On Tue, Dec 09, 2025 at 11:32:48AM -0800, Boris Nagaev wrote:
> Hi waxwing/AdamISZ,
> 
> On incentives: agreed that "good" only matters if it's an equilibrium. The 
> aim is to shape early design choices so the incentive-compatible 
> equilibrium includes DA and forced publication, rather than slipping into a 
> DA-weak equilibrium where only a few parties hold full data.

Exactly.

Furthermore I want to be clear that in this context, the existence of strong ZK
math is an *exploit* on the Bitcoin protocol, in much the same way that a
mathematical advancement that could be used to break SHA256 preimage security
is also an exploit on the Bitcoin protocol.

It may be the case that the power of ZK techniques is sufficiently strong that
Bitcoin needs to be redesigned to mitigate them; there is even a small chance
that this is not possible and Lightning/HTLCs eventually become insecure due to
it. No different than how there is a small chance that quantum computing
relevant to cryptography turns out to be real and numerous protocols become
insecure due to it.

> > what if mining was done just on an accumulator over the utxo set, instead 
> of the utxo set itself?
> 
> If miners and nodes only see an UTXO accumulator, how do HTLCs survive? The 
> HTLC success spend path needs the preimage to be revealed and readable. How 
> does this fit in an accumulator-only mining model, and what forces 
> publication so the payer can claim its incoming HTLC?

More generally, if mining is just an accumulator, how do we preserve censorship
resistance? It's unlikely that the underlying math of the accumulator allows
anyone to mine a new block with exactly as much data as is required to verify
the accumulator. 

Recently I met someone who told me that his company needed a full archival node
of the Solana (IIRC) blockchain. That is, *all* Solana transactions going back
in time, sufficient to verify everything. They had a very large budget for
this, millions of dollars if necessary. Apparently after months of trying they
concluded that the task was actually impossible, because the very few people
who have that data set are unwilling to provide it under any circumstance short
of just buying a company with a copy of the data. It's just too much data for
the incentives of volunteer nodes to have held.

ZK technology certainly could do the same thing to Bitcoin in the right
circumstances, e.g. the attempts by the Knots crowd to completely remove
certain transactions from Bitcoin.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org

-- 
You received this message because you are subscribed to the Google Groups 
"Bitcoin Development Mailing List" group.
To view this discussion visit 
https://groups.google.com/d/msgid/bitcoindev/aTl8Y7p4qtYAsHbP%40petertodd.org.