 All right, welcome to the fifth lecture on Bitcoin. Today is gonna be all about mining. So to recap, what have we learned about the miners so far? Well, we've heard about the miners quite a bit and we know that Bitcoin depends on the miners pretty heavily to perform a couple of important roles. Of course, they validate every transaction. They build all the blocks and we know that the miners earn some reward. Who are the miners? How did they get into this? How do they operate? What's the business model like for miners? What impact are they having on the environment? We're gonna get to all those questions in today's lecture. So we'll start by talking about what Bitcoin miners actually have to do in order to be miners. And maybe before we get into that, we'll talk about some historical miners. So if you're thinking about becoming a Bitcoin miner, I wouldn't want to completely discourage you but I'd be remiss not to tell you that this is not a get rich quick scheme. This is a very long haul. So looking back at some historical gold rushes, they're full of stories of young people rushing off hoping to find fortune, a lot of them losing everything that they have, some of them making it really striking it rich but a lot of hardship along the way. This is probably my favorite example from the Klondike gold rush in Alaska in 1898. And this gold rush all happened within a matter of six months. So there was a huge rush to get there for the one summer mining season. And all of these people are trudging up this snowy mountain pass with all of their equipment at the same time. Doesn't look like the easiest way to get rich. And I'll argue that Bitcoin mining is starting to look like a similar proposition. So what do you have to do to be a Bitcoin miner in six easy steps? Well, you join the network, you become a Bitcoin node, you listen for all of the transactions that people are broadcasting. Of course you have to validate them. You listen for new blocks that people have found. 
You maintain a view of the current blockchain. Of course you want to validate all the blocks and all the transactions that are in those blocks. You start to assemble new valid blocks based on the transactions that you're hearing. Then you have to work really hard in step four here to find a nonce that will make your block considered valid. That's the really difficult computational step where all of the difficulty really happens for the miners. Finally, if you're lucky enough to find a block, you have to hope that all of the other miners accept your block, that they validate it and start mining on top of it, and that they don't accept some competitor's block instead. And if all of that happens, in step six, you finally get to profit, currently to the tune of over 25 Bitcoins per block worth about $15,000 US. And so a couple of these steps, all of the validation in particular are what's actually useful to the Bitcoin network. So that's why we have mining at all. Miners perform this validation step. The rest of it, the profit and the race to find blocks, that's all just incentive to encourage the miners to do the validation which is necessary for Bitcoin to function as a currency. So what does the process look like for finding a valid block? Well, we'll have to look back to the data structure that we introduced two lectures ago and recall that there are two main hash-based data structures here. There's the block chain where each block header points to the previous block header in the chain. And then within each block, there's this Merkle tree, this hash-based binary tree of all of the transactions included within that block. So the first thing that you do as a miner is you assemble all of the transactions that you have from your pending transaction pool into this tree, you create a block with the right header that points to the previous block. 
And then you have to start searching over this nonce field to try to have the hash of the block header start with the required number of zeros. So you may start with a nonce of all zeros, that's a 32-bit integer. And when you try that, you'll get a hash that's incorrect. So you'll say, okay, let's move on to the next nonce, nonce number one, the hash is also incorrect. Step forward one more time, try hash two, also incorrect. So you can see where this is going. And in a lot of cases, you'll try every single possible value for that 32-bit integer. And in no case will the hash be correct. So at this point, you're gonna have to make further changes. And you'll notice that there's this parameter in the coinbase transaction. And remember that the coinbase transaction is where the miners are actually minting new coins and claiming them for themselves. There's also this extra nonce parameter in there. So after you've exhausted all possible nonces in the block header for the extra nonce in the coinbase transaction of all zeros, you'll step the extra nonce in the coinbase transaction up to one, and then you'll start searching nonces in the block header once again. And it's important to realize that when you change that one parameter in the coinbase transaction, the entire Merkle tree of transactions has to change. So that change will propagate all the way up. Changing the extra nonce in the coinbase transaction is much more expensive than changing the nonce in the header for that reason. So you do that as the outer loop, and the inner loop where you're really working hard is changing the nonce in the block header. Okay, but once again, our first try didn't work here, so we'll have to keep stepping that nonce. And again, this is a really difficult computation, so the vast, vast majority of nonces that you try aren't gonna work. 
But eventually, if you stay long enough, you'll find the right combination of the extra nonce in the coinbase transaction and the nonce in the header. And you'll find a block with a hash that starts with enough zeros to be considered valid. And this is when you wanna announce it as quickly as you can and hope that you can profit from it. So I said it was difficult. Exactly how difficult is it? Well, as of today, this is the mining difficulty target. So the hash of any valid block has to be below this value here. And this is a 256-bit hash output. We're using SHA-256, the hash function, which is appropriately named, it's 256 bits. Currently, at least the first 64 bits of the hash of any valid block have to be set to zero. Overall, the current difficulty is about two to the 66, which is a really huge number. If we try to write it out in decimal, that's what we get. That's 84 quintillion. And this number is so big, it's difficult to even imagine. One approximation for it that you can think about is it's about the population of the earth squared. So basically if every person on earth was themselves their own planet earth with seven billion people on it, the total number of people would be close to this number. Or another way to think about it is that if all seven billion people on earth shook hands with each other, fewer than two to the 66 total handshakes would have to take place. So this is an incomprehensibly huge number. So where did this number come from? How is the mining difficulty set? It's actually chosen again every two weeks based on how efficient the miners were over the previous two weeks. So you simply take the amount of time that it took the miners to find the previous 2016 blocks and you divide that amount of time by two weeks. And then you multiply that ratio by whatever the previous difficulty value was to get the next difficulty value. 
So you're just scaling it to keep a constant property true, which is that blocks should be found by the network on average about once every 10 minutes. That's the fixed constant that was chosen at the beginning of time for Bitcoin. And every two weeks the difficulty is reset to ensure that that property is maintained. So you can see that over time the mining difficulty keeps increasing. It's not necessarily a steady linear increase or an exponential increase. It depends on activity in the market, how many new miners are getting into the game, which may be affected by the current exchange rate of Bitcoin. But generally more and more hash power comes online, more people are hashing, blocks are found faster and the difficulty is adjusted up so that it again takes 10 minutes to find blocks. And you can see that in the red line on the graph here, there's a step function of difficulty even though the overall network hash rate is growing smoothly because you only reset every two weeks, the difficulty steps up. Another way to view this is to look at how long it takes to find a block on average. So here you can see a graph of over time how many seconds elapsed between consecutive blocks in the blockchain. And you can see that this gradually goes down and then it jumps up again and then gradually goes down. And of course what's happening there is that every two weeks the difficulty resets and the average block time goes back up to about 10 minutes and then more and more power goes online. The difficulty stays the same so the miners are finding blocks faster and faster and then two weeks pass, the difficulty resets back up to 10 minutes and the process starts all over again. So in actuality, even though the goal was for a block to be found every 10 minutes, on average it's more close to about every nine minutes and at the end of the two week cycle it will get down to about every eight minutes. 
All right, so now we're going to talk about what hardware miners use to achieve this computation which I've just spent time telling you is really, really difficult to do. So first of all, what exactly is this computation? So we've mentioned hash functions and we've mentioned SHA-256 in particular. What exactly is SHA-256? Well, it's a general purpose cryptographic hash function. It's actually part of a bigger family of functions that was standardized in 2001. It did come out of the NSA, which has led to a couple of interesting conspiracy theories by some people about its relationship to Bitcoin but it's generally considered a fairly strong hash function. It's not broken cryptographically, although there are some theoretical weaknesses that are starting to show up. As a result, the replacement, the SHA-3 family, has already been picked actually and it's in the final stages of standardization today but it wasn't available at the time Bitcoin was designed. This was a good choice. This was the strongest general purpose cryptographic hash function available at the time. It is possible that it will become less secure over the lifetime of Bitcoin but for now it's pretty good. So what does it look like? This is a diagram of what the SHA-256 state looks like and we don't need to know all of the details of this to understand how Bitcoin works but I'll just give a high level overview to give an idea of the task that needs to be solved by the miners. So there's a 256-bit state in SHA-256. It's split up into eight 32-bit words. So this is very much optimized for 32-bit platforms and in each round some of those words are taken. There's four different tweaks that are applied to those words that are at the bit level. So each one of these is two or three bits being flipped or added together, basic logic operations. And then a number of words in the state are taken, some with these tweaks applied and added together mod 32 in a pipeline here. 
And then the result of all of these additions is wired over to the first word of the state and the entire state shifts over. So some of the design here, some of the design ideas date back to classic linear feedback shift registers which was one of the earliest approaches to cryptographic design. So all of this happens, this is just one round of the SHA compression function. And a complete computation of SHA-256 does this 80 times for 80 iterations. And in each iteration there are slightly different constants applied at that one step there so that every iteration isn't exactly the same. So this is the task ahead of miners, to compute this specific function, only this, as fast as possible. And so you can see that to do this you need to be able to deal with 32-bit words, you need to be able to do 32-bit addition, and you need to also be able to do some bitwise logic. So the first generation of mining when Bitcoin was originally proposed was all done on general purpose computers, general purpose CPUs. In fact, it was as simple as this code here that simply searched over nonces in a linear fashion, computed SHA-256 in software and checked if the result was a valid block. And one quirk, which I haven't mentioned yet, this is probably a good time to mention it if there ever was one, is that for reasons that aren't completely specified, you actually compute the SHA-256 function twice. So it's just doubled up, that's a fact of life that miners have to live with. So how fast will this run on a general purpose computer? Well, if you're doing pretty well, if you have a high-end desktop PC, you might be able to do this at about two to the 24 hashes per second, which would be about 20 megahertz. Remember that even though hertz often are applied for processor speed, the basic idea of hertz is it just means something that you're doing that many times per second. Okay, so if you're hashing at a rate of 20 megahertz, what does that get you with today's difficulty? 
Well, it would actually take you over 100,000 years at this rate to find the block. So we talked about how mining was gonna be a difficult slog. If you're mining on a general-purpose PC today, it's a really, really big hill to get up because it's gonna take you that 140,000 years. So as a result, today, and even for the last few years, anybody trying to do mining on a CPU probably didn't understand how Bitcoin worked and were probably pretty disappointed that they never made any money doing it. So CPU mining was the first generation of mining. The second generation, when people started to get frustrated with how slow their CPUs were, was to try to use their graphics card, their graphics processing unit, or GPU. So what is a GPU? Almost every computer now has a GPU built in for high-performance graphics. They're designed to have high parallelism, which does help with Bitcoin mining because you can parallelize and compute multiple hashes at the same time for different nonces that you wanna try. And they're also designed for high throughput. So there's a highly pipelined design in graphics cards. And around 2010, the first implementation came out written in a language called OpenCL, which is a general-purpose language to do things other than graphics on a GPU. And it's a high-level language, so it took a little while before people started tweaking the code even further to run quickly on specific graphics cards. So what's the advantage of using a graphics card? Well, for one thing, they're easily available and they're easy for amateurs to set up. You can order graphics cards online. You can buy them now at most big consumer electronics stores. So they're just the most accessible high-end hardware that's available to most people. They also have some properties that make them specifically nice for Bitcoin. They're designed for parallelism, so they have a lot of arithmetic logic units, or ALUs, that you can use in parallel to do different SHA-256 computations. 
And some of them also have some specific instructions to do bit fiddling that work out quite nicely for SHA-256. They also have the property that you can drive many graphics cards from one motherboard and CPU. So you could take your one computer and attach multiple graphics cards to it if you want. Most graphics cards can also be overclocked, which is a property that gamers demand, so you can run them faster than they're actually designed for if you wanna take the risk on. And with Bitcoin mining, it might be a good idea to run the chip much faster than it was designed for, even if you introduce some errors into the process. So there's a measure of mining success called goodput, which is the throughput, how quickly you're finding blocks, times the success rate. How often does the computation actually have errors? An interesting observation is that it may be worthwhile to go much faster, even if you make a large number of errors if it leads you to find valid blocks more quickly. So if you can tweak one knob and run your graphics card 50% faster, even if you have an error in the SHA-256 computation, 30% of the time, you just multiply 1.5 times 0.7 and you're still finding blocks faster than running the chip at normal speed with no error. So this is something that people spent a long time optimizing exactly how much should they overclock the chip and what errors it would introduce. So people started trying to scale this up. They said, ah, I have a graphics card, I'm mining faster than I was on my CPU. What's better than one graphics card? Lots of graphics cards. And you started to see these really interesting homebrew setups like this one here where people hand built their own racks. They had their own custom cooling setup which was often as simple as buying a bunch of fans or a bunch of air conditioning units and trying to run as many GPUs as possible in their basement or whatever other room was available to them. 
So this was obviously in the early days of Bitcoin when it was still mostly hobbyists who didn't know a lot about running a modern data center but they came up with some quite ingenious designs to pack a lot of graphics cards into a small place and try to keep them cool. Now what are the disadvantages of doing this? Well, GPUs actually have a lot of other hardware specifically for doing video. Specifically, they have floating point units that you don't use at all on SHA-256. So you're actually wasting a lot of the hardware from what the factory built. They also don't have the greatest cooling characteristics when you put a lot of graphics cards next to one another. They're not designed to be run all in a row like I showed on the previous slide. They're designed to be run one graphics card in one box doing graphics for one computer. They can also have a fairly large power draw. So a lot of electricity is being used by these relative to a computer. And initially there was the problem that you had to build your own board or buy expensive boards to actually house multiple graphics cards. So what's the upshot of this? What kind of performance can you get? Well, on a good card, a really high-end graphics card with a lot of aggressive tuning, you might get as high as 200 megahertz, which is about two to the 27 hashes per second. So that's up to an order of magnitude better than you would be doing in the CPU case. But even with that improved performance, and even if you're really aggressive and you say I wanna get 100 graphics cards together for my mining rig, that setup would still take you 174 years to find the block at the current difficulty. So it was a fun era while it lasted, but graphics cards for Bitcoin mining is basically dead. So what replaced graphics cards? Well, around 2011, people started to use FPGAs or field programmable gate arrays. 
That was around the time that the first implementation of Bitcoin mining came out in Verilog, which is the hardware design language that's used to program FPGAs. And FPGAs are something that maybe you've programmed before if you've taken a hardware design course. They're designed to have hardware-like performance, but to have customers or the owner of the card being able to customize it or reconfigure it in the field unlike a chip which is made in a factory and does the same thing forever. So they do offer better performance than graphics cards, particularly on some of the bit fiddling operations. That kind of stuff is very easy to spec out in FPGA. And if you know what you're doing, you can get the cooling to work out better with an FPGA. You're wasting a little bit less of the card than you would be with a graphics card and you can pack more of these together and drive them from one central unit. So just like with the graphics cards, people said, once I have the FPGA working, why don't I try getting a lot of FPGAs? And now this doesn't look quite as messy as the graphics card setup looked. This is a relatively neat rack with neat wires. You don't see the cooling setup here. You still needed a cooling setup with air conditioning or with fans. But it was possible to build a big array of FPGAs a little bit more neatly and cleanly than you could with graphics cards. The disadvantages of using FPGAs are that they were being driven harder for Bitcoin mining by being on all the time and working as hard as possible than a lot of consumer grade FPGAs were really designed for. So a lot of people found a number of errors and malfunctions in their FPGAs as they were doing Bitcoin mining. It was also, it turned out to be difficult to optimize the 32-bit add step, which as we said is critical for doing SHA-256. They were also just less accessible for people. It's harder to buy an FPGA. You can't buy one at most stores. 
There are fewer people who know how to program FPGAs or know how to set them up. And it turned out that the cost, even though the performance on FPGAs went up, the cost per performance was only an incremental, very marginal gain over using graphics cards. So it was a pretty short-lived reign whereas people were mining on graphics cards and graphics cards were king for maybe a year or so. It was a much shorter matter of months where FPGAs were a popular solution for Bitcoin mining. But if you were using an FPGA and using it well, you might get up to about a gigahertz. And now it sounds like we're making some real progress. We're doing a billion hashes per second. But even with a one gigahertz setup on an FPGA, and even if you had a hundred boards, so again, even if you bought a lot of FPGAs and shoved them all into your amateur mining rig, it would still take you 25 years to find a Bitcoin block at that rate. So this is still not looking like a really attractive thing to jump into. And you might be asking if all of these solutions are so intractable today, what are people actually doing? Well, mining today is essentially dominated by Bitcoin ASICs or application-specific integrated circuits. So these are chips that were designed and built from scratch to do nothing except mine Bitcoins. They were fabbed out at a factory, packaged up, and sold to a consumer solely to be Bitcoin miners. And if you go online today, you can find a lot of people willing to sell you Bitcoin mining ASICs. There's a couple of big vendors that now do this as a full-time product. So these companies have sprung up in the last two years and the main product, in some cases, the only product that they sell as a business is Bitcoin mining ASICs. And now you'll notice when you're buying an ASIC, you have a lot of options. You can choose between slightly bigger and more expensive models, more compact models. 
And they'll throw a lot of numbers at you in terms of what the performance is gonna be, the cost, how much power it's going to use. But the most important thing to look at in a lot of these cases is how quickly they're going to ship to you. So a lot of ASICs have a pretty strong disclaimer that you have to pre-order them before they're even available and they don't make any firm guarantees on when they're going to be delivered. So again, since these are new companies selling the ASICs, they've had to be funded as they went, which means they need to essentially pay for the production run of ASICs with consumers' pre-orders. And that means there's a lot of pressure on consumers to pay before the chip is ready. In a lot of cases, the chips have been shipped late and this has caused considerable consternation and heartache for customers. There are a lot of dramatic complaints and stories and tales of woe of people who spent good money on a Bitcoin ASIC and were hoping to really strike it rich when the thing came in the mail, only it came in the mail later than they were expected. Like I said, these are special purpose. They're designed to be run at full speed, constantly for life, to do nothing other than mine bitcoins. They require a lot of expertise and a long lead time to design, so much more complicated to actually tape out a chip than to just write an implementation in OpenCL or in Verilog. But the amazing thing about Bitcoin ASICs is that as hard as they were to design, analysts who've looked at this have said this may be the fastest turnaround time, essentially in the history of integrated circuits for specifying a problem, which was mining bitcoins and turning it around to have a working chip in people's hands. So this was really a rush job. People realized the need to have Bitcoin mining ASICs and the fact that they could sell them for a lot of money. They designed them extremely quickly and started shipping them to consumers. 
And as a result, you can probably expect there were a lot of bugs in the first few generations of these things. Some of them didn't deliver. In fact, most of them probably didn't deliver quite the performance that they were promising. Some of them, in fact, were quite buggy, but it's evolved a lot over the past year and they're now fairly reliable ASICs being shipped. So what does it look like if you actually want to buy one of these things? So here's just a case study of something that's been available for about six months now. So it's already a little bit out of date, but this Terra Miner 4 is this nice, big, fancy box you see here, and this hashes at about two terahertz. So it's a thousand times faster than that hypothetical array of 100 really good FPGAs that we were talking about previously. So you'd have to pay about $6,000 for this. And even with this incredible performance, it would still take 14 months on average to find a block. So even if you think that you're investing in a fairly nice piece of hardware, it's still extremely difficult to mine a block. And the market dynamics are really interesting here. So most boards that have been coming on the market since ASICs came out have been effectively obsolete in maybe six months. And on top of being obsolete within six months, the bulk of the profits are made upfront. Often in the first six weeks is when you'll make half of the expected profits in the lifetime of a mining rig. The fact that such a high proportion of the profits are made in the first six months means that there's an incredible premium on shipping speed. If your thing ships a week late, you may have lost one sixth of that optimum time. In fact, you'll have lost the most valuable week in the lifetime of the ASIC because its value is only going to go down over time as mining gets more and more difficult. And this is really the motivation for why so many companies require pre-orders. The fact that there's so much competition to get the ASICs first. 
And there's a lot of speculation that some companies have actually manufactured the ASICs, tried to run them themselves for a couple of weeks before shipping them and then ship them off to consumers. So the dynamics of this are still very unfavorable to the small miner who wants to go online, order an ASIC and start making money. And in fact, in almost all cases, people who have placed orders for mining hardware should have lost money based on the calculation that they made at the time. Except for one thing, which is that the price of Bitcoin has been rising for most of the history of Bitcoin. It has leveled off a lot in the last six months or so, but during the period when prices were rising, the rising prices often bailed out miners who would have lost money if prices had stayed constant. So in effect, buying Bitcoin ASICs has been an expensive and convoluted way to simply bet that the price of Bitcoin would rise. And a lot of miners, even though they've made money mining Bitcoins, would have been better off if they had just taken the money that they were going to spend on mining equipment, invested it in Bitcoins, held them while they appreciated in value and then sold the Bitcoins at the end. And now we're firmly in the era of professional mining. So the details are often pretty scant because companies doing this don't want to share exactly what their setup is, but it is known that there are some professional mining centers popping up around the world now. And here's just one picture that's been made available of one that came online in the last couple of months in the Republic of Georgia. So if you want to open a professional Bitcoin mining center, where should you go? You basically need three things. You need cheap electricity. You need good network connectivity so that you can hear about new blocks that are announced and not miss out. And ideally, you'd like a cool climate so that you don't have to pay too much in your cooling bills to cool all this equipment down. 
So in addition to Georgia, places like Iceland have been popular destinations for people to try to start their Bitcoin mining data center. So if we zoom out a little bit and we think about the evolution of mining, we can see really interesting parallels between Bitcoin mining and gold mining, or really any other kind of mining, but especially gold mining because it's led to the same kind of gold rush mentality when initially a lot of young amateur folks wanted to get into the business. So whereas with Bitcoin mining, we've seen the slow evolution from CPUs to GPUs to FPGAs to now ASICs. With gold mining, we saw the evolution from individual people with a gold pan to maybe a small team of people with a sluice box to placer mining, which was a big group of people blowing away hillsides with water to modern gold mining, which is a giant open pit extracting tons and tons of raw material from the earth. And in both cases, the friendliness to small people trying to jump into this has gone down. And there's been a consolidation with large companies owning most of the action over time. So a couple of questions for the future are, are small miners out of Bitcoin mining forever? Is there any way to make it as a small miner in this game? And does that violate the original spirit of Bitcoin? Does the existence of these ASICs and these large mining centers go against the original vision of Satoshi Nakamoto, which was to have every individual in the network being a miner running on their own computer? So some people who think that this has been a violation of the original vision wonder, would we be better off if there were no mining ASICs, if the only way to mine Bitcoin was using your CPU like in the good old days? Well, we're gonna have a lecture later on in the series, which I'll point forward to a number of times in this lecture, where we look at alternative formulations of mining that might be possible. 
So I won't say anything more about how we could design mining to be less friendly for ASICs here, but that will be a topic that will come up in the future that will be quite interesting. So in the last section we ended by showing how large professional mining data centers have taken over the business of Bitcoin mining. And we showed the parallel to traditional mining with those open pit mines on the bottom, which you may know have been a huge source of concern for environmentalists over the years asking how much damage are these pit mines doing to the environment? Now, Bitcoin is not quite at that level yet, but as I said, it is a very difficult computation with a lot of large players interested in competing now, and it is starting to use a significant amount of energy, which has become a topic of discussion. So in this section we'll talk about how much energy Bitcoin is using and what that might mean for the currency and for the planet. So to start with, we'll talk about why computation inherently requires some energy. So there's a principle developed by Rolf Landauer in the 1960s that any non-reversible computation must use a minimum amount of energy. So this is derived from basic physics, and we're not gonna go through the derivation here except to say that every time you flip one bit in a non-reversible computation, there's a minimum number of joules that you have to use. And of course, if you remember some fundamental theorems of physics, energy is never destroyed, it's only converted from one form into another. In the case of computation, it's mostly that energy is transformed from electricity, which is very high-grade energy, into heat, which is dissipated into the environment. Now of course, SHA-256 being a hash function, which is the basis of Bitcoin, is not a reversible computation. And if you remember all the way back to lecture one, this was a basic requirement of hash functions that they're not reversible. 
So since I told you that any non-reversible computation has to use some energy, and SHA-256 is not reversible, energy consumption is an inevitable fact of doing Bitcoin mining. And it is worth saying that the limits provided by Landauer's principle are far, far below the amount of electricity that's being used today, by over a factor of 1,000. So we're nowhere close to the theoretical optimum efficiency of computing. But even if we did get to the theoretical optimum, we would still be using some energy to perform Bitcoin mining. So why does Bitcoin mining require energy? There are three steps in the process that require energy. First, you have to manufacture your Bitcoin mining equipment. So that requires both physical mining, digging up things out of the ground, especially rare earth metals and copper that go into integrated circuits. And then you have to manufacture it into a Bitcoin mining ASIC. So it takes a lot of energy to run fabs and to turn out chips. So all of that energy is called the embodied energy. As soon as you receive a Bitcoin mining ASIC in the mail that you order, you've already consumed a lot of energy, including the shipping energy of course, just to get that to you before you even turned it on and tried to mine Bitcoins. Then you'll plug it into the wall and turn it on. And of course, it will be drawing electricity constantly while it's on. And that's the electrical energy consumed in mining. And that's the step that no matter what happens, has to be consumed because of Landauer's principle. So hopefully over time, the embodied energy will go down as less and less new capacity comes online. Fewer people are going out to buy new mining ASICs. They're being obsolete less quickly. The existing fleet can last a long time. The embodied energy will be amortized over years and years of mining. But the electricity consumption, even though it will go down a little bit because rigs will get more efficient, that will be a fact of life forever. 
The other thing about both electricity and embodied energy is that both are probably less if you're operating at a large scale. If you're running a huge mining data center, you can do it more efficiently. It's cheaper to build chips that are designed to run in a large data center and you can deliver the power more efficiently because you don't need as many power supplies. You can deliver all of the electricity to one place and so on. But there's a third important component which is cooling off your equipment to make sure that it doesn't malfunction. So if you're operating your equipment in Antarctica, maybe your cooling budget is very small, but almost anywhere else you're gonna have to pay extra, usually electricity to cool off your equipment from all the waste heat that it's generating. An interesting aspect about cooling is that cooling actually costs more the bigger your scale is. So if you want to run a very large operation and have a lot of Bitcoin mining equipment all in one place, your cooling budget is going to increase because cooling that big mass is going to be much more difficult. There's less air for the heat to dissipate into surrounding your equipment. So how much energy is the entire system using? Well, there are two basic approaches to estimating how much energy Bitcoin miners are using collectively. The first approach is a top-down approach. So we'll start with the simple fact that every time a block is found today, 25 Bitcoins of rewards or about $15,000 are given to the miners. So on a second per second basis, that's about $25 every second being created out of thin air in the Bitcoin economy and given to the miners. So if we assume that they're taking all of that revenue and turning it directly into electricity, that electricity was the only cost that they had, how much electricity could they buy? Well, if we take an industrial electricity price at a US rate, which might be around 10 cents per kilowatt hour would be the advertised rate. 
Of course, the electricity rate varies a lot even state-to-state within the US or in different countries, but we'll go with 10 cents for a kilowatt hour. A kilowatt hour, of course, is this funky unit that was created to appeal to consumers. A much better unit is a megajoule. But there's a fairly simple conversion. So at the same price, about three cents per megajoule. So if the Bitcoin miners were spending all $25 per second buying electricity, well, it would be $25 converted into megajoules per second, which are, of course, watts, and 900 megajoules per second would be 900 watts. Oh, I should restart this because I messed that up badly. Okay, from the top on this slide. So how much energy is the entire Bitcoin network using? There are two basic approaches to trying to estimate how much energy the Bitcoin network is using. Of course, we can't compute this precisely because it's a decentralized network with miners operating all over the place who haven't documented exactly what they're doing. But we'll start with a really simple approximation strategy, which is to take the fact that about $15,000, and again, that's 25 Bitcoin, of reward are created with every block, which is found every 10 minutes. So if we convert that to revenue per second, we got about $25 US per second that are being minted and given to the mining community. Now, if the miners are turning all of those $25 per second into electricity, how much can they get? Well, at US industrial electricity prices, and this will vary from state to state or certainly from country to country, but we'll go with about 10 cents US per kilowatt hour. And kilowatt hour is kind of a funny marketing unit, so we'll go to the more standard scientific unit of the megajoule. So if the miners took those $25 that they earn every second and converted it purely into electricity, they would get about 900 megajoules every second. 
And of course, joules per second are just watts, so those 900 megajoules per second are 900 megawatts or 900 million watts. A second way to estimate the same figure is to do a bottom-up approach. And to say, let's look at how many hashes the miners are actually computing, which we know by observing the difficulty of each block, and what is the best hardware that miners might be using. So if you look online at mining rigs that are being sold commercially today, one of the best performance figures that you'll see is rigs that are able to turn one watt of electricity into about one gigahash of hashing. So they perform one billion hashes per second while consuming about one watt of power. And the total network hash rate is about 150 million gigahashes or 150 petahashes. Of course, that excludes all of the cooling energy and all of the embodied energy that's in those chips, but we're doing an optimal calculation here. So if the entire network was running at about the efficiency of generally the better chips on the market, what would we get? And we just multiply these two together, we would get about 150 megawatts to produce that many hashes per second at that efficiency. So again, last slide I said at a high end, using the top-down approach, we estimated about 900 megawatt. And using the bottom-up approach, this is a lower bound, about 150 megawatt. So maybe for the whole network today, somewhere between 100 megawatts and a gigawatt of electricity are being consumed. In reality, of course, it's probably somewhere in the middle and it's going to evolve over time, but that's a useful ballpark to think about right now. So how much is a megawatt? Well, we can look at what big power plants produce. So one of the largest power plants in the world, the Three Gorges Dam in China, is a 10,000 megawatt power plant. It actually has slightly higher capacity than that, but that's the average rate of power that's being produced. 
Whereas a typical large hydro plant is more like 1,000 megawatts. If you're interested in nuclear power, you can look at the largest nuclear plant in Japan, and that's about a 7,000 megawatt plant. Whereas the average nuclear power plant is more like 4,000 megawatt. Or back in the carbon-heavy way of producing electricity, we can look at major large coal-fired plants and you might get 1,000 to 2,000 megawatts. So again, our high-end estimate was still that Bitcoin is consuming less than 1,000 megawatts. So the whole Bitcoin network is consuming less than a large power plant's worth of electricity. So it's not nothing, it still means that we have to essentially run a large power plant purely to power Bitcoin and not any of the other things that we need electricity for in the world. But it's not yet to the point where it's a large amount of electricity compared to all the other things that people are using electricity for on the planet. And it's certainly worth pointing out that any payment system is going to require energy and electricity. So we look at traditional currency. A lot of energy is consumed moving gold bullion around, guarding the gold bullion, running ATM machines, running coin sorting machines, running cash registers, transporting the money around in armored cars. All of that is energy consumed by the traditional money system. So sometimes people have a tendency to think that Bitcoin is wasting energy because the energy is being expended in this SHA-256 computation that doesn't serve any apparent purpose. But you could also look at all of the energy used in a traditional currency system and say that it's also wasted and that it doesn't serve any other purpose besides maintaining the currency system. So that's a really important disclaimer I think that just because Bitcoin uses electricity it's not necessarily wasted. If Bitcoin is a useful currency system then the electricity is essentially being used for that purpose. 
But we still might think is there something better that we could do with this electricity rather than just heating up air which is sent off into the atmosphere? And one pretty interesting idea is what if we tried to capture the heat that we're turning that electricity used in Bitcoin mining and use it for practical purposes. So this is called the data furnaces model and the basic idea is that you would go down to your local hardware store and instead of buying a traditional electric heater to heat your home or to heat water in your home you would buy a Bitcoin mining rig that you would plug in both to the electricity outlet and also to your internet connection. And your heater would essentially be doing Bitcoin mining and using the heat produced as a byproduct of that computation to heat your water or to heat your home, which is hopefully useful. And it turns out that the efficiency of doing this isn't actually that much worse than just buying an electric heater. So this seems to be a great idea and maybe it's a promising avenue to explore for the future. There's a couple of challenges here. For one, electric heaters are still much less efficient than gas heaters. So if you're in a really cold climate where people really need heat hopefully they'll have gas heating in their home anyway. It's also not clear what the ownership model is here. If you buy the Bitcoin data furnace do you own the Bitcoin mining rewards that you get or does the company that sold them to you? Most people don't have any interest in Bitcoin mining and probably never will so it might make more sense to buy this as an appliance and have the company that sold it to you keep the rewards. And then there's the really basic question of what happens if everybody turns off their Bitcoin mining rig in summer? Will the capacity of the Bitcoin network go way down seasonally based on how much heat people need? Will it go way down on days that happen to be warmer than average? 
This would be really interesting if the data furnace model actually caught on. So a couple of open questions related to Bitcoin's energy consumption. Does the fact that Bitcoin provides such a good way to turn electricity into cash mean that countries that have strong electricity subsidies will have to rethink that model? So right now in many countries around the world the government actually subsidizes electricity particularly industrial electricity. And one of the reasons they do so is to try and encourage industry to be located in their country as opposed to other countries. Now if one of the main things that Bitcoin miners need to be successful is cheap energy and you can mine Bitcoins basically anywhere it may not be stable to have countries subsidizing electricity heavily because all that will mean is that you're paying for a lot of Bitcoin miners to move into your country. There's also the interesting question of will the fact that you can turn electricity into money easily with Bitcoin mean that people have to start guarding their power outlets? Particularly around universities and corporations, large buildings with a lot of power outlets will they need security cameras to make sure that employees or students aren't trying to mine Bitcoins by plugging into unmonitored power outlets and just letting them run? And you might ask would we be better off if we didn't have this electricity consumption? Could we make a currency that didn't have proof of work and didn't have to use so much electricity? And again, I'm not gonna talk about that directly today but that's gonna be a topic that we'll talk about quite a bit in our future lecture on alternative mining. Now we're gonna talk about mining pools. So what is a mining pool? Well, let's look at the economics of being a small miner. So say you're an individual who spent $6,000 of your hard-earned money to buy a nice shiny new Bitcoin mining rig. 
Now, you expect that you'll find a block in about 14 months with this fancy new rig. And remember that a block is worth about $15,000 at today's prices. So if you amortize that, you could say that the expected revenue of this box is about $1,000 per month. And now maybe once you factor in electricity and your other costs of operating it, if you actually got a check in the mail every month for $1,000, that would make it worth it for you to buy this $6,000 mining rig. But remember that mining is a random process. You don't know when you're gonna find the next block. It's a completely random search and you could find your next block at any time. So if we look at the distribution of how many blocks you're likely to find in the first year with that hypothetical one-terahash box, the variance is pretty high because the expected number of blocks you're gonna find is so low. So if we just look at the distribution and this is a Poisson distribution, there's over a 40% chance that you won't find any blocks in the first year. In which case you might really be in trouble if you haven't earned any revenue in an entire year of running that $6,000 box that costs a lot of electricity to run. There's about a 36% chance that you'll find one block in the first year, in which case maybe you're barely scraping by. And then there's a slightly smaller chance that you'll find two or more blocks, in which case you'll really be making a profit with this thing. So again, on expectation, you might be just doing okay enough to make a return on your money but there's a big chance that you'll make nothing at all. So that means that for a small miner, mining is essentially a big game of roulette. Now historically, when small business people faced a lot of risk and they wanted to lower the risk, they got together and formed mutual insurance companies. 
So farmers would get together and agree that if any individual farmer's barn burned down, they would share profits with that farmer so that that farmer wouldn't go bankrupt. And the question is, can we have a mutual insurance model that works for small Bitcoin miners? So that's what a mining pool is. Now the goal of a mining pool is that a group of miners will get together, form a pool, and they'll all attempt to mine a block which pays the coinbase, the newly minted coins to the same recipient. That recipient is going to be called the pool manager. So no matter who actually finds the block, the pool manager will control the rewards. And then the pool manager will take that revenue and distribute it to all of the participants in the pool based on how much work each participant actually output. Of course, the pool manager will also probably take some kind of cut for their service of managing the pool. So this sounds like a great idea. You can see why it would be attractive to Bitcoin miners to join a pool to lower their variance. But how does the pool manager know how much work each of the members of the pool is actually performing? Obviously the pool manager doesn't want to just take everybody's word for it because everybody would say that they're performing more work than they actually did. So there's a really powerful idea which is that miners can prove probabilistically how much work they're doing by outputting shares. And shares are blocks that are almost valid. So whereas it's pretty rare to find an actually valid block that starts with all 66 required zeros at the beginning of the output hash, there will be a lot more almost blocks that start with a lot of zeros, but not quite the 66 necessary to make it a valid block. So a common choice might be say 40 bits or maybe 50 bits, depending on what size the pool is designed for. 
Now if miners participating in the pool send in a bunch of these near valid blocks, the rate at which you're finding those near valid blocks should give the pool manager a very good statistical idea of who's doing how much work. And the other nice property of this is that there's no way to fake it. Because of the properties of the hash function, there's no way to find almost blocks without also finding actual blocks at the expected rate. So how does this whole setup look? So to start with in each round after the previous block is discovered, the pool manager which will be collecting transactions and assembling a block will tell all of the participants, here's the next block that we're all gonna work on. So they'll assemble the block header, they'll assemble a Merkle tree of transactions to be included in that block. And in particular, they'll make sure to put into that Merkle root of transactions the coinbase transaction which creates new coins and assigns ownership to the pool itself. And now this block header will be sent to all of the participants in the pool and this is what they're asked to work on. And they have to prove that they've been working on it by sending in shares, showing that they've been hashing this block. Now once that gets sent out, all of the miners go about and do their work and they'll all slowly find almost valid blocks or shares until finally one of the miners, hopefully in the pool, finds a valid block that will then be published. Now, after this happens, all of the participants will send in all of the shares that they found to the pool manager, which should be pretty efficient for the pool manager to verify are valid shares that they found. And then the pool manager will take all of the revenue earned from that block that was published and distribute it back to the participants based on how much work they actually did. 
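The share mechanism described above, sketched as an added example that is not part of the lecture: miners hash a pool-supplied header, submit nonces that meet an easier share target, and the manager re-hashes each one against its own header before counting it. The toy difficulties (6 and 14 zero bits), the 2% fee, the simplified header layout and the miner names are all assumptions made so the example runs in about a second.

```python
import hashlib
import struct

# Toy difficulties (assumptions; the lecture's figures are far higher).
SHARE_BITS = 6     # a share needs 6 leading zero bits
BLOCK_BITS = 14    # a valid block needs 14 leading zero bits
SHARE_TARGET = 1 << (256 - SHARE_BITS)
BLOCK_TARGET = 1 << (256 - BLOCK_BITS)
BLOCK_REWARD_SAT = 25 * 100_000_000   # 25 BTC expressed in satoshis
POOL_FEE_PERCENT = 2                  # hypothetical manager's cut


def make_header_prefix(coinbase_recipient: str) -> bytes:
    """Simplified header: previous-block hash plus a stand-in Merkle root that
    commits to who receives the coinbase (constructed sample data)."""
    prev_hash = hashlib.sha256(b"constructed previous block").digest()
    merkle_root = hashlib.sha256(b"coinbase pays " + coinbase_recipient.encode()).digest()
    return prev_hash + merkle_root


def header_hash(header_prefix: bytes, nonce: int) -> int:
    """Double SHA-256 of prefix + 32-bit nonce, read as a little-endian integer."""
    header = header_prefix + struct.pack("<I", nonce)
    digest = hashlib.sha256(hashlib.sha256(header).digest()).digest()
    return int.from_bytes(digest, "little")


def mine(header_prefix: bytes, nonce_start: int, hashes: int) -> list:
    """Miner side: try `hashes` nonces and keep those that meet the share target."""
    return [n for n in range(nonce_start, nonce_start + hashes)
            if header_hash(header_prefix, n) < SHARE_TARGET]


class PoolManager:
    def __init__(self, header_prefix: bytes):
        self.header_prefix = header_prefix
        self.seen = set()    # nonces already credited, to reject resubmissions
        self.shares = {}     # miner name -> number of verified shares
        self.blocks = []     # (miner, nonce) pairs that also meet the block target

    def submit(self, miner: str, nonce: int) -> bool:
        """Verify one share by re-hashing the pool's own header with the nonce."""
        if nonce in self.seen:
            return False
        h = header_hash(self.header_prefix, nonce)
        if h >= SHARE_TARGET:
            return False
        self.seen.add(nonce)
        self.shares[miner] = self.shares.get(miner, 0) + 1
        if h < BLOCK_TARGET:          # every valid block is also a valid share
            self.blocks.append((miner, nonce))
        return True

    def proportional_payout(self) -> dict:
        """Split one block reward, minus the fee, in proportion to verified shares."""
        total = sum(self.shares.values())
        if total == 0:
            return {}
        distributable = BLOCK_REWARD_SAT * (100 - POOL_FEE_PERCENT) // 100
        return {m: distributable * s // total for m, s in self.shares.items()}


def run_round() -> PoolManager:
    """Alice does three times Bob's hashing; shares should reflect that."""
    pool = PoolManager(make_header_prefix("pool manager"))
    work = {"alice": (0, 60_000), "bob": (1_000_000, 20_000)}
    for miner, (start, hashes) in work.items():
        for nonce in mine(pool.header_prefix, start, hashes):
            pool.submit(miner, nonce)
    return pool


def redirected_coinbase_shares(hashes: int = 20_000) -> tuple:
    """A miner hashing a header that pays itself instead of the pool: returns
    (shares it found on its own header, how many the pool accepts)."""
    pool = PoolManager(make_header_prefix("pool manager"))
    found = mine(make_header_prefix("mallory"), 3_000_000, hashes)
    accepted = sum(pool.submit("mallory", n) for n in found)
    return len(found), accepted


if __name__ == "__main__":
    pool = run_round()
    print("verified shares:", pool.shares)
    print("blocks found:", pool.blocks)
    print("payout (satoshis):", pool.proportional_payout())
    print("redirected-coinbase shares (found, accepted):", redirected_coinbase_shares())
```

Because the manager hashes its own header, work done on a header that pays someone else only verifies by chance, at the share rate of roughly 1 in 64 here.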
Now notice that this miner all the way on the right here who did happen to find the block actually receives less revenue than that miner on the left there who didn't find the ultimately valid block but they did find more shares. So there's no bonus for this miner on the right here that they actually found a valid share. They would have been better off if they just mined as an individual because they would have gotten to keep all of the revenue from that block. But of course for the miner on the left, they're sure going to be glad that they joined this pool because they would have gotten nothing if they just mined on their own because they happened to not find a valid block. So there are a bunch of variations on this model of exactly how you determine based on shares submitted how much money each miner should get in mining rewards. So a couple of common ones, there's the pay per share model where the pool manager just announces, I'll pay a flat fee for every share above a certain difficulty that you're willing to send me based on this block. In some ways that's the best for miners because that's a guarantee. Every time they find a share, they'll get a certain amount of money. The pool manager is essentially absorbing all of the risk in that scheme. Of course, as a result, usually with pay per share, you pay the highest transaction fee to the pool manager. Another way to do it is a proportional model where instead of paying a flat fee per share, the amount per share depends on whether or not the pool actually found a valid block. So every time a valid block is found, the rewards from that block are distributed to the members proportional to how much work they actually did. So in this case, the miners still bear some risk proportional to the risk of the pool in general. So if the pool is large enough, the variance of how often the pool finds blocks will be fairly low. Proportional can still be a good approach and it will provide lower risk for the pool manager. 
And it gets around a problem that's inherent to pay per share, which is that with pay per share, the miners actually don't have any motivation to send in valid blocks. They don't have any motivation not to, but miners have the option when they find a valid block of just keeping it a secret. Now they're hurting the pool by doing that, so this is purely an act of vandalism, but they have no real motivation since they get a flat reward per share to actually send in the valid blocks. Whereas with a proportional scheme, the miners certainly want to send in the valid blocks because that triggers revenue coming back to them. And a final variation that I think is interesting and was popular for a while is that the pool owner actually collects no fee, but miners can't receive any revenue out until their balance is over one Bitcoin. So basically this means that new entrants to the pool don't make any money for a while and then they make money at an even rate without paying any fee to the mining pool manager. So essentially once you're established in a pool with this approach, it's a great place to be, but they're harder to break into. So this has become pretty advanced now. There are quite a few protocols to run mining pools and it's even been suggested that these mining pool protocols should be standardized as part of Bitcoin itself. So just like there's a Bitcoin protocol for running the peer-to-peer network, these protocols are an API for communicating from the pool manager to all of the members when to work on a new block, what that block should be, and for the miners to send back to the pool manager the shares that they're finding. Another reason why this is so important is that some mining hardware actually supports these protocols at the hardware level. 
Now this makes it very simple to buy a piece of mining hardware, plug it into the wall, both the electricity and your network connection, choose the pool and then it will start immediately getting instructions from the pool, mining and converting your electricity, hopefully into money. So mining pools first started around 2010, actually way back in the graphics card era of Bitcoin mining, which is several generations ago, and they were instantly very popular for obvious reasons because they lowered the variance for the participating miners. So by 2014, the vast majority of all miners are mining through pools. Very few miners mine on their own anymore. And a very interesting thing happened in June of this year, where the largest pool called GHash.IO got so big it actually had over 50% of the entire capacity of the Bitcoin network. Now this is something that people had feared for a long time, but essentially GHash offered such a good deal to all the participating miners that everybody wanted to join. Now since then GHash has gone down a little bit, partly by design, they've made their fees a little bit less attractive to try to get smaller. But you can see in this pie chart of the largest mining pools, they still have about a third of the power. And it's basically only two mining pools today that control about half of the power in the network. And then there's a nice smattering of other pools thrown in there. So are mining pools a good thing? Well, the advantages of mining pools are that they make mining more predictable for the participants, and they make it much easier for smaller miners to get involved in the game. Whereas the variance would simply make mining infeasible for economic reasons, if you didn't have mining pools, you can operate a much smaller mining rig profitably if you're part of a pool. 
Another advantage of mining pools is that since there's one central pool manager who's sitting on the network and assembling blocks, it actually makes it easier to upgrade the network because by upgrading the software that the mining pool manager is running, that effectively updates the software that all of the pool members are running. The disadvantages of mining pools, of course, is that this leads to centralization. It's an open question how much power the operators of a large mining pool actually have. Of course, miners are fairly free in theory to move between pools as much as they like. If you're making profit on one pool, you'll likely make very similar profit in another pool because the fees that they pay out have converged. They all offer about the same deal today, but in practice, miners don't switch very often simply because they're lazy and it's easier to keep using the pool that they've already signed up for. And another disadvantage of mining pools is that it lowers the population of people actually running a fully validating Bitcoin node. So previously, small miners all had to run their own fully validating node. They all had to store the entire blockchain and validate every transaction. Now, most miners offload that task to their pool manager. And this is one reason why a couple of lectures ago, I said the number of fully validating nodes may actually be going down in the Bitcoin network. So if you're concerned about this level of centralization, you might ask, could we redesign the mining process so that we don't have any pools so that everybody has to mine for themselves? And once again, that's gonna be a very interesting topic that we'll talk about in our lecture on alternative mining approaches. So the last topic in this lecture about mining will be mining incentives and strategies. So what do I mean by mining strategies? 
I've spent most of this lecture talking about how the main challenge of being a miner is to get some good hardware, get some cheap electricity, run as fast as you can, and hope for some good luck. But it turns out there's also some interesting strategic considerations that every miner has to make before they pick which blocks to work on. So in particular, miners get to choose which transactions they want to include in a block. The default strategy is to include any transaction that includes higher than some minimum transaction fee. Miners get to decide which block they want to mine on top of, and the default behavior there is to choose whatever the longest current chain is that's been announced. Miners have to choose how to decide between two colliding blocks when they get announced. So if two people find blocks around the same time, miners have to decide which block to extend because both will be the longest chain in history. And miners have to decide when to announce new blocks. They can choose to find a block and wait before actually announcing it to others. So in each case, there's a default strategy which is what most miners are currently doing because they run the default Bitcoin client. Remember, it's about 90% of fully validating nodes run the default client. It's not clear what proportion of mining power that represents, but it's safe to assume that it's probably a majority. So most miners are doing this default strategy. So what if you want to change some of those decisions? Can you make more money as a miner if you implement some other strategy besides the default one? Well, it's all gonna depend on how much mining power you actually have, and we'll express that with the parameter alpha from zero to one, which is the proportion of all the mining capacity in the world that you actually control. 
It turns out that for some alpha, yes, you can make more money by implementing a non-default strategy, although the analysis is still ongoing, so this is very much new, under-development stuff. So the simplest attack is a forking attack. And the idea here is to perform a double spend. So we have a valid state of the block chain here, and the miner will send money to some victim, Bob. So it may look as if that transaction sending money to Bob is in the valid longest chain. Now this forking miner is gonna then work on an earlier block, and to do this in practice, it would need to be about six blocks earlier based on the standard number of confirmations that people usually wait before accepting that a payment is final, and then the miner will insert an alternate payment where they keep the money for themselves by transferring it to a different address. Now at this point, that block won't be valid since it builds on an earlier point in the blockchain. It doesn't represent the longest possible chain of blocks. But if you have a majority of hash power, if alpha is greater than 0.5, eventually your alternate chain will be longer than what was previously the longest chain. And at this point, your longest chain now becomes the valid blockchain. So you've rewritten history, you've removed that payment that you made to Bob, and you've now kept that money for yourself. And if your target had given you something in exchange for those bitcoins, preferably real currency or some kind of goods in the real world that they can't easily take back, then you've swindled them. And this is a way that you could profit if you have a majority of power in the network. 
So like I said, this attack is certainly possible if alpha is greater than a half, if you have the majority of the mining power, it might be possible in practice with a little bit less because of things like network overhead and the fact that as one mining pool, you shouldn't be working on colliding blocks on your alternate chain. So sometimes people talk about a 51% attacker in Bitcoin, but it's a mistake to think that that's a magical threshold where as soon as you cross it, all of a sudden you can do this attack. In reality, it's more of a gradient where the attack, it's easier the further over 50% you go. It's important to realize that this attack is detectable and it's possible that if you were doing it on a large scale that the community would decide to reverse it by refusing to accept your alternate chain even if it was longer. So it's not clear in practice that this would actually work. And it is also possible that doing this would completely crash the exchange rate of Bitcoin. So it might be that once a miner started trying to do this, people would lose so much confidence in the system that they would not want to buy into it and the amount of dollars that Bitcoin was, that Bitcoins were worth would go way down. In fact, if this was done on a large scale, it's possible it could destroy the currency completely by a dramatic loss of confidence. So who would want to do this? The conceivable scenario where people are worried about an attack like this has been referred to as a Goldfinger attack named after the famous villain in the James Bond movie, of course, whose goal in the movie was to irradiate all of the gold that the US government held at Fort Knox to make it valueless. So if your goal was to destroy Bitcoin, then you might be willing to do this forking attack in order specifically to tank the market, make Bitcoins worthless, and possibly profit because you either shorted Bitcoin or because you had significant holdings in some competing currency. 
So beyond that threat model, it's not clear in which scenarios we would have to worry about a large scale forking attack. Although it's possible that the attack is easier than achieving that alpha greater than 0.5, all that hash power by simply buying it. So whereas it would be really expensive to buy enough mining capacity to have more than everybody else in the world, it might be possible to just bribe the people who do control that capacity to work on behalf of you. So there's a couple of ways you could pay the bribe to them, you could try to do it out of band, you could hand them an envelope full of cash, say, you could declare yourself to be a new mining pool and run it at a loss. You could say I'll pay out 1.01 or something that clearly wasn't sustainable, but enough to get miners to join your pool at the expense of all other pools, maybe that would push you over 50%. And there's some other subtle ways you could try to get people to work on your alternate chain, say by leaving big tips in the blockchain. But the idea is that instead of actually acquiring all the mining capacity yourself, you just pay the people who already have it to work on your fork. Now it might be a bad idea for those miners to actually participate, because by doing so, they would be hurting the currency that they've invested so much money in mining equipment hoping will stay sustainable. So why would anybody be subject to such bribery? Well, it would be an incentive problem. All of the miners together have an incentive in keeping the Bitcoin currency solvent, but individual miners would have the incentive to defect and accept a bribe if they thought they could make more money in the short term. So this would be a classic tragedy of the commons from an economic perspective. Now this hasn't happened, this is pure speculation, but it's an open problem if a bribery attack like this could actually be viable.
So one defense that does exist in Bitcoin against forking attacks is checkpointing. So since 2010, each version of the default Bitcoin client ships with a specific checkpoint and will refuse to accept versions of the blockchain that don't date back to that version. And it's usually several hundred blocks before whatever the current longest chain is. So there's some questions about the implications for this in terms of how decentralized this is, because this now means that essentially a central party, the developers who maintain the core Bitcoin client are deciding something about the value of the valid blockchain, but this does serve as a good practical mitigation against the risk of a deep fork in the blockchain.
Another type of attack that's quite interesting is a block withholding attack. So the idea here is that you don't want to announce your blocks right away as soon as you find them. Instead, you're gonna wanna try to get ahead. What do I mean by get ahead? Well, you wanna do a little bit of mining and hopefully find two blocks in a row before the rest of the network finds even one. And you keep these blocks to yourself as a secret. Now, why would you wanna do that? What would you gain from keeping blocks secret? Well, as long as you have those two blocks that are being held secret in your back pocket, the rest of the network is going to be trying to extend what they think is the current longest blockchain and all of that effort is going to be a waste for them. So while you're ahead by two blocks, all of the mining that you're doing is essentially unopposed. And the reason is that as soon as the rest of the network actually found a valid block, they would publish it and everybody would accept it, but then immediately, boom, you can drop the two blocks that you had in reserve and that would instantly be the new longest valid blockchain and that block that the rest of the network worked so hard to find would immediately be orphaned and cut off from the longest chain.
So this approach has been called selfish mining, which I think is a little bit of a misnomer because all mining is inherently selfish, at least at this point, now that the hobbyist interest in mining has largely died down, mining is a business and people are in it to try to make money. So we should say that it's all in the game for miners to do this if they think that they'll make more profit. So what happens if you're trying this block withholding strategy and you're ahead by one when the rest of the network finds the next block? So instead of being two blocks ahead, you just have one secret block held in your back pocket and then the rest of the network announces what they think will be the next valid block. Well, if this happens, you're gonna want to immediately push your secret block out the door and now there's two versions of potentially the longest chain and every other miner is going to have to decide which version they wanna work on and we're in that race condition. So you basically have to race as soon as you hear somebody else finding a valid block to get your secret block out the door and hopefully get more miners to hear about your block first. So the viability of this block withholding approach is going to depend really heavily on your ability to win these races. So when is it a good idea to do a block withholding attack? Well, if you assume that you can win every race, every time there's competition for the next valid block, the rest of the network is going to accept yours, then no matter what alpha, no matter how much mining capacity you have, it's better to try selfish mining. By selfish mining, I mean this block withholding strategy that I've just described. So how would you try to win every race? Well, you could just fight really hard to have a good network position. You could try to peer with every node so that you'll announce to more nodes ahead of the legitimate flooding algorithm. Or you could try bribing people. And again, you could bribe by including small tips in your block so that it makes it more attractive for people to mine on top of you rather than the competing block. So if you assume that you only have a 50% chance of winning these races, which is about what the natural chances would be if you're competing fairly, then this block withholding strategy is an improvement if alpha is greater than 0.25. And again, this is a theoretical attack which is very interesting, but it hasn't actually been observed yet in practice and it should be something that you'd be able to tell by monitoring the blockchain and when miners are announcing new blocks. But even though it hasn't been observed in practice, it's very surprising that this is possible and it's contrary to the original idea of Bitcoin that without alpha over 0.5, without a majority of the network, there was no better mining strategy than the default. So the very existence of this attack shows that it's not safe to assume that a miner who doesn't control 50% of the network doesn't have anything to gain by switching to an alternate strategy.
Another interesting case is if miners want to do punitive forking. So specifically, if miners want to blacklist transactions from a specific address, which would freeze the money held by that address forever, they could announce that they'll refuse to mine on any chain with a transaction originating from address X. So the reason this is an extreme strategy is that if you have less than a majority of the network, by announcing that you'll refuse to mine on any chain that has the transaction from X, as soon as that chain exists that the majority of the network accepts that has that transaction from X, then you will have cut yourself off from the longest chain forever and all of the mining that you're doing is essentially wasted. So you could do this strategy, but very quickly you would just be mining on an orphaned fork and it would be a waste of all of your time and electricity.
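The block withholding thresholds stated above (an improvement for any alpha when every race is won, and for alpha greater than 0.25 when half the races are won) can be checked numerically. The following is an added example, not part of the lecture: it uses the closed-form revenue share from Eyal and Sirer's published selfish-mining analysis and a block-by-block replay of the strategy as described, where gamma (a name not used in the lecture) is the fraction of the other miners who build on the pool's block during a race.

```python
import random

def closed_form_share(alpha, gamma):
    """Long-run share of main-chain blocks for a withholding pool
    (closed form from Eyal and Sirer's selfish-mining analysis)."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den

def break_even_alpha(gamma):
    """Hash share above which withholding beats the default strategy."""
    return (1 - gamma) / (3 - 2 * gamma)

def simulate_share(alpha, gamma, events=400_000, seed=1):
    """Replay the withholding strategy block by block and count main-chain blocks."""
    rng = random.Random(seed)
    pool = others = 0      # blocks that end up on the longest chain
    lead = 0               # secret blocks the pool is ahead by
    racing = False         # True while two equal-length chains compete
    for _ in range(events):
        pool_found = rng.random() < alpha
        if racing:
            if pool_found:                 # pool extends its own branch: wins both
                pool += 2
            elif rng.random() < gamma:     # others built on the pool's block
                pool += 1
                others += 1
            else:                          # others built on their own block
                others += 2
            racing = False
        elif pool_found:
            lead += 1                      # keep the new block secret
        elif lead == 0:
            others += 1                    # nothing withheld: others simply win
        elif lead == 1:
            lead, racing = 0, True         # publish the secret block and race
        elif lead == 2:
            pool += 2                      # publish both, orphaning the others' block
            lead = 0
        else:
            pool += 1                      # publish one block, stay ahead
            lead -= 1
    return pool / (pool + others)

if __name__ == "__main__":
    for gamma in (0.5, 1.0):
        print(f"gamma={gamma}: break-even alpha = {break_even_alpha(gamma):.3f}")
        for alpha in (0.10, 0.20, 0.25, 0.30, 0.40):
            print(f"  alpha={alpha:.2f}  default={alpha:.3f}  "
                  f"withholding={closed_form_share(alpha, gamma):.3f}  "
                  f"simulated={simulate_share(alpha, gamma):.3f}")
```

A pool following the default strategy earns a share equal to alpha, so each row shows directly whether withholding pays at that hash share.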
But there's a much more clever way to do punitive forking, which is called feather forking. And the idea here is that instead of announcing that you're going to fork forever, as soon as you see a block that has a transaction from address X, you announce very publicly that you're going to fork, you're going to try to mine an alternate longest chain if you see a block that has a transaction from address X, but you will give up after a while. Typically after one or two blocks confirm the transaction from address X, you'll go back to the longest chain. So your chance of actually pruning that block or orphaning that block that has the transaction from address X, if you give up after one confirmation is alpha squared. And the reason is because you'll have to find two consecutive blocks to get rid of the block with the transaction from address X before the rest of the network can find the next valid block. So alpha squared might not be very good. Say you're a 20% miner, alpha squared is going to be quite low. It's going to be only a 4% chance of actually getting rid of that transaction that you don't want to see in the blockchain, but you might motivate other miners to join you. Now, why is that? As long as you've been very public about this, other miners know that if they include a transaction from address X, they have an alpha squared chance that the block that they find will end up being orphaned because of your feather forking attack. And if they don't have any strong motivation to include that transaction from address X, and it only has a very low transaction fee, that alpha squared chance of losing their mining reward might be a much bigger incentive than including the transaction. So those other miners might rationally say, we have this person, this miner doing feather forking. It's in our interest to join them and just do the blacklist that they're demanding rather than run the risk that they'll feather fork away from the new block that we've just found. 
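The alpha squared argument above, seen from the side of a miner deciding whether to include the blacklisted transaction, as an added example that is not part of the lecture. It goes beyond the one-confirmation case by letting the feather-forker give up after any number of confirmations, and it assumes that every other miner keeps extending the block's chain; the 25 BTC block value and the function names are illustrative.

```python
from functools import lru_cache

def orphan_probability(alpha, give_up_after=1):
    """Chance that a feather-forker with hash share alpha orphans a block
    containing the blacklisted transaction. The forker mines from that block's
    parent and gives up once the block has `give_up_after` confirmations."""
    @lru_cache(maxsize=None)
    def win(fork_len, confirmations):
        if fork_len > 1 + confirmations:      # fork is now the longest chain
            return 1.0
        if confirmations >= give_up_after:    # forker returns to the main chain
            return 0.0
        return (alpha * win(fork_len + 1, confirmations)
                + (1 - alpha) * win(fork_len, confirmations + 1))
    return win(0, 0)

def break_even_fee(block_value, alpha, give_up_after=1):
    """Smallest fee on the blacklisted transaction that repays the orphan risk.
    Including it earns (1 - p) * (block_value + fee) on average;
    leaving it out earns block_value with no added risk."""
    p = orphan_probability(alpha, give_up_after)
    return p * block_value / (1 - p)

def should_include(fee, block_value, alpha, give_up_after=1):
    """True when a profit-driven miner gains by including the transaction."""
    return fee > break_even_fee(block_value, alpha, give_up_after)

if __name__ == "__main__":
    BLOCK_VALUE = 25.0  # BTC earned by the block without the transaction (assumed)
    for alpha in (0.05, 0.10, 0.20, 0.30):
        for k in (1, 2):
            p = orphan_probability(alpha, k)
            fee = break_even_fee(BLOCK_VALUE, alpha, k)
            print(f"alpha={alpha:.2f} give_up_after={k}: "
                  f"orphan chance={p:.4f}, break-even fee={fee:.4f} BTC")
```

For the 20% miner in the lecture the orphan chance is 4%, which already makes any fee below roughly 1.04 BTC not worth the risk on a 25 BTC block.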
And the cool thing is that you can now enforce a blacklist even if alpha is less than 0.5, if you have less than a majority of the mining capacity. And your success in doing this is going to depend really heavily on how convincing you are to the other miners that you're definitely going to fork. So ideally what you would want to do is say, I've burned this into hardware, I have no choice, I have to do this, so no matter what you do, I'm going to be feather forking, in which case the miners would say, well, this miner really is going to go through with it, so maybe we should just give them what they want and do this blacklist. So why would you want to have a blacklist? Well, like I said, there's the ability to freeze money held by an individual, and if you're blacklisting successfully, you can keep them from ever spending that money. So maybe you could profit off of this by some sort of ransom or extortion demanding that the person you're blacklisting pay you in order to be taken off of your blacklist. It also might be something that you might want to do for legal reasons. Maybe certain addresses are designated by law enforcement as being bad, those assets are demanded to be frozen, in which case some proportion of miners, say those operating in the jurisdiction where the asset freezing has legal authority, will say, well, we really have to enforce this blacklist we're being demanded to by the government, therefore maybe we should feather fork to try to make it happen. But a much more interesting case is if miners do this to try to enforce a minimum transaction fee. So instead of a blacklist against a specific address, you want a blacklist against any transaction that doesn't include some minimum transaction fee that you think is fair to you as a miner for your hard work. 
So we haven't talked a lot about transaction fees in practice yet, we've said that they exist and we've said that there's the capacity in Bitcoin to pay transaction fees, but what are transaction fees? So this is the default policy for transaction fees, taken essentially right out of the Bitcoin code. Transactions are assigned a priority, which sums over all the inputs, the value of that input times how old the transaction is, how long ago that input was put on the blockchain, divided by the size of the transaction. So this basically means transactions that are larger, transactions that are spending older coins that haven't been moved in a while, and transactions that are smaller have higher priority. And by smaller I mean smaller in size of the transaction, which means they don't have a long complicated script. So the idea is to prioritize large transactions, people who don't move their coins very often and who do it in a simple way, whereas if you wanna move money quickly, if you wanna move small amounts, or if you wanna do complicated scripts, you have to pay a higher transaction fee. And currently by default, there's a magic number where miners accept with no transaction fee if the priority is higher than 0.576. And if you're sitting there thinking that seems pretty random, where did that number come from? I'd say you're right. It's a very arbitrary choice, but it's in the default client. So that's basically what you need to pay if you wanna move Bitcoin. So currently transaction fees don't matter that much. And the reason is that block rewards provide the vast majority well over 99% of all the revenue that miners are making. But keep in mind, we mentioned earlier, that the size of mining rewards is going down constantly over time. So every four years it's halving. So eventually in the distant future, the mining rewards, the fixed rewards by creating new coins are going to be much lower and transaction fees are gonna be the main game for miners. Gonna be where they're making all of their revenue. So it's an open question in that new world where transaction fees are everything for the miners. They really depend on transaction fees for their revenue. Are miners going to be more aggressive about enforcing minimum transaction fees? And how are they gonna enforce that? Will they need to form a cartel to enforce minimum transaction fees? Is that something that market concentration provided by mining pools will make easier to happen? These are really interesting long-term open questions about how Bitcoin will evolve.
So in summary, miners are free to implement any strategy that they want. Although in practice in the wild, we've seen very little behavior of anything but implementing the default strategy. And I should stress that there's no complete model for miner behavior that says that the default strategy is optimal. We've seen that in a world where most miners do choose the default strategy, Bitcoin seems to work fairly well. So it seems to work fairly well in practice; we're not sure if it works in theory yet. But even though it works in practice so far, the facts on the ground are going to change for Bitcoin. They're changing slowly because of more network hashing capacity. The miners are getting better and better. There's more centralization and professionalization of the miners. But even beyond those trends, they have to change in the long run because of the transition from fixed mining rewards to transaction fees. So overall, I'd say you should stay tuned to this space. Things might be about to get a lot more interesting for Bitcoin mining. And currently it's a very interesting research topic to try to play out using what we know from game theory. How is this going to evolve in the long term?
So that's all on Bitcoin mining for now. A few lectures from now we'll have another lecture about mining, but about alternative models for mining. How could we redesign Bitcoin mining to have different properties?
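The default priority rule from the transaction fee discussion above (sum over inputs of value times age, divided by transaction size, accepted with no fee above 0.576), worked through as an added example that is not part of the lecture or the Bitcoin client's own code. It assumes input values in satoshis and input age counted in blocks, under which 0.576 is a 1 BTC input that is 144 blocks old in a 250-byte transaction; the sample transactions are constructed.

```python
COIN = 100_000_000              # satoshis per bitcoin
FREE_NUM, FREE_DEN = 144, 250   # 0.576 = 1 BTC * 144 blocks / 250 bytes

def priority(inputs, size_bytes):
    """Priority in BTC-blocks per byte. inputs: (value_satoshis, age_blocks) pairs."""
    return sum(v * a for v, a in inputs) / size_bytes / COIN

def accepted_without_fee(inputs, size_bytes):
    """True when priority is strictly higher than 0.576 (exact integer comparison)."""
    weighted = sum(v * a for v, a in inputs)
    return weighted * FREE_DEN > COIN * FREE_NUM * size_bytes

def blocks_until_free(inputs, size_bytes):
    """Further blocks of age the inputs need before the transaction clears 0.576."""
    weighted = sum(v * a for v, a in inputs)
    shortfall = COIN * FREE_NUM * size_bytes - weighted * FREE_DEN
    if shortfall < 0:
        return 0
    per_block = sum(v for v, _ in inputs) * FREE_DEN   # gain from one more block of age
    return shortfall // per_block + 1

# Constructed sample transactions: name -> (inputs, size in bytes)
SAMPLES = {
    "old, large, simple":  ([(COIN, 145)], 250),
    "exactly at the line": ([(COIN, 144)], 250),
    "small recent payment": ([(1_000_000, 10)], 226),
    "large but bulky script": ([(5 * COIN, 6), (2 * COIN, 3)], 20_000),
}

if __name__ == "__main__":
    for name, (inputs, size) in SAMPLES.items():
        print(f"{name:24s} priority={priority(inputs, size):.6f} "
              f"free={accepted_without_fee(inputs, size)} "
              f"blocks_until_free={blocks_until_free(inputs, size)}")
```

The small recent payment would have to sit untouched for about 13,000 blocks before it qualified, which is why moving small amounts quickly means paying a fee.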
But before we get to that, in the immediate next lecture, we're going to look at anonymity in Bitcoin. How much anonymity does Bitcoin provide? If I use Bitcoin, will people be able to link my Bitcoin transactions to my real name? And what technologies are there to try to either strengthen anonymity in Bitcoin or design an alternate currency with more anonymity? That's all coming your way in the next lecture.