We got dr. K. We're gonna be talking proof of work last week We were talking proof of stake and I got shoot out for that. Everybody thinks you know, I work for the Israeli government now I don't know what's going on.

I did one episode Like the Manero community is ruthless But we got dr. K on I think he's gonna be a strong representative proof of work Although people might yell at me because you're working on another cryptocurrency. I don't know that there's the Manero maxis out there So I'm sure I'll get shipped for that But dr. K, why don't you go ahead and introduce yourself and we'll get to it I honestly don't know much about you. So I'm curious as well. Who who is dr. K. Yeah, so gotten to crypto circa 2012 I Was actually getting my doctorate from University of Texas at the time. So as I was getting a degree in engineering I was also Kind of studying cryptocurrencies as my citing interest Ended up in what type of engineering? Material science and engineering. Oh nice. Yeah, I took some materials but go ahead. Oh, yeah So finished my degree in materials and decided I wanted to work full-time in crypto The entree into that at the time was working for consensus so I went to work there for a bit and then I Did a spin-out from consensus called grid plus where I was in charge of building the lattice one hardware wallet which is


 
and it looks like this. Oh, there we go. It's kind of like a little point of sale terminal type thing. It has like some little smart cards you can put in. So you can have many, many cards per device. So I did that for a couple years while I was working on that. I kind of came up with the idea of how to scale proof of work. I got a National Science Foundation grant on that. Worked with a prof that I knew at the University of Texas. This was after I was done with my doctorate, but kind of part-time, kind of doing this research project of how to scale proof of work.

Got that grant, had a few students work under that for a couple years, and then in 22 one of those students was able to raise money with Ollie Chain, which is to build Quiet Network, which is a scalable proof of work blockchain. So really my goal in crypto, I've been to build technologies that maybe lower the barriers to adoption. If that's the user interface so that people can easily self custodian and spend assets all at the lattice one and smart cards, or if that's guaranteeing that the system can provide transactions at a fixed low cost over time via something like Quiet Network. That's really been my focus is, is how do you make cryptocurrency accessible in a way that it can actually scale to be digital cash? And so that's really been my focus. Shit, man. I'm glad you're on this show. I'm glad you're on Monero Talk. You came to the right place. And you're into Monero as well, right? Yeah, yeah. So what's kind of your crypto story? Obviously you started your own crypto based on some of the things you've invented, but what's your overall crypto arch? Yeah, so I mean 2012 is when I've kind of got into Bitcoin, like when I first bought Bitcoin, you know, had some exposure to kind of early sort of ICOs and new tokens. One of those was X11 back in the day. 

 
I don't remember. I don't remember hearing that one. Wow. 

 
Well, so X11 is the precursor to Darkcoin, which is the precursor to Dash, right? Okay, yeah, Darkcoin I heard. I didn't know there was a precursor. I didn't know X11 came before it.

Wow. Yeah, yeah, so early there it was X11, right? That was funny because one of the early arcs in crypto was sort of the algorithm wars, if you will. So with SHA256, obviously, it started on CPUs and quickly moved to GPUs, then eventually ASICs. And so at the time, people were saying, oh, it should still be CPU friendly, not GPU friendly. So then Litecoin came about with script, and then that kind of evolved into... There was one called Vertcoin, which was like a dynamic version of script. And then X11 was like, we're just going to take all of the hash algorithms and we're going to stack them together, baby. 

 
Yeah. 

 
And that's I suppose pause never because they had 11 different hash. Oh my god on top of each other So they just chained them all together. They're like, it's more secure That might be the that might be the future of an arrow though. Who knows right at this rate Well, so the interesting thing was with x11 They they kind of did that as saying, you know, it was more secure but but just from the hashing algorithm But then they rebranded the dark coin because they started to look at privacy technologies So it wasn't one of the privacy projects that actually predated Monero and predated by soon By I think a couple years Obviously it predated by coin too.

Okay. Yeah. Yeah, and then bite coin came after that And then obviously Monero originally was a fork of by coin even though there it's so though so yeah, like by coin obviously Monero I coined Monero obviously all derived from the crypto note white paper. What was the white paper of of dark coin? What was kind of there? No, they were like the the original thing They blazed their own trails was to speak. So what we were attacked though, like they were proposing like like the basic so initially it was it was I Think it might have been like a Bitcoin fork but then they Were doing things with fixed denominations and they were doing things with Mixers and then they introduced something called a masternode and when they introduced masternodes, that's kind of when I checked out from the system because Effectively what they were trying to do is like the masternodes would sort of work as the pool if you will to like pull the Transactions or effectively like coin join them But that made a centralized block proposer Which wasn't sort of my favorite thing in the world I was like the second you launched this those things are all gonna get DDoS and the second they launched it everything out DDoS, of course, you know, right?

I mean they ended up working it out and you know You know dark coin is a thing. Obviously Monero has for exceeded what the dark coin, right? And then it became dash which uses the the masternodes to this day, but for governance not so much privacy Yeah so and then I Like to have like a funny story.

It's only so funny But then then there was kind of like that aetherium ICO thing and last week we're like becoming a thing And I know about this aetherium one, but my wife wanted to go on a spring break trip to California in 2014 and Just randomly I got on a plane and next to me this is before the ICO Seated next to me is this lanky? 19 year old That's metallic. Holy sir. Somehow. It's like chances of one in 80 million. I got sat next to italic right before the law ICO and I sat down and I asked him I was like so I got like 100 Bitcoin I'm gonna put into your ICO and at the time like a hundred Bitcoin was like 20 grand I don't know like 30 grand because I remember I remember I was gonna put one Bitcoin into the ICO and I was like No, I want to hold on to that one because that was a lot for even at that time I was like, I don't want to lose that one Bitcoin. You had a hundred and holy shit Oh, no, this story gets better and the story is way better. 

 
Oh my god, so so I talked to him I'm like, give me your best pitch and he's like, okay world computer programmable money I'm like, what can you do with programmable money? And he's like escrow contracts. I'm like, okay So like we talked for an hour and a half But then he pops his computer out and he starts working out the consensus code Like for the next hour and a half and I'm just the kind of watch him But I get off the plane and I tell my wife I'm like it's that's the guy It's like doing the the crypto that I got want to be scared.

Yeah, like he's way too artistic to ever pull it off Oh my god, that's hilarious That is the most expensive Break break and there is talking about an opportunity Staring you literally staring you in the face sitting next to you on the plane. That is incredible, man That is that is an incredible story Now I don't feel now I don't feel as bad as about not spending my one Bitcoin on the ethereum ICL which would have been one In feeling alien. Holy shit. So I think The universe has other plans for us because if I had done that I'm pretty sure I would have gotten real lazy afterwards Right? I do think of that with Monero, right? Like, obviously, I would love to see the price go up, but it's also, it's given me time to get so much more involved and do things in the space and force me to, like, work more in the space as I wait for the hopeful eventual rise, Monero. But that's the silver lining I see there, similar to what you're saying, I think.

Yeah, so it was... So then back to the general arch, though, of, like, where Monero came in. So you're aware of Dark Coin?

You missed the Ethereum ICO, even though it was literally almost sitting in your lap. Yeah, how about, where did Monero come in? Or any other significant crypto moments in your arch? Monero is something I discovered on Polanyaks. Okay. So I think I actually knew about Bitcoin first, and I wrote, or I read the crypto note paper, but, you know, one of the issues with Bitcoin is it was kind of not, I think, intentionally pre-mined, maybe intentionally or not, necessarily can subscribe motivation, but nobody knew about it for, like, two years. So there is just intense, like, overhanging supply. And then I don't know, I don't know if I knew about Monero pre- or post-launch, but I knew of it soon after, you know, and I mined some Monero. And then, you know, I was a big fan of Polanyaks at the time as well. And Polanyaks was cool because it was one of the only exchanges that really listed Monero initially. Yeah, I was aware of Polanyaks. It leaned into it, right? It had pairs, it had, you know, BTC pairs and XMR pairs. So, yeah, I was just, you know, on Polanyaks, I actually thought that was, like, peak crypto when they still had the troll box, because people would talk shit. We have the troll box on XMR Bazaar as a tribute. You know, people would talk crap to each other, often the troll box. Which was great. And you could actually, like, see the number of people online. And if the market was just, like, buzzing. And I want to say this is probably, you know, it's hard. 

 
Probably, like, 2017, I want to say if the numbers were just, like, enormous and Polanyaks was just, like, straining out of the way. It was, like, 40,000 people were, like, all online. But they displayed it at the bottom, and everyone was, like, talking crap to each other, the troll box. It was a lot of fun.

Right, and so 2017 was when I graduated, and I went to work for Consensus then, worked there for a bit, and then did that spin-out group plus where I focused on the hardware wallet. Okay. And so, obviously discovering Monero on Poloniex, and you go down the Monero rabbit hole with the technology, and obviously, you're very attached, yeah. Well, I've actually already known about it prior to that, right, because of like, right, so. Right, right, right, right, right. You know, Monero has its J, and I, you know, I don't want to like offend anybody, but as I remember it, and again, like, who knows if this is correct or not 10 years out, as I remember it, Monero was the example of kind of the fork winning, and it's like the only example of that, where you have like a sort of novel code base in crypto node, and then Monero kind of won the market just because bite one was effectively pre-mined for two years. So, but I knew about it prior to that, and then the other thing with Monero though is like, Monero doesn't really look like crypto node at all, it's been so many evolutions of the design over the last 10 years, it's almost hard to keep up with, right, and you know, that's one cool thing about Monero is that the miners and the boss contributors are constantly trying to evolve and improve the privacy in the system, right, and that's eventually full membership proofs.

So you know, I think with money and crypto, right, early on with Bitcoin, we kind of started to see that, and this is really early on, I mean, I'm talking like 2013, it was pretty obvious to anyone thinking about it, and talking on Bitcoin talk, that privacy was not a thing here. That it was going to be very, very traceable and trackable, given addresses and stats. You know, people started to try to do things with coin drawings, but based off how those work and the set and everything else, even that is not a great solution. And so that's one of the reasons I had really interested in Darkcoin and early interest in Bitcoin and then early interest in Monero, because, you know, I think for crypto to serve its purpose as being decentralized, censorship resistant money, it's not just the consensus mechanism, it's also the properties of the assets themselves that really give them, you know, those censorship resistant properties. And if you have money, monetary policy isn't controlled, something like Bitcoin, but it's perfectly sort of traceable, trackable, like Bitcoin, you're ultimately not going to have free speech. So like to have free speech and like a free society, you have to have private money. 

 
That's sort of a pretty obvious thing to me early on. And that's really where my interest stems.

Awesome. Preaching to the choir over here, man. That's awesome. So what is then your current take? Which crypto or cryptos do you think is doing the best job at being, you know, untraceable, uncensorable, surveillance ship proof digital cash? You know, it's I think I think ultimately like Monero clearly is the answer to that. Though I think there's challenges, as like we're seeing with, you know, cubic and everything. Roy's signature is another challenge. And ring signatures and poisonings and all that. I mean, you're moving a full membership proof, so when that does happen, that sort of goes away. You know, delistings, obviously, you know, markets vanishing overnight, that's not super helpful. So, you know, of all the privacy coins, it definitely like holds the holds the mantle at this point in time.

The thing that I don't think Monero does well, if we're talking specifically on cash, would be time to settlement and throughput. But yeah, even with dynamic blocks for throughput, I hear you with time with settlement. Well, so it depends on sort of what your definition of scale is. So with with crypto and just this concept of how do we get to peer to peer electronic cash, one thing that I haven't really heard people talk about is what is the number of transactions that are actually needed? Like, what is the demand side? When when I've tried to estimate it, I estimate it on the order of 100000 transactions per second of sort of economically meaningful transactions happening for people that have like access to smartphones and Internet is my estimate. I haven't actually seen anyone else try to estimate it. So when I'm talking about scale of being able to sort of make ubiquitous peer to peer cash, that's the scale that I'm talking about. 

 
Mm hmm. Yeah. 

 
and scaling the proof of work mechanism, obviously, is something that you're interested in. What got you going down that rabbit hole when you talk about wanting to make sure these things scaled? Why was it the proof of work aspect that you were interested in focusing on? I'm not a maximist in many things. I try to be first principles-based. But one of the things I've found myself being mostly a maximalist in is proof of work. And I think that there's several ways to interpret why that is, but there's almost like an intrinsic feeling. Convince me to be a proof of work. I'm open to becoming one. My overall take with everything that's going down is being open to, and we can get into this, is being open to considerations of adding something like a proof of stake finality layer, because I hear very intelligent people like Luke Parker proposing these ideas. But I'm not opposed to being convinced that there's some fundamental reason why we need to be 100% proof of work. I'm not there yet, though.

Let's see what you can do. Well, let me just express proof of work and my evolution in proof of work. But early on with Bitcoin, there was this sort of Neanderthal understanding that proof of work was better than proof of stake, just because it's hard, just like hard money. And that really stems from this concept of gold in some ways. When we actually talk about gold, where does the value of gold come from? The work it takes to mine it. That's right. So it's not that it's shiny, it's that it's a physical manifestation of expended energy. And that really is its value and its market price always converges back to that amount of effort in value. So it creates that concept of hard money.

So having a consensus mechanism and an issuance mechanism related to a hard feature like that in something like Bitcoin, was one of the really attractive pieces of proof of work. Now, that's just level one. Level two, and you have to actually start to think more deeply about that concept a little bit more, that analogy. If we look at proof of work and we look at Bitcoin being called digital gold, I would actually tell you that Bitcoin is not digital gold. And the reason that it's not digital gold is because the total value of the coins do not reflect the total amount of energy that went into making those coins. Bitcoin was designed to not be digital gold because it had a deflationary emissions policy. That deflationary emissions policy means instantaneously the value of a token being emitted should be roughly proportional to the energy going into it. But over time, because it's deflationary, the total value of this tokens is going up. So it's like a dividend to the early investors, so to speak. But it certainly is not gold in that if I put in my hundreds... It doesn't have the Manero tail emission. It doesn't have the Manero tail emission is what you're talking about. 

 
Yeah. Well, but the big thing is with gold is no matter where I exist in time or space, if I sort of put the same amount of work into it, I get like the one ounce out. So that's why gold is fair.

What Bitcoin specifically said is we're going to make it somewhat unfair by rewarding the people that could know about it and buy it in 2009, 10, 11, and 12 versus those that bought it later. And that was by design, and that's a fine design.

And obviously that makes the Bitcoin price go up, which is great. And every sort of cryptocurrency that has existed afterward has adopted that flywheel in some ways, but it's not digital gold. So do you think Manero better mimics it or even Manero still? What would mimic digital gold if you were to design? So digital gold would be creating an emissions policy such that... It goes up based on the amount of energy you're putting into it at any moment. Yep. That's right. So you're always roughly getting the same amount per mint. Right. Yeah. So in some ways, a mature Manero with a low tail emissions is maybe asymptotically approaching that, but the emissions curve still does not reflect gold-like properties, but the ongoing tail potentially does.

That would be a potentially fair statement. Now, one of the problems though, and this goes back to the whole cubic conversation, is that because Manero hasn't figured out how to scale to increase its transaction throughput with that low tail emissions, you don't have as high of a security budget. If every Manero block was full with 10,000 transactions, all paying a few cents on a fee, the security budget would actually be pretty good. And this wouldn't even be a discussion right now. So that's also one of the reasons when we're talking about proof of work, if we like proof of work, we also have to talk about scale because really the only way to design sustainable proof of work systems that have gold-like or deflationary monetary policies is to generate sufficient revenue through transaction fees to pay for the security budget.

So that's also like a viewpoint that I have. Once again, the dynamic block size in theory should do that better than at least what Bitcoin is doing. It may not... So dynamic blocks are great, but that in terms of scaling, in the scaling conversation, just increasing the block size is like the very first order of the problem.

There's like seven orders after that, but scaling blocks helps and that sort of takes away the first intrinsic or endogenous limit, I should say. But it doesn't let you keep going, so to speak. So there's a whole set of conversations about that. Just to get back to proof of work itself. So your primary arguments are one, proof of work fundamentally mimics heavy metals, this idea of mining, the amount of energy you put into it gives the thing its value. It takes energy to create it, extract it, and that creates the fundamental value for it.

And then so then what was your second proof of work? Yeah, that's like level zero for proof of work, level one. 

 
And I think early crypto people and early Bitcoiners all feel that, and maybe some can express it some better than others. But then the next order of business is that it actually creates immutability with time, which proof of stake fundamentally does not. When you do work, as the transaction gets deeper in the ledger, if you were to ever go to try to reverse or change the state of the ledger back in time, to do it with inside of consensus rules, you'd have to mine a longer chain. And that gets expensive to do.

And if anyone ever goes and tries to sort of change that record, everybody's going to be able to see it because you're not going to be able to sort of create the second system that is equally valid, right, without expending a ton of money, energy. And you potentially never win if you're using something like a longest chain. So it actually creates immutability at depth. I think that's a very like key quality of proof of work. The other thing that like the thermal dynamic argument, right? Right. So if I talk about proof of stake, proof of stake actually offers no finality at depth. Because for as far back as you have a plurality of stakers, for effectively zero cost outside of the social coordination cost, you can go back and mutate the ledger, right? Because it's just signatures. So there's no actual cost to changing anything for any period of time that you have a plurality of stake participants. Right. If somebody's basically able to take over the network with enough stake, that could erase all the history. Well, but it doesn't have to be same when you change the mistake, it actually gets way more subtle than that. It has to be somebody can coerce the plurality of stakers to do a thing. And what that actually looks like is probably regulatory. So it's not like so many. Well, yeah, okay. That's a means of doing it, it's effectively, it's all a certain percentage of stake being unified to do something, right? Yeah. So somebody doesn't need to come in and buy the majority of Ethereum to make Ethereum buy consensus be OFAC compliant. What they have to do is they have to look at the plurality of stakers that maybe exist in Coinbase and Kraken and some institutional players and say, hey, Treasury, we're going to say that these individuals need to only produce OFAC compliant blocks and only produce blocks on OFAC compliant blocks as the plurality of stakers and all of those companies businesses are related to their revenue is related to maintaining access to the US dollar system. So the Treasury, because they have to have access to the dollar based system, and then the majority stakers on the Ethereum network could potentially coerce the Ethereum network to just become OFAC compliant. And that actually is the biggest thing that everybody should be concerned about, because that's probably the most likely to happen. It's not somebody's hump opening. But then on the other end, and I want you to finish all your thoughts with why proof of work, all your layers of thought there. 

 
But on the other end, we see with proof of work, potential attacks where regulators could coerce and take over the proof of work mining industry. And granted, it's not as direct, but effectively, they can achieve the same thing in terms of blacklisting transactions and things like that.

Well, so it's a little bit different, right? So like, we see OFAC compliant, we've seen the implementation of OFAC compliant proof of work, Bitcoin mining. Right, right. But so I think the difference though, is that there's really an intrinsic property between proof of work and proof of stake. One is like opt in and one is opt out. So like in proof of stake, this is expressed as the nothing at stake problem, right? So if you actually like game theoretic run, like what's going to happen if someone's right, you got a rock, OFAC compliance and Ethereum, everyone's ultimately going to go along with it. For multiple reasons, one of them being stake, one of them being the amount of USDC that's on Ethereum. But ultimately, Ethereum is going to go with the banks, effectively. But with a proof of work based system, if you have a majority of the hash rate, under your direct controller, under sort of your influence, unless you actually fork the network, the hash rate can't prevent me from putting a transaction out there. So you might prevent me from getting in certain blocks, but you're not going to prevent me from getting in all blocks. If you want to prevent me from getting in all blocks, proof of work is a naturally an opt out system, right? So if you change, we have to immediately decide what we're doing. And there will be a fork. And some of the hash rate will attrition off onto its own. And everyone in the system is going to get value in both systems, right? So because of that, it's more resilient to attack, because then the stakeholders who hold the tokens get to decide where they're going to go. Okay, I like that. So I believe this to be a demonstrably different outcome than you would see in a proof of stake set. Okay, dude, we need to get you to Monero topia, by the way, on stage, done on a panel with the likes of Luke Parker and Arctic Mine and some of the zaddle guys who are pure proof of stake. Any any chance that that could happen? Where's Mexico City in February? Oh, yeah, yeah, that could potentially happen. I'm not a huge fan of traveling internationally after the pandemic, but it was not too far away. Yeah, Mexico City, Europe's area, man. They're like arresting people in England for tweets these days. Oh, yeah, yeah, watch out. Mexico, they don't really have their eye on what's going on over there. Like, yeah, they're like a socialist country. But there's a lot of freedom in the streets. Yeah, just haven't caught up to it yet. Maybe. So this is great. So I guess continue on on the thread of why proof of work, right? So you made your your kind of your two big points. 

 
So there's a couple points there. And then there's maybe another point, which is, I believe that proof of work is competitive sort of capitalism over time, whereas proof of stake is plutocratic. So basically, in our current system, we have a plutocratic system, which is whoever sort of had the most stake yesterday will have more stake tomorrow. So the distribution of wealth is such that it compounds the winners over time. And you get sort of a higher, a lower Gini coefficient and a higher degree of dispersion of wealth. So it's just like a bad system.

And that effectively over time in a proof of stake setting, there's going to be a very few number of parties that control the world and control that money system, right? It's, it's actually interesting if you look at money, and if we look at history and draw analogies, gold was proof of work money. And then we decided that it had some issues. So we allowed people to create receipts. Yeah, it's proof of stake. And then we eventually moved to proof of stake 100%. And we're living in the consequences of proof of stake where a couple holders control the system and arbitrarily manipulate the supply to their advantage.

So all the Monero proof of stake, a proof of work maxis are like, yeah, and I agree, it's very, very cogent. This is some of the best pro proof of work arguments, probably the best arguments I've heard, obviously very well thought out you, you are an expert in this area, you've been thinking about this for a very long time. And you have, you know, a deep physics background. This is this is my Arctic also ultimately is, is, is a proof of work maxi. That being said, Arctic does seem to be my Francisco Cabana. So I assume you're right, you're familiar with it's his work, his contributions to Monero. That being said, I think I think he's open to the exploration or researching like a proof of stake finality layer on Monero, which I want to get into, I want to get your opinion. But I guess continue on all your thoughts of why proof of work and then we'll get to that. Well, and so there's there's that issue. And then there's also the fact that proof of stake is permission. So it actually is much similar to how SSL certificates work, and it is an open system, wherein that you have a mission, you're saying it's not permission lists, like we're, you know, a five year old can plug in a CPU and get some Monero as opposed to it's not permission lists, because I need the plurality of the current parties to decide that I can participate with proof of work, I don't, I just throw the hash into the network, and I'm participating. Right. So when it is proof of work based, it is true, a truly open system. And when it's proof of stake based, it's not. Now, that that's kind of one of my favorite arguments with regards to proof of work is that it's makes it truly permission list by nature in terms of obtaining and participating in the network. 

 
Well, and that also reflects that opt in opt out, too. And then there's, you know, to play devil's advocate, if we look at the proof of stake camp, they're gonna say, well, in practice, look at all of these, you know, people that we want to participate in the systems that exist, they can easily join the network and everyone will let them join. But as long as we understand that they're letting them join, it is the benevolence of those people that are leaving the system open, it is not the design of the system itself. So as long as we know that there's a difference there, and we draw what that might lead to long term into our thinking, that right there kind of seems like the QED in terms of the argument to me.

And that, you know, if we know that proof of stake is plutocratic, we know that it wants to kind of centralize it over time. And then we know that it's fundamentally a permissioned layer by the plurality, then like, it seems to me over time, they're gonna say, oh, we have enough stakers in the set, we don't need to like, share our percentages with you anymore. Oh, our percentages are a little bit low, we want this to be a little higher. So on and so forth. And oh, look, this person bought this person out. So what was two stakers is now one sort of thing. It just seems like that's the evolution of the system. Whereas if proof of work, you plug in a computer, you contribute hash, you win the block, everyone's incentivized to go along with the improperly designed proof of work. 

Speaker 2 
Do you love coffee and Monero as much as we do? Consider making gratuitous.org your daily cup. Pay with Monero for premium fresh beans and if you like what you taste, send a digital cash tip directly to the farmers that made it possible.

Proceeds help us grow this channel, gratuitous and Monero. 

 
awesome. I hear you. I agree with everything. But how about the reality of the situation where we're seeing proof of work being manipulated with things like the cubic attack? Is it just tweaking that needs to be done? And ultimately proof of work will work. It will prevail.

I see. I guess you've already figured it out. You know the solution.

It's already implemented in kwai. And that's why I feel like I'm sitting next to Vitalik on the plane here. I know that guy. There's no way I'm buying kwai. Am I pronouncing it right? Come on now, I'm way less artistic than talent. I suppose not. You're very personable. You're very personable. So yeah, that's the point we're getting at. And then because the reality is we're having problems with the proof of work system that Monero is using right now. So let me just make this statement. So this hasn't been Monero's focus is how to do proof of work. Monero's focus has been privacy and the cryptography around that. There's been great, tremendous evolutions and work done in that area. They've never had to deal with the consensus area. They haven't been thinking about it before. This is not their area of expertise.

Well, other than going to ASIC resistance, right? I mean, that's related, right? Yeah, well, this is all part of this discussion. The only thing I've been thinking about for the last eight years is that. So the reason that we're talking is because I think I know the solution to proof of work as a statement. And we've already implemented it in QUI. And I'm actually working on a PR to let Monero adopt. And it will get Monero to the point that under a 51% hash rate, they won't have problems in the network.

There's still the issue, hold on, hold on. I was slightly distracted there. And so what is the proposal that you made the proposal? So I've put the proposal out in research in one of the initial threads. What is it called? So it's called work chairs. So it's something that we do in QUI. So just to give a little bit of background, I'm not trying to pitch too hard here. No, because this is completely off topic, completely relevant. I mean, is this one of the potential solutions Monero should be considering?

Yeah, so QUI is meant to be our focus is scalability and proof of work. And so our network is a merge-mind hierarchy of blockchains. So there's kind of this hierarchy of chains. And it allows us to shard in subnet work. And suffice it to say, the demands of operating in that environment are basically the highest that you can possibly have in a work-based setting. So that's why I've been focused on consensus and proof of work, because we're trying to get to scale and proof of work. And in this hierarchy of merge-mind blockchains, there's really no room to fuck it up. And so that's why we've been thinking about it so deeply for so long. Now, if we take the learnings that we have in this hierarchy of merge-mind blockchains that sort of optimizes proof of work consensus, it's easily and readily applyable to a single chain system like Monero. 

 
So we think we have the best form of consensus and proof of work, and we can take a nice little piece of that and just give it to Monero and it will fix the cubic problem. That's kind of the statement. And the proposal is something called a board shares. So basically, when we look at proof of work, proof of work is not sort of 51% resilient like we normally think about it. And cubic is proving this. So there was a paper authored by Irel Sir, maybe like eight years ago, nine years ago now, what basically says that proof of work sort of in this Bitcoin-like setting of longest chain or heaviest chain rule is actually about 30% resistant to attack. And so from the numbers that I've been seeing with cubic, they're getting upwards of maybe 32, 35% of the hash rate at some points in time, which is allowing them to sort of create these long five, six, seven block reorgs in the system. And that's why it's becoming problematic for Monero settlement times.

But the issue and the reason that, okay, let me try to like, I wanna try to communicate this in like the simplest way possible. So like everyone kind of just rocks it. So let me just, I'm not talking to consensus people. I'm just talking to people in Monero. So let me try to- I mean, frame it in terms of the problem that Monero is having, right? Like what our current system is, and you're considering, you know? Yeah, let me for that. Proof of work fundamentally is a measurement problem. The question of proof of work is what is the majority of the hash rate voting on? Okay, so let's just like think about this as just a measurement problem. Like it make it very simple to sort of conceptualize. So we have, you know, thousands of nodes around the world that are all mining to produce a block every two minutes, right? And what that block is doing is it's recording a vote in the system of where we think the hash rate is. Now the problem is a single sample has infinite variance. So if I only look at one sample at two minutes, I don't know if that represents, you know, 0.0000001% of the hash rate, or if it represents 100% of the hash rate. I have no idea. So statistically, like I don't know how to treat it because it's a sample of one. So the variance is very large. So then in proof of work, what you have to do is you have to wait for more samples to come in. And when you get a population of samples of say like six, eight, 10, you can then say that 51% of the hash statistically is pointing to things that were six, eight, or 10 blocks back. And that's how we get finalization and proof of work when we only take one sample per block, right? We have to wait, say six to 10 blocks before we even statistically begin to understand that that's 51% of the hash. And so what you're seeing with the cubic attack is that because there's variance in small population sizes, they can with less than 51% of the hash create a five, six block reward. But it just has to do with variance in a population. So the way you fix it is take more samples.

That's it, right? So work shares basically say, instead of saying taking one sample per block on what the hash rate is doing, we take a hundred samples a block. 

 
So we could just take a sample a second. It's not a block, it's just a header. And they're naturally produced when you mined anyway, you just sort of mine a share, just like you mine to a pool, right? So when you participate in a mining pool, you submit shares to the pool, right? And the shares are basically not a block, but they're a piece of work that is sub-block. But if they look at all of the shares submitted by all of the participants, they can then say when they do find a block, you did 10% of the hashing, you did 12% of the hashing, you did 15% of the hashing based on the shares that were presented, right? So it doesn't sort of record itself into a block, but it's a representation of what the work was doing intra-block, right? So all we have to do within Monero is take sub-block samples and then you eliminate the variance problem. So then the only way that they can screw with you sub-51, they can't screw with you sub-51%, that's the statement. So like if you just add work shares to the system, you're resilient then to 51% rather than the 30% that you're currently resilient to.

That's like the full proposal. And so what a work share is, it's like a share in a pool, but you actually record it in a block. And if you want it to be done in such a way that it's also fair, meaning you eliminate selfish mining, you don't pay blocks all of the reward, you should actually pay the shares. So you can solve selfish mining, you can solve the chain quality problem, and all you have to do is add what we call work shares into the system. So like that's what we do with QUI, we have much faster blocks, we have this like much more rigorous setting that we have to work within, but if Monero started adding like 10 shares per block, like this problem would go away a ton. If you had an 100 shares per block, it would go to zero. Okay, now you're doing a great job explaining all this. How does that, how would that effectively get implemented into Monero based on? Well, that's what I'm working on the PR. So I actually have a PR. What would that look like? I mean, is it, so obviously it's a hard fork. It'd be hard fork, it'd be hard fork. So there's different ways you can fully this idea, okay. And there's ways that like, depending on how you wanna do it, make more or less sense for what the Monero community wants to do. The whole implementation would be, you shouldn't pay blocks, you should pay shares and you should wait the block by the number of shares that are, and if you do those two things, you will not only have eliminated to selfish mining, but you will also ensure good chain quality against a sub 51% attacker. Now there's variations of that where you can say, well, we don't wanna pay shares and you can get into the nuance of like dividing it up. And there's ways that you can still improve without doing the full proposal. So this is actually the work, we've not only implemented this on QUI, we've actually written three different like peer reviewed, like formal proofs and papers on this subject, but there's different ways that you can implement different pieces. 

 
If you didn't want to say change the block reward, you could still add shares to figure out the weight of the block. And if you do that, depending on how you do it, you could also mitigate what cubic is doing to a large degree. The ultimate thing to make it both good chain quality and so you don't have selfish mining would be to pay shares. If you don't wanna pay shares, you can still get rid of the chain quality problem, but there's still technically a version of selfish mining.

What do you foresee as being the arguments against it? So still, you know, steel man it or whatever. I mean, what would Monero Dev say, do you think in response to this? They're gonna say that it is untested and unproofed that's really what they would say. And could it be proven? Obviously you're trying to implement it. To be fair, we have formal security proofs and we've tested and implemented it. The research has been done, the math has been done. Yeah, that's right. So the question that is- You go ahead, go ahead. Yeah, I mean, it's like the comfort level with the idea, but from an implementation perspective, it's taken me a little longer than I would have liked to kind of get this PR up because Monero doesn't have, it doesn't update the block proposal in Trub Clock, but with something like work shares, you have to actually keep updating the block proposal during the block production. So just tangent as a developer, right? That creates threads and synchronization things and whatnot. So it's not the most trivial thing to do.

I've done it, but it takes a little bit more effort. Is it being discussed in the MRL? I haven't seen it being discussed yet. I guess you've already officially proposed it. Yeah, so I proposed it in one of the threads and I've just been trying to get the PR to a point that I can just be like, here's your S and then we'll see what they say about it. Exciting man, you know, I'm obviously not the guy to be like, okay, all right, like, go ahead, let's greenlight it. But everything I'm hearing sounds great. What are some of the other potential crits? So you're saying, so what would make, you know, the Monero mines comfortable with it? What would they have, what would they have to see to be like, Oh, okay, no, that makes sense. What, you know, are there any like kind of foreseeable attacks, like other than, you know, yes, it's, it's, it's thwarting some things, but does it open the door for other things? Yeah, I mean, basically, like, Monero as it exists is Gen Zero proof of work, right? There's been no focus on the consensus piece of this. There are better ways to do proof of work that are provably more secure and have been demonstrated. The question is, if you want to upgrade proof of work to be resilient to that 51% attacker, there's ways to go about it. And work shares is one of those solutions.

Okay. Which, which in some ways, I think is less problematic or controversial in adding in a finality layer, because it's one thing to say, you want to add in a finality layer, but to do it properly, and to fully understand the implications of that,

 
I think is actually much, much, much more risky, difficult than just simply adding shares to blocks. Right. It's a it's a whole nother abstraction of what Monero already is, right? Yeah, well, I mean, you're trying to no longer purely proof of work. You're trying to marry two consensuses, which is a lot trickier than just saying, we have proof of work. Let's make proof of work a little bit better. So we get like our resiliency closer to 51%. And the cubic problems kind of go away. It seems honestly to be like the lighter path of those two options.

So for, you know, for the transaction, finality layer, so do you think it shouldn't even be, you know, Lucas proposing to do research on it? Zcash has done research on it? Do you think Monero shouldn't even be considering it investing time and whatever effort into looking into this as a long term potential option? It's, it's a non starter for you. It's a waste of resources effort. It's just fundamentally not going to work. Or do you think it's worth? Do you think it's worth researching? Because I'm getting shit for being like, Oh, no, Luke wants it. I think it that's seemed that seems reasonable to me that super intelligent Luke Parker wants to go research this thing. Obviously, I'm hearing all the arguments for why we need to be fundamentally proof of work all the time. But from Luke, I'm hearing all right, well, we still are going to be fundamentally proof of work. We're still work that's going to be done blocks are going to only be created through the process of proof of work. There's just this finality layer on top, but proof of work is still being done. Well, so so let me let me investigating researching. Let me let me steal man the proof of state argument. Okay. And as a first principles person, I've been thinking about this. And I think there is value to proof of stake, the value that proof of stake ads is that it creates a higher instantaneous attack cost, the proof of work.

Now, what do I mean by proof of stake? If we look at Bitcoin, Bitcoin is fundamentally has a component of proof of stake. Do you know what that is? I'm sorry, very, very ask it for coins fundamental. Yeah, we asked that. Bitcoin has an aspect of proof of stake. Do you know what it is? Yeah, only a six. That's right. So even within proof of work, you can have proof of stake depending on how you've designed the algorithm and what capital is going against that algorithm. And there's potentially a gradient based off how you design the algorithm in terms of its energy consumption, as well as the ability to make, say an ASIC for it. So CPUs are probably the least staky things that exist because they're ubiquitous, sort of everyone can operate them botnets can can do them. As you move up the chain, GPUs are a little bit more specific. And depending on how that algorithm is designed on a GPU, you know, maybe you could have like a very large DAG and prog pow, and you could only run that algorithm on an A100, which is starting to get more ASIC like, but it isn't quite an ASIC yet. 

 
So there is more sunk capital cost associated with it, which makes it harder to attack based off the limited supply of that type of system. And then the thing that gets to the most limited specific supply obviously is something like a Bitcoin ASIC. And then that capital, whatever the gradient is, is the proof of stake aspect that makes the instantaneous 51% attack more expensive. So got it.

And I agree. I totally agree with that. I mean, that's the argument to be made right now as to why Monero is more susceptible to what rank is doing versus. Right. But the question becomes, what's the right way to blend these things together? And that's a very, very difficult question. I think what we can take from this is the easiest way to blend it is to make the capital requirement a little bit different based off of, you know, what the work algorithm is. So and I'm not saying go strictly to ASICs, but if you went to ASICs, like this problem would go away, and there's a gradient between CPUs and ASICs that exists, and you could maybe choose where you want to sit in that gradient. And I'm not saying I know where optimality happened. In terms of actually trying to truly blend proof of stake and proof of work, I think that's almost trickier than that former question of how do you modify the algorithm to make it maybe a little bit less prone to this type of attack. What do you see as the most ideal path for Monero? Would it be maintaining its random X proof of work where it is one CPU, one vote, and then fixing it in the in this way you're talking about with implementing shares or tweak it so that you add an ASIC like element to it so it inherits some version of proof of stake?

My point is if you're going to have a proof of work component, you should add shares because it will make it the best proof of work component there is. Do you see that the positive in a random X so doing the one CPU, one vote, or do you see it as more of a weakness because it's lacking that proof of stake like element that prevents some of the. So I guess there's two elements of the question. So independent of any of the other sort of statements, you should implement word shares. Sure. Because like, if you're gonna do proof of work, it will work better. It won't fix a 51% attack. Right. Same. But what's the most ideal version work shares on Random X or work shares on a tight time. I'm a little less direct in in my like, this is an opinion. And it's like a very loosely held opinion. Right? Because because I don't have certainty on on where optimality lies here. It's something I'm actively thinking about. I do think it's further away from Random X though. Closer to a6. I don't know if it's all the way. Yeah, but then you start to lose some of the permission lists, right? I know you get right. Yeah, I get it. The pure permissionlessness is having the cell phone that could effectively mind Monero, right? It's a gradient. Right. But in term in terms of trying to get some to go from where we are to getting better resilience in the protocol, work shares is like an obvious thing. And then the next question is, how much stakiness do you need? 

 
And the more stakiness that you have, the more permissions you're going to get. So like right now, it's basically like, if you have a CPU, you're in the system, but maybe making it a certain type of GPU gets you far enough that like that works. Or maybe it's you need to go all the way to an ASIC. I'm less opinionated on that.

Obviously, if we look at proof of work and going to an ASIC, you have a very high degree of stakiness. And I invented that term, like, but it's, it's stakiness, right? Like, that's, that's the word. But it's a former stake, right? So, but the problem is with Bitcoin, like we've seen that that does create centralization, it creates centralization and how mining is done, it makes, you know, you have to have $20,000 to sort of get, you know, first step access in the network, efficiently, at least. It means that there's only, you know, one, maybe two creators of those chips. And then they take a lot of the profit, you know, out of the miners hands and really control the network at some level. So I'm also sympathetic to that.

I actually personally think the step to ASICs, the issues that I see, if, if we're talking about like, at least a longer term issue, maybe not immediate term issue is the geo strategic resilience of general purpose hardware versus application specific hardware. And that if cryptos actually do start to challenge nation state currencies at some point in time, one thing nation states will be able to manage is import exports for a very long time. So if Monero goes to like an ASIC, like a Bitcoin type ASIC, it would mean that, you know, countries could easily control the import exports of those ASICs and completely shut off access to that mining capability, you know, for that country. Whereas if it was a GPU, shutting off access to GPUs is effectively impossible, just like shutting off access to CPUs is effectively impossible.

So I think maybe an ASIC is one step too far. But I think that there is a degree, there's there's a gradient of stakiness. Meaning if you chose something that say, could only run on an A100, I think all of these problems would go away. I get that, no matter what we should be implementing, what is it called the share? What are we calling it? Work shares. Work shares. And I get this idea of stakiness that there actually is some positive attributes to having stakiness and you want a little bit of it, it's gonna it's gonna help, even though you might lose some permissionlessness.

But so how about the idea of this transaction finality layer? Once again, should I just want to get your opinion on whether or not you think it's even a road to go down and research because that's something that's being considered in Monero, not that it will not that it will get implemented, but putting time into considering it as an option. Do you think it should, it shouldn't even be on the table? Um, well, we're talking about adding proof of stake, basically, when you say transaction finality layers is what we're saying. Yeah, I don't know if you saw what Luke proposed generally that he wants to research. 

 
Are you talking about pop or like, a trailing finality layer, right? So you have proof of work. And then there's a proof of stake layer on top that does the viableization. Well, right now trailing finality isn't the issue, right?

Right now is the proof of work is broken at the tip with a sub 51% attacker. And if you say, okay, we have so the con, like, and trailing finality layer, like, how do you feel honestly, what you're actually looking for is a tit indication layer about like, who's an honest actor in the system, right? So, and okay, and just to preface this, all the things I said up into this point, I'm like, very confident about, like, as being true, and we should do, now we're moving into the more speculative, sort of free flowing conversation here.

Okay, yeah, nowhere. I mean, if you don't, if you don't have a strong opinion on that exact proposal, I don't want to like force you to, I would put, I would put, there's a couple opinions I do have, which is, it's very hard to marry proof of stake and proof of work. But doing it in trailing sense doesn't make sense. It would only make sense if you're doing it upfront, right? So if we talk about like the asa, you're, you're blending it with proof of work harmoniously, and you're making it instantaneous at the tip. So your stake is, is happening when you're producing the block, it's not sort of like taking place or your opinions taking place on the tail. So anytime, like we're talking about steak, like it has to affect the tip of production, not like the tail of production. So if you were to talking about like steak proposals, you could say to mine, not only do you have to have hash rate, you have to have a commensurate amount of steak relative to your hash to be able to produce valid blocks, you could do that. And that would give you stakiness to the tip of the chain. But like when we're talking about how to marry these things, you have to marry it at the front, not the back, marrying it at the back doesn't get you anything. It has to be at the point of production. All right. Yeah, I want to make you know, maybe, maybe and maybe I'm missing something there. And we'd love for you to just talk to Luke directly about it, because it's being proposed as something that would solve, you know, what we're seeing here with the cubic attack in the building, selfish, selfish mind. You have like a just a reference in like research labs that you're referring to, that I can look at real quick. And yeah, I mean, Z to Z cache, if you you know, if you literally just search a trailing finality layer, trailing finality layer is proposed by Z cache, obviously, you know, what Monero is looking to implement would be different, but it's effectively, I think analogous to what they proposed. So let's move on.

Let's move on from that, though. What do you what do you think? Are have you kept up with some of the things that have been proposed in terms of improving proof of work as it is, or actually even just thwarting the attack as it is? 

 
Because this this what you're what you're proposing with the work shares, obviously sounds sounds great. Is it something that can be done like quickly? Obviously, you're saying they'll be convincing that needs to be had with the Monero community, but the research has been done. Put it putting aside the time it takes to convince. Is it something that could effectively be done swiftly, you think?

Yeah, I mean, if I had another four hours, I'd have a PR. And so I'm wasting, I'm like, literally, you should just be working on that and sit out here bullshitting with me. Yeah, I mean, I've been spending time on and off over the last like two weeks on a PR. And then on the Monero end, it should, once people are on board, it's not like it shouldn't take much time to implement, right? Yeah, well, no, I'm doing like the implementation as the PR. Okay, that's amazing. So there's, you need a new message type, you need a share pool, and you need to update the block asynchronously. So Monero right now just kind of like proposes a block, and then you work the proposal and the whole block is found, and then you update, but with shares, to make shares efficient, you have to keep updating the block as you're mining. So there's some nuance to sort of how you have to orchestrate that to have like dead locks and you can do it asynchronously. So it, you know, I've done the work, but it's just, it's the concept of the share is actually very simple. It's the fact that Monero blocks don't get updated into a block that's like been a little bit trickier, like so Ethereum blocks, they get updated into a block, we kind of started with an Ethereum code base, so that's like a natural piece that we have in our system. So we, you know, I take that for granted, but I had to sort of re implement that in the Monero code base, which is more work than just sort of updating the concept of shares and including them in blocks with the waiting. Awesome. So yeah, I mean, yeah, you're not just talking the talk, you're what you are implementing it. So it's, it certainly can be done and it doesn't seem like it would take long to actually have it go live. It's just a matter of the political aspect of it and having people agree to implementing it. Yeah, I guess, I guess my like thought process here is I have been asking this question about what you can do with grateful work for so long and so few people have, right? There's like, yeah, you've been studying this problem for a long time. Yeah, well, and we've been writing papers about it. We've been implementing it. We've been testing it. We've been proving it. So there's like a handful of people that have like thought about this specific problem. It's like me, Andrew Miller, Deanie Sisendros, a couple of my other collaborators, maybe like Yonatan Simoliski and like that's it. There's like maybe 10 people that like think about proof of work. You know, in the papers that people are referencing in the Monero research labs, they're good references, but they're like eight years old. 

 
The better references are, you know, the ones that are like twenty, nineteen, twenty, two, three and four, not necessarily like the ones from seventeen. So, you know, someone is referencing, you know, pop, publish or perish. But, yeah, I mean, work here is as far superior to that. And it's far simpler, too.

And it's far more robust because you don't have to worry about, you know, effectively an attack or you set up a bunch of nodes, connect them and then lie about timestamps. So yeah, I mean, I think if you're going to do proof of work, the first step is like get the proof of work the best that it can be. And the best that you can make proof of work is just simply adding work chairs. I got to thank Joel for telling me to have you on, man. You're the right guy to bring on at this moment. And then and then if you want to explore stakiness, I'm not like, you know, objection to it. I'm a first principles guy. The question is, how do you blend it? The easiest way to blend it, for my thinking, is that you have to move up the capital stack in terms of the hardware that you use to mine. That's the simplest way to go about it. The other way to go about it is you cause people to stake or for another hash rate. That's like also like a very simple stake solution that would work. Those would be like the two that I would think of.

Awesome. Guys, we are about an hour and 17 in. I haven't gotten a Manero based Super Chat yet. Come on, guys. So I just I put the link in XMRchat.com slash Manero talk. Let's let's see if Manero is working. If are we getting are we getting selflessly mined right now? Are our transactions going through? Send a Manero based Super Chat. Let's see if it goes through XMRchat.com. Slash Manero talk. I do see some good questions coming up, but I prefer if you could send it as a Manero based Super Chat just so we could use Manero. You don't have to send a dollar. You send 10 cents, whatever it is. Nate Nate has been thrown in some good comments.

I think he also mentioned he wanted he wanted to chat with you. You want to do spaces with you. I don't know if you know who Nate is. He's he's asking how our work shares better than just decreasing the block time. So Nate, that's a good question. The thing that you have to look at when you're trying to ascertain the hash rate is if I take a work share, all that that's doing is telling me a vote, but it has no implications on processing really. So there's there's no state transitions in a work share, right? It's just a work header. There's no body. There's no anything in it. It's just this nice, singular hundred bytes that's easily verifiable. If I make blocks faster, I'm now impacting the computation of the system. So because every time I make a block, I have to have transactions. The block has some size. I have to be able to propagate that block. I have to be able to process that block. I have to be able to move on to the next block. So if we start stacking blocks more tightly, you will get more samples per second, so to speak. But you're also having an imposition of computational cost and doing that, which wasn't necessarily there with work. 

 
So work shares are free computationally where blocks are not in something like quiet, right? We've compressed our times to five seconds. We're actually talking about going to three. So like obviously in a global network, you can go faster than two minutes. And if you go faster than two minutes, like you will get better finality. But it is more computationally expensive to increase blocks. So like in QUI with five second blocks, we still add on average eight work shares per block. And that tells us that when we do a block, basically at N plus one, we have statistical finality because we have a sufficient number of samples to say that fifty one percent of the hash rate is actually voting on the chain at N plus one, which means we get five to eight second finality statistically, at least.

So you can compress the number of blocks. It just gets more expensive to do that. You get uncles based off how Monero works and how blocks are relayed. I think that's a much harder proposal to start compressing block times compared to just adding shares. Right. Work share solves the problems that come with going down that road. Right. Like, yeah, it gets you the same thing, but without the computational loss. Well, it gets it gets you different things. Right. So work shares gets you an understanding of the hash rate. It doesn't change your throughput and it doesn't change your note requirement. It doesn't change your network requirements and doesn't really change your finality times to, you know, getting included in some number of blocks. Now, what it will do is it's going to improve the chain quality. So if if we have, say, still like a cubic like attacker in the system and you put 100 work shares in a block, you could still get one block reorgs, but that's it. It would be like one in, you know, so it would also get two block reorgs. But that's as far as you could ever reorg the chain. So would it eliminate the Monero lock time or you would just have a much shorter one, but you still have one. Yeah, you would. What I'm basically saying is you would never get more than a one block reorg. No matter what, like, cubic does sub 51 percent. If you add work shares to the system, they can never produce more than one block.

That's amazing. So you would get you would get rid of the 20 minute time lock or 20 minute lock in Monero, right? You wouldn't need it. It would just be one block. Yeah, it would never be able to reorg more than one block. Sounds a little too good to be true, Dr. K. I don't know, man. That's like the magic of work shares, right? This is fantastic. But like if you just like step back and say like, what is it? You're just sampling. You're sampling faster. So like as an engineer, if I want to know about a process, just measure the process more quickly. And I'll know about the process more quickly. That's all work shares does.

It's like a very straightforward thing. And then to make it so that you don't have selfish mining, you also want to pay out proportional to that. And then you're also fair. So you can get chain quality and you can eliminate selfish mining. 

 
That work is actually something we call PRS or proportional reward splitting. You can find that paper up on archive. Yeah, and we implement it in QUI. Nate is then also asking, giving that cubic has a large portion of the hash rate already. I don't see how this solves the problem.

He doesn't see how. So last I understood cubic has some 51%. So right, it's like 35%. So as long as they're under 51%, given the two minute block times, if you have north of say 30 shares per block, they're still going to be restricted to a one block reward depth. If you implement work shares, I would recommend going to 100. That's like what I'm putting in the system, because you can easily do one share per second. Because the shares are only 100 bytes, right? They're tiny. And you don't have to include all of them, right? Some get attrition that doesn't really matter. So obviously, work shares sounds like you most certainly think it's the way to go from an arrow. I'm not in a position to push back enough. I'd love to hear what the devs have to say once you submit the proposal. Sounds very exciting.

Um, you mentioned publisher parish, because that's kind of like the top, top pick right now is what the Monero community is looking to do. The other thing is DNS checkpointing, which is just kind of like a temporary, you know, quick thing that can be done to the warts, not like a long term solution is my understanding. And it's really kind of an act of centralization. But yeah, I guess comment on the you're kind of already commented on the Polish repairs. But if you can't comment on those, and then it just in general, do you see any other good proposals coming out with regards to improving proof of work as it is? Or is it just guys, no brainer, we got to do work shares, that's the way to go? Yeah, well, is it so given the position that we've started in, which is like, we have, you know, the first generation proof of work as consensus. It's emergently obvious that like, you should just upgrade to poor chairs to sort of asymptotically approach the true 51% threshold. So if they sit here at 35%, like the things that they do will just get them losing money at 35%. And it won't compromise time to settlement or have any extraordinary locks on transactions in the network. And from all the proposals, it's the least centralized because you're just making work better. So that seems like the obvious thing to do, if we're talking about trying to get more than 51% resiliency, you're potentially going to create centralization, right, you're going to create some type of proof of stake, they're going to create some type of checkpointing, or you're going to change the algorithm in such a way that it becomes stakeier, as we discussed. Now, I do think that optimality here probably lies a little bit stakeier than it currently is. So I will concede that point. But I don't think that you want to remove proof of work, I think you just need to change its manifestation slightly. 

 
So the obvious thing is make it as good as it can be. And then the secondary question is how sticky do you want to make it after that? But those questions to me are a lot trickier than just making proof of work as good as it can be right now. That just seems like the obvious thing to start with.

In terms of publisher perish, work shares is effectively a version of publisher perish, but it does it in a way that doesn't require trust. And it's resilient to DDoS, because the production of the vote of time is a share. So if you actually think about what proof of work is, it's a clock. Fundamentally, proof of work is a clock. And if we only publish blocks, our clock has a lot of variance. When we go to do a transaction, sometimes it's a two minute block, sometimes it took 10 minutes to find that block, sometimes we found a block in 10 seconds. There's a ton of variance when we're only taking blocks as samples. But when you take shares as samples, that thing starts to look like a court's watch. So there's still, it does though, because like, there's still variance. But because we're taking a much finer grained sample, if we zoom in, there's still like that big variance. But if I look at like, you know, 10 or 20 samples, there's no variance, right? Within a 20 sample population, it looks exactly like any other 20 sample population. So now it's starting to tick, right? Rather than our ticks being like boop, and then like, boop, it's like, boop, boop, boop, boop, boop, boop, boop, boop, boop, and like the boops. I went from a sundial to a court's watch. Yeah, like, because if you take, if you take a 20 sample population, like that 20 sample populations, pretty much, if you actually look at like the variance in time, you're actually going to start to see the variance in time of generating your 20 samples, like plus or minus 5%, if that makes sense. So like, you're actually creating time from work is like what's kind of happening here. And so the better you can create time, the better you can have consensus. That's like another kind of way to think about it. Very cool. Very cool. And that like idea is actually, and again, this is like forward thinking, we haven't published anything on this, it has me thinking about potentially ways to improve upon proof of work beyond a 51% attack threshold. But haven't haven't like fully fleshed that out. But the concept of having decentralized time as work gets you a new property of coordination.

Privacy X tips, very generous tip. Wow, $67 and 30 cents. I recall reading paper about work shares or I was it was called fruits and and found it very interesting. Is that right? So fruit chains, fruit chains, I have heard that fruit chains of fruit chains have effectively work shares. Okay, it's, it's similar, but different in very important ways. So fruit chains basically said you can eliminate selfish mining, but from a practical perspective, the time to finalization is effectively infinite. 

 
So although academically interesting, practically useless, work shares adjusts fruit chains to make it useful is basically what it is. So so there are related quantity, but the manifestation of fruit chains makes it practically a useless concept.

Work shares makes it so that you can get fairness in the or eliminate selfish mining, while still having good finality times. Was fruits proposed before you created this concept of work shares? Yes. I mean, I mean, what, like, let's, let's be honest, they're like, what is a work share? A work share is just a share in a pool that you're recording on chain. So like, it's not about, like, who came up with the idea, it's just about what does the idea get you? Right, right. Yeah, but it's a novel way. Yeah, you know, it's a potential solution for. Yeah, I think it's the solution of how you do proof of work.

But that's kind of my stance on it. If you want to do proof of work, you should have blocks for shares. Now, are there any other cryptos? Oh, that's, that's, that's either a fun one from a decentralization perspective. If you do work shares, you actually get rid of pools. Okay, because it's basically everything is P to pool, like, by default, essentially. Right, right. So, so, oh, yeah, fair. Okay. But you're, you're, you don't have to participate in pools because your payouts are much higher, because you're paying out per share, not per block. So even if you're like a participant, you will get frequent payouts, even if you're not frequently finding blocks. So it actually democratizes like block finding quite a bit more.

Because I can get paid shares without having to find a full block. So does it so effectively does completely eliminate the need for pools then at that point? Or you'd still people so your part your cost of a pool, then is your incremental cost, or the incentive to operate against a pool is the incremental cost of running a node. If you're like incrementally willing to run a node, then you don't need to participate in a pool. Right? So like, if you if you're able to run a node, or you're willing to run a node, you don't have to go to a pool to get smooth payouts, any hash rate you have will pay you out almost every day, because of shares, right? And the number of shares you add to the system, the more frequent the payouts. So if you say added 100 per block, there'd be 100 payouts per Monero block, which means you could have like a computer and you're still gonna get a payment every like two days. Very cool. Right. And then there's there's actually another thing that you can do with work shares, we're still in the process of fully implementing it in quad, but we call it deep pools. So then for the people who don't want to incur the cost of running a node, there's actually a way where you can have nodes do proposing as like an endpoint. So like a like a block producer, and then provide that to a person mining. And they basically like inject their payout address, say 1% of the time, so they get paid for providing you blocks to work on. 

 
But you take 99% of the payout, they take 1% of the payout. And then you can use sort of an on chain analytic system to figure out if the nodes are being honest in terms of how they're providing share. So then, even if you're not willing to incrementally incur the cost of running a node, you could actually set up a system where I could point to any node in the network, and effectively use them as a pool like endpoint. But I don't actually have to have them take payments and then pay me, I can always get paid directly. Very cool.

So that those are secondary like effects of work shares. That's actually really cool. It like completely allows you to completely decentralized the mining process. That's that's amazing. I mean, that's ideal, right? Yeah. So are there any other cryptos that have implemented this other than quiet? Um, so so the one that's closest is Casper. The difference is, they use a block DAG. So from an information perspective, it's similar. From a computation perspective, I think it's a much worse design, because their computation complexity is n squared, whereas ours is not. Right. So like work shares is very cheap in computation, because a work share doesn't cause you to have to sort of recompute state. So taking a work share in is very, very inexpensive. With Casper, they take more blocks per second, which gives them a lot of information about the hash rate. But the penalty is the width of their DAG creates this n squared computation cost of figuring out the next state. So their node requirements go up, their bandwidth requirements go up, their computation requirements go up. So from an information standpoint, they're doing a good job. But from a computation standpoint, I think they're doing a bad job.

I do want to cover Nate's comments again, because I want to make sure, you know, we all fully understand this, because obviously, the biggest issue with Monero right now is the type of attack we're seeing with cubic where they're incentivizing people to come mine in their pool, right? So are you you're, are we sure that that goes away? Because they're saying, yeah, but the higher level 51% problem comes from the extra incentive cubits token, cubic can still do what they're doing to accumulate 51%. It will work share system. So saying that they could still use this incentive model where they pull people into their pool, because they're not just getting the shares that they would normally get by just mining Monero traditionally, but they're getting a cubic coin, which is worth more than supposedly more than if they were to just mine Monero directly. How does this work that right? So I'm an engineer. So when we talk about things, we want to do quantifications. And what we'll often find is when we try to start to quantify things, we'll, we'll see that two things are at odds with each other. So I think one way point in sort of very subjective quantification is that if we add stakiness to the system, it has negative implications on decentralization. I think that's a pretty uncontroversial statement. 

 
So if it's, you know, a stake weighted thing, or if it's a six, like that is more centralized than not having it or doing, you know, random X on CPUs, right? So what we're basically saying is we have this 51% problem. And we know that we need to add some degree of stakiness to solve it, which implies some degree of centralization. Like that happens if you're saying you want to improve or increase the cost of attack of a 51% attack, you're going to create more centralization if it's by changing the algorithm, or if it's by having a hybrid consensus model with stake. So we know that that is like a trade off that we're, we're going to have to make here.

The question though, is we obviously want to make maybe as minimalistic as a trade off as needed to accomplish the goal of not being attacked by cubic. So the way that we do that is we make the work as good as we can get the work to be. And that's effectively free for us, because it's not doing anything to our centralization or decentralization characteristic. And then if we say we still aren't good enough, now we have to go down a different gradient, which says, okay, we're going to increase the cost to a 51% attack, and we're going to sacrifice some amount of decentralization for that. And then we can choose how much but as if we improve the work as much as possible, there's less of a sacrifice that we have to make. That's okay. That's the same. Right. So so we don't know what would really like, theoretically, we could implement this tomorrow. And it may it, we there may still need to be more work that needs to be done changes that need to be made over for something like cubic like it's not not 100. Add some stakiness, we may need to staking. So for what what's currently happening, it would get rid of it. If you just did work shares tomorrow, the worst thing cubic could ever do is reorg one block, and they will do so unprofitable. And I don't know if you saw a body anarchists built a simulator, and I'm not too well versed on how and everything like what that could actually test. But I'm curious if the if it could attest, if it could test what you're proposing here with work shares. I'll be talking about it tomorrow. We do our Monero topia show tomorrow morning. I'm sure we'll be talking about this topic. So curious what he has to say about that if we could test your work shares implementation on the simulator that he's building.

This is great, man. Dr. K, this is fantastic. I'm really happy. I found my way to you. Once again, thanks to Joel, who put me in touch with you. He was like, just get this guy Dr. K on he's he's your proof of work maximalist that you're looking for. And man and Monero guy. This has been fantastic.

Yeah, I would love I'd love to get you down to Mexico City. Obviously, you know, it's what I guess we'll have to see. But that's not that's not like you're not saying no, you're not saying no. Well, like here real quick. 

 
Yeah, I'll let you plug your things as we close this out. But yeah, I just I just wanted to thank you. And once again, try to invite you to Monero topia. So I'll follow up with you because I think that'd be great to have you down there talking on stage with the likes of Luke Parker and Andre from Zanno. And I don't know whoever whoever else you get you get on by going to Monero topia. I think you're already on the list, Dr. K. You're sitting next to Vitalik on a plane in 20 2014. I mean, come on, man. You're already on the list.

I usually I want to wait. We do have some more questions coming in. Nate tipped $89.65. Thank you both. Wow. Very generous Monero. I actually more chats greatly appreciate that. Greatly appreciate that. Yeah. So to kind of give the the pitch a quai real quick. Yes, I appreciate having me on. So so quai is hierarchy approval, a hierarchy of mergemind proof of work blockchains that allows us to shard and subnet work so we can charge state without shorting work effectively, which allows us to ignore the 50,000 transactions per second at a work based system, which we believe to be the most decentralized. There also is a privacy token in it. Its primary purpose isn't necessarily privacy. It's called qi we actually call it an energy dollar. So going back to that conversation of digital gold, we emit qi proportional to the energy that goes into producing it. And we do that by Oracle ising it to the hash rate. So effectively, the idea is instead of having everyone using USD stablecoins to price goods and services and settle them, you can have this qi reference, which should have constant purchasing power over time, which will allow people to write contracts and price goods and services in qi. How is qi derived from quai? So it's the second token in the system. So in our system, we actually have two ledgers. We have an account-based ledger, which is QUI. It's EVM compatible. And then we have a UTXO-based ledger, which is Qi. So it works within consensus, but there's two separate state routes that are operating with two different tokens. And to get Qi to work and sort of maintain its energy dollar like characteristic, there's a mechanism in the system that allows you to burn Qi in mid-QUI or burn QUI in mid-QUI, sort of at a protocol offered to rate to allow the supply of Qi to be elastic, such that its price is inelastic, i.e. It maintains purchasing hour of a time. So Qi is really meant to be a competitor with the dollar more than something like Bitcoin or Monero because its point in life is to be stable. But then being on a UTXO-based system, we have done a number of tricks to imbue it with cash-like privacy properties. Now, the Moneroans there will tell me that we don't have perfect sender privacy. But what I'm going to say in response is when we envision people using this in commerce, the vast majority of times, they're not going to have sender privacy to begin with. 

 
So that component is not something we claim to have, but we also don't think it's a requirement if you're actually using Qi transactionally. If you're using it, if you want something like Monero, where you have other systems that can obfuscate the relation to the buyer and the seller, and you need perfect sender privacy, go to Monero. The issue that we see, though, and the way we kind of designed Qi the way we did, is if you want to do that at 50,000 TPS, any of the available privacy mechanisms that aren't kind of what we did that are very sort of old school, fixed denomination, UTXO, paynims, enforcing address hygiene on chain, things like this, there's no sort of cryptographic forms of privacy, like ring signatures or membership proofs that can computationally handle that like 50,000 TPS.

And that's kind of why we went with what is sort of like a compendium of more old school solutions with Qi. And what gives Qi its stable coin like nature? I mean, it's not an algorithmic stable coin. What is it allowing it to become more stable over time? So there's two mechanisms in the system. So the first mechanism with Qi is that it's midded proportional to hash. So effectively, as a miner, if the market price of Qi is above your production cost, you'll choose to mine more Qi until the market price converges to your production cost. This is all right. So this is mimicking gold at this point. Yeah, that's mimicking gold. That's correct. And then the second mechanism in the system is if the sort of market price of Qi is below the production cost, speculators can buy Qi up out of the market and then convert it to QUI by burning it. And the rate that's offered by the protocol is established by adjusting the rate until the market is neutral to the offered rate, which is basically saying there is a controller that, given efficient market participants, will cause the protocol rate to converge to the external market rate without having to have an oracle. The market participants become the oracle for the fair trade price of Qi to QUI. But that allows the supply of Qi to shrink in times of shrinking demand. And it also allows it to more aggressively expand in times of increased demand. But you need more dynamic supply response of this to allow Qi to keep relatively stable pricing. So that's the second mechanism in the system is being able to convert Qi to QUI and QUI to Qi. But between those two mechanisms, the market participants then as an aggregate market outcome price Qi, if that makes sense. So it's not like we're prescribing a price. We're just saying we're going to give you one Qi per 8 trillion hashes. That's like what the protocol says. And then the market figures out the pricing of what that means. And then it also figures out what the supply should be to kind of make that pricing make sense. Very cool, very cool. So it does, and I feel like you kind of went full circle. Because on the outset we talked about Bitcoin not actually mimicking gold, and this is what you've actually built here with Qi. 

 
Very, very cool, man. Dr. K, really, really glad I had you on today.

I actually, while we were chatting, I ordered a pizza with Monero from Runaway. Monero people that I've met on XMR Bazaar. That's pretty awesome. It's been waiting for me now. So we get the pizza. And I also have to, I need some baby time here. I think the baby is looking for daddy and me time. Thank you so much, man. I know we will stay in touch. Maybe we get you on a Monero topia, one of these points, if you're down to do that. But yeah, I would love to get you in person. And I look down at the conference itself, and I'll follow up with you on that. Anything else you want to leave the audience with in terms of things to show, where people can find you, now's the time to get that out there. Yeah, come trick us out. Come check out qi at qu.ai. Follow us on Twitter. I handles mechanical K, spelled K-A-L-K at the end. Yeah, but one thing I will say, and one reason that, one thing that I think we need to say at this juncture in history is people who stand for decentralized currencies, privacy, and freedom, we should not fight.

We are not each other's enemies. I have ideas about what it takes to make a truly parallel monetary system, and I think that is qi network. But obviously, I love what Monero does and what they have done in the past. And I am trying to help contribute what I know to make it better in my area of expertise. So we shouldn't fight within that movement because we have much bigger entities at play that we should be fighting. Right, we should be uniting against a common enemy, right? And the community of people that actually truly care about these things on a fundamental level, the way you're talking about it, the things that I care about truly wanting a global utility for untraceable digital cash, it's a very small community of people that actually care about those things. Some of them just happen to differ on the means right now in terms of how to get there, but we shouldn't be writing each other off. We should be uniting and bringing each other into one tent, working together, learning from each other. And competing, right? And made the best protocols win. Yeah, well, I'm taking time out of my day because this is such an extent attack on a very valuable resource that I think it's necessary and worthwhile to do. So, yeah, appreciate you having me on it. Yeah, awesome, and thank you so much. We'll leave it at that. We're almost at a two-hour show here, 850 live viewers. Thanks for everybody tuning in. Thanks for the large Monero XMR chats. Greatly appreciate that. Somebody noted that it was actually 0.33 XMR. Yes, I need to change it to show XMR instead of Fiat. I thought I switched that on the last episode, apparently not. Thank you to all. For those that want even more Monero talk, if this wasn't enough, tomorrow, we're doing our regular scheduled Monero-topia show at 11 a.m. Dr. K, thank you so much, man. Appreciate you. 

 
us. 

Speaker 2 
Yep. Hi, Monero Land. Thank you for joining us on this week's episode. We release new episodes every week.

You can find and subscribe to our show on YouTube, Odyssey, iTunes, Spotify, or wherever you listen to podcasts. Go to MoneroTalk.Live for a full list of places where you can watch and listen. If you want to interact with us, guests, or other podcast listeners, you can follow us on Twitter, Mastodon, or any of our social media platforms. MoneroTalk is also made possible from contributions by viewers and listeners like you, and supporting us is easier than ever by typing in MoneroTalk.Crypto in your Monero.com or cake wallet send address field to send us a tip. Once again, thanks so much for listening, and we look forward to being back next week.