waxwing
Member since: 2023-02-09

waxwing 2d

Oh, and in case you were wondering, isn't something like witness discount similar? The answer is a resounding no! Think about it - what the witness discount controls is *how much stuff can go into a block* and is therefore a *global* consensus rule. If miners break it they fork off. Here what the ZIP is discussing is having everyone sing kumbaya and agree what kinds of fees are fair, reasonable and keep good privacy and DDoS resistance for everyone. It'll work fine, until it doesn't.

waxwing 2d

I discovered something quite remarkable today after seeing podcasts with Sean Bowe [1] describing the new tachyon system and then one today with Ying Tong [2] mentioning the fabled 'sandblasting attack'. It turns out that zcash put out a ZIP zips.z.cash/zip-0317 with what seems to me extraordinary content: it says not that there is some resource limit for blocks, but that individual transactions *should* be treated thusly: fee should be linear in number of ins/outs, but 2 outs should be treated like one (for a privacy reason), that certain types of transactions (their different shielded pools) should not be discriminated against, and they disrecommend relay of transactions with other fees, and then give a long RECOMMENDED section to miners on how to construct blocks. This is totally nuts - the miner incentive is always to maximize fee revenue, and while it can be hard to work under that scenario sometimes, it's crazy to try to say things like randomize your candidate transactions and only take high paying txs in this ratio, or similar, as they do. Bear in mind that the sandblasting attack, which genuinely crippled the network afaik because they couldn't verify, in a normal node, as fast as the attacker could create transactions, happened because they had the insane idea of a flat fee for every individual transaction, no matter how big it was! (To be sure, they must have done that for better privacy, but it's an utterly broken concept.) These are some of the very smartest cryptographers in the world, and I am not exaggerating for effect, there. How did they get such batshit insane ideas (or lack of ideas?) about how a permissionless p2p network works?

[1] It's on the recent Zero Knowledge podcast, look it up.
[2] The recent BTCKVR podcast 'BitVM optimizations', around 35 minutes.

#cryptography #bitcoin #zcash

waxwing 6d

Interesting for sure! But why is it described as AI powered? Is that an essential component?

waxwing 13d

About extreme scenarios like 80% of btc stolen (- I'm going to ignore the "how do you measure it" part, though I suspect that'll come back to bite us at some point!): I mean there is presumably a failure mode where trust breaks down, but it's not really about a specific number or ratio. It's about whether there's any credibility that going forward, the system will be trustworthy. Anything above 30-40% is presumably disaster-level and the project *might* just kind of fall apart. But I really don't know. I just know that if you violate the core principle of private property you've mostly already lost. Maybe I'm wrong and everyone would love it, but what's the point in bitcoin in that case, I don't see it.

waxwing 11d

https://eprint.iacr.org/2022/1178 "We propose a new, unifying framework that yields an array of cryptographic primitives with certified deletion. These primitives enable a party in possession of a quantum ciphertext to generate a classical certificate that the encrypted plaintext has been information-theoretically deleted, and cannot be recovered even given unbounded computational resources." 🤯 #cryptography

waxwing 12d

I hardly ever use gpg any more, but I remember the subkey thing being a major pain point in having a correct mental model of wtf is going on.

waxwing 13d

On the DAO, ETC, ETH and my "bet": excellent point to raise, there. There is no doubt that the opposite side to my argument won. At the time as you'll remember it was just as obvious that it wouldn't have happened in BTC because of the "DNA" of what bitcoin even is, being so tied to uncensorability (let's not forget that it's a bit murky whether anything like "consensus" was actually reached in the ETH community; it might even be possible to characterise it as the equivalent to the new york agreement winning in btc's case; but I'd be willing to cede the opposite is possible, that the DAO coin "reassignment" was a community consensus). The DAO disaster just showed that there was a profound divergence between the communities at a not just technical but philosophical level. So yeah, another project which has a different, less pure concept of decentralization might reasonably define cutoff dates, but I don't think BTC should. It's against its nature and purpose. Concretely, the tradeoffs bitcoin's design makes (e.g. no onchain obfuscation; no onchain global state and complex contracting; slow block times; etc) are all in service of that. I know that this is a retelling of history - SN didn't seem to see it quite like that, but somehow designed it like that despite himself, lol.

waxwing 12d

https://files.catbox.moe/qgy1ni.pdf Perhaps it's a bit silly but I show here the full conversation I had yesterday with Claude, in which I asked it to teach me Groth16 (the most famous ZKP system). It's a little cheat-y in that I had already "overview" studied it, more than once, but I always found the existing explanatory materials difficult to work through and lost track at some point. This time, with Claude actively teaching me, I can confidently say I have a solid understanding of the whole system, after one single day. In my opinion LLMs are great for these things: Search, learning and language (incl. code). They can seem ludicrously brilliant at all of these, but in each case you have to be wary of different variants of the same flaw: their inability to notice their weak spots. In learning Spanish I get 97% perfect explanations/answers/translations, but with certain obscure slang it might resolutely refuse to accept the existence of the phrase I'm referring to. In this Groth16 conversation it slips up with a specific equation/algebraic notation (it says it was 'sloppy'; I'd say it was wrong) halfway through, in a way a human professor wouldn't. In search I'm not as sure as I don't use it as much, you could argue semantics and say it's not really the one doing the search, but I bet it slips up in a similar way there too. I don't think this kind of flaw is the real story, though. The real story is that if you frame your request properly, and you engage seriously and reflectively, you have access to a teacher that is a decent simulation of a high-level expert, in a one-on-one session. If you actually want to learn something, I do think you should do as I did here and ask it to "teach me X based on the fact that my background is roughly Y (so it can pitch at the right level), and ask concept-checking questions along the way". (btw this is not a commentary about Claude vs others .. I think this kind of job can be done ~ equally by all the latest models).

I have to emphasize how natural this felt. I really felt like I was talking to a teacher that was listening carefully to my responses and engaging with them. Among a number of notable moments in the conversation, this one in particular, after the aforementioned algebra screwup, stood out to me: I asked "yes. back to Q13. rewrite it if necessary, otherwise I'll just keep thinking." and it responded after a few seconds: "{Claude:} The question stands as is. Take your time." A reasonable push-back on this example is that I chose something that has been described and discussed on the 'net a lot over the last 8+ years - certainly no other ZKP system has as much material. So it's showing the best it can be. If you discuss cutting-edge research with it, you're in *much* more dangerous territory.

waxwing 14d

I disagree about fork choice. People will choose a version of bitcoin where there is zero human governance over coin issuance and coin ownership. If my bet is wrong there is very little value left in bitcoin as a system. It doesn't matter if Bitcoin "looks like chumps" or whatever. It matters that it has integrity as a system. "Miraculously" it has somehow maintained that for a long time. I do agree though that it'll be a disaster if we don't have any viable migration by the time QC hits, but, meh, it seems ridiculously far off. Glad some people are working on it.

waxwing 13d

I think it depends how far it goes. At the extreme a perfectly trustless sidechain or rollup of some flavor will be the best way to transact with bitcoin. Actual scalability and privacy. What they're aiming at right now is, I agree, just a high tech implementation of a bridge with maybe better security properties than those that already exist.

waxwing 14d

I see several things wrong with this pov. First, stop assuming they're Satoshi's. We don't know that. Second, when/if they are spent, we won't know how the private key was known to the spender. Quantum's existence won't change that epistemic limitation. Third, there is no "we" to make such a choice. No group of people have the right to confiscate coins, no matter how rational the reason. And to *anyone* (not Matt specifically) who is worried about the market effect of huge selling, consider the market effect of the precedent of freezing coins at the protocol layer. Everything is a one-time exception until it isn't. Notice that that last point is not wrong because "if QC then all btc is worthless"; we are discussing the scenario of there being a migration path but old plain pubkey holders don't use it.

waxwing 13d

Oh you said improve not remove. OK. Seems like a performance difference not a trust difference.

waxwing 29d

Warning: do NOT use travala.com any more, if you did. They directly stole my money. Here is my response to the customer service agent:

(Customer service agent),

> Sorry for the delay, im ahmed from compliance department, for refund or either processing the booking, the verification is a mandatory step, we require the minimum and basic info for that, and you can pass it easily through the following link :

Let's establish the facts: I have been a regular customer of Travala for years, have done probably a hundred or more bookings through your site - mentioning this *not* to claim some status as a customer (which I do not want, and do not have), but to point out that ZERO times on the website or through any of those transactions was it mentioned that you could simply keep my money and provide no service - i.e. STEAL my money - if I did not pass a verification process - handing over extensive and intrusive personal documents - that you never documented anywhere. And indeed for this booking, again, no such advance warning was given. So you (that is to say Travala, not you personally!) act exactly as a kidnapper: to give me back the money which is mine, you insist that I hand over security sensitive information. Which I will not do. There is an endless stream of documented violent theft events against cryptocurrency holders, so spreading one's personal information is stupid, and any claim you make to "keep my data safe" is ridiculous, given the equally endless stream of reported hacking events. I do not trust your company with my personal information because I don't trust *any* company with it. I have been doing Bitcoin development work for over a decade, I will make sure that a lot of people in the community know that Travala steals its customers' money, directly, with no apology. Feel free to pass this message to any management, I would appreciate that.

(me)

waxwing 13d

Right. But does it actually remove the DV part? It's still describing a protocol between a prover and verifier, and it's still describing use of a 2PC between them, just the circuit they're garbling is a much different and simpler one (in fact so simple it's just a single multiplication). So the verifier's secret needs to be there at setup, so it's a DV. Correct me if I'm wrong. Paper is huge 😁

waxwing 13d

A bit of an update/nuance on the below, after continuing to read more about this new field: it's a valuable correction to say "this is not just like a federated sidechain: you can get a 1 out of n trust model, not only a majority/quorum". Indeed, you can, though I would caution that you have to reflect on the security limitations of having a designated set of verifiers, even if only 1 of them has to be honest (I think that model is not bad at all for setup, but for continuous operation it's not so great; think: "men with guns"). Also worth noting that a related paper was released shortly after, using a different trick (witness encryption, pretty exotic stuff) but based on the same general ideas: https://eprint.iacr.org/2026/065.pdf

waxwing 14d

I disagree with that framing at the end, it feels illogical. It's not necessary for everyone to agree on what level of security to use, it's a lot more nuanced than that (trivial example: hashed addresses vs not, pre-QC consideration; it was never a trivial question. Remember Nicolas Courtois' scaremongering?). And there is no requirement for any specific users to move out of existing coins to be able to say "bitcoin has the functionality required to keep your coins secure". Bitcoin has never yet required people to move their coins, don't forget. And to illustrate more concretely, the part you put in quotation marks: that describes me, I think that, but I don't agree with what follows: I don't prefer the fork "with fewer coins sold", I think that's a non sequitur (not that it can't follow, I mean that it doesn't logically follow), *and* I think it's the ethically wrong position, too, *and* I think long term it's a vector of failure for the project in its goals.

Welcome to waxwing spacestr profile!

About Me

Bitcoin, cryptography, Joinmarket etc.
