Cool, so good morning everyone, I am Pranay and I will be talking about crypto economics. So I have worked as a consultant in the blockchain space for the last 5-6 months and have consulted around 4-5 ICOs as of now. So as you all might know, bitcoins and ICOs are the craze now, but the real innovation according to me is in the blockchain space and how the blockchain technology is able to create the incentives so that people and the decentralized nodes can work together. So that is broadly the topic of crypto economics which we will be talking about. So before I go ahead, how many of you know about blockchain, just exploring, how many of you know what a consensus mechanism is, raise of hands, good, cool, 50%, cool, so let's go ahead.

So I guess all of you would have got a message something like this, that you have to submit your other details to your mobile provider or the bank account, otherwise bad things will happen to you, either the government will penalize or things will not work. But when I see this, I wonder, why should I do this? I really have no incentive to get this thing done, go to a store and give my other details. But this is the way all these centralized organizations work, they force you to do things because they say either you will be imposed a penalty or there will be some legal action against you. But this makes me wonder, how does the Bitcoin protocol work, why do the miners in the Bitcoin protocol still follow it the way it was designed originally by Satoshi Nakamoto? So Satoshi Nakamoto, for those who don't know, is the founder of Bitcoin; we still don't know who the person is, but that is the name assigned to it. So why do Bitcoin miners still follow that protocol? After all there is no governance, there is no legal action which can be taken against them, all mining nodes are independent and they act independently.
So the answer to this is incentives, so incentives is the way through which different nodes in the network or different servers are incentivized in a way that they work together to achieve the objective or what the protocol wanted to do. So incentives are very carefully aligned in this network and that's what the broad area of crypto economics is.

I will be talking about, this is the brief outline of my talk, so I will be talking about what is crypto economics, what are the features a crypto economic system should have, how we can model those crypto economic systems, and then I will get into mechanism design which is a broader topic of how you can design incentives to make players work in a certain way, and then I will get into examples of the Casper protocol and some examples of token design in blockchain projects. So I will take around 5 minutes for each of the topics, so around 30-35 minutes I should be done and then we can break for Q&A, sounds good.

So what is crypto economics? Crypto economics is the application of incentive mechanism design for information security problems. So this becomes particularly important for projects which involve cryptography because when there are decentralized nodes which are working which are not controlled by a single central server then it becomes very important because they need to trust each other and how do you ensure trust between those nodes. So that is the main area of crypto economics and Bitcoin is a great example of a crypto economic system. So what is the problem which Bitcoin is trying to address? It is trying to solve the problem of transferring value from one peer to another, one person to another or one node to another in a trustless and decentralized manner. So basically you don't need to have any central party who is orchestrating this like the banks and anybody can come up with a node and start transferring to each other.
So that's the beauty of Bitcoin and that's the problem which is being solved through a careful design of the crypto economic system. Now for this to happen there need to be a few things which need to happen. So there needs to be a global source of truth. So this is not so easy in the case of a decentralized network because there is no central party which is controlling which node is there and how they are functioning. So the nodes can act in a very dishonest way. So this problem is addressed by different consensus mechanisms which we will talk about later. But in Bitcoin the consensus mechanism is Nakamoto consensus. Basically what it says is that the source of truth is the longest chain of blocks, and for making the chain of blocks, for making each block, a miner needs to solve some cryptographic problem. So he needs to prove that he has done some work before he adds to that source of truth which is the blockchain or the chain of blocks which are connected to each other.

So now miners are basically providing a service to this system. They are helping maintain a source of truth for the system. So we need to incentivize them in some way. So in Bitcoin miners are incentivized through the Bitcoin tokens which are given to them for mining each block. So as of now I think 12.5 Bitcoins are given to each of the miners if they mine a block correctly.

Now the other problem which arises in the case of proof of work systems, in the case of a decentralized network, is the case of the Sybil attack. So a Sybil attack is nothing but, because the network is decentralized, anybody can come up with a new node and start spamming the network because there is nobody who is stopping them from doing so. So proof of work helps here because now they have to do certain work to spam the network. Just to add blocks to the source of truth, they have to prove that they have done some work, which in a way acts as a disincentive for players who just want to act in a rogue manner.
So only the correct players will do that work and it's in their incentive to act in the right manner. And the last part is that the protocol should be in equilibrium. So the players in the system should be incentivized in such a way that it's in their best interest to follow the protocol or follow how Bitcoin was designed to be functioning. We'll talk about equilibrium a bit more.

So these are the features which a crypto economic system should have. So it should be stable. Basically it means that the protocol should be in equilibrium. Equilibrium here is in the sense of Nash equilibrium, which is a game-theoretical concept which means that if there is a game setup in which there are multiple players with strategies, then in that setup there is no incentive for a single player to change his strategy if other players are not changing their strategy. So that's what Nash equilibrium is, and for a protocol to work well it should be in that equilibrium so that each player is following that protocol.

The second is persistence. That basically means that the protocol should fall back into the equilibrium even if it is disturbed a bit. So for example if there are changes outside the protocol. So for example if the rate of mining in ASIC miners increases suddenly. So in that case solving the proof-of-work problem becomes easier and then the blocks can be created at a quicker rate. But the Bitcoin protocol solves this by changing the difficulty level so that the blocks are created once in 10 minutes. So this ensures that even if there are external changes in the rate of hash mining the blocks are even now created at the 10 minute interval. So basically the block or the protocol returns back to the stable equilibrium.

The next is optimality, which basically means that the protocol should follow what it was designed to do. So for Bitcoin it is the transfer of value in a trustless and decentralized manner.
So if the protocol is able to achieve that then it's optimal. This is robustness, which is a measure of how much perturbation a system can sustain before it goes out of equilibrium. So for example all of you might have heard of the 51% attack on Bitcoin. So the Bitcoin protocol can sustain 49% of mining power or hash power colluding. But if it's more than 49% then the protocol falls out of equilibrium. So that 49% is the robustness of the system. Efficiency is basically how economically efficiently the protocol is able to achieve what it was designed to achieve. So in the case of Bitcoin it's the amount of electricity basically which is consumed to enable that proof of work or to make the system work. So in a way the Bitcoin protocol is inefficient because we are wasting a lot of energy in just running the protocol.

So what have we learnt till now? We learnt what the crypto economic system is, how Bitcoin is a good example of a crypto economic system and what are the features a crypto economic system should have. So things like stability, robustness etc.

So now I will introduce a small problem which is a token design problem and we will walk through it throughout the talk. So suppose I want to create a content platform where only good content is rewarded. We are all tired of sensational content, stuff like that. So you want to create a content platform where good content is rewarded and you want to do it in a decentralized way. That is, there is no central server like Facebook which is controlling them. Anybody can contribute to this topic and they can start acting according to the protocol. So our objective is to design this so that people following the protocol, following the incentives, are able to create good content in a way. So what are the features this protocol should have? It should be optimal. That means that the good news should get highlighted. If our system is not able to achieve that then we have failed.
It should be stable, as in it should not be affected by troll armies of people acting in a malicious way to destroy the protocol, and it should be robust. So the question here would basically mean how much spam the system can sustain before it gets out of equilibrium.

So a crypto economic system is also like any other system in the real world. It needs to have some features and there are certain ways in which we can model it. So for example when you go out to buy a car, you look for features like what's the top speed, what's the mileage. So in the same way, when you are designing a crypto economic system to achieve something you should look for things like stability, robustness. Also any system can be modeled in different ways. So there can be components or parameters based on which we can model that system. So in the case of a car it can be components like the engine or the tire. While in the case of crypto economic systems there are components like incentive design, what is the consensus mechanism. So let's look into what those components are.

So how can we model a crypto economic system? What are the components? What are the things we should look out for? So the key things here are: what is the incentive mechanism? How is the consensus being achieved? Basically how is the network able to achieve the source of truth? What is the level of coordination of participants? Basically how much the participants can talk to each other, collude with each other, or what type of participants there are. Then we should also take care about the budget and cost which actors can have to attack the system. So in different systems, based on the domain in which they are operating, people may have a different sort of budget to attack the system or different incentives to attack the system. And then what are the attack models it can be subjected to? So we'll get into details on each of them. So first is the coordination level of participants.
So this is basically how much the participants are able to coordinate with each other and whether they are able to talk to each other or not. In traditional fault tolerance research, because it's generally a distributed system, we assume that most of the nodes are honest. So we can assume 51% of the participants being honest because these distributed systems are generally controlled by a single server which can ensure that honesty is there. But crypto economic systems are more complex. Here you can't assume that nodes are honest. The nodes will act in malicious ways so that they get the most outcome or most incentive out of it.

The next is incentives. So incentives form the backbone of any crypto economic system because in these systems nobody knows each other, nobody trusts each other. People act solely for incentives. In the normal world people, because they respect someone or follow a certain thing, are more acting in a proper way. But in decentralized systems these incentives are the only thing which matters because they are not worrying about any legal action against them, any penalty against them. So what are the types of incentives which can be there? It can be payments, which is basically the rewards which miners get on mining. So in the Bitcoin protocol miners get a reward of 12.5 tokens for mining each block. Or otherwise it can be privileges, which is basically the right to collect the fees in each transaction. So in the Bitcoin protocol if you create a block the fees attached to each transaction are given to the miner because he has successfully created that block. So incentives decide how the system will work. So it's very important to design it very carefully if you are making a new system.

The next is attack models. So attack models can be of many types. I'll just describe the broader types of attack models which are possible. First is the uncoordinated majority model. In this model we assume that participants are acting independently of each other.
They are not talking to each other, they are not colluding and they are acting in their own self-interest. Also the participants are making independent choices. They are not talking to someone and then making decisions in a group and they don't control more than a certain amount of the net. So they are small participants who take independent decisions. The important point here is that these participants can be dishonest. We can't assume them to work in an honest way because, well, of course in decentralized networks anybody can be dishonest.

The next is coordinated choice models. In coordinated choice models the participants can talk to each other. They can collude and act in a certain way. So a good example of this is the 51% attack on Bitcoin, basically because Bitcoin says that the longest chain is the source of truth. If a particular group of people get more than 51% of the hashing power they will mine blocks and that chain will become the longest chain. So that will ultimately become the source of truth. So if they are able to achieve that they can create transactions which they can basically censor transactions. They can only do those transactions which are beneficial to them.

And the next is a bribing attack model. I will just explain this through a simple game. So this is a Schelling coin game which I will use to demonstrate the uncoordinated attack model and the bribing attack model. So suppose there is a game, the purpose of which is to find the true answer for a given question. So suppose the question is did A win the election or not. The answer can be yes or no, that is 0 or 1. The rules are such that the majority answer is taken as correct. So suppose there are n participants, so more than n by 2 plus 1 participants, if they gave a certain answer that will be considered as correct. And everyone who voted with the majority will get a reward. So they will get a reward, say P, and others will get nothing.
So basically this is the game; the objective is to find the true answer to a given question. So let's see how it fares for a Schelling coin game with the uncoordinated majority model. So this will be the payoff matrix for them. If you are participating in the game and you vote 0 and others vote 0 you get P, and if you vote 0 while others vote 1 you get 0. And similarly if you vote 1 while others vote 0 you get 0. So in this game basically you have the incentive to speak the truth or vote for the truth because you think that everybody else will also vote the truth, because you think that truth is the natural Schelling point or the natural convergence point for this game. Now why will everybody else vote the truth? Because they are also arguing in the same way in which you are arguing. So truth becomes the natural point of convergence and we are able to achieve the result which we wanted to because most of the people will vote for the truth and the game will be successful, the outcomes will be successful or the correct outcomes will be there.

But what if there is a briber present? So suppose there is a briber present who can talk to each of the participants and say that if you take a certain action I can pay you something or give you some rewards. So suppose the briber wants to get the outcome as 1 irrespective of what the actual outcome was, so he wants to influence the result of this game. So what he will do is go to everyone and he will say vote for 1, and if others don't vote for 1 or if the majority is not 1 then I will compensate you by giving P and some more, epsilon more than that. So basically he is saying vote for 1 and I will compensate you if you are not winning P. So for this game the payoff matrix becomes like this. So if you vote 0 and others vote 0 you get P, but if you vote 1 and others vote 0 you get P plus epsilon, and if you vote 1 and others vote 1 you get P.
So as you can see in this case, whatever others do, you have more incentive to vote for 1. So you will decide and vote for 1 because in both cases you are in a more advantageous position. So this is the dominant strategy. Now other people are also arguing in the same way and so what happens is everybody basically votes for 1. So this becomes the output quadrant. Now the important point here to note is that the briber is able to influence the outcome without actually paying anything, because if the outcome is this and everybody is voting 1 he doesn't need to pay anything. So even though he needs to have a budget of P plus epsilon to convince others to vote with him, the game can be easily influenced without having any cost. So this is the bribing attack model which I was talking about. Just the presence of a briber can influence the game, while in the case of uncoordinated majority the game works just fine.

So let's recap what we saw in the attack models because that's very important. So in attack models we saw that there are three attack models: uncoordinated majority, coordinated choice model and bribing attacker model. And just the presence of a briber can even influence the outcome of any game based on how the game is designed.

So now let's look into consensus mechanisms. So the consensus mechanism, as we discussed earlier, is also very important for crypto economic system design because this is what establishes the source of truth. There is no central server or database which we can refer to, to get a source of truth. So that's a thing which we need to get out of our mind, that there is a central database which we can always query. So designing this source of truth becomes very important. Now there are a few broad areas or broad techniques through which this consensus mechanism is achieved. First is proof of work. This basically considers that the longest chain is the source of truth, and basically Bitcoin uses proof of work as an example.
But the important point to note here is that it never reaches finality because the longest chain is the source of truth. Anyone, if he suddenly reveals that he has a longer chain which was not shown to the network before that, that becomes the truth. So this protocol never achieves finality. Good examples of this are Bitcoin and Litecoin which you already might know. So Bitcoin and Litecoin run on compute-intensive proof of work. So the nodes need to compute something to get consensus. While Zcash is an example of memory-hard proof of work, where basically the difficult part is in the access of memory. So it doesn't get affected by the improvements in ASIC miner technology.

The other is PBFT based, or the practical Byzantine fault tolerance method. So this works based on replication of a state machine. So basically there are configurations and for each configuration a primary node is assigned and the other nodes are considered as replicas. So anybody who wants to get a question answered, he asks the primary and then he will relay that question to the replicas. And if the client or the questioner gets answers from more than a certain number of replicas, that is considered to be the source of truth, that is considered to be the correct answer. So basically this achieves lot based on replication at every stage. Good examples of this are Hyperledger Fabric; Stellar also uses this, which is through the Stellar consensus protocol; and NEO, which is a Chinese based coin, and they use a version of this which is called delegated BFT.

The other broad set of algos for consensus are proof of stake. In proof of stake the participant is asked to stake a certain amount in the network and if he acts in a rogue manner, he will be penalized. So basically he deposits some money or any value. And if he acts in a rogue manner, he will be penalized.
So for this to happen, which participants are acting in a rogue manner needs to agree. Like the network needs to know which are acting in a rogue manner. So good examples of this are Casper, which is the Ethereum proof of stake which they are working on. The Telegram Open Network ICO, which many people would have heard of, is also planning to use proof of stake. Because remember proof of stake has an advantage that it doesn't involve consumption of a lot of electricity. So it's cheaper in that way. Also EOS, which is a famous coin, uses delegated proof of stake.

So what have we learned till now? So we learned what the crypto economic systems are. What are the features it can have? How you can model them? We can model them using incentive design, attack models. What are the different types of attack models which can be there? How the games can be affected using just the presence of a briber.

So let's see what happens to the content token design problem which we initially introduced. So now for this to work, we need to introduce certain incentives. So suppose we introduce the CP token, which is the content platform token. And we say that users can post topics and if the topics get a certain amount of likes, or the more likes the topic gets, they will get more reward in terms of the CP token. Also users can back certain topics which they like and if those topics get more likes they will get more rewards. So this is the incentive mechanism which we have designed. Basically we are saying that the users will act in such a way that the good answer is achieved. Now what can be the possible attack models in this? There can be a coordinated attack because players can collude with each other and try to trend a particular topic and make it famous. But there is no possibility of a bribing attack here. Can you see why not? So basically because it's not a binary outcome game, there are many outcomes which are there.
So to mount an attack, he will need to incentivize each outcome, which will become very costly for him. So a bribing attack is not possible here.

Now this token design which we discussed is a subset of a broader subject which is called mechanism design, which has been there even before blockchain came along or anything. So what is mechanism design? In mechanism design, the key question is how do you design a system which has strategic rational participants so that the system achieves a particular outcome? So this is basically the reverse of game theory. In game theory you are given a certain set of rules and you are asked to find what will be the outcome. But in mechanism design you are given an outcome which you want to achieve and you are asked to design the game. So auction theory is also a good example of mechanism design and Google Ads heavily uses this theory to increase the revenue.

Now let's take a few examples of mechanism design. So let's have a question here. So suppose we have a game where the objective is to and there is an item for sale and people can bid for it and it's a sealed bidding. Now the objective is to give the item to the player who has the highest valuation for the item on sale. Now let's have two rules, suppose one and two. So in rule one, the highest bidder wins but the price they have to pay is equal to the amount they bid. And in rule two, the highest bidder wins but the price he has to pay is the second highest bid. So which rule according to you is correct? I'll give you one minute to think about it. So how many people say one? 50% around. How many people say two? So 40, 60 I think. One is 60, two is 40. So actually the correct answer is two. The intuition here is that in a first price auction, because you actually have to pay whatever you bid, you will never bid your actual valuation because if you bid your actual valuation you will not get any utility. Basically you're saying you're paying whatever you value it for.
So you'll always value it for less than your actual valuation. While in a second price auction you can actually bid with your correct valuation because you don't have to pay that valuation. You will have to pay the second highest bid. So there's an actual formal proof which says that the second price auction is the correct answer for this question. So if anybody is interested more in this, this topic is called the Vickrey auction, you can look it up, and it's a very famous auction mechanism which is used throughout.

The other example is Casper. So Casper is the proof of stake mechanism design protocol which the Ethereum network is trying to develop. So the main way through which it works is it asks you to deposit certain amounts and if it's found that the violators are not working in the right way, they are penalized. So one of the goals of the design of this protocol is to achieve the consensus without spending energy like proof of work. But the question is why is penalizing violators needed? Now proof of stake suffers from a problem called nothing at stake. So suppose there are two chains which are there. So a blockchain is getting built, now suddenly there is a small fork. So there are two chains which are there. One chain has a probability of being correct of 0.9. The other chain has a probability of being correct of 0.1. Now suppose a miner is mining blocks, then if he votes on neither, so in proof of stake a validator can vote on one of the chains and give his vote to that chain, saying that I think that this chain is the correct chain. So if the validator votes on none of the chains he gets a 0 outcome. So he will not do that. So if he votes on chain A, this one, then he gets an expected value of 0.9. While if he votes on chain B he gets an expected value of 0.1. Suppose there is no penalty, then there is nothing stopping him from voting on both chains.
So if he votes on both chains he gets an expected value of 0.9 plus 0.1, which is equal to 1. So if there is no penalty he should actually vote on both chains. But that doesn't solve our problem because we are not able to ascertain which chain is correct or not. So it defeats the whole purpose of designing a consensus mechanism. Now proof of work solves this because it makes making the blocks costly. So if he votes on the first chain he has an expected value of 0.9. If he votes on the second chain he has an expected value of 0.1. But if he wants to vote on both chains then he needs to divide his energy. So the probability of getting bounding blocks becomes hard. So basically it becomes 0.5. So in this case voting on the correct chain becomes the strategy for him. While in Slasher, basically if there is a penalty involved, and suppose that this is a penalty of minus 5 if it is found that the validator is acting in a rogue manner. So if he votes on both chains his expected value becomes minus 4. While if he just votes on one chain his expected value is 0.9. So that becomes the correct. He will vote on this and so we are able to ensure that the validators are voting on the correct chain. So this in a way ensures that truth is maintained.

So for mechanism design we saw two examples. One was the auction theory where we saw how you can design the rules and how designing those rules can have a different impact. And then how Casper is being designed so that without even using electricity it can achieve a source of truth by introducing penalties.

Now let's visit the token design problem again. So the way we designed it, as you might recall, is that people can vote on topics and they get rewards based on how many likes the topics which they vote on get. So this will be the scenario: suppose there is topic 1, there is post 1 which gets 5 likes, post 2 which has 1 like and post 3 which has 2 likes.
So now if a new person comes and tries to participate in the network he has an incentive to vote on this one with 5 likes because he thinks that people will vote it more and this will earn him more tokens. So truth is not necessarily the Schelling point here. People will not think what is the truth, rather they will just vote on things which are getting more likes, thinking that it will give them more likes and hence more tokens. So people will stake money on the topics which they see people are voting more likes on. So in this case the more sensational content, or the content which is getting more likes, will get highlighted. The true content which you wanted to promote is not getting highlighted. So basically the way we designed this mechanism has failed. So this is an example of bad mechanism design. So our objective was to create a system where people are voting on the truth and true content comes up. But this system design fails in achieving that. It basically promotes more sensational content. So there is a very popular coin called Steemit which uses a similar design; if you are interested you can look into that.

So that's all which I have. To summarize, incentives are a very powerful tool and especially in decentralized networks they can make or break your system. The way you design your incentives determines how the participants will act in it. Following the protocol should be in equilibrium. As we saw in certain cases, if following the protocol is not in equilibrium then there can be attacks on it like the bribing attack and all. Also the protocol should be robust to external incentives. So as we saw in the bribing attack model, if there's a briber present who can bribe people the protocol falls out of equilibrium. The game there was not able to achieve the outcome which we intended it to. And finally the protocol should achieve the intent.
I mean that is the basic truth or basic goal which you should strive for. The content token design problem which you saw was not able to achieve the goal which you want. So incentive design becomes very important in this case. If people are more interested, there is a course. So there is this course in Stanford on mechanism design which is very interesting if you are more interested. You can also look into the proof of stake work by the Casper team. They have done some excellent research on this topic. And I have also included a reading list on crypto economics. Thank you. I am open to any questions. These are my contact details if you have any questions.
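
The majority-vote game and the briber described in the talk, worked through as an added example that is not part of the talk or the speaker's material. The values of P and epsilon, the five-voter sample and all function names are constructed for illustration; the code checks the payoff matrices, the dominant strategy, the surviving equilibria and what the briber actually pays.

```python
"""Majority-vote (Schelling coin) game with and without a P + epsilon briber."""

P = 10.0        # reward for voting with the majority (constructed value)
EPSILON = 0.5   # briber's extra payment on top of P (constructed value)
VOTES = (0, 1)


def payoff(my_vote, majority, bribe_target=None):
    """Payoff to one small voter whose single vote does not flip the majority.

    The protocol pays P for matching the majority. A briber, if present,
    promises P + EPSILON to anyone who voted bribe_target and lost.
    """
    if my_vote == majority:
        return P
    if bribe_target is not None and my_vote == bribe_target:
        return P + EPSILON
    return 0.0


def payoff_matrix(bribe_target=None):
    """The 2x2 matrix from the talk: (my vote, others' vote) -> payoff."""
    return {(v, m): payoff(v, m, bribe_target) for v in VOTES for m in VOTES}


def dominant_strategy(bribe_target=None):
    """Return the vote that is strictly better whatever others do, or None."""
    for v in VOTES:
        other = 1 - v
        if all(payoff(v, m, bribe_target) > payoff(other, m, bribe_target)
               for m in VOTES):
            return v
    return None


def symmetric_equilibria(bribe_target=None):
    """Outcomes 'everyone votes m' from which no single voter gains by deviating."""
    return [m for m in VOTES
            if payoff(m, m, bribe_target) >= payoff(1 - m, m, bribe_target)]


def majority_of(votes):
    """Majority answer of an odd-sized list of 0/1 votes."""
    if len(votes) % 2 == 0:
        raise ValueError("use an odd number of voters to avoid ties")
    return 1 if sum(votes) > len(votes) // 2 else 0


def briber_cost(votes, bribe_target):
    """What the briber actually pays for a concrete set of votes."""
    if majority_of(votes) == bribe_target:
        return 0.0  # the promise only triggers when the target answer loses
    return sum(P + EPSILON for v in votes if v == bribe_target)


def worst_case_liability(n, bribe_target):
    """Largest payout the briber could owe across all vote splits of n voters."""
    worst = 0.0
    for k in range(n + 1):
        votes = [bribe_target] * k + [1 - bribe_target] * (n - k)
        worst = max(worst, briber_cost(votes, bribe_target))
    return worst


if __name__ == "__main__":
    print("no briber  :", payoff_matrix(), "dominant:", dominant_strategy())
    print("briber -> 1:", payoff_matrix(1), "dominant:", dominant_strategy(1))
    print("equilibria without briber:", symmetric_equilibria())
    print("equilibria with briber   :", symmetric_equilibria(1))
    print("cost when all five vote 1:", briber_cost([1] * 5, 1))
    print("worst-case liability, n=5:", worst_case_liability(5, 1))
```

Without the briber both "all vote 0" and "all vote 1" are equilibria and truth is only the focal point; with the briber, voting 1 is strictly dominant, the only equilibrium is "all vote 1", and the payout at that equilibrium is zero even though the briber must be able to cover the worst-case liability.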