various things, the court system, et cetera. And so this set of ideas really takes Bitcoin back to its cypherpunk roots. And this was the original dream of the cypherpunks. And now, given that we have the blockchain, a lot of these have started to seem to be much more closely within reach. So let's talk about whether or not this is a good idea. And as usual, let's go back to the car example. And let's ask the question, what are really the problems with car ownership and trade? 
And when I say problems, I don't mean problems like servicing your car or is your car environmentally friendly, but problems inherent to the notion of ownership and trade that a Bitcoin based system could potentially improve or conceivably make worse. And so we can identify two concrete things. One is security in the sense of theft. And more generally, we can express this as how to assert and enforce the ownership of the property. And the other one is dispute about the sale terms. Did somebody sell you a lemon car? Was there a genuine misunderstanding about what you were getting when you bought the car in terms of the condition of the car? And as you might see, both of these, what they have in common is not what happens when everything goes right, but what happens when something goes wrong. And so the real questions that we wanna ask are on these two dimensions, how does the new smart property system or smart property model that we've seen compare to what it seeks to replace? Let's think about this in a bit more detail. Let's talk about the theft problem first. Theft, whether you're talking about theft of cars or in the traditional banking system, security in general has three components. And those three components are called preventive, detective, and corrective. Preventive is when you stop something bad happening before it happens. Detective is when you realize that something bad has happened. And corrective is when you take measures to reverse the bad thing that happened and maybe to also have some punitive measures. So a car alarm system is a good example of what would that be, a detective measure. A preventive system would be your car lock or your steering wheel lock or something like that. And corrective control would be law enforcement and getting your car back and so on. So in the real world, security relies heavily on the latter two, but only a little bit on the first type of control. 
The reason your car is secure is only a small part because of its locking mechanism and largely because law enforcement exists and you can get your car back if it's stolen. And of course there is punishment in terms of the law for stealing a car. And this is what makes the whole system tick. If you lived in a completely lawless environment, the idea of parking your car overnight would simply be ridiculous because it would immediately get stolen. So that's the model that we started from. And of course the real world solution relies pretty heavily on law enforcement for a number of these things. And we want to move to this smart property based model where if you think about it, most of the focus is going to be on preventive measures. Because the notion of ownership becomes almost identical to the notion of who has the right private key to control the car, assets expressed in the blockchain. So it becomes quite hard to imagine how any of these systems would work at least in the way that we describe things. And this seems like a bit of a problem. We're taking this complex notion of security that relies on several different factors and putting most of the onus on preventive measures. It's actually a bit worse than that because now we've also introduced the software security problem, the problem of actually keeping your Bitcoin wallet or your Bitcoin key or the key that controls ownership of the car, secret and protected. So what we have is that is, we have to live with the fact that Bitcoin security is going to be an unsolved problem for the foreseeable future. Why? Because it's partly a human problem. Software security is partly a human problem because writing bug-free code is something that we've endeavored to get to for decades but made very little progress. It's also partly a human problem because it relies on users being very careful about security. 
And what this boils down to is introducing a new problem of software security to the traditional security problem of physical theft of the car. And so if you rely on this excessively, of course it can cause serious problems. You might end up in a situation where a loss of your key that protects ownership of your car now results in your car turning into a brick. Of course there are solutions to that. Of course you can have fallback mechanisms but inevitably these fallback mechanisms seem to take us toward intermediaries, toward decentralized systems and thereby chipping away at the putative benefits of this decentralized model that we move to. So let's go to the other aspect which is what happens when there is a dispute about the sale terms. So as we saw earlier, in the real world this is resolved through the court system. And this is not only complex but also fundamentally a human problem, not just partly a human problem but it's fundamentally a human problem. And the court system has evolved over a long time and it's really good at this. And I want to tell you a personal story and I found this out for myself in a very practical way one day many years ago when I went to pay a parking ticket and after I paid the ticket I noticed a sign that said court is in progress, keep your voice down. And I was curious about that. I asked the clerk what was going on and if I could go and sit in on the court session. She seemed a bit amused by the request but she said sure, it's open to the public, go on in. So I went in and funnily enough the court was in session and it was a case about a lemon car that had been sold. And only the two parties who were litigating the case were in the room and of course the judge. And I was sitting in the back, nobody paid me any attention. I sat there over the course of the next hour or so and it was just a fascinating learning experience. 
And the judge went through the details of every single email that the two parties had sent to each other, probed them for the meaning of what they had in mind when they said something and how the other person interpreted it and so on and came to a very nuanced understanding and a ruling of whether or not that sale was legitimate. And I realized at that moment that even legal contract terms as verbose as they might seem don't even come close to capturing the complexity of what goes on in a real physical transaction between human beings. And ultimately you need a very highly evolved dispute mediation process with real experts like a judge who are trained to look for these things and study these things to be able to render decisions that everybody is going to accept and be satisfied with. And so in this model we're proposing that we're going to do dispute mediation in very different ways and certainly this new model has certain advantages. You can choose your own mediator and so on but you have to ask, what are we giving up here and how big a problem is that going to be? Let me give you one more example of what I mean when I say that security and dispute mediation are human problems. We looked at crowdfunding earlier and the security property that we wanted was that if a variety of people send money to the entrepreneur, the entrepreneur should not be able to cash in on that unless the sum total that has been contributed exceeds the pre-specified output amount. Well, that's all well and good but if the entrepreneur does meet that amount then they can still take the money and run. Ultimately, if you don't trust them to deliver on their promise then the system doesn't work and you cannot technologically enforce that they will actually provide the public good or whatever it is that they promise to give you. So that seems like a problem and so the technology only seems to be solving a small part of the problem here and not even the interesting part of the problem. 
So let's recap a little bit what we've seen so far. In the smart property way of doing things, it looks like the interesting problems are social problems, things that are triggered when something goes wrong and technology doesn't seem to solve that aspect of the problem. It's really good at taking what happens when everything is going according to plan and maybe making that more efficient. In fact, it seems to have made some of these hard problems even harder to solve by moving to an automated model where it's quite hard to even layer on dispute mediation and other human processes that we might want to have in the picture and even worse, it seems to have introduced new problems, for example, software security in addition to the physical security of your car. Now, let me be very clear. I deliberately picked this car security and car sale example as sort of an extreme way of illustrating why we really need these human institutions. I'm not saying that anyone in the Bitcoin community is suggesting that we should sell our cars this way although the technical idea has certainly been discussed a lot and I also wanna be clear that this model certainly does have some advantages. Let's look at what some of those advantages are and in what kind of context it might apply. So here are some possible benefits of smart property. The first one is certainly efficiency and this might be particularly useful for small transactions. If you're selling, for example, your smartphone, your laptop or something like that, not something as valuable as a car, then if there is a dispute, you're very unlikely to actually litigate that and so if you have a purely technological enforcement mechanism that gives you something that's a stronger sense of security than simply shipping goods to someone over the internet and hoping for payment back, then that's a little bit of a win. You also get anonymity and privacy. 
Maybe it's important for you to ship something to someone without actually knowing their identity and that's not really possible to do in the centralized, intermediated model because for any sort of mediation, you need to have people's identities. And third, this is something we discussed earlier, the freedom to choose a mediator. Now, I contrasted with the court system which is this very sophisticated and very trusted process that we've all agreed upon and judges go through a very rigorous evaluation. They have conflict of interest rules to abide by and so on. So maybe that's not the right comparison. There are other contexts today in which, for example, PayPal acts as your mediator and they're a private company and they have a near monopoly over certain types of payment processing and so you're stuck with this mediator that's a private company that's not subject to public oversight or scrutiny but at the same time, you're forced to accept a result of that mediation. Maybe if we take that situation and introduce this notion of competition between mediators, then maybe that's a win. So these are some possible benefits. Let's now take a step back and let's look at this idea of crypto and the state and what I mean is the traditional way of doing things through human institutions and this new technology mediated cryptographically enforced, blockchain-based way of doing things. So one way in which people have explained the emergence of the modern state really is that it's a way to scale society past these small groups where everybody knows and trusts each other. The curious thing about that is that it's very similar to the benefits that are touted for the cryptographic way of doing things in that you can have these transactions over the internet where you don't necessarily trust the other person. So the state and crypto really are delivering a very similar kind of benefit at the end of the day even though through very, very different mechanisms. 
Now the thing to realize is that dismantling the state is not an option and a lot of the discussion around it frames the technological way of doing things necessarily in opposition with the traditional way of doing things. A good example of this is in our smart property discussion. Let's say you redefine ownership to be cryptographic control of activating the car. Now what happens if you sell your car to someone under these new rules? And that person, after having completed the sale, is still holding on to the title because the buyer doesn't care about this old-fashioned way of doing things. Now it goes to the court and claims that their car has been stolen. So unless you have some way of interoperating with the state you've not made any progress because in a democratically elected society people want these human institutions and are not okay with dismantling them and moving to this new model regardless of what the benefits and disadvantages are. And so what we should try to do is to try to make the two work together. And that I want to leave you with as the final thought is where I think is the really big opportunity for these Bitcoin based decentralization solutions. First of all, we want to find compelling use cases for decentralization. It's simple to say that something will get decentralized simply because the technology exists but that's not how it happens in practice. You have to have a compelling economic case for it and in particular from a political perspective there are certain use cases that one might look for when a state regulation of some market is particularly inefficient for example or when there is a state abuse of power in certain contexts or too much inefficiency. A good example of something like this actually happening today is in various countries in Africa cell phone minutes acting as a replacement for currency and this happened because the state mediated system simply became too laborious to use for most people. 
And so a disintermediated decentralized system can really act as a hedge against abuses of power in this sort of context. So we want to look for these compelling use cases for decentralization. We want to see how these new automated cryptographic ways of doing things can integrate into existing systems instead of trying to replace them and finally we want to co-opt legal and regulatory practices and these traditional defenses that we have in society instead of saying we're offering an alternative to those things. And in fact if you look at the recent history of Bitcoin itself I would argue that the new friendliness of the Bitcoin community with regulators is partly a reason for the success for the commercial success that it's enjoyed recently. We've covered a lot of ground in this lecture series. We started with the cryptographic building blocks and then some basic underlying concepts of cryptocurrencies and then built up the technical complexity all the way to the cutting edge. And we also looked at how Bitcoin is a platform for enabling a variety of other things and we looked at the community regulation, politics, ethical aspects and so on. I for one am very optimistic about Bitcoin as a technology and I think I can say this for the other lecturers as well. We've all spent a lot of our time studying and researching and teaching Bitcoin cryptocurrencies. I feel that Bitcoin is going to be more and more powerful the more and more it gets integrated into society and that's what I'm hoping is going to happen in the next years and decades. In the online accompanying notes to this lecture series we have a variety of information for you of where to find assignments, how to get more involved in the community and development and research and so on and I hope you make use of these. Thank you.
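
The IOU network described earlier in this lecture (friends pre-declaring how much debt they will extend, value passed along chains of trust, and rings of debt cancelling out) can be sketched in code. This is an added example, not part of the lecture and not Ripple's actual protocol or API; the `IOUNetwork` class, its method names and the dollar amounts are constructed for illustration.

```python
from collections import deque

class IOUNetwork:
    def __init__(self):
        self.limit = {}  # (creditor, debtor) -> most the creditor lets the debtor owe
        self.owed = {}   # (debtor, creditor) -> outstanding IOU, always > 0

    def trust(self, creditor, debtor, limit):
        self.limit[(creditor, debtor)] = limit

    def capacity(self, creditor, debtor):
        """How much more `debtor` may still come to owe `creditor`."""
        return self.limit.get((creditor, debtor), 0) - self.owed.get((debtor, creditor), 0)

    def find_path(self, source, target, amount):
        """Shortest chain source -> ... -> target in which every hop has capacity."""
        nodes = sorted({n for pair in self.limit for n in pair})
        queue, seen = deque([[source]]), {source}
        while queue:
            path = queue.popleft()
            if path[-1] == target:
                return path
            for nxt in nodes:
                if nxt not in seen and self.capacity(path[-1], nxt) >= amount:
                    seen.add(nxt)
                    queue.append(path + [nxt])
        return None

    def transfer(self, source, target, amount):
        """Pass value down a chain of friends; each receiver owes the hop before it."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        path = self.find_path(source, target, amount)
        if path is None:
            return None  # no chain of friends will extend that much credit
        for creditor, debtor in zip(path, path[1:]):
            self.owed[(debtor, creditor)] = self.owed.get((debtor, creditor), 0) + amount
        return path

    def find_cycle(self, node=None, stack=()):
        """Depth-first search for a ring of debts; returns its members or None."""
        if node in stack:
            return list(stack[stack.index(node):])
        for debtor, creditor in list(self.owed):
            if node in (None, debtor) and (found := self.find_cycle(creditor, stack + (debtor,))):
                return found
        return None

    def cancel_cycles(self):
        """Net out rings of debt (A owes B owes C owes A); return the total cancelled."""
        total = 0
        while cycle := self.find_cycle():
            edges = list(zip(cycle, cycle[1:] + cycle[:1]))
            smallest = min(self.owed[e] for e in edges)
            for edge in edges:
                self.owed[edge] -= smallest
            self.owed = {e: v for e, v in self.owed.items() if v}
            total += smallest * len(edges)
        return total

def demo():
    """Constructed scenario using the lecture's names; amounts are in dollars."""
    net = IOUNetwork()
    net.trust("alice", "bob", 100)    # Alice accepts up to $100 of Bob's IOUs
    net.trust("bob", "carol", 100)
    net.trust("carol", "alice", 100)
    first = net.transfer("alice", "carol", 100)  # routed through Bob
    second = net.transfer("alice", "carol", 50)  # refused: Bob's line with Alice is full
    net.transfer("carol", "alice", 60)           # closes a ring of debts
    return first, second, net.cancel_cycles(), dict(net.owed)

print(demo())
```

The refused second transfer is the point a practitioner should notice: the pre-declared limit bounds what any participant can lose to a defaulting neighbor, and netting the ring frees that credit again without any real-world settlement.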