In October 2008, Satoshi Nakamoto published a paper that shook the online world. The paper proposed an alternative to the trust-based torrent system. The terms trust-based and online don’t seem to go together, and for a good reason: the torrent system had one major flaw. Torrent systems allowed anyone to share files in a decentralized network, trusting that users would download the files and share them with the network (“seed” the files) so other could download them, too. But users didn’t do this. Seeding took up space on their computers, and there was no economic incentive to do it.
The Satoshi paper offered a working cryptoeconomic model for bitcoin currency, which ran on blockchain technology. Blockchains are not regulated by a third party, but they are kept trustworthy, ironically, by mutual distrust and economic incentives. With bitcoin, users now had an economic incentive to follow the rules, allowing the technology to function despite (and because of) mutual distrust. This technology is possible because of cryptoeconomics.
What is cryptoeconomics? “Cryptoeconomics is the study of economic interaction in adversarial environments,” writes Nick Tomaino. “In decentralized P2P [peer-to-peer] systems that do not give control to any third party, one must assume that there will be bad actors looking to disrupt the system. Cryptoeconomic approaches combine cryptography and economics to create robust decentralized P2P networks that thrive over time despite adversaries attempting to disrupt the network.”
The word cryptoeconomics combines the words cryptography and economics, and each part plays a crucial, balancing role. Tomaino writes, “The cryptography underlying these systems is what makes the P2P communication within the networks secure and the economics is what incentivizes all actors to contribute to the network so that it thrives over time.”
Bitcoin and Cryptoeconomics
How does bitcoin run on cryptoeconomics? Here are the five basic principles:
Bitcoin uses blockchain technology. Each block holds information about the previous block, forming a connected chain.
Each block includes transactions, which may change the block’s state. For example, when a bitcoin transaction occurs, the block will change to show how many bitcoins the participants have after the transaction.
New blocks may be added, but existing blocks can’t be changed.
Invalid transactions should not be allowed.
Anyone can access blockchains to check transactions.
This is what a blockchain looks like:
Cryptoeconomics only works because of the security cryptography provides. Let’s talk about hashing, signatures, proof of work, and zero-knowledge proofs to see how they employ cryptography and factor into bitcoin technology.
“A hash function is a mathematical process that takes input data of any size, performs an operation on it, and returns output data of a fixed size,” says Corin Faife at Coindesk. The process should be quick. Any input will always have the same output when run through a hash function. The process should be transparent, so once the input data has been hashed, one should be able to determine what the input was. These features contribute to blockchain security.
Hash Pointers—Hash pointers are an essential element in the blockchain. Pointers, in general, are variables that include the addresses of the other variables. Hash pointers specifically take it a step further, not only holding the address of other variables but also the hash of the data in that variable. This property creates a blockchain’s immutability.
Immutability—Picture a chain of squares (“block”) each connected by a line. We’ll call this a blockchain. If someone were to tamper with Block A, Block A’s hash would also change. Then, because Block B holds the hash data of Block A, Block B’s information changes. Then Block B’s hash changes and the process would continue. This tampering would freeze up the chain, which, in a blockchain, is impossible. This impossibility makes blockchains immutable and tamper-proof.
Mining—Bitcoin mining is a service that some Bitcoin users choose to perform by “making computer hardware do mathematical calculations for the Bitcoin network to confirm transactions and increase security.” Bitcoin miners can collect bitcoins as a reward.
How does hashing fit into this? In bitcoin mining, miners look at the most recent transactions which have yet to be confirmed, changing parts of the input. As we established above, changing even a small part of the input for a hash function results in a totally different output. This property is crucial: as Faife puts it, to make a block more secure, miners “try to combine all of the inputs with their own arbitrary piece of input data in such a way that the resulting hash starts with a certain number of zeros.”
As a cryptographic tool, signatures are just what they sound like. They provide verification, they can’t easily be forged, and they make sure that the signer stands by what he or she has signed to (they are non-repudiable).
Signatures work by using “keys.” Each user has a public key (which anyone can know) and a private key (which only the user should know). When users send a message, they encrypt the message with their private key, and the recipient of the message can retrieve the message by inputting the sender’s public key.
Let’s say Gabriella want to send a message, “b,” to Isaac. Gabriella has a private key, Mt+, and a public key, Mt-. When she sends the message to Isaac, she will encrypt her message with her private key, so the message becomes Mt+(b). When Isaac receives the message, he can retrieve it by using Gabriella’s public key in an algebraic fashion: Mt-(Mt+(b))=b (the original message).
The process covers the three elements of a signature: Gabriella’s public and private keys work together verifying the message was sent by her; the signature is unforgeable, because only Gabriella’s public key would work to decrypt the message; and it is non-repudiable, because if Gabriella’s decides she wants to take the message back, she can’t—the two keys working together prove the message is sent by her.
Proof of Work
“Proof of work” is a consensus system by which miners prove that they have engaged in a significant amount of computational effort. They do this by applying a difficult-to-find nonce to the end of their code, ensuring that the entire block satisfies an arbitrary condition. In contrast to the difficulty of creating the proof of work, verifying it is relatively easy and quick for recipients.
Why do miners have to provide proof of work? Because it’s possible for messages and transactions to get intercepted and changed. But when miners attach the nonce to their block, it’s nearly impossible for interceptors to decipher and change the block. This keeps transactions safe for the intended recipients.
A zero-knowledge proof (ZKP) is a method used by one party (the prover) to prove to another party (the verifier) that a given statement is true, without revealing any information besides confirmation that the statement is true. This method provides additional protection for the prover’s privacy.
One way to do this is to use a ZK-Snark (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge), which proves a computational fact about the data without revealing the data itself. This method is popular among many blockchain-using technologies. Using ZKP maintains the integrity and privacy of transactions and maintains the abstraction of the transaction, making it more user-friendly.
Economics is essential to cryptoeconomics because it provides incentives to follow the rules; these incentives are how the blockchain differs from other decentralized peer-to-peer systems. All solid economic systems should have not only incentives for users to behave but also punishments for users who behave poorly. The blockchain employs both of these fundamental economic principles.
There are two sets of incentives for users of the blockchain:
First Incentive Set
Tokens: Users receive cryptocurrency for their active participation and contribution to the blockchain.
Privileges: Users receive the right to be in charge of a block, allowing them to charge rent, decide which transactions may occur in the block, and charge transaction fees.
Second Incentive Set
Rewards: Users who do well receive the power to make decisions or monetary rewards.
Punishments: Users who misbehave must either pay a fine or lose their rights.
How Cryptocurrencies Have Value
Cryptocurrencies do not have value like gold, which is a physical commodity, or dollars, which are legal tender. But people value and accept and trade in Bitcoin simply because other people do the same. When commodities are given value, that value changes according to two companion economic principles: supply and demand.
Supply and Demand
In economics, demand refers to the quantity of a product or service buyers want. Supply refers to how much of a product or service the market can offer. “The quantity demanded is the amount of a product people are willing to buy at a certain price,” says Adam Hayes, CFA. “The quantity supplied refers to the amount of a certain good producers are willing to supply when receiving a certain price.” Therefore, price directly reflects supply and demand. The aim of consumers and producers is to find a place of equilibrium at which the consumers’ demand is the same as the producers’ supply.
Supply and Demand in Bitcoin Technology
Like gold, the supply of bitcoins is limited and fixed. There are only 21 million bitcoins available to be mined. Because the number is finite, it’s possible that they will all eventually be in the market and lose value. There are two factors preventing this from happening:
Miners can’t add blocks as fast as they want. New blocks can only be added to the chain once every 10 minutes, giving a reward of 25 bitcoins.
Bitcoin mining is becoming more difficult. When miners are mining, they need to find the hash and the nonce, both of which need to be less than a specific number. This number starts with a certain number of zeros; the more zeros there are, the more difficult the block is to mine.
The demand for cryptocurrency depends on a few factors, including
the history of the currency,
the security of the currency,
whether it delivers results,
the potential of the currency, and
how popular it is.
How the Blockchain Keeps People Honest
As we’ve established, currency only has the value people give it; its value is not inherent. This is how malicious miners are not able to game the system and earn bitcoins in invalid ways. You see, any block considered invalid is invalid. Simple as that.
So let’s say a malicious miner attempts to hard fork for his or her own financial gain. Hard forking, according to Investopedia, is “splitting the path of a blockchain by invalidating transactions confirmed by nodes that have not been upgraded to the new version of the protocol software.” It eventually makes the original chain obsolete—but only if the new block is considered valid. Will the miners on the original chain stop what they’re doing and support the malicious miner in his or her quest for gain?
If the new block is considered invalid, they won’t. If the block is invalid, any currency the malicious miner gains will also be considered invalid. And since mining is such a time-consuming, expensive process, miners are incentivized to only spent time mining valid blocks for valid currency.
What if a group of miners decides the new block is valid and they band together to mine it? The blockchain doesn’t easily allow for communication, let alone coordinated efforts. Most miners choose to mine blocks that they know will generate the most profit, rather than search for blocks that may produce invalid profits.
In general, when someone commits a crime, they do it because they consider the rewards worth their trouble. If rewards are the only consequence of crimes, then it makes sense that everyone would want to do them. Of course, if everyone is committing crimes, only those on the receiving end of the crimes suffer. So what do we need? We need an anti-incentive. Punishment.
Theoretically, when punishment is enforced, crime decreases. The problem is that punishment requires a payment from society. (Think of taxes that pay for prisons.) If we want punishment to keep crime low, we are all “punished” by having to pay for the punishment system. And anyone who doesn’t participate in the punishment system by paying for it is considered a criminal and then has to be punished by the system anyway.
Blockchains don’t impose taxes on users, but misbehaving users are punished by having their privileges taken away and by facing social ostracization. If proof of stake is involved, the punishment becomes more severe. Because miners want to avoid these punishments, they remain honest.
Let’s review. The aim of incentives and punishments in blockchains is to keep miners behaving well. When miners successfully mine a block, they receive the reward of being temporary dictator of that block. They have control over the type and speed of transactions, and they can charge a transaction fee. So not only do successful miners receive rewards of currency (25 BTC in bitcoin and 5 Eth in Ethereum per block), they also get rewards of power.
To keep all bitcoins from entering the market and to keep the system fair for all miners, the mining difficulty changes occasionally. This means that block mining is more likely for a wider group of miners, not just a select few who have figured out the difficulty. Bitcoin mining is ultimately a zero-sum game, with both wins and losses being evenly spread among the miners as individuals and as a group.
The proof of work system is supposed to keep miners honest and maintain the zero-sum game. But unfortunately, this system may be at risk for what’s called the P+ epsilon attack.
The P+epsilon attack changes the blockchain from uncoordinated choice model to a coordinated choice model. In an uncoordinated choice model, none of the participants has an incentive to work with each other. They may work together, but the groups don’t become large or powerful, and there’s no real benefit for doing so. By contrast, in a coordinated choice model, all participants coordinate because of a common incentive.
The blockchain is an uncoordinated model, but the P+ epsilon attack introduces an incentive—a bribe—for miners to group together, threatening the integrity of the blockchain. The blockchain then changes from an uncoordinated model to a specific type of coordinated model called the bribing attacker model.
Bribing Attacker Model
Imagine the uncoordinated model of the blockchain, miners acting separately on their own blocks. But then an attacker enters the system bribing the miners to coordinate with each other. To place a bribe successfully, the attacker must have the following resources: a budget sufficient to incentivize miners to undertake the briber’s requested action and the cost, or the currency that the miner actually ends up paying. Projected budget and actual cost are distinct concepts that each affect how the P+ epsilon attack plays out.
Let’s use a simple game to illustrate how the P+ epsilon attack works. You are playing a group game and come to a part of the game where you need to elect a leader by voting. Players who vote for the candidate who ends up winning earn points (P); players who vote for the other candidate get no points. Players may also decide together to not vote at all until the next round; if none of them vote, then they all get the usual voting points. There are three choices, with two consequences: points or no points.
But before the vote, a briber enters the system to shake things up. He tells you that if you vote and convince everyone else not to vote, you will get the usual points for voting for the winning candidate and the briber will pay you some bonus points (P+ epsilon).
With this bribe, there are four possibilities:
You vote, as does everyone else; you all get the usual points (P).
You don’t vote, but others do; you get no points (0).
You vote, as do other people; you get the regular points, but you don’t get the bonus points (P).
You vote, but no one else does; you get the usual points and the bonus (P+ epsilon).
You can’t control the behavior of the group, but you vote because that’s your best chance at getting points. But everyone figures out the same thing: when you choose not to vote as a group, there’s always the chance that someone will lie and vote just to get the points, meaning you get no points. If you vote anyway, there’s a greater chance that you will get points. As the game goes on, the players stop agreeing not to vote, because they want their likelihood of earning points to increase.
Here’s where the briber’s attack benefits him. He only has to pay the bonus points (epsilon) when you vote and the others don’t. But everyone is voting! The briber got you to do what he wanted, and he didn’t even have to pay the bribe.
This attack obviously works very well in the briber’s favor. But now let’s see how this attack would work in the blockchain, especially regarding the proof-of-work system.
Let’s say the briber is a malicious miner who wants to hard fork an existing chain. He offers a bribe of epsilon to a group of miners, incentivizing them to coordinate and join the new chain. The budget—the proposed amount for the bribe—would need to be astronomical to convince miners to join in. But the briber attack model shows us that, in the end, the briber won’t even have to pay up. This possibility is a weakness of the proof of work system.
Proof of Stake as a Solution to the Briber Attack Problem
The proof of stake system can prevent P+ epsilon attacks. In this system, miners must invest a portion of their personal fortune in blocks that will be added to the main chain in the future. If miners misbehave, they are not only losing future earnings and responsibility—they are losing money they already own. This punishment incentivizes good behavior even more effectively than the other, less severe, punishments.
Proof of stake prevents P+ epsilon attacks because miners will behave in such a way that future blocks aren’t at risk. For example, Micah has a part of his fortune in a future block. Another miner bribes him with an extra payoff if he makes this future, fortune-infused block join the main chain. But Micah has to face this possibility: what if the chain doesn’t get approved? If the chain with Micah’s block isn’t approved, there’s a high possibility that Micah will lose the fortune invested in the block. And as we’ve learned about the P+ epsilon attack, he wouldn’t even end up with the bribe. So Micah declines the invitation, preferring to follow the rules and keep his fortune safe.
Before the Satoshi Nakamoto paper was published, who could have foreseen how cryptoeconomics would combine to make so many things possible? Cryptocurrency, the blockchain itself, internal systems like proof of work—all these things demonstrate a seamless union of cryptography and economics. Cryptoeconomics fosters security and fuels learning, making our online world ever more innovative.
Check out this diagram for a visual representation: