 Okay, in this lecture we're going to be talking about Bitcoin as a platform. So we spent a lot of time developing all of the technical underpinnings of Bitcoin and showing how it can be used as a currency. In this lecture we're going to be talking about what else we can do with Bitcoin. There's a lot of exciting things that we can build either without any modifications to Bitcoin or with pretty small modifications. So some of those things in order that we'll talk about in this lecture, secure commitments, secure time stamping, issuing new types of digital tokens and tracking those things that aren't exactly currency, doing lotteries, generating randomness using Bitcoin, and finally prediction markets. So as a bit of a warning, these ideas are a little bit disparate, so there's going to be a lot of different things going on in this lecture. A little bit of a stew with lots of different interesting ingredients. We'll hop around a little bit, but hopefully the net result will be quite nice for you. So to start with, we're going to be talking about what we can do with the fact that Bitcoin is an append-only log. So remember, an append-only log means that it's a data structure that we can only write to, and once we've written data to it, the data will remain there forever. And we have a secure notion of time, so we can tell that certain things were written to the log before or after other things based on which block they're included in. So what we'd like to build using this is secure time stamping. And the goal here is that we want to be able to prove that we know some value x at a specific time t. We know it no later than time t. And oftentimes we're going to want to be able to prove that we know what x is without actually revealing it at time t, but revealing it later. And we want the evidence to be permanent. So we have a permanent record that we knew some information x at time t or earlier that nobody can ever destroy after the fact. 
So recall that we can use hash functions to commit to data. So instead of publishing the data x that we want to prove that we know, we publish the hash of x. And the properties of the hash function guarantee that we can't later find some other value x prime that has the same hash value as x. If we did, that would be a break of the cryptographic properties of the hash function. And we also have the nice property that the hash of x shouldn't reveal any information about x. With the caveat, of course, that that's only true if x comes from a large possible space. Otherwise, somebody who has x or somebody who has the hash of x can simply try different potential values for x and see if any of them match. So the idea of doing secure time stamping with an append-only log is that we can publish a commitment to x, the hash of x. And then later on we can reveal what x was. And anybody can look at this and say that we must have known x at the time we published the hash of x. Because there's no other way to have generated that data. So what can we use this secure time stamping for? This idea that we publish the hash of something and later on we reveal what that data is to show that we knew it at that time. So one thing is proof of knowledge. If we want to prove, say, that some idea that we file a patent on was actually in our heads months earlier, we can publish a hash, say of a design document or a schema for that idea, that thing that we would patent. That proves that we knew it at that time but we don't have to tell anybody. And then later on when we file our patent or when we publicize the idea, we can publish the information and anybody can look backwards in time and say, yes, they must have known it earlier when they published this commitment to it. We can also prove that we've received something. 
So if you're submitting data to a server, say something like a vote, the server can publish the hash of that vote and that serves as a commitment that they actually received it at a specific time. And that will prevent them from later claiming that they never received that information from you. A whole bunch of other interesting things can be built just off of secure time stamping. There's actually a whole signature scheme that just uses hash functions, doesn't use any of the normally relatively heavyweight cryptography required to do public key signatures. Just using hash functions in an append-only log, that's called the Guy Fawkes signature scheme. Which we won't talk about any more in this lecture. But the existence of stuff like that goes to show that this is a really powerful primitive that we can build a lot of interesting applications with. So one thing that we can't do that would be very nice if we could is prove clairvoyance, prove the ability to tell the future. So you might think that this secure time stamping would be a way to prove that we know something before other people, before it actually happens. And the idea here would be that we publish the commitment to an event that's about to happen, say the outcome of a sporting event or an election. And then later on we reveal that information and that proves that we knew the outcome ahead of time. So about a month ago during the World Cup final, it was thought that somebody had actually done this and they tried to prove that FIFA, the organization running the World Cup, was actually corrupt. And the way they did this is that they showed a Twitter account after the match was over that had tweeted a bunch of outcomes that happened during the game. For example, the fact that Germany won, the fact that Mario Goetze would score. And they proved that they had tweeted this before the game actually happened. 
And for a moment before you think about it, it looks like this proves that somehow this person either could tell the future or that the match was actually fixed and that they must have known what was going to happen ahead of time. But with a little bit of investigation, you can find out what they actually did is they had tweeted every possible outcome before the match started. So they had tweeted every single player involved in the match would score, all possible final scores, and a whole bunch of other information. And then before the match finished, they deleted all of the predictions that they had tweeted which turned out not to be true and they were left with only true predictions. So the same basic attack can be done against any secure messaging system where you simply commit to a bunch of possible outcomes and then you only reveal the commitments that turn out to be true. So if you want to prove that you can actually tell the future, if you have that ability, you have to prove that you aren't time stamping multiple predictions for the future. You have to prove that you're only time stamping one specific prediction and then it comes true. And normally if you're publishing a hash commitment, it's difficult to do that, especially in Bitcoin if we're writing hash commitments as our secure time stamping if they're not tied to any individual. It's easy to just publish a large number of them, never reveal the ones that are incorrect and then they won't be traceable back to you. So that was a long detour to say that you can't use secure time stamping to prove that you could tell the future, it would be interesting if you could. So before Bitcoin even existed, there was a solution to this basic problem, which was to publish a hash of predictions in a newspaper or some other media which is called widely witnessed media. 
So something that a lot of people see in a public place, there were a lot of records, newspapers get maintained in libraries and online, they're cached all sorts of different places. So if you've taken the time to put a hash into the corner of the newspaper here or somewhere in the classified section, people have pretty high confidence that you actually put that hash the day that the newspaper was published, that serves as a pretty good time stamp. And for a relatively low cost, you can simply pay the newspaper as if this is an advertisement and you can put the hash of whatever data you want. And then after the newspaper has been published, whenever you want to reveal the data that you committed to, you can just publish the data, people can refer back to the newspaper at the time and they'll know that you committed to it on that date. So this is a really simple solution, it works just fine offline. The question is how can we do this with Bitcoin? So the question is really where can we put our hash commitment in Bitcoin? What's the right place in the blockchain or in transactions to stuff this data which will represent the hash of some information that we're trying to time stamp? So the simplest idea that people came up with first is instead of sending money to the hash of a public key, just send it to the hash of your data. You can send a very small amount, say one Satoshi, the minimum possible transaction value in Bitcoin, to that address. And of course it's in your interest to send as little as possible because you're never going to get the money back. Since that is a hash of data and not a public key, there's not going to be any way to ever spend the coin that you send to that address. So the advantage is that this is a really simple, easy way to do it. It's compatible with Bitcoin. But the disadvantage is that you're creating this transaction that you're never going to be able to redeem. 
And the Bitcoin miners have to track this as an unspent transaction output forever, and they have no way of knowing that this was actually a time stamp and not a valid transaction. So the Bitcoin community takes a pretty dim view of this approach because it creates these unspendable outputs that have to be tracked. So a more sophisticated way to do this is called CommitCoin. And this is a little protocol for finding public keys and signatures that have the data that you want to commit to embedded in the bits of the public key and the signature. So you have to do some brute force work here to find a special public key by simply trying to find a lot of public keys and a lot of signatures. So that the bits that you want, the bits that represent the hash of your data, are also the bits of a valid public key. And the advantage of doing this is that it's still compatible. It's invisible to miners. They can't tell that you're committing data. It looks just like any other valid public key. And you aren't actually adding any new unspendable transaction outputs. The downside of this is that it's more expensive to do. You have to do the brute forcing to find this key. And your data rate is going to be a little bit lower since it's more expensive to do this style of commitment. So the preferred way to do this now is with a provably unspendable output. And you include your data in the provably unspendable script that you're trying to commit to. And we talked about this earlier when we were talking about scripts, when we were talking about proof of burn, where you have this script with OP_RETURN, which can never be satisfied. And then you can push some arbitrary data. So the same way that you could use this to do proof of burn, you can use this to commit to some data. You just have a script that returns immediately. The return command, of course, throws an error. So this script can never be run successfully without an error. And you can include some data. So this is cheap. 
There's no bloat in the unspent transaction outputs. You only lose a little bit of money every time you do this. The only downside is that this still isn't a standard transaction. So it won't be relayed by default. But this is the preferred way to commit to data in the blockchain. And there are actually a bunch of startups that run small websites that will do this for you. So they'll collect a lot of people's commitments into a large Merkle tree and then publish one unspendable output that looks like this form that has all of the commitments that everybody wanted to make for the day. So in fact, you don't even need to spend the small value yourself. A lot of people can amortize that cost together. And this is another way to limit the amount of bloat that you're adding to the blockchain. So what's the data rate of a scheme like this? Well, mostly you can get a 40 byte commitment for the cost of one transaction fee, which is currently about one ten-thousandth of a Bitcoin, or about $0.05 US. And that's enough to commit to the hash of whatever data you want. So essentially for about $0.05, you can commit to an arbitrary amount of data. So the downside of being able to write arbitrary data into the blockchain is that people might abuse this. And they might abuse it by trying to write illegal content into the blockchain. And in some countries, there are things that are very illegal. So think about child pornographic images, copyrighted material, or other things that you may face very stiff penalties if you're caught having that data. So sure enough, several people have tried to do this as a griefing action against the Bitcoin community simply to harass the community and try to bother people. They've at least claimed, I've never seen it actually verified, that they've published pornographic data into the Bitcoin blockchain. 
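As an added example (not code from the lecture), here is the commit-and-reveal flow from above in Python: a salted hash commitment (the salt covers the small-input-space caveat), a simplified Merkle tree that batches one day's commitments into a single 32-byte root, and that root packed into an `OP_RETURN` script. The tree construction is a simplified one written for this example, not Bitcoin's own transaction tree, and the timestamping-service names are assumptions.

```python
import hashlib
import os
from typing import List, Tuple

OP_RETURN = 0x6A  # Bitcoin script opcode: marks the output provably unspendable


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def commit(data: bytes, salt: bytes) -> bytes:
    """Hash commitment to `data`. The random salt keeps a low-entropy x
    (a vote, a final score) from being brute-forced out of H(x)."""
    return sha256(salt + data)


def open_commitment(commitment: bytes, data: bytes, salt: bytes) -> bool:
    """Later reveal: anyone can check that (data, salt) produces the committed hash."""
    return commit(data, salt) == commitment


def _next_level(level: List[bytes]) -> List[bytes]:
    if len(level) % 2 == 1:          # simplified tree: duplicate an odd last node
        level = level + [level[-1]]
    return [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves: List[bytes]) -> bytes:
    """One root for the whole day's commitments; only this goes on-chain."""
    if not leaves:
        raise ValueError("no commitments to aggregate")
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(leaves: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from the leaf up to the root; the flag says the sibling is on the right."""
    proof: List[Tuple[bytes, bool]] = []
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        level = _next_level(level)
        index //= 2
    return proof


def verify_proof(leaf: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    """What a customer keeps: their own commitment, the proof, and the txid carrying the root."""
    node = leaf
    for sibling, sibling_is_right in proof:
        node = sha256(node + sibling) if sibling_is_right else sha256(sibling + node)
    return node == root


def op_return_script(payload: bytes) -> bytes:
    """scriptPubKey `OP_RETURN <push payload>`; for 1..75 bytes the push opcode is the length."""
    if not 1 <= len(payload) <= 75:
        raise ValueError("payload must be 1..75 bytes for a direct push")
    return bytes([OP_RETURN, len(payload)]) + payload


def parse_op_return(script: bytes) -> bytes:
    """Recover the committed bytes from a script of the form produced above."""
    if len(script) < 2 or script[0] != OP_RETURN or script[1] != len(script) - 2:
        raise ValueError("not an OP_RETURN script with a single direct push")
    return script[2:]


if __name__ == "__main__":
    # Constructed example: three customers hand a timestamping service their commitments.
    docs = [b"design-doc-v1.pdf contents", b"vote: candidate B", b"Germany 1-0 Argentina"]
    salts = [os.urandom(16) for _ in docs]
    leaves = [commit(d, s) for d, s in zip(docs, salts)]
    root = merkle_root(leaves)
    script = op_return_script(root)            # the one unspendable output for the day
    # Months later, customer 2 reveals (data, salt) plus their Merkle proof.
    assert open_commitment(leaves[2], docs[2], salts[2])
    assert verify_proof(leaves[2], merkle_proof(leaves, 2), parse_op_return(script))
    print("commitment verified against on-chain root", root.hex())
```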
And the idea is that this makes it dangerous to download the blockchain onto your hard drive and to run a full node because you're now downloading this illegal material. So this is basically just an unfortunate fact of life. There's no good way to prevent people from writing arbitrary data into the Bitcoin blockchain. If you force everybody to use pay-to-script-hash, that's one countermeasure that would make it a little bit more expensive to write this data in. But in general, there's no way to prevent people from writing arbitrary bits into Bitcoin if that's what they really want to do. So an observation on the positive side from the fact that we can write whatever data we want into Bitcoin is that we can actually build an entirely new currency system without developing a new consensus mechanism. We can just use Bitcoin as an append-only log that already exists and write all of the data that we need for our new system directly into the Bitcoin blockchain. So this is called an overlay currency. Bitcoin exists as the underlying substrate, if you will, and you just write your new data directly into the Bitcoin blockchain, formatted as these unspendable Bitcoin transaction outputs. Of course, you don't have the miners actually validating that what you're writing into the blockchain is valid under the rules of the new currency system anymore. So you have to develop a more complicated logic for understanding the new currency because you don't have miners policing what's written into what is effectively the new overlay blockchain. Anybody can write anything in there who's willing to pay the Bitcoin transaction fees. So instead of having miners reject double spends, everybody as a community has to simply look at the history of what's been written and if two transactions attempt to spend the same coins, everybody has to understand that the second one is considered invalid. So the most prominent effort to actually do this is called Mastercoin. 
So Mastercoin is an overlay currency. It's built on top of Bitcoin. All of the Mastercoin transactions are written into the Bitcoin blockchain and it supports a much larger, richer feature set than Bitcoin. So the idea is that they don't have to develop a new consensus algorithm and since the Bitcoin miners don't need to know about the Mastercoin rules, they can support a lot more fancy features, more sophisticated smart property, smart contracts, user-defined currencies. Essentially the API is many times larger than the Bitcoin API because the miners don't have to understand it. They're willing to just blindly write anything into the blockchain which is formatted as a valid Bitcoin transaction and the Mastercoin community has to look at all of that data and piece together valid ownership of Mastercoins based on what's written into the Bitcoin blockchain. So this is very nice. You can develop a currency without having to create your own new consensus system. You don't need new miners. You can add more features. You can develop it faster. But you're inherently reliant on Bitcoin here and this can be somewhat inefficient because you might have to write a lot of data because you don't have miners policing to prevent invalid transactions from being written into the blockchain. And I believe that we'll talk a little bit more about Mastercoin in lecture 11. All right, so now we're going to change gears. Like I said, we're gonna be changing gears quite a bit in this lecture and we're gonna talk about using Bitcoins to represent smart property. So using Bitcoins to represent something other than simply one unit of currency in the Bitcoin system. So recall from the lecture on anonymity especially, we talked about the transaction graph of Bitcoins and the fact that you can trace ownership of value in the Bitcoin system over time. So every Bitcoin has a history. 
Of course, keeping the caveat in mind that there's no such thing really as a Bitcoin, just unspent transaction outputs, but we'll think about them as coins. And every coin has this long history attached to it which anybody can view in the blockchain. A history of everybody who's owned any piece of a coin which through transfer and transactions with other coins has turned into that current unspent transaction output or that current Bitcoin that you may hold today. In fact, for any Bitcoin you can trace its history all the way back to some coinbase transactions when coins were originally minted. And of course there will be a bunch of other transactions that branch off that aren't included in this final Bitcoin but every Bitcoin has this history that carries around with it. And as we've said, and as we spent a whole lecture discussing, this is bad for anonymity because you can try and track ownership of coins. And it also potentially enables blacklisting. If you want to blacklist coins owned by a specific person, you can do so using the fact that history is maintained as coins move around. So there's an interesting observation here which is that Bitcoins aren't fungible. And fungible is an economic term which means every Bitcoin has the same value as any other and they can be exchanged with no loss or change in value. So with Bitcoins that's not exactly true. Every Bitcoin is in fact unique and has a different history. And if the history is meaningful to people it may mean that my one Bitcoin is not the same as your one Bitcoin and maybe I'm not willing to trade you or maybe you're not willing to trade me because one of us likes the history of the coin we currently have more than the history of another coin we might exchange it for. So could this property be useful? I've argued that it's bad. 
It's bad in that it has problems for de-anonymizing people or for potentially blacklisting and that maybe it means Bitcoins aren't even fungible which is a very interesting property for a currency to have from an economic standpoint. But I'll actually be arguing in the rest of this section that this can be a very useful property if we give meaning to that history. So let's think about what this would look like offline. What if we wanted to add metadata to offline currency? So some people actually do this. They like to stamp various things on bank notes as I have some examples of here. And you'll notice that most of these are actually political protests talking about campaign finance or the fact that George Washington grew hemp. And the reason is that if anybody can stamp whatever they want on currency, it doesn't have that much value except as a form of speech. It's really just a novelty. So the question is, what if we could have authenticated metadata attached to our currency? So we wanna add some metadata to the currency that has some authenticity and not anybody can simply duplicate. And the way that we're gonna do this is to have a cryptographic signature on the metadata that we want tied to the serial number of the bank note. So somebody who has some authority and has a signing key is gonna sign the combination of some metadata plus the bank note's serial number. And that's gonna tie the metadata specifically to this note. How might this work? So let's say that a baseball team wants to start using dollar bills as tickets. So they don't want to go through the hassle of printing their own tickets anymore. They say we wanna just have bank notes function as tickets. So the Yankees would simply assert that this specific serial number now represents a ticket to a specific game, maybe with a specific seat, and that whoever is holding that note has the right at the gates of the stadium to come in and sit down and watch the game with no other questions asked. 
The bank note is their ticket. And to add some authenticity here, there's gonna be a signing key that the Yankees use or whichever team we happen to be talking about. And they're gonna sign that message saying the specific game number and the date and all that sort of information along with the serial number of the bill. And then they may wanna just stamp that right onto the bill. Say they use a 2D barcode to represent that signed data. Now if you show up to the gates of the stadium and hand that bill over, maybe somebody can look up in a database and say, ah, yes, there actually is a signature saying that this serial number of a bill is designated to function as a ticket for this specific game. And you wouldn't necessarily need to use a stamp. Another solution that works just fine here, which doesn't illustrate quite as well, is you could just have a database at the stadium that has a list of different serial numbers and which seats the holder of the note with that serial number is entitled to. And when you showed up at the gate, they would just look at the serial number on your bill and then look up in the database which seat you are allowed to sit in. So what has this bought us? Why would we wanna do this? Now currency can represent anything. So I had the example of a sports ticket, but we'll discuss more in a few slides. There's a lot of applications here. And we're inheriting the anti-counterfeiting properties that the bill already has. So if you believe that it's hard to duplicate the banknote and have the same serial number and there's a whole bunch of people in the Washington DC area who are working really hard to make sure that it's difficult to duplicate a banknote and have the same serial number because currency would certainly be very different if that property wasn't true. 
So if you trust that the anti-counterfeiting properties of the bill are pretty good, you get to use those for free because you simply tie that serial number to whichever metadata you want. And the other neat thing is that the underlying value of this bill as currency is maintained. So it may be a problem if everybody wants to physically stamp metadata on currency all the time, but if we use the database solution where you don't have to actually write anything on the currency, then you can have somebody use this dollar bill as a ticket to get into the baseball game, and then once they're in the game, they can use it to buy a soda. Of course, all of the authenticity here, all of the meaning in this new metadata is only as good as how much we trust the issuer that signed it. So everybody has to know that there's a specific key that's used to sign valid Yankees tickets or whatever other metadata you're interested in. Everybody else will look at this and just see a dollar bill. They may not realize that it's actually worth perhaps $100 if it's a lower box seat to a game, but that's okay, that's actually a desired property here because once it's fulfilled its mission as a ticket, it can go back into circulation as a regular bill. So can we do this digitally in Bitcoin? There's a bunch of reasons perhaps why this offline scheme with banknotes hasn't quite taken off, perhaps some legal reasons, or perhaps the cost of printing simply isn't that high, but can we do this in a digital way on top of Bitcoin, which will give us all of the cool features we like about Bitcoin, the ability to do online exchanges, the ability to use the system quickly and without trusting a bank, we could have all of those properties for any type of metadata that we want. So the idea here is that we want coins to track a specific color. So just like we were able to stamp that metadata onto currency, the idea here is that you can color in Bitcoins with the color of your choice. 
They still function as valid Bitcoins. You haven't taken away anything from the fact that they're valuable as Bitcoins, but you've added a little bit of extra color. And of course, in reality, that color will be the metadata that we care about, but for the purposes of this illustration or the metaphor that's commonly used, we think of it as just adding color. So how does that work? Well, in one transaction, we're going to insert a special extra bit of metadata that declares that some of the outputs have a specific color. So we'll say we're issuing five purple Bitcoins. And the remaining, the other output, is seven Bitcoins that continue to be normal Bitcoins with no color. And perhaps somebody else with a different signing key and a different transaction has issued four green Bitcoins. So now we have Bitcoins that have different colors attached to them. And we can do all the normal things that we do with Bitcoin transactions. So we could have one Bitcoin transaction that takes several inputs, some green coins, some purple coins, some uncolored coins, and it shuffles them around and has outputs which maintain the color. And there's going to be some metadata there to do all the bookkeeping and make sure the right color goes to the right coins. We can do all the other normal things that we'd want to do with a Bitcoin transaction. We can split a transaction output of four green coins into two smaller values. And later on, we could combine multiple transaction outputs with green coins to make one big transaction output with all of the incoming green coins. So the only thing that we've added here to the basic Bitcoin picture is the ability to add a little bit of metadata in transactions that designates some of the coins in one output transaction to have a certain color. And of course, there's going to need to be a signature in there somewhere so that not just anybody can use any color that they want. 
So the most popular proposal for actually implementing this is called Open Assets. And how does it work? Well, the issuance is done through a special pay-to-script-hash address. So if you want to issue colored coins, you have to choose a pay-to-script-hash address that will issue whatever color you want. And of course, the color might really be the fact that these are Yankees tickets. And then any coin that transfers through that address that comes in without a color will leave with the color designated to that address. And you have to publicize that somewhere. So there's various exchanges that track which addresses confer which color onto coins. And it's fine for coins to have more than one color. That's really no problem. Now, every time that you have a transaction that involves colored coins, you have to insert a special marker output. So this is an unspendable output, kind of like in the case of commitments, that allows us to write some extra metadata into the transaction. And that metadata, which I'm not going to discuss in detail because it's fairly tedious, simply says, of all the colored coins coming into this transaction and all the outputs of the transaction, how the color is divided between the different outputs. So just like in any Bitcoin transaction, the normal metadata specifies how the value of all the input transactions is divided amongst the output transactions. You need to add this marker output when you're dealing with colored coins to decide how you're going to divvy up the color. And you can add some extra metadata in there if you want, the protocol supports that. So what can we say about this system? Well, the advantages are that it's compatible with Bitcoin. You don't have to change anything. And it gives you the flexibility for anybody to declare any color that they want and start putting any metadata on any coin that they want. And the system will track that. 
And it's a good thing that since it's compatible with Bitcoin, the rest of the community will ignore this. So the miners won't take any position on who can issue which color or rules for transferring colors. So nobody can censor this. You don't have to ask any central authority for the right to start issuing coins of a new color. If anybody believes you and thinks that you have a good reason to do so, they can start trusting your signature in the form of sending the coins through that pay-to-script-hash address. And if they respect the color that you're putting on coins, then they have some value. The disadvantages of this scheme are that we do have to put that unspendable marker output into every transaction that involves colored coins. So we're adding a little bit of overhead, losing a little bit of money in the form of regular Bitcoins every time we wanna trade colored coins. And because that marker output is special and the miners aren't enforcing any properties of it, it means that to verify that you actually own some colored coins, you have to check the entire transaction history. So it's not enough to just see that your colored coin transaction made it into the blockchain because the miners aren't verifying it. They don't understand colored coins and they don't care. And we've argued that that's an advantage of the system. But it means that you can't have a thin client doing SPV verification like we can for regular Bitcoin. If you wanna verify colored coins, you have to download the whole blockchain, every previous transaction, and trace the color of your coins from the time that they were originally issued that color. So this means that it's harder to use colored coins on very limited platforms, on phones, or on anything that can't store the entire blockchain and maintain an up-to-date copy. So what are some applications of colored coins? I mentioned the ticket example, so you could have colored coins represent tickets that give you admission to some event. 
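The overlay-validation point above (miners check only the Bitcoin rules; colored-coin clients replay the whole history themselves, as with any overlay currency) as an added Python example, not code from the lecture or from Open Assets. The color rules here are a deliberately simplified model of the marker-output idea, not the real Open Assets encoding, and the issuing address, transaction ids and participant names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Outpoint = Tuple[str, int]   # (txid, output index)
Color = Optional[str]        # None = ordinary uncolored bitcoin
SAT = 100_000_000            # satoshis per bitcoin


@dataclass
class Tx:
    txid: str
    inputs: List[Outpoint]
    outputs: List[Tuple[str, int]]                    # (address, satoshis)
    marker: Optional[List[Tuple[Color, int]]] = None  # per output: (color, colored units)


class ColoredCoinTracker:
    """Simplified overlay validator: consumes confirmed, Bitcoin-valid transactions
    and applies the color rules that miners never look at."""

    def __init__(self, issuers: Dict[str, str]):
        self.issuers = issuers           # issuing P2SH address -> color it confers
        self.txs: Dict[str, Tx] = {}
        self.colors: Dict[Outpoint, Tuple[Color, int]] = {}   # every output ever created
        self.owner: Dict[Outpoint, str] = {}
        self.unspent: Set[Outpoint] = set()
        self.rejected: List[str] = []    # in the chain, but invalid under the overlay rules

    def apply(self, tx: Tx) -> bool:
        """Apply one confirmed transaction; True if it is valid under the color rules."""
        for op in tx.inputs:
            if op not in self.unspent:   # a Bitcoin-level double spend never reaches the chain
                raise ValueError(f"{tx.txid} spends {op}, which is not unspent")
        assignment = self._color_outputs(tx)
        valid = assignment is not None
        if not valid:                    # rule: a bad marker destroys the color, nothing more
            self.rejected.append(tx.txid)
            assignment = [(None, 0)] * len(tx.outputs)
        self.txs[tx.txid] = tx
        for op in tx.inputs:
            self.unspent.discard(op)
        for i, (addr, _) in enumerate(tx.outputs):
            op = (tx.txid, i)
            self.colors[op], self.owner[op] = assignment[i], addr
            self.unspent.add(op)
        return valid

    def _issuing_color(self, tx: Tx) -> Color:
        # coins leaving a registered issuing address may be given that address's color
        return self.issuers.get(self.owner[tx.inputs[0]]) if tx.inputs else None

    def _color_outputs(self, tx: Tx) -> Optional[List[Tuple[Color, int]]]:
        if tx.marker is None:            # colored inputs spent without a marker become plain bitcoin
            return [(None, 0)] * len(tx.outputs)
        if len(tx.marker) != len(tx.outputs):
            return None
        available: Dict[str, int] = {}
        for op in tx.inputs:
            color, units = self.colors[op]
            if color is not None:
                available[color] = available.get(color, 0) + units
        requested: Dict[str, int] = {}
        for color, units in tx.marker:
            if color is None and units:
                return None
            if color is not None:
                requested[color] = requested.get(color, 0) + units
        issuing = self._issuing_color(tx)
        for color, units in requested.items():
            if color != issuing and units > available.get(color, 0):
                return None              # claims more of a color than its inputs carried
        return list(tx.marker)

    def trace_to_issuance(self, op: Outpoint) -> List[str]:
        """What an SPV client cannot do: follow the color back to the issuing transaction."""
        color, _ = self.colors[op]
        if color is None:
            raise ValueError(f"{op} is uncolored")
        path: List[str] = []
        while True:
            tx = self.txs[op[0]]
            path.append(tx.txid)
            if self._issuing_color(tx) == color:
                return path
            op = next(i for i in tx.inputs if self.colors[i][0] == color)


def demo() -> ColoredCoinTracker:
    """Constructed history: the 5 purple / 7 plain issuance, a split, and a bogus green marker."""
    t = ColoredCoinTracker({"3YankeesIssuerP2SH": "purple"})   # placeholder issuing address
    t.apply(Tx("coinbase", [], [("3YankeesIssuerP2SH", 12 * SAT)]))
    t.apply(Tx("issue", [("coinbase", 0)], [("alice", 5 * SAT), ("bob", 7 * SAT)],
               marker=[("purple", 5), (None, 0)]))
    t.apply(Tx("split", [("issue", 0)], [("carol", 2 * SAT), ("alice", 3 * SAT)],
               marker=[("purple", 2), ("purple", 3)]))
    # bob holds no green-issuing address, so this Bitcoin-valid tx is rejected by the overlay
    t.apply(Tx("bogus", [("issue", 1)], [("bob", 7 * SAT)], marker=[("green", 4)]))
    return t
```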
Another popular example that people have proposed is to have colored coins represent stock in a company. So every time you want to issue some new stock, you pass some bitcoins through the pay-to-script-hash address, which you say is issuing stock on behalf of my new corporation. And then people can trade the stock and you don't need a stock exchange or any of the infrastructure that is used in the offline world. People can just trade the stock in exchange for regular bitcoins. Of course, people have to trust that you're actually going to honor that stock, but assuming that they do, then you can do all of your stock trading just like regular Bitcoin transactions. And there's also the somewhat more outlandish idea that colored coins might actually represent a deed to some real world property. So maybe a colored coin says that you actually own a house or a car and maybe you have a very sophisticated car that actually tracks the blockchain and will start and drive for anybody who owns the specific coin that confers ownership of that car. And then you could sell a car with just one transaction in the Bitcoin blockchain. So maybe we're still a little ways away from making that happen. And we'll be talking more in lecture 11 about some of the obstacles legally and socially to making that happen, but that's the dream of colored coins, that any real world property you can represent in the world of Bitcoin and you can trade just like any other Bitcoin. And finally, one more interesting example I think is ownership of domain names. So maybe you could trade ownership of a domain name and the ability to run a server there on the Bitcoin blockchain just like anything else. That has enough caveats and enough weird properties, like you want to avoid people squatting on domain names and just buying up all of the good domain names, that it's actually been launched as a separate altcoin called Namecoin. 
And in the next lecture when we talk more about altcoins we'll talk a little bit more about Namecoin which is specifically launched to try to handle this property of domain name ownership. So you could do domain name ownership with simple colored coins, but in practice there's enough extra properties that you want to enforce that the community has been pursuing a separate altcoin for that. Okay, time to change gears again. Now we're going to talk about doing a multi-party lottery in Bitcoin and hopefully doing it in a secure way. So again, we'll start with the offline version of what we're trying to build here. How would we do a real world lottery between two people without any trust? And I'll get back to what without any trust means in a second. But there's a very simple solution for this. If Alice and Bob want to bet five bucks they'll both agree to a bet. Bob will flip a coin. One of them will call it hopefully while it's in the air. And then they'll both have a very clear understanding of who won and they'll trust that this was a random process and that neither of them was able to influence the outcome. So maybe betting on a coin flip is sort of boring but this is very easy to do in the offline world. And of course they have to trust that whoever loses is actually going to pay. Maybe this isn't actually legally enforceable so it's just an agreement of honor between Alice and Bob. That's a hard problem in the offline world. We'd like in the online world to do a lottery and solve both problems. So both the problem of generating randomness that both parties can agree is fair and having the party who loses actually be forced to pay. Okay, so how can we do that online? So if there's a network between Alice and Bob, they can't see the same physical coin in the same place, but they want to bet on a coin flip. So Alice might say let's bet $5, I'll flip the coin. Here it is. Maybe she'll turn on her video camera or something. And Bob might say I don't know if I trust you here.
I can't see your coin. Maybe you're showing me a video stream that you've already prerecorded. I'm out, I don't wanna do this. I don't have any trust that you're not gonna cheat me. So a solution is to use hash commitments. Our old friend from the first section of this lecture. So this is the same information. We remember that you can publish a hash commitment. We're not revealing any information and we can later reveal the input to the hash function to open the commitment and show what our data was. So how can we do this to build an online lottery? So we'll have three parties now, Alice, Bob and Carol who all wanna do a lottery together. So to start with all of them will choose a random number, often called a nonce in cryptography, and they're gonna keep that random number to themselves. And as long as each one chooses a random number they should trust that the final outcome is random and that nobody else is able to cheat them. Now there's gonna be two phases of communication in this protocol. In round one everybody is gonna publish a commitment to their random data. So all three parties are just gonna publish a hash of the random number that they chose. And remember this doesn't reveal anything about the random number as long as it's chosen from a large enough space. So say each one of them chooses a 128-bit random string, they can publish the hash of that, no worries, they haven't given away any useful information. Now we have to make sure that the second phase happens strictly after the first phase is over. So after everybody has committed to the randomness that they chose. Now we'll have a second round where everybody reveals the random number that they've committed to. And of course everybody should check that those values that they reveal actually match the hashes that they published earlier and that the commitment was actually valid. But assuming that happens now everybody has published this random number that they all chose independently.
Now there's a fairly simple program that will determine who wins the lottery. There's a lot of ways to do this of course but the simplest way is we could just take all three random numbers, take the XOR of them which is gonna mix in bits from everybody's random number, then we'll take the hash of that, reduce it mod three, and that will give us randomly one of three outcomes and we'll just assign each outcome to one of the participants and that will determine that either Alice, Bob, or Carol is the winner and everybody can run this protocol themselves and trust that this was a fair process. So an important property of that hash function is that it guarantees randomness. Nobody could try to choose their random number in such a way that it makes it more likely that the final outcome is them winning. Especially considering that they don't know the randomness that everybody else is choosing. So without getting into a long formal definition of randomness and pseudo-randomness in hash functions, it's safe to say that the way hash functions currently work with a good hash function, there's no way to cheat at this game. There's no better strategy than just choosing a random number which gives you a one-third chance of winning. So what happens if somebody fails to reveal their commitment? So let's go back to round two of the protocol and let's say that Alice and Bob each reveal their random numbers and then Carol looks at these and she says, if I reveal my random number, I'm gonna lose. I can see the random numbers that Alice and Bob chose and I know which random number I chose and I can run that script and tell that I'm not gonna win. So if Carol wants to be malicious here, what she can do is not publish her random number and just say, oh, I'm sorry, I forgot it or maybe she can go offline or for whatever other reason provide some plausible reason why she can't reveal what her random number is.
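As an added example (not code from the lecture), here is the three-party commit-and-reveal lottery above in Python: SHA-256 is assumed as the hash function, a fixed alphabetical ordering of parties is assumed for mapping the outcome to a winner, and the verifier rejects a missing or forged reveal rather than computing a result from incomplete inputs.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

NONCE_BYTES = 16  # each party picks a 128-bit random string, as in the lecture


def choose_nonce() -> bytes:
    """Each party draws its own secret random value (kept private until round 2)."""
    return secrets.token_bytes(NONCE_BYTES)


def commit(nonce: bytes) -> bytes:
    """Round 1: publish H(nonce).  SHA-256 is the assumed hash function."""
    return hashlib.sha256(nonce).digest()


def opens(commitment: bytes, nonce: bytes) -> bool:
    """Round 2 check: the revealed value must hash to the earlier commitment."""
    return commit(nonce) == commitment


def pick_winner(nonces: Dict[str, bytes]) -> str:
    """XOR all revealed nonces, hash the result, reduce mod the party count.

    The hash output is 256 bits, so reducing it mod 3 is uniform up to a
    negligible bias.  The party ordering must be fixed in advance (sorted
    here); otherwise the outcome-to-winner mapping could itself be gamed.
    """
    mixed = bytes(NONCE_BYTES)
    for nonce in nonces.values():
        mixed = bytes(a ^ b for a, b in zip(mixed, nonce))
    parties = sorted(nonces)
    outcome = int.from_bytes(hashlib.sha256(mixed).digest(), "big") % len(parties)
    return parties[outcome]


def run_lottery(commitments: Dict[str, bytes],
                reveals: Dict[str, Optional[bytes]]) -> Tuple[Optional[str], List[str]]:
    """Verify every opening, then compute the winner.

    Returns (winner, misbehaving_parties).  A party that reveals nothing, or
    reveals a value that does not open its commitment, aborts the lottery:
    the winner is None, because the program needs every input and a forged
    input would let the forger steer the result.
    """
    bad = sorted(p for p, c in commitments.items()
                 if reveals.get(p) is None or not opens(c, reveals[p]))
    if bad:
        return None, bad
    return pick_winner({p: reveals[p] for p in commitments}), []


# Constructed sample run: three parties with fixed nonces so the walkthrough
# is reproducible (real participants would call choose_nonce()).
SAMPLE_NONCES = {
    "alice": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "bob":   bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    "carol": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}
SAMPLE_COMMITMENTS = {p: commit(n) for p, n in SAMPLE_NONCES.items()}

if __name__ == "__main__":
    print("everyone reveals:", run_lottery(SAMPLE_COMMITMENTS, dict(SAMPLE_NONCES)))
    # The abort problem from the text: once Alice and Bob have revealed, Carol
    # can run pick_winner herself and then decide whether to reveal at all.
    print("carol withholds: ", run_lottery(SAMPLE_COMMITMENTS, dict(SAMPLE_NONCES, carol=None)))
```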
And now it's impossible to run this final script because you don't have one of the inputs. And Alice and Bob can see this and they can say, Carol, that's not cool, you've just wrecked the lottery, you probably did this because you were gonna lose, you cheated us, but they don't have any real recourse here. So by itself, this protocol doesn't really work if any of the participants are malicious because whoever the last party is to reveal what their random number is can just refuse to do so if it's going to make them lose. So what we'd like is a scheme to publish a commitment that we have to reveal within some certain time and Bitcoin is gonna provide a really cool means for us to do that. So how can we do this? And again, the idea is we wanna force the party who's chosen this random number and committed to it to reveal what the random number was to open their commitment before time T. So let's say that Alice is trying to enter into a timed hash commitment with Bob. So Alice is gonna put up a bond and she's gonna have a transaction that will pay the bond in two cases. So if Alice and Bob both sign, that's enough to claim the bond or if Alice signs and reveals what her data was and you can check this in a Bitcoin script, you can check that there's a value in the redemption script, the scriptSig, that includes that value X that has a certain hash. So Bitcoin without changing anything about the script allows us to include this property that you have to specify this data with a certain hash in order to claim payment. So in that case, Alice can claim the money all by herself but she has to reveal her chosen value, she has to open her hash. Okay, so now how can we use this funny, complicated transaction with two different ways to claim the money? Well, Alice and Bob are both going to sign a transaction that pays the entire value to Bob and they're gonna use this nLockTime which we talked about earlier to ensure that Bob can't claim the bond before some time T.
So now they've set up essentially a ticking time bomb where if Alice doesn't do anything else, Bob is going to get the value of that bond at time T. So as an alternative, Alice can publish a transaction before time T reclaiming her bond, sending the money back to herself but if she does that, she has to not only sign it, she has to reveal X. So I said that there were two ways to claim this original transaction and either one of them is a valid outcome of the protocol. So either Bob gets this bond, some money that Alice put up or Alice has to reveal her commitment. So it's not exactly forced. If Alice doesn't reveal her commitment, she's not going to be thrown in jail but she will lose this entire bond that she put up. So her guarantee that she will reveal the commitment is as strong as how much money she's willing to put behind it. So how can we use this primitive of timed hash commitments to do a more secure lottery? We'll have almost the exact same structure as before except instead of using the simple hash commitments, now everybody is going to use a timed commitment where if they don't reveal their random value by a certain time, there's a bond that the other two players will get to keep. So if we get into that same situation where Carol can look at the other two parties' random values and say, I'm about to lose this lottery, the other possibility for Carol of not publishing is also not very appealing because if she refuses to publish her random value, she's going to lose her bond anyway. So if the bond is higher than the value that's at stake in the lottery, we expect that Carol will publish her value and the lottery will go on as usual and everybody will get their bond back. So this lottery in Bitcoin using timed commitments has been proposed and can actually be implemented on top of Bitcoin today. Now the downside is that this is fairly complicated.
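The timed hash commitment and the bonded lottery, as an added example written for this page rather than the lecture's own code: a Python model of Alice's bond output with its two spend paths (block heights stand in for time T, every player bonds toward every other player, and the amounts are constructed units), plus the payoff check that the bond has to exceed the stake. Picking the winner from the revealed values is the plain commit-and-reveal step and is not repeated here.

```python
import hashlib
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, Optional


@dataclass
class TimedCommitment:
    """Model of the bond output Alice creates toward Bob (not real Bitcoin script).

    The output can be spent two ways, mirroring the text:
      1. Alice alone, by revealing x with H(x) == commitment (her reclaim path);
      2. Alice and Bob together.  They pre-sign a path-2 transaction paying
         everything to Bob with nLockTime = deadline, so Bob collects the bond
         once the deadline passes if Alice has not reclaimed it by then.
    """
    committer: str
    counterparty: str
    commitment: bytes
    bond: int
    deadline: int
    revealed: Optional[bytes] = None
    paid_to: Optional[str] = None

    def reveal(self, x: bytes, height: int) -> bool:
        """Path 1: valid only before the deadline and only with the right preimage."""
        if self.paid_to is not None or height >= self.deadline:
            return False
        if hashlib.sha256(x).digest() != self.commitment:
            return False  # the script's hash check rejects a wrong x
        self.revealed, self.paid_to = x, self.committer
        return True

    def claim_timeout(self, height: int) -> bool:
        """Path 2: Bob's pre-signed transaction is only valid once height >= deadline."""
        if self.paid_to is not None or height < self.deadline:
            return False
        self.paid_to = self.counterparty
        return True


def settle(commitments: Dict[str, bytes], reveals: Dict[str, Optional[bytes]],
           bond: int, deadline: int) -> Dict[str, int]:
    """Pairwise bonds: each party bonds toward each other party (hence N^2 setups).

    Returns each party's net change from the bonds alone.  Honest parties end
    at 0 (their bonds come back); a party that withholds its value, or reveals
    a value that does not open its commitment, forfeits one bond to each
    other party.
    """
    balances = {p: 0 for p in commitments}
    for a, b in permutations(commitments, 2):
        tc = TimedCommitment(a, b, commitments[a], bond, deadline)
        balances[a] -= bond                       # a funds the bond up front
        x = reveals.get(a)
        if x is not None and tc.reveal(x, deadline - 1):
            balances[a] += bond                   # reclaimed by opening the commitment
        else:
            assert tc.claim_timeout(deadline)     # deadline passed, b's locked tx is valid
            balances[b] += bond
    return balances


def abort_is_dominated(stake: int, bond: int, n_parties: int) -> bool:
    """Withholding costs (n-1) bonds; losing honestly costs one stake.

    With bond > stake the rational last revealer still reveals, which is the
    condition the text gives for the lottery to go on as usual.
    """
    return -(n_parties - 1) * bond < -stake


# Constructed sample values: stake 5, bond 6 (bond > stake), deadline at height 100.
STAKE, BOND, DEADLINE = 5, 6, 100
SAMPLE_X = {p: hashlib.sha256(p.encode()).digest()[:16] for p in ("alice", "bob", "carol")}
SAMPLE_COMMITMENTS = {p: hashlib.sha256(x).digest() for p, x in SAMPLE_X.items()}

if __name__ == "__main__":
    print("everyone reveals:", settle(SAMPLE_COMMITMENTS, dict(SAMPLE_X), BOND, DEADLINE))
    print("carol withholds: ", settle(SAMPLE_COMMITMENTS, dict(SAMPLE_X, carol=None), BOND, DEADLINE))
    print("abort dominated: ", abort_is_dominated(STAKE, BOND, 3))
```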
Doing those timed hash commitments requires multiple transactions and when you have N players in the lottery, it's actually an N squared algorithm and you also have to put money up in the form of a bond and the key property is that the bond money you put up has to be more than the amount that you're actually betting. So this isn't the most efficient way to do a lottery because you have to put up more money than is actually at stake in the lottery but it's pretty good and for a small number of people it might work okay. So we showed in the last section how multiple people could have a secure lottery on Bitcoin where each of them provides some randomness and we combine that to get group randomness and we use timed hash commitments to make that process fair. In this section we're gonna talk about using Bitcoin to generate public randomness. So the same situation we want to do a lottery but now maybe we have so many participants that it's impossible to have everybody send randomness in. Maybe that's not the most convincing protocol to the public or maybe it's just something that people aren't aware of yet. So what do I mean by a public randomness protocol? I'll go through a couple of examples to show how this is done in practice because this is already used for a large number of applications. So one example that happens every spring is the NBA draft lottery. So all 30 teams in the NBA get together and they randomly choose with some weighting based on how the teams did in the previous season who's gonna have the rights to draft the top amateur player in the country. So this was first done in 1985 and there was a little bit of controversy then because the New York Knicks won in the first year and they were able to select Patrick Ewing who was a very highly touted prospect.
And almost immediately after that happened people alleged that there was a conspiracy and that this process was rigged so that the Knicks who happened to play in New York which is a large media market were able to select the best player. So if you go online you can find all manner of conspiracy theories for how the NBA rigged this process such as the famous bent corner theory which says that they pulled an envelope that had a bent corner out of the bowl of envelopes with different team names in them. And even today they do this lottery every year and there are a whole bunch of conspiracy theories that come out immediately every time they do it alleging that the process wasn't fair it wasn't truly a random draw. A more serious example comes from 1969 when there was a conscription lottery in the United States to determine which young men were going to be forced to join the armed services most of whom were sent to Vietnam. So this was a somewhat similar protocol several congressional representatives carried this out they dumped small capsules with every day of the year into a large plastic drum that you can see there and then they took turns reaching their hands in to pull the numbers out. And participants in the draft were given a priority number which determined how likely it was that they were going to be forced to join the military based on what day of the year their birthday fell on. So this is the first time that this was done in 1969 on a national scale and the goal was to make this process more fair and to demonstrate that this was a random process but unfortunately they botched it. So the statisticians looked at the results of this within a week after the lottery happened and they noticed a funny pattern that, while somewhat subtle, was very unlikely to have happened due to chance. And that was that most of the days late in the year received very low draft numbers.
And the reason this happened when they went back and looked at the tape is that they turned the wheel over exactly an even number of times so that the capsules that started on top tended to stay on top. There wasn't sufficient mixing. So while there was some mixing and it was somewhat random, it didn't turn out to be a truly random draw. So both of those examples show that it's very hard to do public randomness and convince the public that you've actually done a good job. There's both the risk that the public will not believe you and the risk that you'll actually screw it up in the process of trying to do this physical display of randomness. So for a long time people have wondered could we do better cryptographically? Could we have a service that we call a cryptographic beacon? And the idea is that this beacon much like traditionally a beacon is like a lighthouse that sweeps out light at regular intervals. This cryptographic beacon will emit new random data at a regular rate. And the goal is that it will emit uniform randomness that nobody can predict in advance. So everybody agrees that there's no way to predict what values the beacon is going to output next. And yet every party can see the same values and agree on them. So if this perfect cryptographic beacon existed the NBA draft lottery or the Vietnam conscription lottery if you wanted to do a process like that or even if you just wanted to play bingo at your local social club you wouldn't need to use a large wheel or any physical display of randomness. If everybody trusted the beacon you would save a lot of effort from having to have these small physical displays of randomness. There's a whole bunch of applications besides just lotteries. So various applications in auditing and voting systems, zero-knowledge proofs, cut-and-choose protocols throughout the security literature.
There were a lot of examples of things that can be done much more simply and efficiently if you had a perfect cryptographic beacon that satisfied all of these nice properties. So unfortunately we haven't found a perfect solution for this yet. Like I said, the public display of randomness, using a wheel, flipping coins, rolling dice, spinning a dreidel, what have you, has been a solution that's been very popular throughout history because it's cheap and easy and everybody can see it and understand it. But this really doesn't scale to remote scenarios very well because it's very hard for people to audit, even if they just see a video, that you haven't been a magician. You haven't done some kind of sleight of hand where you swapped out the dice for weighted dice or you somehow rigged the process. So it's very hard to establish trust remotely in any kind of physical process which is basically the problem that the NBA has had for years trying to convince fans that they're doing a fair process and they've switched to a bunch of different technologies. They've done both the envelopes and ping pong balls bouncing around with fans and people can always come up with some outlandish scenario where there's somehow cheating and there's more to it than you can see on the video. So for the purposes of this lecture, I think we can rule out a public display of randomness as something that we could ever have a high level of trust in. So the National Institute of Standards and Technology, NIST, has started in the last few years to run their own beacon. And the way they generate the random numbers is through a very complicated setup involving two entangled photons that gives you very strong guarantees that you have randomness generated from a quantum mechanical phenomenon. And if you believe the Heisenberg uncertainty principle and other basic core tenets of physics, then this should be random and nobody can predict it.
And NIST has set this up as a machine so every 60 seconds they publish a lot of random data and they sign it. So this is probably the most efficient thing to use. They just have a feed on the web. You can listen to their server broadcast this stuff and get all the randomness you want. And if you read their papers in the physics argument, there's a very strong argument that this is truly random and that there's no way anybody could predict it. Of course, you have to actually trust that NIST is doing this. You have to trust that somewhere in a building in Maryland they've actually built this and they aren't just making it up, and that they don't have the ability at a specific time if they want to overwrite the value with some other data that they happen to want. So this is sort of the limits in a sense of physical display of randomness and it still hasn't gotten around this problem that you have one trusted party doing it and unless you physically go there and observe the process yourself, it's very hard to have a high level of confidence that this was a fair process. So what if we use some natural phenomenon that everybody can observe? So examples might be sunspots or solar activity on the surface of the sun, things like the weather, what temperature is going to be tomorrow, how strong the wind will be, whether or not it will rain, or even cosmic background radiation which is just noise that you can listen to from any point on earth and everybody should be able to read the same values. So these are phenomena that are happening at such a large scale that it's fairly easy to convince yourself that nobody is going to be rigging the process. It's somewhat far fetched to imagine that somebody would fly a spacecraft to the surface of the sun to modify what was going on in order to rig some lottery back on earth. So that's great that it's publicly observable and that in most cases we can accept the randomness here too.
We have pretty good beliefs that enough days in advance it's impossible to predict low level weather phenomena. The problem with these approaches is that they're fairly slow. For example, if your random signal is what the daily high temperature is going to be, you only get to read that once a day. The surface of the sun doesn't change too often and you essentially reinsert the trusted party problem because you need somebody to observe the event. So let's say that we tried to use as a random signal what the temperature will be tomorrow in Princeton, New Jersey. We might get into a problem if I have my own thermometer that says that it was 73 degrees and somebody else has a thermometer that says that it was 72 degrees and the difference between those two meant that a different person won the lottery or some other important outcome of the randomness. To get around that problem we would probably need to designate and say we're going to use one specific person's thermometer to actually measure this phenomenon or maybe we'll use the National Weather Service but at that point you've basically reinserted one trusted party who has control of the process. So a similar idea is to take financial data specifically stock market prices and say can we build a randomness beacon out of that? And again these are publicly observable and there's a fairly good argument based on a bunch of complicated financial models that says that it's very hard to predict the low level fluctuations of stock prices. If you could predict within a penny what the final price of a specific stock will be on the New York Stock Exchange tomorrow you could make a lot of profit as a day trader from that knowledge. So the randomness is good and it should be fairly costly to manipulate. You could try to rig this by say buying or selling stock to try to drive the stock price to a specific value that you want but that has a real cost that you can compute.
But the problem again this is fairly slow because you can probably only read it once a day if you're reading one company's stock price and again it has this problem that there's a trusted party namely the stock exchange who has some control over the process. So even though the party running the stock market has a fairly strong incentive to establish that it's honest and that it's acting in good faith and reporting stock prices as they actually are based on market activity there is the risk that they might try to change the price by a penny or so if it let them rig a valuable lottery. So the theme here with almost all of these approaches is that no matter what you do it seems like you reinsert this one trusted party who has some control of the process. Of course a big theme of these lectures so far is that Bitcoin has been an amazing technology at removing central trust from protocols that we didn't think that was possible to do before. So can Bitcoin pull the same trick off for a randomness beacon? Can we extract random data from the Bitcoin blockchain with the same decentralized properties that make Bitcoin so attractive? If we recall the fact that miners have to find a random nonce for each block we think we might be in business here. Why can't we use the random nonces that miners are finding in the process of mining as a randomness beacon? So there's a fairly strong argument that you can't predict with high probability what the next nonce will be. If you could you'd have a mining shortcut. So if you had the capability to predict what the next nonce will be with a probability greater than one over D where D is the difficulty of finding a block then you would have a faster way to mine than just trying nonces at random. And remember that D is pretty high right now that's greater than two to the 66. So that means that every block that's mined in Bitcoin should have 66 bits of randomness that are impossible for anybody to predict. 
At least if Bitcoin is secure there should be no way for any of the miners or anybody else to predict what those random bits will be. So once we realize that it's fairly simple to turn the blockchain with minimal modifications into a randomness beacon. We simply take every block in the chain take the entire value of the block header and run it through an extractor function. And an extractor function without going into all the details here is sort of like a hash function and it's designed to squeeze all of the random data out into one uniformly random string. And that will give us a nice randomness beacon and every time a block is published in Bitcoin we have new output from the beacon. So how costly would it be to manipulate this? So any miner has the capability if they find a block to discard it to not relay it to the network, not publish it not let it be the next block in the sequence. And they could do this if they find a block and realize that it produces a beacon output that they don't want. And it might not be the miner that decides that it might be somebody who's trying to force the beacon to have a certain output who says that they're willing to bribe miners and if they find a block that's undesirable this attacker will bribe and pay them more than the block reward in exchange for not publishing this. So let's say that you're trying to force some beacon output with probability P. This is just gonna be a Bernoulli trial so you have to discard some number of blocks until you happen to hit success and the expected number of blocks that you'll have to discard is one over P minus one. And recall that discarding a block is pretty expensive you are gonna lose the entire block reward which is currently 25 Bitcoin or around $15,000 US at today's prices. So what's the practical cost of manipulation? So say that you're doing a single coin flip. Like I said, the expected number of blocks that you are gonna lose the reward for is one over P minus one. 
And with a single coin flip P is just a half. So you'll get that you have to discard about one block on average and eat that whole 25 Bitcoin cost. And if you have an N-party lottery where it's fair between all N parties, it's gonna be 25 times (N minus 1) Bitcoins. So this process will be secure as long as the amount that you're betting is less than that cost of manipulation. So essentially if two people wanna have an even odds bet and they wanna use Bitcoin as the source of randomness this is going to be secure as long as they've wagered less than 25 Bitcoins or again about $15,000. So the advantages of this it's somewhat remarkable that this is the first proposal that's really out there for a fully decentralized beacon. So a beacon that has no central point of trust. And compared to some other processes it's actually fairly fast. It's not gonna output as often as say the NIST beacon which is designed to output as often as possible but about every 10 minutes you'll get new output from the beacon. And it's also nice that we can precisely analyze what the manipulation costs are here. So we have a fairly simple model and we can price the cost of manipulating the random output and how many block rewards you'll have to sacrifice. So the downside of using Bitcoin as a beacon compared to some of the alternatives is that the timing is a little bit imprecise. So suppose we wanna read the value of the beacon tomorrow at noon. We don't know exactly which block is going to be published tomorrow at noon because blocks are just published whenever they're found not in any specific schedule. So we'd have to guess based on the distribution in the average times what block index will be published around noon tomorrow but that will give us quite a bit of variance. And we'll also have to delay when we accept the result of the beacon based on the risk of a fork.
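An added example, not from the lecture, of the beacon construction and its manipulation cost: it serializes a Bitcoin block header, runs the whole header through a stand-in extractor (a domain-separated SHA-256 is assumed here in place of a proper randomness extractor), and prices an attack as 1/P - 1 discarded blocks at 25 BTC each. The genesis block constants used as sample input are public Bitcoin values, not something this page states.

```python
import hashlib
import struct


def serialize_header(version: int, prev_hash: str, merkle_root: str,
                     timestamp: int, bits: int, nonce: int) -> bytes:
    """Build the 80-byte Bitcoin block header.

    Hashes are given in the usual display order (big-endian hex) and stored
    byte-reversed; the integer fields are little-endian.
    """
    return (struct.pack("<I", version)
            + bytes.fromhex(prev_hash)[::-1]
            + bytes.fromhex(merkle_root)[::-1]
            + struct.pack("<III", timestamp, bits, nonce))


def block_hash(header: bytes) -> str:
    """Double SHA-256 of the header, shown byte-reversed as block explorers do."""
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()[::-1].hex()


def beacon_output(header: bytes) -> bytes:
    """Beacon value for one block: the entire header through an extractor.

    A real randomness extractor is beyond this example; a domain-separated
    SHA-256 stands in for it.  That substitution is an assumption of this
    example, not the lecture's construction.
    """
    return hashlib.sha256(b"beacon-example/v1" + header).digest()


def pick_party(output: bytes, n_parties: int) -> int:
    """Map one beacon output to one of N outcomes (e.g. a lottery winner's index)."""
    return int.from_bytes(output, "big") % n_parties


def expected_discarded_blocks(p: float) -> float:
    """Forcing an outcome of probability P is a Bernoulli trial: 1/P - 1 blocks on average."""
    return 1.0 / p - 1.0


def manipulation_cost_btc(p: float, block_reward: float = 25.0) -> float:
    """Each discarded block forfeits its whole reward (25 BTC at the time of the lecture)."""
    return expected_discarded_blocks(p) * block_reward


def fair_lottery_cost_btc(n_parties: int, block_reward: float = 25.0) -> float:
    """A fair N-way lottery means P = 1/N, so the attacker expects to burn 25*(N-1) BTC."""
    return manipulation_cost_btc(1.0 / n_parties, block_reward)


def wager_is_safe(wager_btc: float, p: float, block_reward: float = 25.0) -> bool:
    """The lecture's criterion: the amount at stake must be below the manipulation cost."""
    return wager_btc < manipulation_cost_btc(p, block_reward)


# The real Bitcoin genesis block header (public constants, used as sample input).
GENESIS_HEADER = serialize_header(
    version=1,
    prev_hash="00" * 32,
    merkle_root="4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b",
    timestamp=1231006505,
    bits=0x1D00FFFF,
    nonce=2083236893,
)
GENESIS_HASH = "000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f"

if __name__ == "__main__":
    assert block_hash(GENESIS_HEADER) == GENESIS_HASH   # sanity check on the serialization
    print("beacon output:", beacon_output(GENESIS_HEADER).hex())
    print("3-party winner index:", pick_party(beacon_output(GENESIS_HEADER), 3))
    print("cost to rig a coin flip:", manipulation_cost_btc(0.5), "BTC")
    print("cost to rig a 3-way lottery:", fair_lottery_cost_btc(3), "BTC")
```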
So just like with anything else in Bitcoin we'll probably wanna have that roughly six block confirmation time before we accept that this really is the final beacon output. And the cost of manipulating this beacon may be too low for some applications that we care about. So if we're actually running the NBA draft and there are millions of dollars at stake it may suddenly look worthwhile for one of the teams to start paying Bitcoin miners to manipulate this process. So it's an open question if we can extend the security of this construction to make it secure in a case like that even when we have millions of dollars on the line. So one more really cool idea for what we could do with a beacon built off of Bitcoin. What if we extended the Bitcoin scripting language so that there was a special opcode to call the beacon? So currently there's no way to have any randomness in a Bitcoin script. That's by design because the miners have to be able to verify this and they wanna all be able to verify it and get the same thing. But if we use the beacon the public source of verifiable randomness then you could use the beacon to insert randomness into scripts in such a way that any miner could run and they would run the script in the same way. So what could we do with that? Well, if we had one opcode that would make a random decision based on say the beacon output of the block before we could replace that entire complicated lottery protocol with one script that just read the beacon once and based on the results of the beacon assign the output to one of three keys or N keys however many players we are and you'd be done. It wouldn't be a multi-round protocol. We wouldn't need bonds. We wouldn't need timed hash commitments. We could just use the beacon. So this is a somewhat out-there idea but there are a lot of cool applications for what we could do with this. So for the final topic today we're gonna be talking about prediction markets and bringing real world data into Bitcoin.
And this is gonna be another big change of direction and we're gonna stray a little bit far away from Bitcoin in this one perhaps but it should be a really fun topic. So how can we make assertions about the outside world within Bitcoin? So the idea is we'd like to add a mechanism to assert facts about the real world into Bitcoin. And those facts might be who won an election, who won a sports match, what the price of some commodity is on a certain day, any kind of real world data that is of importance to a lot of people. So if we had those kind of facts available in Bitcoin, say there was some script call that you could make that would just say what the current price of copper is on some common exchange, you could start doing all sorts of cool things with smart contracts. You could bet on the future price of commodities on who's gonna win a sports match. You could hedge and you could derive all of the things like forwards and futures that financial markets are built to buy and sell and trade. So wouldn't it be great if we could do all of this in the realm of Bitcoin? Basically every variety of betting on the future. And the most general formulation of this is called a prediction market and we'll be talking about how to build a prediction market in Bitcoin since if you can build a prediction market, you can essentially build almost any other financial derivative that you'd be interested in. So what's a prediction market? Quite simply, it's a market where you can trade shares in potential future events. So you can have a share in some event. The event might be the Yankees win the World Series in 2014 and that share will be worth some price X if the event actually happens and it will be worth nothing if it doesn't happen.
So before the event is certain during the season say, there will be some price at which that asset is trading and the price will indicate the probability that people have in their minds, the belief that they have of how likely the event is to actually occur. Okay, so let's take a look at an example which hopefully will make the concepts behind prediction markets make a lot more sense. Let's look at the 2014 World Cup which just wrapped up last month in Brazil. And let's say we had a market where you could buy and sell shares in teams and the idea is that these shares will be worth one only for the team that ultimately wins. Now going into the tournament, every team, of course I just have five examples here, every team would actually have some non-zero price but before the tournament starts every team's shares will have some price based on what the market believes their chances of winning are. So over there on the left, you can see Germany, their shares are trading for about 12 cents which means that the market thinks they have a 12% chance of winning and so on for Argentina, Brazil, the US and England over here on the right which the market gives about a 5% chance of winning. So again, that price that the market assigns is equal to the probability that people believe that that team has to win. Now as the tournament goes on these prices are gonna fluctuate and that's gonna reflect the market's changing belief in how likely each team is to win. So after the group stage, we can see that England which was trading at five cents, a 5% chance to win before the tournament started has now gone to zero. So England was knocked out after the group stage, there's no way for them to win at this point and the price reflects that their shares are now worthless.
Whereas the US team, which people thought didn't have a good chance of even surviving the group stage, hence the one cent price at the beginning of the tournament, did fairly well to get out of a tough group in the group stage, so maybe they were trading for six cents after that point. And now here's the key insight, the most important thing to understand about prediction markets. If you had thought to buy US shares in the beginning when they were very cheap, when they were selling for one cent, you could sell them immediately after the group stage for six cents, you wouldn't have to wait till the end of the tournament. You could immediately profit not from the fact that the US team won the whole tournament, because they didn't in the end, just from the fact that people's belief that they had a chance to win the tournament went up after their strong performance in the group stage. So the tournament's gonna go on. When we get to the semifinals, there's only four teams left. Of course, sadly, the US was knocked out, so their share price has gone to zero along with England, but when there were four teams left, now they all have a relatively high price. And the Brazilian team was trading for a very high price going into the semifinals. People thought they were a strong team and they had a good chance to win. Of course, the German team actually defeated the Brazilians quite strongly, so Brazil's share price went to zero. And once again, you would have had a very strong chance to profit here if you took a short position. And there's a variety of ways to do that, but essentially you can set yourself up to profit if a share price goes down as well as going up. And within a span of a couple of hours, people's beliefs changed dramatically as the Brazilian team lost and lost decisively. 
And you could profit in a very short timeframe if you were confident going into that match that the Brazilian team was overvalued, not as good as people thought it was, and that the share price was about to decline. And of course, going into the finals, there's only two teams left. So at this point between the German and the Argentine team, the only two teams in the final, those two prices should add up to one because one of those teams has to win and probabilities should always sum to one. And after the whole tournament's over, everybody's ready to pack up and go home. The only shares that have any value are shares in the German team because the Germans were the team that actually won in the end. But the most important insight here is that one way to profit certainly would have been to buy shares in Germany at the beginning for 12 cents and hold them all the way to the end in which case you would make a dollar. And that would be basically equivalent to traditional sports betting where you place a bet before the tournament starts that Germany is going to win. But in a prediction market, there's lots of other ways to play and lots of other ways to profit. You don't have to just bet on the right team and hope that they win. You can invest in any team at any time or you can take a short position and you can profit just on the ability to predict that people's beliefs will change. Here's another example and this is from a real prediction market. This is the belief over time before the 2008 US presidential election and whether Barack Obama or John McCain would win. And Barack Obama is represented in blue on the top and McCain is represented in red on the bottom. And you can see that as the months unfold and various things and gaffes happen on the campaign trail, people's beliefs about who's gonna win the election fluctuate a little bit. And historically, you can go back to most of these fluctuations and trace them to a specific event. 
Either a candidate made a gaffe or they did something good that made them more popular and then people's beliefs changed. And you can see that as of about September 2008, so about two months before the election all the way on the right side here, McCain almost got back up to a 50-50 chance with Obama. So at that point in time, the public really didn't know who was gonna win the election. It was still a toss up. But by the time the election actually happened, you can see that Obama was given a 90% chance to win the day before the election. So the market was well aware going into it based on polling that the election was basically over before votes were cast. At least it was very unlikely for Obama to lose the election. And this really demonstrates the power of prediction markets because you could read all the newspapers and watch all the news that you want and they'll offer a lot of expert opinions discussing either way who they think's gonna win. But if you just look at the prediction market where people have real money at stake, you could see that in the week leading up to the election, it was pretty clear that Obama was gonna win the thing. So that's why economists really love prediction markets. They reveal, they should reveal if you believe in an efficient market and a couple of other assumptions, they should reveal all the knowledge that the public has about the future. So that share price in different events should be the best encapsulation of everything we know about the future. So they're a great mechanism for revealing information and they allow you to profit from being able to make accurate predictions. So one description of prediction markets has been a tax on BS. So if you're saying things that aren't true or making predictions that are very unlikely to happen, if you have to actually put money behind them in a prediction market, that will be very costly. And it has been shown that in practice, prediction markets have pretty good predictive power. 
Collectively, they can often beat opinion polls or asking experts. But there's also been kind of a tortured regulatory history here. So Intrade was the most popular prediction market on the internet for a period of about 10 years and it ran into all sorts of regulatory issues in the US for a variety of reasons. I won't get into all of the legal details here, but Intrade was eventually shut down in 2013 and a lot of economists were sad about this because they believed that this valuable social tool that revealed information about the future was lost. So could we build a decentralized prediction market? Again, decentralization being the name of the game with Bitcoin. So there's a couple of tasks that we'll have to decentralize to make a decentralized prediction market work. So we need payment and we need enforcement of bets that people are making. That all has to be decentralized. We're gonna need decentralized arbitration. Arbitration is the process of asserting which outcomes have actually happened. Most of the time in the case of an election or a sports match, you may say it's pretty obvious who won and who lost, but there are gray areas and we need to decentralize order books. So a way for people to buy and sell shares for buyers to meet sellers that's decentralized and doesn't rely on a centralized clearinghouse. So we'll go through each of these challenges in order. So payment and settlement, this is the easiest. Given Bitcoin, we can use Bitcoin to do payment, and the simplest solution, maybe we could use trusted arbiters. So we could basically do escrow transactions and the arbiter will enforce the contract, the fact that if you bet on something that didn't happen, you lose money simply by not signing transactions. A better solution would be if we built an altcoin that had explicit support for prediction markets. So what would that look like? There's a proposal for doing this called Futurecoin. 
This isn't an altcoin that has actually been built, but it's a proposal that adds a couple of transaction types in addition to just normal sales of Bitcoin or any other cryptocurrency. So the transactions that are added specific to prediction markets let you buy a portfolio in some event. So the idea is that for $1 or one Futurecoin, you buy a share in every possible outcome. So say this is the World Cup, there's 32 teams entered. For one Futurecoin, you buy a share in every possible team. And then on the bottom here, there's a sell portfolio which lets you sell a share in every outcome to get one Futurecoin, one unit of currency back. So obviously those two match. So for one Futurecoin, you can buy a share in every outcome and you can turn a share in every outcome back into one Futurecoin. But you can also trade the shares one for one for each other which is much more interesting. So you can buy a share in every outcome and then you can sell the shares that you don't actually think you wanna hold. So the teams that you don't wanna bet on, you would sell to somebody else who did want those shares. And then you would end up with a position which wasn't just balanced on every team. Say you would buy a bunch of shares in the team that you actually wanted to back. And again, that would be one way of profiting. You could just buy a portfolio, wait for the prices to change and then sell all of the shares directly for Futurecoins which you could turn into Bitcoin or some other currency and profit that way. And the other way to profit would be to buy a portfolio, sell some of the shares and then eventually at the very end of the market there's this special close that happens at which point you can sell a portfolio and you only need one share in the winning outcome. So how can we do arbitration? How can we assert who actually won so that we can do this close and let people redeem their winning shares to get their money back, to get their winnings? 
So the simplest model is to just have trusted arbiters. So we say anybody who wants to can define and open a new market. They can stand up and say, I'm opening a market on the World Cup, I will decide who won in the end and if you trust me, you should be willing to accept my signature that that's the correct outcome. And like many other things they would probably build up a reputation over time and they would have some incentive to arbitrate correctly to maintain their reputation but there's always the risk that they could abscond and this could be very dangerous in a prediction market. So for example, if one arbiter was in business for a long time and everybody trusted them they might wait until the World Cup and then they might assert say that Argentina won even though they lost in the final if they had bet on Argentina heavily and were trying to profit from it. So could we have a more decentralized arbitration model? This is a little bit tricky but there's a few ideas here. One is to have all of the users, all of the people who hold shares in the market vote on who won. And the idea wouldn't be really to vote as if there was a lot of uncertainty but just that everybody would vote on what happened in reality. And there's various ways you could try to incentivize users to vote correctly. So we could have users put up bonds or maintain a reputation and if they vote in a different direction than most other people vote they suffer some penalty. They lose their bond and their reputation goes down. And then everybody is incentivized at least to vote in the same way that everybody else is voting if not to vote in the way that reality actually happened. And you could set up a similar system where instead of the users voting you have the miners in your cryptocurrency voting. And again, miners would be incentivized to vote correctly because if they vote incorrectly future miners might fork and then they would lose their block reward. 
But this runs into the problem that miners may not know about every market that people are interested in and they may just not care about some. So it may be too high of a burden to put on miners if you expect them to be able to arbitrate every match that happens in the second tier Mongolian football league that somebody somewhere wants to bet on. So there's been one attempt to actually make this happen, at least one attempt to make this happen, which is a protocol called Reality Keys. And the idea with Reality Keys is that you can actually sign statements that are usable in Bitcoin that assert yes or no whether or not one of two outcomes happened. So this is fairly simple. It's not as complicated as some of the more sophisticated arbitration models we'd like to get to but this is a step toward having arbitration for an online prediction market. So there's a caveat here which is that sometimes reality is complicated. I had assumed that what actually happened in reality wasn't in dispute, we just wanted to have a voting mechanism to insert the facts from reality into the digital world. Sometimes what happens in reality isn't quite so easy to discretize into a digital form. So my favorite example came from the Super Bowl this past year. There's an annual bet that a lot of people like to make in the Super Bowl which is what color Gatorade the winning team will dump on the winning head coach. So this is a tradition after every Super Bowl or lots of other big football games the winning team takes a bucket of Gatorade and dumps it on their coach. And you can actually make a bet on what color Gatorade they're gonna use for this purpose. You can see that clear was the odds on favorite but orange and yellow were also strong contenders. Those are popular colors and green, blue, red less likely to happen. So this bet has happened for probably 20 or 30 years. It's been just a popular fun bet. And in the last Super Bowl something went a little bit awry. 
So the Seattle Seahawks won, they celebrated, they dumped some orange Gatorade on their head coach Pete Carroll. And then a little later a few other players decided to do it again. And they used yellow Gatorade. So this had never happened before but the Seahawks decided they liked the dumping Gatorade on the head coach ritual so much that they would do it twice. And they used two different colors. So if you're running a prediction market where people had bet on this what do you do in this scenario? It's not clear if orange or yellow should win. What happened in practice with a lot of sports books is that they said we're actually gonna lose money and just to try to maintain our reputation with our customers as a show of good faith. If you bet on orange or if you bet on yellow either way you win. Of course in a decentralized prediction market you can't do that because you can't just create money out of thin air to pay both parties. So there's a couple of solutions here. Maybe you could say that orange and yellow both win, they each win half of the winnings. So instead of closing at a value of one they close at a value of 0.5. But ideally you would define your contract a little bit more carefully next time. And you might say what will the first color of Gatorade be to be poured on the winning head coach. But the lesson here is that no matter how careful you are in defining what your market is there can always be some event that happens in reality that wasn't something that you predicted. So something that people didn't have shares in might actually happen in which case it's very tricky to know what to actually do. So the final piece to build is an order book. So in a real prediction market or most financial markets there isn't truly one market price. There's the lowest price that anybody's willing to sell at and the highest price that anybody's willing to buy at. 
So this is an example from a small prediction market that's being run today using Bitcoin called Predictious. And they have a market here on whether or not Scotland will vote yes in their independence referendum which is scheduled two months from today. And you can see that there's a spread in each case, there's a spread between what people are willing to sell at and what people are willing to buy at. And the goal of an order book is to match up those sellers and buyers so that they make a trade and that they split the difference. Traditionally this has been done in a centralized way. So you have one order book, they collect all of the orders, they actually keep them secret. They match people up and they divide the difference down the middle. So the price you get is halfway between basically the lowest you are willing to sell for and the highest that the buyer was willing to buy for. And this has a couple of risks. So if the centralized order book is dishonest they might put their own orders in ahead of time to try to get a better deal for themselves. So this is called front running. It shows up in a variety of financial settings and it's considered a serious crime. So theoretically this is something that you go to jail for a long time for if you're caught doing it. And centralized order books require that legal enforcement to prevent front running and to keep the security model sound. So in a decentralized order book we're not gonna be able to have strong legal enforcement like that. But there's a clever idea which is to just forget about front running and say instead of having front running be a bug or a crime we're just gonna have it be a feature. And the way to do that is that everybody can submit orders to miners and the miners can match any possible trade and instead of splitting down the middle the miner actually keeps the entire spread as a transaction fee. 
And the beauty of doing this is that the miners now receive a transaction fee and they have no incentive to front run because front running will never be more profitable than just capturing the spread as a transaction fee. So this is a very nice elegant way of doing a decentralized order book. The only downside here is that you have to pay potentially a high fee to the miner if there's a high spread and to try to prevent paying that high fee people might submit much more conservative orders. And as a result this thing might be less efficient, people might make trades more slowly as they slowly iterate towards each other, they may not be willing to declare upfront their exact willingness to pay because doing so might lead to a large spread that the miner gets to capture. So it's not known yet how this will function in practice, there's some fear that it will be a lot less efficient than a centralized order book but it seems to be a very promising approach. So to summarize, in trying to build a prediction market what can we actually bolt on top of Bitcoin? So it looks like payment wise we're in good shape, Bitcoin is a good currency to base a prediction market off of. In terms of doing settlement it's fairly hard, you could draw up some contracts using Reality Keys where you have a position based on some future event but there's no way in Bitcoin to really trade that position. So we don't have a way to do decentralized trades. In terms of arbitration the only thing you can do is a trusted arbiter model, again the Reality Keys model, the more sophisticated things where users or miners vote aren't going to be possible in Bitcoin, you'd need an altcoin for those things. And finally order books, there's no built in concept of an order book in Bitcoin so you'd be stuck with an external centralized order book. 
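To make the pieces above concrete, here is an added toy ledger (example code written for these notes, not Futurecoin's actual design or anything from the lecture) that models the Futurecoin-style buy-portfolio and sell-portfolio transactions, a miner-matched share trade where the miner keeps the whole spread as its fee, and the arbiter's close, including the 0.5/0.5 split close for the two-color Gatorade case. All names, prices and the conservation check are constructed for the example; prices are exact Fractions so the check that no coins are created out of thin air can be asserted.

```python
from collections import defaultdict
from fractions import Fraction

class PredictionMarket:
    """Toy ledger for a Futurecoin-style market (constructed for this example)."""

    def __init__(self, outcomes):
        self.outcomes = tuple(outcomes)
        self.coins = defaultdict(Fraction)    # user -> coin balance
        self.shares = defaultdict(Fraction)   # (user, outcome) -> shares held
        self.locked = Fraction(0)             # coins backing outstanding portfolios
        self.miner_fees = Fraction(0)

    def buy_portfolio(self, user, n=1):
        """One coin buys one share in EVERY outcome (a complete set)."""
        n = Fraction(n)
        if self.coins[user] < n:
            raise ValueError("insufficient coins")
        self.coins[user] -= n
        self.locked += n
        for o in self.outcomes:
            self.shares[(user, o)] += n

    def sell_portfolio(self, user, n=1):
        """A complete set redeems for one coin, at any time before the close."""
        n = Fraction(n)
        if any(self.shares[(user, o)] < n for o in self.outcomes):
            raise ValueError("need a share in every outcome")
        for o in self.outcomes:
            self.shares[(user, o)] -= n
        self.locked -= n
        self.coins[user] += n

    def match(self, outcome, seller, ask, buyer, bid, n=1):
        """Miner-matched trade: seller gets its ask, buyer pays its bid, and the
        miner keeps the whole spread as its fee, so it gains nothing by front-running."""
        ask, bid, n = Fraction(ask), Fraction(bid), Fraction(n)
        if bid < ask or self.shares[(seller, outcome)] < n or self.coins[buyer] < bid * n:
            raise ValueError("orders do not cross or insufficient funds")
        self.shares[(seller, outcome)] -= n
        self.shares[(buyer, outcome)] += n
        self.coins[buyer] -= bid * n
        self.coins[seller] += ask * n
        self.miner_fees += (bid - ask) * n
        return (bid - ask) * n

    def close(self, payouts):
        """Arbiter's verdict: outcome -> value per share, summing to exactly 1.
        {'Germany': 1} is a normal close; {'orange': 0.5, 'yellow': 0.5} a split close."""
        if sum(Fraction(v) for v in payouts.values()) != 1:
            raise ValueError("payouts must sum to exactly one coin per portfolio")
        for (user, o), n in list(self.shares.items()):
            self.coins[user] += n * Fraction(payouts.get(o, 0))
            self.shares[(user, o)] = Fraction(0)
        self.locked = Fraction(0)

    def total_value(self):
        """Coins in balances + miner fees + coins locked behind open portfolios."""
        return sum(self.coins.values()) + self.miner_fees + self.locked

def world_cup_demo():
    """Constructed scenario: alice buys a portfolio and sells Argentina to bob."""
    m = PredictionMarket(["Germany", "Argentina", "Brazil"])
    m.coins["alice"] = Fraction(2); m.coins["bob"] = Fraction(2)
    m.buy_portfolio("alice")
    fee = m.match("Argentina", "alice", "0.30", "bob", "0.35")  # miner keeps 0.05
    before = m.total_value()
    m.close({"Germany": 1})
    return m, fee, before
```

Running `world_cup_demo()` leaves alice with 2.30 coins, bob with 1.65, the miner with 0.05, and the same total of 4 coins before and after the close.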
So this lecture was really all about building things on top of Bitcoin and it looks like we can't quite build a functioning prediction market at least not in the way we'd like directly on top of Bitcoin. This is something that we would really need an altcoin to build. And this is a lead-in to what was going to be covered in the next lecture which is altcoins. So the observation is that for some things like prediction markets Bitcoin only takes us so far it really doesn't get us where we want to go in terms of building a secure decentralized prediction market a decentralized order book and all those other things. So what if we could start again from scratch what if we could forget about soft forks and hard forks and how to bolt things on to Bitcoin and just say we've learned a lot since 2008 when Bitcoin first came out why don't we design a new cryptocurrency and everything will be better. So the next lecture will be all about altcoins which are attempts to do just that and we'll talk about all of the promising ideas people have and all of the challenges to starting a new currency at this point.