The Steps to Understand Bitcoin, Then Saito - Without Any Prior Knowledge
I often find myself in a position to explain what Bitcoin is and how it works to people who believe they have no business understanding it. The beauty of Bitcoin is that the technological aspects can be set aside with simple metaphors about writing checks and guessing numbers - the crux of the invention, open & distributed consensus, can be explained without jargon.
The genius of Bitcoin is simple in this way, but simple genius is uniquely confusing - sometimes more so when the logical leaps are made without apparent motivation or inspiration. If an invention cannot be explained in terms of the immediate problems it must solve, but instead must be justified by the fact that it works, then it was either a lucky guess to begin with or the explanation is relying on the existence of the invention itself! This piece assumes that most explanations of Bitcoin are heavily compressed, and seeks to expand the thought process such that one feels they might have invented Bitcoin themselves.
What often grants true intuition is a constructive explanation: a thought process the inventor could have believably taken to understand and motivate their decisions as the invention was conceived. A constructive view makes the process of reinvention possible at every step - if one knows intuitively the reason choices are made, they can reason about alternative designs with intent - and it is in those moments that innovation is born. It is in this vein that, with a constructive explanation for the design choices in Bitcoin and an important alteration of the most fundamental mechanism, one might eventually see how Satoshi Nakamoto may have invented the Saito Protocol.
The constructive journey for Bitcoin begins with a simple motivation that anyone should be able to understand. This is almost certainly not exactly what motivated Satoshi Nakamoto, as per his own accounts, but it is a useful fiction which gets us to the same place and expands what was likely innate in his mind:
Suppose you and a friend want to keep tabs on money you owe each other; rather than constantly handing cash back and forth or initiating wire transfers, you both keep an identical tally of how much money is owed in either direction - let's call it The Friend Coin Network. In this simple example, one single Friend Coin can be agreed to represent $1 for simplicity. If you wanted to 'send' some Friend Coin to your friend, you would write down how much you wanted to send and put your signature next to it, snap a picture and send it to your friend, then both of you update your tally, or 'ledger,' to reflect the most up-to-date transactions and balances.
But maybe you and your friend don't fully trust each other not to cheat. What happens if they send you several transactions for large sums and it turns out they've run their balance into the negative while getting you to exchange them real-world goods or services? Well, instead of just accepting any new transaction with their signature, you both agree that a new transaction must agree with every previous transaction ever sent, such that one cannot keep spending forever and ever. Every time you receive a transaction from them, you update their total balance and reject future transactions which make their balance go below zero.
For every part of this step done by hand, a digital equivalent exists, even the signature - so the convenience of such a scheme is in reality greatly enhanced by computer programs which accelerate the cryptographic and accounting methods used to authenticate transactions - methods which are time-tested and not new to Friend Coin.
This system is convenient for you and your friend, and eventually a third person wants to join in - no problem, add his name to the list and when any balance changes between any two of you all three people receive the new transaction and verify it doesn't spend below that person's balance. It is important to understand that with three people, you cannot allow the other two to transact with one another without also learning about it if you are to be safe from fraud. If you, Alice and Bob are all part of this system, Alice may only have $100 worth of coin to send; she sends $100 to Bob without your knowledge, and then she sends that same $100 to you later, then with only $100 she has extracted $200 of value from you and Bob.
Again, this isn't a major issue yet. Bob isn't interested in letting Alice get value out of you when he rightfully should have had the purchasing power - whenever anyone receives a transaction from someone else, they let everyone else know so that there are no disputes later about who really owns the money. Any miscommunications between three people can be easily resolved socially, and since the money requires your signature to spend, you can be sure no one can spend that money on your behalf short of an obvious forgery - it is really just the duplicitous spending of one's own money that everyone else should worry about.
Where the real issues begin is when more people begin joining this system, and social consensus starts becoming difficult. Say twenty of you now transact in Friend Coin. You were all using a group chat to coordinate before, and then rented a server when you went digital, but with twenty people not everyone is on board with one of a few people being in charge of the server holding everyone's balances, as they could selectively censor transactions and scheme other exploits in their favor. Instead you all agree to send each other information directly so no one has more control than everyone else.
So when Timothy sends a $10 Friend Coin transaction addressed to you, you send that to everyone else. Now if Timothy begins spending past his available balance, the fact that you got his money early means you are entitled to it in case of a dispute with someone who got the same money later; this is easily resolved if everyone has recorded Tim's transaction to you before they receive any more from him which put his balance in the negative (which they can reject). Now everyone is aware that you have $10 more than you had before, which you can exchange with them. First come, first served.
But Timothy is devious and clever, and decides he wants to disrupt the Friend Coin network. With a $50 balance, he simultaneously writes a transaction of $50 to you and $50 to someone else, and he sends one transaction to half the network and the other transaction to the other half. First come, first served no longer works, as Timothy engineered a tie, and you now have a dispute with the other person over who has priority over that $50. But the rest of the Friend Coin network can't just sit idly by - if Timothy spent that money, they need to record it so he can't wrongfully spend it again; now your $50 dispute involves the entire Friend Coin network, and they also can't agree which transaction came first, because each half of them got it at the same time.
A personal dispute is now the entire network's business. You all agreed to get rid of the rented server so you could avoid any small party having too much power, but now without some authoritative decision making, it looks like the whole network will have to debate on who is entitled to Timothy's $50. If this happens at all often, people become fed up and just elect leaders to decide, and with leaders comes the same corruption present when just one person hosted the network - those leaders can do the same disruptive strategy Timothy employed and choose themselves and their friends as winners while playing tricks on everyone else to scam them out of goods or services. The system breaks down, people stop using it, all because consensus could not be reached on a simple dispute.
But there is a solution, one which does not involve electing leaders. It begins solving these network-breaking transaction disputes by grouping transactions together before accepting them. One can still apply the rules that no transactions within a grouping should allow any account to go into a negative balance (in relationship to the previous grouping of transactions). This has the benefit of forcing participants in the network to exclude conflicting transactions in their groupings so that when it is time to select a grouping AKA a block of transactions, the resolution of a dispute over two different blocks will resolve all conflicting transactions between blocks rather than one transaction at a time.
Another benefit is that when two groupings, or blocks, of transactions are in dispute rather than individual transactions, there are more useful metrics the network can use to settle that dispute. An intuitive metric is how 'busy' a block is. If multiple parts of the network all have different blocks at the same time, they can have a previous agreement to settle their dispute by automatically selecting the block with the most transactions in it; if the chain of blocks one participant has is longer than another's, the person with the shorter chain of blocks will simply adopt the longer chain. This criterion for choosing blocks gives everyone an objective method to resolve disputes automatically while favoring blocks which include more of the work which the network was built to accomplish (adding transactions).
Even in a prolonged dispute where both metrics remain tied, just by chance, one chain of blocks will end up longer than a disputing chain and the network all agrees again. The odds of chance stalemates from normal operation staying perfectly tied will decrease with time, so those using the Friend Coin network understand that by waiting long enough, they will see any old disputes resolved. The network now crudely settles disputes by favoring efficiency and being up to date.
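To make the rules of the last several paragraphs concrete, here is an added Python sketch (written for this page, not code from the article) of a Friend Coin ledger: it rejects any transaction that would push a balance below zero, shows why Alice's double payment slips past two recipients who each see only their own transaction but not a shared ledger, and settles Timothy's engineered tie with the block rule just described (the longer chain wins, more transactions break a tie). The names, amounts and the stand-in 'signature' check (signer must equal sender) are constructed for the example; a real system verifies a digital signature at that point.

```python
# Friend Coin accounting and fork choice, as the text describes them. Added
# illustration, not code from the article. Signatures are reduced to an
# authorization check (signer must equal sender); a real system verifies a
# digital signature here, but the accounting is the point of this example.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Tx:
    sender: str
    recipient: str
    amount: int
    nonce: int   # constructed: tells two $100 payments from one sender apart
    signer: str  # stand-in for the digital signature


class Ledger:
    """Balances plus the rule that no transaction may push a balance below zero."""

    def __init__(self, balances: Dict[str, int]):
        self.balances = dict(balances)
        self.seen: List[Tx] = []

    def copy(self) -> "Ledger":
        clone = Ledger(self.balances)
        clone.seen = list(self.seen)
        return clone

    def apply(self, tx: Tx) -> bool:
        """Accept tx and update balances, or reject it and change nothing."""
        if tx.signer != tx.sender or tx.amount <= 0 or tx in self.seen:
            return False  # forged, malformed, or replayed
        if self.balances.get(tx.sender, 0) < tx.amount:
            return False  # would overspend
        self.balances[tx.sender] -= tx.amount
        self.balances[tx.recipient] = self.balances.get(tx.recipient, 0) + tx.amount
        self.seen.append(tx)
        return True


def apply_chain(genesis: Ledger, chain: List[List[Tx]]) -> Optional[Ledger]:
    """Replay a chain of blocks; None if any transaction fails in order. Two
    conflicting spends therefore cannot share a block: the producer must drop one."""
    state = genesis.copy()
    for block in chain:
        for tx in block:
            if not state.apply(tx):
                return None
    return state


def choose_chain(genesis: Ledger, a: List[List[Tx]], b: List[List[Tx]]) -> str:
    """Fork choice from the text: an invalid chain loses, the longer chain wins,
    and equal lengths are settled by the busier chain (more transactions)."""
    valid_a = apply_chain(genesis, a) is not None
    valid_b = apply_chain(genesis, b) is not None
    if valid_a != valid_b:
        return "a" if valid_a else "b"
    if len(a) != len(b):
        return "a" if len(a) > len(b) else "b"
    txs_a, txs_b = sum(map(len, a)), sum(map(len, b))
    if txs_a != txs_b:
        return "a" if txs_a > txs_b else "b"
    return "tie"


# Constructed scenario 1: Alice holds 100 and pays it to Bob and to you.
START = {"alice": 100, "bob": 0, "you": 0}
TO_BOB = Tx("alice", "bob", 100, nonce=1, signer="alice")
TO_YOU = Tx("alice", "you", 100, nonce=2, signer="alice")

def double_spend_demo() -> Dict[str, bool]:
    bobs_view, your_view, shared = Ledger(START), Ledger(START), Ledger(START)
    return {
        "bob_accepts": bobs_view.apply(TO_BOB),          # Bob only hears of his
        "you_accept": your_view.apply(TO_YOU),           # you only hear of yours
        "shared_accepts_first": shared.apply(TO_BOB),    # everyone relays everything
        "shared_rejects_second": not shared.apply(TO_YOU),
    }


# Constructed scenario 2: Timothy's engineered tie, settled block by block.
TIM_START = {"tim": 50, "you": 10, "carol": 0}
TIM_TO_YOU = Tx("tim", "you", 50, nonce=1, signer="tim")
TIM_TO_CAROL = Tx("tim", "carol", 50, nonce=2, signer="tim")
YOU_TO_CAROL = Tx("you", "carol", 5, nonce=3, signer="you")

def fork_demo() -> Dict[str, object]:
    genesis = Ledger(TIM_START)
    conflicting = [[TIM_TO_YOU, TIM_TO_CAROL]]          # both spends in one block
    half_a = [[TIM_TO_YOU, YOU_TO_CAROL]]               # one block, two transactions
    half_b = [[TIM_TO_CAROL]]                           # one block, one transaction
    longer_b = [[TIM_TO_CAROL], [YOU_TO_CAROL]]         # two blocks
    return {
        "conflicting_block_valid": apply_chain(genesis, conflicting) is not None,
        "tie_broken_by_busyness": choose_chain(genesis, half_a, half_b),
        "length_beats_busyness": choose_chain(genesis, half_a, longer_b),
    }
```

Running `double_spend_demo()` shows both recipients individually accepting Alice's $100 while the shared ledger rejects the second spend; `fork_demo()` shows that a block containing both of Timothy's spends is simply invalid, that two one-block forks are settled by transaction count, and that a longer chain beats a busier single block.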
But Timothy is devious and clever. If the longest chain of blocks is how everyone will agree about the network's future, then what's to stop him from secretly sending large quantities of money between multiple accounts he owns at such a high rate that he can make a far longer chain than what everyone else puts out with normal use? It won't cost him anything, since he is sending money to himself, and at this point there are too many people to keep track of who is who without a leader.
Timothy can effectively use computer power to fabricate long and convincing chains of blocks and abuse the dispute settlement method. Now he can send you $100 of Friend Coin and allow you to wait however long you want to feel that any possible disputes have been settled - when you see that after a long while, that $100 transaction to you is buried underneath many more recent blocks, you deem it safely resolved and give Tim your old laptop in exchange.
Timothy then fires up that laptop, and uses his remaining balance and some simple, inexpensive automation to create an arbitrary number of blocks and transactions, sending money to himself over and over again. But he doesn't add those blocks to the most recent block in the chain, instead, he builds off the block in the chain from before he sent you $100. Now he races against that version of history (as far as the network is concerned) in which he paid you, and eventually his chain of blocks outpaces what you relied on to sell him the laptop. The network, clinging to its only method to solve disputes, adopts Timothy's chain for the simple reason that it is longer. On Timothy's version of the chain, he still has that $100 you thought you received, and now your laptop as well. Friend Coin isn't so friendly anymore.
For clarity, with typical Bitcoin terminology, these different versions of the chains are called 'forks.' A fork can happen at any point in the chain when nodes in the network have different ideas about what the next block, or chain of blocks, should be. What Timothy created to defraud you in the above example would be called a malicious fork, or a block-reorganization attack, commonly called a 51% attack.
But at this point Friend Coin is growing, and becoming a very useful network if not for the possibility of strangers to come in and exploit it in such a manner. If you and the rest of the network could come up with a solution, the network could include more people and be more useful - you all come to the conclusion that the potential utility is worth spending some money on. Previously everyone participated for free, but if adding some cost could somehow make the network secure against people like Timothy, you all decide it is worth it. With a cost imposition, an extra dimension of design choices is possible to settle disputes.
But 'settling' disputes is not the same as settling disputes. By agreeing to adopt the longest chain of blocks as the correct one, the network was able to 'settle' a dispute. The issue, of course, is that with his laptop Timothy could ensure that decision would not remain settled. If compute power is the fundamental power allowing one to make long chains which prevents the network from changing its history, then the dispute resolution method should embrace that. In fact, it is already the case in Friend Coin so far that more than just Timothy can abuse this longest-chain rule. If everyone interested in the safety of the network also produced as many blocks as they could, but always collaborated to do so building off of the agreed-upon chain (the longest public chain), and not a shorter, hidden chain that revises history, they could easily out-power Timothy, who is working alone.
This, of course, has two problems. The first is that this altruistic coalition is effectively the leadership of the group. Friend Coin decided there would be no centrally controlled server for a reason, and forming a coalition with the ability to make the longest chain in a system where the longest chain is always honored is exactly that same opening for corruption. The second is that producing as many blocks as possible and sharing them with everyone in the network is just too chaotic and resource intensive - not only do thousands of blocks a second need to be produced, but the bandwidth required to distribute them is multiplied by the number of participants.
The important connection to make is that the longest chain is the truth, and that producing a longer chain requires computing power. Instead of measuring compute power by only looking at whose chain is longer, the network agrees that for every block added, a certain amount of computing power must have been spent creating just that single block. This is the beauty of Proof of Work - this compute power can be compressed into a tiny string within a block rather than thousands of individual blocks, and others in the network can verify extremely efficiently that the tiny string must have taken a lot of resources to come up with. It is basically a guessing game to produce what is called a 'hash.' A hash is a fixed-size string of characters which can be produced from an input string of any size - the output looks completely random, but the same input always leads to the same output.
The string one uses to produce a rare hash (or equivalently, an expensive proof of work) can't be just any random string; it must be the string of the previous block you wish to build on top of combined with your random guess. Now when spending money on work, you commit real-world resources to one piece of history.
If you want to add a block onto another block, you must produce a rare hash including your view of, thus committing energy only to, the most recent block. Since hashes are random, the only way you can try to achieve these rare hashes is by guessing as quickly as possible. If you want to prove to someone that you found the input string which produced such a rare hash, you can put your signature next to that string to show ownership and simply ask others to put that string into the same algorithm you used - since the same input always produces the same result, they can verify in a single go that the string does in fact produce a rare hash. Statistically, they can judge how much compute power must have been expended to eventually find that hash.
So now Friend Coin can measure the same thing that was really being measured by choosing the chain with the most blocks - it was really measuring compute power, but with hashes and Proof of Work, compute power can be proven within a single block. Now since every block requires the work it used to take to make a massive number of blocks, and proof of that work can be compressed into a small string, the network can settle disputes by once again choosing the longest chain, now knowing that if a malicious agent wants to make a new longest chain to revert some transaction(s), they will have to make new proofs of work for every block, which will get expensive.
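The hash guessing game and its one-step verification, as an added Python example rather than anything from the article or from Bitcoin's own code. It also shows what the 'longest chain' rule actually compares once work is in the picture: Bitcoin nodes rank forks by accumulated proof of work, so one block that cost four times as much outranks two cheap ones even though the cheap chain has more blocks. The block layout (prev_hash, payload, nonce, difficulty_bits), the payload strings standing in for transactions, and the small difficulty values are all constructed so that the mining runs in well under a second.

```python
# Proof of work as the guessing game described in the text. Added illustration,
# not code from the article or from Bitcoin. A block is modelled as
# (prev_hash, payload, nonce, difficulty_bits); `payload` stands in for the
# block's transactions, and the difficulty values used below are deliberately
# tiny so the example runs inline.
import hashlib
from typing import List, Optional, Tuple

Block = Tuple[str, str, int, int]   # (prev_hash, payload, nonce, difficulty_bits)
GENESIS_PREV = "0" * 64


def block_hash(prev_hash: str, payload: str, nonce: int) -> str:
    """The hash commits to the previous block, so the work pays for one history only."""
    return hashlib.sha256(f"{prev_hash}|{payload}|{nonce}".encode()).hexdigest()


def is_rare(h: str, difficulty_bits: int) -> bool:
    """A hash is 'rare' when it falls below the target 2^(256 - difficulty_bits):
    roughly one guess in 2^difficulty_bits succeeds."""
    return int(h, 16) < (1 << (256 - difficulty_bits))


def mine(prev_hash: str, payload: str, difficulty_bits: int,
         max_tries: int = 50_000_000) -> Optional[Block]:
    """Guess nonces until the hash is rare. Expected cost: ~2^difficulty_bits hashes."""
    for nonce in range(max_tries):
        if is_rare(block_hash(prev_hash, payload, nonce), difficulty_bits):
            return (prev_hash, payload, nonce, difficulty_bits)
    return None


def verify(block: Block) -> bool:
    """One hash re-checks work that took thousands of hashes to produce."""
    prev_hash, payload, nonce, bits = block
    return is_rare(block_hash(prev_hash, payload, nonce), bits)


def chain_work(chain: List[Block]) -> Optional[int]:
    """Total expected work in a chain, or None if any link or proof is bad.
    Bitcoin compares forks by this accumulated work, not by counting blocks."""
    total = 0
    expected_prev = GENESIS_PREV
    for block in chain:
        prev_hash, payload, nonce, bits = block
        if prev_hash != expected_prev or not verify(block):
            return None
        total += 1 << bits
        expected_prev = block_hash(prev_hash, payload, nonce)
    return total


def pick_chain(a: List[Block], b: List[Block]) -> str:
    """Fork choice: most accumulated valid work wins; an invalid chain never does."""
    wa, wb = chain_work(a), chain_work(b)
    if wa is None and wb is None:
        return "neither"
    if wa is None or (wb is not None and wb > wa):
        return "b"
    if wb is None or wa > wb:
        return "a"
    return "tie"


def build_demo_chains() -> Tuple[List[Block], List[Block]]:
    """Constructed fork: two cheap blocks versus one block four times as expensive.
    Block count favours the first chain; accumulated work favours the second."""
    g1 = mine(GENESIS_PREV, "honest block 1", 12)
    g2 = mine(block_hash(*g1[:3]), "honest block 2", 12)
    heavy = mine(GENESIS_PREV, "single heavier block", 14)
    return [g1, g2], [heavy]
```

Note what `chain_work` rejects: a block whose `prev_hash` does not match the hash of the block before it is not part of that history, however much work it carries, which is exactly why Timothy's laptop has to redo the work for every block after the point where he rewrites the past.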
That solves some problems, but others remain. A coalition can still get together and control the longest chain (that won't end up being fully solved by Bitcoin) if they are willing and able to spend the resources for compute power. Along the way to partially solving that, you would be prudent to notice that in order to progress to the next block in Friend Coin, people will have to spend money on computer power, and no one likes to work for free. Friend Coin is useful, and it's worth paying transaction fees for, so from now on whenever someone publishes a block, they earn all the transaction fees from that block to compensate and allow some profits against the energy costs used to compute the proof of work. But this does not mean every block pays - the block has to be accepted into the network to reflect that payment, so adding blocks to a chain others don't agree is the longest is a waste of money, further encouraging all participants to stay on the same page.
Now since there are profits to be made, participants in the network actually compete to add the next valid block. Those not competing still settle disputes by choosing the longest chain, but now the adversarial relationship between the miners competing to make the next block and earn the rewards can hold people like Timothy financially accountable for trying to cheat. Remember, signatures can't be forged and participants won't accept blocks with false data, so the only avenue for attack is through the ability to produce the longest chain; that allows attackers to confuse the network by maintaining a fork of the same length as the rest of the network, permanently fracturing participants on which fork they should accept, but even worse, it allows a range of attacks known as 51% or 'majoritarian' attacks which allow someone with more than half the compute power to produce 100% of the blocks.
But Bitcoin, and Friend Coin, are actually quite safe so long as nobody does have more than half the compute power. Say Timothy had 10% of the total compute power in the entire network, more than any other single person. He would earn the most blocks out of anyone, but if he wanted to try and make a longer chain than the rest of the network, he wouldn't be competing against them individually, but as a whole. While Timothy is off spending his 10% of power on a fork he hopes will eventually be longer, the 90% of the rest of the network behaving normally is out-powering him 9-to-1 - that chain will be nine times as long as what Timothy can make by himself. No miner wants to add on to Timmy's chain, because it would be very unlikely that the work in that chain would ever be accepted and pay off. It isn't until Timothy can produce a chain as long as the rest of the network combined (which now requires producing more proofs of work than the rest of the network combined) that he can commandeer the network like he could before.
Since every individual miner is burning money in the hopes of adding their block to the longest chain where it will be accepted as valid, they will not typically put themselves at a disadvantage arbitrarily selecting which fork they want to win - they will mine on top of the longest fork because it gives them the best odds of winning. Every self-interested miner piling onto a single version of history is what gives Bitcoin its security as a network and allows participants sending money back and forth to understand just how expensive it will be for one malicious party to rewrite a certain amount of blocks.
The reason having 51% or more of the compute power is a problem in Bitcoin is because of something called 'work orphaning.' All miners in Bitcoin mine atop what they believe is the longest chain so that their work has the greatest chance of being accepted, and therefore rewarded, by the rest of the network. Now, even with 51% of the mining power, the attacker can still only produce 51% of the valid solutions which are required for valid blocks, so how do they effectively erase the other 49% of work? Even though the other 49% can wait for the attacker to produce a block and then mine on top of it, the attacker at that point has a 51% chance of finding the next block while the rest only have 49%. This may seem like a slim difference, but if the attacker simply ignores all the blocks the 49% produce and carries on mining alone, they will produce blocks at a faster rate over time than the 49%. Even if the 49% get a lead by chance, the longer time passes the more likely the 51% will pull ahead on their solo chain.
And when the 51% pulls ahead and has the longer chain, every single block which was rewarding other miners starting where the attacker began ignoring the other 49% can be outpaced and replaced by the chain the attacker made. All the rewards and work in those blocks is erased, and the 49% have no choice but to start over at the new longest fork. If they are fortunate enough to catch the attacker revealing themselves, they at least have the option of capitulating before they continue spending money on a compromised network. But without majority control, attempting such an attack is prohibitively costly.
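The 9-to-1 race and the 51% threshold can be put in numbers. The following is an added Python example, not from the article: `catch_up_probability` is the gambler's-ruin result from section 11 of the Bitcoin whitepaper (an attacker with fraction q of the hash power who is z blocks behind catches up with probability (q/p)^z where p = 1 - q, and with certainty once q >= p), `blocks_for_confidence` turns that into the confirmation depth a recipient should wait for, and `race` is a constructed coin-flip simulation of the same contest for anyone who prefers to watch it play out.

```python
# Catch-up odds for an attacker racing the honest chain. Added illustration,
# not code from the article. catch_up_probability() is the gambler's-ruin
# formula from the Bitcoin whitepaper (section 11); race() is a constructed
# Monte Carlo of the same contest.
import random
from typing import Optional


def catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker with fraction q of the hash power, starting
    z blocks behind, ever overtakes the honest chain."""
    p = 1.0 - q
    if q >= p:
        return 1.0                    # a majority attacker always catches up eventually
    return (q / p) ** z


def blocks_for_confidence(q: float, epsilon: float, max_z: int = 10_000) -> Optional[int]:
    """Smallest confirmation depth z at which the catch-up probability drops
    below epsilon, or None if the attacker has a majority (no depth is safe)."""
    if q >= 0.5:
        return None
    for z in range(1, max_z + 1):
        if catch_up_probability(q, z) < epsilon:
            return z
    return None


def honest_to_attacker_ratio(q: float) -> float:
    """Expected honest blocks per attacker block: the text's 9-to-1 for q = 0.10."""
    return (1.0 - q) / q


def race(q: float, honest_lead: int, max_blocks: int, seed: int = 1) -> bool:
    """Does the attacker's private fork get ahead of the public chain within
    max_blocks new blocks? Each new block goes to the attacker with probability q,
    which is the 'ignore their blocks and mine alone' strategy from the text."""
    rng = random.Random(seed)
    lead = honest_lead                # honest length minus attacker length
    for _ in range(max_blocks):
        lead += -1 if rng.random() < q else 1
        if lead < 0:
            return True               # attacker's chain is now the longer one
    return False
```

With q = 0.10 the odds of overtaking fall by a factor of nine per block of lead, so four confirmations already push the risk below one in a thousand; at q = 0.51 no depth helps, because `catch_up_probability` is 1 for every z, which is the orphaning outcome described above.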
That is the basic design and security of Bitcoin. So where does Saito come in? Well, Saito takes a different branch in the path many steps back - all the way back to when 'busyness' was first being quantified. Remember how in the early days of Friend Coin disputes were settled by blocks which had more transactions? Eventually 'more transactions' was abstracted away to mean 'more blocks,' and 'more blocks' was abstracted away to mean 'more blocks with expensive guesses included.' You might see the disconnect in something beautiful here - when 'busyness' and transaction quantity was the metric, there was an inclination for the network to settle disputes by choosing the side which was more productive - that is, handled more people's transactions. This had to be largely abandoned in Friend Coin and Bitcoin when it was discovered that the metric can be cheaply and easily gamed by sending money to oneself in circles.
'Longest chain of blocks' ends up being an approximation of that productivity, but it comes with the assumption that blocks are full of 'useful' transactions. But remember Timothy's second attack? He produced thousands of blocks a second full of any junk data at all to get an advantage. The network could defend by doing the same, and to make that defense more efficient, the work was condensed into small proofs of work instead of thousands of bloated blocks. Switching from thousands of blocks to a small, but expensive proof of work that fits in a single block is an improvement, but ultimately it is a way to compress the action of adding many useless transactions such that the honest majority can fight back without adding masses of data to the chain. A beautiful optimization of Timothy's original, crude strategy: adding useless data, morphs into producing a much, much smaller amount of rare numbers. Data costs have been transformed into energy costs, but the dominant strategy remains: just add blocks - the actual transactions inside don't matter at all as far as dispute resolution is concerned, the 'busyness' metric for the network is completely disconnected from anything practical apart from security.
Saito takes a step back and asks: "How can we quantify genuine transactions as the fundamental value which settles disputes?" In the same way that miners in Bitcoin spend vast resources to produce the longest chain, if a metric which measures genuine transaction demand can replace it, the network will get its security against attack not from merely producing arbitrary work (a stand-in for the production of thousands of blocks a second, which is itself a gameable heuristic for value), but will instead get its security from servicing those transactions, from being efficient. If transactions are what are most important, not just arbitrary blocks, then the cost impetus shouldn't be attached to each block, it should be attached to each individual transaction.
Now instead of miners working to build arbitrary blocks, miners seek out transactions to provide them with enough work to be considered valid, and when a total sum of work collected into a group, or block, of transactions is past some threshold, that block can be considered valid. There is an efficiency to be adopted here: in the same way that Friend Coin started assigning proof of work to blocks rather than allowing participants to compete with extremely long chains to encapsulate the cost required, transactions themselves don't need to include proof of work to show that cost was imposed to create them, they can simply include transaction fees. Whether the transactions prove their validity through proof of work, or through transaction fees, an attacker making the longest chain has to spend money in some form.
Timothy's back, and he notices a flaw. If he wants to build the longest chain on Saito and he has enough tokens to cover the fees, he can spend all his money on fees in order to make blocks faster than others, and since this design so far pays those transaction fees to the block producer responsible for collecting them, he can earn all of his money back plus some fees from other people. Even worse, he can spend his tokens on one fork, but then go back in time to an older block and use those tokens again to rebuild a new fork past the main one. With the fees he earns he gets more power to dominate the network. Timothy might not even need to spend money setting this up - he can slowly build up rewards for collecting transactions as normal and use that ever-growing pool to gain attacking power.
So what makes Bitcoin different from this? Why can't a miner in Bitcoin just slowly build up rewards and then spend their own money to get it back? Part of the reason is that Bitcoin mining relies on cheap energy, and cheap energy is usually cheap because it is in low demand. Low demand means low supply, so miners either have to fight over existing cheap energy or build their own infrastructure around unused basins of energy. In addition to spending money buying, maintaining and replacing the mining computers, they have to flesh out new energy infrastructure if they want to continually expand. This means that even successful miners run on tight margins and limited supply when it comes to expanding their ability to produce valid blocks.
If the supply of cheap energy were ever to grow in accessibility and supply, then the dynamics would start showing the same issues this draft version of Saito-so-far has. This 'flat supply curve' indicates that new supply (of access to Proof of Work) doesn't cost more than the existing supply. More on that later...
Right now transactions-as-work has another problem: there is no good reason to share transactions. If a group of transactions is what makes a valid block, and the maker of the block is who gets the money, then no rational economic actor is going to give their competitors a chance to claim the fees in the transactions he is hoping to get. In Friend Coin people would share transactions without much thought since the reward came from the blocks, but now it's a fight over transactions. Saito does something very clever: it doesn't reward for producing blocks, as that is just an approximation of collecting transactions - instead, it rewards specifically for collecting transactions - this means once you have collected a transaction and it is marked with your signature, you have nothing to lose, and often, something to gain, by sharing it with others.
Nodes in Saito earn their work from transactions sent to them. A node with their identifier signed into a transaction is now entitled to the reward from that transaction (in reality it is entitled to a lottery ticket proportional to the rewards in a block - this keeps payout data as small as possible, but the rewards over time average out the same). If a node receives a transaction and shares it, it can make it into a block more quickly, but must also share that reward with the nodes which helped route it. Users who sign for and send to multiple nodes force them to compete to get the transaction into a block; only one version of that transaction can make it into a block and only the group of nodes responsible for getting it there is rewarded, so it's a networking race.
Now that's useful. In our hypothetical Friend Coin (and Bitcoin in reality) the best measure we could use to settle disputes was a derivative of creating blocks, with the work required to make many blocks condensed such that making a single one is very difficult. A block is a rough approximation of something useful for the network, since they are supposed to have transactions in them, but it ends up being far removed and prone to exploit. With Saito, nodes with transactions sent to them get to claim the reward if that transaction makes it into a block, so they have motivation not only to get transactions, but to send them to whoever it takes to get them into a block first.
For those interested in some of the finer details:
The concept does go a bit deeper: if a node has claim to a transaction, it can do the same process the user did to send it to them - it picks the node(s) it wants to pass that transaction along to, marks those nodes' identifiers on each version, and sends each its version. Now the transaction has two claimers, node 1 and node 2. This is important, because the following nodes do valuable work in getting the transaction into a block, so they should want part of that reward. The reward breaks down as follows: If the transaction fee is 10 Saito, the first node gets 10/10 from that fee. Once that transaction is marked for a second node, the denominator increases by half the base fee (10 Saito), so that the first node now gets 10/15 and the second gets 5/15. This can keep going... 2.5/17.5, 1.25/18.75... etc. The important concept is that nodes share their fees with other nodes who can get a transaction into a block for them, and the earliest nodes are rewarded the most.
But the problem still remains: a node can spend its own money to make its own block, not share any of the rewards from its own transactions, and simply churn out as many fee-paying transactions as it takes to make a valid block before anyone else. Since they didn't share, they get all the money back and can instantly use it again - at least in Bitcoin, mining has setup costs; this is instant and full repayment, which means they can continuously attack in this manner.
And another issue: now that producing blocks really just relies on having tokens, there is nothing stopping an attacker from spending tokens, getting something external (like a laptop) in return for them, and then going back to a block where they still had those tokens and using them to create a new fork to compete with the main chain (long-range attack). Since they are spent anyways, the attacker has nothing real to lose in trying and can possibly take over the main chain and steal their money back. This is much different than in Bitcoin where proof of work demands real energy and therefore costs to rewrite history.
So even though Saito has a different measure of the work which makes the longest chain valid, it ultimately still needs proof of work somewhere to prevent the arbitrary use and re-use of transactions as work. But the Saito solution isn't to give the ability to make blocks to number crunching computers, as that would remove the beautiful incentive to collect and share transactions efficiently. Instead, proof of work is used to later unlock the rewards from those transactions, and take half of those rewards. This does mean that users now have to pay miners as well as the nodes which efficiently route transactions, but it is the cost required to make the most basic version of Saito more secure than a standard proof of work chain at half the mining cost.
Now if an attacker tries to spend their own Saito to produce a block before the rest of the network, half of what they spent doing so will go to miners instead of them. They can no longer attack forever as they will be constantly losing money to fill blocks with their arbitrary transactions which were only ever designed to attack the network by commandeering the longest chain. It also prevents an attacker from spending tokens they have previously sent to other parties, because going back in time and using them to take over their new version of the chain now requires real mining energy to pull off. This is because unless they complete the proof of work needed to unlock the rewards, they will quickly run out of those tokens - and if they do mine, they will spend real money mining and have to compete with all the miners on the main chain - just like Bitcoin.
At this point, it's shown that Saito can optimize for getting transaction data into the chain while incentivizing nodes to work together, but not waste resources - all while retaining the security guarantees of Bitcoin. The security actually ends up being better though, when thought through. In Bitcoin, an attacker with 51% or more of work could permanently maintain a fork the same length as the other half of the network, which means they could also do worse things like overwrite the rest of the network at any point and take 100% of the rewards. The question for Saito is: if an attacker had 51% of the work required to produce blocks (so more than half the transaction fees required to make a block) and they had 51% of the mining power, would they be able to do the same attack in Saito?
The answer, incredibly, is no - which is a first for blockchain; no 51% attack. The reasons are fairly simple. In Bitcoin, producing half of the blocks will earn you half of the rewards which is transaction fees plus newly minted Bitcoin (though newly minted Bitcoin will eventually run out, it doesn't change the end result). The attacker may have had to mine at a loss before they acquired half the mining power, but once they have half, they can, if they choose, get the rewards from 100% of the blocks since the other half of the network can't ever make a longer chain with their lesser half of the work. The attacker now earns twice as many rewards as the work they produce, if they so choose to. Other miners can't profit, and drop out, making the attack even easier; even if the attacker remains subtle, other miners' margins will shrink.
In Saito, the money the attacker has to spend to produce a block is through transaction fees, and then they must spend other resources mining in order to earn those fees back. The issue for them is that no matter how much Saito they have to spend on fees, or how much mining power they have, they always lose money. This is because they have to spend money to produce the fees for the block, and those fees are the maximum reward they can get back, but in order to get back all the tokens they just spent, they have to mine for it, which is costly - and that extra cost only gets them back what they spent in the first place, so no profits.
Compare it to Bitcoin if miners could only earn transaction fees there (as will eventually be the case). In that case, miners do not have to spend their money on fees, because the only test for a good and valid block is mining power. So miners can earn fees and produce blocks with the same action. In Saito, each action requires money - one in the form of transaction fees (to produce blocks) and the other in the form of mining (to unlock rewards). Users pay the additional cost of mining that nodes will demand because that is the cost of security. When an attacker uses their own Saito as fees to produce blocks in an attack? Well in that case, the attacker is sending money to themselves; they get no utility out of the security since they could have just done nothing and kept the money, but they still have to pay for that security through mining.
Because they pay that security fee, they lose money. Normal users pay the fee and in return get assurance that the network won't be revised later on. Attackers and honest users gain fundamentally different utility from posting transactions to blocks, but they both pay the same fee. This is a pure waste for attackers, because if they wanted to send themselves money, they might as well just not send it at all and pay no fees. Honest users don't expect to get those fees back, and they don't mind, because they get utility from sending money around securely - they have no reason or utility to gain to send mass amounts of money to themselves. Attackers, on the other hand, need money to sustain the attack but have to pay to get it all back. Since they aren't getting any economic utility from sending those transactions, the fees they pay are a pure waste for them; they go right into a mining paywall.
The game theory here is worth sitting with; it is simple in theory but genius in design, and it may take considerable effort to convince oneself of its security. In blockchain, many classes of attack are trivially defended against: erasing data, impersonating wallets, and breaking the rules of accounting are no big issue. Where the vulnerabilities in blockchain are concentrated is in getting everyone to agree and to remain in agreement. Disrupting this consensus allows personal trickery and the halting of the network's automatic functioning. In Bitcoin and other blockchains using Proof of Work or Proof of Stake, consensus, in the most charitable case, imposes costs on attack only as long as no one party controls 51%. In Saito, profitable attacks are not feasible no matter how much money or mining power the attacker has: they must always spend money to produce blocks and then spend money again just to make up for that first cost.
Apart from the fact that in Saito the money required to produce blocks and earn rewards is greater than the money which can be earned back, Saito also solves the problem of work orphaning in Bitcoin. In Bitcoin, a 51% attacker can overwrite other blocks to waste and erase the resources put into them, but in Saito, work is in the transactions. Either the attacker is including every transaction (which means the network is working as intended), or those transactions are building up within competing nodes. Producing a block doesn't erase those transactions, which means the work the attacker must compete with grows as the attack goes on.
That attackers waste money while normal users do not, combined with the elimination of absolute work orphaning, allow Saito to be secure against 51% attacks. It is the former aspect which is far subtler. Sending transactions to oneself is in most cases useless, but sending transactions is required to grant the power to produce blocks. Keep in mind that it is really the attached fees which grant this power, and that half of these fees can only be earned for a cost. If producing blocks granted one all of these fees, then using them to produce blocks would have no costs - but it only grants one half the fees, which makes spending money for the purpose of producing blocks unsustainable. But spending that money to securely send money is a sustainable and rational decision. Saito taxes all transactions equally, but while the tax may be worth the security of genuinely sending data to the blockchain - that same tax becomes a pure cost when the intention is to use fees to take over the network by spamming it with redundant, self-serving fees.
It is this tiny detail, the difference in economics between paying a fee to send a genuine transaction and paying a fee to send a junk transaction to game the system, which makes Saito so revolutionary. It is, in fact, more faithfully using Proof of Work as it was famously first employed: before Bitcoin, Adam Back invented 'HashCash,' an email anti-spam protocol which required senders to attach small proofs of work to emails in order to make clear to recipients that they were not spam. If a genuine person writing from an untrusted address needs to send an email to you, they can afford to attach the small proof of work which might cost ten cents to compute. Should that same proof be attached to every email in a spam campaign of, say, ten thousand emails, the total cost for the spammer would be $1,000. Spammers usually do not receive a $1,000 return for sending ten thousand emails.
Saito is an evolution of HashCash, more than it is an evolution of Proof of Work. Paying an extra few cents to get a payment to someone is worth it, but out-paying all the miner fees paid in a single block just to promptly publish a single block of your own is not. It is only by having these fees that control of the network can be exercised. By collecting them from users seeking the utility which makes that mining fee worth the cost, nodes can profit off their half of the reward and users are happy paying nodes and miners to get security. Attackers on the other hand pay that mining fee but get no utility out of it. To top it off, unlike Bitcoin, producing a block first doesn't allow one to render all competing work useless, just the published transactions which lost the race.
Interference can be bought, but it increases in price with duration: sustained attacks thus require sustained costs. Attackers must either let other nodes in on the rewards or continue to increase their own cost of attack by letting the rest of the network build up its own work. Even if an attacker naturally has an extreme share of honest fees at their disposal, like 90%, they still have to deplete them for every block and allow the 10% minority to build up its own fees. Eventually that minority will have built up more than the 90% has remaining, and will be allowed to produce a block. If the 90% wants to overwrite that block, the attacker will have to spend their own money on fees to make up the difference, which means burning half of it to the miners.
Every time the 10% catches up to the 90% (which will be about 1 in 10 blocks), the 90% will have to burn money in order to overwrite the 10%. Every single time the 10% of transactions are censored, they build up in the potential for a new block. This potential can grow without bound, and as it grows the 90% will need to spend more and more money to continue censoring it, until it costs so much to exclude the censored transactions that the 90% will go broke. This means that even if the most powerful networks in the world decided to try and take over Saito in order to censor other block producers and transactions, the best they could do is delay the inclusion of certain transactions until the cost to censor simply rose too high. Eventually even the richest company on Earth would not have the resources to out-pay an ever-growing pile of censored transactions and their ripe fees.
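The two economic arguments above, that a producer paying its own fees cannot come out ahead and that censoring a minority's transactions costs more with every block, as an added toy model (illustration code, not Saito's own implementation and not a faithful model of its consensus rules). The model assumes what the text states: fees are the work that produces blocks, half of a block's fees go to miners, and a block that overwrites another must carry at least as many fees as the one it replaces. The function names, the per-round fee figures (9 units of honest fees routed through the attacker, 1 unit through everyone else), and the simplification that a producer who pays to mine wins the miners' half are all constructed for the example.

```python
MINER_FRACTION = 0.5  # share of a block's fees unlocked by mining (the text: "half")


def producer_net(fees_in_block, own_fees, mining_cost=None):
    """Net outcome for whoever produced a block.

    fees_in_block: every fee the block carries. own_fees: the part of those the
    producer paid itself by sending transactions to itself. mining_cost: what
    the producer spent mining to unlock the miners' half (None if it did not
    mine; assumption: a producer that mines wins that half). A genuine user's
    fee is a cost to the user, not the producer, so it is income here.
    """
    router_income = fees_in_block * (1 - MINER_FRACTION)
    if mining_cost is None:
        return router_income - own_fees
    miner_income = fees_in_block * MINER_FRACTION
    return router_income + miner_income - own_fees - mining_cost


def censorship_cost(rounds, attacker_fees=9.0, minority_fees=1.0):
    """Simulate an attacker that refuses to include the minority's transactions.

    Each round attacker_fees of honest fees arrive through the attacker and
    minority_fees through everyone else. Censored fees are never spent, so the
    minority's backlog grows every round. To keep its chain ahead the attacker's
    block must carry at least as many fees as that backlog; what its honest
    inflow does not cover it pays out of pocket, and half of that is burned to
    miners. Honest fees the attacker routes still earn it the routers' half.
    Returns one record per round, with running net = income - burn.
    """
    backlog = 0.0
    total_burn = 0.0
    total_income = 0.0
    history = []
    for rnd in range(1, rounds + 1):
        backlog += minority_fees                      # censored fees pile up
        own_fees = max(0.0, backlog - attacker_fees)  # shortfall paid by attacker
        burn = own_fees * MINER_FRACTION              # lost to miners
        total_burn += burn
        total_income += attacker_fees * (1 - MINER_FRACTION)
        history.append({
            "round": rnd,
            "backlog": backlog,
            "own_fees": own_fees,
            "burn": burn,
            "net": total_income - total_burn,
        })
    return history


def rounds_until_unprofitable(attacker_fees=9.0, minority_fees=1.0, limit=10_000):
    """First round at which cumulative burn exceeds cumulative routing income."""
    for rec in censorship_cost(limit, attacker_fees, minority_fees):
        if rec["net"] < 0:
            return rec["round"]
    return None


if __name__ == "__main__":
    print("honest block, 10 in user fees:", producer_net(10, 0))
    print("self-funded block, no mining:", producer_net(10, 10))
    print("self-funded block, mined at cost 3:", producer_net(10, 10, mining_cost=3))
    for rec in censorship_cost(15)[8:]:
        print(rec)
    print("attack turns loss-making in round", rounds_until_unprofitable())
```

With the constructed 90/10 split the minority's backlog first exceeds the attacker's honest inflow in round 10, the out-of-pocket payment then grows by one unit every round, and the attacker's cumulative routing income is overtaken by its cumulative burn in round 33; from there the attack only gets more expensive, which is the "ever-growing pile of censored transactions" the text describes.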
There is more to Saito, and even more still to understand about the basic functioning of Bitcoin and Saito, but this general overview is enough to realize the core innovations of either. If what is written here can be confidently understood by you, then your foundations in thinking about blockchains are very solid. All other problems that need to be solved are surface-level specifics in comparison, implementation details; what this piece has dissected are the most fundamental problems in distributed consensus, and how they may be solved.