Articles published by heyuan - 六币之门
Found 1087 results related to heyuan
2024-10-22
Possible futures of the Ethereum protocol, part 1: The Merge
2024 Oct 14

Special thanks to Justin Drake, Hsiao-wei Wang, @antonttc, Anders Elowsson and Francesco for feedback and review.

Originally, "the Merge" referred to the most important event in the Ethereum protocol's history since its launch: the long-awaited and hard-earned transition from proof of work to proof of stake. Today, Ethereum has been a stably running proof of stake system for almost exactly two years, and this proof of stake has performed remarkably well in stability, performance and avoiding centralization risks. However, there still remain some important areas in which proof of stake needs to improve.

My roadmap diagram from 2023 separated this out into buckets: improving technical features such as stability, performance, and accessibility to smaller validators, and economic changes to address centralization risks. The former got to take over the heading for "the Merge", and the latter became part of "the Scourge".

[Figure: The Merge, 2023 roadmap edition.]
This post will focus on the "Merge" part: what can still be improved in the technical design of proof of stake, and what are some paths to getting there?

This is not meant as an exhaustive list of things that could be done to proof of stake; rather, it is a list of ideas that are actively being considered.

The Merge: key goals

- Single slot finality
- Transaction confirmation and finalization as fast as possible, while preserving decentralization
- Improve staking viability for solo stakers
- Improve robustness
- Improve Ethereum's ability to resist and recover from 51% attacks (including finality reversion, finality blocking, and censorship)

In this chapter

- Single slot finality and staking democratization
- Single secret leader election
- Faster transaction confirmations
- Other research areas

Single slot finality and staking democratization

What problem are we solving?

Today, it takes 2-3 epochs (~15 min) to finalize a block, and 32 ETH is required to be a staker. This was originally a compromise meant to balance between three goals:

- Maximizing the number of validators that can participate in staking (this directly implies minimizing the min ETH required to stake)
- Minimizing the time to finality
- Minimizing the overhead of running a node, in this case the cost of downloading, verifying and re-broadcasting all the other validator's signatures

The three goals are in conflict: in order for economic finality to be possible (meaning: an attacker would need to burn a large amount of ETH to revert a finalized block), you need every single validator to sign two messages each time finality happens. And so if you have many validators, either you need a long time to process all their signatures, or you need very beefy nodes to process all the signatures at the same time.

Note that this is all conditional on a key goal of Ethereum: ensuring that even successful attacks have a high cost to the attacker. This is what is meant by the term "economic finality".
If we did not have this goal, then we could solve this problem by randomly selecting a committee to finalize each slot. Chains that do not attempt to achieve economic finality, such as Algorand, often do exactly this. But the problem with this approach is that if an attacker does control 51% of validators, then they can perform an attack (reverting a finalized block, or censoring, or delaying finality) at very low cost: only the portion of their nodes that are in the committee could be detected as participating in the attack and penalized, whether through slashing or socially-coordinated soft fork. This means that an attacker could repeatedly attack the chain many times over, losing only a small portion of their stake during each attack. Hence, if we want economic finality, a naive committee-based approach does not work, and it appears at first glance that we do need the full set of validators to participate.

Ideally, we want to preserve economic finality, while simultaneously improving on the status quo in two areas:

- Finalize blocks in one slot (ideally, keep or even reduce the current length of 12s), instead of 15 min
- Allow validators to stake with 1 ETH (down from 32 ETH)

The first goal is justified by two goals, both of which can be viewed as "bringing Ethereum's properties in line with those of (more centralized) performance-focused L1 chains".

First, it ensures that all Ethereum users actually benefit from the higher level of security assurances achieved through the finality mechanism. Today, most users do not, because they are not willing to wait 15 minutes; with single-slot finality, users will see their transactions finalized almost as soon as they are confirmed. Second, it simplifies the protocol and surrounding infrastructure if users and applications don't have to worry about the possibility of the chain reverting except in the relatively rare case of an inactivity leak.

The second goal is justified by a desire to support solo stakers.
Poll after poll repeatedly shows that the main factor preventing more people from solo staking is the 32 ETH minimum. Reducing the minimum to 1 ETH would solve this issue, to the point where other concerns become the dominant factor limiting solo staking.

There is a challenge: the goals of faster finality and more democratized staking both conflict with the goal of minimizing overhead. And indeed, this fact is the entire reason why we did not start with single-slot finality to begin with. However, more recent research presents a few possible paths around the problem.

What is it and how does it work?

Single-slot finality involves using a consensus algorithm that finalizes blocks in one slot. This in itself is not a difficult goal: plenty of algorithms, such as Tendermint consensus, already do this with optimal properties. One desired property unique to Ethereum, which Tendermint does not support, is inactivity leaks, which allow the chain to keep going and eventually recover even when more than 1/3 of validators go offline. Fortunately, this desire has already been addressed: there are already proposals that modify Tendermint-style consensus to accommodate inactivity leaks.

[Figure: A leading single slot finality proposal]

The harder part of the problem is figuring out how to make single-slot finality work with a very high validator count, without leading to extremely high node-operator overhead. For this, there are a few leading solutions:

Option 1: Brute force - work hard on implementing better signature aggregation protocols, potentially using ZK-SNARKs, which would actually allow us to process signatures from millions of validators in each slot.

[Figure: Horn, one of the proposed designs for a better aggregation protocol.]
Option 2: Orbit committees - a new mechanism which allows a randomly-selected medium-sized committee to be responsible for finalizing the chain, but in a way that preserves the cost-of-attack properties that we are looking for.

One way to think about Orbit SSF is that it opens up a space of compromise options along a spectrum from x=0 (Algorand-style committees, no economic finality) to x=1 (status quo Ethereum), opening up points in the middle where Ethereum still has enough economic finality to be extremely secure, but at the same time we get the efficiency benefits of only needing a medium-sized random sample of validators to participate in each slot.

Orbit takes advantage of pre-existing heterogeneity in validator deposit sizes to get as much economic finality as possible, while still giving small validators a proportionate role. In addition, Orbit uses slow committee rotation to ensure high overlap between adjacent quorums, ensuring that its economic finality still applies at committee-switching boundaries.

Option 3: two-tiered staking - a mechanism where there are two classes of stakers, one with higher deposit requirements and one with lower deposit requirements. Only the higher-deposit tier would be directly involved in providing economic finality. There are various proposals (eg. see the Rainbow staking post) for exactly what rights and responsibilities the lower-deposit tier has.
Common ideas include:

- the right to delegate stake to a higher-tier staker
- a random sample of lower-tier stakers attesting to, and being needed to finalize, each block
- the right to generate inclusion lists

What are some links to existing research?

- Paths toward single slot finality (2022): https://notes.ethereum.org/@vbuterin/single_slot_finality
- A concrete proposal for a single slot finality protocol for Ethereum (2023): https://eprint.iacr.org/2023/280
- Orbit SSF: https://ethresear.ch/t/orbit-ssf-solo-staking-friendly-validator-set-management-for-ssf/19928
- Further analysis on Orbit-style mechanisms: https://ethresear.ch/t/vorbit-ssf-with-circular-and-spiral-finality-validator-selection-and-distribution/20464
- Horn, signature aggregation protocol (2022): https://ethresear.ch/t/horn-collecting-signatures-for-faster-finality/14219
- Signature merging for large-scale consensus (2023): https://ethresear.ch/t/signature-merging-for-large-scale-consensus/17386?u=asn
- Signature aggregation protocol proposed by Khovratovich et al: https://hackmd.io/@7dpNYqjKQGeYC7wMlPxHtQ/BykM3ggu0#/
- STARK-based signature aggregation (2022): https://hackmd.io/@vbuterin/stark_aggregation
- Rainbow staking: https://ethresear.ch/t/unbundling-staking-towards-rainbow-staking/18683

What is left to do, and what are the tradeoffs?

There are four major possible paths to take (and we can also take hybrid paths):

- Maintain status quo
- Brute-force SSF
- Orbit SSF
- SSF with two-tiered staking

(1) means doing no work and leaving staking as is, but it leaves Ethereum's security experience and staking centralization properties worse than it could be.

(2) brute-forces the problem with high tech. Making this happen requires aggregating a very large number of signatures (1 million+) in a very short period of time (5-10s).
One way to think of this approach is that it involves minimizing systemic complexity by going all-out on accepting encapsulated complexity.

(3) avoids "high tech", and solves the problem with clever rethinking around protocol assumptions: we relax the "economic finality" requirement so that we require attacks to be expensive, but are okay with the cost of attack being perhaps 10x less than today (eg. $2.5 billion cost of attack instead of $25 billion). It's a common view that Ethereum today has far more economic finality than it needs, and its main security risks are elsewhere, and so this is arguably an okay sacrifice to make.

The main work to do is verifying that the Orbit mechanism is safe and has the properties that we want, and then fully formalizing and implementing it. Additionally, EIP-7251 (increase max effective balance) allows for voluntary validator balance consolidation that immediately reduces the chain verification overhead somewhat, and acts as an effective initial stage for an Orbit rollout.

(4) avoids clever rethinking and high tech, but it does create a two-tiered staking system which still has centralization risks. The risks depend heavily on the specific rights that the lower staking tier gets. For example:

- If a low-tier staker needs to delegate their attesting rights to a high-tier staker, then delegation could centralize and we would thus end up with two highly centralized tiers of staking.
- If a random sample of the lower tier is needed to approve each block, then an attacker could spend a very small amount of ETH to block finality.
- If lower-tier stakers can only make inclusion lists, then the attestation layer may remain centralized, at which point a 51% attack on the attestation layer can censor the inclusion lists themselves.

Multiple strategies can be combined, for example:

- (1 + 2): use brute-force techniques to reduce the min deposit size without doing single slot finality. The amount of aggregation required is 64x less than in the pure (3) case, so the problem becomes easier.
- (1 + 3): add Orbit without doing single slot finality
- (2 + 3): do Orbit SSF with conservative parameters (eg. 128k validator committee instead of 8k or 32k), and use brute-force techniques to make that ultra-efficient.
- (1 + 4): add rainbow staking without doing single slot finality

How does it interact with other parts of the roadmap?

In addition to its other benefits, single slot finality reduces the risk of certain types of multi-block MEV attacks. Additionally, attester-proposer separation designs and other in-protocol block production pipelines would need to be designed differently in a single-slot finality world.

Brute-force strategies have the weakness that they make it harder to reduce slot times.

Single secret leader election

What problem are we solving?

Today, which validator is going to propose the next block is known ahead of time. This creates a security vulnerability: an attacker can watch the network, identify which validators correspond to which IP addresses, and DoS attack each validator right when they are about to propose a block.

What is it and how does it work?

The best way to fix the DoS issue is to hide the information about which validator is going to produce the next block, at least until the moment when the block is actually produced. Note that this is easy if we remove the "single" requirement: one solution is to let anyone create the next block, but require the randao reveal to be less than 2^256 / N. On average, only one validator would be able to meet this requirement - but sometimes there would be two or more and sometimes there would be zero.
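The threshold lottery described above (anyone may propose if their randao reveal is below 2^256 / N), simulated as an added example that is not from the original post. A SHA-256 hash of a constructed per-validator secret stands in for the real reveal, and all function names are hypothetical.

```python
import hashlib
from collections import Counter


def reveal_value(secret: bytes, slot: int) -> int:
    """Stand-in for a RANDAO reveal: a 256-bit value that only the holder of
    `secret` can compute before publishing it (assumption: SHA-256 replaces
    the real signature-based reveal)."""
    digest = hashlib.sha256(secret + slot.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big")


def eligible_proposers(secrets, slot):
    """Indices of validators whose reveal falls below 2^256 / N for this slot."""
    threshold = 2**256 // len(secrets)
    return [i for i, s in enumerate(secrets) if reveal_value(s, slot) < threshold]


def simulate(n_validators=64, n_slots=2000):
    """Fraction of slots with zero, exactly one, or multiple eligible proposers."""
    # Constructed secrets; a real validator would use its private key.
    secrets = [hashlib.sha256(b"constructed-validator-%d" % i).digest()
               for i in range(n_validators)]
    counts = Counter()
    for slot in range(n_slots):
        k = len(eligible_proposers(secrets, slot))
        counts["zero" if k == 0 else "one" if k == 1 else "multiple"] += 1
    return {key: counts[key] / n_slots for key in ("zero", "one", "multiple")}


def expected(n_validators):
    """Binomial(N, 1/N) prediction for the same three outcomes."""
    p = 1 / n_validators
    zero = (1 - p) ** n_validators
    one = n_validators * p * (1 - p) ** (n_validators - 1)
    return {"zero": zero, "one": one, "multiple": 1 - zero - one}


if __name__ == "__main__":
    observed, predicted = simulate(), expected(64)
    for key in ("zero", "one", "multiple"):
        print(f"{key:9s} observed={observed[key]:.3f} predicted={predicted[key]:.3f}")
```

Eligibility stays secret until a validator publishes its reveal, but roughly a third of slots have no proposer and roughly a quarter have competing proposers, which is the gap the "single" requirement is meant to close.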
Combining the "secrecy" requirement with the "single" requirement has long been the hard problem.

Single secret leader election protocols solve this by using some cryptographic techniques to create a "blinded" validator ID for each validator, and then giving many proposers the opportunity to shuffle-and-reblind the pool of blinded IDs (this is similar to how a mixnet works). During each slot, a random blinded ID is selected. Only the owner of that blinded ID is able to generate a valid proof to propose the block, but no one else knows which validator that blinded ID corresponds to.

[Figure: Whisk SSLE protocol]

What are some links to existing research?

- Paper by Dan Boneh (2020): https://eprint.iacr.org/2020/025.pdf
- Whisk (concrete proposal for Ethereum, 2022): https://ethresear.ch/t/whisk-a-practical-shuffle-based-ssle-protocol-for-ethereum/11763
- Single secret leader election tag on ethresear.ch: https://ethresear.ch/tag/single-secret-leader-election
- Simplified SSLE using ring signatures: https://ethresear.ch/t/simplified-ssle/12315

What is left to do, and what are the tradeoffs?

Realistically, what's left is finding and implementing a protocol that is sufficiently simple that we are comfortable implementing it on mainnet. We highly value Ethereum being a reasonably simple protocol, and we do not want complexity to increase further. SSLE implementations that we've seen add hundreds of lines of spec code, and introduce new assumptions in complicated cryptography. Figuring out an efficient-enough quantum-resistant SSLE implementation is also an open problem.

It may end up the case that the extra complexity introduced by SSLE only goes down enough once we take the plunge and introduce the machinery to do general-purpose zero-knowledge proofs into the Ethereum protocol at L1 for other reasons (eg. state trees, ZK-EVM).

An alternative option is to simply not bother with SSLE, and use out-of-protocol mitigations (eg. at the p2p layer) to solve the DoS issues.

How does it interact with other parts of the roadmap?

If we add an attester-proposer separation (APS) mechanism, eg. execution tickets, then execution blocks (ie. blocks containing Ethereum transactions) will not need SSLE, because we could rely on block builders being specialized. However, we would still benefit from SSLE for consensus blocks (ie. blocks containing protocol messages such as attestations, perhaps pieces of inclusion lists, etc).

Faster transaction confirmations

What problem are we solving?

There is value in Ethereum's transaction confirmation time decreasing further, from 12 seconds down to eg. 4 seconds. Doing this would significantly improve the user experience of both the L1 and based rollups, while making defi protocols more efficient. It would also make it easier for L2s to decentralize, because it would allow a large class of L2 applications to work on based rollups, reducing the demand for L2s to build their own committee-based decentralized sequencing.

What is it and how does it work?

There are broadly two families of techniques here:

- Reduce slot times, down to eg. 8 seconds or 4 seconds. This does not necessarily have to mean 4-second finality: finality inherently takes three rounds of communication, and so we can make each round of communication be a separate block, which would after 4 seconds get at least a preliminary confirmation.
- Allow proposers to publish pre-confirmations over the course of a slot. In the extreme, a proposer could include transactions that they see into their block in real time, and immediately publish a pre-confirmation message for each transaction ("My first transaction is 0x1234...", "My second transaction is 0x5678..."). The case of a proposer publishing two conflicting confirmations can be dealt with in two ways: (i) by slashing the proposer, or (ii) by using attesters to vote on which one came earlier.
What are some links to existing research?

- Based preconfirmations: https://ethresear.ch/t/based-preconfirmations/17353
- Protocol-enforced proposer commitments (PEPC): https://ethresear.ch/t/unbundling-pbs-towards-protocol-enforced-proposer-commitments-pepc/13879
- Staggered periods across parallel chains (a 2018-era idea for achieving low latency): https://ethresear.ch/t/staggered-periods/1793

What is left to do, and what are the tradeoffs?

It's far from clear just how practical it is to reduce slot times. Even today, stakers in many regions of the world have a hard time getting attestations included fast enough. Attempting 4-second slot times runs the risk of centralizing the validator set, and making it impractical to be a validator outside of a few privileged geographies due to latency. Specifically, moving to 4-second slot times would require reducing the bound on network latency ("delta") to two seconds.

The proposer preconfirmation approach has the weakness that it can greatly improve average-case inclusion times, but not worst-case: if the current proposer is well-functioning, your transaction will be pre-confirmed in 0.5 seconds instead of being included in (on average) 6 seconds, but if the current proposer is offline or not well-functioning, you would still have to wait up to a full 12 seconds for the next slot to start and provide a new proposer.

Additionally, there is the open question of how pre-confirmations will be incentivized. Proposers have an incentive to maximize their optionality as long as possible.
If attesters sign off on timeliness of pre-confirmations, then transaction senders could make a portion of the fee conditional on an immediate pre-confirmation, but this would put an extra burden on attesters, and potentially make it more difficult for attesters to continue functioning as a neutral "dumb pipe".

On the other hand, if we do not attempt this and keep finality times at 12 seconds (or longer), the ecosystem will put greater weight on pre-confirmation mechanisms made by layer 2s, and cross-layer-2 interaction will take longer.

How does it interact with other parts of the roadmap?

Proposer-based preconfirmations realistically depend on an attester-proposer separation (APS) mechanism, eg. execution tickets. Otherwise, the pressure to provide real-time preconfirmations may be too centralizing for regular validators.

Exactly how short slot times can be also depends on the slot structure, which depends heavily on what versions of APS, inclusion lists, etc we end up implementing. There are slot structures that contain fewer rounds and are thus more friendly to short slot times, but they make tradeoffs in other places.

Other research areas

51% attack recovery

There is often an assumption that if a 51% attack happens (including attacks that are not cryptographically provable, such as censorship), the community will come together to implement a minority soft fork that ensures that the good guys win, and the bad guys get inactivity-leaked or slashed. However, this degree of over-reliance on the social layer is arguably unhealthy. We can try to reduce reliance on the social layer, by making the process of recovering as automated as possible.

Full automation is impossible, because if it were, that would count as a >50% fault tolerant consensus algorithm, and we already know the (very restrictive) mathematically provable limitations of those kinds of algorithms.
But we can achieve partial automation: for example, a client could automatically refuse to accept a chain as finalized, or even as the head of the fork choice, if it censors transactions that the client has seen for long enough. A key goal would be ensuring that the bad guys in an attack at least cannot get a quick clean victory.

Increasing the quorum threshold

Today, a block finalizes if 67% of stakers support it. There is an argument that this is overly aggressive. There has been only one (very brief) finality failure in all of Ethereum's history. If this percentage is increased, eg. to 80%, then the added number of non-finality periods will be relatively low, but Ethereum would gain security properties: in particular, many more contentious situations will result in temporary stopping of finality. This seems a much healthier situation than "the wrong side" getting an instant victory, both when the wrong side is an attacker, and when it's a client that has a bug.

This also gives an answer to the question "what is the point of solo stakers"? Today, most stakers are already staking through pools, and it seems very unlikely to get solo stakers up to 51% of staked ETH. However, getting solo stakers up to a quorum-blocking minority, especially if the quorum is 80% (so a quorum-blocking minority would only need 21%) seems potentially achievable if we work hard at it.
As long as solo stakers do not go along with a 51% attack (whether finality-reversion or censorship), such an attack would not get a "clean victory", and solo stakers would be motivated to help organize a minority soft fork.

Note that there are interactions between quorum thresholds and the Orbit mechanism: if we end up using Orbit, then what exactly "21% of stakers" means will become a more complicated question, and will depend in part on the distribution of validators.

Quantum-resistance

Metaculus currently believes, though with wide error bars, that quantum computers will likely start breaking cryptography some time in the 2030s:

Quantum computing experts such as Scott Aaronson have also recently started taking the possibility of quantum computers actually working in the medium term much more seriously. This has consequences across the entire Ethereum roadmap: it means that each piece of the Ethereum protocol that currently depends on elliptic curves will need to have some hash-based or otherwise quantum-resistant replacement. This particularly means that we cannot assume that we will be able to lean on the excellent properties of BLS aggregation to process signatures from a large validator set forever. This justifies conservatism in the assumptions around performance of proof-of-stake designs, and also is a cause to be more proactive to develop quantum-resistant alternatives.
2024-10-22
Making Ethereum alignment legible
2024 Sep 28

One of the most important social challenges in the Ethereum ecosystem is balancing - or, more accurately, integrating, decentralization and cooperation. The ecosystem's strength is that there is a wide array of people and organizations - client teams, researchers, layer 2 teams, application developers, local community groups - all building toward their own visions of what Ethereum can be. The primary challenge is making sure that all these projects are, collectively, building something that feels like one Ethereum ecosystem, and not 138 incompatible fiefdoms.

To solve this challenge, many people throughout the Ethereum ecosystem have brought up the concept of "Ethereum alignment". This can include values alignment (eg. be open source, minimize centralization, support public goods), technological alignment (eg. work with ecosystem-wide standards), and economic alignment (eg. use ETH as a token where possible). However, the concept has historically been poorly defined, and this creates risk of social layer capture: if alignment means having the right friends, then "alignment" as a concept has failed.

To solve this, I would argue that the concept of alignment should be made more legible, decomposed into specific properties, which can be represented by specific metrics. Each person's list will be different, and metrics will inevitably change over time. However, I think we already have some solid starting points.

- Open source - this is valuable for two reasons: (i) code being inspectable to ensure security, and more importantly (ii) reducing the risk of proprietary lockin and enabling permissionless third-party improvements. Not every piece of every application needs to be fully open source, but core infrastructure components that the ecosystem depends on absolutely should be. The gold standard here is the FSF free software definition and OSI open source definition.
- Open standards - striving for interoperability with the Ethereum ecosystem and building on open standards, both the ones that exist (eg. ERC-20, ERC-1271...) and those that are under development (eg. account abstraction, cross-L2 transfers, L1 and L2 light client proofs, upcoming address format standards). If you want to introduce a new feature that is not well-served by existing standards, write a new ERC in collaboration with others. Applications and wallets can be rated by which ERCs they are compatible with.
- Decentralization and security - avoiding points of trust, minimizing censorship vulnerabilities, and minimizing centralized infrastructure dependency. The natural metrics are (i) the walkaway test: if your team and servers disappear tomorrow, will your application still be usable, and (ii) the insider attack test: if your team itself tries to attack the system, how much will break, and how much harm could you do? An important formalization is the L2beat rollup stages.
- Positive-sum
  - Toward Ethereum - the project succeeding should benefit the whole Ethereum community (eg. ETH holders, Ethereum users), even if they are not part of the project's own ecosystem. Specific examples include using ETH as the token (and thus contributing to its network effect), contributions to open source technology, and commitments to donate a % of tokens or revenue to Ethereum ecosystem-wide public goods.
  - Toward the broader world - Ethereum is here to make the world a more free and open place, enable new forms of ownership and collaboration, and contribute positively to important challenges facing humanity. Does your project do this? Examples include applications that bring sustainable value to broader audiences (eg. financial inclusion), % donations to beyond-Ethereum public goods, and building technology with utility beyond crypto (eg. funding mechanisms, general computer security) that actually gets used in those contexts.
[Figure: Ethereum node map, source ethernodes.org]

Obviously, not all of the above is applicable to each project. The metrics that make sense for L2s, wallets, decentralized social media applications, etc, are all going to look very different. Different metrics may also change in priority: two years ago, rollups having "training wheels" was more okay because it was "early days"; today, we need to move to at least stage 1 ASAP. Today, the most legible metric for being positive sum is commitments to donate a percentage of tokens, which more and more projects are doing; tomorrow we can find metrics to make other aspects of positive-sumness legible too.

My ideal goal here is that we see more entities like L2beat emerging to track how well individual projects are meeting the above criteria, and other criteria that the community comes up with. Instead of competing to have the right friends, projects would compete to be as aligned as possible according to clearly understandable criteria. The Ethereum Foundation should remain one-step-removed from most of this: we fund L2beat, but we should not be L2beat. Making the next L2beat is itself a permissionless process.

This would also give the EF, and other organizations (and individuals) interested in supporting and engaging with the ecosystem while keeping their neutrality, a clearer route to determine which projects to support and use. Each organization and individual can make their own judgement about which criteria they care about the most, and choose projects in part based on which ones best fit those criteria. This makes it easier for both the EF and everyone else to become part of the incentive for projects to be more aligned.

You can only be a meritocracy if merit is defined; otherwise, you have a (likely exclusive and negative-sum) social game.
Concerns about "who watches the watchers" are best addressed not by betting everything on an attempt to make sure everyone in positions of influence is an angel, but through time-worn techniques like separation of powers. "Dashboard organizations" like L2beat, block explorers, and other ecosystem monitors are an excellent example of such a principle working in the Ethereum ecosystem today. If we do more to make different aspects of alignment legible, while not centralizing in one single "watcher", we can make the concept much more effective, and fair and inclusive in the way that the Ethereum ecosystem strives to be.
2024-10-22
Glue and coprocessor architectures
2024 Sep 02

Special thanks to Justin Drake, Georgios Konstantopoulos, Andrej Karpathy, Michael Gao, Tarun Chitra and various Flashbots contributors for feedback and review.

If you analyze any resource-intensive computation being done in the modern world in even a medium amount of detail, one feature that you will find again and again is that the computation can be broken up into two parts:

- A relatively small amount of complex, but not very computationally intensive, "business logic"
- A large amount of intensive, but highly structured, "expensive work"

These two forms of computation are best handled in different ways: the former, with an architecture that may have lower efficiency but needs to have very high generality, and the latter, with an architecture that may have lower generality, but needs to have very high efficiency.

What are some examples of this separation in practice?

To start off, let us look under the hood of the environment I am most familiar with: the Ethereum Virtual Machine (EVM). Here is the geth debug trace of a recent Ethereum transaction that I did: updating the IPFS hash of my blog on ENS. The transaction consumes a total of 46924 gas, which can be categorized in this way:

- Base cost: 21,000
- Calldata: 1,556
- EVM execution: 24,368
  - SLOAD opcode: 6,400
  - SSTORE opcode: 10,100
  - LOG opcode: 2,149
  - Other: 6,719

[Figure: EVM trace of an ENS hash update. Second last column is gas consumption.]

The moral of the story is: most of the execution (~73% if you look at the EVM alone, ~85% if you include the portion of the base cost that covers computation) is concentrated in a very small number of structured expensive operations: storage reads and writes, logs, and cryptography (the base cost includes 3000 to pay for signature verification, and the EVM also includes 272 to pay for hashing).
The rest of the execution is "business logic": fiddling around with the bits of the calldata to extract the ID of the record I am trying to set and the hash I am setting it to, and so on. In a token transfer, this would include adding and subtracting balances; in a more advanced application, this might include a loop, and so on.

In the EVM, these two forms of execution are handled in different ways. The high-level business logic is written in a higher-level language, often Solidity, which compiles to the EVM. The expensive work is still triggered by EVM opcodes (SLOAD, etc), but > 99% of the actual computation is done in specialized modules written directly inside of client code (or even libraries).

To reinforce our understanding of this pattern, let's explore it in another context: AI code written in Python using torch.

[Figure: Forward pass of one block of a transformer model, source.]

What do we see here? We see a relatively small amount of "business logic", written in Python, which describes the structure of the operations that are being done. In an actual application, there will also be another type of business logic, which determines details like how you get the input and what you do to the output. But, if we peek into each of the individual operations themselves (self.norm, torch.cat, +, *, the various steps inside self.attn...), we see vectorized computation: the same operation getting computed on a large number of values in parallel. Similarly to the first example, a small portion of the compute is spent on business logic, and the bulk of the compute is spent on performing the big structured matrix and vector operations - in fact, the majority is just matrix multiplication.

Just like in the EVM example, the two types of work are handled in two different ways.
The high-level business logic code is written in Python, a highly general and flexible language which is also very slow, and we just accept the inefficiency because it only touches a small part of the total computational cost. Meanwhile, the intensive operations are written in highly optimized code, often CUDA code running on a GPU. Increasingly, we're even starting to see LLM inference being done on ASICs.

Modern programmable cryptography, such as SNARKs, follows a similar pattern yet again, on two levels. First, the prover can be written in a high-level language where the heavy work is done with vectorized operations, just like the AI example above. My circle STARK code here shows this in action. Second, the program that is being executed inside the cryptography can itself be written in a way that is split between generalized business logic and highly structured expensive work.

To see how this works, we can look at one of the latest trends in STARK proving. To be general-purpose and easy to use, teams are increasingly building STARK provers for widely-adopted minimal virtual machines, such as RISC-V. Any program whose execution needs to be proven can be compiled into RISC-V, and then the prover can prove the RISC-V execution of that code.

[Figure: Diagram from RISC Zero documentation]

This is super convenient: it means that we only need to write the prover logic once, and from that point forward any program that needs to be proven can just be written in any "conventional" programming language (eg. RISC Zero supports Rust). However, there is a problem: this approach incurs significant overhead. Programmable cryptography is already very expensive; adding the overhead of running code inside a RISC-V interpreter is too much. And so developers have come up with a hack: you identify the specific expensive operations that make up the bulk of the computation (often that's hashes and signatures), and you create specialized modules to prove those operations extremely efficiently.
And then you just combine the inefficient-but-general RISC-V proving system and the efficient-but-specialized proving systems together, and you get the best of both worlds.

Programmable cryptography other than ZK-SNARKs, such as multi-party computation (MPC) and fully homomorphic encryption (FHE) will likely be optimized using a similar approach.

What is the general pattern at play?

Modern computation is increasingly following what I call a glue and coprocessor architecture: you have some central "glue" component, which has high generality but low efficiency, which is responsible for shuttling data between one or more coprocessor components, which have low generality but high efficiency.

This is a simplification: in practice, there are almost always more than two levels along the tradeoff curve between efficiency and generality. GPUs, and other chips that are often called "coprocessors" in industry, are less general than CPUs but more general than ASICs. There are complicated tradeoffs of how far to specialize, which are decided based on projections and intuitions about what parts of an algorithm will still be the same in five years, and which parts will change in six months. In a ZK-proving architecture, we often similarly see multiple layers of specialization. But for a broad mental model, it's sufficient to think about two levels. There are parallels to this in many domains of computation:

| Domain | Glue | Coprocessor |
| Ethereum | EVM | Dedicated opcodes/precompiles for specialized operations |
| AI (eg. LLMs) | Python (often) | GPU via CUDA; ASICs |
| Web apps | Javascript | WASM |
| Programmable cryptography | RISC-V | Specialized modules (eg. for hashes and signatures) |

From the above examples, it might feel like a law of nature that of course computation can be split in this way. And indeed, you can find examples of specialization in computing for decades. However, I would argue that this separation is increasing.
I think this is true for a few key reasons:

- We have only relatively recently hit the limits of increasing CPU clock speed, and so further gains can only come from parallelization. However, parallelization is hard to reason about, and so it's often more practical for developers to continue reasoning sequentially, and let the parallelization happen in the backend, wrapped inside specialized modules built for specific operations.
- Computation has only recently become so fast that the computational costs of business logic have become truly negligible. In this world, it makes sense to optimize the VM that business logic runs in for goals other than compute efficiency: developer friendliness, familiarity, security, and other similar objectives. Meanwhile, the specialized "coprocessor" modules can continue to be designed for efficiency, and get their security and developer friendliness properties from the relatively simple "interface" that they have with the glue.
- It's becoming clearer what the most important expensive operations are. This is most obvious in cryptography, where it's clear what kinds of specific expensive operations are most likely to be used: modular arithmetic, elliptic curve linear combinations (aka multi-scalar multiplications), Fast Fourier transforms, and so on. It's also becoming clearer in AI, where the bulk of computation has been "mostly matrix multiplication" (albeit with different levels of precision) for over two decades. Similar trends appear in other domains. There are just much fewer unknown unknowns in (computationally intensive) computing than there were 20 years ago.

What does this imply?

A key takeaway is that glue should optimize for being good glue, and coprocessors should optimize for being good coprocessors. We can explore the implications of this in a few key areas.

EVM

Blockchain virtual machines (eg. EVM) don't need to be efficient, they just need to be familiar.
Computation in an inefficient VM can be made almost as efficient in practice as computation in a natively efficient VM by just adding the right coprocessors (aka "precompiles"). The overhead incurred by eg. the EVM's 256-bit registers is relatively small, while the benefits from the EVM's familiarity and existing developer ecosystem are great and durable. Developer teams optimizing the EVM are even finding that lack of parallelization is often not a primary barrier to scalability.

The best ways to improve the EVM may well just be (i) adding better precompiles or specialized opcodes, eg. some combination of EVM-MAX and SIMD may be justified, and (ii) improving the storage layout, which eg. the Verkle tree changes do as a side effect by greatly reducing the cost of accessing storage slots that are beside each other.

[Figure: Storage optimizations in the Ethereum Verkle tree proposal, putting adjacent storage keys together and adjusting gas costs to reflect this.]

Optimizations like this, together with better precompiles, may well matter more than tweaking the EVM itself.

Secure computing and open hardware

One of the big challenges with improving security of modern computing at the hardware layer is the overcomplicated and proprietary nature of it: chips are designed to be highly efficient, which requires proprietary optimizations. Backdoors are easy to hide, and side channel vulnerabilities keep getting discovered.

There continues to be a valiant effort to push more open and more secure alternatives from multiple angles. Some computations are increasingly done in trusted execution environments, including on users' phones, and this has increased security for users already. The push toward more-open-source consumer hardware continues, with recent victories like a RISC-V laptop running Ubuntu.

[Figure: RISC-V laptop running Debian, source]

However, efficiency continues to be a problem.
The author of the above-linked article writes:

> It's unfeasible for a newer, open-source chip design like RISC-V to go toe to toe with processor technologies that have been around for and refined for decades. Progress has a starting point.

More paranoid ideas, like this design for building a RISC-V computer on top of an FPGA, face even more overhead. But what if glue and coprocessor architectures mean that this overhead does not actually matter? What if we accept that open and secure chips will be slower than proprietary chips, if needed even giving up on common optimizations like speculative execution and branch prediction, but try to compensate for this by adding (if needed, proprietary) ASIC modules for specific types of computation that are the most intensive? Sensitive computations can be done in a "main chip" that would be optimized for security, open source design and side-channel resistance. More intensive computations (eg. ZK-proving, AI) would be done in the ASIC modules, which would learn less information (potentially, with cryptographic blinding, perhaps in some cases even zero information) about the computation being performed.

Cryptography

Another key takeaway is that this is all very optimistic for cryptography, especially programmable cryptography, going mainstream. We're already seeing hyper-optimized implementations of some specific highly structured computations in SNARKs, MPC and other settings: overhead for some hash functions is in the range of being only a few hundred times more expensive than running the computation directly, and extremely low overhead for AI (which is mostly just matrix multiplications) is also possible. Further improvements like GKR will likely reduce this further.
Fully general purpose VM execution, especially if executed inside a RISC-V interpreter, will likely continue to have something like ten-thousand-fold overhead, but for the reasons described in this post, this will not matter: as long as the most intensive parts of a computation are handled separately using efficient dedicated techniques, the total overhead will be manageable.

[Figure: A simplified diagram of a dedicated MPC for matrix multiplication, the largest component in AI model inference. See this paper for more details, including ways to keep both the model and the input private.]

One exception to the idea that "glue only needs to be familiar, not efficient" is latency, and to a smaller extent data bandwidth. If a computation involves doing repeated heavy operations on the same data dozens of times (as cryptography and AI both do), any delays that result from an inefficient glue layer can become a primary bottleneck to running time. Hence, glue also has efficiency requirements, though they are more specific ones.

Conclusion

On the whole, I consider the above trends to be very positive developments from several perspectives. First, it is the logical way to maximize computing efficiency while preserving developer friendliness, and being able to get more of both at the same time benefits everyone. In particular, by enabling more efficiency gains from specialization on the client side, it improves our ability to run computations that are both sensitive and performance-demanding (eg. ZK-proving, LLM inference) locally on the user's hardware.

Second, it creates a large window of opportunity to ensure that the drive for efficiency does not compromise other values, most notably security, openness and simplicity: side-channel security and openness in computer hardware, reducing circuit complexity in ZK-SNARKs, and reducing complexity in virtual machines. Historically, the drive for efficiency has led to these other factors taking a back seat.
With glue-and-coprocessor architectures, it no longer needs to. One part of the machine optimizes for efficiency, and the other part optimizes for generality and other values, and the two work together.

The trend is also very beneficial for cryptography, because cryptography itself is a major example of "expensive structured computation", which gets accelerated by this trend. This adds a further opportunity to increase security. A security increase also becomes possible in the world of blockchains: we can worry less about optimizing virtual machines, and instead focus more on optimizing precompiles and other features that live alongside virtual machines.

Third, this trend presents an opportunity for smaller and newer players to participate. If computation is becoming less monolithic, and more modular, that greatly decreases the barrier to entry. Even with an ASIC for one type of computation, it's possible to make a difference. The same will be true in the ZK-proving space, and in EVM optimization. Writing code that has near-frontier-level efficiency becomes much easier and more accessible. Auditing and formally verifying such code becomes easier and more accessible. And finally, because these very different domains of computing are converging on some common patterns, there is more room for collaboration and learning between them.
October 22, 2024
2024-10-22
Plurality philosophy in an incredibly oversized nutshell
2024 Aug 21

Special thanks to Glen Weyl and Audrey Tang for discussion and Karl Floersch for review.

One of the interesting tensions in the crypto space, which has become a sort of digital home for my geographically nomadic self over the last decade, is its relationship to the topic of governance. The crypto space hails from the cypherpunk movement, which values independence from external constraints often imposed by ruthless and power-hungry politicians and corporations, and has for a long time built technologies like torrent networks and encrypted messaging to achieve these ends. With newer ideas like blockchains, cryptocurrencies and DAOs, however, there is an important shift: these newer constructions are long-lived, and constantly evolving, and so they have an inherent need to build their own governance, and not just circumvent the governance of unwanted outsiders. The ongoing survival of these structures depends crucially on mathematical research, open source software, and other large-scale public goods. This requires a shift in mentality: the ideology that maintains the crypto space needs to transcend the ideology that created it.

These kinds of complex interplays between coordination and freedom, especially in the context of newer technologies, are everywhere in our modern society, going far beyond blockchains and cryptocurrency. Earlier this year, Florida governor Ron DeSantis signed a bill that would ban synthetic (aka "lab-grown") meat from the state, arguing that "global elites want to control our behavior and push a diet of petri dish meat and bugs on Americans", and that we need to "prioritize our farmers and ranchers over ... the World Economic Forum". As you might expect, the Libertarian Party New Hampshire account publicly criticized the "authoritarian socialist" nature of the legislation.
But as it turned out, many other self-described libertarians did not share the same opinion:

To me, LPNH's criticism of DeSantis's ban makes total sense: banning people from eating a new and potentially far more ethical and sustainable form of meat, on the basis of little more than a disgust reflex, is the exact opposite of valuing freedom. And yet, it's clear that many others do not feel the same way. When I scoured the internet for cogent arguments why, the most compelling I could find is this argument from Roko Mijic: in short, once something like this is allowed, it becomes mainstream, society reorganizes around it, and the lives of those who do not want to follow along inevitably become harder and harder. It happened with digital cash, to the point where even the Swedish central bank is worried about cash payments accessibility, so why wouldn't it happen in other sectors of technology as well?

About two weeks after DeSantis signed the bill banning lab-grown meat, Google announced that it was rolling out a feature into Android that would analyze the contents of calls in real time, and would automatically give the user a warning if it thinks the user might be getting scammed. Financial scams are a large and growing problem, especially in regions like Southeast Asia, and they are becoming increasingly sophisticated more rapidly than many people can adapt. AI is accelerating this trend. Here, we see Google creating a solution to help warn users about scams, and what's more, the solution is entirely client-side: there's no personal data being shipped off to any corporate or governmental Big Brother. This seems amazing; it's exactly the kind of tech that I advocated for in my post introducing "d/acc". However, not all freedom-minded people were happy, and at least one of the detractors was very difficult to dismiss as "just a Twitter troll": it was Meredith Whittaker, president of the Signal Foundation.
All three of these tensions are examples of things that have made a deep philosophical question repeatedly pop into my mind: what is the thing that people like myself, who think of ourselves as principled defenders of freedom, should actually be defending? What is the updated version of Scott Alexander's notion of liberalism as a peace treaty that makes sense in the twenty-first century? Clearly, the facts have changed. Public goods are much more important than before, at larger scales than before. The internet has made communication abundant, rather than scarce. As Henry Farrell analyzed in his book on weaponized interdependence, modern information technology doesn't just empower the recipient: it also enables ongoing power projection by the creator. Existing attempts to deal with these questions are often haphazard, trying to treat them as exceptions that require principles to be tempered by pragmatic compromise. But what if there was a principled way of looking at the world, which values freedom and democracy, that can incorporate these challenges, and deal with them as a norm rather than an exception?

Table of contents

- Plurality, the book
- How would I define Plurality in one sentence?
- What are the megapolitics of Plurality?
- What is the Plurality model of "the world as it is"?
- How does Plurality differ from libertarianism?
- How does Plurality differ from democracy?
- What are some specific technologies that the Plurality vision advocates?
  - Identity
  - Plural Money and Property
  - Voting
  - Conversations
  - Brain-to-brain communication and virtual reality
- Where does Plurality stand in the modern ideological landscape?
- Is Pluralism compatible with wanting a crazy exponential future?
- Is Plurality compatible with valuing excellence and expertise?
- Where could these ideas be applied first?

Plurality, the book

The above is not how Glen Weyl and Audrey Tang introduce their new book, Plurality: the future of collaborative technology and democracy.
The narrative that animates Glen is a somewhat different one, focusing on the increasingly antagonistic relationship between many Silicon Valley tech industry figures and the political center-left, and seeking to find a more collaborative way forward:

[Figure: Glen Weyl, introducing the Plurality book in a presentation in Taipei]

But it felt more true to the spirit of the book for me to give an introduction that gestures at a related set of problems from my own angle. After all, it is an explicit goal of Plurality to try to be compelling to a pretty wide group of people with a wide set of concerns, that draw from all different parts of the traditional political spectrum. I've long been concerned about what has felt to me like a growing decline of support for not just democracy but even freedom, which seems to have accelerated since around 2016.

I've also had a front-row seat dealing with questions of governance from the governance builder's side, from my role within the Ethereum ecosystem. At the start of my Ethereum journey, I was originally animated by the dream of creating a governance mechanism that was provably mathematically optimal, much like we have provably optimal consensus algorithms. Five years later, my intellectual exploration ended up with me figuring out the theoretical arguments why such a thing is mathematically impossible.

Glen's intellectual evolution was in many ways different from mine, but in many ways similar. His previous book Radical Markets featured ideas inspired by classical liberal economics, as well as more recent mathematical discoveries in the field, to try to create better versions of property rights and democracy that solve the largest problems with both mechanisms. Just like me, he has always found ideas of freedom and ideas of democracy both compelling, and has tried to find the ideal combination of both, that treats them not as opposite goals to be balanced, but as opposite sides of the same coin that need to be integrated.
More recently, just like what happened with me, the mathematical part of his social thinking has also moved in the direction of trying to treat not just individuals, but also connections between individuals, as a first-class object that any new social design needs to take into account and build around, rather than treating it as a bug that needs to be squashed.

It is in the spirit of these ideas, as well as in the spirit of an emerging transition from theory to practice, that the Plurality book is written.

How would I define Plurality in one sentence?

In his 2022 essay "Why I Am A Pluralist", Glen Weyl defines pluralism most succinctly as follows:

> I understand pluralism to be a social philosophy that recognizes and fosters the flourishing of and cooperation between a diversity of sociocultural groups/systems.

If I had to expand on that a little bit, and define Plurality the book in four bullet points, I would say the following:

- Glen's megapolitics: the idea that the world today is stuck in a narrow corridor between conflict and centralization, and we need a new and upgraded form of highly performant digital democracy as an alternative to both.
- Plurality the vibe: the general theme that (i) we should understand the world through a patchwork combination of models, and not try to stretch any single model to beyond its natural applicability, and (ii) we should take connections between individuals really seriously, and work to expand and strengthen healthy connections.
- Plurality-inspired mechanism design: there is a set of principled mathematical techniques by which you can design social, political and economic mechanisms that treat not just individuals, but also connections between individuals as a first-class object. Doing this can create newer forms of markets and democracy that solve common problems in markets and democracy today, particularly around bridging tribal divides and polarization.
- Audrey's practical experience in Taiwan: Audrey has already incorporated a lot of Plurality-aligned ideas while serving as Digital Minister in Taiwan, and this is a starting point that can be learned from and built upon.

The book also includes contributions from many authors other than Glen and Audrey, and if you read the chapters closely you will notice the different emphases. However, you will also find many common threads.

What are the megapolitics of Plurality?

In Balaji Srinivasan's magnum opus The Network State, Balaji described his vision of the current world as being split between three poles: center-left Anglosphere elites exemplified by the New York Times (NYT), the Chinese Communist Party (CCP), and ultra-individualistic right-leaning people as exemplified by Bitcoin (BTC). Glen, both in the Plurality book and elsewhere, has given his own characterization of the "political ideologies of the 21st century", that looks as follows:

The names of the three are taken from Civilization 6, and in the Plurality book Glen simplifies the names to Technocracy, Libertarianism and Plurality. He describes the three roughly as follows:

- (Synthetic) Technocracy: some mechanism run by a combination of AI and a small human elite creates lots of amazing stuff, and makes sure that everyone gets the share they need to live a good life (eg. via UBI). Political input from non-elites is considered unimportant. Examples of this ideology include the Chinese Communist Party, the World Economic Forum ("you will own nothing and you will be happy"), Sam Altman and friends' UBI advocacy, and from my recent travels, I would perhaps add the Dubai Museum of the Future.
- (Corporate) Libertarianism: maximize security of property rights and freedom of contract, and expect that most important projects are started by some kind of "great founder" entrepreneur. Individuals are protected from abuse almost entirely through the right to "exit" any system that becomes too inefficient or exploitative.
Examples of this ideology include books like The Sovereign Individual, free city movements like Prospera, as well as network states.
- Digital democracy / Plurality: use internet-enabled technology to create much more high-bandwidth democratic mechanisms that can aggregate preferences from a very wide group of people, and use these mechanisms to create a much more powerful and effective "third-sector" or "civil society" that can make much better decisions. Examples that Glen cites include both fiction, most notably Star Trek and anything by Ursula Le Guin, and real-life proto-examples, most notably e-government in Estonia and Taiwan.

Glen sees Plurality as being uniquely able to simultaneously avoid three failure modes: coordination failure leading to conflict (which he sees Libertarianism as risking), centralization and authoritarianism (which he sees Technocracy as risking), and stagnation (which he sees "old-world democracy" as risking, causing it to lose competitiveness against Libertarianism and Technocracy). Glen sees Plurality as an under-explored alternative which it is his project to flesh out as an idea, and Audrey's project to bring to life, first in Taiwan then elsewhere.

If I had to summarize the difference between Balaji's program and Glen and Audrey's program, I would do so as follows. Balaji's vision centers around creating new alternative institutions and new communities around those new institutions, and creating safe spaces to give them a chance to grow.
Glen and Audrey's approach, on the other hand, is best exemplified by her "fork-and-merge" strategy in e-government in Taiwan:

> So, you visit a regular government website, you change your O to a zero, and this domain hack ensures that you're looking at a shadow government versions of the same website, except it's on GitHub, except it's powered by open data, except there's real interactions going on and you can actually have a conversation about any budget item around this visualization with your fellow civic hackers.
>
> And many of those projects in Gov Zero became so popular that the administration, the ministries finally merged back their code so that if you go to the official government website, it looks exactly the same as the civic hacker version.

There is still some choice and exit in Audrey's vision, but there is a much tighter feedback loop by which the improvements created by micro-exits get merged back into "mainline" societal infrastructure. Balaji would ask: how do we let the synthetic meat people have their synthetic meat city, and the traditional meat people have their traditional city? Glen and Audrey might rather ask: how do we structure the top levels of society to guarantee people's freedom to do either one, while still retaining the benefits of being part of the same society and cooperating on every other axis?

What is the Plurality model of "the world as it is"?

The Plurality view on how to improve the world starts with a view on how to describe the world as it is. This is a key part of Glen's evolution, as the Glen of ten years ago had a much more economics-inspired perspective toward these issues. For this reason, it's instructive to compare and contrast the Plurality worldview with that of traditional economics.

Traditional economics focuses heavily on a small number of economic models that make particular assumptions about how agents operate, and treats deviations from these models as bugs whose consequences are not too serious in practice.
As given in textbooks, these assumptions include:

- Competition: the common case for the efficiency of markets relies on the assumption that no single market participant is large enough to significantly move market prices with their actions - instead, the prices they set only determine whether or not anyone buys their product.
- Perfect information: people in a market are fully informed about what products they are purchasing
- Perfect rationality: people in a market have consistent goals and are acting toward achieving those goals (it's allowed for these goals to be altruistic)
- No externalities: production and use of the things being traded in a marketplace only affects the producer and user, and not third parties that you have no connection with

In my own recent writing, I generally put a stronger emphasis on an assumption that is related to competition, but is much stronger: independent choice. Lots of mechanisms proposed by economists work perfectly if you assume that people are acting independently to pursue their own independent objectives, but break down quickly once participants are coordinating their actions through some mechanism outside of the rules that you set up. Second price auctions are a great example: they are provably perfectly efficient if the above conditions are met and the participants are independent, but break heavily if the top bidders can collude. Quadratic funding, invented by myself, Glen Weyl and Zoe Hitzig, is similar: it's a provably ideal mechanism for funding public goods if participants are independent, but if even two participants collude, they can extract an unbounded amount of money from the mechanism. My own work in pairwise-bounded quadratic funding tries to plug this hole.

But the usefulness of economics breaks down further once you start to analyze incredibly important parts of society that don't look like trading platforms. Take, for instance, conversations. What are the motivations of speakers and listeners in a conversation?
As Hanson and Simler point out in The Elephant In The Brain, if we try to model conversations as information exchange, then we would expect to see people guarding information closely and trying to play tit-for-tat games, saying things only in exchange for other people saying things in return. In reality, however, people are generally eager to share information, and criticism of people's conversational behavior often focuses on many people's tendency to speak too much and listen too little. In public conversations such as social media, a major topic of analysis is what kinds of statements, claims or memes go viral - a term that directly admits that the most natural scientific field to draw analogies from is not economics, but biology.

So what is Glen and Audrey's alternative? A big part of it is simply recognizing that there is simply no single model or scientific approach that can explain the world perfectly, and we should use a combination of different models instead, recognizing the limits of the applicability of each one. In a key section, they write:

> Nineteenth century mathematics saw the rise of formalism: being precise and rigorous about the definitions and properties of mathematical structures that we are using, so as to avoid inconsistencies and mistakes. At the beginning of the 20th century, there was a hope that mathematics could be "solved", perhaps even giving a precise algorithm for determining the truth or falsity of any mathematical claim.[6] 20th century mathematics, on the other hand, was characterized by an explosion of complexity and uncertainty.
>
> - Gödel's Theorem: A number of mathematical results from the early 20th century, most notably Gödel's theorem, showed that there are fundamental and irreducible ways in which key parts of mathematics cannot be fully solved.
Computational complexity: Even when reductionism is feasible in principle/theory, the computation required to predict higher-level phenomena based on their components (its computational complexity) is so large that performing it is unlikely to be practically relevant.
Sensitivity, chaos, and irreducible uncertainty: Many even relatively simple systems have been shown to exhibit "chaotic" behavior. A system is chaotic if a tiny change in the initial conditions translates into radical shifts in its eventual behavior after an extended time has elapsed.
Fractals: Many mathematical structures have been shown to have similar patterns at very different scales. A good example of this is the Mandelbrot set.

Glen and Audrey proceed to give similar examples from physics. An example that I (as one of many co-contributors in the wiki-like process of producing the book) contributed, and they accepted, was:

The three body problem, now famous after its central role in Liu Cixin's science-fiction series, shows that an interaction of even three bodies, even under simple Newtonian physics, is chaotic enough that its future behavior cannot be predicted with simple mathematical problems. However, we still regularly solve trillion-body problems well enough for everyday use by using seventeenth-century abstractions such as "temperature" and "pressure".

In biology, a key example is:

Similarities between organisms and ecosystems: We have discovered that many diverse organisms ("ecosystems") can exhibit features similar to multicellular life (homeostasis, fragility to destruction or over propagation of internal components, etc.) illustrating emergence and multiscale organization.

The theme of these examples should at this point be easy to see. There is no single model that can be globally applicable, and the best that we can do is stitch together many kinds of models that work well in many kinds of situations. The underlying mechanisms at different scales are not the same, but they do "rhyme".
Social science, they argue, needs to go in the same direction. And this is exactly where, they argue, "Technocracy" and "Libertarianism" fail:

In the Technocratic vision we discussed in the previous chapter, the "messiness" of existing administrative systems is to be replaced by a massive-scale, unified, rational, scientific, artificially intelligent planning system. Transcending locality and social diversity, this unified agent is imagined to give "unbiased" answers to any economic and social problem, transcending social cleavages and differences. As such, it seeks to at best paper over and at worst erase, rather than fostering and harnessing, the social diversity and heterogeneity that ⿻ social science sees as defining the very objects of interest, engagement, and value.

In the Libertarian vision, the sovereignty of the atomistic individual (or in some versions, a homogeneous and tightly aligned group of individuals) is the central aspiration. Social relations are best understood in terms of "customers", "exit" and other capitalist dynamics. Democracy and other means of coping with diversity are viewed as failure modes for systems that do not achieve sufficient alignment and freedom.

One particular model that Glen and Audrey come back to again and again is Georg Simmel's theory of individuality as arising from each individual being at a unique intersection of different groups. They describe this as being a long-lost third alternative to both "atomistic individualism" and collectivism. They write:

In [Georg Simmel's] view, humans are deeply social creatures and thus their identities are deeply formed through their social relations. Humans gain crucial aspects of their sense of self, their goals, and their meaning through participation in social, linguistic, and solidaristic groups. In simple societies (e.g., isolated, rural, or tribal), people spend most of their life interacting with the kin groups we described above.
This circle comes to (primarily) define their identity collectively, which is why most scholars of simple societies (for example, anthropologist Marshall Sahlins) tend to favor methodological collectivism.[14] However, as we noted above, as societies urbanize social relationships diversify. People work with one circle, worship with another, support political causes with a third, recreate with a fourth, cheer for a sports team with a fifth, identify as discriminated against along with a sixth, and so on.

As this occurs, people come to have, on average, less of their full sense of self in common with those around them at any time; they begin to feel "unique" (to put a positive spin on it) and "isolated/misunderstood" (to put a negative spin on it). This creates a sense of what he called "qualitative individuality" that helps explain why social scientists focused on complex urban settings (such as economists) tend to favor methodological individualism. However, ironically as Simmel points out, such "individuation" occurs precisely because and to the extent that the "individual" becomes divided among many loyalties and thus dividual.

This is the core idea that the Plurality book comes back to again and again: treating connections between individuals as a first class object in mechanism design, rather than only looking at individuals themselves.

How does Plurality differ from libertarianism?

Robert Nozick, in his 1974 book Anarchy, State and Utopia, argued for a minimal government that performs basic functions like preventing people from initiating violent force, but otherwise leaves it up to people to self-organize into communities that fulfill their values. This book has become something of a manifesto describing an ideal world for many classical liberals since then.

Two examples that come to mind for me are Robin Hanson's recent post Libertarianism as Deep Multiculturalism, and Scott Alexander's 2014 post Archipelago and Atomic Communitarianism.
Robin is interested in this concept because he wants to see a world that has more of what he calls deep multiculturalism:

A shallow "multiculturalism" tolerates and even celebrates diverse cultural markers, such as clothes, food, music, myths, art, furniture, accents, holidays, and deities. But it is usually also far less tolerant of diverse cultural values, such as re war, sex, race, fertility, marriage, work, children, nature, death, medicine, school, etc. It seeks a "mutual understanding" that we are (or should be) all really the same once we get past our different markers.

In contrast, a deep "multiculturalism" accepts and even celebrates the co-existence of many cultures with diverse deeply-divergent values. It seeks ways for a world, and even geographic regions, to encompass such divergent cultures under substantial peace and prosperity. It expects some mistrust, conflict, and even hostility between cultures, due to their divergent values. But it sees this as the price to pay for deep cultural variety.

As most non-libertarian government activities are mainly justified as creating and maintaining shared communities/cultures and their values, this urge to use government to promote shared culture seems the main obstacle to libertarian-style governance. That is, libertarians hope to share a government without sharing a community or culture. The usual "libertarian" vs "statist" political axis might be seen as an axis re how much we want to share culture, versus allow divergent cultures.

Scott Alexander comes to similar conclusions in his 2014 post, though his underlying goal is slightly different: he wants to find an ideal political architecture that creates the opportunity for organizations to support public goods and limit public bads that are culturally subjective, while limiting the all-too-common tendency for subjective arguments about higher-order harm ("the gays are corroding the social fabric") to become a mask for oppression.
Balaji's The Network State is a much more concrete proposal for a social architecture that tries to accomplish exactly the same objective.

And so a key question worth asking is: where exactly is libertarianism insufficient to bring about a Plural society? If I had to summarize the answer in two sentences, I would say:

1. Plurality is not just about enabling pluralism, it's also about harnessing it, and about making a much more aggressive effort to build higher-level institutions that maximize positive-sum interactions between different groups and minimize conflict.
2. Plurality is not just at the level of society, it's also within each individual, allowing each individual to be part of multiple tribes at the same time.

To understand (2), we can zoom in on one particular example. Let us look at the debate around Google's on-device anti-fraud scanning system in the opening section. On one side, we have a tech company releasing a product that seems to be earnestly motivated by a desire to protect users from financial scams (which are a very real problem and have cost people I personally know hundreds of thousands of dollars), which even goes the extra mile and checks the most important "cypherpunk values" boxes: the data and computation stays entirely on-device and it's purely there to warn you, not report you to law enforcement. On the other side, we see Meredith Whittaker, who sees the offering as a slippery slope toward something that does do more oppressive things.

Now, let's look at Glen's preferred alternative: a Taiwanese app called Message Checker. Message Checker is an app that runs on your phone, and intercepts incoming message notifications and does analysis with them. This includes features that have nothing to do with scams, such as using client-side algorithms to identify messages that are most important for you to look at. But it also detects scams:

A key part of the design is that the app does not force all of its users into one global set of rules.
Instead, it gives users a choice of which filters they turn on or off:

From top to bottom: URL checking, cryptocurrency address checking, rumor checking.

These are all filters that are made by the same company. A more ideal setup would have this be part of the operating system, with an open marketplace of different filters that you can install, that would be created by a variety of different commercial and non-profit actors.

The key Pluralist feature of this design is: it gives users more granular freedom of exit, and avoids being all-or-nothing. If a norm that on-device anti-fraud scanning must work in this way can be established, then it seems like it would make Meredith's dystopia much less likely: if the operator decides to add a filter that treats information about transgender care (or, if your fears go the other direction, speech advocating limits on gender self-categorization in athletics competitions) as dangerous content, then individuals would be able to simply not install that particular filter, and they would still benefit from the rest of the anti-scam protection.

One important implication is that "meta-institutions" need to be designed to encourage other institutions to respect this ideal of granular freedom of exit - after all, as we've seen with software vendor lock-in, organizations don't obey this principle automatically!

One way to think about the complex interplay between coordination and autonomy in Plurality.

How does Plurality differ from democracy?

A lot of the differences between Plural democracy and traditional democracy become clear once you read the chapter on voting. Plural voting mechanisms have some strong explicit answers to the "democracy is two wolves and one sheep voting on what's for dinner" problem, and related worries about democracy descending into populism.
These solutions build on Glen's earlier ideas around quadratic voting, but go a step further, by explicitly counting votes more highly if those votes come from actors that are more independent of each other. I will get into this more in a later section.

In addition to this big theoretical leap from only counting individuals to also counting connections, there are also broad thematic differences. One key difference is Plurality's relationship to nation states. A major disadvantage of nation-state democracy that speaks to me personally was summarized well in this tweet by libertarian philosopher Chris Freiman:

This is a serious gap: two thirds of global inequality is between countries rather than within countries, an increasing number of (especially digital) public goods are not global but also not clearly tied to any specific nation state, and the tools that we use for communication are highly international. A 21st century program for democracy should take these basic facts much more seriously.

Plurality is not inherently against the existence of nation states, but it makes an explicit effort to expand beyond relying on nation states as its locus of action. It has prescriptions for how all kinds of actors can act, including transnational organizations, social media platforms, other types of businesses, artists and more. It also explicitly acknowledges that for many people, there is no overarching single nation-state that dominates their lives.

Left: a concentric circle view of society, from a sociology paper in 2004. Right: a Plural view of society: intersecting, but non-hierarchical circles.

A big theme of Plurality is expanded on in much more detail in Ken Suzuki's Smooth Society and its Enemies: the idea that membership in an organization should not be treated as a "true-or-false" question. Instead, there should be different degrees of membership, and these different degrees would carry different benefits and different levels of obligation.
This is an aspect of society that was always true, but becomes much more important in an internet-first world where our communities are no longer necessarily nested and fully overlapping.

What are some specific technologies that the Plurality vision advocates?

The Plurality book advocates for a pretty wide set of digital and social technologies that stretch across what are traditionally considered a large number of "spaces" or industries. I will give examples by focusing on a few specific categories.

Identity

First, Glen and Audrey's criticism of existing approaches to identity. Some key quotes from the chapter on this topic:

Many of the simplest ways to establish identity paradoxically simultaneously undermine it, especially online. A password is often used to establish an identity, but unless such authentication is conducted with great care it can reveal the password more broadly, making it useless for authentication in the future as attackers will be able to impersonate them. "Privacy" is often dismissed as "nice to have" and especially useful for those who "have something to hide". But in identity systems, the protection of private information is the very core of utility. Any useful identity system has to be judged on its ability to simultaneously establish and protect identities.

On biometrics:

[Biometrics] have important limits on their ability to establish and protect identities. Linking such a wide variety of interactions to a single identifier associated with a set of biometrics from a single individual collected at enrollment (or registration) forces a stark trade-off.
On the one hand, if (as in Aadhaar) the administrators of the program are constantly using biometrics for authentication, they become able to link or see activities to these done by the person who the identifier points to, gaining an unprecedented capacity to surveil citizen activities across a wide range of domains and, potentially, to undermine or target the identities of vulnerable populations.

On the other hand, if privacy is protected, as in Worldcoin, by using biometrics only to initialize an account, the system becomes vulnerable to stealing or selling of accounts, a problem that has decimated the operation of related services ... If eyeballs can, sometime in the future, be spoofed by artificial intelligence systems combined with advanced printing technology, such a system may be subject to an extreme "single point of failure".

Glen and Audrey's preferred approach is intersectional social identity: using the entire set of a person's actions and interactions to serve the underlying goals of identity systems, like determining the degree of membership in communities and degree of trustworthiness of a person:

This social, Plural approach to online identity was pioneered by danah boyd in her astonishingly farsighted master's thesis on "faceted identity" more than 20 years ago.[28] While she focused primarily on the benefits of such a system for feelings of personal agency (in the spirit of Simmel), the potential benefits for the balance between identity establishment and protection are even more astonishing:

Comprehensiveness and redundancy: For almost anything we might want to prove to a stranger, there is some combination of people and institutions (typically many) who can "vouch" for this information without any dedicated strategy of surveillance.
For example, a person wanting to prove that they are above a particular age could call on friends who have known them for a long time, the school they attended, doctors who verified their age at various times as well, of course, on governments who verified their age.
Privacy: Perhaps even more interestingly, all of these "issuers" of attributes know this information from interactions that most of us feel consistent with "privacy": we do not get concerned about the co-knowledge of these social facts in the way we would surveillance by a corporation or government.
Security: Plurality also avoids many of the problems of a "single point of failure". The corruption of even several individuals and institutions only affects those who rely on them, which may be a very small part of society, and even for them, the redundancy described above implies they may only suffer a partial reduction in the verification they can achieve.
Recovery: individuals [could] rely on a group of relationships allowing, for example, 3 of 5 friends or institutions to recover their key. Such "social recovery" has become the gold standard in many Web3 communities and is increasingly being adopted even by major platforms such as Apple.

The core message is any single-factor technique is too fragile, and so we should use multi-factor techniques. For account recovery, it is relatively easy to see how this works, and it's easy to understand the security model: each user chooses what they trust, and if a particular user makes a wrong choice, the consequences are largely confined to that user. Other use cases of identity, however, are more challenging. UBI and voting, for example, seem like they inherently require global (or at least community-wide) agreement on who the members of a community are.
But there are efforts that try very hard to bridge this gap, and create something that comes close to "feeling" like a single global thing, while being based on subjective multi-factorial trust under the hood.

The best example in the Ethereum ecosystem would be Circles, a UBI coin project that is based on a "web of trust", where anyone can create an account (or an unlimited number of accounts) that generates 1 CRC per hour, but you only treat a given account's coins as being "real Circles" if that account is connected to you through a web-of-trust graph.

Propagation of trust in Circles, from the Circles whitepaper

Another approach would be to abandon the "you're either a person or you're not" abstraction entirely, and try to use a combination of factors to determine the degree of trustworthiness and membership of a given account, and give it a UBI or voting power proportional to that score. Many airdrops that are being done in the Ethereum ecosystem, such as the Starknet airdrop, follow these kinds of principles.

Starknet airdrop recipient categories. Many recipients ended up falling into multiple categories.

Plural Money and Property

In Radical Markets, Glen focused a lot on the virtues of "stable and predictable, but deliberately imperfect" versions of property rights, like Harberger taxes. He also focused a lot on "market-like" structures that can fund public goods and not just private goods, most notably quadratic voting and quadratic funding. These are both ideas that continue to be prominent in Plurality. A non-monetary implementation of quadratic funding called Plural Credits was used to help record contributions to the book itself.
The ideas around Harberger taxes are somewhat updated, seeking to extend the idea into mechanisms that allow assets to be partially owned by multiple different individuals or groups at the same time.

In addition to this ongoing emphasis on very-large-scale market designs, one new addition to the program is a greater emphasis on community currencies:

In a polycentric structure, instead of a single universal currency, a variety of communities would have their own currencies which could be used in a limited domain. Examples would be vouchers for housing or schooling, scrip for rides at a fair, or credit at a university for buying food at various vendors.[18] These currencies might partially interoperate. For example, two universities in the same town might allow exchanges between their meal programs. But it would be against the rules or perhaps even technically impossible for a holder to sell the community currency for broader currency without community consent.

The underlying goal is to have a combination of local mechanisms that are deliberately kept local, and global mechanisms to enable very-large-scale cooperation. Glen and Audrey see their modified versions of markets and property as being the best candidates for very-large-scale global cooperation:

Those pursuing Plurality should not wish markets away. Something must coordinate at least coexistence if not collaboration across the broadest social distances and many other ways to achieve this, even ones as thin as voting, carry much greater risks of homogenization precisely because they involve deeper ties. Socially aware global markets offer much greater prospect for Plurality than a global government.
Markets must evolve and thrive, along with so many other modes of collaboration, to secure a Plural future.

Voting

In Radical Markets, Glen advocated quadratic voting, which deals with the problem of allowing voters to express different strengths of preference while avoiding failure modes where the most extreme or well-resourced voice dominates decision-making. In Plurality, the core problem that Glen and Audrey are trying to solve is different, and this section does a good job of summarizing what new problem they are trying to solve:

it is natural, but misleading, to give a party with twice the legitimate stake in a decision twice the votes. The reason is that this will typically give them more than twice as much power. Uncoordinated voters on average cancel one another out and thus the total influence of 10,000 completely independent voters is much smaller than the influence of one person with 10,000 votes.

When background signals are completely uncorrelated and there are many of them, there is a simple way to mathematically account for this: a series of uncorrelated signals grows as the square root of their number, while a correlated signal grows in linear proportion to its strength. Thus 10,000 uncorrelated votes will weigh as heavily as only 100 correlated ones.

To fix this, Glen and Audrey argue for designing voting mechanisms with a principle of "degressive proportionality": treat uncorrelated signals additively, but give N correlated signals only sqrt(N) votes.

A precedent for this kind of approach exists in countries like the United States and in international bodies, where there are typically some chambers of governance that give sub-units (states in the former case, countries in the latter case) a quantity of voting power proportional to their population or economic power, and other chambers of governance that give one unit of voting power to each sub-unit regardless of size.
The theory is that ten million voters from a big state matter more than a million voters from a small state, but they represent a more correlated signal than ten million voters from ten different states, and so the voting power of the ten million voters from a big state should be somewhere in between those two extremes.

Left: US senate, two senators per state regardless of size. Right: US electoral college, senator count roughly proportional to population.

The key challenge to making this kind of design work in a more general way is, of course, in determining who is "uncorrelated". Coordinated actors pretending to be uncoordinated to increase their legitimacy (aka "astroturfing", "decentralization larping", "puppet states"...) is already a mainstream political tactic and has been for centuries. If we instantiate a mechanism that determines who is correlated to whom by analyzing Twitter posts, people will start crafting their Twitter content to appear as uncorrelated as possible toward the algorithm, and perhaps even intentionally create and use bots to do this.

Here, I can plug my own proposed solution to this problem: vote simultaneously on multiple issues, and use the votes themselves as a signal of who is correlated to whom. One implementation of this was in pairwise quadratic funding, which allocates to each pair of participants a fixed budget, which is then split based on the intersection of how that pair votes. You can do a similar thing for voting: instead of giving one vote to each voter, you can give one (splittable) vote to each pair of voters:

If you count by raw numbers, YES wins 3-2 on issue C. But Alice, Bob and Charlie are highly correlated voters: they agree on almost everything. Meanwhile, David and Eve agree on nothing but C.
In pairwise voting, the whole "NO on C" vote of the (David, Eve) pair would be allocated to C, and it would be enough to overpower the "YES on C" votes of Alice, Bob and Charlie, whose pairwise votes for C add up to only 11/12.

The key trick in this kind of design is that the determination of who is "correlated" and "uncorrelated" is intrinsic to the mechanism. The more that two participants agree on one issue, the less their vote counts on all other issues. A set of 100 "organic" diverse participants would get a pretty high weight on their votes, because the overlap area of any two participants is relatively small. Meanwhile, a set of 100 people who all have similar beliefs and listen to the same media would get a lower weight, because their overlap area is higher. And a set of 100 accounts that are all being controlled by the same owner would have perfect overlap, because that's the strategy that maximizes the owner's objectives, but they would get the lowest weight of all.

This "pairwise" approach is not the mathematically ideal way to implement this kind of thing: in the case of quadratic funding, the amount of money that an attacker can extract grows with the square of the number of accounts they control, whereas ideally it would be linear. There is an open research problem in specifying an "ideal" mechanism, whether for quadratic funding or voting, that has the strongest properties when faced with attackers controlling multiple accounts or correlated voters.

This is a new type of democracy that naturally corrects for the phenomenon that internet discourse sometimes labels as "NPCs": a large mass of people that might as well just be one person because they're all consuming exactly the same sources of information and believe all of the same things.
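The pairwise count described above, worked through as an added example (not code from the original post). The ballot table is constructed, since the post's own table was an image, and the splitting rule (each pair's one vote divided equally among the issues on which both members voted the same way) is an assumption chosen to be consistent with the 3-2 and 11/12 figures quoted in the text.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import combinations

# Constructed ballots (not the post's original table). Alice, Bob and Charlie
# agree on almost everything; David and Eve agree on nothing but C.
BALLOTS = {
    "Alice":   {"A": "YES", "B": "YES", "C": "YES", "D": "YES"},
    "Bob":     {"A": "YES", "B": "YES", "C": "YES", "D": "YES"},
    "Charlie": {"A": "YES", "B": "YES", "C": "YES", "D": "NO"},
    "David":   {"A": "YES", "B": "NO",  "C": "NO",  "D": "YES"},
    "Eve":     {"A": "NO",  "B": "YES", "C": "NO",  "D": "NO"},
}


def raw_tally(ballots, issue):
    """One voter, one vote: count each choice cast on a single issue."""
    counts = defaultdict(int)
    for votes in ballots.values():
        if issue in votes:  # a missing issue is treated as an abstention
            counts[votes[issue]] += 1
    return dict(counts)


def pair_allocation(votes_a, votes_b):
    """Split one pair's single vote over the issues where both voted alike.

    Assumed rule: equal shares across all agreed issues. Returns
    {issue: (choice, share)}; empty if the pair agrees on nothing.
    """
    agreed = {
        issue: choice
        for issue, choice in votes_a.items()
        if votes_b.get(issue) == choice
    }
    if not agreed:
        return {}
    share = Fraction(1, len(agreed))
    return {issue: (choice, share) for issue, choice in agreed.items()}


def pairwise_tally(ballots):
    """Sum every pair's allocation into {issue: {choice: weight}}."""
    tally = defaultdict(lambda: defaultdict(Fraction))
    for a, b in combinations(sorted(ballots), 2):
        allocation = pair_allocation(ballots[a], ballots[b])
        for issue, (choice, share) in allocation.items():
            tally[issue][choice] += share
    return {issue: dict(choices) for issue, choices in tally.items()}


def winner(choice_weights):
    """Choice with the strictly largest weight, or None on a tie or no votes."""
    ranked = sorted(choice_weights.items(), key=lambda kv: kv[1], reverse=True)
    if not ranked:
        return None
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]


if __name__ == "__main__":
    raw = raw_tally(BALLOTS, "C")
    pairwise = pairwise_tally(BALLOTS)["C"]
    print("raw count on C:     ", raw, "->", winner(raw))
    print("pairwise count on C:", pairwise, "->", winner(pairwise))
```

Pairs that straddle the two camps disagree on C, so they add nothing to either side of that issue; only agreement inside a pair carries weight.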
Conversations

As I've said on many occasions, especially in the context of DAOs, the success or failure of governance depends ~20% on the formal governance mechanism, and ~80% on the structure of communication that the participants engage in before they get to the step where they've settled on their opinions and are inputting them into the governance. To that end, Glen and Audrey have also spent quite a lot of time thinking about better technologies for large-scale conversations.

One conversation tool that they focus on a lot is Polis. Polis is a system that allows people to submit statements about an issue, and vote on each other's statements. At the end of a round, it identifies the different major "clusters" in the different points of view, and surfaces the statements that were the most effective at getting support from all clusters.

Source: https://words.democracy.earth/hacking-ideology-pol-is-and-vtaiwan-570d36442ee5

Polis was actually used in Taiwan during some public deliberations over proposed laws, including agreeing on the rules for Uber-like ride hailing services. It has been used in several other contexts around the world as well, including some experiments within the Ethereum community.

The second tool that they focus on is one that has had much more success becoming mainstream, though in large part due to its "unfair advantage" from being introduced into a pre-existing social media platform with hundreds of millions of users: Twitter's Community Notes. Community Notes similarly uses an algorithm that allows anyone to submit a proposed note for a post, and shows the notes that are rated the most highly by people who disagree on most other notes. I described this algorithm in much more detail in my review of the platform.
Since then, YouTube has announced that they are planning to introduce a similar feature.

Glen and Audrey want to see the underlying ideas behind these mechanisms expanded on, and used much more broadly throughout the platforms:

While [Community Notes] currently lines up all opinions across the platform on a single spectrum, one can imagine mapping out a range of communities within the platform and harnessing its bridging-based approach not just to prioritize notes, but to prioritize content for attention in the first place.

The end goal is to try to create large-scale discussion platforms that are not designed to maximize metrics like "engagement", but are instead intentionally optimized around surfacing points of consensus between different groups. Live and let live, but also identify and take advantage of every possible opportunity to cooperate.

Brain-to-brain communication and virtual reality

Glen and Audrey spend two whole chapters on "post-symbolic communication" and "immersive shared reality". Here, the goal is to spread information from person to person in a way that is much higher bandwidth than what can be accomplished with markets or conversation.

Glen and Audrey describe an exhibit in Tokyo that gives the user a realistic sensory experience of what it's like to be old:

Visors blur vision, mimicking cataracts. Sounds are stripped of high pitches. In a photo booth that mirrors the trials of aged perception, facial expressions are faded and blurred. The simple act of recalling a shopping list committed to memory becomes an odyssey as one is ceaselessly interrupted in a bustling market. Walking in place on pedals with ankle weights on and while leaning on a cart simulates the wear of time on the body or the weight of age on posture.

They argue that even more valuable and high-fidelity versions of these kinds of experiences can be made with future technologies like brain-computer interfaces.
"Immersive shared reality", a cluster encompassing what we often call "virtual reality" or "the metaverse" but going broader than that, is described as a design space halfway in between post-symbolic communication and conversations.

Another recent book that I have read on similar topics is Herman Narula's Virtual Society: The Metaverse and the New Frontiers of Human Experience. Herman focuses heavily on the social value of virtual worlds, and the ways in which virtual worlds can support coordination within societies if they are imbued with the right social meaning. He also focuses on the risks of centralized control, arguing that an ideal metaverse would be created by something more like a non-profit DAO than a traditional corporation. Glen and Audrey have very similar concerns:

Corporate control, surveillance, and monopolization: ISR blurs the lines between public and private, where digital spaces can be simultaneously intimate and open to wide audiences or observed by corporate service providers. Unless ISR networks are built according to the principles of rights and interoperability we emphasized above and governed by the broader Plurality governance approaches that much of the rest of this part of the book are devoted to, they will become the most iron monopolistic cages we have known.

If I had to point to one difference in their visions, it is this. Virtual Society focuses much more heavily on the shared-storytelling and long-term continuity aspects of virtual worlds, pointing out how games like Minecraft win the hearts and minds of hundreds of millions despite being, by modern standards, very limited from a cinematic immersion perspective. Plurality, on the other hand, seems to focus somewhat more (though far from exclusively) on sensory immersion, and is more okay with short-duration experiences. The argument is that sensory immersion is uniquely powerful in its ability to convey certain kinds of information that we would otherwise have a hard time getting.
Time will tell which of these visions, or what kind of combination of both, will prove successful.

Where does Plurality stand in the modern ideological landscape?

When I reflect on the political shifts that we've seen since the early 2010s, one thing that strikes me is that the movements that succeed in the current climate all seem to have one thing in common: they are all object-level rather than meta-level. That is, rather than seeking to promote broad overarching principles for how social or political questions should be decided, they seek to promote specific stances on specific issues. A few examples that come to mind include:

YIMBY: standing for "yes, in my back yard", the YIMBY movement seeks to fight highly restrictive zoning regulations (eg. in the San Francisco Bay Area), and expand freedom to build housing. If successful, they argue that this would knock down the single largest component of many people's cost of living, and increase GDP by up to 36%. YIMBY has recently had a large number of political wins, including a major zoning liberalization bill in California.
The crypto space: ideologically, the space stands for freedom, decentralization, openness and anti-censorship as principles. In practice, large parts of it end up focusing more specifically on openness of a global financial system and freedom to hold and spend money.
Life extension: the concept of using biomedical research to figure out how to intervene in the aging process before it progresses to the point of being a disease, and in doing so potentially give us a far longer (and entirely healthy) lifespan, has become much more mainstream over the last ten years.
Effective altruism: historically, the effective altruism movement has stood for the broad application of a formula: (i) caring about doing the most good, and (ii) being rigorous about determining which charities actually accomplish that goal, noting that some charities are thousands of times more effective than others. 
More recently, however, the most prominent parts of the movement have made a shift toward focusing on the single issue of AI safety.

Of the modern movements that have not become issue-driven in this way, a large portion could be viewed as obfuscated personality cults, rallying around whatever set of positions is adopted and changed in real time by a single leader or small well-coordinated elite. And still others can be criticized for being ineffective and inconsistent, constantly trying to force an ever-changing list of causes under the umbrella of an ill-defined and unprincipled "Omnicause".

If I had to ask myself why these shifts are taking place, I would say something like this: large groups have to coordinate around something. And realistically, you either (i) coordinate around principles, (ii) coordinate around a task, or (iii) coordinate around a leader. When the pre-existing set of principles becomes perceived as being worn out and less effective, the other two alternatives naturally become more popular. Coordinating around a task is powerful, but it is temporary, and any social capital you build up easily dissipates once that particular task is complete. Leaders and principles are powerful because they are factories of tasks: they can keep outputting new things to do and new answers for how to resolve new problems again and again. And of those two options, principles are far more socially scalable and far more durable.

Plurality seems to stand sharply in opposition to the broader trends. Together with very few other modern movements (perhaps network states), it goes far beyond any single task in scope, and it seeks to coordinate around a principle, and not a leader. One way to understand Plurality is that it recognizes that (at least at very large scales) coordinating around principles is the superior point on the triangle, and it's trying to do the hard work of figuring out the new set of principles that work well for the 21st century. 
Radical Markets was trying to reinvent the fields of economics and mechanism design. Plurality is trying to reinvent liberalism.

The way in which all of the mechanisms described in the sections above combine into a single framework is best exemplified in this chart by Gisele Chou:

On one level, the framework makes total sense. The philosopher Nassim Taleb loves to quote Geoff and Vince Graham to describe his rejection of "scale-free universalism": "I am, at the Fed level, libertarian; at the state level, Republican; at the local level, Democrat; and at the family and friends level, a socialist". Plurality philosophy takes this seriously, recommending different mechanisms at different scales.

On another level, it sometimes feels like "the Plurality vibe" is acting as an umbrella that is combining very different concepts, that have very different reasons for accepting or rejecting them. For example, "creating healthy connections between people is very important" is a very different statement from "voting mechanisms need to take differences in degree of connectedness into account". It's entirely possible that pairwise quadratic funding can be used to make a new and better United Nations that subsidizes cooperation and world peace, but at the same time "creative collaborations" are overrated and great works should be the vision of one author. Some of this seeming inconsistency comes from the book's diverse collaborative authorship: for example, the virtual reality and brain-to-brain sections, and much of the work on correlation discounts, was written by Puja Ohlhaver, and her focuses are not quite the same as Glen's or Audrey's. But this is a property of all philosophies: 19th century liberalism combined democracy and markets, but it was a composite work of many people with different beliefs. 
Even today, there are many people who like democracy and are suspicious of markets, or like markets and are suspicious of democracy.

And so one question worth asking is: if your background instincts on various questions differ from "the Plurality vibe" on some dimensions, can you still benefit from Plurality ideas? I will argue that the answer is yes.

Is Plurality compatible with wanting a crazy exponential future?

One of the impressions that you might get from reading Plurality is that, while Glen and Audrey's meta-level visions for conversations and governance are fascinating, they don't really see a future where anything too technologically radical happens. Here is a list of specific object-level outcomes that they hope to achieve:

The workplace, where we believe it could raise economic output by 10% and increase the growth rate by a percentage point
Health, where we believe it can extend human life by two decades
Media, where it can heal the divides opened by social media, provide sustainable funding, expand participation and dramatically increase press freedom
Environment, where it is core to addressing most of the serious environmental problems we face, perhaps even more so than traditional "green" technologies
Learning, where it can upend the linear structure of current schooling to allow far more diverse and flexible, lifelong learning paths.

These are very good outcomes, and they are ambitious goals for the next ten years. But the goals that I want to see out of a technologically advanced society are much greater and deeper than this. Reading this section reminded me of the recent review I made of the museums of the future in Dubai vs Tokyo:

But their proposed solutions are mostly tweaks that try to make the world more gentle and friendly to people suffering from these conditions: robots that can help guide people, writing on business cards in Braille, and the like. These are really valuable things that can improve the lives of many people. 
But they are not what I would expect to see in a museum of the future in 2024: a solution that lets people actually see and hear again, such as optic nerve regeneration and brain computer interfaces.

Something about the Dubai approach to these questions speaks deeply to my soul, in a way that the Tokyo approach does not. I do not want a future that is 1.2x better than the present, where I can enjoy 84 years of comfort instead of 70 years of comfort. I want a future that is 10000x better than the present ... If I become infirm and weak for a medical reason, it would certainly be an improvement to live in an environment designed to still let me feel comfortable despite these disadvantages. But what I really want is for technology to fix me so that I can once again become strong.

Dubai is an interesting example because it also uses another technology that speaks deeply to my soul: geoengineering. Today, the usage, and risks, of geoengineering are on a fairly local scale: the UAE engages in cloud seeding and some blamed Dubai's recent floods on it, though the expert consensus seems to disagree. Tomorrow, however, there may be much bigger prizes. One example is solar geoengineering: instead of re-organizing our entire economy and society to keep CO2 levels reasonably low and the planet reasonably cool, there is a chance that all it takes to achieve a 1-4°C temperature reduction is sprinkling the right salts into the air. Today, these ideas are highly speculative, and the science is far too early to commit to them, or use them as an excuse not to do other things. Even more modest proposals like artificial lakes cause problems with parasites. But as this century progresses, our ability to understand the consequences of doing things like this will improve. Much like medicine went from being often net-harmful in earlier periods to crucially lifesaving today, our ability to heal the planet may well go through a similar transition. 
But even after the scientific issues become much more well-understood, another really big question looms: how the hell do we govern such a thing?

Environmental geopolitics is already a big question today. There are already disputes over water rights from rivers. If transformative continent-scale or world-scale geoengineering becomes viable, these issues will become much more high-stakes. Today, it seems hard to imagine any solution other than a few powerful countries coming together to decide everything on humanity's behalf. But Plurality ideas may well be the best shot we have at coming up with something better. Ideas around common property, where certain resources or features of the environment can have shared ownership between multiple countries, or even non-country entities tasked with protecting the interests of the natural environment or of the future, seem compelling in principle. Historically, the challenge has been that such ideas are hard to formalize. Plurality offers a bunch of theoretical tools to do just that.

If we zoom back out beyond the geoengineering issue, and think about the category of "crazy exponential technology" in general, it might feel like there is a tension between pluralism and technology leading to exponential growth in capabilities. If different entities in society progress according to a linear, or slightly superlinear, trajectory, then small differences at time T remain small differences at time T+1, and so the system is stable. But if the progress is super-exponential, then small differences turn into larger and larger differences, even in proportional terms, and the natural outcome is one entity overtaking everything else.

Left: slightly super-linear growth. Small differences at the start become small differences at the end. Right: super-exponential growth. Small differences at the start become very large differences quickly.

Historically this has actually been a tradeoff. 
If you were to ask which 1700s-era institutions feel the most "pluralist", you might have said things like deeply-rooted extended family ties and trade guilds. However, the Industrial Revolution sweeping these institutions away and replacing them with economies of scale and industrial capitalism is often precisely the thing that is credited with enabling great economic growth.

However, I would argue that the static pluralism of the pre-industrial age and Glen and Audrey's Plurality are fundamentally different. Pre-industrial static pluralism was crushed by what Glen calls "increasing returns". Plurality has tools specifically designed for handling it: democratic mechanisms for funding public goods, such as quadratic funding, and more limited versions of property rights, where (especially) if you build something really powerful, you only have partial ownership of what you build. With these techniques, we can prevent super-exponential growth at the scale of human civilization from turning into super-exponential growth in disparities of resources and power. Instead, we design property rights in such a way that a rising tide is forced to lift all boats. Hence, I would argue that exponential growth in technological capability and Plurality governance ideas are highly complementary.

Is Plurality compatible with valuing excellence and expertise?

There is a strand in political thought that can be summarized as "elitist liberalism": valuing the benefits of free choice and democracy but acknowledging that some people's inputs are much higher quality than others, and wanting to put friction or limits on democracy to give elites more room to maneuver. Some recent examples include:

Richard Hanania's concept of "Nietzschean liberalism" where he seeks to reconcile his long-held belief that "some humans are in a very deep sense better than other humans ... 
society disproportionately benefits from the scientific and artistic genius of a select few", and his growing appreciation for the benefits of liberal democracy in avoiding outcomes that are really terrible and in not over-entrenching specific elites that have bad ideas.
Garrett Jones's 10% Less Democracy, which advocates for more indirect democracy through longer term durations, more appointed positions, and similar mechanisms.
Bryan Caplan's guarded support for free speech as an institution that at least gives a chance for counter-elites to form and develop ideas under hostile conditions, even if an open "marketplace of ideas" is far from a sufficient guarantee that good ideas will win broader public opinion.

There are parallel arguments on the other side of the political spectrum, though the language there tends to focus on "professional expertise" rather than "excellence" or "intelligence". The types of solutions that people who make these arguments advocate often involve making compromises between democracy and either plutocracy or technocracy (or something that risks being worse than both) as ways of trying to select for excellence. But what if, instead of making this kind of compromise, we try harder to solve the problem directly? If we start from a goal that we want an open pluralistic mechanism that allows different people and groups to express and execute on their diverse ideas so that the best can win, we can ask the question: how would we optimize institutions with that idea in mind?

One possible answer is prediction markets.

Left: Elon Musk proclaiming that civil war in the UK "is inevitable". Right: Polymarket bettors, with actual skin in the game, think that the probability of a civil war is.... 3% (and I think even that's way too high, and I made a bet to that effect)

Prediction markets are an institution that allows different people to express their opinions on what will happen in the future. 
The virtues of prediction markets come from the idea that people are more likely to give high-quality opinions when they have "skin in the game", and that the quality of the system improves over time because people with incorrect opinions will lose money, and people with correct opinions will gain money. It is important to point out that while prediction markets are pluralistic in the sense of being open to diverse participants, they are not Pluralistic in Glen and Audrey's sense of the word. This is because they are a purely financial mechanism: they do not distinguish between $1 million bet by one person and $1 million bet by a million unconnected people. One way to make prediction markets more Pluralistic would be to introduce per-person subsidies, and prevent people from outsourcing the bets that they make with these subsidies. There are some mathematical arguments why this could do an even better job than traditional prediction markets of eliciting participants' knowledge and insights. Another option is to run a prediction market and in parallel run a Polis-style discussion platform that encourages people to submit their reasoning for why they believe certain things - perhaps using soulbound proofs of previous track record on the markets to determine whose voice carries more weight.

Prediction markets are a tool that can be applied in many form factors and contexts. One example is retroactive public goods funding, where public goods are funded after they have made an impact and enough time has passed that the impact can be evaluated. RPGF is typically conceived of as being paired with an investment ecosystem, where ahead-of-time funding for public goods projects would be provided by venture capital funds and investors making predictions about which projects will succeed in the future. 
Both the after-the-fact piece (evaluation) and the before-the-fact piece (prediction) can be made more Pluralistic: some form of quadratic voting for the former, and per-person subsidies for the latter.

The Plurality book and related writings do not really feature a notion of "better vs worse" ideas and perspectives, only of getting more benefit from aggregating more diverse perspectives. On the level of "vibes", I think there is an actual tension here. However, if you believe that the "better vs worse" axis is important, then I do not think that these focuses are inherently incompatible: there are ways to take the ideas of one to improve mechanisms that are designed for the other.

Where could these ideas be applied first?

The most natural place to apply Plurality ideas is social settings that are already facing the problem of how to improve collaboration between diverse and interacting tribes while avoiding centralization and protecting participants' autonomy. I personally am most bullish on experimentation in three places: social media, blockchain ecosystems and local government. Particular examples include:

Twitter's Community Notes, whose note ranking system is already designed to favor notes that gain support across a wide spectrum of participants. One natural path toward improving Community Notes would be to find ways to combine it with prediction markets, thereby encouraging sophisticated actors to much more quickly flag posts that will get noted.
User-facing anti-fraud software. Message Checker, as well as the Brave browser and some crypto wallets, are early examples of a paradigm of software that works aggressively on the user's behalf to protect the user from threats without needing centralized backdoors. I expect that software like this will be very important, but it carries the inherent political question of determining what is and is not a threat. Plurality ideas can be of help in navigating this issue.
Public goods funding in blockchain ecosystems. 
The Ethereum ecosystem makes heavy use of quadratic funding and retroactive funding already. Pluralistic mechanisms could help in bounding the vulnerability of these mechanisms to collusion, and subsidize collaboration between parts of the ecosystem that face pressures to act competitively towards each other, eg. layer-2 scaling platforms and wallets.
Network states, popup cities and related concepts. New voluntary communities that form online based on shared interests, and then "materialize" offline, have many needs for (i) having less dictatorial forms of governance internally, (ii) cooperating more between each other, and (iii) cooperating more with the physical jurisdictions in which they are based. Plurality mechanisms could improve on all three.
Publicly funded news media. Historically, media has been funded either by listeners, or by the administrative arm of a centralized state. Plurality mechanisms could enable more democratic mechanisms, which also explicitly try to bridge across and reduce rather than increase polarization.
Local public goods: there are many hyper-local governance and resource allocation decisions that could benefit from Plurality mechanisms; my post on crypto cities contains some examples. One possible place to start is quasi-cities with highly sophisticated residents, such as universities.

Today, I think that the right way to think about Plurality is as an "intuition pump" for ideas for designing social mechanisms to better preserve freedom of individuals and communities, enable large-scale collaboration, and minimize polarization. 
The above contexts are good grounds for experimentation because they contain (i) real-world problems and resources, and (ii) people who are very interested in trying new ideas.

Tomorrow, there are broader political questions about the structure of the world in the 21st century, including what level of sovereignty individuals, companies and nations have, how equal or unequal the world ends up being, and which kinds of powerful technologies get developed in what order and with what properties. Both "the Plurality vibe", and specific implications of Plurality mechanism design theory, have a lot to say on these topics.

Often, there are multiple contradictory ways to apply the ideas to the same question. For example, Plurality philosophy implies that there is value in elevating a group or mechanism if it's uncorrelated with other dominant mechanisms in society and thus brings something unique to the table. But are billionaires a welcome injection of uncorrelated activity into a world dominated by nation-states that all operate by very similar internal political logic, or are more active nation states a welcome injection of diversity into a world dominated by homogeneous billionaire capitalism? Your answer will likely depend on your pre-existing feelings toward these two groups. For this reason, I think Plurality is best understood not as an overarching substitute for your existing frameworks of thinking about the world, but as a complement to it, where the underlying ideas can make all kinds of mechanisms better.
2024-10-22
Review: museums of the future, Dubai and Tokyo
2024 Aug 03

In this past year, I have had the pleasure of visiting the Museum of the Future in Dubai, and more recently the Miraikan (called "The National Museum of Emerging Science and Innovation" in English, but its Japanese short name 未来館 translates directly to "Museum of the Future") in Tokyo. Both of these museums came highly recommended to me by close friends and collaborators, and I see both as trying to solve a crucially important problem: coming up with concrete imaginations of what a technologically advanced future could look like that are positive, and not just the 3478th Black Mirror-esque Hollywood dystopia.

What struck me the most about my visits to the two museums was just how different the two visions are. They are in no way incompatible with each other: there is no logical impossibility, and not even that strong a tension, between the specific technologies and structures imagined by futurists in Dubai, and that of their Tokyo counterparts. But at the same time, they have a very different feel, and a very different direction of priorities. This leads to a natural question: what can we learn and appreciate from each one, and is there a synthesis of the two?

Left: Museum of the Future, Dubai, view from the outside. Right: giant orb inside the Miraikan, Tokyo, showing the world's major languages.

What I liked about the Museum of the Future, Dubai

When you start going through the Museum of the Future, the first thing you go into is a simulated space elevator, taking you from the surface of the Earth in 2064 into a space station in geostationary orbit. You can see information screens and panels that give you a view of all the space stations that humanity has all around the solar system, both on and around planets and at Lagrange points.

After that, you see exhibits on various other areas of science and technology. 
One major theme was meditation and health and wellness, showing infrastructure that makes it much easier for people to enter alternative mental states. The section that struck me the most was the one on biotech, which showed a vision of using genetic engineering to improve the resilience of the biosphere by enabling plants and animals to survive in more diverse environments.

It's worth, err.... meditating on this scene for a bit. This is a drastic departure from the traditional Western way of thinking about environmental issues. In the West, nature is a garden of Eden, originally a beautiful pristine thing, now fallen to the corrupting influence of industrial technology. The main ethical imperative is to preserve, to do less harm than we otherwise would. In Dubai, the narrative is the opposite. The default condition of nature, at least as they are accustomed to it, is a desolate wasteland. Human ingenuity and artifice applied to nature is not just there to mitigate the harms of other human ingenuity and artifice, it can actually go further and improve the environment beyond what it was when we started.

The Miraikan does not have anything like this. There is an exhibit that deals with the important environmental problems facing the earth, but its tone toward the problem is much more conventional: these problems are the fault of human beings, we need to be mindful and find ways to have a smaller footprint. There are multiple exhibits that deal with improving the lives of people who do not have good (or functioning at all) eyesight or hearing. But their proposed solutions are mostly tweaks that try to make the world more gentle and friendly to people suffering from these conditions: robots that can help guide people, writing on business cards in Braille, and the like. These are really valuable things that can improve the lives of many people. 
But they are not what I would expect to see in a museum of the future in 2024: a solution that lets people actually see and hear again, such as optic nerve regeneration and brain computer interfaces.

Something about the Dubai approach to these questions speaks deeply to my soul, in a way that the Tokyo approach does not. I do not want a future that is 1.2x better than the present, where I can enjoy 84 years of comfort instead of 70 years of comfort. I want a future that is 10000x better than the present. I believe in the type of Nietzscheanism that Scott Alexander described in his recent blog post, where he cautions against having your primary goals in life be goals like "I don't want to make anyone mad" and "I want to take up less space", which are better satisfied by being dead than being alive. If I become infirm and weak for a medical reason, it would certainly be an improvement to live in an environment designed to still let me feel comfortable despite these disadvantages. But what I really want is for technology to fix me so that I can once again become strong.

That said, there is also something in the Dubai Museum of the Future that felt missing and limiting, which the Miraikan does a truly excellent job of making up for. And so now is a good time to switch focus, and talk about the virtues that I think make the Miraikan great.

What I liked about the Miraikan, Tokyo

When you first enter the Miraikan, the first exhibit is about the planetary crisis: both global warming, and the whole host of various environmental issues that have to do with the quantities of pollutants getting too high or the quantities of essential resources getting too low. Immediately after that, you see an exhibit of various forms of art, involving heavy use of AI, that mimics various patterns that we see in nature. 
After that, a giant orb that repeats a short infographic film called "Into the Diverse World" that shows various statistics about different parts of the world and how people live in the various regions. After that, a hands-on exhibit showing the inner workings of the basic low-level internet protocols.

Left: a diagram showing how much different countries contribute to the world's CO2 emissions. Right: a replica of a natural butterfly right beside a robotic one.

What particularly strikes me about the exhibits is the way in which they invite people to actively learn and participate. The informational exhibits all strive to present information in a way that makes it tangible and easier for people to understand important details, and consequences, of each problem. A section on overfishing features the complaint "I like sushi ... but we may not be able to eat sushi casually in the future, right?". At least two of the exhibits end with an interactive section, which asks a question related to the content and invites people to provide their own answers. An exhibit on solving the Earth's resource problems takes the form of a game.

Left: a billboard inviting museum guests to submit answers to "how can we avoid polluting?" and "what can we do to continue living on this Earth?", and showing recent guests' answers. Right: a game with the theme of avoiding a minefield of ecological challenges on the way to getting to a good future in 2100.

The underlying tone of the two museums differs drastically in this regard. The museum in Dubai feels consumerist: this is the amazing future that we are going to have, and you just need to sit back and enjoy as we build it for you. 
The museum in Tokyo feels like an invitation to participate: we're not going to tell you too much about what the future is, but we want you to think about the issues, learn what's going on under the hood, and become part of building the shared future.

The main type of technology that I found missing in the Museum of the Future in Dubai is social technology, particularly governance. The only explicit description of governance structure that I found in Dubai's imagined world of 2064 was an offhand line in a description of the primary space station on Mars: "Operator: Global Space Authority, SpaceX". In the Miraikan, on the other hand, the structure of the museum itself emphasizes collaborative discussion, and you see frequent references to languages, culture, government and freedom of the press.

Are the two visions compatible?

At first, the two visions seem very different, and perhaps thematically even going in opposite directions. But the more I think about them, the more it feels like the two are actually very synergistic: one plugs the holes in the other. I do not want to see a world in 2100 that is like the world of today, but at most 20% better. And civilizations that do have an overriding mindset of trying to make do with less are going to find themselves under constant pressure from both outside forces and parts of their own societies that want to more strongly push against our boundaries. 
But at the same time, the more our society does radically progress into something far outside historical norms, the more it becomes important to make sure that everyone is along for the ride, both in understanding what is going on, and in being part of the discussion and part of the process of making it happen.

My own posts trying to make advanced topics in cryptography more accessible are made precisely in this spirit: we really need the advanced tools, but we also need them to be understandable and accessible, to ensure that more people can work together and ensure that the future empowers people, rather than turning into a series of iPhone interfaces built by a few that the rest of us can only access in standardized ways.

Perhaps the ideal museum of the future that I would want to see is one that combines the boldness of the Dubai Museum of the Future's imagination, with the welcoming and inviting spirit that only something like the Miraikan can bring.

Left: "The cosmos is for everyone", Dubai Museum of the Future. Right: a robot intentionally designed to be cute and friendly rather than threatening, Miraikan.
2024-10-22
Exploring circle STARKs
2024 Jul 23

This article assumes familiarity with the basics of how SNARKs and STARKs work; if you are not familiar, I recommend the first few sections in this article. Special thanks to Eli ben-Sasson, Shahar Papini, Avihu Levy and others at Starkware for feedback and discussion.

The most important trend in STARK protocol design over the last two years has been the switch to working over small fields. The earliest production implementations of STARKs worked over 256-bit fields - arithmetic modulo large numbers such as 21888...95617 \(\approx 1.51 * 2^\) - which made these protocols naturally compatible with verifying elliptic curve-based signatures, and made them easy to reason about. But this led to inefficiency: in most cases we don't actually have good ways to make use of these larger numbers, and so they ended up as mostly wasted space, and even more wasted computation, since arithmetic over 4x bigger numbers takes ~9x more computation time. To deal with this, STARKs have started working over smaller fields: first Goldilocks (modulus \(2^ - 2^ + 1\)) and then Mersenne31 and BabyBear (\(2^ - 1\) and \(2^ - 2^ + 1\), respectively).

This switch has already led to demonstrated massive improvements in proving speed, most notably Starkware being able to prove 620,000 Poseidon2 hashes per second on an M3 laptop. Particularly, this means that, provided we're willing to trust Poseidon2 as a hash function, one of the hardest parts of making an efficient ZK-EVM is effectively solved. But how do these techniques work, and how do cryptographic proofs, which typically require large numbers for security, get built over these fields? And how do these protocols compare to even more exotic constructions such as Binius?
This post will explore some of these nuances, with a particular eye to a construction called Circle STARKs (implemented in Starkware's stwo, Polygon's plonky3, and my own implementation in (sort of) python), which has some unique properties designed to be compatible with the highly efficient Mersenne31 field.

Issues common to small fields

One of the most important "tricks" when making hash-based proofs (or really, any kind of proof) is the idea of proving things about evaluations of a polynomial at a random point, as a substitute for proving things about the underlying polynomials.

For example, suppose that a proof system requires you to generate a commitment to a polynomial, \(A\), which must satisfy \(A^3(x) + x - A(\omega*x) = x^N\) (a pretty common type of claim to prove in ZK-SNARK protocols). The protocol can require you to pick a random coordinate \(r\), and prove that \(A^3(r) + r - A(\omega*r) = r^N\). And then in turn, to prove that \(A(r) = c\), you prove that \(Q = \frac\) is a polynomial (as opposed to a fractional expression).

If you know \(r\) ahead of time, you can always cheat these protocols. In this case, you could just set \(A(r)\) to be zero, retrofit \(A(\omega * r)\) to satisfy the equation, and then let \(A\) be the line that passes through those two points. And similarly for the second step, if you know \(r\) ahead of time, you can generate whatever \(Q\) you want, and then retrofit \(A\) to match it, even if \(A\) is a fractional (or other non-polynomial) expression.

To prevent these attacks, we need to choose \(r\) after the attacker provides \(A\) (the "Fiat-Shamir heuristic" is a fancy name for setting \(r\) to be the hash of \(A\)). Importantly, we need to choose \(r\) from a set large enough that the attacker cannot guess it.

In elliptic curve based protocols and even 2019-era STARKs, this was trivial: all of our math was done over 256-bit numbers, so we choose \(r\) as a random 256-bit number, and we're fine.
With STARKs over smaller fields, we have a problem: there are only about two billion possible values of \(r\) to choose from, and so an attacker wanting to make a fake proof need only try two billion times - a lot of work, but quite doable for a determined attacker!

There are two natural solutions to this problem:

- Perform multiple random checks
- Extension fields

The approach of performing multiple random checks is intuitively appealing and simple: instead of checking at one coordinate, you repeat the check at each of four random coordinates. This is theoretically doable, but there is an efficiency issue. If you're dealing with degree < \(N\) polynomials over a size \(p\) field, it's actually possible for an attacker to craft bad polynomials that "look" good in \(N\) positions. Hence, their chance of breaking one round of the protocol is \(\frac\). If eg. \(p = 2^ - 1\) and \(N = 2^\), that means the attacker only gets seven bits of security per round, and so you need to do not four, but around 18 rounds, to be properly robust against such attackers. Ideally, we would have something where we do \(k\) times more work but only have to subtract \(N\) from the security level once.

This gets us to the other solution: extension fields. Extension fields are like complex numbers, but over finite fields: we imagine into existence a new value, call it \(i\), and declare that \(i^2 = -1\). Multiplication becomes: \((a+bi) * (c+di) = (ac - bd) + (ad + bc)i\). We can now operate over pairs \((a,b)\) rather than just single numbers. Assuming we're working over size \(\approx 2^\) fields like Mersenne or BabyBear, this gets us up to having \(\approx 2^\) values from which to choose \(r\). To go even higher, we apply the same technique again, except we already used \(i\) so we need to define a new value differently: in Mersenne31, we pick \(w\) where \(w^2 = -2i-1\). Multiplication now becomes \((a + bi + cw + diw) * (e + fi + gw + hiw) = ...\) OK fine, here's the code implementation.
It's not optimal (you can improve it with Karatsuba), but it shows the principles. Now, we have \(\approx 2^\) values to choose \(r\) from, which is high enough for our security needs: if we are dealing with degree < \(2^\) polynomials, we get 104 bits of security from one round. If we want to be paranoid and go up to the more widely-accepted 128 bit security level, we can add some proof of work into the protocol.

Note that we only actually use this extension field in the FRI protocol, and other cases where random linear combinations are required. The bulk of the math is done over only the "base field" (modulo \(2^-1\) or \(15 * 2^ + 1\)), and almost all of the data that is hashed is over the base field, so you only hash four bytes per value. This lets us both benefit from the efficiency of small fields, and retain the ability to dip into a larger field when we need to do so for security.

Regular FRI

When building a SNARK or STARK, the first step is typically arithmetization: reducing an arbitrary computation problem into an equation where some of the variables and coefficients are polynomials (eg. the equation often looks like \(C(T(x), T(next(x))) = Z(x) * H(x)\), where \(C\), \(next\) and \(Z\) are provided and the solver needs to provide \(T\) and \(H\)). Once you have such an equation, a solution to the equation corresponds to a solution to the underlying computational problem.

To prove that you have a solution, you need to prove that the values that you are proposing actually are real polynomials (as opposed to fractions, or datasets that look like one polynomial in one place and a different polynomial in another place, or...), and have a certain maximum degree. In order to do this, we apply a random linear combination trick iteratively:

- Suppose you have evaluations of a polynomial \(A\), and you want to prove that its degree is \(< 2^\)
- Consider the polynomials \(B(x^2) = A(x) + A(-x)\), and \(C(x^2) = \frac\).
- Let \(D\) be a random linear combination \(B + rC\)

Essentially, what's going on is that \(B\) isolates the even coefficients of \(A\), and \(C\) isolates the odd coefficients. Given \(B\) and \(C\), you can recover \(A\): \(A(x) = B(x^2) + xC(x^2)\). And if \(A\) really has degree \(< 2^\), then (i) \(B\) and \(C\) have degree \(< 2^\). And being a random linear combination, \(D\) must also have degree \(< 2^\).

We've reduced a "prove degree \(< 2^\)" problem into a "prove degree \(< 2^\)" problem. Repeat this 20 times, and you get the technique that is called "Fast Reed-Solomon Interactive Oracle Proofs of Proximity", or "FRI". If someone tries to push something through this technique which is not a degree \(< 2^\) polynomial, then the second-round output will (with probability \(\approx 1 - \frac}\)) not be a degree \(< 2^\) polynomial, the third-round output will not be degree \(< 2^\), and so on, and the final check at the end will fail. A dataset which is equal to a degree \(< 2^\) polynomial in most positions has some chance of passing through the scheme, but in order to construct such a dataset you need to know the underlying polynomial, so even such a slightly-defective proof is a convincing argument that the prover could generate a "real" proof if they wanted to. There are further technical complexities in proving that this holds for all possible inputs; understanding the fine details of this has been a major focus of academic STARK research over the last five years.

Let's look into what's going on here in more detail, and what properties are necessary to make this all work. At each step, we're reducing the degree by a factor of 2, and we're also reducing the domain (the set of points we're looking at) by a factor of 2. The former is what makes FRI work at all.
The latter is what makes it so blazing fast: because each round is 2x smaller than the previous, the total cost is \(O(N)\) instead of \(O(N*log(N))\).

To do this domain reduction, we needed a two-to-one map: \(x \rightarrow x^2\). What's nice about this two-to-one map is that it's repeatable: if you start with a multiplicative subgroup (a set \(\\}\)), then you start off with a set where for any \(x\) in the set, \(-x\) is also in the set (as if \(x = \omega^k\), \(-x = \omega^}\)), and if you then square it to get \(\-1}\}\), then the exact same property applies, and so you can keep reducing all the way down to one value (though in practice we usually stop a little bit earlier). You can think of this as being an operation of taking a line that goes around a circle, and stretching that line until it makes two rotations along that circle. A point at x degrees becomes a point at 2x degrees. Each point from 0...179 degrees has a corresponding point at 180...359 degrees that it ends up overlapping with. And you can repeat this procedure again and again.

For this to work, you need the original multiplicative subgroup to have a size with a large power of 2 as a factor. BabyBear has modulus \(15 * 2^ + 1\), and so the largest possible subgroup is all nonzero values - hence, size \(15 * 2^\). This is very friendly to the above technique. You could take a subgroup of size \(2^\), or you could just take that full set, do the FRI to reduce the polynomial all the way down to degree 15, and then check the degree directly at the end. Mersenne31, however, does not work in this way. The modulus is \(2^ - 1\), and so the multiplicative subgroup has size \(2^ - 2\). This can be divided by 2 only once. From there forward, we have no way to do an FFT - at least not using the technique above.

This is a tragedy, because Mersenne31 is a super-convenient field to do arithmetic in using existing 32-bit CPU/GPU operations.
If you add two numbers, the result may be above \(2^-1\), but you can reduce it by doing \(x \rightarrow x + (x >> 31)\), where \(>>\) is a bit shift. For multiplication, you can do something similar, though you need to use a special (but commonly available) opcode that returns the "high-order bits" of a multiplication result (ie. \(floor(\frac})\)). This allows arithmetic to be around 1.3x more efficient than BabyBear. If we could do FRI over Mersenne31, it would make things significantly better for us.

Circle FRI

Here is where the clever trick of circle STARKs comes in. Given a prime \(p\), it turns out that we also have easy access to a group of size \(p+1\) that has similar two-to-one properties: the set of points \((x,y)\) where \(x^2 + y^2 = 1\). Let's look at this structure modulo 31:

The points follow an addition law, which might feel very familiar if you've recently done either trigonometry or complex multiplication:

\((x_1, y_1) + (x_2, y_2) = (x_1x_2 - y_1y_2, x_1y_2 + x_2y_1)\)

The doubling form is:

\(2 * (x, y) = (2x^2 - 1, 2xy)\)

Now, let's focus on only the points that are in "odd" positions on this circle:

Now, here is our FFT. First, we collapse all the points down to a single line. Our equivalent of the \(B(x^2)\) and \(C(x^2)\) formulas that we had in regular FRI is:

\(f_0(x) = \frac\)
\(f_1(x) = \frac\)

We can then take a random linear combination, and we get a one-dimensional \(F\) that is over a subset of the x line:

From the second round onward, the map changes:

\(f_0(2x^2-1) = \frac\)
\(f_1(2x^2-1) = \frac\)

And this map actually takes the above set, and reduces its size in half each time! What is going on here is that each \(x\) is in some sense "standing in" for two points: \((x,y)\) and \((x,-y)\). And \(x \rightarrow 2x^2-1\) is the point doubling law above.
Hence, we take the \(x\) coordinate of two opposite points on the circle, and convert it into the \(x\) coordinate of the doubled point.

For example, if we take the second-rightmost value, \(2\), and apply the map, we get \(2(2^2) - 1 = 7\). If we go back to the original circle, \((2,11)\) is the third point going counterclockwise from the right, and so if we double it, we get the sixth point going counterclockwise from the right, which is... \((7, 13)\).

This could have all been done two-dimensionally, but operating over one dimension makes things more efficient.

Circle FFTs

An algorithm closely related to FRI is the fast Fourier transform, which takes a set of \(n\) evaluations of a degree \(< n\) polynomial and converts it into the \(n\) coefficients of the polynomial. An FFT follows the same path as a FRI, except instead of generating a random linear combination \(f_0\) and \(f_1\) at each step, it just recursively applies a half-sized FFT on both, and then takes the output of \(FFT(f_0)\) as the even coefficients and \(FFT(f_1)\) as the odd coefficients.

The circle group also supports an FFT, which is also constructed from FRI along similar lines. However, a key difference is that the objects that circle FFTs (and circle FRI) work over are not technically polynomials. Rather, they are what mathematicians call a Riemann-Roch space: in this case, polynomials "modulo" the circle (\(x^2 + y^2 - 1 = 0\)). That is, we treat any multiple of \(x^2 + y^2 - 1\) as being equal to zero. Another way of thinking about it is: we only allow degree-1 powers of \(y\): as soon as we get a \(y^2\) term, we replace it with \(1 - x^2\).

One other thing that this implies is that the "coefficients" that a circle FFT outputs are not monomials like in regular FRI (eg. if regular FRI outputs \([6, 2, 8, 3]\), then we know this means \(P(x) = 3x^3 + 8x^2 + 2x + 6\)).
Instead, the coefficients are in a strange basis specific to circle FFTs:

\(\\)

The good news is that as a developer, you can almost completely ignore this. STARKs never give you a need to know the coefficients. Instead, you can just always store "polynomials" as a set of evaluations on a particular domain. The only place you need to use FFTs, is to perform (the Riemann-Roch space analogue of) low-degree extension: given \(N\) values, generate \(k*N\) values that are on that same polynomial. In that case, you can do an FFT to generate the coefficients, append \((k-1)n\) zeroes to those coefficients, and then do an inverse-FFT to get back your larger set of evaluations.

Circle FFTs are not the only type of "exotic FFT". Elliptic curve FFTs are even more powerful, because they work over any finite field (prime, binary, etc). However, ECFFTs are even more complex to understand and less efficient, and so because we can use circle FFTs for \(p = 2^-1\), we do.

From here, let's get into some of the more esoteric minutiae that will be different for someone implementing circle STARKs, as compared to regular STARKs.

Quotienting

A common thing that you do in STARK protocols is you take quotients at specific points, either deliberately chosen or randomly chosen. For example, if you want to prove that \(P(x) = y\), you do so by providing \(Q = \frac\), and proving that \(Q\) is a polynomial (as opposed to a fractional value). Randomly choosing evaluation points is used in the DEEP-FRI protocol, which lets FRI be secure with fewer Merkle branches.

Here, we get to one subtle challenge: in the circle group, there is no line function, analogous to \(X - x\) for regular FRI, that passes through only one point.
This is visible geometrically:

You could make a line function tangent to one point \((P_x, P_y)\), but that would pass through the point "with multiplicity 2" - that is, for a polynomial to be a multiple of that line function, it would have to fulfill a much stricter condition than just being zero at that point. Hence, you can't prove an evaluation at only one point. So what do we do? Basically, we bite the bullet, and prove an evaluation at two points, adding a dummy point whose evaluation we don't need to care about.

A line function: \(ax + by + c\). If you turn it into an equation by forcing it to equal 0, then you might recognize it as a line in what high school math calls "standard form".

If we have a polynomial \(P\) that equals \(v_1\) at \(P_1\), and \(v_2\) at \(P_2\), then we choose an interpolant \(I\): a line function that equals \(v_1\) at \(P_1\), and \(v_2\) at \(P_2\). This can be as simple as \(v_1 + (v_2 - v_1) * \frac\). We then prove that \(P\) equals \(v_1\) at \(P_1\), and \(v_2\) at \(P_2\) by subtracting \(I\) (so \(P-I\) equals zero at both points), dividing by \(L\) (the line function between \(P_1\) and \(P_2\)), and proving that the quotient \(\frac\) is a polynomial.

Vanishing polynomials

In a STARK, the polynomial equation you're trying to prove often looks like \(C(P(x), P(next(x))) = Z(x) * H(x)\), where \(Z(x)\) is a polynomial that equals zero across your entire original evaluation domain. In "regular" STARKs, that function is just \(x^n - 1\).
In circle STARKs, the equivalent is:

\(Z_1(x,y) = y\)
\(Z_2(x,y) = x\)
\(Z_{n+1}(x,y) = (2 * Z_n(x,y)^2) - 1\)

Notice that you can derive the vanishing polynomial from the folding function: in regular STARKs, you're repeating \(x \rightarrow x^2\), here you're repeating \(x \rightarrow 2x^2-1\), though you're doing something different for the first round, because the first round is special.

Reverse bit order

In STARKs, evaluations of a polynomial are typically arranged not in the "natural" order (\(P(1)\), \(P(\omega)\), \(P(\omega^2)\) ... \(P(\omega^)\)), but rather what I call "reverse bit order":

\(P(1)\), \(P(\omega^})\), \(P(\omega^})\), \(P(\omega^})\), \(P(\omega^})\), \(P(\omega^})\), \(P(\omega^})\), \(P(\omega^})\), \(P(\omega^})\)...

If we set \(n = 16\), and we focus just on which powers of \(\omega\) we're evaluating at, the list looks like this:

\(\\)

This ordering has the key property that values which get grouped together early on in a FRI evaluation are put beside each other in the ordering. For example, the first step of FRI groups together \(x\) and \(-x\). In the \(n=16\) case, \(\omega^8 = -1\), so that means \(P(\omega^i)\) and \(P(-\omega^i) = P(\omega^)\). And, as we can see, those are exactly the pairs that are right beside each other. The second step of FRI groups together \(P(\omega^i)\), \(P(\omega^)\), \(P(\omega^)\) and \(P(\omega^)\). And, those are exactly the groups of four that we see. And so forth.
This makes FRI much more space-efficient, because it lets you provide one Merkle proof for both of the values that get folded together (or, if you fold \(k\) rounds at a time, all \(2^k\) of the values) simultaneously.

In circle STARKs, the folding structure is a bit different: in the first step we group together \((x, y)\) with \((x, -y)\), in the second step \(x\) with \(-x\), and in subsequent steps \(p\) with \(q\), selecting \(p\) and \(q\) such that \(Q^i(p) = -Q^i(q)\) where \(Q^i\) is the map \(x \rightarrow 2x^2-1\) repeated \(i\) times. If we think of the points in terms of their position along the circle, at each step this looks like the first point getting paired with the last, the second with the second last, etc.

To adjust reverse bit order to reflect this folding structure, we reverse every bit except the last. We keep the last bit, and we also use it to determine whether or not to flip the other bits. A size-16 folded reverse bit order looks as follows:

\(\\)

If you look at the circle in the previous section, the 0th, 15th, 8th and 7th points (going counterclockwise, starting from the right) are of the form \((x, y)\), \((x, -y)\), \((-x, -y)\) and \((-x, y)\), which is exactly what we need.

Efficiency

Circle STARKs (and 31-bit-prime STARKs in general) are very efficient. A realistic computation that is being proven in a circle STARK would most likely involve a few types of computation:

- Native arithmetic, used for "business logic" such as counting
- Native arithmetic, used for cryptography (eg. hash functions like Poseidon)
- Lookup arguments, a generic way to do many kinds of computation efficiently by implementing them via reading values from tables

The key measure of efficiency is: are you using the entire space in the computational trace to do useful work, or are you leaving a lot of wasted space?
In large-field SNARKs, there is a lot of wasted space: business logic and lookup tables mostly involve computation over small numbers (often the numbers are under N in an N-step computation, so under \(2^\) in practice), but you have to pay the cost of using a size \(2^\)-bit field anyway. Here, the field is size \(2^\), so the wasted space is not large. "Designed-for-SNARKs" low-arithmetic-complexity hashes (eg. Poseidon) use every bit of each number in the trace in any field.

Hence, circle STARKs actually get pretty close to optimal! Binius is even stronger, because it lets you mix-and-match fields of different sizes and thereby get even more efficient bit packing for everything. Binius also opens up options for doing 32-bit addition without incurring the overhead of lookup tables. However, those gains come at the cost of (in my opinion) significantly higher theoretical complexity, whereas circle STARKs (and even more so BabyBear-based regular STARKs) are conceptually quite simple.

Conclusion: what do I think about circle STARKs?

Circle STARKs don't impose too many extra complexities on developers compared to regular STARKs. In the process of making an implementation, the above three issues are essentially the only differences that I saw compared to regular FRI. The underlying math behind the "polynomials" that circle FRI is operating on is quite counterintuitive, and takes a while to understand and appreciate. But it just so happens that this complexity is hidden away in such a way that it's not that visible to developers.
The complexity of circle math is encapsulated, not systemic.

Understanding circle FRI and circle FFTs can also be a good intellectual gateway to understanding other "exotic FFTs": most notably binary-field FFTs as used in Binius and in LibSTARK before, and also spookier constructions such as elliptic curve FFTs, which use few-to-1 maps that work nicely with elliptic curve point operations.

With the combination of Mersenne31, BabyBear, and binary-field techniques like Binius, it does feel like we are approaching the limits of efficiency of the "base layer" of STARKs. At this point, I am expecting the frontiers of STARK optimization to move to making maximally-efficient arithmetizations of primitives like hash functions and signatures (and optimizing those primitives themselves for that purpose), making recursive constructions to enable more parallelization, arithmetizing VMs to improve developer experience, and other higher-level tasks.
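The Mersenne31 shift-and-add reduction and the two-step extension tower (\(i^2 = -1\), then \(w^2 = -2i-1\)) from the sections above, written out as an added example; this is not the implementation the article links to. The function names are this example's own, the reduction masks the low 31 bits before adding the shifted-out high bits, and the Euler-criterion check that \(-2i-1\) has no square root among the pairs \(a+bi\) is an addition of this example.

```python
P = 2**31 - 1                      # Mersenne31 modulus

def reduce31(x):
    """Reduce 0 <= x < 2**62 modulo P with masks, shifts and adds only."""
    x = (x & P) + (x >> 31)        # 2**31 == 1 (mod P): fold the high bits onto the low 31
    x = (x & P) + (x >> 31)        # a second fold absorbs the carry of the first
    return 0 if x == P else x

def m_add(a, b): return reduce31(a + b)
def m_sub(a, b): return reduce31(a + P - b)
def m_mul(a, b): return reduce31(a * b)

# Degree-2 extension: a pair (a, b) stands for a + b*i with i^2 = -1.
def c_add(u, v):
    return (m_add(u[0], v[0]), m_add(u[1], v[1]))

def c_mul(u, v):
    (a, b), (c, d) = u, v
    return (m_sub(m_mul(a, c), m_mul(b, d)), m_add(m_mul(a, d), m_mul(b, c)))

W_SQUARED = (P - 1, P - 2)         # w^2 = -1 - 2i, as a pair over the base field

# Degree-4 extension: (a, b, c, d) stands for (a + b*i) + (c + d*i)*w.
def q_mul(x, y):
    A, B, C, D = x[:2], x[2:], y[:2], y[2:]
    lo = c_add(c_mul(A, C), c_mul(c_mul(B, D), W_SQUARED))   # AC + BD*w^2
    hi = c_add(c_mul(A, D), c_mul(B, C))                     # (AD + BC)*w
    return lo + hi

ONE = (1, 0, 0, 0)

def q_pow(x, e):
    """Square-and-multiply exponentiation in the degree-4 extension."""
    result = ONE
    while e:
        if e & 1:
            result = q_mul(result, x)
        x = q_mul(x, x)
        e >>= 1
    return result

def q_inv(x):
    # Fermat: x^(P^4 - 1) = 1 for every nonzero x in a field of P^4 elements.
    return q_pow(x, P**4 - 2)

def is_nonsquare_fp2(z):
    """Euler's criterion for a pair z = a + b*i: z^((P^2-1)/2) == -1 means no square root."""
    return q_pow(z + (0, 0), (P * P - 1) // 2) == (P - 1, 0, 0, 0)

if __name__ == "__main__":
    x = (3, 1, 4, 1)               # constructed sample element
    print("x * x^-1 =", q_mul(x, q_inv(x)))
    print("w^2 has no square root over pairs:", is_nonsquare_fp2(W_SQUARED))
    print("bits available for r:", (P**4).bit_length())
```
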
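The circle group modulo 31 and two rounds of circle FRI folding from the "Circle FRI" section, as an added example that is not code from the article or from any of the implementations it names. The fold formulas used here (an even/odd split in \(y\) for the first round, in \(x\) afterwards) and the sample function are this example's assumptions; counting how many challenge pairs accept a tampered dataset shows why a 31-element challenge space is far too small, which is the problem raised under "Issues common to small fields".

```python
P = 31                                   # toy modulus used for the article's circle pictures

def inv(a):
    return pow(a, P - 2, P)

def add(p1, p2):                         # the circle addition law
    (x1, y1), (x2, y2) = p1, p2
    return ((x1 * x2 - y1 * y2) % P, (x1 * y2 + x2 * y1) % P)

def double(pt):                          # the doubling form of the same law
    x, y = pt
    return ((2 * x * x - 1) % P, (2 * x * y) % P)

def circle_points():
    return [(x, y) for x in range(P) for y in range(P) if (x * x + y * y) % P == 1]

def order(pt):
    n, q = 1, pt
    while q != (1, 0):                   # (1, 0) is the identity element
        q, n = add(q, pt), n + 1
    return n

def odd_positions():
    """The points g^1, g^3, ..., g^31 for a generator g of the 32-point group."""
    g = next(pt for pt in circle_points() if order(pt) == P + 1)
    step, q, out = double(g), g, []
    for _ in range((P + 1) // 2):
        out.append(q)
        q = add(q, step)
    return out

def fold_circle(evals, r):
    """First round: pair (x, y) with (x, -y) and keep one value per x."""
    out = {}
    for (x, y), v in evals.items():
        if x in out:
            continue
        w = evals[(x, (-y) % P)]
        f0 = (v + w) * inv(2) % P        # part of F that does not depend on y
        f1 = (v - w) * inv(2 * y) % P    # coefficient of y
        out[x] = (f0 + r * f1) % P
    return out

def fold_line(evals, r):
    """Later rounds: pair x with -x and move to the doubled point 2x^2 - 1."""
    out = {}
    for x, v in evals.items():
        nx = (2 * x * x - 1) % P
        if nx in out:
            continue
        w = evals[(-x) % P]
        f0 = (v + w) * inv(2) % P        # even part in x
        f1 = (v - w) * inv(2 * x) % P    # odd part in x, divided by x
        out[nx] = (f0 + r * f1) % P
    return out

def honest(pt):
    x, y = pt
    return (3 + 5 * x + y * (7 + 2 * x)) % P     # constructed low-degree sample function

def run_fri(evals, r1, r2):
    layer1 = fold_circle(evals, r1)
    return layer1, fold_line(layer1, r2)

def accepts(evals, r1, r2):
    # After two folds the honest function has collapsed to a single constant.
    return len(set(run_fri(evals, r1, r2)[1].values())) == 1

def count_accepting(evals):
    return sum(accepts(evals, r1, r2) for r1 in range(P) for r2 in range(P))

if __name__ == "__main__":
    dom = odd_positions()
    good = {pt: honest(pt) for pt in dom}
    bad = dict(good)
    bad[dom[0]] = (bad[dom[0]] + 1) % P          # corrupt one evaluation
    print("2 * (2, 11) =", double((2, 11)))
    print("honest data accepted for", count_accepting(good), "of", P * P, "challenge pairs")
    print("tampered data accepted for", count_accepting(bad), "of", P * P, "challenge pairs")
```
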
2024-10-22
Against choosing your political allegiances based on who is "pro-crypto"
2024 Jul 17

Over the last couple of years, "crypto" has become an increasingly important topic in political policy, with various jurisdictions considering bills that regulate various actors doing blockchain things in various ways. This includes the Markets in Crypto Assets regulation (MiCA) in the EU, efforts to regulate stablecoins in the UK, and the complicated mix of legislation and attempted regulation-by-enforcement from the SEC that we have seen in the United States. Many of these bills are, in my view, mostly reasonable, though there are fears that governments will attempt extreme steps like treating almost all coins as securities or banning self-hosted wallets. In the wake of these fears, there is a growing push within the crypto space to become more politically active, and favor political parties and candidates almost entirely on whether or not they are willing to be lenient and friendly to "crypto".

In this post, I argue against this trend, and in particular I argue that making decisions in this way carries a high risk of going against the values that brought you into the crypto space in the first place.

Me with Vladimir Putin in 2018. At the time, many in the Russian government expressed willingness to become "open to crypto".

"Crypto" is not just cryptocurrency and blockchains

Within the crypto space there is often a tendency to over-focus on the centrality of "money", and the freedom to hold and spend money (or, if you wish, "tokens") as the most important political issue. I agree that there is an important battle to be fought here: in order to do anything significant in the modern world, you need money, and so if you can shut down anyone's access to money, you can arbitrarily shut down your political opposition.
The right to spend money privately, a cause that Zooko tirelessly advocates for, is similarly important. The ability to issue tokens can be a significant power-up to people's ability to make digital organizations that actually have collective economic power and do things. But a near-exclusive focus on cryptocurrency and blockchains is more difficult to defend, and importantly it was not the ideology that originally created crypto in the first place.

What originally created crypto was the cypherpunk movement, a much broader techno-libertarian ethos which argued for free and open technology as a way of protecting and enhancing individual freedoms generally. Back in the 2000s, the main theme was fighting off restrictive copyright legislation which was being pushed by corporate lobbying organizations (eg. the RIAA and MPAA) that the internet labelled as the "MAFIAA". A famous legal case that generated a lot of fury was Capitol Records, Inc. v. Thomas-Rasset, where the defendant was forced to pay $222,000 in damages for illegally downloading 24 songs over a file-sharing network. The main weapons in the fight were torrent networks, encryption and internet anonymization. A lesson learned very early on was the importance of decentralization. As explained in one of the very few openly political statements made by Satoshi:

[Lengthy exposition of vulnerability of a system to use-of-force monopolies elided.]

You will not find a solution to political problems in cryptography.

Yes, but we can win a major battle in the arms race and gain a new territory of freedom for several years.

Governments are good at cutting off the heads of a centrally controlled networks like Napster, but pure P2P networks like Gnutella and Tor seem to be holding their own.

Bitcoin was viewed as an extension of that spirit to the area of internet payments.
There was even an early equivalent of "regen culture": Bitcoin was an incredibly easy means of online payment, and so it could be used to organize ways to compensate artists for their work without relying on restrictive copyright laws. I participated in this myself: when I was writing articles for Bitcoin Weekly in 2011, I developed a mechanism where we would publish the first paragraph of two new articles that I wrote, and we would hold the remainder "for ransom", releasing the contents when the total donations to a public address would reach some specified quantity of BTC.

The point of all this is to contextualize the mentality that created blockchains and cryptocurrency in the first place: freedom is important, decentralized networks are good at protecting freedom, and money is an important sphere where such networks can be applied - but it's one important sphere among several. And indeed, there are several further important spheres where decentralized networks are not needed at all: rather, you just need the right application of cryptography and one-to-one communication. The idea that freedom of payment specifically is the one that's central to all other freedoms is something that came later - a cynic might say, it's an ideology retroactively formed to justify "number go up".

I can think of at least a few other technological freedoms that are just as "foundational" as the freedom to do things with crypto tokens:

- Freedom and privacy of communication: this covers encrypted messaging, as well as pseudonymity. Zero-knowledge proofs could protect pseudonymity at the same time as ensuring important claims about authenticity (eg. that a message is sent by a real human), and so supporting use cases of zero-knowledge proofs is also important here.
- Freedom and privacy-friendly digital identity: there are some blockchain applications here, most notably in allowing revocations and various use cases of "proving a negative" in a decentralized way, but realistically hashes, signatures and zero knowledge proofs get used ten times more.
- Freedom and privacy of thought: this one is going to become more and more important in the next few decades, as more and more of our activities become mediated by AI interactions in deeper and deeper ways. Barring significant change, the default path is that more and more of our thoughts are going to be directly intermediated and read by servers held by centralized AI companies.
- High-quality access to information: social technologies that help people form high-quality opinions about important topics in an adversarial environment. I personally am bullish on prediction markets and Community Notes; you may have a different take on the solutions, but the point is that this topic is important.

And the above list is just technology. The goals that motivate people to build and participate in blockchain applications often have implications outside of technology as well: if you care about freedom, you might want the government to respect your freedom to have the kind of family you want. If you care about building more efficient and equitable economies, you might want to look at the implications of that in housing. And so on.

My underlying point is: if you're the type of person who's willing to read this article past the first paragraph, you're not in crypto just because it's crypto, you're in crypto because of deeper underlying goals. Don't stand with crypto-as-in-cryptocurrency, stand with those underlying goals, and the whole set of policy implications that they imply.

Current "pro-crypto" initiatives, at least as of today, do not think in this way:

The "key bills" that StandWithCrypto tracks.
There is no attempt made whatsoever to judge politicians on freedoms related to cryptography and technology that go beyond cryptocurrency. If a politician is in favor of your freedom to trade coins, but they have said nothing about the topics above, then the underlying thought process that causes them to support the freedom to trade coins is very different from mine (and possibly yours). This in turn implies a high risk that they will likely have different conclusions from you on issues that you will care about in the future.

Crypto and internationalism

Ethereum node map, source ethernodes.org

One social and political cause that has always been dear to me, and to many cypherpunks, is internationalism. Internationalism has always been a key blind spot of statist egalitarian politics: they enact all kinds of restrictive economic policies to try to "protect workers" domestically, but they often pay little or no attention to the fact that two thirds of global inequality is between countries rather than within countries. A popular recent strategy to try to protect domestic workers is tariffs; but even when tariffs succeed at achieving that goal, unfortunately they often do so at the expense of workers in other countries. A key liberatory aspect of the internet is that, in theory, it makes no distinctions between the wealthiest nations and the poorest. Once we get to the point where most people everywhere have a basic standard of internet access, we can have a much more equal-access and globalized digital society. Cryptocurrency extends these ideals to the world of money and economic interaction. This has the potential to significantly contribute to flattening the global economy, and I've personally seen many cases where it already has.

But if I care about "crypto" because it's good for internationalism, then I should also judge politicians by how much they and their policies show a care for the outside world.
I will not name specific examples, but it should be clear that many of them fail on this metric.

Sometimes, this even ties back to the "crypto industry". While recently attending EthCC, I received messages from multiple friends who told me that they were not able to come because it has become much more difficult for them to get a Schengen visa. Visa accessibility is a key concern when deciding locations for events like Devcon; the USA also scores poorly on this metric. The crypto industry is uniquely international, and so immigration law is crypto law. Which politicians, and which countries, recognize this?

Crypto-friendly now does not mean crypto-friendly five years from now

If you see a politician being crypto-friendly, one thing you can do is look up their views on crypto itself five years ago. Similarly, look up their views on related topics such as encrypted messaging five years ago. Particularly, try to find a topic where "supporting freedom" is unaligned with "supporting corporations"; the copyright wars of the 2000s are a good example of this. This can be a good guide on what kinds of changes to their views might happen five years in the future.

Divergence between decentralization and acceleration

One way in which a divergence might happen, is if the goals of decentralization and acceleration diverge. Last year, I made a series of polls essentially asking people which of those two they value more in the context of AI. The results decidedly favored the former:

Often, regulation is harmful to both decentralization and acceleration: it makes industries more concentrated and slows them down. A lot of the most harmful crypto regulation ("mandatory KYC on everything") definitely goes in that direction. However, there is always the possibility that those goals will diverge. For AI, this is arguably happening already.
A decentralization-focused AI strategy focuses on smaller models running on consumer hardware, avoiding a privacy and centralized-control dystopia where all AI relies on centralized servers that see all our actions, and whose operators' biases shape the AI's outputs in a way that we cannot escape. An advantage of a smaller-models-focused strategy is that it is more AI-safety-friendly, because smaller models are inherently more bounded in capabilities and more likely to be more like tools and less like independent agents. An acceleration-focused AI strategy, meanwhile, is enthusiastic about everything from the smallest micro-models running on tiny chips to the 7-trillion-dollar clusters of Sam Altman's dreams.

As far as I can tell, within crypto we have not yet seen that large a split along these lines, but it feels very plausible that some day we will. If you see a "pro-crypto" politician today, it's worth it to explore their underlying values, and see which side they will prioritize if a conflict does arise.

What "crypto-friendly" means to authoritarians

There is a particular style of being "crypto-friendly" that is common to authoritarian governments, that is worth being wary of. The best example of this is, predictably, modern Russia.

The recent Russian government policy regarding crypto is pretty simple, and has two prongs:

When we use crypto, that helps us avoid other people's restrictions, so that's good.
When you use crypto, that makes it harder for us to restrict or surveil you or put you in jail for 9 years for donating $30 to Ukraine, so that's bad.

Here are examples of Russian government actions of each type:

Another important conclusion of this is that if a politician is pro-crypto today, but they are the type of person that is either very power-seeking themselves, or willing to suck up to someone who is, then this is the direction that their crypto advocacy may look like ten years from now.
If they, or the person they are sucking up to, actually do consolidate power, it almost certainly will. Also, note that the strategy of staying close to dangerous actors in order to "help them become better" backfires more often than not.

But I like [politician] because of their entire platform and outlook, not just because they're pro-crypto! So why should I not be enthusiastic about their crypto stance?

The game of politics is much more complicated than just "who wins the next election", and there are a lot of levers that your words and actions affect. In particular, by publicly giving the impression that you support "pro-crypto" candidates just because they are "pro-crypto", you are helping to create an incentive gradient where politicians come to understand that all they need to get your support is to support "crypto". It doesn't matter if they also support banning encrypted messaging, if they are a power-seeking narcissist, or if they push for bills that make it even harder for your Chinese or Indian friend to attend the next crypto conference - all that politicians have to do is make sure it's easy for you to trade coins.

"Someone in a prison cell juggling gold coins", locally-running StableDiffusion 3

Whether you are someone with millions of dollars ready to donate, or someone with millions of Twitter followers ready to influence, or just a regular person, there are far more honorable incentive gradients that you could be helping to craft.

If a politician is pro-crypto, the key question to ask is: are they in it for the right reasons? Do they have a vision of how technology and politics and the economy should go in the 21st century that aligns with yours? Do they have a good positive vision, that goes beyond near-term concerns like "smash the bad other tribe"? If they do, then great: you should support them, and make clear that that's why you are supporting them. If not, then either stay out entirely, or find better forces to align with.
October 22, 2024
2024-10-22
Epochs and slots all the way down: ways to give Ethereum users faster transaction confirmation times
2024 Jun 30

One of the important properties of a good blockchain user experience is fast transaction confirmation times. Today, Ethereum has already improved a lot compared to five years ago. Thanks to the combination of EIP-1559 and steady block times after the Merge, transactions sent by users on L1 reliably confirm within 5-20 seconds. This is roughly competitive with the experience of paying with a credit card. However, there is value in improving user experience further, and there are some applications that outright require latencies on the order of hundreds of milliseconds or even less. This post will go over some of the practical options that Ethereum has.

Overview of existing ideas and techniques

Single slot finality

Today, Ethereum's Gasper consensus uses a slot and epoch architecture. Every 12-second slot, a subset of validators publish a vote on the head of the chain, and over the course of 32 slots (6.4 min), all validators get a chance to vote once. These votes are then re-interpreted as being messages in a vaguely PBFT-like consensus algorithm, which after two epochs (12.8 min) gives a very hard economic assurance called finality.

Over the last couple of years, we've become more and more uncomfortable with the current approach. The key reasons are that (i) it's complicated and there are many interaction bugs between the slot-by-slot voting mechanism and the epoch-by-epoch finality mechanism, and (ii) 12.8 minutes is way too long and nobody cares to wait that long.

Single-slot finality replaces this architecture by a mechanism much more similar to Tendermint consensus, in which block N is finalized before block N+1 is made.
The main deviation from Tendermint is that we keep the "inactivity leak" mechanism, which allows the chain to keep going and recover if more than 1/3 of validators go offline.

A diagram of the leading proposed single-slot finality design

The main challenge with SSF is that naively, it seems to imply that every single Ethereum staker would need to publish two messages every 12 seconds, which would be a lot of load for the chain to handle. There are clever ideas for how to mitigate this, including the very recent Orbit SSF proposal. But even still, while this improves UX significantly by making "finality" come faster, it doesn't change the fact that users need to wait 5-20 seconds.

Rollup preconfirmations

For the last few years, Ethereum has been following a rollup-centric roadmap, designing the Ethereum base layer (the "L1") around supporting data availability and other functionalities that can then be used by layer 2 protocols like rollups (but also validiums and plasmas) that can give users the same level of security as Ethereum, but at much higher scale.

This creates a separation-of-concerns within the Ethereum ecosystem: the Ethereum L1 can focus on being censorship resistant, dependable, stable, and maintaining and improving a certain base-level core of functionality, and L2s can focus on more directly reaching out to users - both through different cultural and technological tradeoffs. But if you go down this path, one inevitable issue comes up: L2s want to serve users who want confirmations much faster than 5-20 seconds.

So far, at least in the rhetoric, it has been L2s' responsibility to create their own "decentralized sequencing" networks. A smaller group of validators would sign off on blocks, perhaps once every few hundred milliseconds, and they would put their "stake" behind those blocks. Eventually, headers of these L2 blocks get published to L1.
L2 validator sets could cheat: they could first sign block B1, and then later sign a conflicting block B2 and commit it onto the chain before B1. But if they do this, they would get caught and lose their deposits. In practice, we have seen centralized versions of this, but rollups have been slow to develop decentralized sequencing networks. And you can argue that demanding L2s all do decentralized sequencing is an unfair deal: we're asking rollups to basically do most of the same work as creating an entire new L1. For this reason and others, Justin Drake has been promoting a way to give all L2s (as well as L1) access to a shared Ethereum-wide preconfirmation mechanism: based preconfirmations.

Based preconfirmations

The based preconfirmation approach assumes that Ethereum proposers will become highly sophisticated actors for MEV-related reasons (see here for my explanation of MEV, and see also the execution tickets line of proposals). The based preconfirmation approach takes advantage of this sophistication by incentivizing these sophisticated proposers to accept the responsibility of offering preconfirmations-as-a-service. The basic idea is to create a standardized protocol by which a user can offer an additional fee in exchange for an immediate guarantee that the transaction will be included in the next block, along with possibly a claim about the results of executing that transaction. If the proposer violates any promise that they make to any user, they can get slashed.

As described, based preconfirmations provide guarantees to L1 transactions. If rollups are "based", then all L2 blocks are L1 transactions, and so the same mechanism can be used to provide preconfirmations for any L2.

What are we actually looking at here?

Suppose that we implement single slot finality. We use Orbit-like techniques to reduce the number of validators signing per slot, but not too much, so that we can also make progress on the key goal of reducing the 32 ETH staking minimum.
As a result, perhaps the slot time creeps upward, to 16 sec. We then use either rollup preconfirmations, or based preconfirmations, to give users faster assurances. What do we have now? An epoch-and-slot architecture. The "they're the same picture" meme is getting quite overused at this point, so I'll just put an old diagram I drew years ago to describe Gasper's slot-and-epoch architecture and a diagram of L2 preconfirmations beside each other, and hopefully that will get the point across.

There is a deep philosophical reason why epoch-and-slot architectures seem to be so hard to avoid: it inherently takes less time to come to approximate agreement on something, than to come to maximally-hardened "economic finality" agreement on it.

One simple reason why is number of nodes. While the old linear decentralization / finality time / overhead tradeoff is looking milder now due to hyper-optimized BLS aggregation and in the near future ZK-STARKs, it's still fundamentally true that:

"Approximate agreement" only requires a few nodes while economic finality requires a significant fraction of all nodes.
Once the number of nodes goes above a certain size, you need to spend more time to gather signatures.

In Ethereum today, a 12-second slot is divided into three sub-slots, for (i) block publication and distribution, (ii) attestation, and (iii) attestation aggregation. If the attester count was much lower, we could drop to two sub-slots and have an 8-second slot time. Another, and realistically bigger, factor, is "quality" of nodes. If we could also rely on a professionalized subset of nodes to do approximate agreements (and still use the full validators set for finality), we could plausibly drop that to ~2 seconds.

Hence, it feels to me that (i) slot-and-epoch architectures are obviously correct, but also (ii) not all slot-and-epoch architectures are created equal, and there's value in more fully exploring the design space.
In particular, it's worth exploring options that are not tightly interwoven like Gasper, and where instead there's stronger separation of concerns between the two mechanisms.

What should L2s do?

In my view, there are three reasonable strategies for L2s to take at the moment:

1. Be "based", both technologically and spiritually. That is, they optimize for being pass-through conduits for the Ethereum base layer's technical properties and its values (high decentralization, censorship resistance, etc). In their simplest form, you could think of these rollups as being "branded shards", but they can also be much more ambitious than that, and experiment quite heavily with new virtual machine designs and other technical improvements.
2. Proudly be a "server with blockchain scaffolding", and make the best out of it. If you start from a server, and then add (i) STARK validity proofs to ensure that the server is following the rules, (ii) guaranteed rights for the user to exit or force transactions, and possibly (iii) freedom of collective choice, either through coordinated mass-exit or through the ability to vote to change the sequencer, then you've already gained a lot of the benefits of being onchain, while keeping most of the efficiencies of a server.
3. The compromise approach: a hundred-node fast chain, with Ethereum providing extra interoperability and security. This is the de-facto current roadmap of many L2 projects.

For some applications (eg. ENS, keystores, some payments), a 12-second block time is enough. For those applications that are not, the only solution is a slot-and-epoch architecture. In all three cases, the "epochs" are Ethereum's SSF (perhaps we can retcon that acronym into meaning something other than "single slot", eg. it could be "Secure Speedy Finality").
But the "slots" are something different in each of the above three cases:

1. An Ethereum-native slot-and-epoch architecture
2. Server preconfirmations
3. Committee preconfirmations

A key question is, how good can we make something in category (1)? In particular, if it gets really good, then it feels like category (3) ceases to have as much meaning. Category (2) will always exist, at the very least because anything "based" doesn't work for off-chain-data L2s such as plasmas and validiums. But if an Ethereum-native slot-and-epoch architecture can get down to 1-second "slot" (ie. pre-confirmation) times, then the space for category (3) becomes quite a bit smaller.

Today, we're far from having final answers to these questions. A key question - just how sophisticated are block proposers going to become - remains an area where there is quite a bit of uncertainty. Designs like Orbit SSF are very recent, suggesting that the design space of slot-and-epoch designs where something like Orbit SSF is the epoch is still quite under-explored. The more options we have, the better we can do for users both on L1 and on L2s, and the more we can simplify the job of L2 developers.
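The two slashing conditions the post describes (a sequencer signing conflicting blocks B1 and B2 for the same slot, and a proposer breaking an inclusion promise) come down to verifying self-contained evidence, as in this added example, which is not code from the post or from any Ethereum client. The message layout, the flat transaction-list commitment, the `Slasher` class and the toy Schnorr-style signature (a standard-library stand-in for a production scheme such as BLS) are all assumptions made for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Toy Schnorr-style signature over integers modulo the Mersenne prime 2**521 - 1.
# Assumed stand-in so the example needs only the standard library; not secure parameters.
P = 2**521 - 1
G = 3
Q = P - 1  # exponents are reduced modulo P - 1 (Fermat's little theorem)

def _challenge(r: int, msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(r.to_bytes(66, "big") + msg).digest(), "big")

def keygen() -> tuple[int, int]:
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def sign(sk: int, msg: bytes) -> tuple[int, int]:
    k = secrets.randbelow(Q - 1) + 1  # fresh nonce per signature
    r = pow(G, k, P)
    return r, (k + _challenge(r, msg) * sk) % Q

def verify(pk: int, msg: bytes, sig: tuple[int, int]) -> bool:
    r, s = sig
    if not (0 < r < P and 0 <= s < Q):
        return False
    return pow(G, s, P) == (r * pow(pk, _challenge(r, msg), P)) % P

def tx_root(tx_hashes: list[bytes]) -> bytes:
    """Flat commitment to an ordered list of 32-byte transaction hashes (hypothetical)."""
    return hashlib.sha256(b"".join(tx_hashes)).digest()

def signing_bytes(kind: bytes, slot: int, payload: bytes) -> bytes:
    # The kind prefix keeps header and promise signatures from being interchangeable.
    return kind + b"|" + slot.to_bytes(8, "big") + payload

@dataclass(frozen=True)
class Signed:
    kind: bytes     # b"header" (payload = tx root) or b"preconf" (payload = tx hash)
    slot: int
    payload: bytes
    signer: int     # public key of the sequencer or proposer
    sig: tuple[int, int]

    def valid(self) -> bool:
        return verify(self.signer, signing_bytes(self.kind, self.slot, self.payload), self.sig)

def sign_msg(sk: int, pk: int, kind: bytes, slot: int, payload: bytes) -> Signed:
    return Signed(kind, slot, payload, pk, sign(sk, signing_bytes(kind, slot, payload)))

def is_equivocation(a: Signed, b: Signed) -> bool:
    """Same key signed two different block headers for one slot (B1 versus B2)."""
    return (a.kind == b.kind == b"header" and a.signer == b.signer
            and a.slot == b.slot and a.payload != b.payload
            and a.valid() and b.valid())

def is_broken_promise(promise: Signed, header: Signed, tx_hashes: list[bytes]) -> bool:
    """Signer promised to include a transaction in a slot, then signed a block without it."""
    return (promise.kind == b"preconf" and header.kind == b"header"
            and promise.signer == header.signer and promise.slot == header.slot
            and tx_root(tx_hashes) == header.payload  # revealed list must match the header
            and promise.payload not in tx_hashes
            and promise.valid() and header.valid())

class Slasher:
    """Burns an offender's whole deposit once, and only on evidence that verifies."""

    def __init__(self, deposits: dict[int, int]):
        self.deposits = dict(deposits)

    def _burn(self, offender: int, proven: bool) -> int:
        # Returns the amount burned: 0 for bad evidence, unknown keys or repeat reports.
        return self.deposits.pop(offender, 0) if proven else 0

    def report_equivocation(self, a: Signed, b: Signed) -> int:
        return self._burn(a.signer, is_equivocation(a, b))

    def report_broken_promise(self, promise: Signed, header: Signed, tx_hashes: list[bytes]) -> int:
        return self._burn(promise.signer, is_broken_promise(promise, header, tx_hashes))

def demo() -> dict:
    # Constructed sample data: one sequencer key, two transactions, slot 7, deposit of 32.
    sk, pk = keygen()
    tx_a, tx_b = (hashlib.sha256(t).digest() for t in (b"tx-a", b"tx-b"))
    b1 = sign_msg(sk, pk, b"header", 7, tx_root([tx_a]))
    b2 = sign_msg(sk, pk, b"header", 7, tx_root([tx_b]))
    slasher = Slasher({pk: 32})
    return {"first": slasher.report_equivocation(b1, b2),
            "repeat": slasher.report_equivocation(b1, b2)}
```

Because every check runs on signatures that verify against the offender's public key alone, anyone who observes the two messages can submit them, and forged evidence naming an honest signer burns nothing.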
October 22, 2024
2024-10-22
Some reflections on the Bitcoin block size war
2024 May 31

Recently I finished reading (or rather, audio-listening) the two main history books covering the great Bitcoin block size war of the 2010s, from opposite ends of the spectrum:

Jonathan Bier's "The Blocksize War", telling the story from a pro-small-block perspective
Roger Ver and Steve Patterson's "Hijacking Bitcoin", telling the story from a pro-big-block perspective

It was fascinating to read these two histories of an event that I personally lived through, and even to some extent participated in. While I was aware of the majority of the events that transpired, and the narratives with which each of the two sides viewed the nature of the conflict, there were still some fascinating bits that I did not know or had completely forgotten, and it was interesting to look at the situation with fresh eyes. Back then, I was a "big blocker", though of a pragmatic medium-block variety that opposed extreme increases or absolutist claims that fees should never be allowed to rise significantly above zero. Do I still support the views I held at the time? I was looking forward to see and find out.

In Jonathan Bier's telling, how did the small blockers see the block size war?

The original debate in the block size war centered around a simple question: should Bitcoin have a hard fork to raise the block size limit from its then-current value of 1 MB to a higher value, allowing Bitcoin to process more transactions and hence have lower fees, but at the cost of making the chain more difficult and costly to run a node for and verify?

"[If the block size were much bigger], you would need a big data center to run a node, and you won't be able to do it anonymously" - a key argument made in a video sponsored by Peter Todd advocating for keeping the block size small.
Bier's book gives me the impression that while the small blockers did care about this object-level question, favoring a conservative approach of increasing the block size only a little bit to ensure it remains easy to run a node, they cared even more about the meta-level question of how protocol-level issues like this get decided more generally. In their view, changes to the protocol (especially "hard forks") should only be done very rarely, and with a very high level of consensus from the users of the protocol.

Bitcoin is not trying to compete with payment processors - there are lots of those already. Rather, Bitcoin is trying to be something much more unique and special: a completely new type of currency, free from the control of central organizations and central banks. If Bitcoin started to have a highly active governance structure (which would be required to navigate controversial adjustments to block size parameters), or became vulnerable to coordinated manipulation by miners, exchanges or other big companies, it would lose this precious unique advantage forever.

In Bier's telling, the big blockers offended the small blockers most strongly precisely because they often attempted to get a relatively small number of big players together to legitimize and push through their preferred changes - anathema to the small blockers' view on how governance should be done.

The New York Agreement, signed by major Bitcoin exchanges, payment processors, miners and other companies in 2017. A key example of what small blockers consider to be an attempt to shift Bitcoin from rule by users to rule by corporate cabal.

In Roger Ver's telling, how did the big blockers see the block size war?

Big blockers generally focus on a key underlying object-level question: what is Bitcoin supposed to be? Is it supposed to be a store of value - digital gold, or a means of payment - digital cash?
To them, it was clear to everyone from the start that the original vision, and the vision that big blockers all signed up for, was digital cash. It even says so in the whitepaper! The big blockers also frequently cite two other things written by Satoshi:

The simplified payment verification section of the whitepaper, which talks about how once blocks get very big, individual users can verify that their payments were included using Merkle proofs, without needing to verify the whole chain.
A Bitcointalk quote advocating hard forks to phase in block size increases:

To them, the switch from focus on digital cash to digital gold was a pivot, one that was agreed upon by a small tight-knit group of core developers, who then assumed that because they thought about the issue and came to their conclusion internally, they had the right to impose their view on the entire project.

Small blockers did offer solutions for how Bitcoin can be cash and gold at the same time - namely, Bitcoin becomes a "layer 1" that focuses on being gold while "layer 2" protocols built on top of Bitcoin, like the Lightning Network, provide cheap payments without using the blockchain for every transaction. However, these solutions were highly inadequate in practice, and Ver spends several chapters deeply criticizing them. For example, even if everyone switched to Lightning, a block size increase would still eventually be required to onboard hundreds of millions of users. In addition, trustlessly receiving coins in Lightning requires having an online node, and making sure that your coins are not stolen requires checking the chain once a week.
These complexities, Ver thought, would inevitably push users toward interacting with Lightning in centralized ways.

What is the key difference in their views?

Ver's depiction of the object-level debate matches that of the small blockers: both sides agree that small blockers more highly value ease of running a node, and that large blockers more highly value cheap transaction fees. They both acknowledge that there is room for a reasonable difference in beliefs, and that this difference is a key factor that motivated the debate.

But Bier and Ver's depictions of most of the deeper underlying issues are extremely different. To Bier, the small-block side is standing on behalf of users against small but powerful cabals of miners and exchanges trying to wrest control of the chain for their own benefit. Small blocks keep Bitcoin decentralized by making sure regular users can run nodes and verify the chain. To Ver, the big-block side is standing on behalf of users against small but powerful cabals of self-appointed high priests and VC-funded companies (namely, Blockstream) who profit from building the layer 2 solutions that the small-block roadmap necessitates. Large blocks keep Bitcoin decentralized by making sure users can continue to afford on-chain transactions without needing to depend on centralized layer-2 infrastructure.

The closest that I can see to the two sides even "agreeing on the terms of the debate" is that Bier's book accepts that many big blockers are well intentioned, even acknowledging that they have valid grievances regarding pro-small-block forum moderators censoring opposing views, but frequently criticizes the big block side for being incompetent, while Ver's book is more willing to ascribe malicious intent and even conspiracy theories to small blockers, but rarely criticizes their competence.
This echoes a common political trope I have heard on quite a few occasions, that "the right thinks that the left is naive, the left thinks that the right is evil".

In my telling, how did I see the block size war? And how do I see it today?

Room 77, a former restaurant in Berlin that accepted Bitcoin for payments. It was the centerpiece of the Bitcoin Kiez, a region in Berlin where a large number of restaurants accepted Bitcoin. Unfortunately, the dream of Bitcoin for payments faded away over the latter part of the decade, and I consider rising fees to be a key culprit.

While I was experiencing the Bitcoin block size war first hand, I generally sided with the big blockers. My sympathy for the big block side centered on a few key points:

1. A key initial promise of Bitcoin was digital cash, and high fees could kill that use case. While layer 2 protocols could in theory provide much lower fees, the whole concept was highly untested, and it was highly irresponsible for the small blockers to commit to the small-block roadmap given how little they knew about how well the Lightning Network would work in practice. These days, practical experience with the Lightning Network has made pessimistic perspectives much more common.
2. I was not convinced by the small block side's "meta-level" story. Small blockers would often argue that "Bitcoin should be controlled by users", and "users don't support big blocks", but were never willing to pin down any specific way of defining who "users" are or measuring what they wanted. Big blockers implicitly tried to propose at least three different ways of counting users: hashpower, public statements by well-known companies, and social media discourse, and small blockers denounced each one. Big blockers did not organize the New York Agreement because they liked "cabals"; they organized the New York Agreement because small blockers insisted on "consensus" between "users" for any contentious change, and signed statements from major stakeholders were the only practical approach that the big blockers saw to try to actually do that.
3. Segregated Witness, the proposal adopted by the small block side to slightly increase block size, was needlessly overcomplicated, compared to a simple hard fork block size increase. The small block side ended up adopting a religion of "soft forks good, hard forks bad" (which I strongly disagreed with), and designed their approach to increasing the block size to fit this rule, despite what Bier acknowledges are serious increases in complexity, to the point where many big blockers were unable to understand the proposal. I felt that small blockers were not just being "pro-carefulness", they were arbitrarily picking between different types of carefulness, picking one (no hard forks) at the expense of another (keeping a clean and simple code and spec) because it fit their agenda. Eventually, big blockers also ended up throwing away "clean and simple" and going into ideas like Bitcoin Unlimited's adaptive block size increase, a decision that Bier (rightfully) rips into them for.
4. The small block side really was engaging in very uncool acts of social media censorship to impose their views, culminating in Theymos's infamous line "If 90% of /r/Bitcoin users find these policies to be intolerable, then I want these 90% of /r/Bitcoin users to leave."

Even relatively mild pro-big-block posts would frequently get deleted. Custom CSS was used to make these deleted posts invisible.
Ver's book focuses heavily on the first and the fourth and somewhat on the third, as well as theories of financially motivated malfeasance - namely, that the small blockers formed a company called Blockstream that would build layer 2 protocols on top of Bitcoin, and simultaneously advocated an ideology that the Bitcoin layer 1 should stay crippled, thereby making these commercial layer 2 networks necessary. Ver does not focus much on the philosophy of how Bitcoin should be governed, because to him the answer that "Bitcoin is governed by miners" is satisfying. This is a place where I agreed with neither side: I found the nebulous "consensus of users that we refuse to actually define" and the extreme "miners should control everything because they have aligned incentives" both unreasonable.

At the same time, I remember being immensely frustrated with big blockers on a few key points, and they were points that Bier's book echoed. One of the worst (both according to me and according to Bier) was that big blockers were never willing to agree on any realistic limiting principle for how big blocks should go. A common viewpoint was that "the block size was set by the market" - meaning, miners should make blocks as big as they want, and other miners can choose to accept or reject those blocks. I argued against this heavily, and pointed out that it's an extreme stretch of the concept of a "market" to say that such a mechanism is a market. Eventually, when the big blockers split off into their own independent chain (Bitcoin Cash), they ended up moving away from this view, and adding a block size limit of 32 MB.

At the time, I actually did have a principled way of reasoning about how to decide on block size limits.
Quoting a post from 2018:

"Bitcoin favors maximum predictability of the cost of reading the blockchain, at the expense of the minimum possible amount of predictability of the cost of writing to the blockchain, with predictably very healthy results in the former metric and disastrous results in the latter metric. Ethereum, with its current governance model, favors medium predictability of both."

I later repeated this perspective in a tweet in 2022. In essence, the philosophy is: we should balance between increasing the cost of writing to the chain (ie. transaction fees) and the cost of reading the chain (ie. software requirements for a node). Ideally, if demand for using a blockchain increases by 100x, we should split the pain halfway, and let the block size increase by 10x and the fees increase by 10x (demand elasticity for transaction fees is close enough to 1 that this kind-of works in practice).

Ethereum actually did end up taking a medium-block approach: the chain's capacity has increased by roughly 5.3x since it launched in 2015 (perhaps 7x if you count calldata repricings and blobs), and at the same time fees increased from almost nothing to a significant-but-not-too-high level. However, this kind of compromise-oriented (or "concave") approach never caught on with either faction; perhaps it felt too "central-planny" for one side and too "wishy-washy" for the other. I feel like big blockers were more at fault than small blockers here; the small blockers were open to modest block size increases at the beginning (eg.
Adam Back's 2/4/8 plan), and it was big blockers that were unwilling to compromise, and moved quickly from advocating a single increase to a specific larger number to advocating an overarching philosophy that pretty much any nontrivial limitation of the block size is illegitimate.

Big blockers also started arguing that miners should be in charge of Bitcoin - a philosophy that Bier effectively criticizes, by pointing out that they would probably quickly abandon their views if the miners tried changing the protocol rules to do something other than increasing the block size - say, giving themselves more rewards.

A major line of criticism of big blockers in Bier's book was their repeated displays of incompetence. Bitcoin Classic was not well-written code, Bitcoin Unlimited was needlessly overly complicated, for a long time they did not include wipeout protection and did not seem to understand that this choice greatly hurts their chance of success (!!), and they had serious security vulnerabilities. They loudly shouted about the need for multiple implementations of the Bitcoin software - a principle that I agree with and a principle that Ethereum has adopted - but their "alternative clients" were really just forks of Bitcoin Core with a few lines changed to implement a block size increase. In Bier's telling, their repeated faux pas on both code and economics ended up turning away more and more supporters over time. Major big blockers falling for Craig Wright fraudulently claiming to be Satoshi further discredited them.

Craig Wright, a scammer pretending to be Satoshi. He frequently used legal threats to take down criticism, which is why my fork is the largest still-online copy of the Cult of Craig repository which documented proof that he's fake. Unfortunately, many big blockers fell for Craig's antics, because Craig toed the big-block party line, and said things that the big blockers wanted to hear.
In general, reading through the two books, I found myself agreeing with Ver more often on big-picture questions, but with Bier more often on individual details. In my view, big blockers were right on the central question that blocks needed to be bigger, and that it was best to accomplish this with a clean simple hard fork like Satoshi described, but small blockers committed far fewer embarrassing technical faux pas, and had fewer positions that led to absurd outcomes if you tried to take them to their logical conclusion.

The block size war as a one-sided competence trap

The combined picture that I get from reading these two books is a political tragedy that I feel like I have seen over and over again in all kinds of contexts, including cryptocurrencies, corporations and national politics:

One side monopolizes all the competent people, but uses its power to push a narrow and biased perspective; the other side correctly recognizes that something is wrong, but engulfs itself in a focus on opposition, failing to develop the technical ability to execute on its own.

In many such situations, the first group is criticized as being authoritarian, but when you ask its (often quite many) supporters why they support it, their response is that the other side only knows how to complain; they would completely flop within days if they were to actually gain power.

This is to some extent not the opposition's fault: it's hard to become good at executing without having a platform to execute from and gain experience. But in the block size debate in particular, the big block side appears to have largely not even realized the need to be competent at executing - they thought that they could win solely by sheer force of being right on the block size question.
Big blockers ended up paying a heavy price for their focus on opposing over building in multiple ways: even when they split off into their own chain with Bitcoin Cash, they ended up splitting in half two more times before the community finally stabilized.

I'll label this problem the one-sided competence trap. It feels like a fundamental problem for anyone trying to build a political entity or project or community that they wish to be democratic or pluralistic. Smart people want to work with other smart people. If two distinct groups are roughly equally matched, people would gravitate to the one that better fits their values, and the equilibrium can be stable. But if it goes too far in one direction, it flips into a different equilibrium, and it seems very hard to get it to flip back. To some degree, one-sided competence traps can be mitigated by an opposition simply realizing that the problem exists and that they have to build up competence intentionally. Often, an opposition movement does not even get to this step. But sometimes simply recognizing the problem is not enough. We would benefit a lot from having more robust and deeper ways of preventing and getting out of one-sided competence traps.

Less conflict, more technology

One incredibly glaring omission from both books stood out to me more than anything else: the word "ZK-SNARK" appeared exactly zero times in both books. There is not much excuse for this: even by the mid-2010s, ZK-SNARKs and their potential to revolutionize scalability (and privacy) were well known. Zcash launched in October 2016. The scalability implications of ZK-SNARKs were explored a little bit by Gregory Maxwell in 2013, but they did not seem to get taken into account at all in discussions of Bitcoin's future roadmap.

The ultimate diffuser of political tension is not compromise, but rather new technology: the discovery of fundamentally new approaches that give both sides more of what they want at the same time.
We've seen several instances of this in Ethereum. A few that come to mind are:

Justin Drake's push to embrace BLS aggregation, allowing Ethereum's proof of stake to process many more validators, and thereby decrease the min staking balance from 1500 to 32, with quite little downside. More recently, work on signature merging promises to take this further.
EIP-7702, which accomplished the goals of ERC-3074 in a way that is significantly more forward-compatible with smart contract wallets, and thereby helped to tone down a long-standing dispute.
Multidimensional gas, starting with its implementation for blobs, has already helped increase Ethereum's capability to hold rollup data, without increasing the size of worst-case blocks, and thereby keeping security risks minimized.

When an ecosystem stops embracing new technology, it inevitably stagnates, and becomes more contentious at the same time: a political debate between "I get 10 more apples" vs "you get 10 more apples" inherently causes much less strife than a debate between "I give up 10 apples" vs "you give up 10 apples". Losses are more painful than gains are pleasant, and people are more willing to "break the glass" of their shared political commons in order to avoid losses. This is a key reason why I'm quite uncomfortable with ideas like degrowth and the notion that "we can't use technological solutions to solve social problems": there's a pretty strong reason to believe that fighting over who wins more rather than fighting over who loses less really is much better for social harmony.

In economic theory, there is no difference between these two prisoner's dilemmas: the game on the right can be viewed as being the game on the left plus a separate (irrelevant) step where both players lose four points regardless of how they act. But in human psychology, the two games can be very different.

One key question for Bitcoin going forward is, will Bitcoin be able to become a tech-forward ecosystem.
The development of Inscriptions and later BitVM have created new possibilities for layer 2s, improving on what can be done with Lightning. Hopefully, Udi Wertheimer is correct with his theory that ETH getting an ETF means the death of Saylorism, and a renewed realization that Bitcoin needs to improve technologically.

Why do I care about this?

I care about examining the successes and failures in Bitcoin not because I want to put Bitcoin down as a way to lift Ethereum up; in fact, as someone who loves trying to understand social and political issues, I find it a feature of Bitcoin that it's sociologically complex enough that it can have internal debates and splits that are so rich and fascinating that you can write two entire books on them. Rather, I care about analyzing these issues because both Ethereum, and other digital (and even physical) communities that I care about, stand to learn a lot from understanding what happened, what went well, and what could have been done better.

Ethereum's focus on client diversity was born from watching the failures that arose from Bitcoin having a single client team. Its version of layer 2s was born from understanding how the limitations of Bitcoin lead to limitations in what kinds of layer 2s with what trust properties are possible to build on top of it. More generally, Ethereum's explicit attempt to foster a pluralistic ecosystem is in large part an attempt at avoiding one-sided competence traps.

Another example that comes to mind is the network state movement. Network states are a new strategy for a kind of digital secession, allowing communities that have aligned values to gain some independence from mainstream society and build out their own visions for the future of culture and technology. But the experience of (post-fork) Bitcoin Cash shows that movements organized around forking to resolve problems have a common failure mode: they can end up splitting again and again and never actually managing to cooperate.
Bitcoin Cash's experience carries lessons that go far beyond Bitcoin Cash. Like rebel cryptocurrencies, rebel network states need to learn to actually execute and build, and not just hold parties and vibe and share memes comparing modern brutalism to 16th-century European architecture on Twitter. Zuzalu was in part my own attempt to instigate change in this direction.

I recommend reading both Bier's The Blocksize War and Patterson and Ver's Hijacking Bitcoin to understand one of the defining moments of Bitcoin's history. Particularly, I recommend reading the two books with the mindset that this is not just about Bitcoin - rather, this was the first true high-stakes civil war of a "digital nation", and the experiences carry important lessons for other digital nations that we will be building in the decades to come.
October 22, 2024
2024-10-22
Layer 2s as cultural extensions of Ethereum
2024 May 29

Special thanks to Abdelhamid Bakhta and Paul Dylan-Ennis for feedback and discussion.

In my recent post on the differences between layer 1 and layer 2 scaling, I ended up roughly coming to the conclusion that the most important differences between the two approaches are not technical but organizational (using the word in a similar sense to the field of "industrial organization"): it's not about what can get built, but what will get built, because of how the lines between different parts of the ecosystem are drawn and how that affects people's incentives and ability to act. In particular, a layer-2-centric ecosystem is inherently much more pluralistic, and more naturally leads to a greater diversity of different approaches to scaling, virtual machine design, and other technological features.

A key point I made in the previous post is:

"Because Ethereum is a layer-2-centric ecosystem, you are free to go independently build a sub-ecosystem that is yours with your unique features, and is at the same time a part of a greater Ethereum."

In this post, I argue that this is true not just with respect to technology, but also with respect to culture. Blockchains do not just make unique technical tradeoffs, they also have unique cultures. On the day after Ethereum and Ethereum Classic diverged, the two blockchains were exactly the same technologically. But they were radically different culturally, and this fact helped to shape the distinct focuses, user bases and even tech stacks that the two chains have eight years later. The same applies to Ethereum and Bitcoin: at the beginning, Ethereum was roughly "Bitcoin but with smart contracts", but the set of differences grew into something much deeper ten years later.

An old tweet by Kevin Pham comparing Bitcoin and Ethereum culture, as they were in 2017.
Both cultures continue to evolve: since 2017 we have seen the rise and fall of the "laser eye" movement (and the simultaneous rise of movements like Ordinals), we've seen Ethereum become layer-2 centric, and we've seen both become much more mainstream. But the two remain different, and it's probably for the best that it remains so.

What are some examples of things that culture affects?

Culture has a similar effect to incentives - indeed, culture is part of incentives. It affects who is attracted to an ecosystem and who is repelled. It affects what kinds of actions people are motivated to do, and what kinds of actions people can do. It affects what is considered legitimate - both in protocol design, and at the ecosystem and application layer.

A few particularly important areas that a blockchain's culture has a great impact on include:

1. The type of changes that get made to the protocol - including quantity, quality and direction
2. The protocol's ability to remain open, censorship-resistant and decentralized
3. The ecosystem's ability to attract high-quality protocol developers and researchers
4. The ecosystem's ability to attract high-quality application developers
5. The ecosystem's ability to attract users - both quantity of users, and the right kinds of users
6. The ecosystem's public legitimacy in the eyes of outside communities and actors

If you really value having a blockchain that remains decentralized, even at the cost of being slow, you need to look not just at how well the present-day technology accomplishes those goals, but also at how well the culture values those goals. If a blockchain's culture does not value curiosity and openness to new technology, then it may well fail at both decentralization and speed, because it fails to take up new technologies like ZK-SNARKs that can get you more of both at the same time. If a blockchain becomes publicly understood as being "the casino chain" and nothing else, it becomes hard to get non-casino applications onboard.
Even non-mercenary core protocol developers and researchers become more difficult to attract. Culture matters, because culture is at least partially upstream of almost everything else.

The cultures of Ethereum

Ethereum developer interop, Kenya, 2024 May. Ethereum's core research and development ecosystem is one of Ethereum's subcultures, though it is also quite diverse in its own right, with substantial internal disagreements.

The researcher Paul Dylan-Ennis has spent a lot of time exploring and understanding Ethereum's subcultures. He identifies three of the main subcultures in Ethereum as follows:

Cypherpunk: A cypherpunk is committed to open source development and a certain DIY or punk attitude. In Ethereum's case, the cypherpunks build the infrastructure and tools, but are hands off about how they are used, taking a neutral stance. Historically, cypherpunk had an explicit emphasis on privacy, but in Ethereum it is not always prioritised, albeit ... a neo-cypherpunk movement called lunarpunk has emerged to advocate for placing privacy back front and center
Regens: Many influential voices within Ethereum are committed to a regen or regenerative approach to building technology. Rooted in Vitalik Buterin's interest in politics and social science, many regens engage in governance experiments designed to reinvigorate, improve or even replace contemporary institutions. This subculture is characterized by its experimental nature and interest in public goods
Degens: Users driven purely by speculation and wealth accumulation at all costs, the degens (degenerates). Degens are financial nihilists who focus on current trends and hype to strike it lucky and escape the rat race of contemporary neoliberal capitalism. Degens will often take extraordinary risks, but in an ironic, almost detached way.
These are not the only three groups that matter, and you can even contest the extent to which they are coherent groups: institutional profit-oriented groups and people buying pictures of monkeys are very very culturally different. "Cypherpunks", as described here, includes both people interested in end uses like protecting people's privacy and freedom, and people interested in working with cool frontier math and cryptography without any strong ideology. But this categorization is interesting as a first approximation.

One important feature of these three groups in Ethereum is that, in large part because of Ethereum's flexibility as a developer platform (and not just a currency), they each have access to some kind of playing field, where the subculture can engage in action, and not just talking. One crude approximation is:

Cypherpunks participate in core Ethereum research and development, and write privacy software
Regens do Gitcoin grants rounds, retroactive public goods funding, and various other non-financial applications
Degens trade memecoins and NFTs and play games

In my view, this cultural branching has been a great benefit to Ethereum. Ethereum core development culture values high-quality thinking on topics like advanced cryptography, game theory and increasingly software engineering, it values freedom and independence, it values cypherpunk ideals as well as blockchainified versions of those principles (eg. "immutability"), and an idealistic approach focused on values and soft power over hard power. These values are important and good; looking at my list of impacts of culture from the previous section, they make Ethereum very well-positioned on (1), (2), (3) and to some extent (6).
But they are incomplete: for one, the above description has little emphasis on appealing to application developers, and close to zero emphasis on appealing to users - the stability-oriented values help give confidence to people who "use" Ethereum by hodling ETH, but that's pretty much it. Cultural pluralism is a way of getting out of this quandary, allowing one subculture to focus on core development while another focuses on growing the "edges" of the ecosystem. But this raises a question: are there ways that we can strengthen this kind of cultural pluralism even further?

Subcultures and layer 2s

This is where I get to what is perhaps the single most under-appreciated property of layer 2s: for a subculture, a layer 2 is the ultimate playing field for action. Layer 2s allow subcultures to emerge that are armed with substantial resources, and a feedback loop that forces them to learn and adapt in order to be effective in the real world. Layer 2s have to be effective in multiple ways: attracting users and application developers, developing technology, and building global communities.

Perhaps the key property of layer 2s that matters here is that a layer 2 is simultaneously (i) an ecosystem, and (ii) organized around building something. Local meetup groups can form their own ecosystems, and they often have their own unique cultures, but they have relatively limited resources and execution power. Applications can have a lot of resources and execution power, but they are applications: you can use them, but you can't build on them. Uniswap is great, but there is no concept of "building on Uniswap" that is anywhere near as strong as, say, "building on Polygon".

Some specific ways in which layer 2s can, and do, end up culturally specializing include:

More willingness to do user outreach or "business development": intentionally making efforts to attract specific outside actors, including individuals, businesses and communities, to participate in the ecosystem.
Diversity of values that are emphasized. Is your community more about "public goods", "good tech", "Ethereum neutrality", "financial inclusion", "diversity", "scaling", or something else? Different L2s give different answers.
Diversity of participants: what kinds of people does the community attract? Does it particularly emphasize certain demographic groups? Personality types? Languages? Continents?

Here are a few examples:

Optimism, ZKSync, MegaETH, Starknet

Polygon has found success with partnerships with mainstream companies, and an increasingly high-quality ZK ecosystem. Optimism has Base and World Chain, and features a heavy cultural interest in ideas like retro funding and not-just-token-based governance. Metis focuses on DAOs. Arbitrum has built a brand around high-quality developer tools and technology. Scroll focuses on "preserv[ing] the essence of Ethereum - trust-minimized, secure and open source". Taiko emphasizes being "seamless UX", "community aligned", "security-first" and "based". In general, every Ethereum layer 2 has a unique "soul": some combination of Ethereum's culture, together with its own particular twist.

How can this layer-2-centric approach succeed?

The core value proposition of this layer-2 centric approach to culture is that it tries to balance the benefits of pluralism and cooperation, by creating a diverse set of different subcultures that still share some common values and work together on key common infrastructure to achieve those values.

Ethereum is trying to take the pluralistic route.

There have been other attempts at a similar kind of two-level approach. The most notable one that I can think of is the delegated proof of stake (DPoS) system in EOS back in the 2017 era. EOS's DPoS worked by having coin holders vote on which delegates run the chain. The delegates would be responsible for creating blocks, and coming to consensus on others' blocks, and they would also get a large amount of coins from EOS issuance.
Delegates ended up doing a lot of community building in order to attract votes, and many of these "nodes" (eg. EOS New York, EOS Hong Kong), ended up being recognizable brands in their own right.

This ended up being an unstable system, because coin voting is inherently unstable, and because some powerful actors in the EOS ecosystem turned out to be greedy jerks that siphoned away lots of money that was raised on behalf of the community for personal gain. But while it worked, it showed an amazing property: it created strong highly-autonomous sub-communities that were still working together toward a common goal. EOS New York, one of the top EOS block producers, even ended up writing quite a bit of open-source infrastructure code.

When this approach works successfully, it also creates a kind of healthy competition. By default, a community like Ethereum has a natural tendency to rally around people who have been in the community for a long time. This has an advantage that it can help preserve the community's values as the community rapidly grows - it reduces the chance that Ethereum stops caring about freedom of speech or open source even if unfavorable winds come in from the outside world. But it also risks shifting attention away from technical competence and toward social games, allowing established "OGs" to remain entrenched even if they underperform, and limiting the culture's ability to renew itself and evolve. With a healthy "subculture culture", these problems can be mitigated: entire new subcommunities can rise and fall, and people who succeed within subcommunities can even start contributing to other aspects of Ethereum. In short, less legitimacy by continuity, more legitimacy by performance.

We can also examine the above story to identify possible weak points. Here are a few that come to mind:

Collapse into echo chambers: essentially, the same failure modes that I talked about in my previous post, but for culture.
L2s start acting like separate universes, with little cross-pollination between them.
Collapse into monoculture: whether due to shared human biases or shared economic incentives (or too strong of a unified Ethereum culture), everyone ends up looking in similar places for what applications to build and perhaps even what technical choices to make, and this ends up being the wrong place. Alternatively, either a single L2 or a small number of L2s gets entrenched, and there is no longer a functioning mechanism for new people and subcommunities to rise.
The vector favored by competition is wrong: L2s that focus on use cases that succeed in some narrow financial sense, but at the expense of other goals, appear successful, and more and more communities go in that direction over time.

I do not claim to have perfect answers to these; Ethereum is an ongoing experiment, and part of what excites me about the ecosystem is its willingness to tackle difficult problems head-on. Many of the challenges stem from incentive misalignments; the natural solution to that is to create better ecosystem-wide incentives for collaboration. The idea I mentioned in my previous post, of creating a "Basic Infrastructure Guild" to complement Protocol Guild is one option. Another option is to explicitly subsidize projects that multiple L2s choose to collaborate on (ie. something vaguely like quadratic funding, but focusing on bridging ecosystems rather than bridging individuals). There is a lot of value in trying to expand on these ideas, and keep working to make the best of Ethereum's unique advantage as a pluralistic ecosystem.
October 22, 2024