In this lecture, we're going to talk about altcoins and the much larger ecosystem of cryptocurrencies in which Bitcoin actually just plays one important role. Let me start by giving you a sense of the sheer number and variety of altcoins that have launched since Bitcoin began. Bitcoin was first launched in January 2009, and it wasn't until two years later, the middle of 2011, that the first Bitcoin-like derived system, Namecoin, was launched. In the following months, a handful of other altcoins were launched, and the rate of altcoin launches didn't pick up until 2013. At the current time, several altcoins are launched every week. We're going to focus on only a few of the oldest and most well-established altcoins and talk about them more. Now, there are between, say, 150 and 500 altcoins that have been launched in total. This varies depending on what you consider a launch of an altcoin. Some altcoins are simply announced, and perhaps their code released, but their genesis block hasn't been created yet. Some altcoins have been launched but then died very quickly after their launch, and we'll talk a bit more about that in the future. Most altcoins share a lot in common with Bitcoin. They begin with a genesis block and their own alternate view of transaction history from their beginning.
Now, to give you some sense of the relative size or impact of Bitcoin in the ecosystem of altcoins, there are a variety of metrics we can use, but I want to show you one, which is market cap. This refers to the price of an individual unit of coin, measured at perhaps the most popular third-party exchanges, multiplied by the total number of units of currency in an altcoin thought to be in circulation. Now, by this metric, Bitcoin is by far the largest, accounting for perhaps 95 percent of the overall market cap of all of the cryptocurrencies combined.
Bitcoin and Litecoin, the second largest currency by this metric, account for more than 99 percent of the total market cap of Bitcoin and all the altcoins. The relative ranking of the other altcoins tends to vary quite a lot and fairly rapidly. This diagram in particular is already a bit dated. It's from January 2014. The significance of this is that when we talk about altcoins, many of them are very small in terms of their user base or their total impact relative to the handful of most popular coins.
Another way of getting a grasp of the ecosystem of altcoins and their relation to each other is the concept of altcoin genealogy. When an altcoin or a Bitcoin-like system is launched, it typically isn't designed and implemented from scratch. Typically an altcoin is launched by preparing a reference client, so the software for a node that actually connects to the network, and this is prepared by forking from an existing code base of the reference client of a more well-established altcoin or Bitcoin itself. So the top two currencies by market cap, Litecoin and Bitcoin, are also the most widely forked code bases. Litecoin itself is also a fork of Bitcoin. It's actually Bitcoin's grandchild, in the sense that Litecoin was forked from Tenebrix, which was a short-lived altcoin that itself was forked from Bitcoin.
Every altcoin has some kind of story to tell, which makes these fun to talk about. Most altcoins have something that distinguishes them from all of the others, or some reason for existing. In many cases, altcoins are distinguished by having some different technical feature, such as additions to the script language that express different kinds of transactions, or additional security. In some cases, the security can come from a different mining puzzle that discourages or encourages one kind of mining or another, or features that, for example, add additional anonymity and privacy for users' transactions.
In many cases, an altcoin simply changes some of the built-in parameters of Bitcoin. This includes things like the average time between blocks and a variety of parameters which altogether I'd call monetary policy, which include things like the schedule of rewards being created, the overall inflation rate of the altcoin, and whether or not the inflation rate gradually caps out at some finite limit the way that Bitcoin's does. In many cases, altcoins are also launched with a theme or some sense of a community that the altcoin is targeted at or intended to support, or simply a common interest that the altcoin should be associated with. I'll talk about some examples of these as I describe some of the major altcoins to date.
The first altcoin we're going to look at in detail is Namecoin. This was the first altcoin that was launched, again, in the middle of 2011, April, roughly two years, a little more, after Bitcoin was launched. Namecoin is very interesting because it has a very new technical feature, which is domain name registration. Namecoin is actually intended to be a decentralized replacement for the domain name system, which is, as you know, an essential part of our internet and World Wide Web infrastructure. Now, Namecoin actually works for that purpose. You can't use this by default with an unmodified browser, but you can download a browser plugin for, say, Firefox or Chrome. That would allow you to type in an address like example.bit, any website name that ends in .bit, and it will automatically take you to the right location indicated by the registry stored on Namecoin. In order to register a name in Namecoin and maintain it, you send transactions to the Namecoin system, much as you would send a transaction to the Bitcoin network in order to move Bitcoin currency around. Namecoin mirrors a lot of aspects of the current domain name system. So for example, you can register a name that currently isn't taken by anyone by paying a small fee.
Now, the fee to register an untaken name in Namecoin is only 0.01 of a Namecoin, which works out to about one cent in US dollars at the current price. This is, you know, a thousand times less than the cost of registering a domain name given the current system of DNS and registrars. Unlike the current domain name system, in Namecoin there's no renewal fee, but you do have to publish a transaction that pings your name every six months or so in order to keep your name under your control. Also like the domain name system, Namecoin features a hierarchy of names. So if you register a root domain like example.bit, you can give out subdomains like subdomain1.example.bit to other people. You can also transfer domain names in Namecoin that you own to other people. And you can in fact make transactions that are a transfer and sale of a domain. So you can make a transaction that transfers ownership of a domain to a buyer and at the same time transfers units of the Namecoin currency from the buyer to the seller. One other interesting property of Namecoin is that this was the first altcoin to feature merge mining, which is a really clever technique that we're going to talk about a little later. And this has been part of its success.
Next, we're going to talk about Litecoin. This was launched also in 2011, sometime after Namecoin. And Litecoin has for the past several years been the number two altcoin next to Bitcoin in terms of overall popularity and user base. The main technical distinction between Litecoin and Bitcoin is that it features a memory-hard mining puzzle like the kind we talked about in lecture eight. Now, when Litecoin was launched, Bitcoin mining was mostly done by GPUs. And so the point of Litecoin's use of a memory-hard mining puzzle was to actually be GPU resistant. So at the time Litecoin was launched, you could still mine Litecoin with a CPU that you might have used to mine for Bitcoins.
Now, the technology for mining in Litecoin has lagged behind the technology in Bitcoin. So once Bitcoin mining moved from GPUs to FPGAs and then ASICs, Litecoin mining also moved from CPUs, which it was originally intended to support, up to GPUs. And now, fairly recently, the first Litecoin mining ASICs are being delivered. Now, by most metrics, Litecoin is the second largest and most popular altcoin. In fact, it's the most widely forked. Besides the memory-hard mining puzzle and a couple of small parameter changes (for example, blocks in Litecoin arrive four times faster than in Bitcoin, every two and a half minutes), Litecoin borrows as much from Bitcoin as possible in different ways. And in fact, its development has followed Bitcoin's. So as patches and improvements have been made to Bitcoin, Litecoin has also adopted these. For this reason, Litecoin occasionally uses the slogan that it's the silver to Bitcoin's gold.
The next interesting altcoin to talk about is called Peercoin, sometimes called PPCoin. This was launched a little bit later, towards the end of 2012. Peercoin is very interesting because it uses a very different mining puzzle. This is the first altcoin that featured proof of stake, which, if you remember from lecture eight, is a form of mining that doesn't actually involve any computational work. Instead, it involves mining by making transactions using coins that you're already holding, and the coins accumulate stake over time, as long as they aren't being moved. Now, Peercoin actually is a little more complicated than that, and it uses a hybrid mining approach. This means that it is possible to mine Peercoin blocks by using proof of work. You can mine for Peercoins by using a SHA-2 mining rig, the same kind you would use in Bitcoin. However, the catch is that this only works for minting new currency. You can mine one of these blocks and get a Peercoin reward.
But the proofs of work in a mined block aren't actually included in the calculation to determine what's the longest or the main Peercoin blockchain. This means that proof-of-work mining is used to distribute coins, but it doesn't have any impact on the security. More proof-of-work miners joining the Peercoin network don't add any security to it. It also means that an attacker who has a lot of SHA-2 mining equipment isn't able to have any advantage in launching an attack on Peercoin. There's a third aspect of the hybrid mining strategy, which is somewhat controversial, which is that Peercoin administrators have a trusted public key, which they use to assign checkpoints of blessed blocks every so often. This is intended to act as a safeguard against attacks. But the controversy is that it leads to a simple argument that this isn't truly decentralized, because it has a position of trust in this administrator's public key. Now, this checkpoint system isn't inherent to its design. It could be removed in the future. The downside is that because it has the safety mechanism in place, we can't necessarily infer empirically that proof of stake has led to a very secure system. We don't know what would happen if this training wheel were removed.
Next, we're going to talk about Dogecoin. This is a fun altcoin to talk about because it has a lot of fairly interesting and amusing differences from other altcoins that have come before it. Dogecoin is one of the newest altcoins. It was launched less than a year ago, at the end of 2013. Besides a few technical changes, the main thing that distinguishes Dogecoin is that its founders set the tone for a very clear community set of values that include things like tipping and generosity and not taking cryptocurrency so seriously.
So while Bitcoin has an ethos of providing decentralized alternatives to centralized infrastructure to change the world, Dogecoin's culture begins with the notion of a sense of humor and having fun with cryptocurrency. Dogecoin's had a bunch of interesting and successful marketing campaigns or public relations events. One of them is that they sponsored a NASCAR driver who participated in a race at Talladega. So there's a NASCAR car that's covered in the Dogecoin mascot, which is the internet meme of a Shiba Inu, and has Dogecoin logos over the car. Another interesting thing that the Dogecoin community did is they raised over $30,000 to support the Jamaican national bobsled team so that they could travel and compete in the 2014 Winter Olympics. This is especially funny because it almost exactly mirrors the plot of the 90s movie Cool Runnings. All right, and because of these interesting things, Dogecoin has become very popular throughout its short time since launch.
One of the interesting technical differences Dogecoin has, or had, is a notion of random block rewards. The idea is that rather than having a fixed block reward, or a reward that's predictable and changes over time, each block bonus in Dogecoin should be random. Now, the way that this was implemented has a flaw. The way that it's implemented is that the bonus given to the miner for each block depends on a pseudorandom function of the hash of the previous block. Now, the problem here is that miners of a Dogecoin block, before or while they're mining on a block, know in advance the reward that they would get if they happen to find a correct puzzle solution. This means that if you know that the next Dogecoin block is going to have a very low value, you have an incentive to switch to mining on some other altcoin instead, which has a more predictable or ordinary value.
Once this problem with the random block reward system was understood, the feature was eventually removed, really only a few months after it was launched.
Another technical distinction of Dogecoin is that the rate of average block rewards decreases in half at a much higher rate than that of Bitcoin. So remember that in Bitcoin, the block reward is scheduled to decrease by half periodically over time. Originally Bitcoin blocks were worth 50 Bitcoins each. Now they're worth 25 coins each. This was cut in half at some point a year ago, and the next halving event won't occur for a couple more years still. In Dogecoin, the mining reward rate is cut in half roughly every two months. So this is a timeline of Dogecoin's hash rate on its network for a period of time of about four months, spanning from April 2014 up to the current date of August 2014. And there's a couple of points, in late April and in mid July, when the block reward for Dogecoin was cut in half. What happened is that each of these times the hash rate contributed to the network diminished quite substantially, declining by somewhere between about 30% and 50%. Now, from this first halving event on this timeline, once the hash rate dropped it eventually picked up again and reached a peak around where it was previously, just in time for the next halving event, after which it reduced by half. Now, in comparison, over the same window the hash rate in Bitcoin has essentially steadily increased at a slow exponential rate, while Dogecoin's hash rate has gone up and down. This indicates that having a much faster halving time has a significant impact on the contributed hash power of an altcoin. Just to compare, not all altcoins go up and down. Here's a timeline also of an altcoin that was steadily in decline during the same period. This was a smaller altcoin. I'm not going to bother naming it, for the sake of not embarrassing them.
Hash power can be compared directly between two different altcoins that have the same mining puzzle. So for example, the five terahashes per second for the altcoin depicted on the bottom is roughly more than 10,000 times less than the hundred petahashes per second of Bitcoin's hash rate. On the other hand, it doesn't make sense to directly compare the hashes per second between two different mining puzzle schemes, because it doesn't take the same amount of computational effort to compute the hashes. A customized device for computing SHA-2 mining puzzle solutions isn't usable for computing scrypt puzzle solutions, or if it's usable, it might only be so at a reduced rate of efficiency. Nonetheless, besides comparing hashes per second in absolute terms, it does make sense to compare the relative change in hash power over time, because this is a reasonable measure of the amount of participation in the network.
It's also possible to measure the price of units of currency in an altcoin as they change over time, and in general this tends to correlate fairly well with the hash rate contributed to the network. So for example, this top graph depicts the hash rate contributed to the Litecoin network over time, which again is steadily increasing at roughly an exponential rate, and Dogecoin's hash rate over time, going up and down several times over the same time period, as shown at the bottom of the top graph. In the bottom graph you see the relative exchange price at one of the largest third-party cryptocurrency exchanges. What you can tell is that just as the relative hash rate contribution in the Dogecoin network has diminished relative to Litecoin's, so has the price of Dogecoin diminished relative to Litecoin's.
We've mentioned several metrics for comparing altcoins. I'm going to talk in a little more detail about a few of these and describe their relative disadvantages or weaknesses.
The standard one, or perhaps the most commonly used one, is market cap, which, to recall, is the price per unit of a currency at some current time, measured typically at a third-party exchange, multiplied by the total number of units of this currency thought to be in circulation. Now, this is almost certainly an overestimate, but it's not clear by how much. It's an overestimate for one reason because the price would change if you tried to sell coins. Suppose you had 1 million Bitcoins; this is around 10 percent of the current Bitcoin circulating supply. You wouldn't be able to sell all of those coins at the current price. Once you started trying to sell a fairly large amount of them, the price would begin to drop as you introduced more coins to buyers who wanted to buy them. So it's not obvious how to account for the difference in available liquidity. Another thing that's hard for market cap to account for is how many coins are actually in circulation as opposed to out of circulation. One way that an altcoin currency unit could go out of circulation is if the original holder of that coin loses their private key. They're no longer able to spend the coin, so it's really become unusable, but there isn't necessarily any way for the network to tell whether or not this has happened. So a simple market cap calculation isn't able to account for this.
One way of trying to measure the amount of activity on an altcoin is to look at its exchange volume. Now, to do this you have to look at one of the large third-party currency exchanges, and this introduces some uncertainty. It depends in some way on which exchange you're looking at. They sometimes have slightly different prices. It's also possible to move the price. It's possible to join a third-party exchange and buy and sell units of the currency to yourself for a fairly low price, but this has the effect of influencing the apparent exchange volume.
You could also look at the transactions that are done on the network, but a transaction on Bitcoin or on most altcoins doesn't really mean that any change of value has taken place. It could just mean that users are automatically reshuffling the coins in their wallet, for example. As we've seen, there are ways of comparing the hash power of coins or looking at how the hash power of the network changes over time. This is especially useful for comparing networks with similar mining puzzles, and it's difficult to compare, in absolute terms, networks with different puzzles. Another more direct metric that you might want to use is some measure of merchant support or commerce being done. How many users are actually using their currency in an altcoin to do things like buy products or exchange them for other things of value and so on? This is very difficult to measure because it would rely quite heavily on some way of aggregating all this information from merchants. You would perhaps need the support of some of the large merchant tools or payment processors that handle both altcoins and Bitcoin, and in general large exchanges and payment processors are hesitant to accept new altcoins into their system, and they only do so once an altcoin has already reached some level of status and is perceived as being taken seriously.
So far we've talked about just a small handful of altcoins. There are many more we could talk about and tell their stories as well. We're going to move on for now, and we'll talk about a couple more altcoins as they come up.
Next we're going to talk about some of the ways that Bitcoin and the altcoins in this ecosystem interact with each other. All the altcoins and Bitcoin in a sense compete with each other. They have rivalries, and we've looked at some of the ways that they change in relative value and participation over time. It's also possible for them to interact in a more hostile or harmful way.
So for example, given the way that the proof-of-work mining system works, it's possible, if you have a lot of mining power, to conduct various forms of attacks on Bitcoin or on an altcoin using this mining power. Now, in particular, this means that if there's a very large entity on a large network such as Bitcoin, for example a powerful single miner or a large mining pool, this mining entity would have a very large power relative to the participation in a very small coin that uses the same proof-of-work puzzle. This means that a large miner on the Bitcoin network could fairly easily attack any small altcoin if it wanted to. Now, attacks like this have actually happened before in practice. There's a well-known story of an altcoin called CoiledCoin, which was quite small at the time, in 2012. One of the large mining pools in Bitcoin, Eligius, decided that CoiledCoin was a scam and an affront to the cryptocurrency ecosystem and a very bad idea, and so the director of this Eligius pool pointed his mining resources at CoiledCoin and launched an attack. This attack involved mining a lot of blocks that reversed days' worth of transaction history in CoiledCoin, reversing users' transactions, as well as mining a long chain that had empty blocks containing no transactions at all, effectively making a denial-of-service attack: CoiledCoin users weren't able to make any transactions during that time. After a fairly short time of this siege, all the users of CoiledCoin had left and moved on, and the altcoin doesn't exist anymore as such. Similar attacks have also been conducted on other altcoins, such as Terracoin and Worldcoin most recently, although in these instances the attacks were short and the altcoins did survive, at least to some degree, after the attack.
I want to talk now about a technique called merge mining, which I mentioned is a very clever technique, and this involves a way that mining on two altcoins can be combined.
Now, ordinarily mining on an altcoin is exclusive to a particular altcoin. Each hash you compute, each puzzle solution attempt you make, has a chance of either being a solution for one altcoin or for Bitcoin, but there's no chance of it being both. You can divert some of your mining resources to mining on one altcoin network or on another, you can change it over time, or you could split your resources, but at any one time your hash power has to be divided from its total in this sense. Now, this is an obstacle to bootstrapping. If you wanted to launch an altcoin and convince Bitcoin miners to participate in your network, the Bitcoin miners would have to stop mining Bitcoin while they switched to your altcoin. So what if it were possible to mine both blocks on an altcoin and blocks on Bitcoin at the same time, without having to sacrifice either?
Now, just to illustrate this, the reason why each puzzle solution attempt has a chance of being either a Bitcoin block or an altcoin block is that each hash you compute is over a string, and the string contains, in the case of Bitcoin, the hash of a previous block and the Merkle root of a tree containing a bunch of valid Bitcoin transactions, and you have to compare it to Bitcoin's target difficulty in order to see if it wins. Now, for a basic altcoin that would be just a fork of Bitcoin's code with a different genesis block but no other changes, so the same mining puzzle, each puzzle attempt for this altcoin would be a hash over a string including the hash of a previous altcoin block and a Merkle root of altcoin transactions, which would be different from Bitcoin transactions, and you'd compare it to the altcoin's difficulty target, which would be different from Bitcoin's as well. Each hash you compute either has the string of the top type or the string of the bottom type, and there's no way for a single hash to give you information about both.
So merge mining is a way of designing the mining puzzle for an altcoin such that every puzzle attempt in the altcoin is also a valid puzzle attempt in Bitcoin. Now, the secret to this is that there are places where a miner can put data in a Bitcoin block that they're mining on. They can put arbitrary data that isn't validated by the Bitcoin network, and it's up to them. So the approach will be to embed the important data for the altcoin, like transactions and the previous block hash, in the Bitcoin block in this location. More specifically, one of the places in Bitcoin where you can place arbitrary data is in the scriptSig of the first transaction in the block, the coinbase transaction. The scriptSig field isn't checked at all by Bitcoin, so it can be arbitrary data and it would still be a valid Bitcoin block. So the approach for merge mining is to put all the data that you need for your altcoin encoded in the scriptSig. This includes the previous block hash for your altcoin and the Merkle root of some transactions relative to your altcoin. Now, then, the merge mining puzzle is to compute the hash over the string including an entirely valid set of Bitcoin block data, which just happens to contain the altcoin data, and once you compute this one hash you can compare it even to a different difficulty target for the altcoin, one that's typically less than the difficulty in Bitcoin. Now, notice that you only compute one hash, and yet it still has a chance of being either an altcoin solution or a Bitcoin solution or even both. What we've just illustrated is a way of merge mining an altcoin onto Bitcoin, but it's possible to generalize this so that you can merge mine any number of altcoins at the same time as well.
Now, merge mining is a mixed blessing.
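A toy model of the merge-mining puzzle described above, as an added example that is not part of the lecture. It shows one hash being tested against two targets, and the three things an altcoin node has to check before accepting a parent-chain header as its proof of work. The `ALT_TAG` marker, both targets and all block data are constructed, and the coinbase is a plain byte string rather than a real Bitcoin transaction serialization.

```python
import hashlib
import struct

ALT_TAG = b"ALTCOMMIT:"   # hypothetical marker, not any real coin's format
BTC_TARGET = 1 << 240     # constructed parent-chain target (harder)
ALT_TARGET = 1 << 244     # constructed altcoin target (16x easier)


def dsha256(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root_and_branch(leaves):
    """Merkle root plus the sibling path proving leaves[0] (the coinbase)."""
    level, branch = list(leaves), []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])      # Bitcoin duplicates an odd last node
        branch.append(level[1])          # sibling of the leftmost node
        level = [dsha256(level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0], branch


def root_from_branch(leaf: bytes, branch) -> bytes:
    for sibling in branch:
        leaf = dsha256(leaf + sibling)   # the coinbase is always the left child
    return leaf


def make_coinbase(alt_block_hash: bytes) -> bytes:
    """Toy coinbase: free-form scriptSig bytes carrying the altcoin commitment."""
    return b"coinbase scriptSig: " + ALT_TAG + alt_block_hash


def make_header(prev_hash: bytes, merkle_root: bytes, nonce: int) -> bytes:
    """80 bytes laid out like a Bitcoin header; version, time, bits are constructed."""
    return (struct.pack("<I", 2) + prev_hash + merkle_root
            + struct.pack("<III", 1408000000, 0, nonce))


def pow_value(header: bytes) -> int:
    return int.from_bytes(dsha256(header), "little")


def mine(prev_hash: bytes, merkle_root: bytes, target: int) -> int:
    for nonce in range(2 ** 32):
        if pow_value(make_header(prev_hash, merkle_root, nonce)) <= target:
            return nonce
    raise RuntimeError("nonce space exhausted")


def classify(header: bytes) -> dict:
    """One hash, two comparisons: it can win on either chain, or on both."""
    value = pow_value(header)
    return {"altcoin": value <= ALT_TARGET, "bitcoin": value <= BTC_TARGET}


def verify_aux_pow(alt_block_hash, header, coinbase, branch) -> bool:
    """Altcoin-side check: commitment present, coinbase in block, work sufficient."""
    committed = ALT_TAG + alt_block_hash in coinbase
    in_block = root_from_branch(dsha256(coinbase), branch) == header[36:68]
    return committed and in_block and pow_value(header) <= ALT_TARGET


def build_example():
    """Mine one merge-mined altcoin block over constructed data."""
    alt_prev = dsha256(b"constructed altcoin block 41")
    alt_root = dsha256(b"constructed altcoin transactions")
    alt_block_hash = dsha256(alt_prev + alt_root)
    coinbase = make_coinbase(alt_block_hash)
    txids = [dsha256(coinbase)] + [dsha256(b"constructed btc tx %d" % i)
                                   for i in range(4)]
    root, branch = merkle_root_and_branch(txids)
    btc_prev = dsha256(b"constructed bitcoin block")
    nonce = mine(btc_prev, root, ALT_TARGET)
    return alt_block_hash, make_header(btc_prev, root, nonce), coinbase, branch


if __name__ == "__main__":
    alt_hash, header, coinbase, branch = build_example()
    print(classify(header), verify_aux_pow(alt_hash, header, coinbase, branch))
```

The Merkle branch check is what ties the altcoin commitment to the hashed header: without it, any coinbase carrying the right tag could be paired with someone else's proof of work.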
It makes it a lot easier to recruit mining participants, especially from a much larger existing network like Bitcoin, because mining participants in Bitcoin don't have to stop mining Bitcoin in order to also merge mine on an altcoin. On the other hand, it also makes things cheaper for attackers. So for example, in the CoiledCoin attack that I mentioned, CoiledCoin was a merge-mined altcoin. This meant that for a Bitcoin mining pool to attack CoiledCoin, it didn't even have to take the opportunity cost of stopping mining Bitcoin while it launched this attack. Another problem is that miners don't directly have an incentive to validate transactions thoroughly if they believe that the chance of there being an invalid transaction published is fairly low, or if they delegate validating transactions to someone else, such as the leader of a mining pool. So while it might not be too expensive to fully validate transactions for a single network, if you wanted to merge mine on a very large number of different altcoins, it would be expensive to thoroughly validate transactions on all of them. Therefore merge mining makes it more likely that only a smaller number of miners would actually perform transaction validation. Many large mining pools in Bitcoin actually provide the service of helping you merge mine many compatible coins at once. So for example, the largest Bitcoin mining pool, GHash.IO, allows you to simultaneously mine on Bitcoin, Namecoin, IXCoin and Devcoin. So these become the most popular Bitcoin-compatible merge-mined altcoins.
Next we're going to talk about a way that transactions in two unrelated altcoin blockchains can actually be related and interdependent. In general, a transaction on one altcoin is entirely independent of, and has no way of referring to, a transaction that happens in some other altcoin's transaction history. However, there is a way to do something to this effect using a technique that we've discussed previously.
Now, the motivation here is: suppose that Alice has one Bitcoin and Bob has one Litecoin and they would like to trade with each other. This means that Alice can make a transaction on the Bitcoin network that transfers her Bitcoin to Bob. Bob can make a transaction on the Litecoin network that transfers his Litecoin to Alice. But they have a problem if they don't trust each other. Which one of them is going to go first? If Alice sends her Bitcoin to Bob, Bob might not make a Litecoin transaction, and Alice would never get the Litecoin; Bob would end up with both of them. What you would like is an atomic transaction property, where either the Litecoin transaction and the Bitcoin transaction both complete or neither of them does.
Now, the way that this technique is going to work involves a couple of different steps. In the first step, Alice is going to generate a secret key X. She's also going to compute the hash of X, and we call that hash value H. Alice is going to start by creating a pair of transactions. The first one is a deposit. It's a Bitcoin transaction that deposits her Bitcoin such that the Bitcoin can be spent in one of two ways. One of the ways is for Bob to take it. This way is colored in green on this side. It only requires Bob's signature, but it also has to involve publishing the secret value X, such that the transaction can check that indeed the hash of X is actually H. This is the way of claiming the Bitcoin that will happen if the protocol completes. Now, the other way of claiming Alice's Bitcoin requires a signature from both Alice and Bob. Alice generates this deposit transaction, but she doesn't publish it yet. First she generates another transaction, refund, which refers to deposit, contains both Alice's and Bob's signatures, and is time locked to a time in the future which we'll call T plus 2. Now, once she gets Bob's signature on this refund transaction, she can publish the deposit transaction.
Now, the important conditions here are that if Bob is able to learn the secret value X before time T plus 2, then he's able to take Alice's Bitcoin. This is what happens when the protocol completes normally. On the other hand, if Alice never reveals her secret X, then she knows that she will be able to reclaim her refund at time T plus 2.
Now, the second step involves Bob also creating a similar pair of transactions. Bob's going to create a deposit B transaction, which contains his Litecoin, and his Litecoin can be spent in one of two ways. Again, one way, in the ordinary course of the protocol, requires only Alice's signature, so it will transfer the coin to Alice, but it requires Alice to publish and reveal her secret string X, which again is checked against the hash value H. Now, Bob creates the deposit transaction but doesn't publish it immediately. First he creates his refund transaction. He has to collect his own signature and Alice's signature as well, and this transaction is time locked to a time T plus 1, which means that this transaction is signed by Alice but it isn't valid until sometime after T plus 1. Once Bob has Alice's signature on this time-locked transaction, he's free to publish the deposit B transaction. Now, the important qualities here are that if Bob is able to learn the secret value X because Alice reveals it before time T plus 1, then Alice is going to be able to take the Litecoin from this transaction. This is how the protocol completes normally. On the other hand, if Alice never revealed X, then Bob can claim his refund at time T plus 1.
So, putting this together, after all of the deposit transactions are published, Alice reveals X and she creates a transaction that takes the Litecoin from Bob, but to do so she has to reveal X, so when Bob learns X he can create the transaction that takes Alice's Bitcoin. Now the transaction is completed.
Now the important logic about why this is secure is that if Alice doesn't reveal X then Bob gets to take his refund at time T plus 1. If Alice takes Bob's litecoin then the only way she can do that is if she does reveal X before time T plus 1. In any case where Alice reveals X before time T plus 1, Bob will learn it and have time to take Alice's Bitcoin before time T plus 2, the final deadline. This guarantees that either both transactions complete or neither of them do, which is the property we wanted out of this. So this is a clever transaction protocol; it has the potential to provide liquidity between altcoins in a secure and decentralized way. On the other hand this technique hasn't been seen in the wild, and there are a few reasons for this. The disadvantages of this protocol are that it requires many transactions, each of which typically has to carry a transaction fee or at the minimum take some amount of time to complete. Even though you're guaranteed that either both transactions complete or neither of them do, there's still a risk of denial of service. If you try to do this protocol with a random stranger they might waste a lot of your time by starting protocols that end with everyone having to collect their refund at the time deadline. Because of these disadvantages almost all exchanges between altcoins are done using large centralized third-party exchanges or ad hoc transactions like local Bitcoin exchanges. So to summarize, so far we've talked about Bitcoin and its role in the context of a large ecosystem of hundreds of altcoins. These altcoins compete and interact with each other in a variety of ways, some cooperative and some hostile. We've also looked at two specific ways that altcoins can interact at a technical level. We looked at merge mining, which is interesting because an altcoin can support merge mining without even explicitly having to have support from Bitcoin.
Not only does Bitcoin not have to change for an altcoin to merge mine on it but it isn't even clear what Bitcoin could do to prevent merge mining like this from occurring. Similarly you can use the hash commit technique in order to have interdependent transactions even though they occur on entirely separate altcoins that have nothing to do with each other directly. This is possible with the existing script language that essentially every altcoin supports. Now we're going to talk about how to launch an altcoin and what happens to altcoins after their launch what's involved with this process. Now as we mentioned an altcoin generally involves creating a new reference client typically by forking the existing code base of some existing more well established altcoin or Bitcoin itself and the easy part is to add in a bunch of technical features or modified parameters you think will work out well. To get people to join your network you need to make this reference client available to them so they can download it. Typically this involves announcing the source code to your reference client on the popular Bitcoin talk forum. And that's the easy part. The hard part is actually bootstrapping your altcoin. The security and the value of an altcoin comes from this bootstrapping process of people who find it valuable. In order to get your altcoin bootstrapped you need to find people who will be miners. Miners are needed to join the network in order to make it resilient to attacks from other altcoins. For your altcoin to have any value there have to be people who are stakeholders who own units of the currency and consider them valuable or useful to them. An altcoin needs a development community because altcoins typically need to be modified to update to respond to bug fixes and to add new features and to increase the scalability and efficiency as your altcoin becomes popular and more transaction volume occurs on the altcoin network. 
It's also important for people to buy and sell altcoins to provide a liquid market so that people who want altcoins or want to sell them can find a place to buy them from. Just to illustrate the point about the reference client being the easy part, I want to highlight a site that doesn't exist at the moment. It was only up for a short while and it might come back. It's called the Coingen beta, and it's an automated service that generates a modified altcoin for you as a service. It's a website where you can enter in a name of an altcoin that you'd like. You can make up a three-letter currency code abbreviation. You can upload an icon for whatever mascot or logo you want for your coin. There are check boxes so you can set a variety of different standard parameters. You can adjust some numeric parameters. After you've picked all of these settings you actually just click create my coin and you can download this modified fork of bitcoin and immediately release it and start running it. Typically you have to pay some fee to the service, like 0.05 bitcoins, for this. You can do this to very easily create any sort of altcoin, so there's really no challenge in just creating a reference client, so that clearly doesn't make the difference in whether an altcoin will be successful or not. Besides a reference client there's a lot of technical infrastructure that most altcoins have and altcoins seem to need in order to be successful. It's important to have some way of initially getting users to have coins. Some of the infrastructure that supports this in bitcoin and in many altcoins are things like tip bots or faucets. Tip bots allow you to give units of your altcoin to users who aren't necessarily already users of your network. You can deposit some of your altcoin in a tip bot and it will send this person a message telling them how many altcoins they have available and how to download the reference client and claim it, as a way of introducing new users to the system.
Another thing is a faucet, like the bitcoin faucet, that will give out small amounts of your altcoin units to anyone who shows up at a website and maybe enters an email address. Almost all altcoins have some kind of distinctive marketing or branding that makes them memorable and easy to recognize. This includes logos or a more comprehensive theme. Other infrastructure that's needed are exchanges or automated ways of exchanging bitcoins or altcoins for other kinds of currency or altcoins, or exchanging altcoins for products or services for merchants. Now there are a lot of existing exchanges and payment processors that already support many altcoins, so this is often a matter of just convincing them to include your new altcoin in their list of supported cryptocurrencies. Besides the reference client there are a lot of developer and diagnostic tools such as testing suites or an entire testing network version of your altcoin that people can experiment with, and things like a block explorer that allow people to look at those transactions and the blocks as they arrive. Most altcoins now have some kind of steering foundation, usually by the organizers or launchers of the altcoin in the first place. Now Bitcoin's founder, the pseudonymous Satoshi Nakamoto, just released the source code for the reference client and basically disappeared after that. There's now a bitcoin foundation that does provide some of the function of encouraging development and lobbying, but it's in no way an official organization. For many altcoins it's actually the founders of the altcoin and the people who launched it who continue to maintain the altcoin after its launch and form some kind of organization to do that.
Now a very important thing for an altcoin, as a way of getting stakeholders initially, is to provide some way of initially allocating units of the currency to individuals besides just the mining process. In every mining-based coin some new coins are created and handed out to miners who solve proof of work puzzles and earn mining rewards, but there are other ways of allocating coins as well. One is called a pre-mine, which is where the founders of the currency reserve some portion of the money supply for themselves. They get a stash of the units of their own altcoin. Sometimes they say that this pre-mine amount is intended to be used for further development of the currency or to pay developers, for example. Another way of allocating units of an altcoin initially is through a pre-sale. This is where the founders, instead of taking these units of currency for themselves, sell them to individuals for some other currency like bitcoin or dollars or any other. Now the people who buy those currencies are the initial holders of them. On the other hand the founders get this revenue of ordinary money or bitcoins which they can also use to, for example, pay developers to build the currency. Another interesting way of getting an initial set of stakeholders in your altcoin is called proof of burn. Otherwise this is called unilateral pegging. The way that this works is that a user who destroys one unit of bitcoin that they own earns one unit of the currency in your altcoin. Now this is intended to have the effect that whoever ends up holding an altcoin believes that it's at least worth as much as the value of the bitcoin that they destroyed in order to get it. On the other hand there's no way to recover the bitcoin; in this case it's actually destroyed. An alternative is to have bitcoin ownership grandfathered in.
In other words, if you had, say, a current date taken like a snapshot, if at that date you own one unit of bitcoin then at the time of this altcoin launch you also own one unit of the altcoin. In this case the original bitcoin doesn't have to be destroyed. The final mechanism is called an airdrop, which is where, if the altcoin is targeted at some kind of community or group, an initial allocation of coins is simply distributed to members of this group. Now I want to tell the story of an altcoin called Auroracoin, which is fairly controversial; it's been widely considered either the most successful scam or one of the least successful altcoin launches. Now the theme of Auroracoin is that it's intended to be an altcoin that supports citizens of the country of Iceland. The idea is to distribute units of Auroracoin to Iceland citizens who would be able to claim some fixed amount of Auroracoins at some point. Now in total Auroracoin has a total supply of eventually 21 million coins, half of which are given out to miners gradually and the other half of which, 10.5 million, are set aside and dedicated to be available for Iceland citizens to claim their fixed portion. Now Iceland has only about 330,000 people and at the time that the airdrop began the coins were not available for Iceland citizens to claim until several months after the coin was initially launched. Now what happened was, during the time between when the coin was launched and when the distribution to Iceland citizens began, the price fluctuated quite wildly. It reached a fairly high peak but by the time the airdrop occurred the price had diminished quite a lot, and once the date of the distribution began the price dropped very rapidly, very low, and has never recovered since. Now what went into this? One explanation is that there's a very high uncertainty about the monetary supply.
At the time that the airdrop began only a very small amount of the currency had been distributed to miners as rewards and it was very uncertain exactly how many Iceland citizens would actually go through the effort of claiming their Auroracoins. This meant that the relative portion of the monetary supply that any miner would hold would either completely change or not change at all depending on how many citizens actually claimed the coin. Another reason for this uncertainty is that the process of distributing portions of coins fairly to individual citizens is a very difficult process. Presumably this could be done by checking something like their national identity cards, but that would be a very difficult process even for someone who had planned it very well. The way that this was implemented was simply by the founder of the coin signing over units of the currency by making signed transactions with his public key. There was very little accountability or transparency into this, which led to a fairly large suspicion that he was either being inundated with fraudulent requests from attackers trying to claim more than their fair share of Auroracoins or that the founder himself ran away and simply made transactions that gave himself a large amount of the Auroracoins, which he could then sell off at an exchange. There's no clear way to know whether this is what happened or not, but the fact of this large amount of suspicion I think had a lot to do with the fact that the price very rapidly declined. Many altcoins are criticized as being pump and dump schemes. This is a phrase that refers to something that happens in small value ordinary company stocks all the time and it also happens in altcoins. To conduct a pump and dump you have to pick an altcoin that you're going to use as your target. This could be an altcoin that's about to launch or it can be an existing low-value altcoin that doesn't have a lot of participation and doesn't have a very high value.
Now while the price is so low and while the value is so low it's easy for an attacker to acquire a large number of these altcoins. Now after that or around the same time the attacker would launch a targeted marketing campaign to convince the public that the reason for this acquisition of coins was because a lot of people are interested in the coin. The coin has a lot of grassroots support or it even has some big important technical merit that explains why it would become popular so rapidly. And at the peak of this excitement, as more people in the public try to buy this coin, the attacker would then sell all of his coins once the price has risen high enough. Now once the marketing campaign ends because the attacker has left, and people realize that there wasn't actually a very large following of grassroots support or the technical merits were overstated, the altcoin's price drops and eventually declines and users move away. This is profitable for the attacker but it wastes a lot of cryptocurrency enthusiasts' valuable money. Now there are many arguments against altcoins that essentially say altcoins are a bad idea and harmful to the overall cryptocurrency ecosystem. One of these arguments is that since altcoins rely on mining power for their security, having a large number of competing altcoins with total mining power divided among them means that any one of those altcoins is relatively weaker against attacks than they would be if, for example, they were all consolidated. A related problem is that there's a dilution of scarcity. One of the reasons why Bitcoin is valuable is because it's perceived as having a fixed limited supply of these 21 million coins, and even if that's true, if it's very easy to create so many other altcoins that also have their own value then in a sense it dilutes the scarcity of cryptocurrencies as a whole.
Another argument is that altcoins are very easy targets for these pump and dump schemes and potentially, of all the hundreds of altcoins, most of them can only be used as pump and dump schemes or only attract that kind of participation. On the other hand there are a lot of compelling arguments for altcoins as well that basically say that altcoins are an essential part of the cryptocurrency ecosystem. For example you could say that competition between altcoins leads to better systems overall. The best altcoin, the one that has the most technical quality and the best features, will eventually be the one that's most successful and has the most value. A reason to use an altcoin rather than simply trying to build new features into Bitcoin or build up Bitcoin is that the Bitcoin community is somewhat risk averse to adopting new features. If you have a new feature you want to try out it's a lot easier to simply implement it in an altcoin and see how it fares than to try to convince the Bitcoin community to accept this as a change before it's been tested. In this sense altcoins are like a research and development testbed for potentially new Bitcoin features. Another good thing about having a diverse variety of different altcoins with different technical composition is that if there's some uncertain event like a catastrophic failure of one altcoin it might not affect all of the other altcoins that have different makeup. This means that if one altcoin is taken out the world of cryptocurrencies can still continue. Another interesting point is that having multiple altcoins has the potential to be a safeguard against the concentration of wealth occurring in any one particular place. The ability to launch new altcoins creates the option of something like a jubilee, which is a biblical kind of event where establishment of wealth is reset and debts are canceled or something like that.
The ability to launch a new altcoin gives the ability to start over again and measure wealth in a new way based on currencies of a new altcoin. This could happen, for example, if it was decided that someone unscrupulous eventually accumulated all of the bitcoins or too many of the bitcoins. It's always possible to simply create a new altcoin and start over again from scratch. Now we're going to talk about a topic that's at the cutting edge of cryptocurrency research. It's not something that's possible with Bitcoin today but it's something that a modification to Bitcoin or to another altcoin could support. We've talked about several ways that a new altcoin could convince stakeholders of Bitcoin or another altcoin to become stakeholders of this new altcoin. Now two of the options that we've discussed are two extreme sides of the same concept. In the grandfathering approach anyone who's a Bitcoin holder can become a holder of some units of this altcoin. On the other hand this doesn't involve any risk to the Bitcoin holder at all. If the altcoin crashes the Bitcoin holder is no worse off than he was before. He still has all of his bitcoins. On the other hand the unilateral exchange plan involves burning bitcoins in order to get units of the altcoin. This involves a lot of risk taken by the Bitcoin holder. If the altcoin crashes then there's no value in the altcoins, and he also doesn't have the bitcoins that he started with since he deleted them in order to gain units of the altcoin currency. With the unilateral peg this means that one unit of Bitcoin is deleted forever in order to claim one unit of altcoin. There's no way to get a Bitcoin back. You could trade the altcoin with someone else who already has a Bitcoin but the Bitcoin that you had is already taken out of the money supply irreversibly.
On the other hand, instead of burning the Bitcoin it would be interesting if you could simply deposit the Bitcoin in some place where it was held in escrow of some kind. You'd be able to get one unit of this altcoin and then transact with it in different ways. But if eventually you wanted to get rid of your altcoin and have your original Bitcoin back you would have that as an option. You could take that Bitcoin that was deposited and retrieve it from its escrow storage. This would be called a bilateral peg. Now ordinarily one Bitcoin transaction can't refer to events that are happening in another altcoin blockchain. But a possible change would be to extend Bitcoin's transaction script language so that you could have all of the rules of an altcoin, including validating all of the transactions and checking the altcoin's proofs of work, actually encoded in the script of a Bitcoin transaction. You would be able to deposit a Bitcoin in such a way that the only way you can retrieve that Bitcoin is by presenting evidence, meaning all the data of a blockchain, showing that an altcoin had actually been deleted, and you could get the Bitcoin back out. Now to implement this the direct way would actually require a very complicated script language and it would require a lot of effort for Bitcoin validating nodes in order to check all of the data on every other altcoin. This would be way too complicated. Now there's an approach towards improving the efficiency of this which involves using SPV proofs. Now if you recall, SPV proofs are a way of allowing nodes that are not full validating nodes, so things like mobile clients which don't have enough resources to perform validation of the entire blockchain, to nonetheless get some evidence that, for example, a transaction has occurred 10 blocks ago in the longest blockchain.
A full validating node has to validate every transaction and is supposed to only mine, for example, on the longest valid blockchain, where validating requires keeping track of all of the available transactions and checking all the transactions in every block. On the other hand a mobile client that assumes that the rest of the miners are doing their job can become confident that a transaction has actually occurred just by looking at the proofs of work in a bunch of blocks and just checking that the single transaction that they care about is included in the Merkle tree of transactions included in a block that occurred sometime in the past. This is a lot faster because it only involves checking block headers, and it's not a guarantee that this is the longest valid blockchain but it is evidence to this effect. So the approach to allowing things like a bilateral peg is to have a bitcoin transaction script that's capable of doing SPV proofs about an arbitrary altcoin. Now altcoins often have different parameters like increased block rates. If an altcoin has a very fast block rate then this would mean that checking an SPV proof of all the headers in a blockchain could still be pretty slow. It would take, for example, n steps to check the proofs of work for n blocks in the altchain. Instead of just having blocks form a chain, though, what if we could store the blocks in a data structure that supported some more efficient kind of SPV proof? We'd like to get something along the lines of taking log n time to check a blockchain that has n blocks in this altcoin. Now one approach to this is based on the idea of a proof of work sample. Suppose that we have four blocks each with difficulty four bits. This means that every hash of these four blocks has at least four zero bits in the front of it.
Now if all four blocks have at least four zero bits, on average half of these blocks are actually going to also have at least a fifth zero bit in the front. And even one of these four blocks on average should be expected to have a sixth zero bit, so six bits of zero in the front, and so on depending on the number of blocks. Now the average number of hashes that are needed to find four blocks with four bits of zero in them is four times two to the four. It would take on average 64 hashes to find these four blocks. This is exactly the same as the average number of hashes you need to compute to find just a single block that has six bits of zero in the front. So an idea is: why not just check a single block, the one that has the most bits, and use that for your proof of work? Well, even though the average number of hashes needed to compute these blocks is the same, the precision of this estimate is different. Suppose an attacker computes only 32 hashes. This is half the expected number of hashes needed to find four blocks. The probability of finding these four blocks with four bits of zero each is actually only 14 percent. That's a 14 percent chance of successfully finding four blocks in half the average amount of time it would take you to find those four blocks. On the other hand the probability of finding just a single block with six bits using only half the expected number of hashes it would take is much higher; it's actually 40 percent. You can do these calculations using standard probability techniques. The number of blocks you find at a given difficulty level given a fixed number of attempts like 32 hashes comes from the binomial distribution. The upshot of this is that the more samples of proof of work you check, the more precise your estimate is, the closer to the average number of steps you can guarantee that it takes.
This means that checking just a single proof of work might not be a good idea but it is plausible that you could check a much smaller number of blocks than the whole blockchain and still get a confident estimate about the proof of work in the total blockchain. Now to have a data structure that supports SPV proofs of this kind we can build something like a skip list. Suppose that our goal is to support compressed proofs of work that involve checking only a quarter of the blocks on average in a large blockchain of proofs of work. The way to do this is to have every block contain not just a pointer to the previous block all of which contain at least four bits of zero but also the hash of the block in the past that's most recent that has six or more bits of zero in the front. This would only incur an extra insignificant amount of cost to full nodes who are still going to validate every proof of work in every block but in order to check a compressed SPV proof it's only necessary to check the hashes that point backwards to the high value lucky blocks. You can just follow the red arrows on average in this case it would take an average of only a quarter of the blocks and proofs of work you would have to check. Now this basic approach can be generalized to an ordinary skip list where you could choose after the fact what kind of sample you would want to take and you could skip as far back as quickly as you like or get a more dense sample in order to have a more precise estimate. Let me conclude by talking a bit about side chains and the potential that this holds. With a suitable modification to Bitcoin or an altcoin you would have the potential to have other altcoins that hold units of other altcoins in reserve. All right this could be used to smoothen out the risk of launching a new altcoin. 
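The back-pointer structure for compressed proofs of work described above, built as a toy chain. This is an added example, not code from the lecture or from any sidechain proposal: the header layout, the all-zero genesis marker and every name here are assumptions, and headers carry no transactions.

```python
import hashlib
from dataclasses import dataclass

BASE_BITS = 4    # every block's hash has at least this many leading zero bits
LUCKY_BITS = 6   # skip pointers land only on blocks at least this lucky
GENESIS = bytes(32)  # assumed marker meaning "no earlier block"


def zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


@dataclass(frozen=True)
class Block:
    prev: bytes   # hash of the previous block
    skip: bytes   # hash of the most recent earlier block with >= LUCKY_BITS
    nonce: int

    def digest(self) -> bytes:
        data = self.prev + self.skip + self.nonce.to_bytes(8, "big")
        return hashlib.sha256(data).digest()


def mine_chain(n: int):
    """Mine n blocks at BASE_BITS difficulty, maintaining the skip pointer."""
    chain, prev, skip = [], GENESIS, GENESIS
    for _ in range(n):
        nonce = 0
        while zero_bits(Block(prev, skip, nonce).digest()) < BASE_BITS:
            nonce += 1
        block = Block(prev, skip, nonce)
        chain.append(block)
        prev = block.digest()
        if zero_bits(prev) >= LUCKY_BITS:
            skip = prev          # later blocks point back to this lucky block
    return chain


def compressed_proof(chain):
    """Prover: the tip plus every block reached by following skip pointers."""
    by_hash = {b.digest(): b for b in chain}
    proof = [chain[-1]]
    while proof[-1].skip != GENESIS:
        proof.append(by_hash[proof[-1].skip])
    return proof


def verify_compressed(proof) -> int:
    """Verifier: check only the skip path; return the work it attests to."""
    tip = proof[0]
    if zero_bits(tip.digest()) < BASE_BITS:
        raise ValueError("tip has too little proof of work")
    expected, work = tip.skip, 0
    for block in proof[1:]:
        digest = block.digest()
        if digest != expected:
            raise ValueError("skip pointer does not match block")
        if zero_bits(digest) < LUCKY_BITS:
            raise ValueError("block on skip path is not lucky enough")
        work += 2**LUCKY_BITS    # each lucky block stands for 64 expected hashes
        expected = block.skip
    if expected != GENESIS:
        raise ValueError("proof stops before the start of the chain")
    return work


def is_valid(proof) -> bool:
    try:
        verify_compressed(proof)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    chain = mine_chain(400)
    proof = compressed_proof(chain)
    print(f"{len(chain)} blocks, {len(proof)} checked in the compressed proof")
    print("work attested:", verify_compressed(proof),
          "vs. expected total:", len(chain) * 2**BASE_BITS)
```

The attested work is an estimate of the chain's total work, so it lands near, not exactly on, the number of blocks times 16.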
You don't necessarily have to allow altcoins to be redeemed back to Bitcoin at the same rate. You could, for example, be guaranteed that if you spend a Bitcoin to get one unit of altcoin currency you can either keep that altcoin, hopefully it rises in value, or you might be guaranteed that you can reclaim it if you want for at least, say, half, like 0.5 bitcoins, of the value that you initially deposited. This could be a way of having a safeguard against losing all the value in an altcoin if the altcoin crashes shortly after its launch. Now this isn't possible today and it would require some changes to Bitcoin in order to support this. For an altcoin to support this doesn't preclude any of the other options that we've talked about as well. The altcoin could either be merge mined with one of the coins that it uses as backing reserve or it could avoid merge mining by having a completely different incompatible mining puzzle. So to wrap up this lecture, we've talked about how Bitcoin is an important part of a much larger ecosystem of cryptocurrencies and altcoins. They compete and interact in various ways, some cooperative, some harmful. There are also a lot of ways that they can technically interact with each other through techniques such as merge mining and hash linked transactions that are interdependent between different blockchains. And it's also possible that in the future there will be more technical ways that transactions in one blockchain can explicitly refer to transactions in another blockchain. There remain several open questions that we aren't able to decisively answer at this time. Are altcoins going to consolidate or stay consolidated, where there are a few vastly largest altcoins or one largest altcoin, or will they diversify further so that there are a plurality of equally popular and valuable altcoins? Is Bitcoin eventually going to be overtaken by some other altcoin like one of the ones that's been launched recently?
Also is it a good idea to even encourage interaction between bitcoins or should interaction like this be discouraged for example by using incompatible mining puzzles rather than merge mining? We can't answer these questions right now but we've talked about all of the concepts you need to understand and appreciate the importance of this question. In the next lecture we're going to wrap up this lecture series by talking about the future of Bitcoin. Is Bitcoin going to bring about a new future society where all important infrastructure is decentralized? We're going to talk about several topics including autonomous agents and smart property.