Hi list, With the ongoing discussions on defining a basic format for the data-carrying annex accompanying P2TR spends comes the question why it would be useful for. One usage explored in this post is to be used as an authenticated data payload emplacement and nonce marker as a component of accountable computing contracts being leveraged for AI agents supervision [0]. ## Robinson Crusoe and the AI agent Let's start with an exposition of the problem in isolation. A random hacker, called Robinson Crusoe, has failed on a desert island and he has to reinvent all the basic tools of modern life for his survival. The hacker avails a single item on his desert island, a random AI agent application running on a crank handle powered thinkpad. The random AI agent, let's call it Alice, has access to the whole world information. Our Robinson Crusoe would like to ask questions to the random AI agent, e.g "what is the easiest way to kickstart a warming fire at nights ?" or "what is the best method for desalineating seawater?". Robinson does not have an idea of what the _correct_ AI answer looks like, and a _wrong_ answer might be a source of harm, e.g getting sicks of drinking badly desalineated water. Formally, Robinson and Alice are playing a game, where the question cost is measured by the scarce sun energy to power Alice and Robinson has time-bounded constraints to get correct information or "knowledge" to the practical survival problems Robinson is facing. There is a non-null cost in turning the crank to submit prompts to Alice and ideally, Rob would like to only turn the crank to power Alice only if Alice is able to provide a _correct_ answer to the submitted prompts. There might be a halting problem where Alice is not even able to provide a _correct_ answer limited by the model performance. Robinson and Alice are stuck in a noteworthy information asymmetry, such as asymmetry being measurable from Robinson's subjective viewpoint on an energy scale. ## The principal-agent relationship and the "fronting" user-agent problem In the discipline of economics, the problem of principal-agent relations is a well-studied issue [1]. Basically, any large social organization can know incentives problems due to the structural dissociation between the organization managers and the beneficiaries of the organization results e.g the shareholders. There is a concern in the incentives problems for the agents operating in the best interest of the principals, e.g that they are maximizing the benefice yielded by their managements of the social organization. Translated in the world of AI agents, human users are "fronting" tokens for a solution of which the correctness is uncertain bearing the sole risks of an AI agent token cost processing. In a more ideal setup, human users would only pay an AI agent cost *if the solution is correct*, the AI agent bearing the cost of imprecise solutions, or even more the AI agent being put in an open competition between them to "mine" a solution. Accessory to the "fronting cost" of acquiring verified computations from a crowd of AI agents, a group of principals would like to acquire the verified computation with the minimal sharing of confidential information. E.g the AI agent execution might be influenced by the "knowledge" of the user raw information. In the following sections, we conjecture a simple protocol bringing a solution to this AI agent "fronting" cost problem leveraging the bitcoin blockchain and its scripting mechanism, and minimize AI structured outputs being a market of "lemons". ## The list of cryptographic and bitcoin primitives The taproot annex. With the introduction of the taproot output type an unspecified consensus field embedded as the last of the witness element and starting by the marker 0x50. It can be present or absent in the witness, however this information is committed in the transaction digest. The class of construction known as accountable computing contracts [2]. While there are multiple ways to do it, basically an ACC it's a payment that can only be executed if the receiving party verifiably run a specified function on a specified set of inputs. A functional homomorphic encryption cryptosystem. A FHE is a a kind of cryptosystem allowing to perform functions on the encrypted data without first having to decrypt it. A zero-knowlewdge cryptosystem. A zero-knowledge cryptosystem is a protocol in which one party can prove to another party that some random statement in a defined language is true, without conveying any additional information beyond the mere fact of the statement truth [3]. A contract orchestrer or watchtower system, to provide complete ample data payloads or timeout the ACC after a defined duration. ## A Simple Accountable Computing Contract for Single Task Supervision Let's describe a simple accountable computing contract to supervise a single AI agent task. Our Robinson Crusoe, back to the modern civilization from the desert island has joined a cryptographers club of red wine hobbyists. Our cryptographers clubs would like to make a global search of all the existent red wine appellations in the world (napa valley, cote-rotie, brunello, bodega monteviejo, etc, etc). Navigating the multitude of red wine good bottles is a not trivial problem and our cryptographers club would like a bottle satisfying the palates of everyone for their annual global meeting, *without* exploding the club's budget, and with *availability* for everyone of the solution, if there is one existent. Let's call this information on the best red wine the random string or solution S. Let's call the bitcoin denominated reward for the solution S the reward R. Let's call the input data for the problem, the data D. In our present example, the data D can be a superset of each cryptographer participants's allergy to a grape variety. Each cryptographer would like to keep her or his allergy private, from the other cryptographers. Let's call the verification constraints for the solution S the constraints C. In our present example, the constraints can be the wine's year, the geographical origin, the price, the unctuosity, the acidity, the level of sugar, etc, etc [4] Let's call the script locking the reward R under the constraint C, the lock L. Let's call the time by when a valid random string S must be submitted T. The characteristics of the AI agent are not defined. Neither the model, the weights, the training code, the intermediate checkpoints, the pipeline or whatever. The AI agent is simply denoted by A, a complete black box [5]. Running a simple accountable computing contract for a single AI agent task supervision can be described as publishing a data D, with a reward R locked under a lock L that can be unlocked by a string S respecting the constraints C before the expiration of a time T. We now describe at the high-level how this can be theoretically achieved by using the bitcoin blockchain in a trust-minimized fashion. The init transaction is composed of an input contributing a collateral value from each cryptographers and a signature committing to a data-carrying annex embedding the data D. The sum of the collateral value is the reward R. The output of the init transaction is a simple accountable computing lock e.g do you know a zero-knowledge proof H(X) = Y where H is fixed point encoding the constraints C for the solution S before time T. It can be translated in bitcoin script with OP_SHA256 OP_EQUALVERIFY OP_CHECKLOCKTIMEVERIFY etc. The output should also have a OP_CHECKSIG with a prefixed key and SIGHASH_NONE signature. A lead annex can be used to encode a meta-protocol to give "open" instructions to the AI agent based on the problems to be solved. Either fitting the whole problem formal description as a data payload "what's weather in stockholm tmrw" or a more complete description e.g LOAD . Once the init transaction is confirmed, the problem is solvable by any lively AI agent scanning the bitcoin blockchain and earnmarking flagged P2TR utxo annexes to "mine" for solutions. When such annex is found, the agent reaches Robinson's contract orchestrer, download the full problem description and attempts to solve it. The AI agent computation is considered as a "black box". When a solution is found which can be evaluated by the agent by running H(X) = Y, a zero-knowledge proof can be generated by his local prover. This zero-knowledge proof can be committed in the claim transaction witness and this transaction submitted for inclusion to the chain. To avoid replay of the solution by a third-party and stealing the bounty, the zero-knowledge proof should be randomized with a nonce and the claim scriptpubkey solving the fixed challenge. The claim transaction is also encoding in its annex the ciphered solution under the aggregated cryptographers public key, and the validity of the ciphered solution. By using the aggregated cryptographers key, they can learn the structured output of the open problem submitted to the anonymous crowd of agents. E.g that the best wine to go to drink for their cryptographers meeting is a sonoma valley 2015. In theory, this simple flow can be tweaked, extended, improved on any class of problems solvable by a chain-encodable proof. Beyond, a single ACC could be decomposed in multiple ones, e.g when the described problem doesn't fit the AI agent token context window's size, or decomposed horizontally to buy cycles from hardware accelerators. ## The Open Design Questions There are 2 open design questions, a cryptoeconomic one and a cryptographic one. The crypto economic one, there is an uncertainty on the generation cost of the constraints for the user group wishing to have a verifiable computation done by an AI agent. For the contract to be economically interesting for them, the expression cost should be strictly inferior to the resolution one. The cryptographic one, an ACC for an open set of AI agents, is ultimately a conjectural "open-ended" contract built from an anyone-can-spend. Replay and feerates races by AI agents can be a real concern, so the pre-fixed signature of the claim transaction should commit to the witness solution and an algebraic relationship found between the zero-knowledge and the signature nonce-committed-in-the-annex. While a solution through multiple rounds of bitvm is plausible, it's less elegant. ## An Open Market of Verifiable and Confidential Computations The Bitcoin blockchain is a global system for electronic transactions without relying on trust. This system is globally accessible to anyone in the world availing an internet connection and a basic full-node software implementing the consensus rules and inter-compatible with the rest of the peer-to-peer network. The transaction's spending mechanism has been vetted with a programmable locking mechanism. While this scripting mechanism has been originally design to emulate real-world contracts, e.g bonded contracts or third-party arbitrations, using it as a mechanism to supervise AI agents has not been well studied, from the best knowledge of this author post [6] On one hand, energy sources, AI models and private data sets are unevenly distributed over the world. On the other hand, crowd of users who might be interested in crowd-buying computations that are randomly dispersed around the world. Leveraging the bitcoin blockchain and its scripting mechanisms offers a unique global system to enable a AI agents-powered market for verifiable and confidential computations, while minimizing information asymmetries, among all the players. Bitcoin, tools for the people. Cheers, Antoine OTS hash: 42e9891e32471101b13cf8829b6bf24f1d0ad866b1c30b40f48812a128052d4b PS: Thanks to some smart kids for conversations about this subject. [0] For more intuitions behind this post, the author can refer to the book "Cybernetics: Or Control and Communication in the Animal and the Machine", Norbert Wiener, 1948. [1] "Agency Problems and the Theory of Firms", Eugene Fama, 1980. [2] "Accountable Computing Contracts", Bitcoin Optech. [3] "The knowledge complexity of interactive proof systems", Shafi Goldwasser, Silvio Micali and Charles Rackoff, 1989. [4] This can be dubbed "The Red Wine Cryptographers Problem". It is not scientifically demonstrated that a cryptographer dinner without good wine is worth it. [5] The author of this post confess he doesn't have Yann Le Cun, Yoshua Bengio or Geoffrey Hinton's levels of mastery in the discipline of machine learning. [6] "Transactions and Scripts: DUP HASH160...", Satoshi Nakamoto, June 17 2010 -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CALZpt%2BGGORG3bgM0C3sQYVNbc1W7aFyb0qP_c2xbZ8f64S_ksQ%40mail.gmail.com.