Interview: Shai Wyborski

Bitcoin gets one shot at post-quantum security, says quantum cryptographer Shai Wyborski. In our interview he breaks down BIP 360, some of his work with Kaspa, and proof-of-work myths.


Date: Dec 12, 2025

Author: Quantum Canary Staff


On October 20, the Quantum Canary team sat down with quantum cryptographer and former Kaspa contributor Shai Wyborski to discuss his research and his opinions on quantum computing as it relates to crypto security. 


Alex:
We have a handful of topics that we're going to be discussing today about blockchain and quantum and some of your academic work, and a few things that are in between. I know your background is in quantum cryptography, and you've worked in the academic space with Dr. Orr Sattath, who we interviewed last month, as well as contributing to Kaspa in the past. For our readers who may not know too much about you, could you give a quick intro to who you are, what your research focuses on, and what are your work interests right now?

Shai Wyborski:
Hi, my name is Shai Wyborski, but many friends call me Desha. I was always fascinated with math and science to some degree, but it took me a while to start pursuing it, because I dropped out of school in ninth grade. I lost interest in any formal education, because I didn't have a good experience with the school system, and I forgot that I liked math.

I moved on to do other less responsible stuff, and then when I was 18, I decided that I wanted to get an equivalent to a high school diploma by passing all the required tests. I started studying for the math exam, and I took the lowest level math exam possible, because I did this entire diploma in a week or two weeks. I had two days to study for it, and my level of knowledge at this point stopped somewhere in the seventh or eighth grade. 

I sat studying for these two days, and I really enjoyed it. And in two days, I went through the entire curriculum, and then I went and got an A-plus on the test -- a perfect score, I guess. Even though it wasn't very high-level math, it was beautiful. I enjoyed it. It reminded me how much I liked it as a kid. 

So I decided to go take a few classes in math at the university. At this point, it wasn't reasonable for me to get accepted to university, because of my [lack of] a high school diploma, so my application was very, very weak. But I did this psychometric exam to get the degree equivalent, and this eventually got me into a university.


Then I was called into the office at my job, and they told me they wanted to promote me and to start training for a specific job in IT and network engineering. I worked in a huge data center, and they said they wanted to send me to workshops, to become an expert in security. So I told them that I'll think about it, and I came back the next day and quit. I realized that if I'm going to pursue this path, then that's going to be my life. And I wanted to go to school, I wanted to get a degree.

I started a BSc in engineering. During the first year, I realized that I didn't like the engineering classes. In the physics classes, I like the theory, but not as much the practical side. It kind of paled in comparison to when I studied a lot of math, and it really drew me in. 

I enjoyed it very much, but math is full of revolutions that are unfortunately inaccessible to a lot of people. One of these revolutions is that people realized in the 1980s that you can use a branch of mathematical logic called model theory to solve problems in geometry and even some problems in analysis and differential equations. I learned of the existence of proofs that some systems do not have a solution that rely on logic, which I thought was extremely cool, so I dove in.

…I finished my master's, and I needed a change of pace. Some people told me that you shouldn't choose a topic, you should choose an advisor. And of course, the advisor should work on stuff that you find interesting, but first of all, you need a very, very good advisor. I went to Professor Dorit Aharonov, who was also Dr. Orr Sattath's PhD supervisor, and she's a big name. I remember that I really liked her as a teacher when I attended classes that she lectured. And some of them were interesting classes that had this twist [dealing with the model theory]. 

At first, I was worried that quantum computation would be kind of dry. Computational complexity is one of these topics that I really, really like the results. I like the topic, but I don't like the math at all. Still, I was assured that no matter what type of math you enjoy, you can find it in a quantum computation. I said, “okay, let's give it a chance.” 

We started working together and started to try and find a nice research project, but I hit a dead end everywhere I went for like two, two and a half years. I was kind of deflated and unmotivated, and I was actually on the brink of quitting.

As a Hail Mary, I decided to send Dr. Orr Sattath an email, because I knew him as Dorit's grad student, or post-doc student, who had become a faculty member. I approached him, and I told him what I'm going through, and that every project I try is at the end. He said, okay, I have a few things I'm working on here, and maybe we can work on them together. We started having meetings, and it expanded into things that actually look like results.

We [Dorit, Sattath, and I] had two projects together that I like. One was about quantum money, and the other was about post-quantum migration, and those two together were enough to have a formidable PhD. I graduated, and I moved on with my life. But during this time, I also found myself contributing to this new technology, and this company that someone I knew formed called DAGLabs, I joined it. I contributed to the development of the protocol with analysis of the GHOSTDAG protocol, and then I helped resolve all sorts of issues with the implementation of what would eventually become the Kaspa cryptocurrency.

Alex:
Can you tell us a little bit about GHOSTDAG and Phantom GHOSTDAG? In 2021, you co-authored a paper on this. 

Shai Wyborski:
The paper was officially published in 2021, but the idea was laid out in 2016 or 2017, before I joined. Even though I'm a co-author on the paper, it's very important to me to clarify that I didn't have anything to do with inventing the protocol. I wasn't part of its conception; I joined later.

The original paper that they tried to publish had a faulty security argument that turned out wrong. I did the security analysis [and] realized that the security statement itself is not correct as it is, so I found a way to correct it and to prove the corrected statement. In GHOSTDAG, I wasn't an innovator as much as I was like a security analyst. I understood the protocol and why it is secure. 

The GHOSTDAG protocol itself, however, is very interesting. It essentially allows many blocks to be created simultaneously, which in general causes a lot of mess. You have this one chain of blocks, and a block can't conflict with whatever is written in the blocks that preceded it.

Once you have a few blocks in parallel that are unaware of each other, the GHOSTDAG trick is to find that there is this mathematical criterion which very nicely isolates a large group of blocks that are very well connected together, so they must have been produced by a majority. It uses this [criterion] to take this whole mess and turn it into a string of blocks to complete the ordering in a way that is respectful. It gives precedence as much as possible to what we consider honest blocks, and it can be made to converge very, very fast.

What you get is essentially the first proof-of-work-based cryptocurrency where the reaction times of the network, the time it takes you post-transaction until you know that it is sufficiently irreversible, is dominated by the speed of the network. 

Now the question is what you're doing with it. The obvious answer is you can use it as a payment system and it would be faster than Visa, but this is not a very lucrative point because a) Visa is fast enough for most people, b) people are comfy with Visa; people like the fact that they have credit, and that if someone steals their money, they have recourse, which is something, you know, just using a crypto coin on-chain can't provide.

One application of [some of my work on GHOSTDAG in] Kaspa that really excites me is to use it as what we call a “sequencer.” It's essentially this very, very, very trusted machine in a sense that it's decentralized, so you know it's very hard to coerce, and it just logs events, and you would forever know the order of these events, which sounds kind of abstract, but then you can use this to implement all sorts of cool stuff without having to rely on a central entity to tell you the order of things. It allows decentralization of a lot of things, and it also allows you to create more sophisticated smart contracts that, say, implement a means of payment, a medium of exchange, that also happens to give you on a higher level in a centralized way. It could give you credit, it could give you contingencies, but still keep the transactions themselves decentralized.


You can technically do these cool things with existing chains like Ethereum, but Kaspa just provides this unprecedented performance in terms of speed and in terms of how easy and cheap it is to run nodes and extend the network and mine and all sorts. I can give you a three-hour talk just about how cool Kaspa is. But unfortunately, I don't identify as a part of Kaspa anymore. I don't see myself affiliated, because as much as I love the protocol on a technological level, and as much as I appreciate the technical and theoretical acumen of the people who are still working on it, there are personal and professional differences that I find completely irreconcilable, and I completely disagree with some of the paths the project seem to be following. I think it has a leadership crisis, and after a while of trying to help this, and meeting constant resistance, and I would even say some degrees of personal abuse, I decided that it's time to move on, to work with less toxic people.

Alex:
I don't blame you. What did you think about the future direction of Kaspa?  

Shai Wyborski:
Look, it's a terrific technology, and it still could have a bright future — it definitely could. I haven't sold any of my Kaspa. I still believe in it as an investment, but I am concerned about the current state of leadership or like the role.

Alex:
I think it's a common problem in cryptocurrency, where the underlying technology is different than the social technology that we have to layer on top of it to govern the system. On that note, let's change gears to talk a little bit about Bitcoin and the threat posed to it by quantum computing.  

Can you explain what exactly is the threat posed to Bitcoin by quantum computers? Could it affect mining, enable double spending, seizing control of arbitrary wallets, or anything else? 

Shai Wyborski:
Quantum mining is very, very interesting in theory, but I think most of us will agree that it's not a pressing concern right now. It's more of a curiosity because quantum mining requires your miner to be comparable, you know, at the most, three or four orders of magnitude below the size of the entire network. When you talk about huge networks like Bitcoin with so many miners, you just need an extremely powerful computer. If you talk about breaking encryption, on the other hand, if you have an efficient way to break encryption with a quantum computer, then it doesn't care even that it is a blockchain. It definitely doesn't care about how many people mine it.

I think the more pressing problem is definitely that Bitcoin and a lot of the world actually uses a type of signature scheme that is going to be completely broken once quantum computers hit the cryptographically relevant scale. Now, there are differences in the estimates about how fast this is going to happen, and you have polls that show that they surveyed a few dozen of the leading researchers on the topic, and they found that about half of them, at least more than half of them, believe that there is at least a 50% chance that we will see cryptographically relevant computers in a decade, by 2035. I thought this was a bit alarmist. There are companies that actually claim they're going to have enough qubits by 2028 or 2029, and I don't really believe that. I don't really believe it's going to happen by 2035, but I think it's a good timeline in a sense.

We want to find a solution, agree on it, implement it, and launch it by 2035. The problem is essentially in Bitcoin, the way that you identify the owner of a coin is that when they spend this coin, they sign the request to spend it with a public signature. The information of what is the corresponding public key is available in one way or another. This is how we know that this money actually belongs to the person who tries to spend it because they have a legitimate signature.  

But this assumes that you can't forge signatures, even if you know the public key for verifying signatures. And even if you know a lot of signatures created by the corresponding secret key, you can't in any way feasibly find the secret key or forge signatures or anything like that. Well, quantum computers apparently can forge signatures very, very fast in this encryption scheme. Again, the details kind of vary. It depends if we are talking about Schnorr signatures versus the ECDSA signatures. But in both cases, if I have the public key, like the verification key, I can reverse engineer the secret key, the signature key, very, very efficiently on a quantum computer. 

People enjoy the sport of just looking at the literature and finding the paper that says, “we can do it with n qubits” for the smallest n they can find. And then they're like, “ha ha, you only need 800 qubits.” What they don't realize is that this is a trade-off. People find ways to narrow the amount of needed memory, but they pay for it in increasing the depth of the computation. So, okay, you need fewer qubits, but now you need more coherence time. You need to do more computations in a fault-tolerant way. It's not really just about the number of qubits, but I think that if we have scalable computers that can handle 5,000 qubits, 4,000 qubits -- and I'm talking about perfect logical qubits, not about noisy qubits -- then we will already have a problem.

In centralized contexts, it's actually easier to deal with this problem. It's not trivial at all, but it's easier because you can just implement a new scheme, which is post-quantum. We have schemes that are post-quantum. And then just force your entire organization to migrate. 

Now, these things are not easy at all. They released the WEP Wi-Fi standard when Wi-Fi just started being common. And about five minutes later, people found a break and we upgraded to WPA. Ten years later, there were still some corporations that were found to still use WEP. I think there were actual thefts because of that. It's hard to mobilize people, but it's still extremely easy in a centralized environment. You can do stuff like just implementing this new signature scheme and say that starting this date, signed documents which are signed by a pre-quantum scheme are not considered valid anymore on the policy level.


So there's all sorts of stuff you can do. In Bitcoin, there are two problems with that. One is that whatever you want to do, you need everyone to agree on it, because everyone can fork and implement their solution. The challenge is to find a solution that you could rally most of the community behind. 

But the other problem is that there is quantum loot on the chain that arguably there is no way to migrate because the keys are likely lost. So what are you doing about this? If you burn this money, then some people would not tolerate this kind of intervention in other people's wallets. They say, you can't go and hardwire the fact that this money is no longer good. It's just that the entire point of decentralization is that this is impossible. 

Other people will say, but you have to do it, because if you don't, quantum computers will arrive, and then they will steal the money. You would know that someone now has like 10% of Bitcoin, and you don't even know who they are. You just know that they are powerful enough to build the first scalable quantum computer. So now you've given them even more power. Even if you do agree on how to burn this money, how do you agree on where the line should be? Is it too early? Is it too late?

There are all sorts of problems you need to have answers for in order for this migration to be successful. You have to rally everyone because if sufficiently many people are not cooperating, then either you split the economy in two or you do not, but people don't really use this solution and things remain compromised. 

Orr and I, in the project that we did together, asked ourselves a very specific question. In Bitcoin, you essentially have two types of addresses, one where the address of the coin is the actual public key, and then any large enough quantum computer can see this address and recover the secret key. This is not common at all, and only very, very early transactions use this format, but unfortunately, these transactions also include huge stashes of millions of Bitcoins that nobody knows who they belong to and if the keys even still exist.

Alex:
So, just to clarify, most of the Satoshi blocks would fall into that bucket, right?

Shai Wyborski:
All of them, that would be easily crackable.

The first few weeks or months of addresses on the network before the new format was introduced. The other format is called P2PK, Pay2PublicKey. The new format is P2PKH, Pay2PublicKeyHash. It means that in your address, you don't reveal your public key. You just include a commitment to the public key. A commitment just means that I can retroactively prove to you what this public key was supposed to be in a way that is unforgeable. It's called a commitment scheme.

I can give you this thing that looks like a random string. Five years from now, I can prove to you that I was able to create this random string because I know the correct key. Then only when I spend the money, do I reveal the key. So there is a window of opportunity for an attacker to look at your public key, create a competing transaction which pays more, and then front run it. And so this is a real problem. 

The critics would say that it requires a much faster quantum computer, and they are absolutely correct, but it's still a problem. This means that we have these people who are in this limbo. Say that you went to take a nap, and you took a nap for 25 years, and then you woke up in 2050 to realize that everyone in the world has a scalable quantum computer in their garage. Nobody stole your Bitcoin, because it was secured by P2PKH. And so nobody knows how to take this hash, this small random string, and recover your key from it, but you still can't use it, because once you try to tell miners what your key actually is, so they could verify you, then anyone could take this key and use it to steal your money.  

This is what we call a quantum procrastinator, a person that still relies on pre-quantum cryptography. As long as they don't do anything, their stuff is still safe, but they are stuck. They can't do anything, because this would compromise their money. Our question was, how could we help them? 

We started off with a protocol from 2014, it's called Fawkescoin. It has different motivations, but it was also stated as a post-quantum alternative for Bitcoin. Fawkescoin is a really cool idea, but there is a big problem with it in the sense that there are keys that you commit to in a transaction and then you reveal later. So because of that, a miner doesn't have the window of opportunity anymore because they have to delay you for like a hundred blocks or something.

Who pays the fee for posting a commitment? It sounds like this very technical question, which is just a detail, but it's actually extremely crucial because paying fees is what makes the Bitcoin network unspammable. The reason that nobody right now goes and bombards the Bitcoin chain with a lot of garbage is because this space costs a lot of money. The more they bombard, the more money it will cost. So if you don't have a way to collect fees and you don't have a way to prevent this, then either there is no way to post a commitment, or there is a way, but it's exploitable, and anyone can DDoS your network and choke it to death.

There wasn't a reasonable solution for that at the time, but there's an old paper, it's from 2014, by Bonneau and Miller. Using some technology that didn't exist at the time, a very cool zero-knowledge scheme called Picnic, we managed to take these two ideas together, and create this thing that we call the lifted Fawkescoin, which solves this problem, and it's a trade-off. In exchange for the solution, the confirmation times become slow, and it would take hours to days to confirm a transaction, not minutes to hours. But it does allow you to safely spend money that is pre-quantum, even if quantum adversaries are hovering around trying to steal money. It's cool because it's kind of a modular solution. It allows you to do very cool things, and you can choose how cool you want the functions to be, because the cooler the functions that you give, the more severe drawbacks you get in return.

If you are willing to make all of the sacrifices, like you're willing to do a hard fork, and you're willing to require users to be occasionally, periodically online or their money might be compromised, if you're willing to take these drawbacks, then in exchange you get all sorts of cool features, which include even an ability to restore money where the keys were completely lost. That sounds like magic, but if you look carefully, there is this slight break of symmetry because the person who lost the key knows that the key was lost, but the person who tries to steal the money doesn't. If you're clever with this, in the sense that if you think that the key was lost, but apparently it wasn't, then you lose a lot of money.

When you hear that the key was lost, you can't even tell if it was really lost, or if someone is trying to bait you to try to steal the money so they will take your large deposit. If you play on this idea, you can actually create a protocol where you don't have cryptographic assurances, you can't have them because on the level of knowledge, you both know pretty much the same things, but you get this game-theoretic sort of assurance that people will not try to steal. This is just an example of one of the cool byproducts of this research. We didn't intend to find a solution for this, but we found something.

Some people may argue that it's not secure enough. That's fine. I think it's cool on a theoretical level, and that's enough for me. This is the main work I did on Bitcoin, and it contains all sorts of other nice things. For example, I noticed that your magazine is called Quantum Canary, and one of the things we did in this paper is to specify quantum canaries. 


I think Justin Drake coined the term. But you can see this idea manifest even by Peter Todd in 2011. And Peter Todd, what he did is he created stashes of Bitcoin, like wallets of Bitcoin, that the only way you can spend from these wallets, like the condition you have to satisfy, is to demonstrate collisions on hash functions, like demonstrate cryptographic vulnerabilities. And so this is kind of like creating this decentralized bounty program, whose rewards are guaranteed, because they are already in this address, and you know that the only thing you need to release the money is to find the vulnerability and demonstrate it.

We extended this idea a bit to quantum canaries, and we're extending this idea in a way that is specialized for detecting when a quantum computer becomes available. The idea essentially is to create a formidable bounty, like 10,000 Bitcoin or something, which is a nice amount of money, but it's not comparable to the amount of money that a quantum adversary can steal. We then lock it, but instead of using the regular elliptic curve schemes that are used in Bitcoin, we deliberately make it slightly weaker.

It should be strong enough so that contemporary classical computers couldn't break it, but it should be weak enough so that the scale of a quantum computer that you need to break it is smaller than what you need to break the actual signatures. Currently Bitcoin signatures have what we call 128 bits of security, which means that we assume that the classical computer will need 2^128 operations to break them.

What if you take 110 bits of security on a smaller curve? Because the curve is smaller, then you need a smaller computer. If you have someone that reached enough qubits to steal this bounty, then they have two options. They could either take the bounty, and then it happens on-chain. So you don't even have to have people react. You can even set the protocol such that the minute this canary is killed, the minute this bounty is claimed, automatically everything, quantum, stopped working at this point or four weeks after this point or whatever. Or, they could not claim the bounty and instead keep improving the quantum computer until it's large enough to steal all of the other loot everywhere. 

But if they do that, they take the risk that by the time they become large enough to steal the loot, someone else will become large enough to steal the bounty. And then someone else will take the bounty, and they will be left with nothing. So we did this rudimentary game theoretic analysis of this dynamic between two players. It shouldn't be taken too seriously. But it does demonstrate that if you set up things correctly, then in all situations, you see that the equilibrium is, if you have two competitors vying for the bounty, the optimal move for both of them is to take the bounty. 

I think this is an acute analysis, and it's there to address the problem of when do you put the cutoff for migration? Because the more arbitrary things you need to agree on, the less chance you have to reach a consensus and to reach an agreement. So if you put this canary, you say, okay, we don't need to draw a line in the sand. Now we have this automated mechanism that will give us a warning, and we only need to decide how to react to this warning, saying any transaction which was created more than 1,000 blocks after the canary was killed and is not post-quantum is invalid, for example.

Alex:
That's really interesting. Do you know of anyone in Bitcoin Core that has seen this research? What is the state of the discourse around this? Because it seems like this is a really great, ingenious approach that could have a very positive impact on the protocol.

Shai Wyborski:
One is that [Bitcoin Core developers] are huge fans of small incremental changes. We are talking about a community that has gone to bloody mortal wars about op-code cuts. Getting them to decide to change the entire way of how money is spent and completely modify the protocol, it's not a favorable position. People are looking for gentler approaches, and it's to be expected. 

We didn't write this paper expecting that Bitcoin would implement it as is, but we thought that maybe our analysis will inspire further ideas. We tried to make it as modular as possible, so you could mix and match. For example, you can use the canary without using anything else in this work. It's a completely independent component. So I know that some people have seen it, and there is a thread on it in the Bitcoin developer mailing list. 

There was this discussion initiated quite recently, like a few weeks ago, maybe a couple of months ago, by Peter Todd, who is working on a new BIP. You know there is BIP 360, which is the BIP for implementing post-quantum signatures? His plan is, this BIP is supposed to be about what's the next step after BIP 360 is implemented. It's about migration and it's about setting up a timeline for not allowing pre-quantum transactions to appear. I haven't felt like any of the people who commented on [our quantum canary method] really took the time to understand what's going on.

The feedback we got was very superficial and kind of missed the point of the work we did, but okay; these are busy people, it's a technical paper, it's not an easy read. Maybe when they start diving deeper, someone with influence will pick it up and say, “hey, guys, there are some interesting ideas here.” Again, I don't expect anyone to implement it as it is, at least not on Bitcoin, maybe on a separate chain. But I think there is room for Bitcoin core to give a more serious look into the work that we did. If they do, they do. If they don't, they don't. And it is what it is.

Alex:
If Bitcoin did one PQC mitigation step next year, what, in your opinion, should it be?

Shai Wyborski:
I think the first thing needs to be to implement post-quantum signatures. If you don't have them, you don't really have anything. Okay, technically there are a few things you can do without having post-quantum signatures whatsoever, but I think this is like the first building block. This is what you want to build around.


You have a post-quantum option and then think about what to do with people who don't use this option, if there are procrastinators, if it's lost funds, if it's whatever. But first, I think BIP 360 should become live. I'm not sure if next year is a good timeline. There is a tension here, whether you want to do it fast or to do it slow. I think that you actually want to take your time a little bit here because you're only going to get one chance. If you try to rally the community and you move everyone and you implement a post-quantum signature scheme and you've got many, many people to move their coins, and after you've done all that, someone finds a vulnerability in this particular scheme, you would probably have to face a lot of friction if you want to do it again. If the point is just to implement a chosen signature scheme, then maybe we should wait for a bit more scrutiny.

Now, these schemes are heavily standardized by really smart people. People all over the world contribute to scrutinize them as much as possible and try to break them in every conceivable way. But the fact is that even though no such scheme was completely broken, there were some examples of disconcerting vulnerabilities that had to be patched up. Again, this is another example of the advantage of centralization; if you are an enterprise, then you can just update all of the computers that you control, but in the decentralized setting, if you made a huge effort to rally everyone to migrate their coins and then you find a bug, then you're kind of screwed.

There is this whole world, it's called cryptographic agility, which talks about how you can, instead of implementing this scheme or that, create an abstract layer that doesn't care what scheme it uses, and then below it, given your interface, it will allow you to switch. But again, who controls what protocols are permitted, and what implementation is used? Everywhere you go, you find that there is decision making that would be terribly difficult in a decentralized setting.

But that being said, I do think that pursuing this direction of having, first having a post-quantum signature is good. First, because you first want to have the functionality and then worry about migrating to the functionality. And second, because, as I said, Jameson Lopp is already leading the effort to find migration solutions. He decided that the best approach would be to follow BIP 360 and not to create an alternative. 

Alex:
That makes a lot of sense to me. This will be my last question. 

I know you have a lot of thoughts on proof of work, and you're actually writing an open book that covers proof of work, among other topics. But one thing that stood out to me was how you said something about how there are a lot of misconceptions about how proof of work works, what it is, and what it does. Could you just give me a little overview there? What do you think that people are getting wrong about it, and how does that pertain to Bitcoin and cryptocurrency in general?

Shai Wyborski:
I think the biggest misconception is that people think that in proof of work, you need to have some level of mining, and if you don't have it, then you don't have security. Once there are enough miners, you have this security, and you need X miners, and that's not how it works. It's a market; the amount of money, the amount of mining that is put into mining Bitcoin, the amount of effort, money, hardware that is put into mining Bitcoin is only defined as the amount of money and effort people are willing to put into Bitcoin. 

There isn't any other measure, and how secure is your network? It depends on how many people mine it. The more people mine it, the more secure it is. But it's not like you need to burn X lumps of coal to get this level of security. It doesn't work this way. And I think it is a huge misconception. 

The second misconception is that people think that proof of work can't be scaled. That it's an inherently unscalable technology. Kaspa is living proof that they are wrong. I mean, Kaspa exists and operates today as a pure proof of work, which gives you the same security as Bitcoin, with performance that beats proof of stake in terms of both throughput and responsiveness. And with all of this, the full node can run on $100 hardware. I mean, I think this already proves that it is possible to scale proof of work very well if you know what you're doing.

In general, there are a lot of drawbacks that are specific to Bitcoin or to blockchains that are not generally true for proof of work. In proof of work, you can technically revert any transactions. Any proof of work can be overtaken by a large enough country. There are all sorts of criticisms, which some apply fully to proof of work, and others apply only to specific proofs of work, like Bitcoin, but they aren't universal truths. 

The book in itself has three purposes. One is to get people excited about proof of work because proof of work is beautiful, the theory is beautiful, the ideas are beautiful, and I just want people to appreciate them properly. 

The second is to build this kind of a universal vocabulary that people could use to assess particular projects, because right now there is no vocabulary, there is no standard, and essentially, every project reinvents the language in a way that suits their narrative. There should be some agreed-upon criteria and terminology of how do you assess the security and the responsiveness and the confirmation times and all other properties of a proof-of-work network, and this vocabulary should be independent of any particular network. You have a checklist, you have tools, you have definitions. My book is far from providing this, but it starts to. 

The third reason I'm writing this book is because when you have this general universal vocabulary that isn't anchored in any specific chains, then you can really talk about what's possible and what's impossible. Then you can say, “okay, we see that all of the proof-of-work chains, none of them scale.” Is there this universal property that doesn't allow us to scale? Well, it's a very difficult question. It's a theoretical, deep mathematical question, but at least you have a starting point to start grasping it. Even if you wouldn't be able to answer it, you would be able to understand the nuances of this question much better, much much better. You would understand what the question even means, what it means to be scalable, which I think is very important.

These are my motivations. I have restructured my schedule now with the purpose of allowing myself more time to work on this book. I'm hoping that starting in mid-November, I will resume periodic constant updates.

Alex:
Thank you so much for your time, Shai. 


People can follow Shai on X, and check out his book at his website.


Editor-in-Chief
Christopher Smith
