Intro to Cryptoeconomics — Part II
In Part I of the series, we’ve learned why cryptoeconomics is important and what assumptions (security models) and goals it usually considers.
Outline Part II:
6. The Two Pillars of Cryptoeconomics
7. Cryptographic Tools
8. Economic Tools: tokens, consensus mechanisms
9. Other Cryptoeconomic Concepts
10. Possible Attacks to the network
12. Further readings
The Two Pillars of Cryptoeconomics
As already mentioned above, cryptoeconomics splits into two pillars:
- Cryptography: techniques that keep messages secure
- Economic incentives: rules and rewards that encourage you to add value to the network
As mentioned above, cryptographic tools are techniques that keep messages secure and immutable. They are a vital part of Bitcoin and other blockchains and thus of cryptoeconomics. Some of the most basic cryptographic tools (called cryptographic primitives) are hash functions and digital signatures. I will lay out the basics of these two cryptographic primitives because they are so fundamental to blockchain.
A hash function is a function that takes an input of any size x and gives you an output with a fixed size H(x). Bitcoin uses the hash function SHA-256, which was designed by the NSA on the basis of the Merkle-Damgard function.
It satisfies three important qualities:
- 1. Collision resistance: A hash function is collision resistant if it is hard to find two different inputs that would hash to the same output. That is, we want to avoid this: H(x) = H(y) while x≠ y.
Without collision resistance, an attacker might be able to substitute one original message “a” with a fake one “b” if it produces the same hash H(a) = H(b).
- 2. Hiding: A hash function is hiding if there’s no feasible way to deduct the original input x in H(x). The problem is that if the input comes from a very small range, e.g. it’s one of two possible values, someone could just hash the two possible values and easily guess what the original input x was. So, if we can hide the input x by concatenating it with another input that is from a very large range, it is infeasible to find out x. H (r||x) is hiding where r is a random value.
- 3. Puzzle-friendliness: A hash function is puzzle-friendly if we know a random part of the input and we know the hash H(x), but it is hard to find the rest of the input. We have to try every possibility randomly to find the rest of the input. This property is necessary for Bitcoin mining — miners try to solve for cryptographic puzzles in order to decide the next block.
For more information about hash functions, you can read an easy-to-digest blog post by Hang Lu Su.
A digital signature mimics an analog handwritten signature. A signature binds our identity to a message (e.g. it shows that it is indeed me, Anami Nguyen, who has written a check in your favor). A digital signature has practically the same function in a decentralized p2p network. It helps us identify that certain messages (transactions) come indeed from a certain identity. A digital signature satisfies these three requirements:
1) Only you can make your signature.
(Real life analogy: when I write my name down in a certain way, I hope that nobody can write it the same way.)
2) Anyone can verify your signature.
(Real life analogy: a random bank employee should be able to verify that the signature is indeed from Anami Nguyen. If they are not able to do so, then the signature is practically useless.)
3) The signature is tied to a specific document.
(Real life analogy: my signature can’t be cut off from the check I’ve written and pasted to another document.)
There are three algorithms that comprise a digital signature:
1. (sk, pk):=generateKeys(keysize)
The generateKeys method takes a key size and generates a key pair:
- sk is the secret key that you keep privately to sign messages.
- pk is the public key that’s used to verify the signature by anyone.
Application: The public key is your public identity (or, your address in Bitcoin). In order for someone to speak in the name of the identity pk, they must know the corresponding secret key, sk. It’s much like a username and password. That way we avoid that someone claims someone else’s identity and sends messages (and makes transactions) on their behalf.
2. sig := sign(sk, message)
The sign method takes a message and a secret key, sk, as its input. Then it outputs a signature for message under sk.
Application: As mentioned above, your signature should only be valid for a certain document. The sign method ensures that.
3. isValid := verify(pk, message, sig)
The verify method takes a message, a signature, and a public key pk as its input. It returns a boolean value(true/false value), isValid, that will be true if sig is a valid signature for message under public key pk, and false otherwise.
Application: this method combines the above components. Anyone should be able to verify whether a certain message (e.g. transaction) was indeed signed by your public key.
Therefore, a valid signature must show that:
verify(pk, message, sig(sk, message))== true
For more detail on hash functions and digital signatures, check out Chapter 1 of Princeton’s Bitcoin book. There are further cryptographic tools that help us keep the blockchain secure but they would be beyond the scope of this article. If you are inclined to learn much more about cryptography, Stanford has a free online class Cryptography I.
Now that we know more about some basic cryptographic tools, let’s get to the second part of cryptoeconomics. Economic tools are incentives that encourage and discourage certain behavior amongst network participants.
The most basic economic tool is the use of tokens and consensus mechanisms.
Tokens are exchangeable goods within the decentralized p2p network. The most famous token in the crypto world is Bitcoin.
Beyond Bitcoin, tokens can be exchanged for a variety of goods and services. For example, you can rent out your excess CPU/GPU cycles via the Golem Network and get paid by the GNT (Golem Network Token) as a reward for your service. The presence of tokens creates a shared value amongst network participants, which makes decentralized p2p networks more like separate economies or ecosystems.
Now let’s see how tokens are used to incentivize desirable behavior in the Bitcoin network.
Let’s say you are a node that creates a new block to be included in the Bitcoin blockchain. You are rewarded for your work by being allowed to include a special transaction (coinbase transaction). This transaction allows you to send a block reward to your own address. Currently (June 2018) miners receive a block reward of 12.5 bitcoins. (The block reward decreases at a set rate, which you can explore here. I might write more about the whole deflation/inflation issue later, stay tuned!)
You will only be able to reap the reward if the new block is accepted by the rest of the network. Other nodes express their acceptance by including your new block’s hash in the next block they create. This incentivizes them to only include blocks with valid transactions. Because you believe they won’t accept your new block if you include faulty transactions, you are incentivized to include only valid transactions if you want the block reward.
As I mentioned above, the block reward for creating new blocks decreases at a set rate, which means that there is a finite amount of bitcoins. But what incentivizes participants to continue building the Bitcoin blockchain and to execute transactions if they don’t get rewarded by being able to mine new bitcoin? Simple: they receive transaction fees for each transaction they include in their block.
Transaction fees also disincentivize participants from slowing down the network by sending transactions from and to their own accounts.
Participants in a decentralized p2p network need to agree — they need to reach consensus — about the state of the network and about what blocks and transactions to include on the blockchain. We need a mechanism that helps eliminate issues that arise from decentralization and the possible presence of adversaries.
A consensus mechanism is a protocol on top of the blockchain that takes each node’s proposed block as an input and selects a valid block as an output.
Let’s take a look at Bitcoin’s Proof-of-Work consensus mechanism. Simply put, miners must expend a great amount of computational power to prove they have “skin in the game” and then they are allowed to propose a new block. They expend this computational power by solving hash puzzles that are based on the properties of hash functions I’ve mentioned earlier. I’m not going to dive into the technical details of these hash puzzles but you can read more on pages 64–67 of the Princeton Bitcoin book. From a cryptoeconomics perspective, it is important to note that miners must expense fiat currency to buy computing power (nowadays in the form of highly specialized and high-performance ASIC chips). With that, they have expensed significant resources that they would lose if their block wouldn’t be included on the blockchain.
Another popular consensus mechanism is Proof-of-stake. Generally, this consensus mechanism works by having a set of validators take turns proposing and voting on the next block, and the weight of each validator’s vote depends on the size of their staked deposit. They lose their stake if the block is not included in the blockchain and are therefore incentivized to vote on blocks that include only valid transactions. If you want to read more about Proof-of-Stake, I suggest perusing the writings of Vlad Zamfir and Vitalik Buterin, who are championing PoS for Ethereum (which currently runs on PoW).
Possible Attacks to the Network
What are attacks? An attack to the blockchain happens when someone threatens the security, credibility and worth of the blockchain by trying to include faulty transactions (e.g. double-spend transactions). Alternatively, someone could try to attack a blockchain out of pure malice or political reasons. I will give a brief overview of some hypothetical attacks to the Bitcoin blockchain.
51% attack (Honest Majority Level)
One of the most straightforward ways of enabling double-spend or faulty transactions is to fork the blockchain and then to include or exclude certain transactions. For this, nodes must accept the new block that includes faulty transactions and build on top of it. The forked chain must overtake the current chain by growing faster and becoming longer because nodes usually place new blocks on top of the longest blockchain. This attack can happen if someone has a majority — over 50% — of the hashing power. We assume the Bitcoin blockchain is secure because we assume an Honest Majority Model in which over 50% of participants are honest. It is the most well-known theoretical attack to the Bitcoin blockchain. There are many nuances to be considered in reality. For one, an attack might work even if the attacker has less than 50% of the hashing power.
Theoretically, an attacker who is purely after economic gain should be deterred from performing a 51% attack because the network value (Bitcoin/fiat exchange rate) would crash immediately after the attack. The attacker would basically shoot themselves in their own foot. However, someone might be motivated by ideological or political reasons to destroy the Bitcoin blockchain. Or, they could short Bitcoin and then launch the attack to profit from the Bitcoin crash. There are many other factors to consider and analyses to be made… unfortunately, they are outside of the scope of this article.
The reality is that nobody who owns bitcoin should want the blockchain to be attacked because it would hurt them. However, a typical Tragedy of the Commons could occur if everyone acts on their own selfish incentives and accepts a bribe, which eventually leads to long term losses for all network participants. The Tragedy is that nobody wants to harm the network but it happens anyway.
In a P+ε Attack, someone can bribe network participants at no cost. Let’s say everyone needs to vote on whether 2+2=4 is true, so they’d vote Yes or No. Of course, the honest vote is Yes. If you vote like the majority of the participants, you receive a reward P. If your vote is in the minority, you receive 0. Everyone thinks that the other will vote Yes and therefore everyone votes Yes. We are experiencing a so-called Nash Equilibrium, in which everyone gets what they want.
However, imagine an attacker wants you to vote No. You’d be foolish to do so because everyone else will vote Yes, so your vote will be in the minority and you don’t gain reward P. However, the attacker commits credibly (e.g. via Ethereum contract) to pay you a reward worth P+ε (the original reward plus a little extra) if you vote No and if you’re in the minority. Suddenly, it is in your best interest to vote No: If you’re in the majority, you’ll win P and if you’re in the minority you’ll win P+ε. On the other hand, if you vote Yes, you’ll only win if you’re in the majority but you’ll lose if you’re in the minority. Now, because of the bribe, everyone will vote No. Suddenly, No-voters are in the majority and the attacker doesn’t even have to pay any No-voter because they’re in the majority.
In decentralized p2p networks that maintain a blockchain the vote concerns whether to include faulty transactions or not. Participants should not want to include faulty transactions or double-spends but might be bribed to do that.
You can check out some possible ways to mitigate this risk in Vitalik Buterin‘s blogpost.
Maybe you have noticed that most problems I have described can be of technical and/or economic nature. Problems that arise from rational human greed (e.g. Tragedy of the Commons) can be solved with cryptography. Byzantine Fault Tolerance, which is a technical issue, can be solved with economic incentives. I find this intersection of technology and economics particularly challenging and fascinating.
We’ve learned that cryptoeconomics is the backbone of decentralized p2p networks. Cryptoeconomics combines cryptography with economic incentives to keep the network secure and incentivize participation. We’ve learned that there are assumptions we make about the state of the world when designing crypto networks that are called security models (e.g. Uncoordinated Choice Model, Honest Majority Model, etc). Some of the most basic cryptographic concepts are hash functions and digital signatures, which help prevent security attacks amongst other functions. On the economic incentive side, we might use tokens and consensus mechanisms (like Proof-of-Work) to secure the network and to motivate participants to contribute to it, e.g. by spending USD on computational power to mine Bitcoin. There are many possibilities to attack a decentralized p2p network, like the 51% attack and the P+epsilon attack. As a new and basically non-academic field within the crypto community, cryptoeconomics is constantly evolving and depends on the theorizing and problem-solving skills of everyone in the crypto community. The combination of cryptography and economic incentives makes decentralized p2p networks secure, valuable and trustworthy.
Wait! There is much more to read and learn…
- Vitalik Buterin’s 1hr presentation about cryptoeconomics discusses further cryptoeconomics that I didn’t include here.
- Princeton’s 300 page Bitcoin book
- Unchained: 1hr Podcast about cryptoeconomics with Olaf Carlson Wee and Ryan Zurrer
- Examples 2 and 3 of this article about cryptoeconomics
- Vlad Zamfir’s “History of Casper” article series — Casper is a PoS consensus mechanism, which is currently in the works
- Did I miss some other great further readings? Let me know!