Let's start. So my name is Hasu and I'm here to talk to you about Bitcoin's long-term security model. A quick slide about me. I run the research desk for Deribit with Su Zhu and write a monthly column for CoinDesk. My main focus is on better understanding Bitcoin's proof-of-work security model, so we can have a system that is robust into the very far future, because that is what I think our ambition should be. We should strive to build a system that can last 100 years or longer. For this talk, we'll be heavily leaning on a paper I published in 2019 with James Prestwich and Brandon Curtis called "A model for Bitcoin's security and the declining block subsidy". The topic of today's talk is: is Bitcoin secure after the block subsidy ends?

We start by looking at where we are today. Bitcoin secures more than $150 billion and it has never had a dishonest majority. At this size you could argue there's a pretty large incentive to attack it and it's not exactly obscure anymore. So almost everyone in the world has heard of Bitcoin and governments know about Bitcoin and so on. So we are still not seeing any attacks and that tells me at least Bitcoin is empirically secure today. But does that mean it will be secure into the far future? In my opinion, not necessarily, because Bitcoin is secure for a specific reason or specific reasons and they are changing over time.

Before we dive in, I want to give you two definitions that will be important to remember. The block reward is Bitcoin's block subsidy, which is the coinbase reward that is paid to miners in every block, and the transaction fees set by users. The security budget, which I abbreviate with SB, is the ratio of this block reward and the network value. So network value is just a different word for market capitalization. The security budget can be expressed in a dollar value but most commonly it would be expressed as a percentage. So one could say Bitcoin's security budget is 2% of its network value.
And what that means is Bitcoin spends 2% of its network value for its security by paying it to miners. And this is Bitcoin's security budget over time. As you can see, it consists of the two parts that we discussed and the block subsidy part has been declining every four years. That's the halving. And the transaction fees have so far not replaced the block subsidy, they have not made up for that decline.

Why do we need the block reward anyway? It comes down to what we think Bitcoin's value proposition is. Bitcoin's value proposition is to create distributed consensus between untrusted computers. For example, about the state of the ledger: who owns how many Bitcoins right now. And that raises two problems, the first of which is how do we get everyone to accept the same updates in the same order? Updates are called blocks in Bitcoin. And before Bitcoin, there was really only a permissioned way for computers to come to consensus, because either the computers already trusted each other and then you could do a voting scheme, or they all had someone in common who they trust and then you can use them as a leader so they can send transactions to them. That person processes the system's transactions, updates the ledger and sends a new ledger state to everyone else. But we can already see that without trust neither of the two schemes works.

So in Bitcoin, the second option is clearly not a real option because we want to make a system that does not depend on any one trusted party. So you have to go with a sort of voting scheme, which brings us to problem number two. It is very, very hard to do voting online. Why? Because you cannot prove your personhood online. One party can take an unlimited number of identities and sway any vote in their favor. That is called a Sybil attack. Bitcoin's solution to the Sybil attack is to use proof of work.
A proof of work is a proof that someone spent money in the real world and such a proof can be appended to any message that can be sent online. So in Bitcoin, anyone can make a block and prove that it was costly to make. And that is the solution to problem number one. How do we all update at the same time? By using a so-called fork choice rule. Which means all of our computers use the exact same rule for what the next update should be when we choose from all the different updates that fly across the network. And the fork choice rule is what basically lets us distinguish between different updates and choose one that objectively looks the same to everyone. And that is, we look at the cost. We all follow the most expensive to make chain.

The consequence of this is that to undo any old blocks, one must redo all the proofs of work. Because due to the chain selection rule, if someone wanted the network to switch to their blockchain and they want to replace a block that's maybe an hour in the past, then they would have to make a chain that was more costly to make than the one we have right now. And that necessarily means replacing all the proofs that happened in between. The chain of proofs creates trust because they are expensive to redo.

However, the network incentivizes the production of these proofs with a security budget. Why? Because miners only spend as much on proofs as we pay them for. So they don't spend more than they get paid from us in the security budget. They are profit maximizing. We hope that the block reward incentivizes a majority of them to behave honestly. Miners can really do, they're not forced to mine on the tip of the chain, include transactions and so on. If they want, they can mine on any chain, including in the past, they can replace history, which would usually be called a double spend attack, or they can just stop mining any new transactions entirely and do a denial of service on Bitcoin.
And there's nothing that full nodes or just users can do to prevent this. So I mentioned full nodes here because it is a very popular idea that full nodes secure Bitcoin, quote unquote. But there are only a few rules that full nodes can enforce, and anything that is related to the time ordering of transactions, anything related to the history, is entirely in the control of the miners. And the only way that users can get miners to do what they want is to pay them for it.

So me and others have argued that Bitcoin is protected by sunk costs in hardware, right? Because miners have to own billions of dollars worth of specialized hardware and that hardware will become worthless when Bitcoin disappears. So they are long-term aligned with Bitcoin because of that investment. And Satoshi knew that a greedy attacker could overpower the network at any time. This quote is from the white paper. Satoshi said he, the greedy attacker, ought to find it more profitable to play by the rules than to deviate from them. So it is on us users to make it more profitable for miners to be honest.

Now, the last Bitcoin isn't mined until 2140. I hear that thrown around a lot, but this matters a lot sooner than you think. Yesterday Bitcoin's security budget has dropped to just below 2%. In four years it could be below 1%. And I say could be because it also depends on the transaction fees. We don't know how high transaction fees will be in the future. But if they don't increase, then we know it will be below 1%. In eight years it will be below half a percent and so on.

So how much security budget is enough? Well, it shouldn't be too low, since then miners could find it profitable to attack. But it also shouldn't be too high, since users have to pay for it in inflation and transaction fees. So there clearly is a Goldilocks zone somewhere, but we really don't know where it is. There are two primary schools of thinking about finding the zone.
The first thinks the security budget must be a certain value in relation to the network value. And the second sees it in relation to the transaction volume.

The first school, the network value school, is best understood by looking at a vault analogy. So the network value school thinks the walls of a vault should be in some proportion to what is stored inside the vault. In the case of Bitcoin, that would currently be 150 billion dollars. And proof of work has this really nice property that the dollar value of the block reward scales proportionally with the dollar value of the network, since the rewards are paid in BTC. So if we map this onto the above analogy, then if the price of Bitcoin increases, the amount that is stored in the vault increases. But the walls of the vault also increase in thickness because the walls are basically the security budget. And they all increase or decrease in lockstep if the price moves. But this property disappears as the block subsidy declines. So it eventually becomes less and less costly, because less and less as a share of Bitcoin's network value, to attack it.

This is how mostly a nation state attacker would think about attacking Bitcoin, because the state mostly cares about how much wealth is stored outside of its control, as it makes taxation a lot harder. And this will be especially true when taxation is more and more replaced with debt monetization or just straight up money printing, which seems to be the paradigm where we are going right now. And this paradigm kind of relies, at least to my knowledge, on the ability of the state to enforce some level of capital controls.

The second school assumes that the incentive for miners to attack goes up as more people receive payments in Bitcoin, because then miners have more opportunities to double spend. And this requires us to realize that an attacker is not just constrained to double spending a single party. He can double spend many parties at once.
And the more people transact, the more people he could double spend. The risk of double spending is strongly mitigated when the receiver has legal recourse and knows the identity of the sender. So it is mostly the untrusted transactions, where no other forms of recourse exist, that add to this potential honeypot. This model would mostly apply to a private attacker because the attack is much easier to execute; it could be done by reorganizing as little as one or two blocks. You really don't need a lot of hash power to do this. Plus the rewards are paid out in BTC. So you would send BTC to someone and then you would steal the BTC back.

Both models are correct as they represent the incentives of two different attacker types. It's not enough to be secure from any one of them. Bitcoin needs to be secure from both at the same time.

Now to some wargaming exercises. We will go through the various options that could play out as Bitcoin's subsidy declines. And for that we will lean on a very nice framework by Rafael Auer, which is called Bitcoin's security trilemma. The trilemma posits that as the subsidy declines, Bitcoin's properties will suffer in at least one of three areas, either liquidity, decentralization or scarcity. And this makes logical sense as Bitcoin users will at that point be spending far less on security via inflation. So they spend less and they also get less in return. So yeah, this is the trilemma and we will go through the three corners one by one.

So the first option is that, as the block subsidy declines, transaction fees have to rise to generate the same amount of security. But fees are created by congestion, not by demand for security, giving rise to a tragedy-of-the-commons situation. Because if there are fee paying transactions, for example, in the mempool, then it is much more attractive to transact. It's much more secure to transact as well at the same time.
But there's really no incentive to be the one who pays these transaction fees as long as there's no congestion. As a result, blocks, as we have talked about earlier with the block reward, will become a lot cheaper to reverse. Which means users will have to wait longer for finality and will probably be afraid to make larger transactions at all. And this significantly weakens Bitcoin's medium of exchange qualities.

The second option is that we break the tragedy of the commons, where people would really like to transact, but they don't want to be the one who pays for security for everyone else. The way you break this is by basically forcing users to pay. So if there are any economists or people interested in economics in the audience, this is the typical way that you break a tragedy of the commons: by making it excludable. So you can now exclude people who are not contributing to the pot. There are three ways to implement this. You can extend the issuance schedule. You can do demurrage or you can do coin rent. But the result is really the same in all three cases. Bitcoin's store-of-value quality is what degrades.

And finally, it could become less decentralized. Because if you look back at two slides earlier, if the settlement assurances of the blockchain weaken, then it becomes more attractive for users in comparison to use other forms of transfer. So for example, when you know you have to wait a really long time before a transaction is finalized on the blockchain, you might just transfer it via the Bitcoin bank or something like that. So more and more transfers would then happen off-chain. The second option is that mining itself institutionalizes. So something that we touched on is that we can really only incentivize miners to behave well because we don't have any recourse against them. We have to make sure they behave well by paying them for it.
But if miners had their reputation known and we were in some kind of legal relationship with them, then there would be a lot less potential for misbehavior. So mining could institutionalize. So the miners would then be legal entities that are subject to state oversight and so on. And finally, something like that could also emerge in a more free market style where a group of miners basically forms a monopoly. And when you have a monopoly in a blockchain, then you can start charging monopoly prices. That is not possible without a monopoly. And the reason for that is of course that another miner could always accept transactions that don't pay a lot of fees. But if you have most of the hash power, then you can ignore all of those blocks that include these fees and therefore you can effectively exclude free riders. But in all three scenarios, I think Bitcoin users would agree that Bitcoin's censorship-resistance qualities are significantly degraded.

Can we solve this dilemma? I think there are a few ways that shift the balance, a few options that shift the balance further in favor of the defenders. So counterattacks play a big role in that. Users can manually coordinate on what the right chain should be. So they don't have to use proof of work necessarily, right? But this is very hard and it's the reason we use proof of work in the first place. So it should be used very sparingly. It does not maybe make sense to do this when there's a one block reorg, right? But if there's a hundred block reorg, then it's worth talking about it. Bitcoin users can also change the proof of work function or abandon Bitcoin altogether, which may not sound like something that's very effective, but just the mere threat of this means that a miner who would attack Bitcoin has to be willing to lose everything. The more we talk about these off-chain mechanisms before they are needed, the easier and cheaper they will be to execute.
And now there's also a new class of counterattacks that has recently been studied by Moroz et al. And it shows that when exchanges or other large merchants are willing to strike back, then the new equilibrium becomes not to attack. I'll give you a very brief example of that because it almost happened in Bitcoin in May 2019. So a hacker stole 7000 BTC from Binance and Binance briefly considered to create or publish a series of transactions that would have paid these 7000 BTC to miners instead. But these transactions would have only worked in a chain where Binance still owns the coins. So it effectively would have been a bribe for miners to undo the hack, and then instead of the coins being sent to the hacker, they would have been sent to the miners. So you could think that Binance is really no better off from this because they still lose the 7000 BTC. But the game theory behind it says that if Binance is willing to do such a thing, then it becomes a lot less attractive to attack them in the future. And if all exchanges do this, then it just becomes a lot less attractive to attack any one of them. The only downside is that it breaks some existing business logic and infrastructure in the software. So we have a lot more to learn about these kinds of counterattacks.

So the final option that I want to talk about is increasing miner capex. Capex stands for capital expenditures, as opposed to OPEX, operating expenditures. Our paper found that security comes almost entirely from the capex part of a miner's balance sheet. The OPEX is really more a bug than a feature because, if you think about it, cheap energy is very unevenly distributed and exposes Bitcoin to geopolitical risk. For example, the incentives are aligned in such a way that almost 70% of hash power is in China, but that's not even the biggest thing. It's really that miners only put capex pretty much on their balance sheet.
If there was a class of mining algorithms that was basically more capex intensive, then miners would have to own more hardware, which means they basically have to dedicate more money to mining in advance. That is then lost if something happens to the coin. There is incidentally a new class of mining algorithms that does this, which is called optical proof of work. It uses photons instead of electrons to perform computation. As a result, it doesn't require a lot of energy. That ultimately means that miners would have more skin in the game. You have the added benefit that mining can be done from anywhere in the world.

There are some downsides as well to this particular proposal because it would sacrifice Bitcoin's pretty mature mining hardware space. It took Bitcoin a long time for the mining space to mature to the level where it is right now. We are now in a situation where the next generation of ASIC hardware is maybe 10% better, 20% better than the previous one. But it's impossible for there to be still a huge breakthrough. Whereas if we started with a green field in optics hardware, then there would be room for these huge breakthroughs and for a very dominant company to emerge. That's the sort of Bitmain 2.0 for optics.

My conclusion is that Bitcoin will almost certainly look different in 10 to 15 years than it does today. The declining block subsidy will demand trade-offs and this shouldn't really be controversial since we are currently spending billions of dollars on security. If we stop spending that, then it is on us to choose what trade-offs we want to accept for that. We should continue to explore this problem and see how we can prevent a trilemma from becoming a reality. Thank you.