Last Notes
Oh, and in case you were wondering, isn't something like the witness discount similar? The answer is a resounding no! Think about it - what the witness discount controls is *how much stuff can go into a block* and is therefore a *global* consensus rule. If miners break it they fork off. Here, what the ZIP is discussing is having everyone sing kumbaya and agree on what kinds of fees are fair, reasonable and keep good privacy and DDoS resistance for everyone. It'll work fine, until it doesn't.
#nevent1q…4gl3
I discovered something quite remarkable today after listening to podcasts with Sean Bowe [1] describing the new Tachyon system and then one today with Ying Tong [2] mentioning the fabled 'sandblasting attack'. It turns out that Zcash put out a ZIP, zips.z.cash/zip-0317, with what seems to me extraordinary content: it says not that there is some resource limit for blocks, but that individual transactions *should* be treated thusly: the fee should be linear in the number of ins/outs, but 2 outs should be treated like one (for a privacy reason), certain types of transactions (their different shielded pools) should not be discriminated against, and they recommend against relaying transactions with other fees, and then give a long RECOMMENDED section to miners on how to construct blocks. This is totally nuts - the miner incentive is always to maximize fee revenue, and while it can be hard to work under that scenario sometimes, it's crazy to try to say things like "randomize your candidate transactions and only take high-paying txs in this ratio", or similar, as they do. Bear in mind that the sandblasting attack, which genuinely crippled the network afaik because a normal node couldn't verify as fast as the attacker could create transactions, happened because they had the insane idea of a flat fee for every individual transaction, no matter how big it was! (To be sure, they must have done that for better privacy, but it's an utterly broken concept.)
These are some of the very smartest cryptographers in the world, and I am not exaggerating for effect, there. How did they get such batshit insane ideas (or lack of ideas?) about how a permissionless p2p network works?
[1] It's on the recent Zero Knowledge podcast, look it up. [2] The recent BTCKVR podcast 'BitVM optimizations', around 35 minutes.
#cryptography #bitcoin #zcash
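To make the fee rule being criticised above concrete, here is an added worked example (written for this page; it is not from the post and not Zcash's own code) implementing the ZIP 317 "conventional fee" formula as the ZIP states it: 5000 zatoshis per "logical action" with a grace allowance of 2 actions, transparent inputs and outputs counted by total byte size divided by the P2PKH sizes 150 and 34, JoinSplits counted twice, and each shielded pool counted as max(spends, outputs). The sample transactions below are constructed for illustration; the 1000 zatoshi flat fee is the per-transaction default that ZIP 317 replaced.

```python
from math import ceil

# ZIP 317 constants (zatoshis / counts), as given in the ZIP text at zips.z.cash/zip-0317.
MARGINAL_FEE = 5000          # fee per logical action
GRACE_ACTIONS = 2            # every transaction pays for at least this many actions
P2PKH_INPUT_BYTES = 150      # divisor applied to total transparent input size
P2PKH_OUTPUT_BYTES = 34      # divisor applied to total transparent output size
LEGACY_FLAT_FEE = 1000       # the flat per-transaction default fee that ZIP 317 replaced


def logical_actions(tin_bytes=0, tout_bytes=0, n_joinsplit=0,
                    n_sapling_spends=0, n_sapling_outputs=0, n_orchard_actions=0):
    """Count ZIP 317 'logical actions' for one transaction.

    Transparent side: the larger of the input-size and output-size buckets.
    Shielded pools: max(spends, outputs) for Sapling, one per Orchard action,
    two per Sprout JoinSplit.  Taking a max rather than a sum is the
    'two outputs count like one' behaviour the post refers to.
    """
    transparent = max(ceil(tin_bytes / P2PKH_INPUT_BYTES),
                      ceil(tout_bytes / P2PKH_OUTPUT_BYTES))
    return (transparent
            + 2 * n_joinsplit
            + max(n_sapling_spends, n_sapling_outputs)
            + n_orchard_actions)


def conventional_fee(**tx):
    """ZIP 317 conventional fee in zatoshis: marginal fee times max(grace, actions)."""
    return MARGINAL_FEE * max(GRACE_ACTIONS, logical_actions(**tx))


# Constructed sample transactions (transparent sizes assume P2PKH: input 150 B, output 34 B).
SAMPLE_TXS = {
    "t_1in_1out":   dict(tin_bytes=150,  tout_bytes=34),
    "t_1in_2out":   dict(tin_bytes=150,  tout_bytes=68),     # payment + change
    "t_10in_1out":  dict(tin_bytes=1500, tout_bytes=34),
    "t_1in_100out": dict(tin_bytes=150,  tout_bytes=3400),   # sandblasting-style fan-out
    "sapling_1_2":  dict(n_sapling_spends=1, n_sapling_outputs=2),
    "orchard_2":    dict(n_orchard_actions=2),
}


def fee_table():
    """Return {name: (zip317_fee, legacy_flat_fee)} for the constructed samples."""
    return {name: (conventional_fee(**tx), LEGACY_FLAT_FEE)
            for name, tx in SAMPLE_TXS.items()}


if __name__ == "__main__":
    for name, (new, old) in fee_table().items():
        print(f"{name:14s} ZIP317={new:7d} zat   flat={old} zat")
```

Running it shows the two points the post is making: small transactions (1-in-1-out, 1-in-2-out, a 1-spend/2-output Sapling transfer, a 2-action Orchard transfer) all pay the same 10000 zatoshis because of the grace allowance, while a 100-output fan-out pays 500000 zatoshis under ZIP 317 versus 1000 under the old flat fee. Note that nothing here is a consensus rule; it is the fee a wallet is expected to pay and a node is expected to relay.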
Interesting for sure! But why is it described as AI powered? Is that an essential component?
https://eprint.iacr.org/2022/1178 "We propose a new, unifying framework that yields an array of cryptographic primitives with certified deletion. These primitives enable a party in possession of a quantum ciphertext to generate a classical certificate that the encrypted plaintext has been information-theoretically deleted, and cannot be recovered even given unbounded computational resources." 🤯
#cryptography
I hardly ever use gpg any more, but i remember the subkey thing being a major pain point in having a correct mental model of wtf is going on.
https://files.catbox.moe/qgy1ni.pdf
Perhaps it's a bit silly but I show here the full conversation I had yesterday with Claude, in which I asked it to teach me Groth16 (the most famous ZKP system). It's a little cheat-y in that I had already "overview" studied it, more than once, but I always found the existing explanatory materials difficult to work through and lost track at some point. This time, with Claude actively teaching me, I can confidently say I have a solid understanding of the whole system, after one single day.
In my opinion LLMs are great for these things: Search, learning and language (incl. code). They can seem ludicrously brilliant at all of these, but in each case you have to be wary of different variants of the same flaw: their inability to notice their weakspots. In learning Spanish I get 97% perfect explanations/answers/translations, but with certain obscure slang it might resolutely refuse to accept the existence of the phrase I'm referring to. In this Groth16 conversation it slips up with a specific equation/algebraic notation (it says it was 'sloppy'; I'd say it was wrong) halfway through, in a way a human professor wouldn't. In search I'm not as sure as I don't use it as much, you could argue semantics and say it's not really the one doing the search, but I bet it slips up in a similar way there too.
I don't think this kind of flaw is the real story, though. The real story is that if you frame your request properly, and you engage seriously and reflectively, you have access to a teacher that is a decent simulation of a high-level expert, in a one-on-one session. If you actually want to learn something, I do think you should do as I did here and ask it to "teach me X based on the fact that my background is roughly Y (so it can pitch at the right level), and ask concept-checking questions along the way".
(btw this is not a commentary about Claude vs others .. I think this kind of job can be done ~ equally by all the latest models).
I have to emphasize how natural this felt. I really felt like I was talking to a teacher that was listening carefully to my responses and engaging with them. Among a number of notable moments in the conversation, this one in particular, after the aforementioned algebra screwup, stood out to me: I asked "yes. back to Q13. rewrite it if necessary, otherwise I'll just keep thinking." and it responded after a few seconds: "{Claude:} The question stands as is. Take your time."
A reasonable push-back on this example is that I chose something that has been described and discussed on the 'net a lot over the last 8+ years - certainly no other ZKP system has as much material. So it's showing the best it can be. If you discuss cutting-edge research with it, you're in *much* more dangerous territory.
I think it depends how far it goes.
At the extreme a perfectly trustless sidechain or rollup of some flavor will be the best way to transact with bitcoin. Actual scalability and privacy.
What they're aiming at right now is, I agree, just a high tech implementation of a bridge with maybe better security properties than those that already exist.
Oh you said improve not remove. OK. Seems like a performance difference not a trust difference.
Right. But does it actually remove the DV part? It's still describing a protocol between a prover and verifier, and it's still describing use of a 2PC between them, just the circuit they're garbling is a much different and simpler one (in fact so simple it's just a single multiplication). So the verifier's secret needs to be there at setup, so it's a DV.
Correct me if I'm wrong. Paper is huge 😁
About extreme scenarios like 80% of btc stolen (- I'm going to ignore the "how do you measure it" part, though I suspect that'll come back to bite us at some point!): I mean there is presumably a failure mode where trust breaks down, but it's not really about a specific number or ratio. It's about whether there's any credibility that going forward, the system will be trustworthy. Anything above 30-40% is presumably disaster-level and the project *might* just kind of fall apart. But I really don't know. I just know that if you violate the core principle of private property you've mostly already lost. Maybe I'm wrong and everyone would love it, but what's the point of bitcoin in that case, I don't see it.
On the DAO, ETC, ETH and my "bet": excellent point to raise, there. There is no doubt that the opposite side to my argument won. At the time, as you'll remember, it was just as obvious that it wouldn't have happened in BTC because of the "DNA" of what bitcoin even is, being so tied to uncensorability (let's not forget that it's a bit murky whether anything like "consensus" was actually reached in the ETH community; it might even be possible to characterise it as the equivalent of the New York Agreement winning in btc's case; but I'd be willing to cede the opposite is possible, that the DAO coin "reassignment" was a community consensus). The DAO disaster just showed that there was a profound divergence between the communities at a not just technical but philosophical level. So yeah, another project which has a different, less pure concept of decentralization might reasonably define cutoff dates, but I don't think BTC should. It's against its nature and purpose. Concretely, the tradeoffs bitcoin's design makes (e.g. no onchain obfuscation; no onchain global state and complex contracting; slow block times; etc.) are all in service of that. I know that this is a retelling of history - SN didn't seem to see it quite like that, but somehow designed it like that despite himself, lol.
A bit of an update/nuance on the below, after continuing to read more about this new field: it's a valuable correction to say "this is not just like a federated sidechain: you can get a 1 out of n trust model, not only a majority/quorum". Indeed, you can, though I would caution that you have to reflect on the security limitations of having a designated set of verifiers, even if only 1 of them has to be honest (I think that model is not bad at all for setup, but for continuous operation it's not so great; think: "men with guns"). Also worth noting that a related paper was released shortly after, using a different trick (witness encryption, pretty exotic stuff) but based on the same general ideas: https://eprint.iacr.org/2026/065.pdf
#nevent1q…0dmy
Right. But it wasn't practically feasible. I think that's a fair statement.
I disagree with that framing at the end, it feels illogical. It's not necessary for everyone to agree on what level of security to use, it's a lot more nuanced than that (trivial example: hashed addresses vs not, pre-QC consideration; it was never a trivial question. Remember Nicolas Courtois' scaremongering?). And there is no requirement for any specific users to move out of existing coins to be able to say "bitcoin has the functionality required to keep your coins secure". Bitcoin has never yet required people to move their coins, don't forget. And to illustrate more concretely, the part you put in quotation marks: that describes me, I think that, but I don't agree with what follows: I don't prefer the fork "with fewer coins sold", I think that's a non sequitur (not that it can't follow, I mean that it doesn't logically follow), *and* I think it's the ethically wrong position, too, *and* I think long term it's a vector of failure for the project in its goals.
I disagree about fork choice. People will choose a version of bitcoin where there is zero human governance over coin issuance and coin ownership. If my bet is wrong there is very little value left in bitcoin as a system.
It doesn't matter if Bitcoin "looks like chumps" or whatever. It matters that it has integrity as a system. "Miraculously" it has somehow maintained that for a long time.
I do agree though that it'll be a disaster if we don't have any viable migration by the time QC hits, but, meh, it seems ridiculously far off. Glad some people are working on it.
I see several things wrong with this pov. First, stop assuming they're Satoshi's. We don't know that. Second, when/if they are spent, we won't know how the private key was known to the spender. Quantum's existence won't change that epistemic limitation. Third, there is no "we" to make such a choice. No group of people have the right to confiscate coins, no matter how rational the reason.
And to *anyone* (not Matt specifically) who is worried about the market effect of huge selling, consider the market effect of the precedent of freezing coins at the protocol layer. Everything is a one-time exception until it isn't.
Notice that that last point is not wrong because "if QC then all btc is worthless"; we are discussing the scenario of there being a migration path but old plain pubkey holders don't use it
A second round of Glock review/reading to better .. grok? .. what the hell this stuff is. The TLDR is that, afaik, there is still no there there. I don't mean that this research isn't incredibly impressive and exciting; at least to my dumb eyes, it is. I mean that it hasn't created the dream scenario of verifying arbitrary off-chain contract execution with negligible onchain cost. It *almost* has done this: it allows you to verify a SNARK, post the proof somewhere offchain and have people be able to punish you onchain if you lie. All that happens without nasty onchain costs like in BitVM and similar. But there's a crucial detail: the SNARK we're talking about here is "designated verifier"; so it's not public verification, it's more like a sidechain where you trust an entity or a federation to enforce the rules. Obviously, that in itself is not really interesting to most people.
The new follow-up "Argo MAC" paper ( https://eprint.iacr.org/2026/049.pdf ) is really in the weeds (though if like me you find elliptic curve endomorphisms interesting then .. it's fun!) but it *does* change the above crudely described system from "impractical" to "probably completely practical" - because the garbled circuit stuff suddenly went from 100s of GBs to 10s of MBs. But the DV nature of the SNARK is not changed by it .. so the open question is "can you replace the DV-SNARK with a publicly verifiable SNARK" and I have no idea of the answer except, the verifier circuit has to be small and that's .. hard?
if anyone out there (not *that* unlikely) can correct or refine that description, I'd be grateful.
#cryptography #bitcoin
https://old.reddit.com/r/LocalLLaMA/comments/1oqi4qp/comment/nofbwx1/
For completeness:
In response to "we will come back to this, but first, i'm disappointed that you have the same "AI slop" writing style as other commercial models (no real problem in communication, but stereotypical). i'm curious, what is the origin of this LLM model?" it said "Fair. I'm Claude 3.5 Sonnet, built by Anthropic. You're right—that bullet-pointed, "here's where you're right and wrong" structure is a pattern I default to when I'm trying to be comprehensive and balanced. It's the LLM equivalent of a corporate presentation: clear, but soulless."
Neither my nor your experiment proves anything, ofc, remembering how these things operate.
Not too surprising to see variation, in itself. I think I asked it which LLM it was, and it was quite specific ... Claude 3.5 from Anthropic.
Waiting for the Kratter video to educate me on where you went wrong here.
See #nevent1q…hzfw
... seems relevant!
I asked K2 what model it is and it said it was claude 3.5.
Is it like an open source version or something? Hmm that doesn't make sense.
Right. If the content is actually tied to your personal life it's gonna be super tough. There could still be value in separation between sessions though, so, tor could be something for that.
I have run open source LLMs locally for free. The performance can't match, not even in the same ballpark (hence me mentioning $20K etc) ... or did I misunderstand you?
Maple.ai via Tor with anon account paid for with Lightning.
I think this is a decent tradeoff against the appalling reality of what most of us are doing, giving personal data to OpenAI, Anthropic etc.
The at-home build isn't viable for real work except if you pay like $20K and sink time into it (and even then).
Also I'm not shilling maple here .. it probably can't give you the same level of convenience etc. But maybe close, I think?
Opinions?
#asknostr
Lol, yes, you got it. The gender bit is dropped :)
It's a mix of everything. There is a lot of pre-European naming, but then you have not only Spanish influence but also Italian (in the south) and even African. A good example might be aguacate for avocado, which is old Nahuatl, but it's palta in Argentina. Chocolate is another famous one that's from Nahuatl I think. Meanwhile 'green beans' have literally 4 completely different names, no joke.
English nouns are basically the x-only pubkeys of European languages.
That's cool. It reminds me of something interesting: even though it's the same language, across Latin America there is a huge variety of words for certain common fruits and vegetables. And some everyday items too, like a straw. But I noticed it especially with vegetables.
I'll write something on the issue shortly.
I was a Linux user for years before I found out 😆
It will have mysteriously gone missing, so it'll be a moot point.
There's something hilarious about this: I went to kalshi.com out of curiosity to see how bets are set up. In their "Crypto" section they have a bet on whether Satoshi will move his coins. Never mind the ludicrous way in which everyone assumes they know which coins belong to Satoshi (I mean, apart from the origin of the Hal payment, that's pretty much the only one we know "for sure"), just look at the terms of the contract https://kalshi-public-docs.s3.amazonaws.com/contract_terms/SATOSHI.pdf (both the "Source Agent" - Coinbase and Kraken, wow! - and especially the "Contingency" at the bottom!). And here's the supposed source: https://intel.arkm.com/explorer/entity/satoshi-nakamoto . I guess people just like gambling on, well, anything.
Right, it's certainly fair to question everything from that perspective. Trump is acting 95%+ from the perspective of US interests, which isn't going to (necessarily) align with Venezuelans' interests.
I live in South America and even before this event, the diaspora (which is enormous on this continent, guess why) was massively in favor of his removal by force.
'Do they care about Venezuelans?'. Do you? Are you paying attention to the reaction of Venezuelans?
Ha! I was just thinking this morning that I would expect this to have happened.
Insider trading is not a crime (I mean that in every sense except the literal one).
See Peter's reply. Very plausibly new EU regs are involved, though I'm just guessing.
Yeah sorry can't fix it rn.
Bit too much, prefer not to say more.
No, at least, they never did. Just email.
Yes, I am 90% sure this was the cause - though as you know, we are forced to guess!
About the LN fees: it's a bit more than a nice starter I think! It would make the system an order of magnitude more useful imo (no fee fingerprint on chain) but I'm curious what you have in mind for how it could work. The way I saw it you essentially would need something equivalent to a submarine swap but with privacy, which means adaptors, which means PTLC and taproot and Schnorr (I'm thinking: payment secret is revealed by publishing the signature for the coinjoin). Even if that line of thinking is coherent, it's not only complex to implement, but relies on things that don't exist. Perhaps it could be done with ECDSA adaptors, which do exist, but .. well I hope it's already obvious why I always saw it as kind of "out there". Do you have something simpler (or just, better) in mind?
Good question! After. I see what you mean, new regs right?
Ah some nice stuff in the README, like it!
Thoughts on Lightning network integration that you mentioned alongside CJXT, there? A number of different things are possible, I'm curious what you're most interested in.
I wish I could say no company in the past did this ... but at least you didn't use to hear about it so much with retail services like this. Sigh.
Nice to see! Apart from the code itself, did you have ideas about changing things architecturally? Thinking especially about the communication layer.
Well anyway I will read your repo a bit :)