zeek rollups can enable full blockchain scalability and full blockchain privacy

The fundamental strength of the blockchain architecture is that it is an immutable public ledger. The fundamental flaw of the blockchain architecture is that it is an immutable public ledger.

This is a problem for privacy and fungibility, but what is really biting is scalability, the sheer size of the thing. Every full peer has to download every transaction that anyone ever did, evaluate that transaction for validity, and store it forever. And we are running hard into the physical limits of that. Every full peer on the blockchain has to know every transaction and every output of every transaction that ever there was.

As someone said when Satoshi first proposed what became bitcoin: “it does not seem to scale to the required size.”

And here we are now, fourteen years later, at rather close to that scaling limit. And for fourteen years, very smart people have been looking for a way to scale without limits.

And, at about the same time as we are hitting scalability limits, “public” is becoming a problem for fungibility. The fungibility crisis and the scalability crisis are hitting at about the same time. The fungibility crisis is hitting eth and is threatening bitcoin.

That the ledger is public enables the blood diamonds attack on crypto currency. Some transaction outputs could be deemed dirty, and rendered unspendable by centralized power, and eventually, to avoid being blocked, you have to make everything KYC, and then even though you are fully compliant, you are apt to get arbitrarily and capriciously blocked because the government, people in quasi government institutions, or random criminals on the revolving door between regulators and regulated decide they do not like you for some whimsical reason. I have from time to time lost small amounts of totally legitimate fiat money in this fashion, as international transactions become ever more difficult and dangerous, and recently lost an enormous amount of totally legitimate fiat money in this fashion.

Eth is highly centralized, and the full extent that it is centralized and in bed with the state is now being revealed, as tornado eth gets demonetized.

Some people in eth are resisting this attack. Some are not.

Bitcoiners have long accused eth of being a shitcoin, which accusation is obviously false. With the blood diamonds attack under way on eth, likely to become true. It is not a shitcoin, but I have long regarded it as likely to become one. Which expectation may well come true shortly.

A highly centralized crypto currency is closer to being an unregulated bank than a crypto currency. Shitcoins are fraudulent unregulated banks posing as crypto currencies. Eth may well be about to turn into a regulated bank. When bitcoiners accuse eth of being a shitcoin, the truth in their accusation is dangerous centralization, and dangerous closeness to the authorities.

The advantage of crypto currency is that as elite virtue collapses, the regulated banking system becomes ever more lawless, arbitrary, corrupt, and unpredictable. An immutable ledger ensures honest conduct. But if a central authority has too much power over the crypto currency, they get to retroactively decide what the ledger means. Centralization is a central point of failure, and in a world of ever more morally debased and degenerate elites, will fail. Maybe Eth is failing now. If not, will likely fail by and by.

Eth is full of enemies, but it is also the leading edge of blockchain scaling technology.

Zk-starks and zk-snarks

Zk-snark stands for “Zero-Knowledge Succinct Non-interactive Argument of Knowledge.”

A zk-stark is the same thing, except “Transparent”, meaning it does not have the “toxic waste problem”, a potential secret backdoor. Whenever you create zk-snark parameters, you create a backdoor, and how do third parties know that this backdoor has been forever erased?

zk-stark stands for Zero-Knowledge Scalable Transparent ARguments of Knowledge, where “scalable” means the same thing as “succinct”

Ok, what is this knowledge that a zk-stark is an argument of?

Bob can prove to Carol that he knows a set of boolean values that simultaneously satisfy certain boolean constraints.

This is zero knowledge because he proves this to Carol without revealing what those values are, and it is “succinct” or “scalable”, because he can prove knowledge of a truly enormous set of values that satisfy a truly enormous set of constraints, with a proof that remains roughly the same reasonably small size regardless of how enormous the set of values and constraints are, and Carol can check the proof in a reasonably short time, even if it takes Bob an enormous time to evaluate all those constraints over all those booleans.

Which means that Carol could potentially check the validity of the blockchain without having to wade through terabytes of other people’s data in which she has absolutely no interest.

Which means that peers on the blockchain would not have to download the entire blockchain, keep it all around, and evaluate from the beginning. They could just keep around the bits they cared about.

Unfortunately producing a zk-stark of such an enormous pile of data, with such an enormous pile of constraints, could never be done, because the blockchain grows faster than you can generate the zk-snark.

So, zk-rollups, zeek rollups.

zk-stark rollups, zeek rollups

Zk-stark rollups are a privacy technology and a scaling technology.

Fundamentally a ZK-stark proves to the verifier that the prover who generated the zk-stark knows a solution to an NP-complete problem. Unfortunately the proof is quite large, and the relationship between that problem, and anything that anyone cares about, extremely elaborate and indirect. The proof is large and costly to generate, even if not that costly to verify, not that costly to transmit, not that costly to store.

So you need a language that will generate such a relationship. And then you can prove, for example, that a hash is the hash of a valid transaction output, without revealing the value of that output, or the transaction inputs.

But if you have to have such a proof for every output, that is a mighty big pile of proofs, costly to evaluate, costly to store the vast pile of data. If you have a lot of zk-snarks, you have too many.

So, rollups.

Instead of proving that you know an enormous pile of data satisfying an enormous pile of constraints, you prove you know two zk-starks.

Each of which proves that someone else knows two more zk-starks. And the generation of all these zk-starks can be distributed over all the peers of the entire blockchain. At the bottom of this enormous pile of zk-starks is an enormous pile of transactions, with no one person or one computer knowing all of them, or even very many of them.

Instead of Bob proving to Carol that he knows every transaction that ever there was, and that they are all valid, Bob proves that for every transaction that ever there was, someone knew that that transaction was valid. Neither Carol nor Bob know who knew, or what was in that transaction.

You produce a proof that you verified a pile of proofs. You organize the information about which you want to prove stuff into a merkle tree, and the root of the merkle tree is associated with a proof that you verified the proofs of the direct children of that root vertex. And proof of each of the children of that root vertex proves that someone verified their children. And so forth all the way down to the bottom of the tree, the origin of the blockchain, proofs about proofs about proofs about proofs.

And then, to prove that a hash is a hash of a valid transaction output, you just produce the hash path linking that transaction to the root of the merkle tree. So with every new block, everyone has to just verify one proof once. All the child proofs get thrown away eventually.

Which means that peers do not have to keep every transaction and every output around forever. They just keep some recent roots of the blockchain around, plus the transactions and transaction outputs that they care about. So the blockchain can scale without limit.

ZK-stark rollups are a scaling technology plus a privacy technology. If you are not securing people’s privacy, you are keeping an enormous pile of data around that nobody cares about (except a hostile government), which means your scaling does not scale.

And, as we are seeing with Tornado, some people in Eth do not want that vast pile of data thrown away.

To optimize scaling to the max, you optimize privacy to the max. You want all data hidden as soon as possible as completely as possible, so that everyone on the blockchain is not drowning in other people’s data. The less anyone reveals, and the fewer the people they reveal it to, the better it scales, and the faster and cheaper the blockchain can do transactions, because you are pushing the generation of zk-starks down to the parties who are themselves directly doing the transaction. Optimizing for privacy is almost the same thing as optimizing for scalability.

State of the art

We are not there yet.

In principle we know how to create a zk-stark that can prove successful execution of an arbitrary Turing machine. In practice we do not.

In principle we know how to create a zk-stark that can prove verification of several other zk-starks. In practice we do not.

We have a vast multitude of zk-snark systems that can prove particular things, for example that the inputs to a transaction are equal to the outputs without revealing the transaction.

We need a Turing-complete zk-stark engine, one that can produce a proof that any algorithm was performed with the expected result, and do not yet have one. There are people that claim to have built them, but their source is closed.

correction added seventeenth of September


“Earlier this year, Polygon announced Plonky2, a zero-knowledge proving system that represents a major breakthrough for ZK tech. Plonky2 offers two main benefits: incredibly fast proofs and extremely efficient recursive proofs. It’s a huge leap forward for the ZK space, and we’ve been blown away by the response from the developer community: people want to build on Plonky2.

Today we’re proud to announce that Plonky2 and Starky are open source. They are now dual-licensed under the MIT license and Apache2.”

This is wonderful and unexpected news, but I am overwhelmed by real life events, and cannot take advantage of it until 2023.

As of today, all blockchains that do not use zk-rollups are obsolete, all blockchains that rely on everyone verifying everything are obsolete. We now have the solution to the enormous and ever growing blockchain, and the enormous amount of private information it makes dangerously public.

Someone said when Satoshi first proposed what became bitcoin: “it does not seem to scale to the required size.” And ever since then people have been struggling to solve that problem. Now we have a solution.

A closed source zk-stark system is not a zk-stark system, because when Carol applies her verifier to Bob’s argument of knowledge, how can she know what it is verifying?

Further, closed source cryptography seldom actually works. When hostile outsiders take a look at it, it usually falls over. They may think they have what they claim to have, but do not necessarily actually have it. They may think that their verifier is verifying the zk-stark produced by their prover, when it is actually verifying something far weaker.

We need a compiler that, given code for an arbitrary algorithm in a language for the virtual machine, produces a prover that executes the code in the virtual machine and also produces a zk-stark proving that the code was executed with the expected result, and the compiler also produces a verifier that verifies the zk-stark. And that compiler has to be open source, without magic secret unexplained codes in it.

A closed source blockchain is not a blockchain, but an unregulated bank, because those who have the closed source could do anything, and a closed source zk-stark system is not a zk-stark system, because not an argument of knowledge, but a mere claim of authority.

We now know in principle how to produce a fully scalable blockchain – but actually doing so is another thing altogether.

How a fully scalable blockchain running on zeek rollups would work

A blockchain is of course a chain of blocks, and at scale, each block would be far too immense for any one peer to store or process, let alone the entire chain.

Each block would be a Merkle patricia tree, or a Merkle tree of a number of Merkle patricia trees, because we want the block to be broad and flat, rather than deep and narrow, so that it can be produced in a massively parallel way, created in parallel by an immense number of peers. Each block would contain a proof that it was validly derived from the previous block, and that the previous block’s similar proof was verified. A chain is narrow and deep, but that does not matter, because the proofs are “scalable”. No one has to verify all the proofs from the beginning, they just have to verify the latest proofs.

Each peer would keep around the actual data and actual proofs that it cared about, and the chain of hashes linking the data it cared about to the Merkle root of the latest block.

All the immense amount of data in the immense blockchain that anyone cares about would exist somewhere, but it would not have to exist everywhere, and everyone would have a proof that the tiny part of the blockchain that they keep around is consistent with all the other tiny parts of the blockchain that everyone else is keeping around.
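The hash path described above (linking one transaction output to the Merkle root) and the peer that keeps only its own data plus that chain of hashes can be sketched as follows. This is an added example, not code from the post or from any project it mentions; SHA-256, the leaf/node prefix bytes, the promotion rule for an unpaired node, and the sample outputs are all assumptions, and the zk-stark attached to each root is not modelled.

```python
import hashlib

# Assumed domain-separation prefixes: a leaf hash can never be confused with
# the hash of an interior node, so an interior node cannot be passed off as
# a transaction output.
LEAF, NODE = b"\x00", b"\x01"


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(output: bytes) -> bytes:
    return _h(LEAF + output)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(NODE + left + right)


def build_levels(outputs):
    """Return every level of the tree, leaves first, root level last.

    An unpaired node at the end of a level is promoted unchanged rather than
    duplicated, so two different output lists never share a root.
    """
    if not outputs:
        raise ValueError("a block needs at least one output")
    levels = [[leaf_hash(o) for o in outputs]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels


def merkle_root(outputs) -> bytes:
    return build_levels(outputs)[-1][0]


def hash_path(outputs, index):
    """Hash path for outputs[index] as a list of (sibling_hash, sibling_is_left)."""
    if not 0 <= index < len(outputs):
        raise IndexError("no such output")
    path = []
    for level in build_levels(outputs)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):          # a promoted node has no sibling here
            path.append((level[sibling], sibling < index))
        index //= 2
    return path


def verify_path(output: bytes, path, root: bytes) -> bool:
    """What a peer holding only `root` does: recompute the root from one
    output and its hash path, without seeing any other output."""
    acc = leaf_hash(output)
    for sibling, sibling_is_left in path:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return acc == root


def sample_outputs(n):
    """Constructed sample data standing in for transaction outputs."""
    return [f"output-{i}:amount={i * 10}".encode() for i in range(n)]


def demo():
    outputs = sample_outputs(1000)        # known only to whoever built the block
    root = merkle_root(outputs)           # the 32 bytes every peer keeps
    path = hash_path(outputs, 0)          # what the owner of output 0 keeps
    return {
        "path_length": len(path),
        "bytes_kept": len(outputs[0]) + 32 * len(path) + len(root),
        "valid": verify_path(outputs[0], path, root),
        "tampered": verify_path(b"output-0:amount=999999", path, root),
    }


if __name__ == "__main__":
    print(demo())
```

For a block of 1000 outputs the owner of one output stores ten sibling hashes plus the root, and the check cost grows with the logarithm of the block size, not with the block size.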

103 Responses to “zeek rollups can enable full blockchain scalability and full blockchain privacy”

  1. ATouchOfHumoue says:

    So… blockchain proofs inside zk-stark proofs inside zeek rollup proofs… perhaps this Canadian Prime Minister was ahead of his time?


  2. Fidelis says:

    Am I seeing things or is this an open source stark VM prover


    • jim says:

      “WARNING: This project is in an alpha stage. It has not been audited and may contain bugs and security flaws. This implementation is NOT ready for production use.”

      Looking it over, I would call it pre-alpha – lots of necessary features not only not begun, but not mocked up nor clearly envisaged.

      But it is a start. Rust is a good language for a compiler for a stark vm compiler.

      But I find statements such as “Miden VM supports read-write random-access memory.” troubling. I don’t think that is even meaningful for a vm stark prover. If it means something, needs considerably more explanation. They may be trying to implement a design that cannot in fact ever work – which is a mighty common failure mode at the bleeding edge. You think there are bugs in your code, and there are actually bugs in your intention for what the code is supposed to accomplish and how it will accomplish it. I have done that before, and it cost me much.

      • Fidelis says:

        Plonky2 prover and verifier is open source as of a few weeks ago, it looks like.

        • jim says:


          “Earlier this year, Polygon announced Plonky2, a zero-knowledge proving system that represents a major breakthrough for ZK tech. Plonky2 offers two main benefits: incredibly fast proofs and extremely efficient recursive proofs. It’s a huge leap forward for the ZK space, and we’ve been blown away by the response from the developer community: people want to build on Plonky2.

          Today we’re proud to announce that Plonky2 and Starky are open source. They are now dual-licensed under the MIT license and Apache2.”

          This is wonderful and unexpected news, but I am overwhelmed by real life events, and cannot take advantage of it until 2023

  3. Rexy Sexy says:

    I returned to check up on my “prick” comment. It doesn’t appear.

    “and recently lost an enormous amount of totally legitimate fiat money in this fashion”

    Hundreds of thousands or millions?

    • jim says:

      Some of your comments are not worth anyone’s time. I similarly silently deleted your criticism of crypto currency.

  4. Pseudo-Chrysostom says:

    Kiev Occupation Government launching rockets at nuclear power plants in hopes a detectable fart of isotopes is kicked up in the air; of course they are assured the running dogs in GAE lugenpresse are all lined up ready to blame Russia for a ‘NEW CHERNOBYL!111!@!’ upon such an eventuality.

    The sheer level of clownworld one sometimes finds themselves faced with never fails to be staggering, even after all these years of time-loops.

    • Kunning Druegger says:

      The State Department is hellbent on a Nuclear New-Normal pervading the subconscious of its global citizenry. It sounds trite to type it out, but they really just want to extirpate whites, and they will use any and all tools to achieve that goal.

  5. Dr. Faust says:


    I keep seeing all of these stories from different media writing about the army of IRS agents being employed right now. At ZH they seem to think this army will be targeting low-income houses for audits. Apparently the number is somewhere around 87k new employees which seems like a huge number.

    Beyond the ostensible is this the army they’re preparing for a purge? Is this similar to how Canada shut down the trucker convoy by freezing assets of protesters? Will, when, and how will it be used to target thought crime?

    • The Cominator says:

      My opinion they will target the following groups in addition to perceived political opponents

      1) People with small businesses especially cash businesses (targets of extortion with a lot of money but also generally they have accountants and lawyers)

      2) Tipped and cash employees, waiters/waitresses, bartenders, hospitality workers, strippers etc. (not a ton of money except some strippers… and generally they don’t have lawyers or accountants)

      • Fidelis says:

        My expectation is they will start on the upper middle class and eventually find themselves investigating various political opponents of all stripes.

    • Neurotoxin says:

      It has nothing to do with audits. They’re hiring new people with the requirement that job applicants be licensed to carry firearms and willing to use “deadly force.”

      That is, to kill.

      After an online uproar the IRS eliminated that part of the job posting, but that just means they’re not talking about it any more. It doesn’t mean they’ve changed their plans.

      BTW none of this account is sourced from “right-wing” sources; I read the basics at faithfully leftist Newsweek.

  6. Johnny Guitar says:

    They’re making fun of you guys on Twitter, soyjack-style: https://twitter.com/AussaressesFan/status/1560016033091551232

    • jim says:

      All publicity is good publicity so long as they spell your name right. Soyjack is being given truth to speak – the implication being that truth is absurd.

      But truth is never absurd.

      He is complaining that chicks fuck Jeremy Meeks, and wish they could fuck General Buck Naked. Which everyone knows is the truth, and all good men are unhappy about and deeply disturbed by.

      • Rexy Sexy says:

        His post has 11 likes.

        • jim says:

          Some are smiling because they hear a truth they are not allowed to say, and some are, like yourself, robotically following a script that tells them they like to hear the truth ridiculed.

    • Kunning Druegger says:

      Look at that massive amount of people consuming well crafted memes lol. Guaranteed it’s some cuckservative shill who is angry that we saw through the Desantis Op, but is unable to play battletoads here with the big boys.

      • The Cominator says:

        Don’t argue that there is universal agreement on DeSantis here. I don’t think the left will let either Trump or DeSantis become president but i think if DeSantis was president he’d be more effective.

        • Kunning Druegger says:

          There is no consensus on Desantis the man, but can you agree that he, though he may be a good man and the right man at *some* juncture, could be lured into forwarding the outer-party agenda, that being the perpetuation of the status quo and the pursuit of a return to normalcy?

          I wrote it elsewhere, but in summary: if Desantis continues his good and necessary works in Florida, we can honestly consider him /ourguy/, and if he allows himself or his brand to be used to derail the Trump Train, he is at best a useful idiot of RINOs and at worst he is the messiah of the RINOS. VP Desantis is a wildcard, but I would be inclined to believe /ourguy/ in that case.

          • The Cominator says:

            Trump will be Epsteined before 2024… they are going to derail the train by murdering him.

            • Kunning Druegger says:

              Quite possibly, but that just supports my assertion that he should have gone loud with the Feds and forcibly defended Mar-A-Lago with his State Paramilitary.

              The circumstances are such that any conservative elite with power and men behind him (…or her *shudders*) that chooses to relent, submit, or not fight has fished in the Rubicon. I think the Cathedral is banking on the inability of extant conservatives to choose any path but Grasping The Nettle. It is never going to be “the right time” or “the perfect time” to go loud. Desantis, or any other in-power conservative elite, will have to take the plunge at some point.

              • The Cominator says:

                In my opinion that would not have saved Trump, it would have doomed DeSantis though.

    • yewotm8 says:

      It has been implied that I resemble a soyjak by a nobody on the internet. How will I ever recover?

    • Pax Imperialis says:

      He summarized Hollywood and the porn industry pretty good.

      Millions of women actively flock to be “FUCKED and GANGBANGED by drug dealers” only to traumatically find out they get Harvey Weinstein instead before being thrown to the curb.

      Many such cases. Much angst. Many left barren and with cats.

      How sad.

  7. Ryan says:

    On another topic, those of you wanting women to own should consider looking in the BDSM sphere. Most women are naturally submissive and happiest being owned by a strong man. In our sexually liberated modern world, this natural desire has found expression in the popular dynamic of Dominants and submissives who identify as such, aka D/s.

    Specifically, there are a good number of women looking for a 24/7 D/s relationship aka ‘Total Power Exchange’ or a Master/slave contract, meaning permanent and total ownership. They tend to be higher IQ and classy, and with luck you can find one with a low bodycount as they can have high standards.

    You will need to be pretty high status to attract a 24/7 sub/slave (aka the old definition of wife), and ideally you can financially support them so they don’t need to work, although both are common. If you want and can handle multiple wives, it isn’t uncommon for a Master to have multiple slaves, and this is probably the easiest and least illegal/heretical way to achieve it (outside islamic marriage).

    Extreme or degenerate sex acts are superfluous and girls looking for them should be avoided, but some bondage is good to reinforce a feeling of being owned, and spanking/paddling is a useful discipline tool. Don’t associate with a local BDSM ‘scene’ as degeneracy like wifeswapping is practiced. Secure the woman then remove bad ideas and influences.

    I didn’t use this route myself, but rather have pushed my existing wife towards joyful acceptance of my headship using both a religious/traditionalist moral frame and D/s tips and tricks. She wants me to shape her into the perfect woman, and accepts that I will discipline her as necessary to get there.

    Once she is yours, it should be easy to use her to perpetuate our neo-patriarchy, as well as giving you an easy and pleasurable life, although enforcing discipline and holding frame 24/7 is a challenge. Do check that she isn’t against having children before starting though.

    • Globalist Power Terminated II says:

      wtf did i just read.

    • Kunning Drueger says:

      You could do 5 more paragraphs of flowery prose that paints BDSM culture in the most positive light possible, and you could do this for 5 days in a row, and it would all come crashing down after 5 minutes of contact with actual VDSM people. Not only are the majority of the women ugly and dishonest, but the whole “community” is lousy with sodomites and empowered women. Both the dominance and the submission are acts, not actual. Infidelity and “experimentation” are the order of the day, and I am pretty sure BDSM is just a cover for unowned older women to have sex with sodomites. GIRDS crossover occured in the Boldly Depraved Sexually Moronic crowd, and so too will GroomerPoxx.

      There’s is one tool that converts women into GNON compliant spouses: motherhood. That’s it. Anything that is not conducive to this maturation process is at best irrelevant and more likely counterproductive. Nothing about BDSM is actually conducive to birth and children. If you want to truss your wife up and whip her ass before you do what God commands, by all means. But hanging out with a bunch of faggots and fatties (this is easily 80% of BDSM people) and roleplaying perverted traditional mating dynamics is fucking gay.

      • Ryan says:

        Childlessness leads to insanity, but I know plenty of mothers who are far from GNON compliant so it isn’t sufficient. Having a wife who is fully trusting, obedient and loves to serve you by taking care of the children and household as you decree is very much conducive to having a large healthy family.
        If your wife doesn’t accept and live your patriarchal authority, your children are unlikely to.

        A virgin from a good traditionalist family you meet in a non-pozzed church is your best bet of course, but they are rare, especially where the expectation in marriage is total submission. I’m just pointing out that there are a lot of girls out there actively looking to be owned. I agree that the ‘community’ should be avoided. Girls who are new to it and not too corrupted are a much better prospect for turning into a good wife than the average modern woman IMO.

        • Kunning Drueger says:

          Your OP sounded like a brochure, and now you seem like you’re back pedalling.

          >Girls who are new to it and not too corrupted are a much better prospect for turning into a good wife than the average modern woman IMO.
          >Bros, I can fix her

          GTFO of here with your stale shillory dillory newfag. You are literally advocating for dumpster diving the haunt of faggots and fatties. It is bad advice and bad tactics. I have never once fucked a woman that didn’t want to be restrained, didn’t enjoy me spanking them, pinioning them, or being “verbally abusive” by “demeaning them” as my sexual plaything. Every leftist woman is submissive in bed, because that’s the only place they feel able to be what they actually are, which is actual women.

          Prancing around in leather and masks while larping as some kind of sadistic dungeon master is hellagay, my dude.

          • Ryan says:

            Of course they like to be submissive in bed, but would they accept total obedience and ownership beyond that? I agree that leather, fetish stuff and sadism are gay. I’m just suggesting people consider the women who are already accepting and desiring being owned.

            Lots seem to want a very ‘normal’ man (idealised as a handsome successful man in a suit) whom they can dedicate themselves to. They want a patriarch, a civilized alpha who enforces rules and pre-emptively passes shit tests. Sadly this is illegal in the mainstream culture, but the demand is there and is being re-routed through the BDSM counterculture. It isn’t ideal, but may be ONE practical option in the present.

            • Kunning Druegger says:

              You seem to be arguing in good faith, so I will return the gesture without my usual insulting banter.

              First off, and most importantly, all females subconsciously cry out for alpha ownership. It is a genetic disposition. Some communities, cultures, ethnicities, and races have more access to natural law’s mating dance, or are allowed to indulge in aspects of it, or are isolated enough to participate in their version of it without intervention. In the Occident, the only possible way to get close to the Natural Law way is to be a negro in a slum, an Amish in an enclave, or some other secluded, isolated, or protected socio-economic arrangement in a confined area.

              For everyone else, contact with Natural Law mating dance is fictionalized, bastardized, mutilated, suppressed, or forbidden. Curiously, and disgustingly evilly, sodomites have pretty much free reign to pursue and devour children, acting on the male side of it to an unnatural and thoroughly disgusting end (just to be perfectly clear, so no one thinks I am in any way supportive of sodomites: every living one must pay for these sins, and none shall be spared in minecraft). BDSM is a honey pot intended to transmit sodomite plagues into the normal sexual by capturing women who are, as you say, seeking male ownership for whatever reason. If there’s is a positive story of some strong marriage that is generating many kids, many more grandkids, and a legion of great grandkids (a story like this: https://stormer-daily.rw/woman-who-has-11-children-and-56-grandchildren-welcomes-her-100th-great-grandchild/ ), please give us a link. Don’t waste too much time looking, as it doesn’t exist.

              BDSM is a dead end with disease, poor health, and defiled souls at the end. It is not an option for young man, and should not at all be considered one. It ruins women, turns men gay-positive, destroys marriages, and normalizes the inherent sadism of sodomy.

              There’s only one kind of BDSM we support here, m8:

              Bible based
              Discipline intended to
              Slap the stupid out of
              Malevolent hoes

              • Ryan says:

                I agree that the BDSM community is very pozzed, and that contaminates the healthy aspects of female household submission. From a Christian frame/tradition, there are ‘taken in hand’ marriages that give divine backup to the authority to the husband and include domestic discipline etc. That is probably the best route if you already have a Christian wife. I don’t know if there are lots of women looking for that type of relationship though.

            • jim says:

              BDSM, to be allowed, has to be gay. Safe words are gay. But it represents an unfilled demand for the normal sexual relationship between straight men and straight women.

            • jim says:

              > Of course they like to be submissive in bed, but would they accept total obedience and ownership beyond that?

              That, of course, is the shit test. Whores give you shit tests only General Buck Naked could pass. Being a gay parody of the mating dance, BDSM is full of whores. Try to give them what they are looking for, you will be hit with a shit test that you will need an AK-47 and a necklace of fresh human eyeballs to pass.

              • X says:

                How do you write a comment with a block quote like that? Is there a place we can learn how to format comments here?

                • jim says:

                  > How do you write a comment with a block quote like that? Is there a place we can learn how to format comments here?

                  Standard html formatting.

                  Like this:

                  <blockquote>&gt; How do you write a comment with a block quote like that? Is there a place we can learn how to format comments here?</blockquote>

                  Links like this: your comment

                  Links like this: <a href="https://blog.reaction.la/crypto/zeek-rollups-can-enable-full-blockchain-scalability-and-full-blockchain-privacy/#comment-2848791" rel="noopener" target="_blank">your comment</a>



                  <img src="https://blog.reaction.la/images/total_fertility_rate_england_and_wales.gif" />

                • X says:

                  Thanks! Testing:

                  > Standard html formatting.

                • X says:

                  Test 2:

                  Standard html formatting.

                • Globalist Power Terminated II says:

                  (testpoasting two…)

                • Kunning Druegger says:

                  This is a test

                  This is a test, this is a test, this is a test, This is a test, this is a test, this is a test, This is a test, this is a test, this is a test

                  This is a test

                  This is a test:

                  You are all free to mock me if I fucked it up royally 🙂

                • Kunning Druegger says:

                  Hmm, image didn’t work…

                  Here’s another: words on screen

                  And one more test:

                • jim says:

                  > Here’s another: <a href=”https://www.isegoria.net/2022/08/it-is-descended-from-bipedal-dinosaurs/” / rel=”nofollow ugc”> words on screen

                  Obvious error.

                • Anonymous says:

                  While I get that tags can be allowed on a case-by-case basis, I’m surprised that the blog allows users to inject HTML directly into the comment.

      • jim says:

        The BDSM culture is gay compliant, has to be to get social acceptance. It is straights pretending to be gays, sometimes, often, not pretending. It is thus severely degenerate, and full of degenerates. It is a manifestation of a hunger, that, for social acceptance, it promises to not fulfill.

    • Aidan says:

      Everyone in the BDSM scene is ugly, old, or broken. BDSM is entirely made up of people incapable of actually performing the mating dance of male dominance and female submission, so they LARP an exaggerated version of it, in the same way that fags larp a dynamic of masculinity and boyishness.

      • Ryan says:

        I did say you shouldn’t associate with the ‘scene’.
        But the concept has become mainstream with 50 Shades (however shit it is), and rather than letting naturally submissive women get sucked into the scene, which is degenerate as you say, we should claim them ourselves. More ‘normal’ and attractive women are getting interested.
        It might be a good option for older and more stable guys, versus being a bronze age conqueror chad like yourself.

        • Kunning Druegger says:

          I can get behind a campaign to paint BDSM as cucked and inferior to

          Bible thumping
          Dudes who
          Slap female butts during
          Mating for procreation


          Defenders of
          Sexual intercourse for


          “Bend over hoe, I
          Demand you
          Submit to

    • X says:

      > “I didn’t use this route myself …”

  8. Basil says:

    Japan’s occupation policy towards Korea and Taiwan was not actually different, but for some reason, Taiwan does not suffer from hatred towards the Japanese, unlike the Koreans. Why is the Korean elite spreading hatred towards Japan and why is the Taiwan elite not doing so?

    If you read some things, you may get the impression that immediately after the war, Korea was much more pro-Japanese. What can I say that even among the well-known kamikaze were not only the Japanese, but the Koreans, which in our time is perceived as incredible.

    • skippy says:

      Pre-KMT Taiwanese used Japanese against the “invader” much like how HK people fly British flags against the PRC today.

      While Korea was taken over by Americans/Soviets wholesale, decided to join third world decolonized state “good guys” “winners” rather than stick with evil old imperialist losers.

    • Pax Imperialis says:

      “Why is the Korean elite spreading hatred towards Japan and why is the Taiwan elite not doing so?”

      The Korean left are for several different reasons.

      Very different geopolitical realities between Taiwan and SK. Historical geopolitical norm for Korea is being trapped between Japan and China acting as the fulcrum of the balance of power. That’s a fairly uncomfortable position to be in especially when you can trust neither party. Suspicions and paranoia run abound. For Taiwan, Japan is fairly distant whereas China is a looming threat. They are going to have massively different priorities.

      S Korea is stuck in a cold civil war that never really ended both with the North and internally. Reunification isn’t going to happen on right wing/American/Japanese/SK terms because that would require regime change in the North meaning war. The leftist dream is thus to achieve reunification of the Korean people under NK terms via confederation. Obviously for that to happen they need to kick the America/Japanese out and purge the right. Anti US sentiment is generally held by the same people with Anti Japanese sentiment as both are seen as being in the way of reunification under NK terms.

      Historical grievances against the Pro US faction. The SK military governments did multiple purges of the suspected communists. The military governments were tightly aligned with the US/Japanese alliance for security reasons. Thus enemy of my enemy mentality takes over among the left. Blood runs thick in Korea.

      Historical grievances against the Japanese. Korea had far more overt anti Japanese activity during the occupation than Taiwan did. Those memories don’t go away anytime soon. The right was interested in burying the past to get Japanese support against the communists.


      So what does American State Department do? They stab the Korean right wing in the back and then wonder why there is anti American sentiment. They support the communists and then wonder why SK government aids NK to bypass the sanctions. They fly LGBT flags in Seoul and denounce conservative groups as fascists and then when all the right wing elites are purged wonder why South Korean elites are so anti Japanese.

  9. h says:

    Bravo for a succinct and accessible summary of the state of ZK research. This could be understood by someone with a very passing familiarity with blockchains and smart contracts, which excuses any minor inaccuracies.

    The emphases in your conclusion feel slightly misplaced; perhaps a matter of taste, but also potentially misleading as to (i) where the next big developments in crypto are coming from, or (ii) what the next contests between competing approaches will be.

    The first Turing-complete instruction set for generating ZK proofs was CAIRO, from Starkware. Currently the CAIRO toolchain and the verifier are open source, prover closed source. The risk of closed-source ZK verification is very real, but this is understood to be a provisional business maneuver rather than inability to withstand scrutiny. Starkware needs to set up a network to capture the value before they release source under Polaris license: https://starkware.co/starkware-polaris-prover-license/ – lotta people worked on the code, business is business. The reason to be confident that Starkware will do this isn’t faith in the good character of Starkware, but the large number of projects working on Turing-complete ZK verification microarchitectures coming down the pike. They all say they will open source their provers, so Starkware will have to to stay in business. There are also existing zkEVM implementations (EVM so Turing-complete but not STARKs), some are already open source, creates same business pressure. So reasonable to conclude Starkware is not joking about permissionless provers. (NB, Starkware has discussed the mathematics they implement extensively, it is the basis for all other ZK research, personally I’d be more worried about backdoors than bad crypto.)

    The design challenge facing zkSTARKs, and likely driver of competition between rival ZK, is more likely to be performance. Think: next year if not sooner all this tech will be in production, traditional finance will still be using boomer traditional brokers and exchanges, why? Speed, cost. That is the challenge. Additionally further features like true privacy (à la Tornado or Z-Cash) have known solutions at additional computational overhead, so better performance will allow ZKRUs to acquire many additional features as deployed contracts.

    Another possible area for competition between rival visions of ZK is what is called “data availability”. This property is a necessary condition for ZKRUs. You do not mention it, but are likely familiar with it. ZK proofs refer to compressed summaries of state, but proofs concerning these compressed arguments get you surprisingly little if you don’t have a way to determine whether all the uncompressed data is available, independently of the prover asserting that it is. There is a mathematical method to do this; there are also k of n trust procedures that assume once a certain number of people have seen the data (that is, they say they have seen the data) that is “good enough”. From the tenor of your post, I suspect like me you would prefer the former solution, but many intelligent people believe (in good faith!) that good enough is good enough, and it is quite likely this difference will drive competition between different ZK architectures, because there are real costs to (trustless) proofs of DA.

    In terms of the desirability of Ethereum as the settlement layer for ZKRUs, four observations.

    (1) The consensus of the Ethereum blockchain is not centralized. Provision of tokenized stablecoins is highly centralized. On any permissionless blockchain that supports smart contracts, people can offer custodial tokens pegged to the dollar, others can choose those stablecoins as a unit of account, and the parties managing the peg will become subject in varying degrees to government pressure. Any successful and reliable L1 would attract pegs, and therefore government pressure, therefore an incentive to fork chain in order to honor a stablecoin peg on government-subservient fork, and crash it to zero on the other.

    (2) Ethereum has both consensus design features and maturity/scale needed to deter that type of greed-fork (which would give e.g. stablecoin issuers veto power). Exigencies of development make all new alt-L1s more, not less, centralized and custodial than 2022 Eth. So if we do need a better answer to centralization risk at the L1 level, I would eyeball time to (test the better solution + reach maturity) at 4-12 years.

    (3) Experiments would be fun to see, but the main feature that would make a rival L1 competitive to Eth L1 (IMHO) would be end-to-end privacy: comparable to what Z-Cash permits, but mandatory. Even a trustless setup, however, would entail the opacity risks you highlight.

    (4) Ethereum has a rigorous approach to data availability. Few alternative L1s even recognize DA as a problem they should aim to solve. A small, new network might also have difficulty as a vehicle for rigorous mathematical DA because this is an additional level of security on top of robust consensus, and it would be burdensome to implement a solution prior to large-scale adoption.

    I think it would be very fun to see fractal rollup architecture with ZK scaling anchored in data availability sampling, different governance and consensus, and mandatory fully shielded state transitions. However even with all this, I suspect the real problem is stablecoins. Until you figure out what stable fully collateralized unit of account people can do business in without provoking the 21st c Inquisition, any successful settlement layer is at risk of a hard fork to “the same chain, but castrated to save USDC”.

    • jim says:

      > Additionally further features like true privacy (à la Tornado or Z-Cash) have known solutions at additional computational overhead.

      Not so.

      True privacy is that you push the generation of zeeks (zero knowledge succinct proofs of knowledge) down to the people doing the transaction, and roll up those zeeks into substantially fewer zeeks before the knowledge that they even exist spreads very far through the network.

      That Tornado and Z-cash have undesirable overheads is because they do not, and cannot, rollup zeeks into zeeks, so you get a great big pile of proofs of knowledge, which, when combined with transaction metadata from other sources, reveals much. And that the zeeks are not rolled up, and everyone gets to see them, creates threats to privacy from outside the threat model that Tornado and Z-cash address. Plus the sheer size of the pile results in everyone imposing costs on everyone.

      More privacy, better scaling and lower costs. More scaling and lower costs, better privacy. zeek rollups, zk-starks proving verification of zk-snarks, is a vastly more effective technology for privacy than zk-snarks in themselves.

      The big hole in privacy currencies is that the transaction metadata goes over ssl, which zk-snarks do nothing to solve.

      With unlimited scaling, and people only keeping the part of the blockchain that they care about, and what they keep invisible to everyone else, we can put everything on the blockchain, including the transaction metadata.

    • Fidelis says:

      To endlessly repeat myself:

      It would require some complex engineering but monero is your best bet for a settlement L1, far better than ethereum. Very mature, very good privacy, very robust node system. RandomX and p2pool are works of art in and of themselves, the huge anonymity set on L1 another bonus.

      Use txdata to push proofs and state roots onto monero chain, have some second less trusted more complex layer use these to secure consensus and actually operate the proving system. Likely going to be nested to allow asynchronicity and horizontal scaling.

      • Fidelis says:

        Stablecoins can be pegged via an exchange rate system with an oracle service, like RAI/DAI. Reminds me a lot of how governments would set fiat/bullion exchange rates. Securing the oracle is very hard, but not untenable. Gives you a stable unit of account where the only attachment to the outside world is the information flow of the exchange rate.

        Then the problem becomes a total war on crypto, total illegalization of uncontrolled chains, which could be messy at first even if I believe the final outcome is determined.

    • jim says:

      > Starkware needs to set up a network to capture the value before they release source under Polaris license:

      The Polaris license forbids the use of their source to create a system for transferring value by anyone other than them. If someone sets up a shop selling rubber duckies, and accepts a crypto currency that uses their source, violation of the license.

      On the other hand, if they release source, someone can reverse engineer their algorithms and know whether it does what it is supposed to be doing, so in this sense, genuinely open source, and someone else can reverse engineer and release genuinely open source that uses the same ideas and equivalent algorithms, done his way.

    • jim says:

      Data availability is the opposite of the point and purpose of what I am idiosyncratically calling zeeks (zk-starks, zk-snarks, and zk-snarks and zk-snarks that can do rollups, proofs of verification of proofs of verification)

      The point of data availability is that everyone has all the information needed to verify that the new block was validly derived from the old. Which is apt to be far too much information (privacy and fungibility problem, scaling problem, every peer imposing ever growing costs on every other peer)

      The point of zeeks is to prove that the new block was validly derived from the old, without any one peer knowing or caring much about what has changed, except for those changes that the person or people running that peer have a direct financial interest in.

      The point of data availability is also to make sure that the government can run you in for not paying taxes, doing international transactions without complying with a mysterious, unknown, and ever growing pile of regulations, or buying stuff or selling stuff from Russians, or anyone else on their shit list.

      Data availability is what we want to get rid of.

      • Eugine Nier says:

        How would zk-rollup solve double spend?

        Solving double spend requires proving a negative, namely that I haven’t spent this coin in any of the rolled up zeeks. Hard to do if I don’t even know what those zeeks are.

        • jim says:

          You roll up the zeeks, not the spent and unspent transaction outputs.

          But the fact that you have a rolled up zeek proving the validity of all those zeeks, which prove the validity of all those transactions, means though the peers as a whole have to keep all those transactions around, no one peer has to keep all the transactions around. Just the ones that that peer cares about.

          Because each transaction output has to be in a particular place, a particular branch, in a Merkle-patricia tree of outputs, if you have that branch, you can prove no double spend.

          There are several ways of proving no-double spend with rolled up zeeks. The one that corresponds most closely to the way Bitcoin does it is that you have a Merkle-patricia tree of hashes of transaction outputs that were valid at a certain block, and the most recent block before the new block that the peers are forming has a Merkle-patricia tree of hashes of commitments of valid unspent transaction outputs to particular transactions, all commitments up to and including that block, those previous commitments rendering those transaction outputs no longer valid for new commitments for new transactions in subsequent blocks. That is a potentially enormous Merkle-patricia tree, a potentially enormous sequence of potentially enormous Merkle-patricia trees, but it is distributed over all the peers. It is public and widely shared, but does not reveal the contents of transactions, or the contents of transaction outputs, only their hashes. And though it proves that a spent transaction output was committed to a particular transaction, one particular transaction, it does not publicly reveal which transaction – the public cannot see which transaction outputs were all spent to one particular transaction, but the man that spent them knows, and can prove that all the inputs to his transaction were publicly committed, and thus committed only once.

          It has a zeek for every vertex and leaf of the tree, but if you have the root zeek, which proves the validity of all those zeeks, you don’t care about all those other zeeks. The lower vertex zeeks are not widely shared and are not public. You widely share zeeks proving the existence and validity of the zeeks you care about, which prove the existence and validity of zeeks narrowly shared, which prove the existence and validity of zeeks only known to the parties to the transaction, which prove the existence and validity of zeeks only known to one party to the transaction.

          You keep around the branches for your transaction outputs, so when you want to commit a transaction output to a new transaction in a new block, you can prove it has not already been committed in any previous block, because you have that branch of the enormous, public, and widely shared Merkle-patricia tree.

          The tree is not rolled up, but it is distributed, and constructed by massive parallelism over all the peers. When the tree is small, each of the peers will have, and participate in forming, all of it. It is a public Merkle-patricia tree, nothing secret about it, composed of public hashes of secret information, which reveal nothing about the secret information except that it existed somewhere and was known by someone, and is valid. As it grows larger, each separate peer will only have and know some of it. As it grows larger still, each peer will only have, and only participate in forming, a tiny part of it.

          So when you spend, you commit the old transaction outputs, the inputs to your new transaction, in the new block. And then you can prove that your new transaction outputs are valid for blocks following the new block, because they have not yet appeared in the Merkle-patricia tree of committed transaction outputs, but the inputs to the transaction that created them did appear, once and only once, in the Merkle-patricia tree of committed transaction outputs. You prove they were in that tree, and that they were committed to this particular transaction, but you do not reveal what they were, or what the transaction was, or what other outputs it has – you prove that this particular output comes from a valid transaction, and you separately prove that for each of the other outputs.

          And in fact you do not even know all the outputs from your new transaction:

          Carol wants to be paid by Bob for something, and Bob wants something from Carol, for which he will pay. (They have to directly communicate, transactions are formed bilaterally between the parties, not unilaterally by one party as in most existing crypto currencies.) They agree to a transaction which will have an output known to Carol, and a change output known to Bob. Bob does not know the key, public or private, of Carol’s output, meaning he does not know where in the Merkle-patricia tree it is going to appear, and similarly, Carol does not know the key of Bob’s change output. After the new block has been formed, Bob proves to Carol that he has committed certain outputs to this transaction, but not the keys of those outputs, not where in the Merkle-patricia tree of spent outputs they were committed. Bob and Carol now each have partial information about a valid transaction, and between the two of them they have, and can prove, the transaction valid, and all its inputs committed once and only once, committed to this transaction, and thus can prove that the outputs from this transaction that each of them knows about are valid for all blocks subsequent to the block that they just participated, with all the other peers, in forming.

          So when Carol spends the output from the transaction that Bob supplied the inputs to, Bob does not know that she spent it. But he can prove that the party that promised certain services has, or at least had, a transaction output worth that money.
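
Added example, not part of the comment thread or of any project discussed in it: a minimal Python sketch of the double-spend check jim describes above, using a fixed-depth sparse Merkle tree as a stand-in for the Merkle-patricia tree. The key derivation, the blinded transaction commitment, and all names and sample values are assumptions made for illustration; the zeek (proof) layer is not modelled, and a real peer would hold only its own branches rather than the whole tree.

```python
import hashlib

DEPTH = 256  # one tree level per bit of a SHA-256 output key


def H(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 so that part boundaries cannot be confused."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


EMPTY_LEAF = H(b"empty")
# DEFAULTS[h] is the hash of an entirely empty subtree of height h.
DEFAULTS = [EMPTY_LEAF]
for _ in range(DEPTH):
    DEFAULTS.append(H(b"node", DEFAULTS[-1], DEFAULTS[-1]))


class CommitmentTree:
    """Public tree of committed (spent) outputs; stores hashes only."""

    def __init__(self):
        self.nodes = {}  # (height, index) -> hash; a missing entry is empty

    def _get(self, height, index):
        return self.nodes.get((height, index), DEFAULTS[height])

    @property
    def root(self):
        return self._get(DEPTH, 0)

    def branch(self, key: bytes):
        """Sibling hashes from leaf to root: the 'branch' an owner keeps."""
        idx = int.from_bytes(key, "big")
        return [self._get(h, (idx >> h) ^ 1) for h in range(DEPTH)]

    def commit(self, key: bytes, tx_commitment: bytes):
        """Commit an output to exactly one transaction; refuse a second one."""
        idx = int.from_bytes(key, "big")
        if (0, idx) in self.nodes:
            raise ValueError("output already committed: double spend")
        node = H(b"leaf", tx_commitment)
        self.nodes[(0, idx)] = node
        for h in range(DEPTH):
            sib = self._get(h, (idx >> h) ^ 1)
            left, right = (node, sib) if (idx >> h) & 1 == 0 else (sib, node)
            node = H(b"node", left, right)
            self.nodes[(h + 1, idx >> (h + 1))] = node


def root_from_branch(key: bytes, leaf_hash: bytes, siblings) -> bytes:
    """Recompute the root from one leaf and its branch, without the tree."""
    idx = int.from_bytes(key, "big")
    node = leaf_hash
    for h, sib in enumerate(siblings):
        left, right = (node, sib) if (idx >> h) & 1 == 0 else (sib, node)
        node = H(b"node", left, right)
    return node


def proves_unspent(root, key, siblings) -> bool:
    """Non-membership: the output's slot is still empty under this root."""
    return len(siblings) == DEPTH and root_from_branch(key, EMPTY_LEAF, siblings) == root


def proves_committed_to(root, key, tx_commitment, siblings) -> bool:
    """Membership: the slot holds a commitment to this one transaction."""
    leaf = H(b"leaf", tx_commitment)
    return len(siblings) == DEPTH and root_from_branch(key, leaf, siblings) == root


def demo():
    """Constructed sample data: one unrelated commit, then Bob's spend."""
    tree = CommitmentTree()
    tree.commit(H(b"output", b"someone-else"), H(b"commit", b"tx-other", b"nonce-0"))

    bob_key = H(b"output", b"bob-output-secret")  # public slot, secret preimage
    root_before, branch_before = tree.root, tree.branch(bob_key)

    # Blinded commitment: the public sees a hash, not which transaction it is.
    tx_commit = H(b"commit", b"tx-bob-to-carol", b"nonce-1")
    tree.commit(bob_key, tx_commit)
    root_after, branch_after = tree.root, tree.branch(bob_key)

    try:
        tree.commit(bob_key, H(b"commit", b"tx-second-spend", b"nonce-2"))
        rejected = False
    except ValueError:
        rejected = True

    return {
        "unspent_before": proves_unspent(root_before, bob_key, branch_before),
        "committed_after": proves_committed_to(root_after, bob_key, tx_commit, branch_after),
        "unspent_after": proves_unspent(root_after, bob_key, branch_after),
        "wrong_tx_accepted": proves_committed_to(
            root_after, bob_key, H(b"commit", b"tx-forged", b"nonce-1"), branch_after),
        "stale_branch_accepted": proves_unspent(root_after, bob_key, branch_before),
        "branch_unchanged": branch_before == branch_after,
        "double_spend_rejected": rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same branch serves both proofs here only because nobody else committed between the two roots; an owner's stored siblings have to be refreshed whenever a neighbouring part of the tree changes.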

  10. Fidelis says:

    How are you going to determine these merkle paths? How is this hierarchical compilation of proofs actually executed on real machines in a way that you can determine a minimal level of consensus? How does one enter into the system de novo? Is losing your merkle path going to be equivalent to losing your private key, how do you propose a less technical user manage their participation?

    What about cross-ledger transactions (this is how they are selling these data collection layers for extant zk rollup players, “well you need to be able to prove your balance to transfer back to mainchain or a different rollup you see”). Would you be able to do atomic swaps with these compiled zk constructions? Do you envision this system as a ‘digital money only’ scheme?

    I personally envision the future of these things being incredibly heterogenous with a few relay chain endpoints. So your public ledger youtube replacement and your big zk rollup payment network both push state roots to the same blocks produced and checked by some very simple but very secure set of validators. This way you can make deals between the video chain and the payment chain without one or the other forking away from the agreed upon state, and gain the benefits of specialized execution, state transition, etc.

    • jim says:

      The proposal that these guys are selling is a zero knowledge layer resting on the Ether layer 1.

      But if it is a real zero knowledge blockchain, open source resting on an open source zk-stark or zk-snark engine, or some combination of the two (polygon seems to be describing a zk-snark vm running inside a zk-stark vm) Ether is not going to like that. Ether will demand a closed source, closed entry system, an unregulated bank (regulated by the Ether layer one crowd, themselves regulated by the state)

      The technology, if open sourced, obsoletes the old layer one, because it accomplishes the same thing, scalably.

      • Fidelis says:

        > The proposal that these guys are selling is a zero knowledge layer resting on the Ether layer 1.

        Yeah but I am not buying. Eth is shit, the core team moves slow as fuck, and the ecosystem is soylent.

        However, the framework itself makes sense. You want a general purpose zkvm and prover running on something very much like an L1. You need a clever scheme to shard the set of proof validators to create this tree, but the final merkle roots are going to be on an L1.

        You also need eventually some way of making these validator nodes lightweight, capable of running on a laptop if need be. They need to have asynchronous finality, or something like it, that splinternet does not kill it. You also need to somehow shield the identity of this validator set to prevent coercion.

        I keep coming back to a heterogeneous system of relay chains running on randomx and a staking mechanism, with many different sets of docked chains pushing state roots to these relays. Probably nested. So you have some layer 1 chain, I personally would like to see something like monero as this L1 due to stable PoW with p2pool and anonymous transactions and nodes, and then you have a PoS-PoW zk system that pushes threshold signed state roots to the L1 as a finality that aggregates st/nark proofs. Hopefully many heterogeneous systems like this, some nested within each other, some public ledgers for things like ML weight sets, new social media, etc. With the L1 coordinating state roots you can prevent these systems forking away from each other, so atomic swaps and other forms of message passing become possible.

  11. Kunning Druegger says:

    Rapid fire questions:

    -Does “someone” need to keep the whole thing, as in the whole pile of proofs of proofs, “somewhere,” due to a need to audit or for diagnostics/bug hunting/etc?- Answered in last paragraph.

    This problem, from a very simplistic point of view, is reminiscent of a dictionary attack to crack a password, but the dictionary is the whole of Maths and the password is less of a code and more of an optimization method. Could not the problem be solved by taking the time to program the parameters/necessities and let machine learning generate methods for generating zk-rollups? Wouldn’t this add another layer of defense, as the ML process is [purported to be] somewhat of a blackbox process?

    If I copy/pasted this whole essay to a “conventional” online space where they discuss blockchain technology, what do you think their reactions might be? I realize that 80% of all online response is at best tangential and most often irrelevant, but I wonder if anyone else is working on the problem, is able to even see the problem, or if the expansion of political positioning necessity has made actual technical discussion impossible…

    Is there anything the less technologically inclined can do to help, or must we sit back and wait for the biggest brains to do their thing?

    • h says:

      > If I copy/pasted this whole essay to a “conventional” online space where they discuss blockchain technology, what do you think their reactions might be?

      They would think the objections to Eth “centralization” are hyperbolic and exaggerated, would nitpick details, and would probably pick a (misguided but understandable?) semantic quarrel over the use of “privacy” to refer to data retention instead of transaction opacity. If they really wanted to be uncharitable, they might impute a real misunderstanding of how STARKs work. (I think Jim knows they do shield transactions like Tornado Cash and Z-Cash; but a preference for idiosyncratic definitions creates misunderstandings.)

      But basically it’s pretty decent. There are a few other points I’ll make as a top-level comment.

      • jim says:

        > they do shield transactions like Tornado Cash and Z-Cash;

        That shielding is what I referred to as the problem of keeping a great big pile of Zk-snarks around.

        The mere existence of that pile leaks information, the shielding reveals that someone is shielding something, and if you put that information together with other information, that the system necessarily leaks because transaction metadata goes over SSL, you can figure out who is shielding what and why.

        And they are even bigger than the underlying transactions, and harder to compute, so worsen the scaling problem.

        To genuinely solve the scaling and privacy problem, the big pile has to be rolled up into a single zk-snark.

        Z-Cash does not protect your privacy. It protects against its threat model, but the enemy is not constrained to use your threat model.

        Tornado cash, used correctly, does protect your privacy, but is non trivial to use correctly. Wasabi is not all that easy to use correctly either. For scaling and privacy, need fully decentralized rollups, zk-starks that prove the verification of zk-starks, zk-starks that get rolled up as fast as possible, rather than being propagated far and wide.

        And no one who knows how to do rollups, if anyone does know, is revealing how they do it.

        • Mike in Boston says:

          > Z-Cash does not protect your privacy. It protects against its threat model, but the enemy is not constrained to use your threat model

          I have more invested in Z-Cash than I should, so I would be really grateful if you could expand on why that is the case.

          • jim says:

            Zcash, because it uses zk-snarks and cannot roll them up, makes zk-snarks optional. When you use that option, the metadata about the fact that you are using that option goes over ssl, painting a big target on everything connected to that transaction. It conceals the information it conceals, and advertises the fact that you are concealing it.

            The cryptographic phrase for this problem is “small privacy set”.

  12. Basil says:

    Labor migrants went to the record

    In the second quarter of 2022, a record number of labor migrants entered Russia, according to a review by the consulting company FinExpertiza, based on migration statistics from the Ministry of Internal Affairs. In April-June of this year, their number reached 3.12 million people, which exceeds the figures for the same period over the past six years.

    • jim says:

      The interesting question is: What is in fact happening with the Russian economy?

      The effect of the sanctions has been to impose national capitalism on Russia from outside.

      It is hard to tell, even for Russians, how national capitalism is working out in practice. In America, people voting with their feet, the great decentralization to the former rust belt, showed that Trump’s national capitalism worked really well.

      How are people voting with their feet in Russia?

      • Basil says:

        If we are talking about internal migration, people vote for big cities, primarily Moscow and St. Petersburg. You can also say about the gradual shrinking of the population to the south. Krasnodar is one of the fastest growing in Russia. The village was actually killed by the Soviet collectivization, until now, people living in the countryside are called “kolkhoznik”, which is a low status (much worse than “farmer” in the USA or Australia)

        If we are talking about external migration, then I doubt that the massive arrival of Pakistanis in Britain somehow refutes the thesis that Britain is in a state of decline, and also this influx of Pakistanis determines the state of the economy in the future.

        Russia obviously faced an outflow of specialists (brains) and capital. If we are not talking about the luminous cases of Pavel Durov, who received the citizenship of the Emirates, or Abramovich, who bought the citizenship of Portugal, or the soybean opposition in Georgia, I mainly heard about the migration of students to the Czech Republic and the middle class remote work in Turkey. Although Western propaganda exaggerates the significance of this outflow, and the Western nomenclature, by virtue of its madness, creates barriers to this. You can get great guys for yourself by bleeding the opponent along the way, while fighting racism and discrimination along the way (if your political environment requires such rhetoric) Damn, this is so annoying.

        • jim says:

          > Russia obviously faced an outflow of specialists (brains) and capital

          It did indeed.

          The imposition of national capitalism from outside, however, creates opportunities for brains and capital in Russia.

          Is this having an impact? I recall in the US how Trump’s national capitalism reversed the great centralization. I am hearing anecdotes of Russian businessmen who were formerly appendages of foreign businesses stepping into the vacated shoes.

    • Basil says:

      – Russia is in 15th place in the world since the end (out of 236) in terms of the increase in total mortality – 38%, or 675 thousand superdeaths.
      – According to the total death of the population, Russia is in the sad first place in the world – minus 740 thousand people.
      – In terms of absolute control growth, Russia ranks second in the world after the United States. We have a lot of congregations coming to us.
      – In terms of fertility per woman, Russia ranks 193rd in the world (1.49 children in total) and even 30th in Europe (out of 48 countries).
      – In terms of deaths under 40, Russia ranks 158th in the world and last in Europe.
      – By death under 60, Russia is in 179th place in the world. The last one in Europe.
      – In terms of deaths between the ages of 15 and 60, Russia is in 191st place in the world, and among men – in 212th. Above us, even the poor of Burundi, Djibouti, Angola, DR Congo (formerly Zaire), Liberia, Mali, Ghana, Gabon.
      – According to the total mortality rate, Russia is in 230th place in the world, or in 6th place from the bottom.

      In general, demographic Russia looks like a gathering society already almost in the stage of catastrophes – especially in the field of mortality. An old, sick, dying society. Expanding empires are not built in such societies; on the contrary, demographically, such societies “shrink” in order to save their remnants.

  13. TheDividualist says:

    *Blinks*. Maybe the man who invented Urbit would be able to solve this…

    • Kunning Druegger says:

      Why do you think so? The Manhattan Project wouldn’t have cured cancer just because they systematized the accretion of fissile material.

  14. Aidan says:

    I admit that I don’t understand the mathematical elements of cryptography, but could an existing open-source language be repurposed to act as the compiler that produces and verifies the zk-stark, saving you a lot of effort?

    • Fidelis says:

      The issue is these zk things are not computers, not CPUs, they are circuits. Programming languages, roughly, compile to CPU instruction sets. People are building these virtual CPUs made of zk circuits, so that you can have a specialized programming language that compiles to a zkCPU/zk virtual machine target.

      • Kunning Druegger says:

        Is the VM a necessary part of this, like the actual circuits are not possible IRL, or is it cost/time saving because you “simulate” the circuits instead of actually fabricating them?

        I want to say real quick, though I hope the discussion doesn’t end any time soon, I really appreciate you, Jim, and the other actual boffins taking the time to explain stuff and answer questions. I will not be offended if I ask a dumb question (as in, irrelevant and distant from reality) and you just say so. This stuff is fascinating but very, very murky for me.

        • Fidelis says:

          When you are running a program you have state and operations on that state, such as adding, subtracting, swapping, etc. Circuits define operations, but if you have no way to update state during execution you have a very complex and narrow use case circuit. The zkVM has a way of keeping state as you execute a program, it emulates a real CPU architecture in a way that programs can be compiled to the instruction set.

          That’s why a circuit alone is not enough, need a set of circuits and a way to buffer state during execution. To understand zk proofs though, you have to understand that what we are doing is making a proof, which is basically a sort of verifiable string of bytes, that a given input and circuit were faithfully executed. To make this proof the numbers actually being calculated are not the raw bit values, not the same numbers that if it were a regular program would be represented on the physical CPU you have. They’re projected into some prime field. So yes it is a sort of simulation in a mathematical space that allows the creation of a proof that you did everything faithfully.

          • Kunning Druegger says:

            “Buffering state” is the technical term for “remembering what has happened/been input before the current moment” right?

            Are circuits “logic gates,” or more precisely, a series of intentionally arrayed logic gates that have some kind of computational (mathematical sense) capability, in this discussion? Are they static, as in they are constructed a certain way to perform the same thing repeatedly, or are they dynamic and can perform different things depending on instruction or some other variable?

            > it emulates a real CPU architecture in a way that programs can be compiled to the instruction set.

            So, the VM is acting as a kind of “rearview mirror” or forecast of what the actual machine has done and/or what it is going to do?

            That is very vague and brief, and the page for defining “field” is massive and, from the reference material, quite old. Are Prime Fields “newer” math, or just something that is hard to define simply for the uninitiated?

            This will quickly devolve into Computers 101, because I have a storyteller’s command of the subject, which is lots of disconnected bits of info and no real understanding.

            Don’t waste too much time on my questions bro, I’m just really fascinated with the whole subject, but at the level of my son watching me clean guns or build a chicken coop; the tools and noises and process is immensely interesting and entertaining, but I am not really getting any of it, not in a way that I could constructively contribute. I am an information vampire, and I will keep asking questions until you instruct me to stop, JSYK.

            • Fidelis says:

              At this level of detail you should just read the papers and docs


            • jim says:

              > So, the VM is acting as a kind of “rearview mirror” or forecast of what the actual machine has done and/or what it is going to do?

              In practice, you cheat by “non deterministic computation” (solving the problem by conventional methods in a conventional language), and then you have the prover have the vm execute a program that proves that magically guessed computation is correct, and the prover that executes the vm program generates a relatively short proof that it executed this possibly very large program.

              The vm language does not actually execute anything, but rather is a collection of assertions about a very large pile of immutable values, which very large pile of immutable values you generated outside the vm in some conventional language, any conventional language. For this to be expressed as an amount of code small enough to be intelligible, these assertions have to have loops and recursion.

              Cairo is defined as if it is a procedural language, but it is not, is more analogous to Haskell. (Albeit Haskell is really a procedural language, due to monads, that relies heavily on functional language.) While Haskell is a procedural language heavily disguised as a purely functional language, Cairo is a purely functional language heavily disguised as a procedural language. Whether this is a good idea will be discovered when we have competing open sourced languages for zk-stark engines.

              The Cairo engine is closed source. Until and unless it is open source, and its cryptography has been examined by unsympathetic eyes, it is not something that can create a crypto currency that anyone should trust.
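
The split described in the comments above (compute the answer conventionally, then assert over a fixed pile of values in a prime field), as an added example that is not part of the thread and not code from Cairo or any zk project. It only checks constraints and generates no proof; the modulus, the integer square root task and all function names are assumptions chosen for illustration.

```python
import math

P = 2**61 - 1  # assumed prime modulus for this sketch (a Mersenne prime)

def bits_of(v, width):
    """Little-endian bit decomposition, computed outside the 'circuit'."""
    return [(v >> i) & 1 for i in range(width)]

def make_witness(n):
    """Prover side: ordinary computation in a conventional language.
    Public input n is assumed to be below 2**32."""
    r = math.isqrt(n)   # the 'magically guessed' answer
    d = n - r * r       # slack showing r*r <= n
    e = 2 * r - d       # slack showing n < (r+1)**2
    return {"r": r, "d": d, "e": e,
            "r_bits": bits_of(r, 16),
            "d_bits": bits_of(d, 17),
            "e_bits": bits_of(e, 17)}

def range_ok(value, bits):
    """Assert value is the number spelled by bits, each bit being 0 or 1.
    The loop stands in for one repeated constraint per bit."""
    acc = 0
    for i, b in enumerate(bits):
        if (b * (b - 1)) % P != 0:   # booleanity constraint
            return False
        acc = (acc + b * pow(2, i, P)) % P
    return acc == value % P

def check_constraints(n, w):
    """Circuit side: nothing is computed, only asserted, all arithmetic mod P.
    The range checks stop a forged witness from using field wraparound."""
    r, d, e = w["r"] % P, w["d"] % P, w["e"] % P
    return (len(w["r_bits"]) == 16
            and len(w["d_bits"]) == 17
            and len(w["e_bits"]) == 17
            and range_ok(r, w["r_bits"])
            and range_ok(d, w["d_bits"])
            and range_ok(e, w["e_bits"])
            and (r * r + d) % P == n % P
            and (d + e) % P == (2 * r) % P)

if __name__ == "__main__":
    w = make_witness(1000)
    print(w["r"], check_constraints(1000, w))
```

A real zk-stark engine would commit to the witness values and produce a short proof that every one of these assertions holds, so the verifier never sees or re-checks the witness itself.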

    • jim says:

      Not really, the underlying virtual machine is too different.

      And the DSL is going to be a language for operating on Merkle trees and Merkle patricia trees, so it is likely to have a great deal in common with SQL. But is not going to be SQL.

  15. Mister Grumpus says:

    I’m very glad that you’ve made such a discovery, and come to such a definitive conclusion about it, that you felt like posting about it here in this way. I am encouraged by this progress, even from out here, this far away on the IQ curve.

    What hunches do you have as to what the key elements might be for such a snark-o-matic engine? A new language? Involving what? A new hardware Lisp machine or something?

    Like for example, Elon’s hunch was that his Starship needed to be made of stainless steel. Not because stainless is inherently awesome, but because it was cheap and could be welded, and thus would probably crucially allow fast enough iteration to get to the end before going broke.

    What hunches, like that, do you have for the snark-o-matic?

    • alf says:

      Same. The idea sounds obvious enough right — you don’t need the whole ledger, just the relevant parts. But to know that there is, in theory at least, a path from here to there, that’s pretty cool.

      • The Count of Montecristo says:

        Curious to hear anyone’s take on uqbar.network, which is built on a zk-rollup of Nock, (or Zock) built on Urbit VM. Especially Jim’s take given his expertise.

        • jim says:

          Uqbar plans to do all these really great things, and if it did them, it would be wonderful. Those things need to be done, we now know how to do them, and no one is doing them yet.

          But the initial rollout has not happened yet, and when it does happen it will not at first do these really great things, but will be a permissioned system operating in an environment controlled by our enemies, which is exactly why permissioned systems are bad, they offer a point of enemy attack. They intend to transition to not being a permissioned system, by doing all these really great things, but they have not yet done them, and will be issuing their token before they have done them.

          Which is rather similar to what I plan to do, hard to avoid, you make promises and hope that people will buy your token before you make good on the promises, which is on the surface indistinguishable from what ten thousand shitcoin scammers are doing, but at least I do not plan a permissioned system, nor to do it in an environment controlled by enemies. My initial release will not do all the great cool things I plan, but at least it will not be doing the very bad things that the initial release of Uqbar will be doing.

          That said, good to see people selling plans to do what now can be done and needs doing. I like their plans, but if those plans are sincere, they need a lot more paranoid hostility for those plans to succeed. Even if their intentions are honest, and their intentions probably are honest, our enemies are likely to turn it into yet another shitcoin scam, of so many shitcoin scams.

          • The Count of Montecristo says:

            By “a permissioned system operating in an environment controlled by our enemies”, are you referring to their initial planned dependence on ethereum? Are you still hoping to deploy your solution in 2023?

            • jim says:

              It is going to be, at least at first, a permissioned system operating under the ethereum umbrella, but ethereum is unlikely to be friendly to actually accomplishing the objectives.

              And a permissioned system is the opposite of the objectives. You need to start out in the direction of your destination, but the fact is, starting out in that direction would be difficult under ethereum. Well, if starting out in the direction of your destination is likely to be difficult, actually reaching the destination is likely to be a good deal more difficult. Ethereum rules favor centralization of power. And if your objective is decentralization, well, it is not impossible, but is apt to be complicated.

              I claim that Ethereum is a politically hostile environment for this sort of project. Other people disagree, and have no end of excellent arguments that I am wrong. But that they are starting out with a permissioned system does not fill me with confidence.

  16. someDude says:

    > > As someone said when Satoshi first proposed what became bitcoin: “it does not seem to scale to the required size.”

    I wonder who this someone is. Legend has it that this someone is now operating the last standing citadel of resistance against the Hordes of Sauron. Other contending claims are that he has gone underground, to outer space, that he is actually an AI that has become sentient, that he is actually several people and so on and so forth.

    I’ve tried very hard to locate this someone and after a long gruelling search, concluded that you don’t find him. He finds you.

    Still, during the dark long tropical nights, I can’t help wondering about this someone

    • Kunning Druegger says:

      In every epic fiction, the protagonist sets off to find some truth, or power, or person, that is desperately needed by him for some personal reason. When he finds it, the path he has taken has changed him to the point that he realizes it is more important to defend the truth/power/person than to obtain/use it for his own purposes. This does not mean his original intentions were petty or incorrect, it’s just that undertaking an epic journey always expands the consciousness and perspective of the journeyer. In this way, the protagonist becomes the very thing some other young adventurer will someday seek. This is what traps the guru on the mountaintop: the knowledge that one day, he will look into the face of a stranger and see himself.

    • Globalist Power Terminated II says:

      Satoshi and his tight-knit band of battle-hardened veterans are probably working on the next Big Thing (TM) from one of many hideouts in the Himalayas…

    • Neurotoxin says:

      Who is John Galt?

    • someDude says:

      Hahahahahaha! I think we all know who this someone is and each of us is avoiding mentioning him by name. But the way you guys responded, it makes me wonder whether we are on the same page. You guys really deserve an Oscar if an Oscar exists for laconic wordsmiths.
