Nostr Archives

waxwing

675b84…e1d728
1.1k followers · 580 following · 344 notes · 735 received

Bitcoin, cryptography, Joinmarket etc.

344 notes total

waxwing, 2d ago
An interesting point about this: there's a reason bitcoin devs tried quite strenuously, and eventually succeeded several years ago, in removing all openssl dependency from the bitcoin project. It's the nature of some of the truly awful protocols (ASN.1, X.509, etc. etc.) that openssl had to, or chose to, support. So yes, a very natural and correct reaction is "holy shit what happens when people find similar bugs in the consensus layer of bitcoin", but it's also true that it's a very controlled and very stress-tested surface area that removed stuff that was problematic. It's also true that even 1 small bug could be catastrophic. I guess we'll see! 📝 8cdc5bd2…

waxwing, 10d ago
I think we need a new word for the specific kind of mental anguish I experience when I scroll through twitter and find that every long post (the ones I always gravitated to, because it usually correlated with someone having something to say) is in the "that's not X - it's Y" prose style that is so transparently LLM speak. It really is painful at this point and it's completely endemic. I know we have "slop" but I never really liked that, it's not the content (sometimes, the content is interesting), it's the style and emotional timbre. I put up with it when an LLM is giving me some useful info in my interaction with it, but please for the love of god, write your prose yourself, even if all the info is coming from that source.

waxwing, 20d ago
I'm not really sure about this, but I think I'm in a slowly growing group of people who are gravitating to this thesis: between witness encryption (WE), functional encryption (FE) and indistinguishability obfuscation (iO), listed in increasing order of power and decreasing closeness to actual existence, there is a slowly clarifying path to bitcoin becoming practical. It's "practical" already, to be clear, especially with Lightning (confident in saying so, as I actually use it, unlike all the influencers on twitter). But that's quite limited. The potential future is one that's a lot more fun and a lot less about arguing with each other ... a bit like the very early days where for a lot of people Bitcoin felt very "the sky's the limit" in terms of introducing wacky new schemes and systems. A lot of that was kind of deluded, but at least it *was* fun, something that's a bit lacking "here" nowadays (yes you have it on nostr, sure, but nostr is not money!). If we even get the simplest of the 3, witness encryption, with enough generality, it could obviate the need for lots of arguments about op_codes and people will be able to build genuinely interesting offchain constructions where people can do things like super-low cost txs without any setup or collateral, or engage in bets or smart contracts etc. etc. .. with WE it's clunky because of the background onchain plumbing being a bit messier. With FE you can have the same things, or better, and it's a lot more streamlined, I think. But FE only exists in sort of toy form for now (so-called "inner product functional encryption" is very elegant but extremely limited, afaict). As for iO, it allows you to do .. basically exactly anything (every existing crypto primitive can be done with iO, and others too), which is probably why it remains just a theory for now. #bitcoin #cryptography

waxwing, 27d ago
For those of you who never saw it: this post from *1999* on the cypherpunks mailing list pretty much described bitcoin; it was, interestingly, in response to Adam Back saying that the most essential feature of ecash was not blinding, but non-confiscatability/bearer (reflecting that, unlike many, Back knows what "cash" actually means!). https://marc.info/?l=cypherpunks&m=95280154629912&w=2 Note that the post uses 2 spaces after the period :)

waxwing, 27d ago
Posting from Yakihonne. Do people see this? I'm having trouble seeing updates on Amethyst last few days. Posts and notifications don't seem to show up reliably (slow to show up, then disappear/reappear).

waxwing, 46d ago
Oh, and in case you were wondering, isn't something like witness discount similar? The answer is a resounding no! Think about it - what the witness discount controls is *how much stuff can go into a block* and is therefore a *global* consensus rule. If miners break it they fork off. Here what the ZIP is discussing is having everyone sing kumbaya and agree what kinds of fees are fair, reasonable and keep good privacy and ddos resistance for everyone. It'll work fine, until it doesn't. 📝 6feaeccb…

waxwing, 46d ago
I discovered something quite remarkable today after seeing podcasts with Sean Bowe [1] describing the new tachyon system and then one today with Ying Tong [2] mentioning the fabled 'sandblasting attack'. It turns out that zcash put out a ZIP zips.z.cash/zip-0317 with what seems to me extraordinary content: it says not that there is some resource limit for blocks, but that individual transactions *should* be treated thusly: fee should be linear in number of ins/outs, but 2 outs should be treated like one (for a privacy reason), that certain types of transactions (their different shielded pools) should not be discriminated, and they disrecommend relay of transactions with other fees, and then give a long RECOMMENDED section to miners on how to construct blocks. This is totally nuts - the miner incentive is always to maximize fee revenue, and while it can be hard to work under that scenario sometimes, it's crazy to try to say things like randomize your candidate transactions and only take high paying txs in this ratio, or similar, as they do. Bear in mind that the sandblasting attack, which genuinely crippled the network afaik because they couldn't verify, in a normal node, as fast as the attacker could create transactions, happened because they had the insane idea of a flat fee for every individual transaction, no matter how big it was! (to be sure, they must have done that for better privacy, but it's an utterly broken concept). These are some of the very smartest cryptographers in the world, and I am not exaggerating for effect, there. How did they get such batshit insane ideas (or lack of ideas?) about how a permissionless p2p network works? [1] It's on the recent Zero Knowledge podcast, look it up. [2] The recent BTCKVR podcast 'BitVM optimizations', around 35 minutes. #cryptography #bitcoin #zcash

waxwing, 55d ago
https://eprint.iacr.org/2022/1178 "We propose a new, unifying framework that yields an array of cryptographic primitives with certified deletion. These primitives enable a party in possession of a quantum ciphertext to generate a classical certificate that the encrypted plaintext has been information-theoretically deleted, and cannot be recovered even given unbounded computational resources." 🤯 #cryptography

waxwing, 57d ago
https://files.catbox.moe/qgy1ni.pdf Perhaps it's a bit silly but I show here the full conversation I had yesterday with Claude, in which I asked it to teach me Groth16 (the most famous ZKP system). It's a little cheat-y in that I had already "overview" studied it, more than once, but I always found the existing explanatory materials difficult to work through and lost track at some point. This time, with Claude actively teaching me, I can confidently say I have a solid understanding of the whole system, after one single day. In my opinion LLMs are great for these things: search, learning and language (incl. code). They can seem ludicrously brilliant at all of these, but in each case you have to be wary of different variants of the same flaw: their inability to notice their weak spots. In learning Spanish I get 97% perfect explanations/answers/translations, but with certain obscure slang it might resolutely refuse to accept the existence of the phrase I'm referring to. In this Groth16 conversation it slips up with a specific equation/algebraic notation (it says it was 'sloppy'; I'd say it was wrong) halfway through, in a way a human professor wouldn't. In search I'm not as sure as I don't use it as much, you could argue semantics and say it's not really the one doing the search, but I bet it slips up in a similar way there too. I don't think this kind of flaw is the real story, though. The real story is that if you frame your request properly, and you engage seriously and reflectively, you have access to a teacher that is a decent simulation of a high-level expert, in a one-on-one session. If you actually want to learn something, I do think you should do as I did here and ask it to "teach me X based on the fact that my background is roughly Y (so it can pitch at the right level), and ask concept-checking questions along the way". (Btw this is not a commentary about Claude vs others .. I think this kind of job can be done ~ equally by all the latest models).

I have to emphasize how natural this felt. I really felt like I was talking to a teacher that was listening carefully to my responses and engaging with them. Among a number of notable moments in the conversation, this one in particular, after the aforementioned algebra screwup, stood out to me: I asked "yes. back to Q13. rewrite it if necessary, otherwise I'll just keep thinking." and it responded after a few seconds: "{Claude:} The question stands as is. Take your time." A reasonable push-back on this example is that I chose something that has been described and discussed on the 'net a lot over the last 8+ years - certainly no other ZKP system has as much material. So it's showing the best it can be. If you discuss cutting-edge research with it, you're in *much* more dangerous territory.

waxwing, 58d ago
A bit of an update/nuance on the below, after continuing to read more about this new field: it's a valuable correction to say "this is not just like a federated sidechain: you can get a 1 out of n trust model, not only a majority/quorum". Indeed, you can, though I would caution that you have to reflect on the security limitations of having a designated set of verifiers, even if only 1 of them has to be honest (I think that model is not bad at all for setup, but for continuous operation it's not so great; think: "men with guns"). Also worth noting that a related paper was released shortly after, using a different trick (witness encryption, pretty exotic stuff) but based on the same general ideas: https://eprint.iacr.org/2026/065.pdf 📝 1c9f0cf3…

waxwing, 59d ago
A second round of Glock review/reading to better .. grok? .. what the hell this stuff is. The TLDR is that, afaik, there is still no there there. I don't mean that this research isn't incredibly impressive and exciting; at least to my dumb eyes, it is. I mean that it hasn't created the dream scenario of verifying arbitrary off-chain contract execution with negligible onchain cost. It *almost* has done this: it allows you to verify a SNARK, post the proof somewhere offchain and have people be able to punish you onchain if you lie. All that happens without nasty onchain costs like in BitVM and similar. But there's a crucial detail: the SNARK we're talking about here is "designated verifier"; so it's not public verification, it's more like a sidechain where you trust an entity or a federation to enforce the rules. Obviously, that in itself is not really interesting to most people. The new follow-up "Argo MAC" paper ( https://eprint.iacr.org/2026/049.pdf ) is really in the weeds (though if like me you find elliptic curve endomorphisms interesting then .. it's fun!) but it *does* change the above crudely described system from "impractical" to "probably completely practical" - because the garbled circuit stuff suddenly went from 100s of GBs to 10s of MBs. But the DV nature of the SNARK is not changed by it .. so the open question is "can you replace the DV-SNARK with a publicly verifiable SNARK" and I have no idea of the answer except, the verifier circuit has to be small and that's .. hard? If anyone out there (not *that* unlikely) can correct or refine that description, I'd be grateful. #cryptography #bitcoin

waxwing, 66d ago
Maple.ai via Tor with anon account paid for with Lightning. I think this is a decent tradeoff against the appalling reality of what most of us are doing giving personal data to OpenAI, Anthropic etc. The at-home build isn't viable for real work except if you pay like $20K and sink time into it (and even then). Also I'm not shilling maple here .. it probably can't give you the same level of convenience etc. But maybe close, I think? Opinions? #asknostr

waxwing, 73d ago
Warning: do NOT use travala.com any more, if you did. They directly stole my money. Here is my response to the customer service agent:

(Customer service agent),

> Sorry for the delay, im ahmed from compliance department, for refund or either processing the booking, the verification is a mandatory step, we require the minimum and basic info for that, and you can pass it easily through the following link : <snipped>

Let's establish the facts: I have been a regular customer of Travala for years, have done probably a hundred or more bookings through your site - mentioning this *not* to claim some status as a customer (which I do not want, and do not have), but to point out that ZERO times on the website or through any of those transactions was it mentioned that you could simply keep my money and provide no service - i.e. STEAL my money - if I did not pass a verification process - handing over extensive and intrusive personal documents - that you never documented anywhere. And indeed for this booking, again, no such advance warning was given.

So you (that is to say Travala, not you personally!) act exactly as a kidnapper: to give me back the money which is mine, you insist that I hand over security sensitive information. Which I will not do. There are an endless stream of documented violent theft events of cryptocurrency holders, so spreading one's personal information is stupid, and any claim you make to "keep my data safe" is ridiculous, given the equally endless stream of reported hacking events. I do not trust your company with my personal information because I don't trust *any* company with it.

I have been doing Bitcoin development work for over a decade, I will make sure that a lot of people in the community know that Travala steals its customers' money, directly, with no apology. Feel free to pass this message to any management, I would appreciate that.

(me)

waxwing, 75d ago
Question for @Liana Wallet : why is the mnemonic stored unencrypted on the hard disk?

waxwing, 76d ago
Phoenix can't be mentioned in the same sentence as the others. It's an actual self-custodial lightning wallet that works, seamlessly.

"Outrageous fees": as an experiment, I went through my last 5 transactions.

Tx1: $2.22, fee: 14 sats
Tx2: $142, fee: 643 sats
Tx3: $141, fee: 641 sats
Tx4: $586, fee: 2644 sats
Tx5 (deposit on chain): $1555, fee: 210 sats

Does that seem outrageous to you? The $586 payment had a high fee of a little over $2, which is like 0.3%; Lightning is like that, it's percentage based. But "high": this is way lower than many other payment methods, and it's instant, sovereign and mainly private. Overall it's crazy to me that for years now, every time I recommend Phoenix, saying the actual tradeoff is a slightly worse privacy model (but really not bad), I hear people dismiss it as "crazy fees". Just because immediate onboarding (which is a one-time event) to an actually self sovereign wallet costs a couple of bucks doesn't mean "crazy fees"! You don't get everything working perfectly for zero dollars, sheesh. 📝 d52a324a…

waxwing, 96d ago
An ignored part of the current quantum computer fud^H^H debate, because it's a counterfactual: back in 2015-17 a lot of people got very excited about a proposal from Greg Maxwell to do "confidential transactions" on bitcoin. I was very much in the group of people both fascinated and excited about the prospect and went very deep down the rabbit hole on it, learning a lot about cryptography along the way. But the energy to even suggest a fork to include it slowly dissipated; my own personal reason for rejecting it was *not* the obvious "the range proofs are too large" (see: Bulletproofs, work that was heavily inspired by that scaling problem, though it ended up being far more significant w.r.t. "folding"). It was "Pedersen commitments are only computationally binding" [1], to put it another way an EC break means we get unbounded, invisible inflation. At the time it was fun to predict that Zcash had this failure mode and indeed it was borne out (look up their history if you don't know). It felt weird justifying this to people sometimes: "I don't want a bitcoin where amounts are not visible because the total might not add up" sounds Luddite ... I remember being asked on a panel by Giulia Fanti "are you scared that P=NP or something?" ... it was not felt to be a quite logical thing to worry about this, since we rely on EC in Bitcoin anyway ... and if we trust EC, the math of homomorphic commitments *guarantees* it adds up! But a computational bound on that is not OK. i.e. I don't want *any* computer to be able to break it! not just normal computers! - and that's exactly where a quantum computer comes in. I am FAR more worried about breaking bitcoin's fixed supply than about a million old P2PK coins getting stolen. Stealing is not minting. [1] A counterpoint is that ElGamal commitments exist, at the cost of even more space. But hey, it's still less space, by a huge margin, than current post quantum signature schemes! Something worth considering? #cryptography #bitcoin
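The "computationally binding" point in the post above, made concrete as an added example (this is not the post's own code, nor code from any Bitcoin or Zcash implementation). It uses a toy Schnorr group (p = 2039, q = 1019, generator 4) chosen small enough that the discrete log is a brute-force loop; that loop stands in for the hypothetical quantum computer. The group parameters, the amounts and the commitment layout are assumptions for illustration only. It shows the homomorphic sum check passing for an honest transaction, an attacker who knows log_G(H) passing the same check while minting 500 extra units out of nothing, and the ElGamal-style commitment from footnote [1] rejecting that forgery because its extra element pins the blinding factor.

```python
import hashlib
import secrets

# Toy Schnorr group, for illustration only: P = 2*Q + 1 with P and Q prime,
# G = 4 is a quadratic residue, so it generates the order-Q subgroup.
# The group is deliberately tiny so that "breaking the discrete log" is a
# brute-force loop; that loop stands in for a hypothetical quantum computer.
P = 2039
Q = 1019
G = 4


def hash_to_group(label: bytes) -> int:
    """Derive a second generator H with no known log_G(H) (nothing-up-my-sleeve).

    Squaring puts the hash output into the order-Q subgroup; 0 and 1 are skipped.
    """
    ctr = 0
    while True:
        k = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big") % P
        h = pow(k, 2, P)
        if h not in (0, 1):
            return h
        ctr += 1


H = hash_to_group(b"ct-demo-H")  # assumed label, not a real-world constant


def pedersen_commit(v: int, r: int) -> int:
    """Pedersen commitment C = G^v * H^r: hiding, but only computationally binding."""
    return pow(G, v, P) * pow(H, r, P) % P


def elgamal_commit(v: int, r: int) -> tuple:
    """ElGamal-style commitment (G^v * H^r, G^r): the extra element pins r, so it is perfectly binding."""
    return (pedersen_commit(v, r), pow(G, r, P))


def pedersen_balanced(inputs, outputs) -> bool:
    """Verifier's sum check: product of input commitments == product of output commitments."""
    lhs = 1
    for c in inputs:
        lhs = lhs * c % P
    rhs = 1
    for c in outputs:
        rhs = rhs * c % P
    return lhs == rhs


def elgamal_balanced(inputs, outputs) -> bool:
    """Same check on both components: balances only if sum(v) AND sum(r) match."""
    return (pedersen_balanced([c for c, _ in inputs], [c for c, _ in outputs])
            and pedersen_balanced([d for _, d in inputs], [d for _, d in outputs]))


def break_dlog(h: int) -> int:
    """Brute-force x with G^x = h. Feasible only because the group is toy-sized."""
    acc = 1
    for x in range(Q):
        if acc == h:
            return x
        acc = acc * G % P
    raise ValueError("element not in the order-Q subgroup")


def forge_blinding(in_vals, in_rands, out_vals, x):
    """With the trapdoor x = log_G(H), pick output blinding factors so that outputs
    worth MORE than the inputs still pass the Pedersen sum check.
    C = G^(v + x*r), so we need sum(v_out) + x*sum(r_out) == sum(v_in) + x*sum(r_in) (mod Q)."""
    r_out = [secrets.randbelow(Q) for _ in out_vals[:-1]]
    delta_v = (sum(in_vals) - sum(out_vals)) % Q
    last = (sum(in_rands) - sum(r_out) + delta_v * pow(x, -1, Q)) % Q
    return r_out + [last]


def demo() -> dict:
    # Honest transaction: 60 + 40 in, 70 + 30 out; blinding factors chosen to sum equally.
    in_vals, out_vals = [60, 40], [70, 30]
    in_r = [secrets.randbelow(Q), secrets.randbelow(Q)]
    out_r = [secrets.randbelow(Q)]
    out_r.append((sum(in_r) - out_r[0]) % Q)
    honest_ped = pedersen_balanced([pedersen_commit(v, r) for v, r in zip(in_vals, in_r)],
                                   [pedersen_commit(v, r) for v, r in zip(out_vals, out_r)])
    honest_eg = elgamal_balanced([elgamal_commit(v, r) for v, r in zip(in_vals, in_r)],
                                 [elgamal_commit(v, r) for v, r in zip(out_vals, out_r)])

    # Attacker with a DL break mints 500 extra units: outputs 70 + 30 + 500 against inputs of 100.
    x = break_dlog(H)
    bad_vals = [70, 30, 500]
    bad_r = forge_blinding(in_vals, in_r, bad_vals, x)
    inflated_ped = pedersen_balanced([pedersen_commit(v, r) for v, r in zip(in_vals, in_r)],
                                     [pedersen_commit(v, r) for v, r in zip(bad_vals, bad_r)])
    inflated_eg = elgamal_balanced([elgamal_commit(v, r) for v, r in zip(in_vals, in_r)],
                                   [elgamal_commit(v, r) for v, r in zip(bad_vals, bad_r)])
    return {"honest_pedersen": honest_ped, "honest_elgamal": honest_eg,
            "inflated_pedersen": inflated_ped, "inflated_elgamal": inflated_eg}


if __name__ == "__main__":
    print(demo())
```

The inflated Pedersen transaction balances because the verifier only ever sees G^(v + x·r), and once x is known the attacker can trade value for blinding at will; nothing on-chain distinguishes it from an honest transaction, which is the "invisible inflation" failure mode. The ElGamal variant pays for its binding with a second group element per commitment, the space cost the footnote refers to.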

waxwing, 99d ago
Linux desktop stuff is such a mystery to me. This honestly seems batshit insane, but in GTK3, it appears that if you use a FilePicker, something like (Rust here but w/e): rfd::FileDialog::new().set_directory(&my_specific_dir).pick_folder() ... it refuses to open the file picker in your specified directory. It just flat out ignores you, and *always* opens the dialog in its "Recent Items". So not complaining about a default (though it's a terrible one honestly), but the baffling decision to just ignore the developer's setting. I would love to find any justification of this anywhere, but I can't. This "documentation" ( https://docs.gtk.org/gtk3/method.FileChooser.set_current_… ) just points at a non-existent other documentation section to justify why you shouldn't use the function (Not "deprecated" but "warning, you'd better not use this function, but we won't tell you why!"). The code itself basically defaults to recent items, and that can *only* be overwritten with a GTK setting, outside of the developer's control, and here's the best bit: if you somehow get your user to override it, they can *only* change the location the FilePicker opens in, to $HOME! Your directory setting will still get ignored! Btw this restriction did not exist in the previous GTK version; they actively added it as an improvement. #linux

waxwing, 113d ago
I did this. It worked. Cool software! 📝 2d392f77…

waxwing, 114d ago
If you plan on creating a new tech/wallet/project in bitcoin, be sure to set aside several days to choose a name that isn't already taken by some altcoin or token.

waxwing, 118d ago
Gave a presentation last week on "purecoin", showing basically how a ~50% embedding rate in "pure" bitcoin transactions with no scripts is inevitable *even if* you force the outputs to prove they are not "fake". 'Fraid the audience had no idea what I was talking about, so I'll post the pdf here: https://files.catbox.moe/tpfc4x.pdf I must apologize for calling it a "very hard fork" because you could actually do it as a soft fork (thanks @Giacomo Zucco ) but it's hardly relevant. The point is that there is no version of Bitcoin, even a 99% crippled version of it that doesn't allow L2s, that does not allow data embedding, *except* one in which we completely change the cryptography to BLS (any deterministic signature scheme could in theory do it, but nobody is going to seriously suggest hash-based signatures or RSA FDH I think) (thanks @Zero-Knowledge Goof for thoughts on this), *and* totally cripple any programmability. And since quantum is coming (so they tell me!) I see basically no chance of this happening. #bitcoin #cryptography

Cuda⭐️ CosmicWhispersTheHiddenMindNunya BidnessMatchdayBuzzM✨️9x9 Bertha ReturnselsatBTheCoinsatiRRHRDVOTKirk🐉AT ₿01Nick SlaneyBb1f545…594b4eDimiDan⚡️22e2ced…526aaa