 Anthony Zegger just came up to me a second ago and says, Peter, I don't want to stress you out, but there's someone commenting on the YouTube live stream who's claiming to be your mom. So I texted her, and sure enough, it is. So fingers crossed that she's not a small blocker. All right, so good morning, everybody, and thank you for the kind words, Terak. I really appreciate it. The title of my talk is Converging on Consensus. And the thesis that I'll be presenting is that we can further leverage proof of work to create a substructure or subchain within each block. This will improve scalability, reduce fees, and make transactions more reliable. I'll be focusing on this point today, and particularly the reliability of newly broadcast transactions, also known as zero-conf transactions, also known as instant transactions. Now, these transactions are very important. They're important for buying that cup of coffee on your way to work or purchasing that train ticket when you're late for the airport. They're the kind of transactions that have to work properly in order for Bitcoin to be cash. Now, speed is not the issue. Bitcoin Cash transactions are already lightning fast. The transaction submitted to the network spreads out across the world in a couple seconds. And speaking with Tom Harding yesterday, it sounds like if we remove some of the changes that Bitcoin Core made, we can reduce that time down to 750 milliseconds. So that's really good. Where the concern is, is fraud. The possibility that someone could pay you and then later reverse that money back into their own wallet. So my talk today sort of takes off where Tom Harding's talk from yesterday ends. He was saying that it would be great if there were some kind of miner incentives so that miners would orphan blocks that contained obvious double spends. So I'm going to talk about that a bit. So we hear the term alignment of incentives a lot in Bitcoin. 
And the reason for that is when we're designing the system, we want to make doing the right thing the same as doing whatever is most profitable. We want dishonesty to hurt people in their pocketbooks. We don't want to rely, nor is it practical, to rely too heavily on altruism. Now, there's some confusion in the social media about the reliability of zero-conf for Bitcoin Cash. And I think that's because the incentives kind of break down for this type of transaction. To explain, I need to give you an example. So let's imagine that you're selling your laptop on Craigslist. So you meet with the buyer and they pay you $500 as a Bitcoin Cash transaction. You give them your laptop and they leave. Since Bitcoin is permissionless, there's nothing preventing that buyer from getting in contact with the miners and bribing them with $100 if they can succeed in reversing that transaction back into the fraudster's wallet. Now, if the transaction had even a single confirmation, no miner in his right mind would accept such a bribe because he'd be risking thousands of dollars just to earn 100. But if the transaction were unconfirmed, miners would be at least a little bit tempted because on the one hand, if they succeed in facilitating this fraud, they're gonna be up $100. But if they don't succeed, they're just continuing mining as usual. There's really no penalty, no disincentive for that bad behavior. So that's the concern that the cost to attempt fraud against unconfirmed transactions is low. Now, I don't wanna scare you because today there are no significant groups of miners that are accepting bribes to facilitate that kind of fraud. And we have hard data to support that claim. Tom Harding presented some of that yesterday. But mining is permissionless and the mining landscape is always changing. Maybe five years from now, the miners won't be so altruistic. Wouldn't it be better if we were less reliant on altruism and more reliant on incentives? I think it's possible to improve. 
And in order to explain how, the first thing we need to do is get a clear mental picture of what's actually happening on the network when a double-spend attack like the one I mentioned earlier is underway. So let's start building this mental picture. So here is the last confirmed block with all of the confirmed transactions. So the network agrees that this is all good. So the miners start seeing new transactions come in, including this green transaction here that represents a transaction from the laptop buyer to you. So more transactions come in and the miners are looking for a proof of work to allow them to commit this new block of transactions into the blockchain. What does looking for a proof of work mean? Well, it involves three numbers, which I've shown up here in these three boxes. The first is just a reference to the block upon which the miner is mining. The third is a sort of digital fingerprint of the transactions the miner wants to commit to the blockchain. The middle number is the magic number that solves the Bitcoin proof of work mining puzzle. So the way this works is a miner sticks a zero in there and then he takes the hash of that block header and gets some other number out of it. So that did not solve the puzzle. So he tries the number one, it didn't solve the puzzle. He tries the number two, it didn't solve the puzzle. What is he looking for? Good, a bunch of zeros. So he's trying to find some nonce that when hashed results in a number that begins with a bunch of leading zeros, it's four in this case. And you can imagine it could take a lot of tries in order to find the solution to the puzzle. Okay, so back to the attack. We're gonna imagine that 90% of the miners are honest and didn't accept the bribe, so they're working on confirming the legitimate green transaction. That leaves 10% of the miners trying to confirm the fraudulent transaction that sends the coins back into the fraudster's wallet. 
So when you see the picture like this, it becomes clear that really what's happening is a race between the good guys and the bad guys. Now the good guys can hash nine times as fast so they're much more likely to solve the puzzle than the bad guys. But once in a while, the bad guys are gonna get lucky. So with these numbers, the colluding miners win 10% of the time and the fraud succeeds with a 10% probability. That's not exactly good odds for the fraudster, but the concern is that there's no cost to the colluding miners or the fraudster if the attack fails, they just continue to mine normally and no one is even aware that the attack was underway. Okay, so let's imagine that the fraudsters won so they found they were the first to find a hash that began with four leading zeros. And you might be saying, well, that's stupid. Why can't the honest miners just reject that block that contains this obvious double spend? Well, the answer is although the double spend is obvious to us, the miners don't have an omniscient point of view on what's going on on the network. The miners only know what they see with their own eyes. So we know that 90% are honest because I told you that, but the miners themselves, they don't know that. Okay, so now let's talk about how we could give the miners more information so they could actually see that the hash power majority was supporting this green transaction instead of this red transaction. So let's imagine everybody had access to all the hash attempts attempted everywhere on the network. I can't even fit all the hash attempts on the screen just for my little simulation finding four zeros. In real Bitcoin, it would be vastly more than this. It's impossible to do, but what you would see is that the vast majority of the hashes are trying to confirm the legitimate green transaction. If instead we were to communicate all the hashes that had at least one leading zero, the same picture would come through. 
Most of the hash power is supporting the legitimate green transaction. Two leading zeros, it's still clear that green is good. Three leading zeros is becoming a bit less clear. Four leading zeros, well, only the colluding miners found a hash with four leading zeros. But when you see this in the context of all the information, it's really clear that the colluding miners just fluked out. They got lucky. So where I'm going with this is that we don't have to rely purely on that one proof of work. We can incorporate more finely grained proof of work information when coming to our decisions. So if instead of looking for only the proof of works that had at least four leading zeros, we look at all the proof of works that had at least three leading zeros, the data tells us a different picture. Now the colluding miners found only one proof of work like this, but the honest miners found nine. So with this new information, we can ask the statistical question. If the hash power majority was indeed working on that suspicious red transaction, what is the probability that out of those 10 proof of works, no more than one links back to that suspicious red transaction? So this is really a standard coin toss problem in disguise. It's the same as asking what is the probability of flipping a fair coin 10 times and heads coming up one or fewer times? This has a well-known answer. And for our data set, the probability would be 1%. So if the miners had that information, they could say, well, it's pretty clear that something fishy is going on with this block. If 1% is a good enough for you, you can imagine looking at all the proof of works that had at least two leading zeros. And you might find that the honest miners found 90 of those, the colluding miners found 10. So now the question is, what is the probability of flipping a fair coin 100 times and heads coming up 10 or fewer times? The answer to that is 10 to the minus 17. 
So basically never, so now it's really obvious that something funny is going on. Okay, so if there's one thing I want you to take away from my talk, it's the idea that if you have more access to the more finely grained proof of work information, you can make better estimates of what's actually going on on the network. And that's a good thing. So I've talked about how knowledge of those near miss proof of works is useful for deciding what's going on. Now let's talk about ideas for organizing that information into the blockchain or into the network so that that data is more publicly available. So one idea is called subchains and the idea behind subchains is really very simple. So here we have our last confirmed block and some new transactions are entering the network and the miners are trying to confirm that into a new block. Probably one of those miners is gonna have one of these near misses, a proof of work that's almost strong enough but not quite. So I'll show that here in green. So the idea in subchains is when that near miss happens, he doesn't just throw it away. Instead he propagates that proof of work along with the transactions he's working on as what I call a fast block or a weak block. The rest of the network, they accept that block, they check the proof of work, they check the transactions just like if it were a real block and if they're okay with it, they start adding all the new transactions that are coming in on top of that layer. Eventually another miner will find another near miss proof of work and he can extend the subchain. But now because everybody already knows about these two darker green transactions, the second miner only has to send these two lighter green transactions. So this saves him on propagation time. So this process continues and you can see that we're slowly building up this subchain structure within the block itself. 
Eventually a miner finds a proof of work that satisfies the real difficulty target and then he can propagate that block just by sending, maybe just the very last few transactions he's added. So his blocks propagate really quickly and that's a very good thing. So you can see how we've woven information about the near misses into the blockchain structure. So whether the near miss data is encoded in a self-contained way within each block or is external to the block, that's an implementation issue. Both are possible. But the big idea is just to make that data publicly available. Okay, so now back to Tom Harding's point about miner incentives to orphan blocks that contain obvious double spends. So if we can observe fraud, can we do it? Can we orphan blocks that have obvious double spends? And I think the answer is yes, but it requires a soft forking change to the protocol. So the way a miner currently decides whether to mine on top of a new block is shown here. So when a new valid block comes in, he asks, does this result in a new longest chain tip? If the answer is no, then he saves that block for later in case that branch becomes the longest at some point of time in the future. If the answer is yes, then he immediately begins mining on top of it. So how this would change is as follows, shown in green. So now when a new block comes in that results in a new longest chain tip, the miner calculates that P value, the probability that this block was actually found by the majority of the hash rate. If that probability is too small, for instance, if the double spend is obvious, then we follow this path and save the block for later. But if it looks like the block did come from the honest majority, then we fully accept it and begin to mine on top of it as usual. Okay, so I did a little simulation of this new algorithm. 
And what I found was that if you set your parameter for detecting these fraud events too strict and you basically never reject blocks, even if it's really obvious that there's a double spend or something fishy going on, then the fraud success rate, this is with 10% colluding miners, stays about the same as it was originally and the window of opportunity for which these colluding miners could attempt fraud is 10 minutes as it is today. And the orphan rate, I'm assuming a six second communication latency, is about 1%. Now, if the miners begin to reject blocks that have these obvious double spends in it based on that weak block data, based on that P value, well now we see that the fraud success rate drops considerably, along with the window of opportunity for which the miners can commit fraud. So this is a really nice thing and the orphan rate doesn't go up appreciably. If we start to become hyper-vigilant and reject the block on the slightest hint that something was fishy, again, you lower your fraud success rate, you lower your window of opportunity, but now you start seeing this shooting up of the orphan rate. You start orphaning blocks because you think they might be fraudulent, but they actually aren't fraudulent. You don't want to do that. You don't want to be orphaning blocks that are coming from the legitimate miners. So I think this is pretty cool because there's kind of this win section in here where we reduce the fraud success rate and we've reduced the window of opportunity, but we haven't actually negatively impacted the orphan rate. So I think that's pretty cool and it should be explored more. And you might wonder why does the orphan rate increase at all with this idea? And the reason is because now there's two ways that a legitimate miner can have his block orphaned. 
He can have his block orphaned if someone else finds a block within around that six second window that I'm assuming it takes to propagate that block, but a miner can also have his block orphaned if the network finds, let's say four of these fast blocks in that six second window. Okay, the probability that someone on the network finds a strong block, a real block, within that six second window that I'm assuming is about 1%. So the fast blocks come 40 times faster. So you would think that the chances of finding four fast blocks in that same six second period would be like 10%. But it actually works out to only 0.1%, just the way random numbers add. So that's what gives you this win here that I'm talking about. It's very unlikely for the network to see four fast blocks within six seconds. Okay, so some concluding remarks. Subchains are no longer just an idea. They're now a real thing. awemany. He's active on Reddit, active on various Slack forums. He's done an awesome job coding a prototype system of the subchain idea that's running successfully on the Gigablock testnet. And we've used that to propagate blocks over 100 megabytes in size. There's this cool website. I'm not sure if Tom mentioned this, but it's called doublespend.cash. And they're collecting all the information that they see on double spends that are happening in real time. And you can look through pages and pages of people trying to double spend. And it's really clear that very few of the double spend attempts are happening. And there's no evidence that this theoretical attack I'm talking about where you're bribing the miners is happening. So it looks like none of the miners are behaving badly right now. Lastly, I'm talking about the weaknesses in zero-conf because I wanna make zero-conf stronger. I think zero-conf is already great for low value payments, but I would like to make it great for medium value payments as well. So on that note, thank you very much for listening. Thank you, Peter. 
That was amazing. Okay, they're good questions that reflect the quality of that presentation. Yes, there are. Okay, you got one over there. Yeah, I like what you did there. And I'm really looking forward to see how you're gonna get consensus on this. So, good job. I wanted to ask this question to Andrew because we had kind of a clash last night online. I'm wondering because there's a lot of discussion about OP_GROUP, even miners commented about it. I'm wondering, are you guys at Bitcoin Unlimited confident enough about OP_GROUP to eventually fork off in November if it doesn't happen for you? Okay, that question is not for this talk. That question is for the past chat. Can I get somebody to rise to the challenge? Are you serious? And give us a great question. Are you serious? I am very serious. Hold on a second here. First of all, I'm super impressed that you somehow created a real time presentation in the last 24 hours and ran a simulation. My question was having to do with subchains. I noticed that, so let's say the first weak block that comes in and you had two transactions there. Is there a way to, and suppose that one of those was one that other miners disagree with. They think that that was actually a bad transit double spend, obvious double spend, or bad in some other way. Do they have a way to, you had them adding on. Do they have a way to modify that or do they just have to basically orphan the weak block? Yeah, the way awemany has coded subchains and the way I wrote about it is that subchains are append only. So they can only add, if they want to orphan like a layer of transactions, they'd have to build off the previous layer. And I think that's a good thing because I think that increases censorship resistance but I could be swayed. Okay, yeah, well if it happened near the end it would be more expensive to do that but I can see that that might be a good trade off. Okay, thank you. All right, thank you, Tom. Can I ask a question, yeah. 
So I was gonna ask Tom this yesterday. Is there any attack vector against the miners, the honest miners, by somehow maybe spamming them with obvious, quote unquote obvious double spends in order to encourage the other honest miners to orphan the unintentionally offending miner is like an attack where you could encourage people to orphan that block. Right, but for them to, for the colluding miners to make a bunch of fast blocks really quickly like with enough statistical power to get the honest miners to change their decision it's basically impossible. It's the way the math works. It's actually less likely to be able to cause with the weak blocks or the fast blocks as it is now. Cool, thanks. Thank you, Peter. That was a great talk. I like subchains a whole lot more. At the beginning of your presentation you mentioned this could reduce transaction fees and I was just wondering if you could comment on that. Right, so I don't know if you, maybe it was I guess 2015 I wrote a paper called a block size limit or a transaction fee market exists without a block size limit and it was basically showing that if you assume that the market is perfectly competitive the fee rate that miners will settle on depends on how long it takes blocks to propagate. So if you can propagate your blocks more quickly you can bring the fee rate down. Assuming that model is valid. So if you're in a regime where fees are driven by propagation times then making blocks propagate faster reduces fee rates. Thank you very much. I'm commenting on the first part of your talk. So one of the assumptions is that all miners mine the same candidate block. Like what is the probability in the Bitcoin network and the Bitcoin Cash network for this? Yeah, so let me go ahead. So you're talking about here? Yes. Right, so yeah, so if there's nine different miners let's imagine they're all going to be mining slightly different blocks. 
But if the mempool is being emptied out basically every block all those miners are going to have this green transaction. So that's all that matters for the argument I was making. I was wondering if you've put any thought into the naming and marketing of this because zero confirmation still sounds kind of scary to people that don't know about what's going on and I don't have an answer for you but I'm hoping you have an answer or someone in this room. Maybe we should call it something that sounds less frightening than zero-conf. Maybe something like broadcasted transaction or signed transaction or something like that. I'm wondering if you have any thoughts as far as the marketing of this thing so we can assure the public that zero confirmation transactions are safe and ready to go without making it sound scary. No, that's a really good point. I'm not a marketing person so I... I don't think I have a good answer for you there. But I agree, it would be better to come up with a better name. Yeah, hi. Yeah, hi. So... So on the slide you have 10% taking the bribe. Isn't it also true that some portion of honest miners may be working on the bribe unwittingly because they've seen it first? Yes. So I didn't really want to get into the fine details so in my model I'm assuming that the transactions are spreading out really quickly so that's a fairly low probability event. But yeah, that would change the math slightly but the same main point will still come through. Okay, thank you. Hi, great talk. I'm just wondering about the scenario where you do, let's say under a condition of congestion or spam, then you are heading up against the block size limit. Then your sub blocks or your micro blocks, you're unable to sort in those blocks or at least when you create the first one you have a low fee transaction and then how do you get that out so that you can, you know, it doesn't work under a condition of congestion. I'm not asking the question very well. No, I know what you mean. 
Yeah, so if you get to the end of the block and if the block size is limited and some transaction with a big juicy fee comes in, you'd really like to include that but you can't because your block is full. So the subchain doesn't really work very well in that case because the incentive in subchains is to only append, to continually making your block bigger and bigger and bigger as more transactions come in. So how subchains would behave if we're always bumping up against the block size limit? I don't think it would be very good. Okay, thanks. Final question. So I just want to make sure that my understanding is correct for this weak block. So it's basically, right now, the only winner, I mean, the older loser miners waste electricity, but this case, it seems like you're giving a reason or extra value for that to make it secure for the zero-conf- Yeah, that's exactly it. Like there's so much electricity spent on proof of work mining and we're just throwing out all those hashes. Let's use some of them that have value to make better decisions about what's going on the network. Any extra cost for the miners? No, it will actually reduce the cost because the side effect is their blocks propagate faster so this reduces network orphan rates, which miners like. Thank you. Thank you, Peter, awesome presentation.