4. Blockchain Basics & Consensus

published on July 13, 2020

The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for free. To make a donation or to view additional materials from hundreds of MIT courses, visit MIT OpenCourseWare at ocw.mit.edu.

GARY GENSLER: Hello, everybody. Good weekend? Everybody staying dry, I hope.

So we're going to dive back in to blockchain, money. And we didn't lose too many people when we did cryptographic hash functions and digital signatures last week. So I thank you for all being back. So what were today's study questions again?

What's the Byzantine Generals problem? Anybody want to tell me what the Byzantine Generals problem is? Ben.

AUDIENCE: So, the Byzantine General problem is this sort of general mathematical puzzle. And basically, what it is is, how do you coordinate actors when they may be an actor who's not acting in the best interests of the group– how do you sort of get a good actor on that then?

GARY GENSLER: So there– it might be how to coordinate when somebody is not acting in good faith as a malicious actor. But it also might be just somebody that doesn't get the communication. Somebody that– there's a thought, whether it's malicious or not. How we doing, Alene? Yeah.

How does proof of work and mining in Bitcoin address it? We're going to walk through this, and I'm going to give you my sense of it. But does anybody want to give a short version– prepared for a– Brodush.

AUDIENCE: So the proposed way solves it in a probabilistic way, rather than a deterministic way, using amount of CPU power to solve a problem of certain complexity to prove that one consensus has been reached by a majority of the participants.

GARY GENSLER: All right. So what Brodush said is it's probabilistic instead of deterministic. That you use CPU power to form some consensus. I think that's what you said. I'm going to walk through this in more detail. But does anybody want to give another shot at it?

AUDIENCE: I could say so when a transaction happens, it is posted. And then miners get in, and that they try to compete in solving this. And whoever gets it first, then he claims the award. I would also say it requires a lot of CPU processing power. I'm quoting the– So it needs to be powered. Big computers. So there is a question around–

GARY GENSLER: So remind me your first name?

AUDIENCE: Riham.

GARY GENSLER: Riham.

AUDIENCE: Yes.

GARY GENSLER: Riham says it's about people called miners or computers called miners, which we'll talk about today, using computer power again. But transactions were part of that as well as to how it comes together. I'm not going to torture you and ask a bunch more but, Addy?

AUDIENCE: I think one of the other important ideas is that even though solving the problem is really hard, validating that the solution is correct is easy. So what is ensured is that even though miners are thinking about the computing power to solve, it can propagate it and then validate it.

GARY GENSLER: So a key point that Addy– Addy raises is that once somebody solves the puzzle, it can be propagated across a network. And then others on the network can validate it. So what we'll talk about a little bit later is that it's a hard puzzle to solve, but an easy puzzle to verify. And this is an important asymmetry in essence, that there's a lot of resources to solve a puzzle, but once knowing the answer, there's very limited resources to verify that it's the right answer. If it was not asymmetric, it would not work as well. So it's a key part of the design of many cryptographic things, but particularly, Adam Back's sort of novelty in the 1990s of proof of work.

I don't know if that's just a relaxed bit for you, or you have your hands up, Derek.

AUDIENCE: Ah, no. That's–

GARY GENSLER: That's just a relaxed pose. I like it.

We're going to talk about other consensus protocols as well. Proof of work is not the only consensus protocol, but how to address ourselves to Byzantine fault tolerance. And then some of the economic incentives, so we'll talk about the native currency. What's the native currency of the first blockchain application?

AUDIENCE: Bitcoin.

GARY GENSLER: Bitcoin. How many of you in this room have owned a Bitcoin at some point in time? So you've all owned the native currency that helps a blockchain.

You got the opportunity to read a paper that a group of us here at MIT co-authored. I hope some of you actually were able to download it and– good. Apparently, even when you write something, it still goes behind a copyright wall. So I'm glad to know that it was actually available. And then back to the National Institute of Standards and Technology paper as well– this time the next chapters. And then a paper from about 25 years ago on the Byzantine Generals problem itself.

So what are we going to do today? We're going to go back through the design. We're going to talk about consensus through proof of work. Bitcoin mining– it's important. It's relevant. But it's kind of some fun facts about that as well. The native currency– of course, Bitcoin of the first. But there's now at least 1600 different native currencies. What does it mean to have a network? And why do networks matter particularly for blockchain? Some of the other consensus protocols, and then just wrap up.

So just going back to the review, and this is what we talked about a bit on Thursday. But I think it's relevant to just kind of bring it back. I found when I was first learning this, it's hard to keep all the moving parts. Remember, there's– that graphic, you'll see all semester. But it's all the different blocks. And it's append only. What does append only mean? Andrew. Why does that matter, this word append only that we talked about last Thursday?

AUDIENCE: Yeah. So that it's immutable. It cannot be changed.

GARY GENSLER: Right. So it's immutable. Now, of course, because cryptography maybe can be broken, but we use the word immutable that it cannot be changed, except for maybe as Alene so– I like that that's in his book. You all have to see this. This is very clever. You know, a little– how to do a flag. Maybe it's immutable except for one out of 10 to the 40th times it could be broken or something.

AUDIENCE: Can I interject and actually say that it's not that good, actually. So technically, Bitcoin and all of these permissionless cryptocurrencies, one way to attack them is to mine– to get a lot of mining power and mine. But another way to attack them is to just take control over the actual network, like the internet. So if you're an internet service provider, or if you're China, you can actually fork Bitcoin with zero mining power by just controlling the network. So there's actually an assumption behind how this thing works, which is that the network works. Because everybody sees the messages.

GARY GENSLER: I agree with you.

But there's also some assumptions– let's say that China, or any state actor, chose to fork one of these. If it's considerably less than a majority–

AUDIENCE: No. Zero mining. You can fork with zero mining. You won't get any mining charge, if you control the network.

GARY GENSLER: If you control the worldwide network, or just the network–

AUDIENCE: Not the mining network. The actual internet.

GARY GENSLER: I understand. Are you talking about the worldwide internet, or you're talking about one country's internet?

AUDIENCE: Let's say you're in China. There's 50% of Chinese miners in China. I forbid these Chinese miners to broadcast with blocks. They find a block that goes here, and they find another block that goes here, it goes here, and it goes there. The rest of the world will find the block that goes here. I have a fork. It goes here and here, and I have two forks. They don't see each other.

GARY GENSLER: So we're going to talk about forks a little later. Can we hold Alene's point until then?

AUDIENCE: Sure. Sure.

GARY GENSLER: And then I'm going to share with you what Satoshi Nakamoto wrote about this very issue back in 2010.

AUDIENCE: And he was writing back where you have mining power. He was assuming the network works. Again, just to clarify.

GARY GENSLER: Alene's raising a point as to whether somebody captures part of the internet. And if the internet itself, by capturing part of the internet, you fork the blockchain. And what I was just– said I would hold for later, but instead I'll cover now, is this question was raised in an email exchange with whomever Satoshi Nakamoto was back in around 2010. And his answer to Alene's question that I'm just helping share with you all, is that as long as that part of the internet that was walled off was less than a majority, and in fact, if it was China, because that was in the example even eight years ago, it would be considerably less than 50%, that within a reasonable amount of time, maybe it would take a few hours, but within a reasonable amount of time, one chain would be where the majority of the mining power was. And that it could take a while, but the other one would probably stop, that people would stop investing electricity and CPU time within China, because they would realize some way. Now, that was the theory at least.

AUDIENCE: And just to add onto that, something to realize is like if you– I mean, like, you said we'll go into forks. But just for people who don't know, like if you go in one fork, then anything after that you go in all forks. So like if you lose connection to the main Bitcoin network, you'll still have that, as long as you have your private keys. So if somebody in China realizes that they're on the wrong chain, it's not like you've lost your actual bitcoin.

GARY GENSLER: That's correct. They won't lose it up to, if I can use the term, prior to the fork.

AUDIENCE: Correct.

GARY GENSLER: Was a question? Brodush.

AUDIENCE: So just to add to Alene's point, essentially. So the way he said–

GARY GENSLER: Since you're in the back of the room, speak up.

AUDIENCE: Yeah. So to add to Alene's point actually. So there's an assumption, underlying assumption, for the– that the real problem in the context of blockchain is– you have the assumption that the network can actually verify that the– what is being– what the network is actually valid information. So that is kind of an underlying assumption. If the network is contaminated, then the premise on which the problem is being solved, or the protocol that is being given here as a solution to the problem, is actually not valid if the network is contaminated. So that way, it is indeed an underlying–

GARY GENSLER: So I think, because I didn't pick up every word, you're just saying that there is an underlying assumption that the network protocol, the communication protocol of the internet, is not compromised or walled off.

But also, that it's working. It creates a database. We've talked about it through hash functions and digital signatures, and then consensus. So what were the technical features? I thought about it a little bit from our last class to help just thinking through in three buckets– the cryptography and timestamping that we talked about last Thursday; what we're going to talk about today, the decentralized consensus protocols and the network, of course, and the native currency; and then lastly, transaction script that we're going to talk about this coming Thursday.

Now, it's not just three buckets because it's three lectures. But it's three buckets because they have something to do with each other. The cryptography, which is at the core of cryptocurrencies and blockchains, and is the core of a lot of things on the internet today, the consensus mechanism, and then the transaction script itself. Cryptography, as we've talked about– communications in the presence of adversaries– also, a form of ways to make commitments and secure computation. Hash functions, if you recall what we talked about. What's the key of a hash function? Here. Joaquin.

AUDIENCE: The key of hash function?

GARY GENSLER: One– the elevator pitch. You just have to make sure that your sibling knows you. What's that?

AUDIENCE: If you have two, the private and the public key.

GARY GENSLER: All right. That's a good– that's cryptography, but not a hash function.

AUDIENCE: OK.

AUDIENCE: It's a fingerprint of a fixed length of any amount of data.

GARY GENSLER: I like that.

One way data compression– a crossword puzzle. Anybody here do the New York Times crossword puzzle on a mobile app? Good. So if you do a Wednesday's New York Times crossword puzzle, does it tell you whether you're correct on Wednesday? Or does it not tell you you're correct? When does it– I don't do the New York Times crossword puzzles. But–

AUDIENCE: Erin.

GARY GENSLER: Erin.

AUDIENCE: I'm actually– I usually do ones in the past. But I think it will tell you maybe either that day or the next day, or maybe–

GARY GENSLER: Stephanie.

AUDIENCE: So it tells you as soon as you finish the puzzle whether or not you have any errors. But it won't– but you can't actually check what the errors are unless you want to invalidate your streak for that day. So basically, you get a streak every time you–

GARY GENSLER: I don't actually know if the New York Times uses hash functions. But they could. They could, because they could stick the whole entire crossword puzzle into a hash, and it's a commitment scheme. And remember, if you change even one thing in the input data, the hash will come out differently. So the New York Times could use a hash function, so that Stephanie could find out, right? Because you can only push to see if it's correct when you finish the whole. And it either tells you you have it or not, right? So I'm just– I'm bringing it to real life that a hash function– just think of the New York Times crossword puzzle. And if you don't remember, ask Stephanie. We talked about append-only logs.

And recall that in blockchain, in Bitcoin, there is a bunch of information in the head of the block. And that which is in the head of the block is put together like the New York Times crossword puzzle. And we have a chain of blocks. Most of the data, though, is stored efficiently in something called a Merkle tree. Again, it uses a whole lot of hash functions. And so it's a way to be efficient, but it's also a way to secure the data. So now, we're going to get back to your favorite thing– digital signatures. So what's a digital signature do?

AUDIENCE: You can prove that you're signing something like a transaction with your private key. And the other person on the outside could prove that you are the one that signed it with your public key.

GARY GENSLER: Perfect. So it guards against tampering and impersonation.

I didn't go through this last Thursday, but think of digital signatures two different ways– a digital signature that you use without a hash, and in Bitcoin and blockchain, often it's actually– it's combined with a hash. So as Joaquin just went through, you can have a private key that you sign something with, the sender's public key, and a signature, and exactly that. But it's also able to do it where you have a hash as well. You take all the data, all the message, and you've put it into it with a signature. And this is a little bit too complex, and it was last Thursday's lecture, but it's important to know that what blockchain is basically doing, most blockchains do, is they take a lot of information, a transaction for instance, hash that information. And why do we hash it again? Kelly?

AUDIENCE: To protect it from other users of the network, sort of like we talked about Alice and Bob, and how one has to be aware of each other's key, and then back verify the incoming message.

GARY GENSLER: Right. And it also compresses some of the data. But it's a commitment scheme. It's like this is it. This is actually the New York Times crossword puzzle that answers all the questions. So usually it first hashes it, meaning it's a commitment. And then put a digital signature on it. And there was one last thing we talked about last week. What are Bitcoin addresses?

Isabella, can you tell me what a Bitcoin address is?

AUDIENCE: Umm. Is that what– like, I guess tells you where the Bitcoin's being sent.

GARY GENSLER: So it tells you where Bitcoin is being sent. Ben, you want to help out a little?

AUDIENCE: So it's the public hash, public key? Public hash of the–

GARY GENSLER: It's close. So it's basically that– between Isabelle and Ben, you've got it. It's basically how any of the native currency– Bitcoin– can be identified. But it is a public key with a couple extra hashes, and a little bit other fancy footwork to make it compressed and smaller. But it is literally what you can send Bitcoins to. So it's determined by the public key, but it's not identical to.

And I found a fancy little chart to define it. A private key leads to a public key through some form. And in Bitcoin, it's called elliptic curve multiplication. But there are other forms of public and private keys. The public key, then it gets hashed. And then it goes through a code that makes it shorter, which is the Bitcoin address. Part of the reason it was hashed, and part of the reason it goes through that extra code, is to make it even more secure. It's not the only reason. It also compresses it a bit more. But those of you who have ever owned Bitcoin, you have a wallet. And the wallet keeps those Bitcoin addresses.

All right. So now let's talk about decentralized networks, the topic of today. Any questions about the review for last Thursday? I know it was quick. Alon?

AUDIENCE: I have a question about the double hash part. Does that mean that it's now less feasible to be, like, less immutable? Because if you take a 24-digit hash, and you contract it to a 4-digit hash, there's fewer options.

GARY GENSLER: I think that you're– the question is, is if the output of a hash function is shorter, is it possibly more breakable? I think mathematically, that might be correct. However, this actually goes through two hashes– one, which is this mechanism called SHA-256. And the other one, I'm going to mispronounce, but down to 160. So I think because it's going through two different hashes, the answer is it's even harder to break both. Does that–

AUDIENCE: That makes sense.

GARY GENSLER: Any other questions about the review? No.

Please. Derek.

AUDIENCE: So you said hashing the public key makes it more secure. I'm just wondering, because the public key is for the public. So what is the– where does the added security come from?

GARY GENSLER: So the only thing that you're actually showing is a Bitcoin address. Until later– and we'll talk a lot about this on Thursday– when you actually do a transaction, you have to then disclose your public key. So initially, the storage is around Bitcoin addresses. And some will advise– and it's why many wallets do this– that you should never use the same public key twice. Though, numerous people do in blockchains. But to be most secure, you would constantly be creating new public key/private key pairs. And once you've used it, move on and get a new set of keys. Got it?

AUDIENCE: Yeah.

GARY GENSLER: So distributed networks– we talked about Byzantine Generals problem. So I found some Byzantine generals.

They want to all attack that castle. Or what if only three of them do, and two of them say retreat? That's the visual. That's the problem. The only way to win in this mathematical game theory, a paper that was written some 25 years ago, is if they all said attack, or all said retreat. But the same thing sort of came to computers. And the core thing about a permissionless system is there is no central authority. And if there's no central authority, how does a distributed network, like the distributed set of generals, come to some agreement? Do we attack? Do we retreat? Well, it's based on a consensus protocol and a native currency. That's the key innovation of Satoshi Nakamoto, is to pull it all together.

But it was built on the backs of other people. Adam Back, in 1997, he proposed a way to address email spam and other types of computer problems called denial of service attacks. Now, it ultimately wasn't used. I mean, he proposed it. It was used for a short while, and then it wasn't subsequently used. But it's important to understand that the proof of work in the middle of Bitcoin was created 11 or 12 years before the Bitcoin paper. And the key was basically require a bunch of computational work using hash functions. And so the email, or the header of the email– this is Adam Back's, not Bitcoin. But the email, or the header of the email, went into the hash function, creates a hash. But the difficulty of finding whether it's confirmed was, was it in a certain range of hashes? And he did that by the quote, "leading zeros". Does anybody want to guess why he did it this way?

Or Alene's just going to tell us probably and not guess, but– who hasn't spoken yet? Emily, you want to try it out?

AUDIENCE: I'm not totally sure.

GARY GENSLER: Daniel?

AUDIENCE: I mean, I guess just, like, preserve some privacy around the emails?

GARY GENSLER: Well, so it definitely preserved privacy. But he was trying to put some computational work. Every email that would be sent would take one to two or three seconds of computational work. That was in his original paper. It would take a few seconds.

AUDIENCE: The fact that we– earlier we were talking about the fact that we need a way in which we have to make the puzzles difficult to solve, but easy to validate. This is exactly how the whole thing is accomplished, by setting the hash into a fixed characteristic, like leading– a number of leading zeros, what you get is to modify a small piece of the whole information, and try and try until you get that specific hash. And that makes it really computational intensive, but validating is just running one hashing function. So–

GARY GENSLER: Do you have a–

AUDIENCE: I mean, it comes back to what we talked about last time with the nonces. You need to try out a bunch of different random numbers in order to get the right number of leading zeros. And it could be– I don't know. I think it could be like leading anything. But he chose zero because it's nice. But you need to try to get the numbers in order to get the right number.

GARY GENSLER: And in the email circumstance, his thought was it will take two or three seconds for anyone sending an email to do this proof of work. But it will take a nanosecond or less to confirm it. But if you were sending spam, and you had a computer to send millions of spam times two or three seconds apiece, that would be too much for the spammer. That was it. So any one person– any person sending one email, it won't be too bad. Anyone sending millions of emails, it would be lousy. And so that's why this concept was in the midst of emails. And it could be efficiently proved. So back to blockchain, the innovation was basically, how do we do this with a chain? How do we do this with a chain set of works?

And remember, Stuart Haber, that whole thing about the blockchain and what's in the New York Times was that chain of information. But here, why don't we do a proof of work between the chain? And I found a little graphic. But the SHA-256, that's the formula which is used to hash the header– the previous hash, the transaction hash, a time stamp, and a nonce. Can you find a hash that has a certain number of leading zeros? This was the key innovation. In a sense, or maybe Satoshi Nakamoto was just taking Adam Back's email proof of work.

Remember the reading for last week of blocks? This is colored green because each of them have hashes that in this case have leading, if I'm right– is this leading four zeros? Leading four zeros. What if we change one thing? What's going to happen? Is it Alfa?

AUDIENCE: Yeah.

GARY GENSLER: What happens if we change one thing?

AUDIENCE: The hash should change completely.

GARY GENSLER: The hash will change completely. So what happened? What did we change? Here, I'll go back and forth.

AUDIENCE: You changed the color.

GARY GENSLER: What's that? Zan?

AUDIENCE: You changed the coinbase transaction, so that $100, I guess in this example, went to you instead of–

GARY GENSLER: Well, why shouldn't I be able to get $100 for free?

AUDIENCE: Well, in this example, I guess the coinbase is for the miner, right? So there's one transaction dedicated for whoever validates the block, gets, right now, 12 and 1/2 Bitcoin. And so you add that in addition to all the other transactions that you're validating. But in this case, you're not actually this miner. So you shouldn't be getting that much.

GARY GENSLER: So the little 18-minute video that was assigned for last Thursday, I just went in, and I was trying to– I was trying to get– I was trying to get the money for me. And it invalidated the rest of the chain. And that's really– that's the sort of innovation or genius is, is if you try to go into a former block, whether it's the last block or a block 100,000 blocks away, and change one little whisker of information, or one letter on that crossword puzzle, it's going to change the entire blockchain. And I bring it back to the crossword puzzles, or a whisker on a cat. It's just any little bit of information. So an innovation about hash functions became, and an innovation about timestamp blocks, all of a sudden came together with this proof of work innovation. So now to the chains themselves.

The consensus of blockchains– and many people would say that, in fact, the reality of blockchains is only the longest chain is the one that other miners, other people, will build upon. As I understand, though, it's not written into the base computational code. It's really just a consensus that comes about. This is an example– the purple block and the black blocks. The purple blocks are kind of stale blocks. They were mined. They were computationally solved a proof of work. But nobody mined on top of them. And if somebody doesn't mine on top of them, then eventually they're ignored. Some people call them orphan blocks. But I'll call them stale blocks, because they were actually created. But the information that's in them is kind of worthless. It's not needed. In the actual Bitcoin technology, this happens from time to time. But it hasn't happened in over a year. The technology, it's– and you can look on various websites to find this out. Probably at the maximum, the longest stale chain goes out to two or three blocks. But it's very, very rare.

So back to Alene's question of what if China carved off and had the presumption– it may not work– but the presumption is, let's say, China is the purple blocks. Because China's walled off its entire network. The presumption is there'll be some communication outside of the network. It might be on television. It might be by courier, that the Chinese miners would know that they're not in the majority, and they would stop expending electricity to even mine in that circumstance. Because whether it's a few hours or a few weeks or a few months, they know that their expenditures would be worthless. Tom.

AUDIENCE: In these stale blocks, these forked blocks, are the miners receiving Bitcoins?

GARY GENSLER: So in the purple blocks, there will be, if I can go back to this, there will be a coinbase transaction. But it will be worthless. Because it's a coinbase transaction in a block that's not on the main block. And it won't be usable later. But in Bitcoin itself, there's software that says you cannot use a coinbase output for 100 blocks. It's written right into the base code. And it has been since the beginning.

AUDIENCE: So can you not verify though that– so in the situation where network is walled off. People start mining on top of this segmented block. Would they not realize that their Bitcoins are invalid for 100 blocks, save for some external knowledge?

GARY GENSLER: Yes. Let me just go back to the– sorry– the chain. You're saying if– Tom's question is, is what if the purple side chain goes on for 100 blocks. What happens? And in fact, we have circumstances of that. Bitcoin has split between Bitcoin and Bitcoin Cash. It was called a hard fork last year. And for a moment, let's call the purple chain Bitcoin Cash. It's not only gone on for 100 blocks, it's now gone on for tens of thousands of blocks. It is now its own native currency. Within that community that purple blockchain is so long now, that people have found value in that. And it is its own native currency. And the reason I share that is to Tom's question of, well, what if China was walled off so long, it's plausible– unlikely, but plausible– that there would become some value and call it the Bitcoin China blockchain versus the Bitcoin global blockchain. It would be– what is money, but a social consensus?

AUDIENCE: How does this society work?

I mean, is it based on supply and demand, the amount of forks out there? And then the other question that I have. Who decides it? So if it's supply and demand, is it community? And what is the form of reward?

GARY GENSLER: The question is, is the reward– I'm going to hold a part of it for a little bit when we talk about native currency. But the reward is, in nearly every blockchain is a new native currency of that blockchain. Bitcoin for Bitcoin. ETH, or E-T-H, for the Ethereum. XRP. For each blockchain there's a native currency.

Who– the second question was, who decides it? It's generally, but not always, hard programmed into the first release of that blockchain.

AUDIENCE: Yeah. So back to the question on Bitcoin and Bitcoin Cash. If the Bitcoin Cash is the purple line that we see on the chart here, does that mean– because it's shorter, compared to the block– Bitcoin chain. Does that mean that under the assumption of the majority consensus, the value of which is essentially zero?

GARY GENSLER: So the question is is if it's shorter, does it–

AUDIENCE: So there's no validity in that chain. And therefore, the value becomes zero.

GARY GENSLER: So there's two– using this chart just as an example. There's two ways– there was– the main point of this chart was to say that the black chain, as represented in black, is the main chain. And that is where the social consensus will stay. That's where the consensus is. And generally speaking, the stale blocks don't mean anything, and the stale blocks go away. Occasionally, there is something called a hard fork, where the social consensus continues to maintain. And I was using this chart as a rough answer to Tom's earlier question about Bitcoin Cash. And if the purple chain kept going for thousands of blocks, and there was a social consensus to keep both chains going, you'd start to see separate currencies, as you've seen with Bitcoin Cash. Does that help? So I was using a graphic to answer a separate question. I'm going to take two more questions, and then go to native currencies. I haven't heard from Daniel yet.

AUDIENCE: So my question is similar to the mining. So if your transaction is on one of the blocks, does that transaction become void, so to speak?

GARY GENSLER: It's not so much void. It's just– it's meaningless. It's– yes, in a sense, effectively, it's void.

AUDIENCE: So I guess would somebody– if you initiated that transaction, would you be aware of that and reinitiate it?

GARY GENSLER: Very good question. The transactions will still be in what's called the memory pool of anybody who's mining on the main chain. So transactions– which we'll talk a lot about on Thursday, this coming lecture– go in through the network. They're propagated through the network to the entire node network. In Bitcoin, there's about 10,000 nodes. And they will receive those coins and those proposed transactions. So anything on the purple chain will still be in the other chain's memory pool. One more, and then I'm going to–

AUDIENCE: In the case of the hash–

GARY GENSLER: Your first name is?

AUDIENCE: Iash.

GARY GENSLER: Iash.

AUDIENCE: In the case of the hard fork, so between Bitcoin and Bitcoin Cash, what are the differences? And what about the differences in value between those two?

GARY GENSLER: That's a much longer question. The question is, is what are the differences of value between Bitcoin and Bitcoin Cash? And though, I think Bitcoin is trading around $6,300, and Bitcoin Cash is–

AUDIENCE: It's about $435.

GARY GENSLER: –$435. Thank you, Zan. That gives you the monetary difference of about 15 to 1. But it would take more conversations about why that happened and background and so forth. So let me talk about the difficulty factor.

So proof of work, at least in Bitcoin's case, has a difficulty factor with regard to these leading zeros in the hash. And Satoshi Nakamoto said, let's change that every 10 minutes. Let's ensure that every block comes on average every 10 minutes. And to do that, define how many leading zeros there needs to be. And it adjusts about every two weeks. Every blockchain can be different. It doesn't have to adjust every two weeks. This is just what Bitcoin did. This is what Nakamoto did to maintain an average of 10 minutes. So what has happened? Currently it takes 18 leading zeros. And because this is in a 60– it's in a hexadecimal character system. Every decimal is– what's that?

AUDIENCE: Four bits. So it's 64 leading zeros in bits, and 18 in hexadecimal. Is it?

GARY GENSLER: So it's 2 to the 64th.

AUDIENCE: But the probability of finding a block is 1 over 2 to the minuses.

GARY GENSLER: So what Alene just said was that it's a very small chance of finding a block, because this is the equivalent of 18 leading zeros– so that's more than 64. It's 18 times 4.

AUDIENCE: Oh. Yeah. I know. I'm sorry. I can't do arithmetic.

GARY GENSLER: Yeah. PhD in computer science, but can't do arithmetic. So this is the most recent block I grabbed off the blockchain this morning. And it has 18 leading zeros, and then all those other digits. That's block number 541,974. 18 leading zeros. The genesis block, the very first block in January of 2009, had 10 leading zeros. But the requirement that Satoshi Nakamoto actually put into the computer code was you only needed eight leading zeros. So the probabilities have gone way up. So let me take it off of fancy numbers like that, and just say this is the actual Bitcoin mining difficulties on a logarithmic scale. Because if it weren't logarithmic, you couldn't really read it. The difficulty was set at one. This is all scaled to how difficult was it for the first year and a half of mining in 2009 and early 2010, one. And now, it is at one trillion. It's actually more than one trillion because it's logarithmic. It's at about seven trillion. It is currently seven trillion times harder to find the answer to the puzzle than it was in 2009. And that's because there's a lot of computers trying to hash all of this stuff.

AUDIENCE: So is that where the–

GARY GENSLER: Kelly.

AUDIENCE: –the collectors in the pools of mining nodes work to be able to achieve this at a more efficient rate?

GARY GENSLER: Correct. Correct. And the hash rate is now somewhere around 50– it's not terahashes. I'm trying to remember what the– what's that?

AUDIENCE: Hexahash.

GARY GENSLER: 50 hexahash per second, which is like 1,000 trillion hashes. Because a terahash is a trillion hashes.

Zan.

AUDIENCE: I think it's worth noting, though, it didn't scale linearly as, like, number of computers got on the network. It's also the hardware has gotten incredibly more sophisticated. So it's not that you can just assume there's 15 trillion number of people that are mining Bitcoin. It's just the same people that are doing it better.

GARY GENSLER: I can't ask for a better setup than that. Bitcoin mining evolution– did you see my slides?

AUDIENCE: I just read your mind.

GARY GENSLER: So what what's the evolution? So it started with central processing units. And CPUs– and I'm not sure my numbers are accurate, because I might be using CPU power today, and not CPU power in 2009. Apologies for those who know CPU power better than mine. You could do about 2 to 20 million hashes a second on a CPU properly geared, apparently. They didn't last that long. By 2010, some folks figured out there was something faster, and it was called a graphics processing unit. We all use GPUs all day long, because that's what gives us all our quick graphics if you live stream something on your laptop. And graphics processing units, somebody figured out you can use that, and you could hash faster. And then all of a sudden, hobbyists started to wire the GPUs together. And they could figure out a way to get between 20 million hashes to 300 million hashes a second. I'm told that even today you could maybe get up closer to a thousand million hashes a second, or a billion hashes a second, if you did a GPU rig. But that's yesteryear on Bitcoin.

Now there's something called an application-specific integrated circuit, an ASIC. Just think about a circuit that the only thing the circuit does is create hashes. In fact, the circuit is wired– I use the word wired, because I'm old enough to remember wires. But it's– the circuit board is manufactured in a way that all it does is the SHA-256 hash function to Bitcoin mine. And the first ASICs, which are dedicated circuit boards to do this mining, came out in 2013. And even since then, they have moved up the scale. The most expensive that sells for about $3,000 or $4,000 in ASIC could do 16 terahashes per second, or at least that's what it's rated for if you go on Amazon and try to buy it. And you could do that. But you'd be competing with something that looks like this. A modern map mining factory for Bitcoin has thousands of ASICs. They have water cooling systems to keep it cooled down. And they're probably buying their electricity for less than 3 kilowatts, $0.03 per kilowatt. And they might even be paying off the local government officials, and not even paying the electricity company, and just bribing to get their electricity. Emily.

AUDIENCE: This might be a dumb question, but is there an economic opportunity cost of using all this processing power just for mining Bitcoin? Like, is there a more efficient allocation of that processing capability in terms of like more– for a more stable economic usage?

GARY GENSLER: There are certainly trade-offs here. And the aggregate electricity for all of Bitcoin mining, now that it's seven trillion times harder than it was in 2009, has been compared to the electricity use of countries like Ireland, on the way to the electricity use of countries like Denmark, I think. It's somewhere between Ireland and Denmark. See ya, Larry.

Alon.

AUDIENCE: Well, add to that the cost is– let's assume it's in dollars or whatever currency, and the reward is in Bitcoin, the volatility of Bitcoin makes it hard to answer that question. Because you don't know if there's an economic value for you, because you don't know what will happen to Bitcoin.

GARY GENSLER: So I said in our first class, I'm neither a blockchain maximalist or a blockchain minimalist. And you all will have a chance through this course to form your own views. But one of the debates is, all right, Emily's. Is this a good use of economic– a good use of resources? But I would note that all strong currencies, strong monies, for centuries have had something to limit the supply. And so now we're doing it electronically and through this mining. That doesn't mean it's the best use. I'm just saying it's another way. Extracting gold out of the ground is very hard. And in the 19th century, to have big vault doors and security guards with rifles was a way to insure it. And one could even say that having central banks takes cost. So I think of it as a trade-off of how you ensure a currency as a harder currency to create. But it doesn't mean that proof of work is the best way, which is, of course, then, the setup to the question of, are there other ways to do consensus? So one other thing is all of this hashing, how is it distributed? And this, I pulled off the internet this morning.

You can see these statistics every day. Proof of work and mining has formed mining pools. And these mining pools come together for simple economic reason that it's so unlikely to solve the riddle, solve the puzzle of mining, that if you can only solve it once a year, or maybe even once every 10 years, you weren't going to invest in mining. So mining pools started around 2010 to smooth out the revenue. So if Amanda doesn't want to get it once every 10 years, she might say, well, why doesn't all the 80 people in this room– you might, Amanda, I don't know– say, why don't we all form a pool, and we'll all going to use our laptops. And now this is still 2009 or 2010, when you could mine Bitcoin on your laptop. But we could say, why don't we all do that together? And then all of us could say, well, Amanda, that's a bright idea, but could you create the Merkle root for us? Could you do some other things so that our computer doesn't have to do all that other fancy stuff? So then Amanda might say, well, I want to charge all of you a little bit. How about if I charge you 1% of the take? And Amanda would call herself a mining pool operator. That's what's happened, is basically the economics of mining have clumped around mining pool operators. And the standard fees range from 1% to 3%. That the mining pool operator provides a number of services to the miners themselves, and those services are compensated, as I say, somewhere between 1% and 3% of the returns. But mostly, it smooths out the economics for all the miners. It does some other things as well, but that's the primary.

AUDIENCE: So I also had one question. You laid out the difficulty, as mining has become increasing difficult. And the cost of the electricity– the break even point has actually become lower and lower in terms of the electricity cost. So with that in mind, over the next couple of years, if that's the case, people will start to lose incentive in keep doing the mining. And once that happens– once that happens,

GARY GENSLER: Well, it could go either way. As we said– just Bitcoin, this is– Bitcoin adjusts the difficulty of mining every two weeks. So if there's fewer people mining, the difficulty will go down. And if you remember, I said you had to have 18 leading zeros. It might go back to 17 leading zeros or 16 leading zeros. And every two weeks, it adjusts based upon the prior 2016 blocks. Did it average 10 minutes? If it averaged, for instance, 14 minutes, then it will lower the difficulty. If it averages six minutes, it will increase the difficulty. Kelly.

AUDIENCE: So is this where the proof of stake comes in? Does BTC always get their 19% because they have the largest stake in the system?

GARY GENSLER: So Kelly is asking whether this is where proof of stake comes in. What is proof of stake? Anybody who read the Coindesk article? See, you when you hide your first name, I can just call you US Air Force. It's true. Bo's name card says US Air Force.

AUDIENCE: That's true. So proof of stake is the coins– all the coins are already dispersed onto the network, and the verification allocation is allocated based on–

GARY GENSLER: So proof of stake is an alternative consensus mechanism. And Bo described it well. But Kelly, it's not related to this chart here. This is all proof of work. BTC has 19% of the hash rate. That means that they literally have about– if the total hash power on Bitcoin is 60 hexa– do I have the word–

AUDIENCE: It starts with an e-x– exa.

GARY GENSLER: Exahash– then 19% of that, or about 12.

AUDIENCE: That's what they're attempting to do. That's not the stake that they already have.

GARY GENSLER: Correct. Most Bitcoin miners sell their coins. So the coins that are created– the coins that are created each year are sold into the broad community. Very few miners hold onto their coins for great lengths of time. I mean, they might for days. That might for– they might keep some for all sorts of reasons. And as I truly believe, but can't factually prove, a number of the biggest mining pools or miners are in places where they're doing illicit activity. They're getting their electricity for less than what it's really costing on the grid by bad actors. But nonetheless, they have a choice whether to sell their coins or keep their coins. Got a question over here, and then I want to keep going.

AUDIENCE: If the mining industry is like so formalized, like you've so many pools, what prevents all the pools from coming together and saying that, let's just solve lesser puzzles so that the value becomes lower, and then the charge is much lower for each and every one?

GARY GENSLER: So the question is, is what happens if the mining pools collude and come together, either, as says, to, let's say, well, why should we have so much mining capacity? Let's, as a cartel– like OPEC, the oil cartel– say we should constrain supply and so forth. I think what constrains that is it's an open system. But it's possible. It's plausible. I think the bigger question, and there's been numerous academic papers around this, is what happens if the mining pools come together and try to do what's called a 51% attack, and try to take over the blockchain? And that's a more interesting challenge. And we'll talk about that throughout the semester. It hasn't happened as of yet.

Let me talk about the native currencies. Native currency helps do all this. What Nakamoto said, is it was an incentive system.

There was an incentive system, but it was also a peer-to-peer way to create a new money. And embedded in most blockchains, not 100% of them, there is something, I put quotes around it, monetary policy, in essence, that limits the supply of the currency. Not every blockchain has this, but the vast majority do. And when we start talking about initial coin offerings, you'll find some that don't. But Bitcoin limits it. And I'm just going to say what it is. It's created in a coinbase transaction in each block. It was initially 50 Bitcoins per block. But now, because it's halved every 210,000 blocks, it's just 12 and one half Bitcoins. That's the number of Bitcoins you earn each time if you mine a block that's approximately $75,000 US dollars in value today, give or take, or $80,000, roughly, to mine a block. The inflation rate for Bitcoin right now is 4.1%. So think– for any of you that have taken monetary policy courses or financial courses that talk about the Federal Reserve, Bitcoin is growing about 4% a year right now. But it halves every 210,000 blocks. So the inflation rate will go down to 2%, and then later to about 1%, and later about a half a percent. And it caps around the year 2040. So whether Satoshi was one person or a team of people, back in 2008 they put in place a monetary policy that is hard-coded into the computer base code, and is supposedly going to be there forever to cap Bitcoin at 21 million Bitcoin.

I'm going to throw up Ether just because it's an alternative. Currently, that mines three ETH per block. And the inflation rate's about 7 and 1/2%. It's a different stage of development, different inflation rate. But there has been a proposal recently to literally– it was a proposal by the programmers, we should really lower the inflation rate. And if it's accepted, it will be adopted in November. The fees in Ethereum are largely paid in something called Gas. Gas is just a small unit of Ethereum. What's the small unit of Bitcoin?

AUDIENCE: Satoshi.

GARY GENSLER: Satoshi. So Gas and Satoshi are very similar. Brodush.

AUDIENCE: I think the limit of 21 million has switched to 2140, not 2040.

GARY GENSLER: It's not 2040?

AUDIENCE: It's 2140.

GARY GENSLER: Yes. Wait. You think it's 2140?

AUDIENCE:

GARY GENSLER: What's that?

AUDIENCE: I also

GARY GENSLER: All right. So I typed poorly. Aviva, did you have a question? No. Alene.

AUDIENCE: So this is– Bitcoin is a deflationary currency?

AUDIENCE: Yes.

GARY GENSLER: Well, Alene says is Bitcoin a deflationary currency, depending upon your use of that word. But others have written that Bitcoin is a deflationary currency because it's not growing. If the economy is growing at x percent, and x percent is bigger than how Bitcoin is growing, that would sort of define it as deflationary. I would just note that those who are fond– and there's a lot of academic literature. And this goes back decades, if not centuries. For hard currencies, where monetary policy is absolutely formula-driven, whether it's the Taylor rule or other rules– rule-based monetary policy would have a fondness for what you could maybe put in computer code. Those who think that humans should be involved, and many people think there is a need for some human involvement, would say this is too hard-coded, and you'd want something where you can modify it and change it. And that would be dangerous in times of war, in times of stress, in times of economic peril. Or like the 2008 crisis, that this would make a crisis worse. And so the academic literature and the real life reality of the last couple of hundred years of hard currencies, hard monetary policies versus human involvement and some judgment, is kind of an interesting debate that goes right in the middle of all of this.

AUDIENCE: question. Would you consider this as being currency? Or is it an asset– it's a class of asset that has some aspect of a currency.

GARY GENSLER: So the question is, is this is a real currency, or is it just an asset that has aspects of a currency? Ben, what do you think?

AUDIENCE: So there were three roles of– well, three ways that you could define a currency. It was the unit of account, stored value, and medium of exchange. So I guess this has all of those attributes. So you could call it a currency.

GARY GENSLER: You're saying if it has all of those.

AUDIENCE: It does have those attributes.

GARY GENSLER: Oh, it does. All right. So Ben thinks yes. How many people are with Ben as of September 18, 2018, not 2118? So Isabella's there. Zan, Joaquin? How many people– Tom. How many people think not? I don't– I think that you all get to decide yourself. Mark Carney, who's the governor of the Bank of England, gave a speech earlier in the year, which is assigned in a later class. And he says, I don't think we should call them cryptocurrencies. They should be called cryptoassets. They're not yet evidencing all three of these. So that's Mark Carney, who I have great respect for. But there are others that say, no, it's evidencing enough. I would say this, though. It's plausible that they will– and this– if you take nothing else from the class, it's plausible in my view that they could provide. You could have digital currency that does not have a central authority. I mean, I think that innovation is there. Whether you call it a cryptocurrency or cryptoasset at this point in time, I leave to all of you. There won't be a right answer to that on any paper you submit. You can use whichever term you think fits your thinking.

I want to talk about the network. We only have 10 minutes.

But the network is important. And a lot of times when you talk about Bitcoin and blockchain, folks aren't going to talk about it. But I want to quickly hit eight or nine players on the network. There are full nodes. A full node is a group– is a computer, I should say– that stores the full blockchain, and is able to validate all transactions. It doesn't have to. It's a volunteer thing. But it can validate all transactions.

A pruning node– you're not going to read a lot about it, but I just have it. It prunes transactions once they've validated, and they have a certain age. They're saying, all of those early transactions, we're not going to focus. There's been probably six times the number of transactions that have happened compared to the actual extant transactions right now. So all the transactions that have ever happened, five, six of them have already been used. They're not around anymore. Why do we have to lug it around in our data set? So you could have a pruning node.

Lightweight nodes, which if any of you have a Bitcoin wallet or any other wallet, you probably have a lightweight– some form of lightweight node, or what's called an SPV node. It stores just those blockchain headers, rather than all this detail underneath– a lot less storage. But a lightweight node has to rely on the full nodes for verification, because the lightweight node's not going to be doing that on its own.

Miners– we talked about miners. I want to just mention, miners don't have to be full nodes. Amanda, you're running this mining operation for the whole class. And we're paying you 1% to 3%. But you're Sloan, right? You're probably charging at the high end, right? So do you think that Amanda, as a mining pool operator's, operating a full node? Tom?

AUDIENCE: Yes.

GARY GENSLER: You're saying it tentatively. But Tom, you're paying Amanda 2% of your fees. Don't you want to make sure she's validating everything?

AUDIENCE: Just lost a whole percent.

GARY GENSLER: What's that?

AUDIENCE: She thinks 3%.

GARY GENSLER: Oh. She thinks 3%.

AUDIENCE: Yes.

GARY GENSLER: But any of you who are just miners, remember Amanda's our pool operator. Anybody who's– Andrew, do you think you need a full node if Amanda–

AUDIENCE: No.

GARY GENSLER: No. So a lot of miners are not operating full nodes. They've got all those racks of ASICs. They're running all their electricity, and they're paying Amanda to check on it. Don't let them down. Alene?

AUDIENCE: I think this is a terrible thing. Because in principle, we have 20, 30 mining pools, which means you have 20, 30 computers which validates the newly proposed block. And the thing that everybody wants to believe is that these systems are decentralized, and you have thousands of contributors.

GARY GENSLER: So I might start calling you Nouriel Roubini, but I won't. But Nouriel Roubini, who's an economist– he's sometimes called Dr. Doom. And he likes that phrase, because he caused downturns in the markets. There's a later reading, and I might have even done a video of– Roubini has this view, that it's not decentralized, and mining pools are an Achilles heel of the system. But the full nodes, the 10,000 nodes, actually still do validation. And there's an interesting social construct where there's a lot of nodes doing, in essence, noncompensated work validating transactions beyond Amanda. And any miner– Andrew could validate if he wants to. So there's a lot of free riding that goes along, and the economics of free riding.

And then there's wallets, which probably 30 or 40 of you have on your computer somewhere. They store and view and send all the transactions. But importantly, also create the key pairs. So a lot to cover.

There's one that's not a node itself at all. It's called the mempool, or the memory pool. And we're going to talk about this more on Thursday. But the memory pool stores all the unconfirmed, but yet, already validated. So they've been validated by somebody. A transaction goes out into the network. A full node validates it, and it's put in a memory pool. And Amanda grabs the memory pool, and sends it out to everybody in this class in a block. And then we mine it.

We're not going to chat much about these right now. But we talked about– there was a Coindesk article. How many of you actually skimmed it, looked at it? Did it mean anything to you, or just meant that there's some alternative? What's that, Prya?

AUDIENCE: Just that there's some alternative.

GARY GENSLER: There's some alternative. That's what it meant to me the first time I looked into this about six months ago. But I want to just mention what the alternatives come down to. They generally randomize or delegate the selection. So rather than saying any one of 10,000 nodes can prove that this works, they use various mathematical means– randomized or delegated. And sometimes they do a little bit of delegation and randomization to pick who's going to validate the next block. It all comes down to who is picking the next block. Is it by Adam Back's sort of, as Satoshi Nakamoto put out there, we'll call it Nakamoto consensus, proof of work? And you'll have a paper for Thursday that talks about Nakamoto Consensus, the Clark paper. But– or is there some other randomized, delegated way to do it? In some of them, they have a second check. If there's a delegated person to validate something, they put a second check in there that there's another group that officiates and says whether it's correct.

And so there's proof of stake, which is based on the stake you have in the underlying currency. There's proof of activity, which is kind of a hybrid of proof of work and proof of stake. Proof of burn– are you willing to give up coins? Proof of capacity– do you have storage capacity? And you might have a tiered system. The major permissionless blockchains all use proof of work. And the reason is nobody's really solved– all of these other alternatives, no one's really solved for a couple of problems in them. But they usually find a way to be more efficient through delegation and randomization, and might have a backup set of checks on it. DASH and NEO will say that they use proof of stake. But they're actually kind of using some form of masternodes or set up professional nodes. But DASH and NEO are kind of, I think, the 13th and 15th largest market value cryptos, which means everything else kind of– And Ripple doesn't– Ripple's really almost like a permission system rather than permissionless. I mean, they would say they're permissionless. But it's a confirmed set of nodes in the node system.

So that's it for today. We're going to do transactions on Thursday. I moved that study question. And then I'm going to ask you to read through the Clark paper, which is really the academic pedigree. Where is this built on? What's the background? But I think it's a good way to bring it all together. And remember on Thursday, you all come in to answer this question– your own view as to who Satoshi Nakamoto is. There is no right answer. But if MIT's Blockchain and Money class can answer that, I'm sure that we'll get a write-up somewhere about it.
