a primer on economics for cryptocurrencies


  1. A Primer on Economics for Cryptocurrencies School on Security & Privacy for Blockchains and Distributed Ledger Technologies Rainer Böhme

  2. Motivation
      We have tried – quite some time ago – to explain Bitcoin to economists:
      • Böhme, R., Christin, N., Edelman, B., and Moore, T. Bitcoin: Economics, Technology, and Governance. Journal of Economic Perspectives, 29, 2 (2015), 213–238
      • Today I am trying to do the opposite.
      Rainer Böhme, Vienna, 2 September 2019

  3. Outline
      1. Rational Agents and Adversaries
      2. Efficient Markets
      3. Market Concentration

  4. Economics predict behavior model
      Illustration: xkcd.com

  5. Game Theory
      A mathematical approach to model strategic behavior
      Interpretation as generalizations of ...
      a. Probability theory – replace uncertainty with rationality assumption
      b. Optimization – objective function anticipates optimal response
      Mechanism design (MD)
      “Reverse game theory”: define payouts to incentivize intended behavior
      The protocol is the mechanism. Users are agents – “players”.

  6. Classification of Security Games
      Attacker vs Defender
      • for security investment and tactics
      • often zero sum
      Defender vs Defender
      • for security policy
      • often non-zero sum
      • attackers are “nature”, i.e., stochastic but not strategic
      Attacker vs Protocol Designer (less common)
      • “rational” protocol design inspired by “rational cryptography”
      • defenders are “nature”
      Garay, J. et al. Rational Protocol Design: Cryptography Against Incentive-driven Adversaries, 2013.

  7. Weak Identities
      Games without central identity provider:
      Douceur, J. R. The Sybil Attack. In P. Druschel, F. Kaashoek and A. Rowstron (eds.), Peer-to-peer Systems. LNCS 2429, Springer, Berlin Heidelberg, 2002, 251–260.


  10. Behavior-regulating Assumptions
      Building a bridge between distributed systems and economics:
      [Diagram: identities (strong vs. weak) against behavior (“Byzantine” vs. rational); labelled regions: distributed systems, textbook economics, blockchain systems.]

  11. Principles of Economics
      Rational choice
      • Autonomous decision makers – agents – take actions to maximize their objective function – utility: $u_i(a_i)$
      Externality
      • Actions taken by one agent affect the utility of other agents: $u_j(\ldots, a_i, \ldots)$
      Social welfare – protocol objective
      • Global outcome from all local decisions: $\sum_i u_i(\ldots, a_i, \ldots)$

  12. Types of Goods
      |               | Excludable (access control) | Non-excludable            |
      | ------------- | --------------------------- | ------------------------- |
      | Rivalrous     | Private good                | Common good (externality) |
      | Non-rivalrous | Club good                   | Public good               |
      Slide annotation: blockchain read access

  13. Technology Stack
      [Diagram: layered stack with the labels Application, Execution environment, State machine, Ledger, Consensus protocol, Infrastructure, Network. Pseudonyms (public keys) and Nodes (IP hosts) are each marked “weak identities”.]

  14. Public Blockchains Need Cryptocurrencies
      A public distributed ledger has characteristics of a public good.
      • Cost: maintenance, in particular proof-of-work, borne by nodes
      • Benefit: depends on application, enjoyed by pseudonyms
      • Mismatch in value, time, and parties
      → Cross-layer incentive mechanism
      Blockchain systems need a payment method, so that pseudonyms can pay nodes.
      Two common schemes (also in combination):
      1. Money creation (“minting”) → all accounts pay by devaluation
      2. Transaction tax (“fee”) → individuals pay for write access
      Note: Minting is often prescribed in the protocol, while fees are set (in principle) by market mechanisms at runtime.

  15. Bitcoin Minting Rewards
      Nodes pay pseudonyms for the provision of a public good
      [Figure: Bitcoin in circulation against blocks (0 to 1260 K) and time (2009 to 2033); block reward steps of 50, 25, 12.5 and 6.25 BTC/block; upper bound of money supply: 21 million BTC.]

  16. Different Roles of Network Participants
      Satoshi’s likely working assumption
      [Diagram labels: network relay, saver, miner, receiving party, paying party.]

  17. Different Roles of Network Participants
      Specialization in the real world
      [Diagram labels: wallets & exchanges, pool operators, network relay, saver, miner, receiving party, paying party, payment services.]

  18. The Enemy of Decentralization
      Proof-of-work: economies of scale force concentration
      [Figure labels: “fair” share of block rewards, total cost, progressive, output, fraction of mining cost.]
      The area under the diagonal (progressive) is not achievable with weak identities.

  19. Incentive Compatibility
      $$w(P) > w(\bar{P}) + s(\bar{P}) \tag{1}$$
      $$\sum_{t=t_0}^{\infty} E[w_t(P)]\,\delta^{t-t_0} > \sum_{t=t_0}^{\infty} E\big[w_t(\bar{P})\big]\,\delta^{t-t_0} \tag{2}$$
      $$u_P(w(P)) - c(P) > u_{\bar{P}}(w(\bar{P})) - c(\bar{P}) + s(\bar{P}) \tag{3}$$
      • $P$: follow protocol
      • $\bar{P}$: worst of all other actions (attacks)
      • $w$: wealth in protocol coins
      • $u$: utility, reflecting real-world preferences
      • $c$: cost in units of utility
      • $\delta$: discount factor < 1, e.g., $\delta = .97$
      • $s$: side-payment (“bribe”, in varying units)

  20. The Fallacy’s Origin
      “The incentive may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people [...], or using it to generate new coins. He ought to find it more profitable to play by the rules, [...] than to undermine the system and the validity of his own wealth.”
      Satoshi Nakamoto 2008, p. 4

  21. Fallacy Continued
      “[I]n our PoS based protocol, malicious slot leaders [...] not only risk to forego any potential profit they would earn from behaving honestly but may also risk to lose equity. Notice that slot leaders must have money invested in the system in order to be able to generate blocks and if an attack against the system is observed it might bring currency value down. [...] Currently our rationality model does not formally encompass this attack strategy [...].”
      A. Kiayias et al. CRYPTO 2017 (Ouroboros), p. 47

  22. Behavior-regulating Assumptions
      Building a bridge between distributed systems and economics:
      [Diagram labels: “Byzantine”; rational; attackers with payments and contracts.]

  23. Secure Capacity Under the Longest Chain Rule
      (against one type of economic attack ⇒ lower bound)
      • $\lambda$: bribe loading > 1
      • $r$: block reward to miner
      • $v$: double-spendable value
      [Diagram: chain of blocks with values $v_0, v_1, \ldots, v_k$ and rewards $r_0, r_1, \ldots, r_k$, and a competing branch $1', \ldots, k', k+1'$.]
      Security condition:
      $$\sum_{i=1}^{k-6} \lambda\,(1 + k^{-1})\,v_k < \sum_{i=1}^{k} r_i$$
      • Bonneau, J. Why Buy When You Can Rent? FC Workshops, 2016
      • Gervais, A. et al. On the Security and Performance of Proof of Work Blockchains. ACM CCS, 2016
      • Budish, E. The Economic Limits of Bitcoin and the Blockchain. 2018
      • Auer, R. Beyond the Doomsday Economics of “Proof-of-Work” in Cryptocurrencies. BIS, 2019
      (and others)

  24. Types of Goods
      |               | Excludable (access control) | Non-excludable            |
      | ------------- | --------------------------- | ------------------------- |
      | Rivalrous     | Private good                | Common good (externality) |
      | Non-rivalrous | Club good                   | Public good               |
      Slide annotation: blockchain secure capacity

  25. Outline
      1. Rational Agents and Adversaries
      2. Efficient Markets
      3. Market Concentration

  26. Motivation
      28 October 2016: Zcash launched
      Source: coinwarz.com, accessed on 23 January 2017

  27. Mining Resource Allocation as a Game
      Two chains with compatible proof-of-work puzzles and fixed solving capacity:
      | Chain A | Chain B |
      | --- | --- |
      | expected utility 1 per period | expected utility $\delta < 1$ per period |
      | Player $i$ allocates mining power $a_i \in [0, 1]$. | Player $i$ allocates mining power $1 - a_i$. |
      Payoff function for two homogeneous and risk neutral miners $i$ and $\neg i$:
      $$y_i = \frac{a_i}{a_i + a_{\neg i}} + \frac{\delta \cdot (1 - a_i)}{(1 - a_i) + (1 - a_{\neg i})}$$
      utility = return in fiat currency; expectations over realizations of r.v. and in anticipation of difficulty adjustments
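
Added example, not part of the original slides: the payoff function of slide 27 in Python, with best-response iteration to locate the symmetric equilibrium of the two-miner game. The function names, the `EPS` bound and the closed form $a^* = 1/(1+\delta)$ (obtained here from the first-order condition of $y_i$) are assumptions of this example, not content of the deck.

```python
EPS = 1e-9  # assumption: keep a sliver of power on each chain to stay off the 0/0 corners


def payoff(a_i, a_other, delta):
    """y_i from slide 27: share of chain A (utility 1) plus share of chain B (utility delta)."""
    on_a = a_i + a_other
    on_b = (1 - a_i) + (1 - a_other)
    share_a = a_i / on_a if on_a > 0 else 0.0        # nobody mines A: nothing to share
    share_b = (1 - a_i) / on_b if on_b > 0 else 0.0  # nobody mines B: nothing to share
    return share_a + delta * share_b


def best_response(a_other, delta, iters=200):
    """Allocation a_i that maximizes y_i against a fixed opponent allocation.

    y_i is concave in a_i whenever 0 < a_other < 1, so ternary search finds the maximum.
    """
    lo, hi = EPS, 1 - EPS
    for _ in range(iters):
        m1 = lo + (hi - lo) / 3
        m2 = hi - (hi - lo) / 3
        if payoff(m1, a_other, delta) < payoff(m2, a_other, delta):
            lo = m1
        else:
            hi = m2
    return (lo + hi) / 2


def equilibrium(delta, start=0.5, rounds=100, tol=1e-7):
    """Iterate best responses from a symmetric start until the allocation stops moving."""
    a = start
    for _ in range(rounds):
        nxt = best_response(a, delta)
        if abs(nxt - a) < tol:
            return nxt
        a = nxt
    return a


if __name__ == "__main__":
    for delta in (1.0, 0.97, 0.5):
        a_star = equilibrium(delta)
        print(f"delta={delta}: a*={a_star:.4f}, 1/(1+delta)={1 / (1 + delta):.4f}, "
              f"y*={payoff(a_star, a_star, delta):.4f}")
```

At the fixed point the two miners split their power 1 : δ between chain A and chain B, in proportion to the chains' rewards, and each earns (1 + δ)/2.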
