From: Peter Todd <pete@petertodd.org>
To: waxwing/ AdamISZ <ekaggata@gmail.com>
Cc: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] A safe way to remove objectionable content from the blockchain
Date: Sun, 30 Nov 2025 14:39:13 +0000 [thread overview]
Message-ID: <aSxXEZzEAlfxLYlY@petertodd.org> (raw)
In-Reply-To: <f5cf7fb8-61ce-437b-b26b-241d47b3fcb5n@googlegroups.com>
[-- Attachment #1: Type: text/plain, Size: 3592 bytes --]
On Sat, Nov 29, 2025 at 05:54:13AM -0800, waxwing/ AdamISZ wrote:
> Hi Peter, list,
>
> Interesting!
>
> One thought that springs to mind: attempts to ameliorate IBD with ZKP
> should not forget one thing: what we actually want here is succinctness,
> and not so much ZK. Think SNARK instead of ZkSNARK.
> Which is important; without the requirement for an actual ZK property for
> the protocol, you can have it have attached witness that is not secret.
The Zero-Knowledge part is important to the goal in this specific use-case:
trying to prevent all arbitrary data publication.
> Then a counter-thought strikes, that any version of these protocols that
> requires more data/bandwidth probably loses out to versions that have less
> data/bandwidth. Hmm.
Ecash has even less data/bandwidth than Bitcoin. Yet people choose not to use
weaker security assumptions in favor of stronger security assumptions.
> I do think, long term that ZKP over history is correct, and that (see
> typical rollup design) data carrying in state can do the job that you are
> (correctly) insisting, must be done.
> (And the corollary: "harmful data on the blockchain" is a wrong mental
> model and should be abandoned, irrespective of architecture.)
It's quite possible that ZKP's are, in the context of decentralized
blockchains, an exploit that will prove to be impossible to patch. Similar to
how merge mining is an economic exploit that may well be impossible to patch.
Sometimes seemingly good ideas are ultimately killed by clever exploits.
> Aside from your *main* concept here, I think the idea that HTLCs require
> *proof* of publication is wrong. What they require is publication. A
> wronged channel party needs to read the preimage, not have proof that it
> can be read.
That is not correct. If Alice offers a HTLC to Bob, Alice needs proof that in
the event of a redemption, Bob is forced to publish the preimage in such a way
that Alice can recover it.
The *proof* aspect of this is critical to the security model. It's not enough
that Bob merely promise to give the preimage to Alice: redemption must be
atomic with publication.
> Take as contrast the opentimestamps model, where having proof
> that something was published, is the main functionality offered/required.
Nope. OpenTimestamps does not use proof of publication at all. OpenTimestamps
is a commitment operation: proof that if A was changed, B would have to change
too. The vast majority of OTS timestamps are for private data that is never
published in any way. OTS simply shows that data *existed*.
> I
> suppose there is another way to say it: the channel counterparty needs
> "proof of future publication" in contract setup. That's fair enough but
> it's a very different thing than getting a proof that something *was*
> published.
It is not a meaningfully different thing. An HTLC is proof that in the event of
an uncooperative redemption, publication will happen. Slightly changing the
time it takes is irrelevant to the general concept.
Concretely: unless you can propose a technical innovation that somehow turns
this pedantic nuance into a meaningfully different implementation, so what?
--
https://petertodd.org 'peter'[:-1]@petertodd.org
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/aSxXEZzEAlfxLYlY%40petertodd.org.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2025-12-01 8:37 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-20 1:57 Lazy Fair
2025-11-20 18:45 ` Greg Maxwell
2025-11-23 6:37 ` Saint Wenhao
2025-11-20 21:21 ` Ethan Heilman
2025-11-29 9:25 ` Peter Todd
2025-11-29 13:54 ` waxwing/ AdamISZ
2025-11-29 15:41 ` Erik Aronesty
2025-11-29 15:56 ` waxwing/ AdamISZ
2025-11-29 17:03 ` Erik Aronesty
2025-11-29 18:15 ` Greg Maxwell
2025-11-29 18:52 ` waxwing/ AdamISZ
2025-11-30 14:39 ` Peter Todd [this message]
2025-12-02 12:33 ` waxwing/ AdamISZ
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aSxXEZzEAlfxLYlY@petertodd.org \
--to=pete@petertodd.org \
--cc=bitcoindev@googlegroups.com \
--cc=ekaggata@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox