From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Thu, 18 Jun 2026 23:47:59 -0700 Received: from mail-oa1-f55.google.com ([209.85.160.55]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1waT1C-0007yv-4f for bitcoindev@gnusha.org; Thu, 18 Jun 2026 23:47:59 -0700 Received: by mail-oa1-f55.google.com with SMTP id 586e51a60fabf-43d1691d2f2sf5082638fac.0 for ; Thu, 18 Jun 2026 23:47:57 -0700 (PDT) ARC-Seal: i=3; a=rsa-sha256; t=1781851671; cv=pass; d=google.com; s=arc-20240605; b=jiUWAxIBjQqPOBHhybcAFNU9lcHEHQOZpoMzZsrUnyN60ranBivdq44V6uGsQtNRWF Kp7bgfyn9JjRkDDOQFi7oRf1WaKALaUcj/HQElrOYvr7NeuC5szYa5DRj+vdZUGMiNBe y4LPgFXwtRPZxeekTHLasNzYfy+dq1GeLKM4drEsYdOI5WKmfM5FO5xnLJPgBS9kCH6N W9h/s+0tGt1r/BhvKMY8/MSUi0L3C/9N4MSLifAjObw/sZ7On4Yo84nrN4o3iU7q+Ifc 7iwfQ/C85XL8h54HEWFO1m4aQiVTJHM5j+uiBC8qgcsZOR1dM4GSNBlSWRH1dsP7dVHK FD5g== ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:cc:to:subject:message-id:date:from :mime-version:sender:dkim-signature:dkim-signature; bh=KouV20MwKGiWMfW3nrruf/TmMUH7Himd93MJ+l+s1Gc=; fh=iM/7GwGRFvYmd2BCqUjfsFa7DUBMDH9nESxXzmKudxo=; b=ahv0DwM1NLrHbVHo3KZycK0bDLIDy4Onoyi0enWhf8ymocdWD7E1lPQh5azPXCKsvQ XsfS34f5MsRafyoprZMXGHrMYk+uYn1c82Fskfzx/N0wI6I9VF6wu/Ep/RVK5KIMPuah kM7ocvO08hrZPSMotCuFxxOD52aVLXvyIERRgFmQ7lgloKyLioubwmLgz+qo4xUNxMCd sz3ARKF0s7x5bE7DWov8QD0lM/bGjHeVW0a0G8NN2yvtpC8iPXDvux4MMZoyidm0ggQW +dVBw9iZzFaCq3DSG1THVED//Ba6BlEw/TyuAzWWwd7IyxdHNVgDvCqm+vHvpN7uSzan m0rg==; darn=gnusha.org ARC-Authentication-Results: i=3; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20251104 header.b=GR6aWeRK; arc=pass (i=1); spf=pass (google.com: domain of antoine.riard@gmail.com designates 2607:f8b0:4864:20::1235 as permitted sender) smtp.mailfrom=antoine.riard@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20251104; t=1781851671; x=1782456471; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:mime-version :sender:from:to:cc:subject:date:message-id:reply-to; bh=KouV20MwKGiWMfW3nrruf/TmMUH7Himd93MJ+l+s1Gc=; b=xMSdweMcDANLkKVPZ/78JdEY6IwJT0o3RxqsyVRNqd0ae92rH+73kixooLnyu4CZ8D 5cXj4jRAPSuQ/qR/A7DsOVSy6NuGTtDUjZJu725IiSe7X5WSRLqLW3ATPcGOcRyvgEFi 2RUz61JFS2z8qVYDd9Z7KLLbtXawQEX/eUGOOoV5I769ZN8+tlYGsvL1gr0Ej2txXW2F fiTXm3wRhnwSXRlKrb6koIPa51BD31slapF882Qeh49CUwrf6pwrW7pU/1dihBuq+l3k tTWszmdBQIB8hgf3LiEnPeG7J6EY+nT6SvSIieu35cCD+mMrhB2lQ+R/DBgMxpI7NBNS V6Vg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1781851671; x=1782456471; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=KouV20MwKGiWMfW3nrruf/TmMUH7Himd93MJ+l+s1Gc=; b=fXZwMHaMCvtmRpk6xSC4x/ivEBTit2otWQdN6NjheZqox/NoyLH5wuGnGaUqcocTjZ k0DkiW05tlqzRx6TOIY6G8gH57DqHPSCvSUy5PkkmMvLNW+9CV7voDcRX+c1oXMcHA7u dlJEf4mL7U8Aogkk3lUJGhbL8qlSMJ6LVcuHafgjt8kuIz7YHWl9GudebAlC4mIN4hoj wbdG/mEfIS1QU9hC0Pn+5cykwXm39pA+Hlk0MWE7OLCaQMJZO10zKKG40tqkdd0ILqbI q6/9gD4uE2auDHsDb1I03ktsJu+64VWs/VsYFO+27SNoqh3TCFGjfRBEZ7bZegKtbjYL l5eQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1781851671; x=1782456471; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:mime-version :x-gm-gg:x-beenthere:x-gm-message-state:sender:from:to:cc:subject :date:message-id:reply-to; bh=KouV20MwKGiWMfW3nrruf/TmMUH7Himd93MJ+l+s1Gc=; b=seyhTpT1ITQ3AKrPLndCkVNOrlePDH9aT4CiKpCAiZMbB2QWI6bw01MgmfJku6dg5q IVTk5EdIo0bpLvF9P4WlPQGLwFVFzpRsXxu64pGJv+Qm3vU1pHAAbw9B+9ojvWv4iOID NYsHzEeyriEHXdEBg8h9hhM7BcPj8qxm8Z46lJHPYA+Z6k3AfY7e3dXD7/LAT2sZQRz9 1WxXFKPMahV/SAPQYEJxYkcbi44bkTBDaYKBGHFy3KbtmTnF1P+wvj9hmf6C98tCInbe sgfMPR7L1ZgslfPX1IdVnKBPzz10Gz/xnOP22rnHhodYaAma96ii08y6jg8+vAfh5BSz Xp9g== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=3; AFNElJ+Ubhnkc15qe1AmkbIkTNVYH10stx1X931nt9ami9epe+fOntzaVPnhQZT1eIABMB/SBp+tiUq20IPB@gnusha.org X-Gm-Message-State: AOJu0YwCEdmo6P39l8Q1He6c5+MsQbLwoeiMt6vxiJM3KGHn/IYjOxIE j8g73h/8JEP3uS4NTJb0pbawMMLl2QIUZ8DjG5UwsG+jEldYAX0W0Azn X-Received: by 2002:a05:6871:708:b0:440:8cf3:33b5 with SMTP id 586e51a60fabf-4470a6fe305mr1413060fac.3.1781851671242; Thu, 18 Jun 2026 23:47:51 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com; h="AX0PUUcwkVhyOPwebtAkOtjhHUxZHKHGTn1hDCbLvB9uo+/4cw==" Received: by 2002:a05:6871:9c1a:b0:43d:33ef:23cb with SMTP id 586e51a60fabf-44634c666dals1056364fac.2.-pod-prod-00-us-canary; Thu, 18 Jun 2026 23:47:45 -0700 (PDT) X-Received: by 2002:a05:6808:2444:b0:467:d71:7f1a with SMTP id 5614622812f47-4896c8a3f7cmr1394485b6e.21.1781851665719; Thu, 18 Jun 2026 23:47:45 -0700 (PDT) Received: by 2002:a05:6809:8a:20b0:486:3611:b101 with SMTP id 5614622812f47-4896a561838msb6e; Thu, 18 Jun 2026 22:04:40 -0700 (PDT) X-Received: by 2002:a05:7022:c85:b0:128:d396:f2ea with SMTP id a92af1059eb24-139a30731e9mr794881c88.11.1781845479424; Thu, 18 Jun 2026 22:04:39 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1781845479; cv=pass; d=google.com; s=arc-20240605; b=LzPIrYuNf1J77HxVM4+hvBgz75p9Lpg0nL4iZAxX30VGvhK5Fgz8DfYNiin/kMzrxQ 0X1cYMLjtQ1hxnPjyuw+iOfT8bsHImoo/fNRw6ofPF50YviWkLjGlfpCke9GrUSVhX3z 3F9IVtq9EUOUlz/pf6Z2UkLreXODY40VgtAUicM+PnT4cFzggAGAgU2zw0Ubii6K2YWd L/0MbhDmxCckqqNaWDyrRsGQJM5EvmRnVU28X/vjTUpSzTF4rzlutxqMWeCJebiLcXwB HcNore1LewHnFiD8Zt5cXz6xkOisBCRza3nnkJ3Bd1c1M9TfZokod4bb33mC9TZmPmRy 2fcg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:mime-version:dkim-signature; bh=k6Vs6LKbOMjn9nMXECxwUoID+Hgv4Dr1C+3cAfy/oJA=; fh=rkm3bHbFkkqaOCEhDYIrUdh+uNF0aEpt1sjHeEyiFh0=; b=jeZFsBP11sWmb1RHVLu6z33utMG3GufayI6S9v5H+y/Id1Wz8R1b069EZHlfMs2sXO teS6tZuYGu280pBECXyNZOGvdPsPuz/JKJOcJDOkg9iC9qiDGueiXToT0pVS1k1vNSeg EDZfXS1h+WnaZBiZAhRkUrUukq8OYoYQAn1pvE/jWmdr58n3zIFRHetf3hPpPs+zuYkM SruYLuUjUPPLhUcbWT1JM6EGldX6039fz5E4Cl6z9PCdBNIlM2/wp8ne25/X2qA5D8BV MPg0qIxs8YaP8MEDET2XoKXIAuBM7HG9Jo8TBfZTYf+nB0+cBSeO1QJHc2qF7vr4WP+z dwsA==; dara=google.com ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20251104 header.b=GR6aWeRK; arc=pass (i=1); spf=pass (google.com: domain of antoine.riard@gmail.com designates 2607:f8b0:4864:20::1235 as permitted sender) smtp.mailfrom=antoine.riard@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Received: from mail-dl1-x1235.google.com (mail-dl1-x1235.google.com. [2607:f8b0:4864:20::1235]) by gmr-mx.google.com with ESMTPS id a92af1059eb24-139a3677bc1si48401c88.7.2026.06.18.22.04.39 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 18 Jun 2026 22:04:39 -0700 (PDT) Received-SPF: pass (google.com: domain of antoine.riard@gmail.com designates 2607:f8b0:4864:20::1235 as permitted sender) client-ip=2607:f8b0:4864:20::1235; Received: by mail-dl1-x1235.google.com with SMTP id a92af1059eb24-137d464c47eso2113123c88.1 for ; Thu, 18 Jun 2026 22:04:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1781845478; cv=none; d=google.com; s=arc-20240605; b=Py65DVBKKG76H7XK/wam5pqyg1u75dRh5Gl8u5+nW4j0SFEbO8sY30jd7hRnyYP9Nu Dd5TdJ2wOZo+enzk90Z/1itoeNlYOv58CzKdaWh1xZlNLUQwfkzILz+d1AXpXpPeCM9K B3PKTGPUCedDzllGnBigE9Vuxj6PhlU2KqZDRKMFOw8qRpicVdNmnhqBbm6BEyjdogiU Gia4Fi8pphspSRb91QbiHAHNh95hDA00irmrOyO7hhcf2QhwIKUx6UV0lUO1p7x/LE35 jhHCTIMRRffsNEfLxdSeuXWnikZTP+LEQEsfcAbFqjJfSGhThEOt46IaRHGCJ/Ncvxhn b+Pw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:mime-version:dkim-signature; bh=k6Vs6LKbOMjn9nMXECxwUoID+Hgv4Dr1C+3cAfy/oJA=; fh=rkm3bHbFkkqaOCEhDYIrUdh+uNF0aEpt1sjHeEyiFh0=; b=UmDauPrgFbqpFnk7+1+y6n3h4qgyxsbBeH6voZOb5ZFjHv615GDJs5nzg4S7dLTgB2 0T2hLI81gdLNsWn3F7uJHdaeIcAAiOH2r3/q2vILgHW4tXtlymgog91bJ62V+p6tY71z XU2Jj/l4UXSrcZ/8eye3oIae4fZ9TBh2obUb0z+ofHTic2XGH23eLGmosKcdbdO78sBU r7sfEvGiHP+9v4xuLl79u10+CNpyMoaRiGrMs8W2hLDKfhYDwItfqNUjNwLlINIUpS1V aRv5kmEIZd+duOgO+g40HNhOn7NzBBQ/UdeK2wUaYzeNUeL8sBu1wpxN818j9qgLr48i CeOw==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; arc=none X-Gm-Gg: AfdE7cmvmBH8meGKIsxeRKvVyx1bOVc1PPu/fa+dbVASEs/tkpfeVA085pcM03PyvMc XLVVVjKJnVrf8s+bgPXN4AVgV7uDATDeBX9FmBpp74CyLfeLRZqUPt+1d5SbJoRJRWwu6+8nmed wN/62krT6tIR8bcB44dNX6+UlfNdxdSnjONX6ZKtxSQUvN9zMdv+307kuGurijRDoE++vRw/5sM hNRRLtXikcaSINv5z7fWwrByjRo/kaTgjrUYtlPju33xIJeTCUBDX5DFfjw82Qk2hVEc/y0 X-Received: by 2002:a05:7022:2606:b0:138:43a4:925b with SMTP id a92af1059eb24-139a311bdecmr1005913c88.20.1781845478141; Thu, 18 Jun 2026 22:04:38 -0700 (PDT) MIME-Version: 1.0 From: Antoine Riard Date: Fri, 19 Jun 2026 06:04:26 +0100 X-Gm-Features: AVVi8Cf9QpRDRNYpsnnAI31k37yvMDknkf48xtEYQ00DnlX6JFxKjFCMOV8Qb3s Message-ID: Subject: [bitcoindev] Accountable Computing On-Chain Contracts for AI Agents Supervision To: Bitcoin Development Mailing List Cc: btc@ariard.me Content-Type: multipart/alternative; boundary="000000000000c4fafb0654943a31" X-Original-Sender: antoine.riard@gmail.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20251104 header.b=GR6aWeRK; arc=pass (i=1); spf=pass (google.com: domain of antoine.riard@gmail.com designates 2607:f8b0:4864:20::1235 as permitted sender) smtp.mailfrom=antoine.riard@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.5 (/) --000000000000c4fafb0654943a31 Content-Type: text/plain; charset="UTF-8" Hi list, With the ongoing discussions on defining a basic format for the data-carrying annex accompanying P2TR spends comes the question why it would be useful for. One usage explored in this post is to be used as an authenticated data payload emplacement and nonce marker as a component of accountable computing contracts being leveraged for AI agents supervision [0]. ## Robinson Crusoe and the AI agent Let's start with an exposition of the problem in isolation. A random hacker, called Robinson Crusoe, has failed on a desert island and he has to reinvent all the basic tools of modern life for his survival. The hacker avails a single item on his desert island, a random AI agent application running on a crank handle powered thinkpad. The random AI agent, let's call it Alice, has access to the whole world information. Our Robinson Crusoe would like to ask questions to the random AI agent, e.g "what is the easiest way to kickstart a warming fire at nights ?" or "what is the best method for desalineating seawater?". Robinson does not have an idea of what the _correct_ AI answer looks like, and a _wrong_ answer might be a source of harm, e.g getting sicks of drinking badly desalineated water. Formally, Robinson and Alice are playing a game, where the question cost is measured by the scarce sun energy to power Alice and Robinson has time-bounded constraints to get correct information or "knowledge" to the practical survival problems Robinson is facing. There is a non-null cost in turning the crank to submit prompts to Alice and ideally, Rob would like to only turn the crank to power Alice only if Alice is able to provide a _correct_ answer to the submitted prompts. There might be a halting problem where Alice is not even able to provide a _correct_ answer limited by the model performance. Robinson and Alice are stuck in a noteworthy information asymmetry, such as asymmetry being measurable from Robinson's subjective viewpoint on an energy scale. ## The principal-agent relationship and the "fronting" user-agent problem In the discipline of economics, the problem of principal-agent relations is a well-studied issue [1]. Basically, any large social organization can know incentives problems due to the structural dissociation between the organization managers and the beneficiaries of the organization results e.g the shareholders. There is a concern in the incentives problems for the agents operating in the best interest of the principals, e.g that they are maximizing the benefice yielded by their managements of the social organization. Translated in the world of AI agents, human users are "fronting" tokens for a solution of which the correctness is uncertain bearing the sole risks of an AI agent token cost processing. In a more ideal setup, human users would only pay an AI agent cost *if the solution is correct*, the AI agent bearing the cost of imprecise solutions, or even more the AI agent being put in an open competition between them to "mine" a solution. Accessory to the "fronting cost" of acquiring verified computations from a crowd of AI agents, a group of principals would like to acquire the verified computation with the minimal sharing of confidential information. E.g the AI agent execution might be influenced by the "knowledge" of the user raw information. In the following sections, we conjecture a simple protocol bringing a solution to this AI agent "fronting" cost problem leveraging the bitcoin blockchain and its scripting mechanism, and minimize AI structured outputs being a market of "lemons". ## The list of cryptographic and bitcoin primitives The taproot annex. With the introduction of the taproot output type an unspecified consensus field embedded as the last of the witness element and starting by the marker 0x50. It can be present or absent in the witness, however this information is committed in the transaction digest. The class of construction known as accountable computing contracts [2]. While there are multiple ways to do it, basically an ACC it's a payment that can only be executed if the receiving party verifiably run a specified function on a specified set of inputs. A functional homomorphic encryption cryptosystem. A FHE is a a kind of cryptosystem allowing to perform functions on the encrypted data without first having to decrypt it. A zero-knowlewdge cryptosystem. A zero-knowledge cryptosystem is a protocol in which one party can prove to another party that some random statement in a defined language is true, without conveying any additional information beyond the mere fact of the statement truth [3]. A contract orchestrer or watchtower system, to provide complete ample data payloads or timeout the ACC after a defined duration. ## A Simple Accountable Computing Contract for Single Task Supervision Let's describe a simple accountable computing contract to supervise a single AI agent task. Our Robinson Crusoe, back to the modern civilization from the desert island has joined a cryptographers club of red wine hobbyists. Our cryptographers clubs would like to make a global search of all the existent red wine appellations in the world (napa valley, cote-rotie, brunello, bodega monteviejo, etc, etc). Navigating the multitude of red wine good bottles is a not trivial problem and our cryptographers club would like a bottle satisfying the palates of everyone for their annual global meeting, *without* exploding the club's budget, and with *availability* for everyone of the solution, if there is one existent. Let's call this information on the best red wine the random string or solution S. Let's call the bitcoin denominated reward for the solution S the reward R. Let's call the input data for the problem, the data D. In our present example, the data D can be a superset of each cryptographer participants's allergy to a grape variety. Each cryptographer would like to keep her or his allergy private, from the other cryptographers. Let's call the verification constraints for the solution S the constraints C. In our present example, the constraints can be the wine's year, the geographical origin, the price, the unctuosity, the acidity, the level of sugar, etc, etc [4] Let's call the script locking the reward R under the constraint C, the lock L. Let's call the time by when a valid random string S must be submitted T. The characteristics of the AI agent are not defined. Neither the model, the weights, the training code, the intermediate checkpoints, the pipeline or whatever. The AI agent is simply denoted by A, a complete black box [5]. Running a simple accountable computing contract for a single AI agent task supervision can be described as publishing a data D, with a reward R locked under a lock L that can be unlocked by a string S respecting the constraints C before the expiration of a time T. We now describe at the high-level how this can be theoretically achieved by using the bitcoin blockchain in a trust-minimized fashion. The init transaction is composed of an input contributing a collateral value from each cryptographers and a signature committing to a data-carrying annex embedding the data D. The sum of the collateral value is the reward R. The output of the init transaction is a simple accountable computing lock e.g do you know a zero-knowledge proof H(X) = Y where H is fixed point encoding the constraints C for the solution S before time T. It can be translated in bitcoin script with OP_SHA256 OP_EQUALVERIFY OP_CHECKLOCKTIMEVERIFY etc. The output should also have a OP_CHECKSIG with a prefixed key and SIGHASH_NONE signature. A lead annex can be used to encode a meta-protocol to give "open" instructions to the AI agent based on the problems to be solved. Either fitting the whole problem formal description as a data payload "what's weather in stockholm tmrw" or a more complete description e.g LOAD . Once the init transaction is confirmed, the problem is solvable by any lively AI agent scanning the bitcoin blockchain and earnmarking flagged P2TR utxo annexes to "mine" for solutions. When such annex is found, the agent reaches Robinson's contract orchestrer, download the full problem description and attempts to solve it. The AI agent computation is considered as a "black box". When a solution is found which can be evaluated by the agent by running H(X) = Y, a zero-knowledge proof can be generated by his local prover. This zero-knowledge proof can be committed in the claim transaction witness and this transaction submitted for inclusion to the chain. To avoid replay of the solution by a third-party and stealing the bounty, the zero-knowledge proof should be randomized with a nonce and the claim scriptpubkey solving the fixed challenge. The claim transaction is also encoding in its annex the ciphered solution under the aggregated cryptographers public key, and the validity of the ciphered solution. By using the aggregated cryptographers key, they can learn the structured output of the open problem submitted to the anonymous crowd of agents. E.g that the best wine to go to drink for their cryptographers meeting is a sonoma valley 2015. In theory, this simple flow can be tweaked, extended, improved on any class of problems solvable by a chain-encodable proof. Beyond, a single ACC could be decomposed in multiple ones, e.g when the described problem doesn't fit the AI agent token context window's size, or decomposed horizontally to buy cycles from hardware accelerators. ## The Open Design Questions There are 2 open design questions, a cryptoeconomic one and a cryptographic one. The crypto economic one, there is an uncertainty on the generation cost of the constraints for the user group wishing to have a verifiable computation done by an AI agent. For the contract to be economically interesting for them, the expression cost should be strictly inferior to the resolution one. The cryptographic one, an ACC for an open set of AI agents, is ultimately a conjectural "open-ended" contract built from an anyone-can-spend. Replay and feerates races by AI agents can be a real concern, so the pre-fixed signature of the claim transaction should commit to the witness solution and an algebraic relationship found between the zero-knowledge and the signature nonce-committed-in-the-annex. While a solution through multiple rounds of bitvm is plausible, it's less elegant. ## An Open Market of Verifiable and Confidential Computations The Bitcoin blockchain is a global system for electronic transactions without relying on trust. This system is globally accessible to anyone in the world availing an internet connection and a basic full-node software implementing the consensus rules and inter-compatible with the rest of the peer-to-peer network. The transaction's spending mechanism has been vetted with a programmable locking mechanism. While this scripting mechanism has been originally design to emulate real-world contracts, e.g bonded contracts or third-party arbitrations, using it as a mechanism to supervise AI agents has not been well studied, from the best knowledge of this author post [6] On one hand, energy sources, AI models and private data sets are unevenly distributed over the world. On the other hand, crowd of users who might be interested in crowd-buying computations that are randomly dispersed around the world. Leveraging the bitcoin blockchain and its scripting mechanisms offers a unique global system to enable a AI agents-powered market for verifiable and confidential computations, while minimizing information asymmetries, among all the players. Bitcoin, tools for the people. Cheers, Antoine OTS hash: 42e9891e32471101b13cf8829b6bf24f1d0ad866b1c30b40f48812a128052d4b PS: Thanks to some smart kids for conversations about this subject. [0] For more intuitions behind this post, the author can refer to the book "Cybernetics: Or Control and Communication in the Animal and the Machine", Norbert Wiener, 1948. [1] "Agency Problems and the Theory of Firms", Eugene Fama, 1980. [2] "Accountable Computing Contracts", Bitcoin Optech. [3] "The knowledge complexity of interactive proof systems", Shafi Goldwasser, Silvio Micali and Charles Rackoff, 1989. [4] This can be dubbed "The Red Wine Cryptographers Problem". It is not scientifically demonstrated that a cryptographer dinner without good wine is worth it. [5] The author of this post confess he doesn't have Yann Le Cun, Yoshua Bengio or Geoffrey Hinton's levels of mastery in the discipline of machine learning. [6] "Transactions and Scripts: DUP HASH160...", Satoshi Nakamoto, June 17 2010 -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CALZpt%2BGGORG3bgM0C3sQYVNbc1W7aFyb0qP_c2xbZ8f64S_ksQ%40mail.gmail.com. --000000000000c4fafb0654943a31 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi list,

With the ongoing discussions on defining a= basic format for the
data-carrying annex accompanying P2TR spends comes= the question
why it would be useful for. One usage explored in this pos= t is to
be used as an authenticated data payload emplacement and nonce m= arker
as a component of accountable computing contracts being leveraged<= br>for AI agents supervision [0].

## Robinson Crusoe and the AI agen= t

Let's start with an exposition of the problem in isolation.
A random hacker, called Robinson Crusoe, has failed on a desert island=
and he has to reinvent all the basic tools of modern life for his
su= rvival. The hacker avails a single item on his desert island, a
random A= I agent application running on a crank handle powered thinkpad.
The rand= om AI agent, let's call it Alice, has access to the whole world
info= rmation.

Our Robinson Crusoe would like to ask questions to the rand= om AI
agent, e.g "what is the easiest way to kickstart a warming fi= re
at nights ?" or "what is the best method for desalineating = seawater?".
Robinson does not have an idea of what the _correct_ AI= answer looks
like, and a _wrong_ answer might be a source of harm, e.g = getting
sicks of drinking badly desalineated water.

Formally, Rob= inson and Alice are playing a game, where the question
cost is measured = by the scarce sun energy to power Alice and Robinson
has time-bounded co= nstraints to get correct information or "knowledge"
to the pra= ctical survival problems Robinson is facing.

There is a non-null cos= t in turning the crank to submit prompts to
Alice and ideally, Rob would= like to only turn the crank to power Alice
only if Alice is able to pro= vide a _correct_ answer to the submitted
prompts. There might be a halti= ng problem where Alice is not even able
to provide a _correct_ answer li= mited by the model performance.

Robinson and Alice are stuck in a no= teworthy information asymmetry,
such as asymmetry being measurable from = Robinson's subjective viewpoint
on an energy scale.

## The pr= incipal-agent relationship and the "fronting" user-agent problem<= br>
In the discipline of economics, the problem of principal-agent
re= lations is a well-studied issue [1].=C2=A0 Basically, any large social
o= rganization can know incentives problems due to the structural
dissociat= ion between the organization managers and the beneficiaries
of the organ= ization results e.g the shareholders.


There is a concern in the = incentives problems for the agents operating
in the best interest of the= principals, e.g that they are maximizing
the benefice yielded by their = managements of the social organization.

Translated in the world of A= I agents, human users are "fronting"
tokens for a solution of = which the correctness is uncertain bearing
the sole risks of an AI agent= token cost processing. In a more ideal
setup, human users would only pa= y an AI agent cost *if the solution
is correct*, the AI agent bearing th= e cost of imprecise solutions,
or even more the AI agent being put in an= open competition between
them to "mine" a solution.
=C2=A0=
Accessory to the "fronting cost" of acquiring verified comput= ations
from a crowd of AI agents, a group of principals would like to ac= quire
the verified computation with the minimal sharing of confidential<= br>information. E.g the AI agent execution might be influenced by the
&q= uot;knowledge" of the user raw information.

In the following se= ctions, we conjecture a simple protocol bringing
a solution to this AI a= gent "fronting" cost problem leveraging the
bitcoin blockchain= and its scripting mechanism, and minimize AI
structured outputs being a= market of "lemons".


## The list of cryptographic and = bitcoin primitives

The taproot annex. With the introduction of the t= aproot output type
an unspecified consensus field embedded as the last o= f the witness
element and starting by the marker 0x50. It can be present= or absent
in the witness, however this information is committed in the = transaction
digest.

The class of construction known as accountabl= e computing contracts [2].
While there are multiple ways to do it, basic= ally an ACC it's a payment
that can only be executed if the receivin= g party verifiably run a specified
function on a specified set of inputs= .

A functional homomorphic encryption cryptosystem. A FHE is a a kin= d of
cryptosystem allowing to perform functions on the encrypted data wi= thout
first having to decrypt it.

A zero-knowlewdge cryptosystem.= A zero-knowledge cryptosystem is a
protocol in which one party can prov= e to another party that some random
statement in a defined language is t= rue, without conveying any additional
information beyond the mere fact o= f the statement truth [3].

A contract orchestrer or watchtower syste= m, to provide complete ample
data payloads or timeout the ACC after a de= fined duration.

## A Simple Accountable Computing Contract for Singl= e Task Supervision

Let's describe a simple accountable computing= contract to supervise a single
AI agent task. Our Robinson Crusoe, back= to the modern civilization from the
desert island has joined a cryptogr= aphers club of red wine hobbyists.

Our cryptographers clubs would li= ke to make a global search of all the existent
red wine appellations in = the world (napa valley, cote-rotie, brunello, bodega
monteviejo, etc, et= c). Navigating the multitude of red wine good bottles is a
not trivial p= roblem and our cryptographers club would like a bottle satisfying
the pa= lates of everyone for their annual global meeting, *without* exploding
t= he club's budget, and with *availability* for everyone of the solution,= if
there is one existent.
=C2=A0
Let's call this information = on the best red wine the random string or solution S.

Let's call= the bitcoin denominated reward for the solution S the reward R.

Let= 's call the input data for the problem, the data D.

In our prese= nt example, the data D can be a superset of each cryptographer
participa= nts's allergy to a grape variety. Each cryptographer would like to
k= eep her or his allergy private, from the other cryptographers.
=C2=A0Let's call the verification constraints for the solution S the constra= ints C.

In our present example, the constraints can be the wine'= s year, the geographical
origin, the price, the unctuosity, the acidity,= the level of sugar, etc, etc [4]

Let's call the script locking = the reward R under the constraint C, the lock L.

Let's call the = time by when a valid random string S must be submitted T.

The charac= teristics of the AI agent are not defined. Neither the model, the
weight= s, the training code, the intermediate checkpoints, the pipeline or
what= ever. The AI agent is simply denoted by A, a complete black box [5].
Running a simple accountable computing contract for a single AI agent task=
supervision can be described as publishing a data D, with a reward R lo= cked
under a lock L that can be unlocked by a string S respecting the co= nstraints
C before the expiration of a time T.

We now describe at= the high-level how this can be theoretically achieved
by using the bitc= oin blockchain in a trust-minimized fashion.
=C2=A0 =C2=A0
The init t= ransaction is composed of an input contributing a collateral value
from = each cryptographers and a signature committing to a data-carrying annex
= embedding the data D. The sum of the collateral value is the reward R.
=
The output of the init transaction is a simple accountable computing lo= ck
e.g do you know a zero-knowledge proof H(X) =3D Y where H is fixed po= int encoding
the constraints C for the solution S before time T. It can = be translated in bitcoin
script =C2=A0with OP_SHA256 OP_EQUALVERIFY OP_C= HECKLOCKTIMEVERIFY etc. The output
should also have a OP_CHECKSIG with a= prefixed key and SIGHASH_NONE signature.

A lead annex can be used t= o encode a meta-protocol to give "open" instructions
to the AI= agent based on the problems to be solved. Either fitting the whole
prob= lem formal description as a data payload "what's weather in stockh= olm tmrw"
or a more complete description e.g LOAD <hyperlink_to_= full_desc> <commitment_desc>.

Once the init transaction is = confirmed, the problem is solvable by any
lively AI agent scanning the b= itcoin blockchain and earnmarking flagged
P2TR utxo annexes to "min= e" for solutions. When such annex is found, the
agent reaches Robin= son's contract orchestrer, download the full problem
description and= attempts to solve it.

The AI agent computation is considered as a &= quot;black box". When a solution is
found which can be evaluated by= the agent by running H(X) =3D Y, a zero-knowledge
proof can be generate= d by his local prover. This zero-knowledge proof can be
committed in the= claim transaction witness and this transaction submitted for
inclusion = to the chain.

To avoid replay of the solution by a third-party and s= tealing the bounty,
the zero-knowledge proof should be randomized with a= nonce and the claim
scriptpubkey solving the fixed challenge. The claim= transaction is also
encoding in its annex the ciphered solution under t= he aggregated cryptographers
public key, and the validity of the ciphere= d solution.

By using the aggregated cryptographers key, they can lea= rn the structured
output of the open problem submitted to the anonymous = crowd of agents. E.g
that the best wine to go to drink for their cryptog= raphers meeting is a
sonoma valley 2015.

In theory, this simple f= low can be tweaked, extended, improved on any class
of problems solvable= by a chain-encodable proof.

Beyond, a single ACC could be decompos= ed in multiple ones, e.g when the
described problem doesn't fit the = AI agent token context window's size,
or decomposed horizontally to = buy cycles from hardware accelerators.
=C2=A0
## The Open Design Ques= tions

There are 2 open design questions, a cryptoeconomic one and a = cryptographic one.

The crypto economic one, there is an uncertainty = on the generation cost of
the constraints for the user group wishing to = have a verifiable computation
done by an AI agent. For the contract to b= e economically interesting for them,
the expression cost should be stric= tly inferior to the resolution one.

The cryptographic one, an ACC fo= r an open set of AI agents, is ultimately a
conjectural "open-ended= " contract built from an anyone-can-spend. Replay
and feerates race= s by AI agents can be a real concern, so the pre-fixed
signature of the = claim transaction should commit to the witness solution
and an algebraic= relationship found between the zero-knowledge and the
signature nonce-c= ommitted-in-the-annex. While a solution through multiple
rounds of bitvm= is plausible, it's less elegant.

## An Open Market of Verifiabl= e and Confidential Computations

The Bitcoin blockchain is a global s= ystem for electronic transactions without
relying on trust. This system = is globally accessible to anyone in the world
availing an internet conne= ction and a basic full-node software implementing
the consensus rules an= d inter-compatible with the rest of the peer-to-peer
network.

The= transaction's spending mechanism has been vetted with a programmablelocking mechanism. While this scripting mechanism has been originally
= design to emulate real-world contracts, e.g bonded contracts or third-party=
arbitrations, using it as a mechanism to supervise AI agents has not be= en
well studied, from the best knowledge of this author post [6]

= On one hand, energy sources, AI models and private data sets are unevenlydistributed over the world. On the other hand, crowd of users who mightbe interested in crowd-buying computations that are randomly dispersed ar= ound
the world. Leveraging the bitcoin blockchain and its scripting mech= anisms
offers a unique global system to enable a AI agents-powered marke= t for
verifiable and confidential computations, while minimizing informa= tion
asymmetries, among all the players.

Bitcoin, tools for the p= eople.
=C2=A0
Cheers,
Antoine
OTS hash: 42e9891e32471101b13cf88= 29b6bf24f1d0ad866b1c30b40f48812a128052d4b

PS: Thanks to some smart k= ids for conversations about this subject.

[0] For more intuitions be= hind this post, the author can refer to
the book "Cybernetics: Or C= ontrol and Communication in the Animal
and the Machine", Norbert Wi= ener, 1948.
[1] "Agency Problems and the Theory of Firms", Eug= ene Fama, 1980.
[2] "Accountable Computing Contracts", Bitcoin= Optech.
[3] "The knowledge complexity of interactive proof systems= ", Shafi
Goldwasser, Silvio Micali and Charles Rackoff, 1989.
[4= ] This can be dubbed "The Red Wine Cryptographers Problem". Itis not scientifically demonstrated that a cryptographer dinner without
= good wine is worth it.
[5] The author of this post confess he doesn'= t have Yann Le Cun,
Yoshua Bengio or Geoffrey Hinton's levels of mas= tery in the discipline
of machine learning.
[6] "Transactions an= d Scripts: DUP HASH160...", Satoshi Nakamoto,
June 17 2010

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoind= ev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/= msgid/bitcoindev/CALZpt%2BGGORG3bgM0C3sQYVNbc1W7aFyb0qP_c2xbZ8f64S_ksQ%40ma= il.gmail.com.
--000000000000c4fafb0654943a31--