44
jerb
44479d8066b9de9c8086385bd411e6cf338366cb50e0266a4edf3d0b8b9fc828

I’ve thought about this. Probably the best counterargument is just that bitcoin is still too small to matter to fiat inflation/deflation/whatever. We’re still the fly on the elephant’s back.

This will change, and when it does, Saif’s smooth transition seems very plausible, and hopeful too. It’s contra “the system must collapse” which is a terrible message.

The idea that bitcoin puts competitive pressure on fiat to “get more hard” makes a ton of sense.

Point taken. But then miners couldn’t verify such a block in 10 minutes either, so it would never be added.

IBD has taken too long for awhile now. ZK rollups are a real solution.

5s is just meant to mean “way too long” for any computer, 5000ms is an eternity.

Replying to waxwing

https://github.com/kayabaNerve/fcmp-ringct/blob/develop/fcmp%2B%2B.pdf

New paper from some Monero researchers (really new it seems - update date is last week!), in which they're proposing to use CurveTrees (the same construct I put into aut-ct as per my recent work) to get much larger anonymity sets (and I do mean *much larger*, from like 10ish to 100000000!).

One very notable thing (to me) is that the very easy and natural secp/secq 2-cycle (you realistically need a 2 cycle of curves for CurveTrees), has to be replaced with something more complex, because their DJB ed25519 curve has a cofactor of 8 (yet again non prime order curve biting them on the ass, lol).

Another interesting tidbit is that they propose to use Liam Eagan's recent work https://eprint.iacr.org/2022/596  (posted almost contemporaneously with Curve Trees); I remember Andrew Poelstra pointing me at this work in '22 and I said to him "I don't understand this" and he responded "yeah it was difficult so I got Liam to come round to my house and explain it" 😁 .. so yeah i'm sure some people can follow the ideas there but I am alas not yet one of them :)

They've also done a review of the generalized bulletproofs construction that Kamp et al used in their CurveTrees implementation: https://github.com/cypherstack/generalized-bulletproofs

Also interesting is that they talk about achieving a "forward secrecy" property here, which linkable ring signatures can't have, by design: if a future ECDL breaker is found, it can always see the trace of payments in prior Monero because the linking tag reveals the private key if you can crack ECDLP. I'm not sure how this works but I believe it's to do with the Liam Eagan research just mentioned.

Finally, the extremely esoteric and dense mathematical concepts aside, it's worth mentioning a 1000 ft view: this proposal ditches ring signatures (and somehow they get backwards compatibility for the historical chain, though I absolutely don't understand that yet), and goes to a full ZKP proving system (bulletproofs arithmetic circuits) for full anon set. I can't help wondering if this direction makes sense - if we look at Zcash, they do the same thing, but using bilinear pairings they can get far more performant proof, proof size and verification stats, I believe (but, curvetrees can be very efficient so I'm not 100% sure about the details here). Ring sigs, as I've observed elsewhere, even with the fanciest algorithms, never quite cut it at the verification step to be able to support huge anonymity sets. If you're going to ditch them, you may just as well go with a Zcash style design, no?
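The "secp/secq 2-cycle" waxwing mentions above is the property that the scalar field of each curve is the base field of the other: secp256k1 is y^2 = x^3 + 7 over F_P with group order N, and secq256k1 is the same equation over F_N with group order P. Because both have cofactor 1, every non-identity point has the full prime order, so multiplying any point by the other curve's modulus must give the point at infinity. The script below is an added example written for this page (it is not code from the post, from aut-ct, or from the fcmp++ paper) that checks exactly that with plain affine arithmetic; the secq256k1 point it uses is found by scanning x-coordinates, since the example assumes no standard generator for that curve.

```python
"""Constructed check that secp256k1 and secq256k1 form a 2-cycle of curves.

Both curves are y^2 = x^3 + 7.  secp256k1 lives over F_P and has prime group
order N; secq256k1 lives over F_N and has prime group order P.  Neither curve
has a cofactor, so any non-identity point has the full prime order, and the
cycle shows up as: N * G_secp == O over F_P, and P * Q_secq == O over F_N.
"""

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B = 7
# Standard secp256k1 generator (from the SEC 2 parameters).
G_SECP = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
          0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt, p):
    """True if pt = (x, y) satisfies y^2 = x^3 + 7 over F_p."""
    x, y = pt
    return (y * y - (x * x * x + B)) % p == 0


def add(p1, p2, p):
    """Affine point addition on y^2 = x^3 + 7 over F_p; None is the identity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # p2 == -p1 (also covers doubling a point with y == 0)
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k, pt, p):
    """Double-and-add scalar multiplication; k may exceed the group order."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt, p)
        pt = add(pt, pt, p)
        k >>= 1
    return acc


def sqrt_mod(a, p):
    """Tonelli-Shanks square root of a mod prime p, or None if a is a non-residue."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def find_point(p):
    """Smallest-x point on y^2 = x^3 + 7 over F_p (any point works: cofactor is 1)."""
    x = 1
    while True:
        y = sqrt_mod(x * x * x + B, p)
        if y is not None:
            return (x, y)
        x += 1


def cycle_checks():
    """Run the 2-cycle checks; the two '*_wrong_order' entries are expected False."""
    q_secq = find_point(N)
    return {
        "secp_gen_on_curve": on_curve(G_SECP, P),
        "secq_point_on_curve": on_curve(q_secq, N),
        "N_annihilates_secp": mul(N, G_SECP, P) is None,
        "P_annihilates_secq": mul(P, q_secq, N) is None,
        "secp_wrong_order": mul(P, G_SECP, P) is None,
        "secq_wrong_order": mul(N, q_secq, N) is None,
    }


if __name__ == "__main__":
    for name, ok in cycle_checks().items():
        print(f"{name}: {ok}")
```

The two "wrong order" rows are there as a control: multiplying a secp256k1 point by P (rather than N) does not give the identity, and likewise for secq256k1 and N, which is what distinguishes a genuine cycle from a pair of curves that merely share an equation. For ed25519 the analogous check would fail for a different reason: with cofactor 8 a random point is not guaranteed to have prime order, so there is no clean "base field of one = scalar field of the other" pairing to exploit, which is the complication waxwing's post refers to.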

Zcash points the way. ZK txns are the privacy endgame. Who’s thinking about how to do this on bitcoin L1?? We needed it yesterday.

I don’t get the fear. Bitcoin script is sandboxed in memory (520) and compute (5 sec). No OPs could possibly harm the network. So what’s wrong?