Falcon is a lattice-based post-quantum digital signature scheme, notable for its relatively small signature and public key sizes, as well as fast signing and verification times.

The code here demonstrates the integration of Falcon-512 into Bitcoin Core as a soft fork, along with benchmark tests and comparisons with traditional ECDSA. The results highlight Falcon’s advantages over currently selected post-quantum signature algorithms like SPHINCS+ and ML-DSA, which face significant time and space constraints.

BTC L2 Citrea Mainnet Launch: Introducing Clementine Bridge Based on BitVM2 and ctUSD Stablecoin

Citrea has officially launched its mainnet and issued a native stablecoin, ctUSD. The core component is the Clementine Bridge, which maps Bitcoin (BTC) to on-chain equivalent assets (cBTC) for use in DeFi applications.

The bridge’s security model relies on BitVM2 combined with ZK/optimistic verification. It only requires one honest participant to ensure asset security and does not rely on fully trusted custodians or multisig parties.

Citrea’s native stablecoin ctUSD is issued via MoonPay and built on the M0 stablecoin infrastructure, designed to meet institutional-grade compliance. It aligns with the upcoming GENIUS Act guidelines.

The First Permissionless BTC-ADA Bridge, BIFROST, Coming Soon

FluidTokens announced that BIFROST, the first bridge connecting Bitcoin and Cardano, is in its final development stage. The bridge enables Bitcoin to be used within Cardano’s decentralized finance ecosystem, supports atomic swaps, and directly facilitates cross-chain liquidity.

BIFROST’s innovation lies in leveraging Cardano’s existing security infrastructure—Stake Pool Operators (SPOs)—to safeguard BTC locked on Bitcoin, rather than relying on wrapped tokens or federated bridges. To address the fact that SPOs cannot directly observe Bitcoin state, BIFROST uses Watchtowers—open participants who compete to submit confirmed Bitcoin blocks to Cardano. Anyone, including end users, can become a Watchtower. This permissionless design eliminates the trust assumptions present in most cross-chain bridges.

BIFROST prioritizes security and availability over speed or low cost.

More technical details: BIFROST Technical Documentation

BLISK Framework: New Complex Boolean Logic Encoding for Optimized Bitcoin Authorization

A recent study introduced BLISK, a framework that compiles monotone Boolean authorization policies into a single signature verification key. BLISK ensures that only the subset of signers satisfying the policy can produce a standard, constant-size aggregated signature.

BLISK achieves this by using:

• n-of-n multisig to implement “AND” logic;
• Key agreement protocols to implement “OR” logic;
• Verifiable group operations (e.g., based on the 0-ART framework).

Additionally, BLISK avoids Distributed Key Generation (DKG), allowing users to reuse long-term keys; supports publicly verifiable policy compilation; and implements non-interactive key rotation.

By compiling monotone Boolean policies into a single verification key, BLISK enables fine-grained control over who can spend Bitcoin without compromising privacy or efficiency. It keeps policy complexity off-chain while leveraging cryptographic primitives such as MuSig2, Elliptic Curve Diffie-Hellman (ECDH), and non-interactive zero-knowledge proofs, ensuring privacy and security without reducing the expressiveness of transactions.

Reducing PoW Dependence on Mempool and Consensus Time via Compressed Blocks and Delayed Verification

The author points out that although current proof-of-work (PoW) blockchain protocols show significant potential, they still face inherent limitations in scalability, efficiency, and decentralization. While compact block propagation reduces bandwidth and propagation delay under ideal network conditions, performance suffers in practice due to mempool inconsistencies among nodes.

This paper proposes a new block propagation and consensus protocol designed to reduce reliance on mempool synchronization. By redefining the PoW process, nodes can start mining immediately on compressed transaction IDs within a block, even before fully verifying transactions. Full transaction validation occurs in parallel via delayed verification.

Results show that this approach can process more transactions faster while maintaining Bitcoin’s decentralization and security. For example, with 10MB blocks, it achieves approximately 66.7 TPS.

OptiBridge: Trustless, Low-Cost Bridge Between Lightning Network and Ethereum

The authors note that conventional bridge designs assume that events on the source ledger are publicly observable. However, in layer 2 payment channels like Lightning, channel state updates occur off-chain and are private between counterparties.

To address this, they propose OptiBridge, a bridge connecting a payment channel (e.g., Lightning Network) to a smart contract blockchain (e.g., Ethereum). It guarantees safety and liveness without introducing additional trust assumptions and is fully compatible with existing Lightning and Ethereum technology stacks.

Under normal conditions, OptiBridge uses an optimistic execution path: if both channel parties are honest, they reveal a pre-agreed secret to materialize the intended state on the target chain. To handle faults and adversarial behavior, OptiBridge provides a dispute path via a contract deployed only when necessary.

In the optimistic path, deployment and proof costs are significantly reduced. In dispute scenarios, contract deployment costs 2,785,514 gas, with core dispute calls costing even less. Analyses show rational users will strictly prefer the optimistic path, while the dispute mechanism prevents fund theft and imposes higher penalties and delays for protocol deviations.

Falcon 是一种基于格点（lattice-based）的后量子数字签名方案，特点是签名和公钥大小较小，签名和验证时间较短。

该代码（GitHub repo: bitcoin-falcon）演示了 Falcon-512 在 Bitcoin Core 中作为软分叉的集成和基准测试，并提供了与传统 ECDSA 方案的比较。比较结果显示出了 Falcon 之于当前选择的后量子签名算法（如 SPHINCS+ 和 ML-DSA）的优势，后者面临较大的时间和空间限制。

BTC L2 Citrea 主网上线：引入基于 BitVM2 的 Clementine 桥与稳定币 ctUSD

Citrea 正式上线主网，并推出原生稳定币ctUSD。其核心是 Clementine 桥，它把比特币资产（BTC）映射为链上等价资产（cBTC），供 DeFi 应用使用。桥的安全模型基于 BitVM2 + ZK/乐观验证机制，依赖至少一名诚实参与者即可保证资产安全，而不需要完全信任中心化托管或多签方。

Citrea 推出的原生稳定币 ctUSD 由 MoonPay 发行，基于 M0 稳定币基础设施，设计为机构级合规。符合即将发布的《天才法案》指南。

首个 BTC-ADA 的无需许可桥接 BIFROST 即将上线

FluidTokens 表示，链接 Cardano 和比特币的首个桥接方案 BIFROST 已进入最后开发阶段。该桥将使比特币能够在 Cardano 的去中心化金融生态系统中使用，支持原子互换，并直接实现两条链间的流动性流动。

BIFROST 的创新在于重新利用 Cardano 现有的安全基础设施 Stake Pool Operators（SPOs）来保护比特币上被锁定的 BTC，而并不是某种包裹代币或联邦桥（federated bridge）。而对于 SPO 无法直接看到比特币的状态的问题，BIFROST 采用了 Watchtower。这是一组开放的参与者，它们相互竞争，将已确认的比特币区块写入 Cardano。任何人——包括终端用户自身——都可以成为 Watchtower。BIFROST 通过这种无需许可设计，消除了困扰大多数跨链桥的信任假设。

此外，Bifrost 的建造首要地是确保安全性和可用性，而非速度或低成本。

关于 Bifrost 的更多技术细节见：https://github.com/FluidTokens/ft-bifrost-bridge/blob/main/documentation/technical_documentation.md

BLISK 框架: 新的复杂布尔逻辑编码机制，优化比特币授权

这项研究引入了 BLISK，这是一个能将单调布尔授权策略（monotone Boolean authorization policy）编译为单一签名验证密钥的框架。BLISK 使只有满足授权条件的签名者子集，才能生成标准的、常数大小的聚合签名。

BLISK 通过组合以下机制实现上述目标：

• 使用 n-of-n 多签实现“与“逻辑（合取）；
• 使用密钥协商协议（key agreement protocols）实现”活“逻辑（析取）；
• 使用可验证群运算（verifiable group operations）（如基于 0-ART 框架 的方案）。

此外，BLISK 避免了分布式密钥生成（Distributed Key Generation, DKG），允许用户复用其长期密钥；同时支持可公开验证的策略编译（publicly verifiable policy compilation），并实现了非交互式密钥轮换（non-interactive key rotation）。

这一开发通过将单调布尔策略编译成单一签名验证密钥，从而实现了对谁可以使用比特币的细致控制，同时不影响隐私或效率，从而将政策复杂性保持在链外。该方法利用了如 MuSig2、椭圆曲线 Diffie-Hellman（ECDH）和非交互零知识证明等密码学原语，确保隐私和安全，同时保持数字货币交易的表现力。

通过压缩区块与延迟验证，减小 PoW 对 Mempool 的依赖并缩减共识时间

作者指出，尽管现有基于工作量证明（PoW）区块链协议展现了显著的创新潜力，但在可扩展性、效率与去中心化方面仍然面临固有的限制。紧凑区块传播（compact block propagation）方法虽然在理想网络环境下能够有效降低网络带宽消耗与传播延迟，但由于各节点之间 mempool 不一致，其性能在实际运行中会明显下降。

本文提出了一种新的区块传播与共识协议，旨在缓解区块链对 mempool 同步的依赖。该方法通过重新定义 PoW 过程，即便在区块尺寸增大的情况下，也能显著缩短达成共识的时间。具体而言，该方案在紧凑区块中引入了一份压缩后的交易输入 ID 列表，使节点在尚未完成完整验证之前即可立即开始挖矿。交易的完整验证则采用一种延迟验证机制，与挖矿过程并行执行。结果表明，在保持比特币去中心化与安全性的前提下，该方案能够更快地处理更多交易，例如在 10MB 区块大小的情况下，实现约 66.7 TPS 的吞吐量。

OptiBridge：闪电网络与以太坊间的无需信任、低成本桥接

研究者指出，传统桥的设计通常隐含一个假设：源账本上的事件是公开可观测的。然而，这一假设在闪电网络这样的二层支付通道中并不成立——通道状态更新是在交易对手之间的链下进行，对外界不可见。这一促使了他们为该场景重新设计桥协议。

在本文中他们提出一种连接支付通道（如闪电网络）与智能合约区块链（如以太坊）的桥协议 OptiBridge。它在不引入额外信任假设的前提下，同时保证安全性与活性，并且完全兼容现有的闪电网络与以太坊技术栈。在常见情况下，OptiBridge 采用乐观执行路径：当通道中的两方均为诚实时，它们通过揭示事先约定的秘密（pre-agreed secret），在目标链上具现（materialize）预期的状态。为了处理故障和对抗行为，OptiBridge 提供了一条由更具表达力的契约编排的争议路径（dispute path），该契约仅按需部署。在乐观路径下，OptiBridge 可显著降低合约部署和证明提交的成本；当处理争议时，争议合约的部署成本为 2,785,514 gas，且核心争议调用的成本更低。分析表明，理性用户会严格偏好乐观执行路径；而争议机制则能够防止资金被盗，并对偏离协议的一方施加更高的费用与延迟惩罚。

BIP110 was proposed in early December 2025, introducing a temporary, consensus-level limit on the amount of data transmitted in transactions, aimed at mitigating spam. According to data from BitcoinPortal, as of January 30, 1097 out of 23217 Bitcoin nodes (~4.7%) signal support for the BIP110-based soft fork. Support is limited to Bitcoin Knots nodes, with no signals from the top 20 mining pools.

QRAMP: A Two-Phase “Quarantine Mode” for Post-Quantum Migration

Bitcoin developer Bnav proposed a new approach to addressing quantum threats, as an alternative to “freeze/sunset legacy signatures” in QRAMP (Quantum‑Resistant Address Migration Protocol).

The proposal introduces a “quarantine mode” for legacy spending. Instead of making old ECDSA outputs invalid after a cutoff, existing Bitcoin UTXOs would remain spendable after post-quantum activation, but only through an on-chain two-phase “commit → spend” process. Users must first submit a commitment transaction that binds the final recipient address and amount. After sufficient confirmations, the actual spend can occur, preventing destination tampering even if private keys are compromised by quantum attacks.

This scheme requires consensus enforcement, does not rely on historical tx lookups (pruned nodes / no txindex), and allows recipients to pay fees on behalf of senders to improve usability. The goal is to provide Bitcoin with a smoother, more practical post-quantum migration path.

BitMEX: Dual Taproot Spending for Pre- and Post-QDay

BitMEX Research introduces a quantum safe Taproot design that allows a Bitcoin output to be spent via two tapleaves: one quantum safe and one quantum vulnerable.

Before QDay, users can continue using the more efficient, quantum vulnerable path and benefit from smaller signatures. Given the uncertainty around the timing of QDay and the long safety buffer required by any coin-freezing scheme, the author argues that such flexibility is not only desirable, but potentially necessary.

Eliminating Silent Payments Scanning with Nostr Notifications

Setavenger proposed a design that uses Nostr (or other channels) to send notifications for Silent Payments, eliminating the scanning effort for individual transactions. This builds on the idea of “Stealth addresses using Nostr.”

Under this design, senders notify recipients via Nostr with the transaction ID and tweak data, allowing wallets to immediately locate and verify received funds without full scanning. If notifications are missing or untrusted, wallets can always fall back to on-chain scanning. This preserves privacy while significantly improving efficiency, especially for mobile wallets. The approach is wallet-agnostic; Nostr is merely an optional communication layer.

Parallelization Brings Post-Quantum Signature Verification Throughput Close to Schnorr

Conduition demonstrated that the common assumption that post-quantum signature schemes like SLH-DSA (SPHINCS+) are impractically slow may be misleading. By leveraging massive parallelism, performance changed dramatically.

Using a custom tool called slhvk, built on the Vulkan API and running on GPUs or multi-core CPUs, Conduition showed that SLH-DSA signature verification throughput can match—or even exceed—that of traditional schemes like Bitcoin’s Schnorr signatures. Under heavy load, the parallelized SLH-DSA-SHA2-128s verifier achieved performance comparable to single-threaded Schnorr verification, though still slower than multi-threaded Schnorr.

A Mathematical Theory of Payment Channel Networks

René Pickhardt posted a new paper, A Mathematical Theory of Payment Channel Networks, formalizing several long-standing observations about payment channel networks—particularly the Lightning Network—within a geometric framework.

The paper addresses phenomena such as channel depletion, capital inefficiency of two-party channels, the benefits of channel factories, and the idea that the true bottleneck is feasibility rather than routing. The work aims to explain why these issues are structurally true and how they are connected.

Argo Delivers Another 1000x Off-Chain Cost Reduction for BitVM3

Robin Linus, Liam Eagen, and Ying Tong Lai introduced the {ideal} project, whose first contribution is a new garbled-circuit scheme, Argo. Building on prior BitVM3 efficiency gains, Argo reduces off-chain costs by another 1000×, resulting in an overall 2000× efficiency improvement.

Argo MAC efficiently encodes elliptic curve point bit decompositions into homomorphic message authentication codes (MACs), significantly improving the efficiency of the garbling process.

Epoch Bitcoin 2026 Report: Bitcoin L2s Consolidate Around Technical Credibility

Bitcoin infrastructure-focused VC firm Epoch recently released its Bitcoin Ecosystem 2026 Annual Report, covering themes such as: price action, adoption, media perception, treasury companies, business models, protocol development, regulation, and venture capital.

In the Protocol section, the report highlights:

• The Bitcoin protocol landscape consolidated in 2025. Most nominal L2 projects failed to achieve either decentralization or real usage, while only a small number of technically credible systems continue shipping.

• A clear divergence between technical scaling and economic scaling: the former extends Bitcoin’s security model off-chain, while the latter is dominated by ETFs and wrapped BTC exposure products that capture most capital inflows.

• From a user perspective, cross-chain bridges remain a “binary custody” problem. Demand is polarizing toward either extreme convenience (ETFs and custodial wrapped assets) or extreme sovereignty (script-enforced unilateral exits), leaving middle-ground designs at a disadvantage.

Looking ahead to 2026, the report argues that the real inflection point is not throughput, but custody. Extending self-custodied BTC into more expressive execution environments could reshape the competitive landscape and favor systems truly anchored to Bitcoin’s security model.

New ECDLP Quantum Circuit Advances Put P-224 at Minute-Level Risk

A recent study presents optimized quantum circuits for implementing Shor’s algorithm on elliptic curves. The authors introduce improved quantum point-addition circuits that reduce circuit depth while balancing qubit counts, achieving up to a ~40% improvement in the qubit-count × depth metric compared to prior work.

Based on these circuits, the study reassesses the post-quantum security of elliptic curve cryptography. Under NIST’s MAXDEPTH constraint (limiting circuit depth to 2⁴⁰), the maximum depth for P-521 is 2²⁸—well below the threshold. For another NIST metric—the product of total gate count and full circuit depth—the complexity on the same curve is 2⁶⁵, far below the 2¹⁵⁷ requirement for post-quantum security level 1.

The authors also estimate fault-tolerant physical resource costs. P-224 (roughly equivalent to RSA-2048) could be broken in 34 minutes using 19.1 million physical qubits, or in 96 minutes with 6.9 million physical qubits using their optimized methods.

RISC-V ISA Extensions Boost Multi-Precision Crypto Arithmetic

This paper proposes instruction set extensions for RISC-V (RV32I / RV64I) that enhance unsigned integer multiplication, addressing the minimalism of existing instructions. Designed for cryptography and other multi-precision-heavy workloads, the extensions add multiply-accumulate and carry-handling instructions.

Experimental results show that for X25519 scalar multiplication, the extensions yield performance improvements of 1.5× (full radix) and 1.6× (reduced radix) on RV32I, and 1.3× and 1.7× respectively on RV64I.

World Economic Forum 2026 Signals Digital Assets as Financial Infrastructure

At the 2026 World Economic Forum Annual Meeting, prominent industry figures—including David Sacks, Coinbase CEO Brian Armstrong, Binance’s CZ, Ripple’s Brad Garlinghouse, and Cardano’s Charles Hoskinson—participated in discussions on integrating digital assets into mainstream finance, regulatory frameworks, tokenization, and stablecoins.

The Davos 2026 discussions signaled that digital assets have transitioned from fringe speculative tools to core components of global financial infrastructure. The focus has shifted from disruption to regulatory compliance and tokenization. Stablecoins were repeatedly described as “internet-native money,” with growing recognition of their role in cross-border trade, humanitarian aid, and small-business financing.

Key takeaways include:

• Blockchain as infrastructure: Moving from experimental deployments toward enterprise-grade integration into core financial systems.

• Regulatory clarity driving adoption: Regulated stablecoins and digital assets are seeing broader institutional and corporate uptake.

• Improved financial access: Stablecoins lower barriers for cross-border payments, humanitarian aid, and small-business financing, enabling faster, cheaper, and more transparent value transfer.

• Systemic transformation and technological convergence: Tokenized assets, AI-driven systems, and future quantum technologies are reshaping financial flows—while introducing new technical and economic challenges.

Overall, cryptocurrencies and digital assets are entering a “systems phase”: no longer experiments, but integral components of global financial flows and infrastructure.

Related articles and discussions:

• A digital economy at an inflection point: What to expect for digital assets in 2026

• The new foundation of global finance: a dialogue between banks and blockchains

• How stablecoins can expand financial access to the most underserved and unbanked

• Meeting session: New era for finance

BIP110 于 2025 年 12 月初提出，建议对交易中传输的数据大小设定临时共识级别限制，旨在打击垃圾邮。根据 BitcoinPortal 数据，截至 1 月 30 日，比特币区块链中 23217 个节点中有 1097 个（~4.7%） 支持 BIP110 软分叉。支持仅来自运行 Bitcoin Knots 的节点，而前 20 大矿池尚未发出任何支持信号。

QRAMP：两阶段“隔离模式”优化后量子迁移

比特币开发者 Bnav 提出了一种应对量子威胁的新思路，作为“抗量子地址迁移协议”（QRAMP, Quantum‑Resistant Address Migration Protocol）等方案中提议的“冻结或终止传统 ECDSA 签名”的替代方案。

该提案引入隔离模式（quarantine mode）的传统花费机制：不同于让遗留的 ECDSA 支出在截止后失效的方式，这种模式让旧的比特币 UTXO 在后量子激活后仍可使用，但必须通过链上“两阶段承诺→花费”的流程。用户需先提交一笔绑定最终收款地址和金额的承诺交易，待其获得足够确认后，才能进行实际花费，从而在私钥可能被量子破解的情况下防止目的地被篡改。该方案须通过共识强制执行，且不进行历史交易查询（修建节点/无交易索引），并允许接收方代付手续费以改善用户体验，旨在为比特币提供一种更平滑、可用性更高的后量子迁移路径。

BitMEX：采用双重 Taproot 路径兼顾 QDay 前后的效率与安全

BitMEX Research 主张引入一种新的量子安全的 Taproot，让钱包能够用两种方式来花费同一笔比特币输出：分别是量子安全和量子脆弱的 tapleaf。在 Qday 来临之前，用户可以一直使用量子脆弱但更高效的方式来花费比特币，享受更小签名带来的效率优势。鉴于 Qday 何时到来存在不确定性，以及任何冻结币方案都需要较长的安全缓冲期，作者认为这种特性不仅是理想的，甚至可能是必不可少的。

利用 Nostr 发送通知，消除静默支付的扫描开销

开发者 setavenger 提出了一种通过 Nostr（以及其他通信渠道）发送静默支付（Silent Payments）通知的设计，以消除对单笔交易进行扫描的开销。这也是“使用 nostr 的隐形地址（Stealth addresses using nostr）”想法的延伸。

该设计的主要想法是：发送者无需让接收者的钱包逐一检查所有交易，而是通过 Nostr 发送一条包含交易 ID 和微调数据的通知，使接收者能立即定位并验证自己的款项，无需进行全链扫描；一旦通知缺失或不可信，接收方也始终可以退回到链上扫描。这在保持隐私的同时提升了移动端钱包的运行效率，并保留了区块链作为可靠的备选方案。此外，该方案不依赖特定钱包实现，Nostr 只是可选通信层。

并行化使后量子签名验证吞吐量接近 Schnorr

Conduition 通过一个测试，挑战了后量子签名算法 SLH-DSA (即 SPHINCS+) 因速度太慢而无法实用的传统观念，并证明通过大规模并行化处理可以彻底改变其性能。他使用一个名为 slhvk 的自定义工具，利用 Vulkan API 将任务运行在 GPU 或多核 CPU 上，展示了其签名验证吞吐量实际上可以达到甚至超过比特币 Schnorr 签名等传统算法。结果显示，在高负载下，其使用的并行化 SLH-DSA-SHA2-128s 验证器性能可与单线程 Schnorr 签名验证器媲美，但不如多线程的 Schnorr。

《支付通道的数学理论》：通过形式化认识支付通道的局限

René Pickhardt 发布了他的新论文 《支付通道网络的数学理论》（A Mathematical Theory of Payment Channel Networks），将他关于支付通道网络——尤其是闪电网络——的几个长期观察，在一个几何框架下进行了形式化。论文讨论的具体现象包括：通道耗尽、两方通道（two-party channels）的资本低效、通道工厂的好处、以及真正的瓶颈是可行性而非路线规划的观点。这项工作旨在解释以上问题为何是结构性真实的，以及它们之间的联系。

Argo 再将 BitVM3 的链下成本降低 1000 倍

Robin Linus、Liam Eagen 和 Ying Tong Lai 推出了 {ideal}。其首个贡献是一个新的混乱电路方案 Argo，由此在 BitVM3 提效的基础上，将链外成本再次降低 1000 倍，实现了 2000 倍的效率提升。

Argo MAC 能够高效地将椭圆曲线点的比特分解编码，转换为该点的同态 MAC（Message Authentication Code），使得混淆过程更加高效。

Epoch 比特币 2026 报告：L2 大浪淘沙，唯技术可信者仍在持续交付

专注于比特币基础设施的风险投资公司 Epoch 于近日发布了 2026 比特币年度生态系统报告。主题包括：价格行为、采用、媒体认知、国债公司、商业模式、协议、监管、风投。

在“协议”板块，报告特别指出：

• 比特币协议生态在 2025 年进入整合期：大多数名义上的 L2 项目既未能实现去中心化，也未能吸引真实使用，而只有少数在技术上具备可信度的系统仍在持续交付。

• 技术扩容与经济扩容出现了明显分化：前者专注于将比特币的安全模型延展至链下，而后者则主要由 ETF、封装 BTC 等资产敞口型工具主导，吸纳了绝大部分资金流入。

• 从用户视角看，跨链桥仍然是一个“二元托管”问题：需求正在向两个极端分化——要么是极致便利（ETF 和托管型封装资产），要么是极致主权（由脚本强制保障的单方面退出），使得介于两者之间的设计处于劣势。

对于 2026 年，报告认为真正的关键拐点不在于吞吐量，而在于托管模式：若能将自托管的 BTC 扩展到更具表达力的执行环境中，将会显著重塑竞争格局，并使那些真正锚定比特币安全模型的系统占据优势。

ECDLP 新型量子电路降低 Shor 成本，使 P-224 面临分钟级破解风险

本研究改进了在椭圆曲线上实现 Shor 算法的量子电路。研究者提出了经过优化的量子点加法电路（quantum point addition circuits）旨在降低电路深度，同时兼顾量子比特数量。与此前的研究相比，该方案显著降低了电路深度，并在“量子比特数深度积乘”（qubit count-depth product ）这一指标上取得了最高约 40% 的改进。

基于以上量子电路，研究重新评估了椭圆曲线密码学的后量子的安全性。根据 NIST 提出的最大深度（MAXDEPTH）约束（该约束限制了量子电路的最大深度为 2⁴⁰），其方案在 P-521 曲线上的最大电路深度为 2²⁸，明显低于该阈值。对于 NIST 用于评估量子攻击抗性的另一项指标——总门数与完整电路深度的乘积(total gate count and full depth product)——在同一曲线上的最大复杂度为 2⁶⁵，也远低于后量子安全等级 1 所要求的 2¹⁵⁷ 。

此外，研究者还估算了破解椭圆曲线密码学在物理资源层面的容错成本。结果显示，P-224 曲线（其安全性相当于 RSA-2048）在使用 1910 万物理量子比特时可在 34 分钟内被破解，而在该研究提出的两种优化方法下，使用 690 万物理量子比特在 96 分钟内可被突破。

RISC-V ISA 扩展显著提升多精度密码计算性能

这篇论文提出了一种针对 RISC-V（RV32I / RV64I）的指令集扩展，用更强的无符号整数乘法（unsigned integer multiplication）支持来弥补现有乘法指令过于精简的不足。该设计主要面向密码学等高度依赖多精度运算的场景，通过引入乘加与进位相关指令来实现性能的显著提升。实验结果表明，在基于 X25519 的标量乘法中，使用该指令集扩展在 RV32I 上可分别带来 1.5×（全基数） 和 1.6×（缩减基数） 的性能提升；在 RV64I 上则可分别获得 1.3×（全基数） 和 1.7×（缩减基数） 的性能提升。

2026 世界经济论坛：数字资产迈入金融基础设施阶段

在 2026 年的世界经济论坛（World Economic Forum）年会上，包括 Coinbase CEO Brian Armstrong、David Sacks、Binance 的 CZ、Ripple 的 Brad Garlinghouse、Cardano 的 Charles Hoskinson 等在内的加密圈活跃者，参与了数字资产融入主流金融、监管框架、代币化和稳定币等议题的讨论。

2026年达沃斯会议表明，数字资产已从边缘化的投机工具转向全球金融基础设施的关键组成部分。焦点从颠覆性创新转向合规监管和代币化。稳定币也被称为“互联网原生货币”，它在跨境贸易、人道主义援助和小企业融资等领域的意义也正被逐渐重视。

主要亮点：

• 区块链基础设施化：从实验性部署走向企业级应用，逐渐成为核心金融系统的一部分。

• 监管清晰推动采用：受监管的稳定币和数字资产得到机构和企业广泛采纳，扩展性提升。

• 金融可及性提升：稳定币降低跨境支付、人道援助和小企业融资的门槛，使资金传输更快、更透明、成本更低。

• 系统重塑与技术融合：代币化资产、人工智能驱动系统和未来量子技术正在改变金融流动，同时也带来技术和经济竞争的挑战。

整体来看，加密货币和数字资产正进入一个“系统阶段”，不再只是实验，而是全球金融流动和基础设施的重要组成部分。

相关文章与讨论链接：

• 数字经济正处于拐点：2026年数字资产的展望

• 全球金融的新基础：银行与区块链之间的对话

• 稳定币如何扩大金融服务最匮乏和银行服务最匮乏人群的金融访问

• New Era for Finance 讨论

Bruno Garcia introduced his work on improving mutation testing in Bitcoin Core. This technique evaluates testing effectiveness by intentionally adding systemic bugs (mutants) in the codebase: if a test fails, the mutant is “killed,” indicating the test can catch the error; if a test passes, the mutant “survives,” revealing insufficient coverage or gaps in the tests.

The goal of this work is to improve the efficiency of incremental mutation testing. Bruno Garcia validated his approach across eight pull requests, collecting feedback and suggesting changes to address mutants.

Bitcoin’s BIP Process Updated with BIP3

BIP3 defines the preparation and publication process for Bitcoin Improvement Proposals. A recently deployed update to BIP3 replaces BIP2 as the primary guideline for the BIP workflow.

While BIP3 retains most of the existing process, it introduces several simplifications and improvements. These include removing the comment system; reducing the number of BIP statuses from nine (Draft, Proposed, Active, Final, Rejected, Deferred, Withdrawn, Replaced, and Obsolete) to four (Draft, Complete, Deployed, and Closed); updating preamble headers; replacing Standards Track type with Specification type.

For more details see the change summary.

New Transaction Privacy Broadcasting Mechanism Merged into Bitcoin Core

A new transaction privacy broadcasting mechanism (GitHub PR) has been merged into Bitcoin Core. It allows locally submitted transactions (from the sendrawtransaction RPC) to be broadcast to the P2P network using Tor or I2P short-lived connections, or to IPv4/IPv6 peers via Tor, improving transaction-level privacy.

SHA-256 Visualization Tool Released: Intuitive Understanding of Hash Computation

The Bitcoin Dev Project has released a SHA-256 visualization tool, Hash Explained, providing animated, interactive demonstrations of how cryptographic functions transform input text into hash values.

Users can step through each stage of the computation to gain an intuitive understanding of complex cryptographic concepts such as padding and compression.

For more details see the GitHub repo.

Efficient Bitcoin Metaprotocol Transactions and Data Discovery via nLockTime Reuse

The Lockchain Protocol is a lightweight Bitcoin meta-protocol that enables efficient transaction discovery at zero marginal block space cost, and data verification without introducing any new on-chain storage mechanism.

The protocol repurposes the mandatory 4-byte nLockTime field in every transaction as a compact metadata header. By constraining its value to an unused range of past Unix timestamps (≥ 500,000,000), it encodes protocol signal, type, variant, and sequence identifier while remaining fully valid under the existing Bitcoin consensus and policies.

Its primary contribution lies in efficient transaction discovery: indexers only need to inspect a fixed-size header field to filter candidate transactions, independent of transaction payload size. Heavier data, such as OP_RETURN outputs or witness fields, can then be selectively parsed as needed. This approach requires no new cryptographic primitives or storage mechanisms.

See more details in the paper.

Breaking Elliptic Curve Cryptography with Cross-Axis Transformers

Researchers point out that while Elliptic Curve Cryptography (ECC) is widely deployed, it has seen limited systematic security testing. Exploits against ECC already exist, and with increasing computational power—alongside distributed, federated computing on the rise—the eventual erosion of ECC’s current security guarantees become inevitable.

The study explores the use of modern language model architecture in cracking the association between a known public key, and its associated private key, by reverse-engineering the public–private keypair generation process. It also evaluates whether modern machine learning models can memorize secp256r1 keypairs and whether such memorization could reverse engineer the keypair generation process. The work emphasizes that “proof-for” are equally valuable as “proof-against” for understanding ECC security.

For more details see the paper.

APoW: Auditable Proof-of-Work to Prevent Block Withholding Attacks

To address Block Withholding Attacks (BWAs) in pooled mining, Fairgate proposes APoW (Auditable Proof-of-Work), which elevates auditability to a first-class property, without relying on trusted hardware, interactive protocols, or centralized pool secrets.

At the core of APoW is v-diging (verification mining). Miners can be assigned to re-scan the same nonce space previously explored by another miner, using a modified PoW condition based on pattern matching rather than leading zeros. If a miner claims to have honestly searched a region, APoW provides a statistically meaningful chance of detecting withheld valid block solutions during verification.

Although APoW requires consensus-layer changes and poses challenges for existing ASICs, it opens a new design space for proof-of-work systems: one where mining effort itself is auditable, enabling stronger security guarantees and more robust decentralized coordination.

For more details see the paper.

BABE: Reducing BitVM3 Proof Costs by 1000×

A new proof verification protocol, BABE, introduces a low-cost verification scheme that preserves BitVM3’s on-chain cost advantages while reducing its off-chain storage and setup costs by approximately 1000×.

BABE uses witness encryption for linear pairing relations to verify Groth16 proofs, augmented with a secure two-party computation (2PC) protocol implemented using an efficient garbled circuit for scalar multiplication on elliptic curves. The garbled circuit design builds on recent work on Argo MAC (see below), which introduces an efficient garbling scheme for computing homomorphic MACs on such curves.

New Garbling Primitive Argo MAC: 1000× Efficiency Gain for Garbled SNARKs

Argo MAC is a new garbling primitive that efficiently translates from an encoding of the bit decomposition of a curve point to a homomorphic MAC of that point. This approach significantly simplifies SNARKs verification using garbled circuits and reduces circuit size by roughly 1000×.

Bruno Garcia 介绍了他在改进变异测试（mutation testing）方面的工作 。该技术通过向代码库中引入系统性缺陷（变异体 / mutants）来评估测试的有效性：测试失败则变异体“被杀死”，表明测试能够捕获该错误；测试通过则变异体“存活”，说明测试存在缺陷或覆盖不足。

这项工作的目的是提升增量突变测试的效率。Bruno Garcia 在八个公认测试中验证了他的方法并收集反馈，提出针对变异体的改进建议。

比特币的 BIP 流程已更新至 BIP3

BIP3 是关于 BIP 准备及发布流程的提案。近日部署的 BIP3 更新了比特币改进提案（BIP）准备与发布流程，取代了 BIP2 作为指导方针。

BIP3 保留了大部分流程，但做了若干简化和改进，包括取消评论系统，BIP 状态数量从九个（草稿、提案、活跃、最终、拒绝、延期、撤回、替换和过时）减为四个（草案、完成、部署和关闭），前言 header 更新，标准轨道类型（Standards Track type）改为规范类型（Specification type）。

详情见变更概览。

新交易隐私播报机制并入 Bitcoin Core

新交易隐私播报机制（GitHub PR）已合并，可通过短期 Tor 或 I2P 连接，将本地提交的交易（sendrawtransaction RPC）广播至 P2P 网络，或通过 Tor 向 IPv4/IPv6 节点广播，从而增强交易隐私。

SHA-256 可视化工具发布：直观理解哈希计算

Bitcoin Dev Porject 开发的 -256 可视化工具 Hash Explained 提供互动演示，呈现密码学函数将输入文本转换为哈希值的过程。用户可以逐步学习每个阶段的数学计算，更直观地理解复杂的加密概念，如 padding 和 compression。

详情见项目 GitHub。

通过 nLockTime 再利用，实现高效比特币元协议交易和数据发现

锁链协议（Lockchain Protocol）是一种轻量级的比特币元协议，可在零边际区块空间成本实现高效交易发现和数据验证，无需新增链上存储。

该协议利用每笔交易中强制的 4 字节 nLockTime 字段作为紧凑元数据头。通过限制其取值在未被使用且 ≥ 500,000,000 的历史 Unix 时间戳区间内，编码协议标识、类型、变体和序列号，同时保持共识和策略规则一致。

该协议的主要贡献在于高效交易发现：索引器仅需检查固定大小的头部字段，即可筛选候选交易，无需关心交易负载的大小；随后再选择性解析更“重”的数据，例如 OP_RETURN output 或 witness 字段，无需新增密码学原语或存储方法。

详情见论文。

利用交叉轴变换器，破解椭圆曲线密码公私钥

研究者指出，椭圆曲线密码学（Elliptic Curve Cryptography，ECC）虽广泛应用，但系统性安全测试不足；且针对 ECC 的攻击早已存在，且随着算力的提升，以及分布式、联邦式计算的不断发展，这些当前的“安全堡垒”逐渐走向失效只是时间问题。

她尝试利用现代语言模型架构，探索从公钥推导私钥的可能性，包括直觉学习并逆向工程公钥对的生成过程，从而在实质上破解椭圆曲线；此外还尝试评估现代机器学习模型对 secp256r1 公私钥对的记忆能力，并进一步测试其是否能够据此逆向推导公钥对的生成过程。研究强调，对 ECC 安全性的支持性证明与反证均有价值。

详情见论文。

APoW：可审计工作量证明防止阻挡攻击

针对池化挖矿的阻挡阻挠攻击（BWAs, Block Withholding Attacks），Fairgate 提出 APoW（Auditable Proof-of-Work）机制，将可审计性提升为一类属性，无需依赖可信硬件、交互协议或集中式池秘密。

APoW 的核心是 v-diging（verification mining，验证挖矿）：矿工可以被指派重新扫描另一台矿工之前探索过的同一 nonce 区域，使用基于模式匹配而非前置零点的修改 PoW 条件。如果矿工声称诚实地搜索了某个区域，APoW 使得在验证阶段检测到被保留的区块解决方案的可能性在统计上存在。

虽然 APoW 需要共识层面的变革，并为现有 ASIC 的部署带来挑战，但它为工作量证明系统开辟了一个新的设计空间：在这种空间中，挖矿工作本身可审计 ，从而实现更强的安全保障和更稳健的去中心化协调。

详情见 论文。

BABE: 降低 BitVM3 证明成本 1000 倍

BABE 协议提出一种新的低成本验证方案，在保留 BitVM3 链上成本优势的同时，将 BitVM3 链下存储和初始化成本降低约 1000 倍。

BABE 使用一种针对线性配对关系（linear pairing relations）的见证加密（witness encryption）验证 Groth16 证明，并结合了安全的两方安全计算（secure two-party computation, 2PC）协议；该协议通过一种用于椭圆曲线标量乘法的高效混淆电路来实现。

该混淆电路的设计基于近期的一项研究 Argo MAC（见下），该工作提出了一种高效的混淆方案，用于在此类曲线上计算同态 MAC。

新混乱原语 Argo MAC：提升混乱 SNARK 效率 1000 倍

Argo MAC 是一种新混乱原语 ，通过将曲线点编码转换为同态 MACs。该方案大大简化了混乱电路验证 SNARKs 的过程，让电路规模减少约 1000 倍。

Our first story features Tea (@teaplusplus11), creator of Quantum Purse (@quantumpurse), the industry's first SPHINCS+-based quantum-resistant wallet. He has built across ecosystems: EOS, Bitcoin, Ethereum, and now CKB.

Here he shares how he stumbled into CKB, why he decided to stay & build long-term, his appreciation for Proof of Work, and why good architecture + good people matter.

More Links

• Quantum Purse GitHub repo.

• Quantum Purse AMA on Reddit and the recap.

René Pickhardt proposed and discussed the idea of using Ark as a channel factory, rather than as an end-user payment solution.

Pickhardt’s idea focuses on the possibility that many channel owners could batch their channel liquidity changes (opens, closes, and splices) using Ark’s vTXO (virtual Transaction Outputs) structure. This approach can significantly reduce the on-chain cost of operating the Lightning Network, at the expense of some additional liquidity overhead. This additional liquidity overhead primarily occurs during the period between when a channel is forfeited and when the Ark batch it belongs to fully expires. By using Ark batches as efficient channel factories, Lightning Service Providers (LSPs) can provision liquidity to a larger number of end users more efficiently. The built-in batch expiration mechanism also allows LSPs to reclaim liquidity from idle channels without resorting to costly, dedicated on-chain force closes.

Routing nodes can benefit as well: instead of performing frequent individual splices, they can periodically rebalance liquidity across channels using Ark batches, resulting in more efficient channel management.

In the follow-up discussion, Vincenzo Palazzo noted that he has already implemented a proof-of-concept Ark channel factory.

Bithoven: A New Bitcoin Smart Contract Language Bridging Expressiveness and Formal Safety

The Bitcoin community is exploring a new smart contract language, Bithoven. Proposed as a response to Miniscript, its designers argue that while Miniscript provides essential abstractions for policy verification, it fails to model the full imperative logic required for complex contracts, leaving gaps in state management and resource liveness. By integrating a strict type checker and a resource liveness analyzer with a semantic control-flow analyzer, Bithoven eliminates major categories of consensus and logic defects defined in their fault model prior to deployment.

Paper: Bithoven: Formal Safety for Expressive Bitcoin Smart Contracts

Bitcoin-IPC: Scaling Bitcoin via PoS Subnet

This research introduces Bitcoin-IPC, a software stack and protocol designed to enable Bitcoin to function as a universal Medium of Exchange by supporting permissionless creation of fully programmable PoS Layer-2 chains (subnets). Assets staked on the subnets are denominated in BTC on Bitcoin L1, upon which the system relies for information propagation, settlement, and security.

Inspired by SWIFT messaging and embedded within Bitcoin’s SegWit framework, the design allows value transfers between different L2 subnets to be routed and settled via Bitcoin L1. Notably, without requiring any changes to Bitcoin L1, this approach can reduce the virtual byte cost per transaction (vB/tx) by up to 23×, increasing monetary transaction throughput from roughly 7 TPS to over 160 TPS.

Using Observable Mempools to Determine Transaction Timing and Fees

This study examines how transaction fees affect transaction inclusion priority. Currently, by inspecting their local mempool, a strategic user can delay transaction broadcasts and set fees as low as possible while remaining unconfirmed. However, due to the randomness of mining intervals, delayed broadcasts risk missing the next block. Meanwhile, fee bumping mechanisms allow users to increase fees before confirmation, introducing additional complexity.

The paper proposes a new transaction strategy that jointly determines broadcasting time and transaction fee It analyzes two representative scenarios:

• Ordinary users: who are unaware of mempool conditions and set fees according to a certain distribution;

• Semi-strategic users: who observe the mempool at a Poisson rate and update fees accordingly.

In the former case, it computes the optimal broadcast timing and transaction fee under arbitrary mining interval distributions. With exponentially distributed block intervals, as in Bitcoin-like PoW systems, a strategic user could broadcast immediately upon creation; with fixed intervals, as in Ethereum-like PoS systems, it becomes optimal to wait until just before block production. In the latter case, researchers use a continuous-time Markov chain to characterize mempool dynamics, and derive the optimal fee adjustment frequency for a strategic user under exponentially distributed block intervals. Both theoretical analysis and simulations show that the user should immediately increase the transaction fee whenever it falls below the minimum fee required for inclusion.

Hornet UTXO (1): A UTXO Database Optimized for Maximum Bitcoin Consensus Throughput

Developer tobysharp introduced Hornet UTXO (1), a new UTXO database specifically designed to maximize throughput in Bitcoin consensus validation.

Implemented in modern C++, the database exploits parallelism and is highly concurrent and lock-free.

Hornet UTXO (1) is a component of Hornet Node, an experimental Bitcoin client focused on declarative consensus specifications and high performance. More details can be found in: Hornet Node and the Hornet DSL: A Minimal, Executable Specification for Bitcoin Consensus

Global Lightning Network Snapshots: A Spatiotemporal Dataset from 2019–2023

This study presents a curated dataset of Lightning Network snapshots from January 2019 to July 2023, comprising 336 geolocated LN topology snapshots. The snapshots were reconstructed from publicly available gossip message archives. The authors applied strict consistency checks and enriched node metadata using city-level geolocation derived from public IP addresses.

The resulting dataset captures both the temporal and spatial evolution of LN, filling a key research gap. The reconstructed snapshots were also cross-validated against independent statistics to establish a robust and reliable benchmark.

OHMG: Improving Off-Chain Verification of Garbled Circuits by Changing Arithmetic Representation

Efficient verification of complex off-chain computation remains a major bottleneck for blockchain scalability. Garbled-circuit-based approaches typically rely on Boolean circuit representations, resulting in massive communication and storage requirements.

To address this inefficiency, a new garbling scheme OHMG (One-Hot Modular Garbling) is introduced. It improves efficiency by changing how arithmetic computation is represented. Instead of decomposing arithmetic operations into Boolean gates, OHMG natively processes small integers using one-hot encoding. As a result, the resulting garbling framework requires at most one ciphertext per arithmetic gate, independent of circuit size.

Babylon: An Introduction to the Trustless BTCVault (TBV) Protocol

According to statistics from mid-to-late 2025, only about 1% of Bitcoin is currently used in DeFi. Babylon attributes this low participation to Bitcoin’s limited programmability, which forces users to rely on additional trust assumptions.

Babylon introduces a trustless BTCVault protocol (TBV), enabling native Bitcoin to participate in DeFi while remaining self-custodied and trust-minimized.

The core components of TBV include:

• SNARK: Used to succinctly verify arbitrary program execution. It is used to verify state transitions of TBV-related smart contracts on DeFi chains.

• Garbled circuits: Used to reduce program verification to secret revelation. Babylon encodes the SNARK verifier into a garbled circuit such that, when the proof is valid, evaluating the obfuscated circuit reveals a specific string that only the Bitcoin chain can process.

• Lamport signatures: A one-time signature scheme verifiable in Bitcoin Script, allowing Bitcoin L1 to resolve disputes.

• Bitcoin Script: Bitcoin’s programming language. Babylon particularly relies on: hash lock, time lock, and Taproot addresses.

At the product level, TBV turns Bitcoin into a universal, programmable collateral for any DeFi system. The Bitcoin is neither bridged, wrapped, pooled, fungible, nor rehypothecated.

Risks Beyond Digital Assets: Real-World Attacks on Bitcoin Are Increasing

Haseeb Qureshi has visualized the data previously collected by Bitcoin developer/security researcher Jameson Lopp on real-world physical attacks against Bitcoin users (GitHub: Known Physical Bitcoin Attacks)

The visualization shows that attacks increased and are becoming more violent. The actual situation may be even worse, as many attacks likely go unreported. Victims may fear becoming targets again or distrust law enforcement’s ability to help, leading them to remain silent.

According to Qureshi’s analysis, the primary driver of these attacks is price: as Bitcoin’s price rises, attackers perceive greater opportunity (White: market cap; colors: violent incidents):

Geographically, the sharpest increases in reported attacks have occurred in Western Europe and parts of Asia:

René Pickhardt 提出并讨论了 Ark 作为通道工厂（channel factory），而非终端用户支付解决方案的最佳应用场景的想法。

Pickhardt 的想法聚焦于一种可能性：让大量通道所有者利用 Ark 的 vTXO （virtual Transaction Outputs）结构，将通道流动性的变更（如开启、关闭、拼接）进行批量处理，从而在牺牲一定流动性开销的前提下，大幅降低运行闪电网络的链上成本。这种额外的流动性开销主要发生在某个通道被放弃、到其所在的 Ark 批次完全到期之间的这段时间。通过将 Ark 批次作为高效的通道工厂，LSP （Lightning Service Provide）可以更高效地为更多终端用户提供流动性；而批次自带的到期机制则保证了他们能够从闲置通道中回收流动性，而无需进行成本高昂、专门的链上强制关闭操作。路由节点同样可以受益：它们可以通过定期使用批次在不同通道之间转移流动性，而不是进行一次次单独的拼接操作，从而实现更高效的通道管理。

在后续的回复中，Vincenzo Palazzo 称他已经实现了一个 Ark 通道工厂的概念验证代码。

新比特币智能合约语言 Bithoven：弥合表达力与形式安全

比特币社区正在与一种新的智能合约语言 Bithoven 合作。Bithoven 是针对 Miniscript 而提出的，设计者认为，虽然 Miniscript 为策略验证提供了必要的抽象，但并未建模复杂合同所需的全部命令式逻辑，导致状态管理和资源活性存在空白。Bithoven 旨在弥合表达力与形式安全之间的高阶语言。通过结合严格类型检查器、资源活度分析器与语义控制流分析器，Bithoven 能够在部署之前消除其故障模型中所定义的多类共识与逻辑缺陷。

Bithoven 论文：Bithoven: Formal Safety for Expressive Bitcoin Smart Contracts

Hornet UTXO (1)：为最大化比特币共识验证吞吐量定制的 UTXO 数据库

开发者 tobysharp 推出了一个新的 UTXO 数据库 Hornet UTXO (1)，专为最大化比特币共识验证的吞吐量而定制。该数据库使用现代 C++开发，将并行性最大化，因此高度并发且无锁 。

Hornet UTXO (1) 是 Hornet Node 的组件，后者是专注于声明式共识规范和高性能的实验性比特币客户端。关于 Hornet Node 更多细节可见 Hornet Node and the Hornet DSL: A Minimal, Executable Specification for Bitcoin Consensus

比特币-IPC：通过 PoS 子网网络扩展比特币

这项研究提出 Bitcoin-IPC，它是一个软件栈与协议，旨在通过支持无需许可地创建、完全可编程的 PoS 二层链，推动比特币成为一个通用的交换媒介（Medium of Exchange, MoE）。在 Bitcoin-IPC 子网（subnet）上质押资产以 L1 比特币主链的 BTC 计价，依赖比特币 L1 来传递关键信息、完成结算并提供安全保障。

该设计受 SWIFT 报文（SWIFT messaging）机制启发，并嵌入在比特币的 SegWit 机制中，使得不同 L2 子网之间的价值转移可以通过比特币 L1 进行路由与结算。其独特之处在于：在不对比特币 L1 做任何修改的前提下，这一机制可将单笔交易的虚拟字节成本（vB/tx）最多降低 23 倍，从而将货币型交易的吞吐能力从约 7 笔/秒（tps） 提升至 160 笔/秒以上。

利用可观察的内存池确定区块链交易时机和费用

本研究关注的议题是交易手续费对交易处理优先级的影响。目前优化交易优先级的可能方式是：用户可以通过查看本地内存池中的交易情况，推迟广播交易的时间，并将手续费设置得尽可能低由于未确认。然而，挖矿时间间隔的随机性可能导致被延迟广播的交易错过下一个有效区块。不过与此同时，手续费提升 (fee bumping) 机制则允许用户在交易确认之前提高交易手续费，但这也使手续费设置问题变得更加复杂。

本研究探讨了一种新的交易策略——同时决定交易的广播时机和手续费水平。研究考虑了两种具有代表性的场景：

• 其一：大量共存的普通用户，对内存池状态无感知，按照特定分布设置其手续费；

• 其二：半策略性（semi-strategic）用户，以泊松速率（Poisson rate）检查内存池并更新费用

在第一种场景中，研究者计算了能够适应任意挖矿时间间隔分布的最优广播时间与交易手续费。当区块间隔服从指数分布（如比特币类 PoW 系统）时，策略性用户应在交易创建后立即广播；而当区块间隔固定（如以太坊类 PoS 系统）时，用户会发现等到区块生成前的最后一刻再广播交易是有利可图的。

在第二种场景中，研究者构建了一个连续时间马尔可夫链来刻画内存池状态的动态变化，并在区块间隔服从指数分布的情况下，推导出策略性用户的最优手续费调整频率。无论在理论分析还是仿真结果中，研究都表明：当交易手续费低于被纳入区块所需的最低手续费时，策略性用户都应立即提高自己的手续费。

全球闪电网络快照：2019–2023 年的地理与时间演变数据集

这项研究呈现了 2019 年 1 月至 2023 年 7 月间的闪电网络快照精选集，包含 336 个地理定位的闪电网络拓扑快照。这些快照是从公开可获得的 gossip 消息档案中重建而成。收集者采用严格的一致性检查，并用来自公共 IP 地址的城市级地理位置数据丰富节点元数据。

所得数据集捕捉了闪电网络的时间和空间演变，弥补了关键的研究空白。此外，收集者还重建的网络快照与独立统计数据进行了交叉验证，以建立稳健可靠的基准。

OHMG：通过改变算术表示方式，提高混淆电路链外验证的方法

高效验证复杂的链外计算仍是区块链扩展的主要瓶颈之一。对于基于混淆电路构造的解决途径而言，它依然高度依赖布尔电路表示，导致了巨大的通信和存储需求。

针对这一问题，本研究引入了一项新型混淆方案 OHMG (One Hot Modular Garbling) ，旨在通过改变混淆电路中算术计算的表示方式来解决上述低效问题。与将算术运算分解为布尔门（Boolean gates）不同，OHMG 通过单热编码原生处理小整数。其结果是形成了一种混淆框架，在该框架中，每个算术门最多只需要一个密文，而与线路规模无关。

Babylon: 无需信任的 BTCVault 协议 TBV 简介

根据 2025 年中后期的统计，目前只有 1% 的比特币使用 DeFi。Babylon 指出，这一低参与度的原因是比特币缺乏可编程性所导致的对额外信任的需要，并由此介绍 Babylon 的解决方案：一个无需信任的 BTCVault 协议（TBV），允许原生比特币以自我托管且无需信任的方式使用 DeFi。

TBV 的核心要素有：

• SNARK：能够简洁地验证任何程序的执行。Babylon 用它验证与 TBV 相关的智能合约（决定每个保险库中比特币的所有权）在 DeFi 链上的状态转换；

• 混淆电路：可将任意程序的验证简化为秘密揭示。Babylon 用它来编码 SNARK 验证器，使得在证明有效时，对扰的电路进行评估时，会发现一个特定的只有比特币链能够处理的文本字符串；

• Lamport 签名：一种一次性签名方案，其验证可以通过比特币脚本实现。Babylon 使用 Lamport 签名，允许比特币链在有争议时进行验证；

• 比特币脚本：具有有限的可编程性的编程语言。Babylon 主要依赖：hash 锁、时间锁、taproot 地址。

就 TBV 的产品特性而言，它将比特币变成任何 DeFi 的通用可编程抵押品。抵押比特币既不是桥接/包裹/池化/同质化的，也不能重新抵押。就适用的 DeFi 链而言，TBV 支持任何拥有 ZK 轻客户端的区块链/整合。

数字资产之外的风险：现实世界中的比特币袭击正在加剧

近日，Haseeb Qureshi 将比特币开发者/安全研究员 Jameson Lopp 之前搜集的现实世界中发生的针对比特币的真实袭击（GitHub: Known Physical Bitcoin Attacks）数据进行了可视化。结果发现袭击次数一直在增加，同时袭击还变得更加暴力。然而，真实情况可能更糟，更多攻击可能未被报告。因为受害者会担心再次成为攻击目标，或者不信任执法部门能提供帮助，而选择保持沉默：

根据 Haseeb Qureshi 的分析，攻击的主要驱动因素是价格。当比特币价格上涨时，犯罪分子看到了更大的机会（白色：市值；颜色：暴力事件）：

此外在地理方面，西欧和亚洲部分地区遭受袭击事件的激增最为显著：

Developer Jonathan T. Halseth has released a prototype for a vault scheme using blinded co-signers. Unlike traditional co-signing methods, this approach utilizes a blinded version of MuSig2 to ensure signers have minimal knowledge about the on-chain movements of the funds they are securing.

To prevent signers from blindly signing malicious transactions, the proposal attaches a Zero-Knowledge Proof to the signature request. This proves the transaction complies with a pre-defined policy—in this case, the timelock of the final transaction.

The flowchart outlines four pre-signed transactions: vault_deposit, vault_recovery, unvault and unvault_recovery. During the unvaulting, the co-signer requires a proof that the transaction correctly sets a relative timelock. This ensures that in case of an unauthorized unvault, the user or a watchtower still has a window of time to reclaim the funds. A prototype implementation (GitHub) is available for testing on regtest and signet.

Mitigating the OP_CTV Footgun: Unsatisfiable UTXOs

The author explores a potential footgun in BIP OP_CHECKTEMPLATEVERIFY (OP_CTV): Unsatisfiable UTXOs. Because OP_CTV can be used in “forwarding address contract”, which involves the problem of key-reuse. For example, a hot wallet might use an address which can automatically be moved to a cold storage address after a timeout. Reusing addresses in this way may lead to loss of funds.

The author argues that there is no significant benefit to committing to a single input, while the risks are high. He suggests that when building OP_CTV templates, it is prudent to commit to at least two inputs. Users can then craft a "secondary input" to satisfy the total amount locked in the template. A Python test (GitHub) demonstrating this recovery mechanism has been provided.

OP_CC: A Simple Introspection Opcode to Lower UTXO Consolidation Costs

Developer billymcbip proposed a new Tapscript opcode, OP_CHECKCONSOLIDATION (OP_CC). This simple introspection opcode significantly improves the space efficiency of consolidation transactions, thereby reducing the cost of UTXO Consolidation (merging multiple small UTXOs into larger ones).

Current discussions focus on the necessity of OP_CC and how it compares to the more versatile OP_CHECKCONTRACTVERIFY (OP_CCV) in terms of efficiency and implementation complexity.

QRMVL: A Modular Verification Layer for Post-Quantum Signatures

Developer Karin Eunji proposed QRMVL (Quantum-Resilient Modular Verification Layer), a soft-fork compatible verification layer designed to provide a progressive path to post-quantum security without altering current validation semantics.

QRMVL combines a hybrid LMS / SPHINCS+ signature architecture with a STARK-inspired Linear Hash Tree (LHT) optimization. Compared to standard SPHINCS+, it reduces verification latency by 57% and witness size by 48%.

The author is also advancing a Bitcoin commit-and-reveal quantum-resistant scheme. This path allows the ecosystem to gradually develop quantum-resistant vaults and covenant primitives without introducing premature trust assumptions or rushing into complex signature migrations.

Timelock-Recovery: A New Long-Term Asset Security Mechanism

Oren proposed a "Timelock-Recovery" mechanism to provide monitorable, revocable, and low-maintenance recovery/inheritance for long untouched wallets without requiring new consensus rules.

The scheme involves pre-signing a pair of transactions:

• Alert/Trigger Transaction: A consolidation transaction that keeps most funds in the original wallet but moves a small amount to an "anchor address" to facilitate CPFP (Child-Pays-For-Parent) fee bumping.

• Recovery Transaction: Moves BTC from the consolidated UTXO to a secondary wallet. It uses an nSequence relative timelock, giving the user time to move funds elsewhere if they notice the Alert transaction has been mined.

Proof of Buying: A Layer 2 Consensus for Proof of Work Layer 1

The Nervos community proposed Proof of Buying (PoB) as a consensus mechanism for Layer 2 networks anchored to programmable PoW chains (like CKB).

• Mechanism: Miners pay Layer 1 native tokens (e.g., CKB) as a mining cost and use a VDF (Verifiable Delay Function) to compete for block production rights.

• Value: PoB maintains PoW principles through tangible economic costs and creates a direct value loop: increased L2 activity drives demand for the L1 token.

SlowMist: 2025 Blockchain Security & AML Annual Report

SlowMist released its 2025 report analyzing major security incidents, APT (Advanced Persistent Threat) trends, and money laundering patterns.

Key Findings:

• Higher Total Losses: 200 security incidents resulted in ~$2.935 billion in losses. While the number of incidents decreased compared to 2024 (410 incidents), the total value lost increased by 46%.

• Ethereum as the Primary Targeted Ecosystem: Ethereum remained the most frequently attacked blockchain and suffered the largest losses ($254 million lost), followed by BSC and Solana.

• DeFi as the Top Targeted Sector: DeFi accounted for 63% of incidents. However, Centralized Exchanges suffered massive losses from fewer incidents (12 events totaling $1.809 billion), driven largely by the ~$1.46 billion Bybit incident.

• Primary Causes: Smart contract vulnerabilities (61 incidents) and compromised accounts (48 incidents) were the leading causes of loss.

The report provides a detailed breakdown of the Top 10 security incidents by loss in 2025 and highlights emerging fraud techniques that demand close attention, including:

• Phishing Attacks: Phishing remains one of the most active risks, with techniques evolving far beyond traditional fake websites and forged authorization pages. Attackers now combine system commands, wallet permissions, protocol mechanisms, and even device control to execute composite attacks. Four typical patterns are highlighted: ClickFix phishing, Solana wallet ownership tampering, EIP-7702 authorization abuse, and "Fake Protection" scams.

• Social Engineering: Blockchain-related social engineering showed a significant upward trend in 2025, serving as a critical entry point for phishing, malware deployment, and asset theft. These attacks manipulate trust through impersonation, emotional pressure, and information asymmetry to induce victims into high-risk actions.

• Supply Chain & Open-Source Ecosystem Pollution: Software supply chain attacks remain highly active. Attackers no longer focus solely on compromising well-known libraries or core infrastructure; they increasingly target smaller open-source projects, developer tools, and dependency distribution chains. By injecting malicious code, they launch indirect, large-scale attacks on downstream users.

Other malicious attacks include browser extensions and ecosystem risks, AI-powered attacks, Ponzi schemes.

Additionally, the report summarizes 2025 Anti-Money Laundering (AML) trends, covering law enforcement and sanctions, regulatory policies, data on frozen/recovered funds, and the activities of organized cybercrime groups.

For full details, refer to the SlowMist 2025 Blockchain Security and AML Annual Report.

开发者 Jonathan T. Halseth 发布了一种使用盲化共同签名者的类保险库方案原型。与传统依赖共同签名者的方案不同，该方案采用了 MuSig2 的盲化版本，以确保签名者对其所参与签名的资金了解尽可能少。

为避免签名者在不明情况下对提交给他们的内容进行盲签，该方案在签名请求中附加了一个零知识证明，用于证明该交易符合预先设定的策略——在这个方案中，策略是一个时间锁。

Halseth 提供了一张展示该方案的流程图，其中包含四笔将被预签名的交易：初始存款交易、恢复交易、解锁交易，以及解锁后的恢复交易。在执行解锁时，共同签名者会要求提供一个零知识证明，以证明他们即将签名的交易正确设置了相对时间锁。这可以保证在发生未授权解锁的情况下，用户或 watchtower 仍有时间将资金取走。此外，Halseth 还提供了一个可在 regtest 和 signet 上运行的原型实现。

用于降低 UTXO 归集成本的简单内省操作码 OP_CC

开发者 billymcbip 提出了一个新的 Tapscript 操作码 OP_CHECKCONSOLIDATION（OP_CC），它是一个简单的内省操作码，能显著提升合并交易的空间效率，降低 UTXO 归集（Consolidation，把多个小额 UTXO 合并成一个或几个大额 UTXO）的成本。

目前围绕 OP_CC 进行的讨论当前主要集中在：OP_CC 的必要性、它同另一个更通用的操作码 OP_CHECKCONTRACTVERIFY (OP_CCV) 相比在效率、实现复杂度等方面的对比上。

了解并缓和 OP_CTV 的 Footgun：无法满足的 UTXO

作者探讨了比特币改进提案 OP_CHECKTEMPLATEVERIFY (CTV) 中的一个潜在的 footgun——“不可满足的 UTXO”（Unsatisfiable UTXO）。这一风险主要出现在转发地址合约（Forwarding Address Contract） 中，且涉及密钥复用（Key-reuse）问题。例如，热钱包可能会使用一个能够在超时后自动将资金转移到冷钱包地址的特定地址。在这种机制下，如果用户复用地址可能会导致资金永久丢失。

作者称未看到承诺单一输入的显着好处，但缺点却很明确——即可能创建出永久无法花费的 UTXO。所以他认为，在构建 OP_CTV 模板时至少承诺两个输入是谨慎的做法。用户仍可以制作辅助输入（secondary input）以满足 OP_CTV 模板中锁定的总量。为此，他也提供了Python 测试，演示了相关的恢复机制。

QRMVL：面向后量子哈希签名的模块化验证层

开发者 Karin Eunji 提出 QRMVL（Quantum-Resilient Modular Verification Layer），即一种模块化且兼容软分叉的验证层，目标是在保持当前验证语义不变的前提下，提供一条软分叉兼容、可渐进部署的后量子验证路径。QRMVL 结合了混合式 LMS / SPHINCS+ 签名架构与受 STARK 启发的 线性哈希树（LHT） 优化方案，相比标准 SPHINCS+，在验证延迟上降低了 57%，在 witness 体积上减少了 48%。

该提议的作者同时也在推进比特币 commit-and-reveal 抗量子方案。他认为从该路径开始的一个重要优势是：它允许生态系统逐步发展出量子抗性的 vault 机制以及具有广泛适用性的 covenant 原语，而不会过早引入新的信任假设。同时，这也为构建一个经过充分审计、并在性能上高度优化的量子安全承诺库争取了时间，而不是立即处理更复杂的后量子签名迁移问题。详情见：

• QRMVL 白皮书草案

• 包含示例和伪代码的仓库

比特币长期资产安全新方案：时间锁-恢复存储机制

开发者 Oren 提出一项“时间锁-恢复（Timelock-Recovery）”机制，目的是在不引入新共识规则的前提下，为长期不动的钱包实现可监控、可撤销、低维护成本的比特币恢复/继承。

方案主要包括预签一对交易：

• 提醒/启动交易：一种合并交易（consolidation transaction），大部分资金保留在原钱包。除了少量资金流向锚地址，以加速子为父偿（CPFP）。

• 回收交易：将比特币从合并后的 UTXO 转移到次级钱包的交易，具有 nSequence 相对锁定时间，允许用户有足够时间将资金转移到其他地方（假设他们注意到 Alert 交易已被挖出，且仍持有种子或提前签署替代交易）。

Proof of Buying：一种专为 PoW Layer 1 设计的 Layer 2 共识

社区成员提出了 Proof of Buying（PoB）共识机制。PoB 被提议作为一种专为 Layer 1（特别是像 CKB 这样具有可编程性的 PoW 公链）设计的 L2 准入和出块共识机制。其核心逻辑是将 Layer 1 的原生代币（如 CKB）作为挖矿成本。矿工需支付 L1 原生代币 CKB，并结合 VDF（验证延迟函数）来竞争出块权。PoB 继承了 PoW 核心原则，通过真实的经济成本确保安全性；它也可以将 L2 的应用价值直接传导至 L1：L2 越繁荣，L1 的代币就越值钱。

慢雾 2025 年区块链安全与反洗钱年度报告

慢雾发布了 2025 年区块链安全与反洗钱报告，深入分析了重大区块链安全事件和攻击技术、进阶持续性威胁（Advanced Persistent Threat）组织活动趋势、洗钱模式的发展以及全球监管执法发展。重要结论包括：

• 总损失金额增加：根据 SlowMist Hacked 维护的区块链安全事件档案的不完整统计数据，全年共发生 200 起安全事件，造成约 29.35 亿美元的损失。相比之下，2024 年发生了 410 起事故，损失约为 20.13 亿美元。虽然事故数量同比下降，但总损失量增加了约 46%。

• 以太坊为首要被攻击生态：从生态系统分布角度来看，以太坊仍是攻击最频繁且损失最大的，全年总损失约为 2.54 亿美元，远超其他平台；BSC 紧随其后，相关亏损约为 2193 万美元；Solana 排名第三，年亏约 1745 万美元。

• DeFi 仍是最常被攻击的行业：2025 年共发生 126 起安全事件，约占全年总数的 63%，导致损失约 6.49 亿美元——较 2024 年减少约 37%（339 起事件，损失 10.29 亿美元）。与交易所相关的事件仅有 12 起，但造成了高达 18.09 亿美元的惊人损失，单起 Bybit 事件就造成约 14.6 亿美元的损失，成为当年最严重的事件。

• 合同漏洞为首要原因：在攻击原因方面，合同漏洞是主要触发因素，造成了61起事件，紧随其后的是被攻破账户，共计48起。

报告还具体呈现了 2025 年按损失排名前十的安全攻击事件 ，并提到了值得密切关注的新兴欺诈手法，包括：

• 网络钓鱼攻击：钓鱼依然是最活跃的风险之一，其技术已远远超越了传统的假网站和伪造授权页面。攻击者现在结合系统命令、钱包权限、协议机制，甚至设备控制来执行复合攻击。重点关注四种典型钓鱼模式：ClickFix 钓鱼攻击、Solana 钱包所有者权限篡改、EIP-7702 授权滥用、以及假保护诈骗。

• 社会工程攻击：区块链相关的社交工程攻击在 2025 年显示出明显上升趋势，日益成为连接钓鱼、恶意软件部署和资产盗窃的关键切入点。这些攻击主要通过控信任、利用身份冒充、情感压力和信息不对称来引导受害者积极配合高风险行动。

• 供应链与开源生态系统污染：软件供应链攻击在区块链安全领域依然高度活跃。攻击者不再仅仅关注攻破知名库或核心基础设施，而是越来越多地针对开源项目、开发者工具和依赖分发链。通过注入恶意代码，他们对下游用户实施间接且大规模的攻击。

以及恶意浏览器扩展和生态系统风险、利用人工智能、庞氏骗局欺诈等其他攻击手法。

此外，报告还总结了 2025 年反洗钱趋势，包括执法部门与制裁行动、监管政策、以及冻结/恢复资金的相关数据、网络犯罪组织等。

完整详情见 PDF 报告。

In a collaborative effort to proactively address potential threats from quantum computing and strengthen Bitcoin’s security, Hunter Beast (cryptoquick), Ethan Heilman, Isabel Foxen Duke, and other contributors have made significant revisions to BIP 360. The update introduces a new output type Pay-to-Tapscript-Hash (P2TSH), designed to mitigate potential risks to elliptic curve cryptography without immediately adopting post-quantum signature schemes.

The revision focuses on improving Bitcoin’s resilience to quantum-related risks and outlines a strategy that avoids premature migration to post-quantum cryptography. The proposal also includes Python and Rust test vectors to facilitate understanding, verification, and participation from the developer community.

• GitHub PR

• Hunter Beast’s post on the proposal

A Minimal New Introspection Primitive as a Potentially Simple Quantum-Safe Upgrade

Erik Aronesty has proposed a quantum-resistance mechanism grounded in economic assumptions and on-chain data. The proposal introduces a minimal new introspection primitive to enhance Bitcoin’s security without requiring a comprehensive redesign of Bitcoin Script. This design enables quantum migration without changing address formats, inflating transaction sizes, or introducing fragile cryptographic assumptions.

The mechanism follows a commit–challenge–response framework: a transaction must satisfy both a traditional signature check and a delayed, chain-conditioned hash-based proof. This reflects a conservative approach to achieving quantum resistance without major infrastructure changes.

A Standardized and Extensible P2P Feature Negotiation Mechanism

Anthony Towns has published a BIP on peer feature negotiation, proposing a standardized and extensible mechanism for P2P message. The goal is to simplify the introduction of new features into the Bitcoin P2P protocol without coordinated protocol version bumps or network splits caused by message incompatibility.

The core of the proposal is a new P2P message type, feature (for protocol versions ≥ 70017). The feature message is explicitly designed to be sent only during the initial handshake, between version and verack, enabling flexible feature deployment and versioning without increasing the protocol version number. Nodes implementing this proposal are required to ignore unknown feature messages, ensuring backward compatibility.

Bitcoin Optech’s 2025 Year-in-Review Special

Bitcoin Optech has published its 2025 Year-in-Review, summarizing major technical developments and discussions across the Bitcoin ecosystem over the past year, including:

1. Core Protocol and Research Progress

• Privacy and signature technologies: Updates to the ChillDKG draft (a distributed key generation protocol for FROST threshold signatures); discussions on DahLIAS interactive aggregate signatures.

• Network relay and performance: Continued progress on Erlay integration in Bitcoin Core; research into improving Compact Block reconstruction efficiency; analysis of network partition attacks via Border Gateway Protocol (BGP) interception and potential defenses.

• Mempool management: Focus on the development of Cluster Mempool to improve miners’ transaction selection logic and addressing complex dependency handling.

2. Lightning Network and Layer-2

• Channel management: Introduction of ephemeral anchor outputs based on TRUC (Topologically Restricted Unexpected Confirmations) to improve fee bumping.

• Channel jamming mitigation: Proposals using upfront fees and hold fees to mitigate channel jamming attacks.

• DLC optimizations: Proposals for off-chain DLCs (Discreet Log Contracts), enabling cooperative contract updates without frequent on-chain interaction.

3. Vulnerability Disclosures

More than a dozen vulnerabilities were disclosed in 2025, including:

• LDK and LND: Multiple vulnerabilities related to HTLCs and forced channel closures, some of which could result in funds being stuck or lost.

• Privacy issues: De-anonymization weaknesses identified in wallets such as Wasabi and Ginger that rely on centralized CoinJoin protocols.

• Bitcoin Core: Fixes for several low-severity vulnerabilities.

4. Soft Fork Proposals

• Transaction templates: In-depth discussion of CTV (BIP119), CSFS (BIP348), and LNHANCE, aimed at enabling advanced features such as vaults and LN-Symmetry.

• Consensus cleanup: The release of BIP54 to address legacy consensus edge cases.

• Opcode proposals: Introduction of OP_CHECKCONTRACTVERIFY (BIP443), viewed as a more general alternative to the earlier OP_VAULT proposal.

5. Infrastructure Updates

• Stratum v2: Significant progress on the next-generation mining pool protocol. Bitcoin Core 30.0 added experimental support for its IPC interface, enhancing miner decentralization in transaction selection.

• Other major infrastructure projects: BDK (Bitcoin Dev Kit) released v1.0.0; LDK added support for BIP353 (human-readable addresses).

6. Miscellaneous

• Simplicity language: Russell O’Connor provided in-depth insights into the design philosophy of this smart contract language.

• SwiftSync: A technique that significantly improves initial block download speed.

Taproot Assets v0.7: Static Reusable Addresses, Auditable Supply, and Optimized Large Lightning Payments

Taproot Assets, the first multi-asset Lightning protocol on Bitcoin mainnet, has released v0.7. This release focuses on simplifying real-world flows like on-chain sends and receives for users, hardening supply-proof infrastructure, and smoothing price-quote negotiation across multiple peers. Key features include:

• Static, reusable addresses: With AddressV2, addresses can continuously receive a specific asset without generating a new address for each payment, while preserving fungibility across asset batches.

• Fully auditable circulating supply: New grouped asset supply commitments enable on-chain verification of minting and burning history, allowing users, explorers, and third parties to independently audit total supply.

• Larger, more reliable Lightning transfers: Support for Multi-RFQ Send aggregates liquidity across multiple channels, improving the success rate and speed of large asset payments.

UPLC Programming Language Conference, Spotlighting Cardano Languages and Smart Contract Tooling

The Cardano ecosystem recently hosted the inaugural UPLC Programming Language Conference 2025 and published a conference recap. The event focused on the evolution of Cardano programming languages, smart contract optimization, and new formal verification tools. The conference also explored new tools such as a Jai-to-UPLC compiler, the UPLC-CAPE benchmarking framework, zk-SNARK integrations, and the roadmap for Plutus V4.

BOB Reduces BitVM3 On-Chain Costs to Roughly $10

BOB has implemented a cut-and-choose mechanism (a cryptographic technique for verifying honesty in garbled circuits) for BitVM3, combined with Verifiable Secret Sharing Schemes and adaptor signatures, and has submitted transactions to Bitcoin mainnet for the first time.

As a result, the cost of assertion transactions was reduced by approximately 87% compared to previous implementations using SP1 soldering methods. Further improvements are expected, though at the expense of increased precomputation time and storage requirements.

SLH-DSA Hardware Performance Evaluation: Slow Signing but Competitive Verification, Suitable for Long-Term Security

This paper presents a hardware benchmark study implementing and synthesizing Verilog HDL designs for SLH-DSA and a range of classical digital signature schemes (RSA, DSA, ECDSA, EdDSA) on a unified Xilinx FPGA platform.

The analysis shows that SLH-DSA has higher logic and memory requirements, significantly longer signing latency and larger signature sizes, but competitive verification performance. Based on mature hash-function security assumptions, the study concludes that despite its higher computational cost, SLH-DSA’s architecture and strong security model make it a viable specialized option for applications where long-term security is prioritized over signing speed.

在一项旨在提前应对量子计算威胁、提升比特币安全性的协作努力中，Hunter Beast (cryptoquick)、Ethan Heilman、Isabel Foxen Duke 及其他贡献者对 BIP 360 进行了重大修订，引入了一种新的输出类型 Pay-to-Tapscript-Hash（P2TSH）。该方案旨在不引入后量子签名方案的前提下，缓解椭圆曲线密码学（ECC）可能面临的潜在风险。

此次修订重点在于增强比特币对量子相关风险的韧性，详细阐述了一种避免过早迁移至后量子密码体系的策略。同时，提案还提供了 Python 和 Rust 的测试向量，以促进开发者社区的理解、验证和参与。

• GitHub PR

• Hunter Beast 关于此提议的帖子

最小化的新内省原语，或是最简单的量子安全升级

Erik Aronesty 提出了一种基于经济假设与区块链数据的抗量子机制，通过引入一个最小化的新型自省原语（introspection primitive）来增强比特币的安全性，从而避免对 Bitcoin Script 进行全面重构。该提案以可立即部署、验证成本低、以及对交易体积影响极小为设计目标。

该机制基于一种提交–挑战–响应（commit–challenge–response）框架：交易需要同时满足传统数字签名以及一个依赖未来区块链数据条件的哈希型证明。这一设计体现了一种在不引入重大基础设施变更的前提下、以保守路线实现抗量子安全性的思路。

标准且可扩展的 P2P 功能协商机制新提案

Anthony Towns 发布“节点功能协商（peer feature negotiation）” BIP，提出了一种标准化且可扩展的 P2P 功能协商机制，旨在在无需协调式提升协议版本号、也不因消息不兼容而引发网络分裂的前提下，简化比特币 P2P 协议中新功能的引入流程。

该方案的核心是引入一种新的 P2P 消息类型：feature（协议版本 >= 70017）。feature 消息被明确设计为仅在初始在 version 与 verack 之间发送，从而在无需提升协议版本号的情况下，实现功能的灵活发布、协调与版本管理。该规范要求实现该提案的节点忽略未知的 feature 消息，以确保向后兼容性。

Bitcoin Optech 推出 2025 年回顾特辑

Bitcoin Optech 发布 2025 年度回顾，总结了过去一年比特币生态中的重要技术进展与讨论，涵盖以下方面：

1. 核心协议与研究进展

• 隐私与签名技术： 更新了 ChillDKG 草案（用于 FROST 阈值签名的分布式密钥生成协议）；讨论了 DahLIAS 交互式聚合签名。

• 网络中继与性能： 推进了 Erlay 在 Bitcoin Core 中的实现；研究了紧凑区块（Compact Blocks）的重建效率提升；探讨了通过 Border Gateway Protocol (BGP) 拦截进行的网络分区攻击及防御。

• 内存池管理： 重点讨论了集群内存池（Cluster Mempool）的开发，旨在优化矿工选择交易的逻辑并解决复杂的依赖问题。

2. 闪电网络与二层扩展

• 通道管理：引入了基于 TRUC（Topologically Restricted Unexpected Confirmations）的临时锚点脚本，优化了费率调整。

• 防干扰机制：提出了使用预付费用（upfront fee）和持有费用（hold fee）来解决通道拥塞攻击（channel jamming attack）。

• DLCs 优化：提出链下 DLC（离散对数合约）方案，允许在不频繁触达链上的情况下协作更新合约。

3. 2025 年漏洞披露汇总

2025 共披露了十余项漏洞，涵盖：

• LDK 与 LND：多个与 HTLC、强制关闭通道相关的漏洞，包括可能导致资金滞留或丢失的风险。

• 隐私漏洞：披露了 Wasabi 和 Ginger 等钱包使用中心化 CoinJoin 协议中存在的去匿名化缺陷。

• Bitcoin Core：修复了一些低风险的漏洞。

4. 软分叉提案

• 交易模板（Transaction templates）： 重点讨论了 CTV (BIP119)、CSFS (BIP348) 以及 LNHANCE。这些提案旨在实现保险库（Vaults）、LN-Symmetry 等高级功能。

• 共识清理（Consensus Cleanup）：发布的 BIP54 旨在修复一些历史遗留的共识边缘问题。

• 操作码提案： 提出了 OP_CHECKCONTRACTVERIFY (BIP443)，被视为替代之前 OP_VAULT 的更通用方案。

5. 基础设施更新

• Stratum v2：这一新一代矿池协议在 2025 年取得重大进展，Bitcoin Core 30.0 开始实验性支持其 IPC 接口，增强了矿工在交易选择上的去中心化能力。

• 其他流行的基础设施项目：BDK (Bitcoin Dev Kit) 发布了 v1.0.0；LDK 增加了对 BIP 353（人类可读地址）的支持。

6. 其他

• Simplicity 语言： Russell O'Connor 深入分享了这种面向智能合约的新语言的设计哲学。

• SwiftSync：一种能显著提升初始区块下载速度的技术方案。

Taproot Assets v0.7 发布：静态地址、可审计供应与大额 Lightning 支付优化

在比特币主网运行的首个多资产 Lightning 协议 Taproot Assets 近日发布了 v0.7。本次更新专注于简化用户现实世界的流程，如用户的链上发送和接收，加强供应证明基础设施，并平滑跨多个对等方的价格报价协商。亮点包括：

• 静态可复用地址：通过 AddressV2，新地址可长期接收特定资产，无需为每笔支付生成新地址，同时保障资产分批的可替代性。

• 完全可审计的流通供应：新增分组资产供应承诺（supply commitment），可在链上验证铸造与销毁历史，方便用户、浏览器或第三方独立核查总供应量。

• 更大、更可靠的 Lightning 转账：支持 Multi-RFQ Send，可通过多通道汇聚流动性，提升大额资产支付的成功率与速度。

UPLC 编程语言大会，聚焦 Cardano 编程语言与智能合约工具

Cardano 生态近日举办首届 UPLC 编程语言大会（UPLC Programming Language Conference 2025），并发布了会议总结。该会议聚焦 Cardano 的智能合约语言 Plutus 的历史、智能合约优化以及新的形式验证工具，还探讨了 Jai-to-UPLC 编译器、UPLC-CAPE 基准测试框架以及 zk-SNARK 集成等新工具，以及 Plutus V4 的路线图。

BOB 将 BitVM3 链上成本降至约 10 美元

BOB 表示，他们为 BitVM3 实现了 cut-and-choose 机制（一种用于验证混淆电路诚实性的密码学技术），并结合可验证秘密共享方案（VSSS）与 适配器签名（adaptor signatures），首次向比特币主网提交了交易。由于这一实现，断言交易（assert transaction）的成本比以往使用 SP1 soldering 的方法降低了~87%， 未来有望进一步改进，但预计算时间和存储成本会增加。

SLH-DSA 硬件性能评估：签名耗时大但验证高效，适用于长期安全

本论文呈现了一项硬件基准研究，在统一的 Xilinx FPGA 平台上实现并综合了 Verilog HDL 设计，涵盖 SLH-DSA 以及一系列经典数字签名方案（RSA、DSA、ECDSA、EdDSA）。

分析表明，SLH-DSA 逻辑与内存消耗较大，签名延迟显著更高，签名长度也更长，但在验证性能上具有竞争力，并基于成熟的哈希函数提供稳健的安全性。结论指出，尽管 SLH-DSA 计算开销较高，其独特的架构特性和强安全模型仍使其成为一种可行的专用方案，适用于以长期安全保障优先于签名速度的应用场景。

Blockstream Research recently published the paper Hash-based Signature Schemes for Bitcoin. Hash-based signature schemes are considered a promising post-quantum alternative for Bitcoin, as their security relies entirely on hash function assumptions—consistent with the security foundation of Bitcoin’s existing design.

This paper comprehensively introduces these schemes, from fundamental principles to SPHINCS+ and its variants, and explores parameter selection tailored to Bitcoin’s specific needs. By applying latest optimizations such as SPHINCS+C, TL-WOTS-TW, and PORS+FP, and reducing the number of signatures allowed per public key, significant size improvements are achieved compared to the standardized SPHINCS+ (SLH-DSA) implementation. The research provides reproducible public scripts and discusses limitations of key derivation, multisignatures, and threshold signatures.

Additionally, Blockstream has built the SPHINCS-Parameters library, a set of scripts for exploring SPHINCS+ parameter trade-offs, computational security levels, signature sizes, and signature/verification costs.

DustSweep: A Lightweight UTXO Dust Cleanup Solution

To reduce the growth of the UTXO set, enable economical dust consolidation, and avoid introducing dust carriers or distorting the fee market, Defenwycke has proposed DustSweep (GitHub). It is policy-only, allowing nodes and miners to relay and include strictly monetary UTXO-compaction transactions with 1 satoshi per input under tightly controlled conditions.

BitMEX: Bitcoin Transaction Security Vulnerability—Risks of 64-Byte Transactions

This research by BitMEX focuses on the issue of 64-byte transactions. The authors note that the data in the inner nodes in the Merkle trees are 64 bytes. The hash of a Bitcoin transaction, the TXID, is 32 bytes. The inner branches of the second lowest row of the Merkle tree hashes two Bitcoin TXIDs concatenated together, totaling 64 bytes. A 64-byte Bitcoin transaction could thus be mistaken for an intermediate hashing step in the Bitcoin Merkle tree. This creates a security vulnerability that can be used to deceive Simplified Payment Verification (SPV) clients into believing they have received payment.

While executing such attacks is highly complex and the vulnerability is not severe, there is a relatively simple fix: BIP 54—which prohibits all transactions with a witness-stripped byte size of 64 via a soft fork.

Time to Consensus: Analyzing Bitcoin’s 6-Block Confirmation Rule

This study examines the time to reach consensus in Nakamoto blockchains, modeling the system as a competitive growth process between “honest” and “adversarial”, and identifying the point in time when an honest process permanently overtakes the adversarial process.

Using queueing theory, the paper derives the Laplace transform and tail distribution decay characteristics of consensus time for a stylized Bitcoin model, and proves that the number of cycles required to reach consensus has an exponential tail bound in a more general framework. The research shows that Bitcoin’s "6-block confirmation rule" is likely based on relatively conservative system parameters, while providing a new time-based security interpretation for blockchain protocols when accounting for block propagation delays.

Payment-Failure Times for Random Lightning Paths: Channel Capacity is Key

This paper studies a random process on graphs inspired by the Lightning Network, analyzing the time until payment failure considering graph topology and channel capacity.

For complete graphs, the paper proves that payment failure times are nearly tight in terms of upper and lower bounds as a function of the number of nodes and edge capacity. It then demonstrates the relationship between this random process and edge-betweenness centrality, deriving upper and lower bounds for payment failure times on arbitrary graphs based on edge-betweenness and capacity. Extensive simulation experiments validate the theoretical results across multiple graph types, including snapshot data from the real Lightning Network, and reveal the significant impact of channel capacity distribution on payment failure rates.

Cardinal: Achieving Ownership Preservation for Bitcoin Cross-Chain Bridges

Cardano has proposed Cardinal, a Bitcoin cross-chain bridge based on BitVM that solves the problem of ownership preservation—ensuring users always withdraw the exact coins they deposited, a capability not achievable with attribute-based multisignatures or previous BitVM-based bridges. Cardinal extends the BitVM model with a universal execution layer called ChainVM, and the paper demonstrates how to implement this framework using BitVMX.

This minimal-trust design has been implemented on Bitcoin and Cardano, avoiding operator fund pre-funding and supporting bidirectional cross-chain transfer of assets including Bitcoin Ordinal NFTs. Cardinal’s security is formally proven under a rigorous modeling framework, using HTLCs, Bitcoin Covenants signature committees, and a new ChainVM abstraction for BitVM-agnostic implementations.

Extending the SPHINCS+ Framework: Design with Variable Tree Heights and Chain Lengths

The SPHINCS+ framework is the foundational architecture for modern post-quantum, stateless, hash-based digital signature schemes, including the NIST standard SLH-DSA and variants such as SPHINCS+ and SPHINCS+C. This research extends the hypertree structure used by SPHINCS+, allowing Merkle trees of different heights at different layers and introducing one-time hash signature schemes with varying chain lengths. As long as the encoding functions used by the underlying one-time signatures are injective and non-comparable, these structural changes do not compromise the original security proof of SPHINCS+. Meanwhile, this extension significantly expands the design space, enabling more fine-grained trade-offs between signature size, signing speed, and verification speed. Through systematic parameter space search combined with rigorous theoretical cost analysis, the research identifies multiple parameter configurations that outperform existing stateless hash signature schemes. In some cases, significant improvements can be achieved without optimizing all performance metrics simultaneously. For example, a set of 128-bit security parameter configurations proposed in the research has a signature size 8.1% smaller than SPHINCS+C-128s, 26.2% smaller than SPHINCS+-128s, and 16.7% smaller than SPHINCS-128s. This scheme offers faster verification speed but slightly slower signing speed. Further sacrificing speed can yield even smaller signature sizes. Additionally, the research provides implementation code and benchmark results for representative parameter configurations.

Golden: A Lightweight Non-Interactive Distributed Key Generation (DKG) Protocol

This paper presents Golden, a new non-interactive Distributed Key Generation (DKG) protocol. Unlike previous schemes, Golden achieves public verifiability in a lightweight manner, enabling all participants to verify whether others have correctly executed the protocol without interaction—thus achieving lightweight public verifiability in a single round. This is particularly important for distributed systems, where participants may go offline at any time; reducing communication rounds can significantly enhance system robustness. As a foundational component of Golden, the research defines an exponential Verifiable Random Function (eVRF). This eVRF uses Non-Interactive Key Exchange (NIKE) to generate a Diffie–Hellman shared key and provides a public proof of the key’s correctness. In Golden, participants use the eVRF to generate one-time keys for each other, which are used to encrypt Shamir secret shares while maintaining public verifiability. Golden thus avoids the use of public key encryption schemes such as ElGamal, Paillier, or group-based cryptography. Furthermore, the eVRF itself can be independently used in other scenarios requiring publicly verifiable encryption.

Blockstream 团队近日发布论文 Hash-based Signature Schemes for Bitcoin。基于哈希的签名方案被认为是为比特币提供了一个有前景的后量子替代方案，因为其安全性完全依赖于哈希函数假设，这与比特币现有设计的安全基础一致。

该论文全面介绍了这些方案，从基础基本原则到 SPHINCS+及其变体，并探讨了针对比特币具体需求的参数选择。通过应用如 SPHINCS+C、TL-WOTS-TW 和 PORS+FP 等最新优化，并减少每个公钥允许的签名数，相较于标准化的 SPHINCS+（SLH-DSA）实现了显著的尺寸提升。研究提供了可重复性的公开脚本，并讨论密钥派生、多重签名和阈值签名的局限性。

此外，Blockstream 还设立了 SPHINCS-Parameters 库，用于探索 SPHINCS+参数权衡、计算安全级别、签名大小及签名/验证成本的脚本。

DustSweep：轻量级 UTXO 尘埃清理方案

减少长期 UTXO 集的增长，实现经济的尘埃整合，同时避免引入垃圾载体或费用市场扭曲，开发者 Defenwycke 提出了解决方案 DustSweep（GitHub）。它仅限于策略使用，允许节点和矿工在严格控制条件下，以每个输入 1 个聪的严格货币 UTXO 压缩交易（strictly-monetary UTXO-compaction transactions）进行中继和包含。

BitMEX：比特币交易安全漏洞，64 字节交易的风险

BitMEX 的这份研究关注 64 字节交易的问题。作者指出，Merkle 树中内部节点所包含的数据为 64 字节。比特币交易的哈希值（TXID）为 32 字节。在 Merkle 树倒数第二层的内部分支节点中，会对两个拼接在一起的比特币 TXID 进行哈希，其拼接后的总长度正好是 64 字节。而一个 64 字节的比特币交易可能会被误认为是比特币 Merkle 树中的中间哈希步骤。这就出现了安全漏洞，被用来欺骗简单支付验证（SPV）客户，让他们误以为已收到付款。

虽然实施这些攻击非常复杂且漏洞不严重，但它有一个相对简单的修复方法，即 BIP 54——通过软分叉禁止所有见证剥离字节大小为 64 字节的交易。

通向共识的时间：分析比特币的 6 个区块规则

本研究考察了 Nakamoto 型区块链中的共识达成时间问题，将系统建模为诚实方与最坏情形下的对手之间相互竞争的增长过程，并确定一个诚实过程永久超过敌对过程的时间点。

通过排队论（queueing theory）的方法，论文对一个风格化的比特币模型推导了共识时间的拉普拉斯变换与尾部分布衰减特性，并在更一般的框架下证明了达到共识所需周期数具有指数级尾界。研究表明，比特币的“6 个区块确认规则”可能建立在较为保守的系统参数之上，同时在考虑区块传播延迟的情况下，为区块链协议提供了一种基于时间维度的全新安全性解释。

随机闪电路径的支付失败时间分析：通道容量是关键

Payment-failure times for random Lightning paths 研究了一种受闪电网络启发的图上随机过程，在考虑图拓扑结构与通道容量的情况下，分析支付失败发生之前的时间。

在完全图的情况下，论文证明了支付失败时间在上、下界意义下几乎是紧的，该时间作为节点数量和边容量的函数；之后，研究展示了这种随机过程与边介数中心性（edge-betweenness centrality）的关系，并对任意图基于边介数和容量推导了支付失败时间的上界与下界。大量仿真实验在多种图类型上验证了理论结果，其中包括真实闪电网络的快照数据，并揭示了通道容量分布对支付失败率的显著影响。

Cardinal：比特币跨链桥实现所有权保全

Cardano 提出了 Cardinal，一种基于 BitVM 的比特币跨链桥，解决了所有权保全（ownership preservation）的问题，确保用户始终提取他们存入的精确币，这是属性多重签名和以往基于 BitVM 的桥都无法实现的。Cardinal 通过一个名为 ChainVM 的通用执行层扩展了 BitVM 模型，论文展示了如何使用 BitVMX 实现该框架。

该最小信任设计已在比特币与 Cardano 上实现，避免了操作方资金预付，并支持包括 Bitcoin Ordinal NFTs 在内的资产双向跨链转移。Cardinal 的安全性在严格建模框架下经过形式化证明，使用了 HTLC、比特币 Covenants 签名委员会，以及用于 BitVM 无关实现的新 ChainVM 抽象。

扩展 SPHINCS+ 框架：可变树高度与链长度的设计

SPHINCS+ 框架是现代抗量子、无状态、基于哈希的数字签名方案的基础架构，其代表包括 NIST 标准 SLH-DSA 以及 SPHINCS+、SPHINCS+C 等变体。

Extending the SPHINCS+ Framework: Varying the Tree Heights and Chain Lengths 这项研究扩展了 SPHINCS+ 所使用的超树（hypertree）结构，允许不同层使用不同高度的 Merkle 树，并在其中引入链长度不同的一次性哈希签名方案。只要底层一次性签名所使用的编码函数是单射且不可比较的，这些结构上的变化并不会破坏 SPHINCS+ 原有的安全性证明。同时，这种扩展显著扩大了设计空间，使得在签名大小、签名速度和验证速度之间进行更精细的权衡。

研究通过系统性的参数空间搜索，并辅以严格的理论成本分析，找到了多个在性能上优于现有无状态哈希签名方案的参数配置。在某些情况下，可以在不同时优化所有性能指标的前提下，获得显著改进。例如，研究提出的一组 128 位安全性参数配置，其签名大小比 SPHINCS+C-128s 小 8.1%，比 SPHINCS+-128s 小 26.2%，比 SPHINCS-128s 小 16.7%。该方案在验证速度上更快，但签名速度略慢。若进一步牺牲速度，还可获得更小的签名尺寸。此外，研究还提供了实现代码及代表性参数配置的基准测试结果。

Golden: 轻量级的非交互式分布式密钥生成（DKG） 协议

本论文提出了 Golden，一种新的非交互式（non-interactive）分布式密钥生成（DKG）协议。与以往方案不同，Golden 以一种轻量级的方式实现了公开可验证性，使得所有参与者都可以在无需交互的情况下验证其他参与者是否正确执行了协议，从而在单轮中实现了轻量级的公开可验证性。这一点对于分布式系统尤为重要，因为参与者可能随时离线，减少通信轮数可以显著提升系统鲁棒性。

作为 Golden 的基础构件，研究定义了一种指数型可验证随机函数（eVRF）。该 eVRF 使用非交互式密钥交换（NIKE）来生成 Diffie–Hellman 共享密钥，并提供该密钥正确性的公开证明。在 Golden 中，参与者使用 eVRF 为彼此生成一次性密钥，用于加密 Shamir 秘密分享，同时保持公开可验证性。因此，Golden 避免使用 ElGamal、Paillier 或类群等公钥加密方案。此外，eVRF 本身也可独立用于其他需要公开可验证加密的场景。

The post-quantum signature algorithm SLH-DSA (a stateless hash-based digital signature algorithm, formerly known as SPHINCS+) is being considered as a candidate for Bitcoin’s quantum-resistant soft fork upgrade, referenced in BIP360. However, a naive implementation of SLH-DSA is extremely slow and produces large signatures.

Developer conduition has been experimenting with various performance optimizations aimed at minimizing signature size and accelerating signing, verification, and key generation. Recently, he released a new round of optimizations that can speed up SLH-DSA by 10x–100x. Currently, SLH-DSA verification performance is approaching pre-quantum elliptic curve levels, though signing costs remain about two orders of magnitude higher than those of elliptic curve signatures. Since signing and key generation require several megabytes of RAM, SLH-DSA is unsuitable for resource-constrained environments like hardware wallets, and is better suited for dedicated hash-accelerator chips or FPGAs.

More details can be found in the survey article.

MuSig2 + Zero-Knowledge Proofs: Halseth Releases Bitcoin Vault-Like Security Prototype

Halseth published blind-vault, a prototype for Bitcoin vault-like security solution based on blinded co-signers and MuSig2 multi-sig protocols. It uses zero-knowledge proofs to safeguard on-chain fund transfers. Blind-vault can be tested on regtest and signet, demonstrating its potential for enhanced transaction security. The project will focus on optimizing ZK proof generation time to improve practicality. More details can be found in its GitHub.

Short-Term Gains and Long-Term Efficiency of Three Bitcoin Incentive Attacks

This study provides a systematic analysis of incentive attacks under Bitcoin’s Difficulty Adjustment Algorithm (DAA), including selfish mining, block withholding, and coin hopping strategies. The authors examine short-term gains per unit of hashpower for attackers and honest miners, and introduce a new efficiency metric for long-term impact: the ratio of reward to cost per unit of hashpower per unit of time for both attackers and honest miners.

Key findings:

• In the short term, intermittent mining yields negligible gains; long-term, selfish mining is more efficient.
• Coin hopping provides similar short-term rewards for loyal miners and coin hoppers.
• For block withholding, honest miners outside the attacking pool may benefit, often earning more than the attacker in both short and long term. Moreover, withholding attackers that adjust hashpower may not experience delayed gains in the short term. Long-standing assumptions that selfish mining’s delayed rewards prevent real-world adoption do not apply to hashpower-adjusted attacks; smaller mining pools may face immediate threats.

Fake Keys, Real Lessons: Understanding Bitcoin Consensus vs Policy Through Counterparty’s Fake-Pubkey Grinding

Counterparty once encoded arbitrary data into 1/3 bare multisig outputs (1-of-3 bare multisig outputs) using fake public keys, bypassing OP_RETURN storage limits.

This analysis reviews that method, highlighting the key distinction between Bitcoin’s consensus and policy layer:

• Consensus Layer: strict logic, wide permission
• Policy Layer: pragmatic, local, protective

The consensus layer ensures transactions are valid and theoretically spendable, while the policy layer governs node propagation and network health. In other words, Bitcoin allows technically feasible “abuse,” but the policy layer may limit its spread through mempool rules.

The author notes that recent debates on OP_RETURN policy changes, Ordinals, BitVM anchoring, and knothole discussions all stem from confusion between consensus rules (what is allowed) and policy rules (what is relayed or encouraged). The Counterparty event remains instructive for understanding ongoing discussions about Ordinals, BitVM, and Bitcoin protocol evolution.

Vanadium: A RISC-V Virtual Machine for Embedded Development on Hardware Signing Devices

Team Salvatoshi launched a RISC-V virtual machine called Vanadium for firmware applications in hardware signing devices. Vanadium runs applications (V-Apps) in a secure isolated environment, offloading most memory demands to a controlled space and reinforcing security with encrypted page swaps, significantly reducing development complexity. While an important step for crypto hardware, the team notes that further optimization of memory access patterns and full security audits are still needed. More details can be found in its GitHub.

Gossip Observer: New Lightning Network P2P Monitor

Developer jonhbit created gossip_observer to monitor the Lightning Network gossip layer. Recently, he reported several findings:

• With more default P2P connections in LN, message propagation convergence delay significantly decreased: 75% of messages propagated in ~200 seconds instead of ~500 seconds.
• Many messages are only sent by a few nodes to observer nodes, possibly due to an incoherent P2P link graph or filtering strategies in LN implementations.
• channel_update messages account for 60% of total messages, with roughly 20% of channels sending more than 144 messages.
• node_announcement messages constitute 30% of total messages, with 2.5% of nodes announced more than 144 times.

Future work will gather gossip data from different regions and P2P graphs to study propagation more deeply. Discussions mention LN could borrow methods from Erlay and BIP to reduce latency and propagation delay.

LND v0.20 Released: Channel Graph Migrated to SQL, 57× Throughput Increase

LND team recently released v0.20-beta, bringing significant performance improvements and greater control to nodes. Key updates include:

• Faster node startup and payment handling: Migration of the channel graph to SQL (sqlite/postgres) increased startup and query speed by up to 99%.
• Network sync optimization: Improved gossip mechanism increased node synchronization speed ~57×, with DNS announcements for more stable connections.
• User experience improvements: Node personalization no longer resets; PendingChannel provides clearer confirmations; new RPC supports deleting canceled invoices and querying detailed forwarding history.
• Enhanced liquidity control: The blind feature allows specifying an inbound channel for blinded invoices, improving liquidity management and privacy.

Stealth Address Lock Script Introduced in CKB

Stealth addresses is a technique for obscuring public blockchain transactions by generating one-time addresses for each transaction. The CKB community recently introduced a Stealth Address Lock Script with a wallet demo. This implementation follows early Bitcoin stealth address proposals, offering:

• Payment addresses are unlinkable
• The recipient’s real public key is not exposed on-chain
• No interaction required between sender and recipient

The Lock Script uses ckb-auth and standard CKB secp256k1 verification, and is compatible with existing tools.

Quantum Computing and Blockchains: Aligning Urgency with Actual Threats

a16zcrypto researcher Justin Thaler clarifies common misconceptions about quantum threats to cryptography in this article. He points out that timelines for quantum computers breaking cryptography are often overstated, leading to calls for urgent, full-scale transition to post-quantum cryptography. Such calls neglect the cost and risk of premature migration, as well as the differing threat profiles of cryptographic primitives. Hasty upgrades may create greater real-world risk. Currently, many post-quantum algorithms impose substantial performance costs, complexity, and even vulnerabilities (side-channel attacks, floating-point bugs, or parameter errors causing key leaks). For example, popular post-quantum signatures like ML-DSA and Falcon are tens to hundreds of times larger than current signatures and may even be vulnerable to classical attacks.

He emphasizes that the real challenge in adopting post-quantum cryptography is aligning urgency with actual threat. Blockchains should not migrate blindly; a staged, multi-track, and replaceable architecture is recommended:

• Deploy hybrid cryptography immediately—use post-quantum and current schemes concurrently
• Adopt hash-based signatures when size and performance are acceptable
• For privacy-focused chains with encryption or hidden transactions, prioritize transition if performance allows
• In the near term, focus on security rather than mitigating quantum threats prematurely

Elliptic JS Library Vulnerabilities: Missing Module Reduction and Length Checks Poses Risks

The security team Trail of Bits recently disclosed two vulnerabilities in the JavaScript library elliptic. These stem from missing module reductions and absent length checks, potentially allowing attackers to forge signatures or prevent valid signatures from verifying. Elliptic is widely used, with over 10 million weekly downloads and adoption by nearly 3,000 projects.

The vulnerabilities were discovered using the Wycheproof test vector suite. This article explains how Wycheproof tests the elliptic library and how these vulnerabilities enable signature forgery or verification failure.

后量子签名算法 SLH-DSA（stateless hash-based digital signature algorithm，无状态基于哈希的数字签名算法，前称 SPHINCS+）正被视为比特币的抗量子软分叉升级候选方案，涉及 BIP360。然而，SLH-DSA 如果实现得很简单，不但非常慢，签名也很大。

开发者 conduition 一直在尝试各种性能优化，目标是最小化签名大小，并加快签名、验证和密钥生成速度。他于近日 公布了新一轮优化成果，可让 SLH-DSA 速度提升 10 到 100 倍。目前，SLH-DSA 验证的运行时的性能现在开始接近量子出现前的椭圆曲线水平，但签名的成本仍高出椭圆曲线两个数量级。由于签名和密钥生成需要数兆字节的内存，因此它在硬件钱包等资源有限的环境中无效，只有专用哈希加速芯片或 FPGA 更适合这些用例。更多细节见详细的调查记录。

MuSig2 + 零知识证明：Halseth 推出新的类比特币金库安全方案原型

Halseth 公布了一项基于盲化协签者（blinded co-signers）与 MuSig2 多签协议的类比特币金库安全方案原型 blind-vault，通过零知识证明保护链上资金的移动。blind-vault 支持在 regtest 与 signet 环境中测试，展示了其在增强交易安全方面的潜力。项目未来将重点优化零知识证明的生成时间，以提升实用性。更多细节见 GitHub。

三种比特币激励攻击的短期收益与长期效率研究

该研究对比特币难度调整算法（Difficulty Adjustment Algorithm，DAA）下的激励性攻击进行了系统分析，包括自私挖矿、区块扣留（block withholding）和跳币（coin hopping）策略。针对这些激励性攻击，作者研究了攻击方和诚实矿工每单位算力在短期内的收益变化；针对长期影响，他们引入了新的效率指标——攻击者和诚实矿工每单位算力每单位时间的收益与成本比。

研究发现：

• 短期内，间歇性挖矿带来的收益微乎其微；而长期来看，自私挖矿效率更高；

• 跳币策略在短期内对忠诚矿工和跳币者收益相当；

• 对于区块扣留攻击，矿池外的诚实矿工会从攻击中获利，通常在短期和长期内的收益甚至高于攻击者。此外，采用算力调节的扣留攻击者在短期内不一定会出现收益滞后。长期以来，人们普遍认为自私挖矿的收益滞后是此类攻击在实际中未被观察到的主要原因之一。我们的研究表明，这一障碍并不适用于算力调节攻击，相对较小的矿池会面临立即的威胁。

假公钥，真教训：通过 Counterparty 事件理解比特币共识层与策略层的差异

Counterparty 曾经通过在 1/3 裸多重签名输出（1-of-3 bare multisig output）中将有效载荷编码在假公钥中，系统性地将任意数据嵌入比特币，突破了 OP_RETURN 的存储限制。

这篇分析回顾了 Counterparty 的这一在比特币上存储数据的案例，揭示了比特币共识层（Consensus）与策略层（Policy）之间的重要区别：

• 共识层：严格逻辑，广泛权限

• 政策层：务实、本地、保护

共识层只保证交易在规则上可被验证和理论上可花费，而策略层负责节点的实际转发与网络健康。换句话说，比特币允许技术上可行的“滥用”，但策略层会通过 mempool 规则限制其传播。

作者认为，近期比特币辩论中 OP_RETURN 政策变更、Ordinals 论证、BitVM 锚定，以及 knothole 讨论，都源于同样的误解：混淆了共识规则（what is allowed）和政策规则（what is relayed or encouraged）。Counterparty 事件对于理解当下诸如 Ordinals、BitVM 等争论及比特币协议演进依然有重要意义。

钒（Vanadium）：为硬件签名设备重塑嵌入式开发的 RISC-V 虚拟机

比特币社区的开发团队 Salvatoshi 推出了一款面向硬件签名设备的 RISC-V 虚拟机“钒”(Vanadium)。钒通过在安全隔离区中运行应用程序（V-Apps），将大部分内存需求外包到受控环境，并通过加密页交换强化安全性，大幅降低了开发复杂度。该方案被视为加密硬件领域的重要进展，但团队也表示仍需要优化内存访问模式并进行完整的安全审计。更多细节见 GitHub。

中文圈首个 Bitcoin Optech Newsletter 解读

该节目的目标是把 Bitcoin 前沿研究者与 Core Dev 的工程视角、提案背景、邮件组争议，全部用中文讲清楚。内容拟包括：最新 Optech Newsletter 精读、最近提案（BIPs / PRs）脉络分析、mempool & policy 更新、邮件组争议（为什么提出、影响什么），以及历史文章、代码实现、demo 等扩展。节目主讲人为 Aaron Zhang（@zzmjxy），联合主持 Dapangdun（@dapangdun）。

Gossip Observer：闪电网络 p2p 监控新项目

开发者 jonhbit 通过一个名为 gossip_observer 的工具监控闪电 gossip 网络，并于近日公布了目前所观察到的问题：

• 随着闪电网络默认采用更多点对点连接，网络消息传播的收敛延迟显著下降：75% 消息传播时间从约 500 秒减少到 200 秒

• 大量消息只由少数节点发送给观测节点。这可能是由于 p2p 链接图不连贯导致，或者是闪电网络实现中的某些过滤策略所致

• channel_update 消息占总量的 60%，部分 20% 通道消息量超过 144 条

• node_announcement 的消息占总消息的 30%，其中 2.5%的节点被宣布超过 144 次

未来他会收集来自更多不同地理位置和 p2p 图的 gossip 数据，以便更深入研究消息传播。讨论还提到闪电网络有望借鉴 Erlay 与 BIP 的方法，降低延迟和传播延迟。

LND v0.20 发布：通道图迁移至 SQL、吞吐量提升 57 倍

LND 团队近日发布 v0.20-beta，为节点带来显著的性能提升和更高的可控性。此次更新的重点包括：

• 更快的节点启动和支付处理：通道图全面迁移至 SQL 数据库（sqlite/postgres），节点启动和查询速度提升高达 99%

• 网络同步优化：改进 gossip 机制，节点间同步速度提升约 57 倍，并支持 DNS 公告，让连接更稳定。

• 用户体验优化：节点个性化设置不再重置，PendingChannel 提供更清晰的确认信息，新增 RPC 支持删除取消的发票和更精细的转发历史查询。

• 更强的流动性控制：通过 -blind 功能，用户可为 blinded invoice 指定入账通道，更好地管理流动性与隐私。

在 CKB 上实现隐形地址 Lock Script

隐形地址（Stealth Address）是一种通过为每笔交易生成一次性地址来隐藏公链交易的技术。CKB 社区最近推出了隐形地址 Lock Scirpt，并附带钱包演示 。 该实现遵循了早期比特币提案中的隐形地址模式，实现了以下功能：

• 支付地址不可关联

• 不会在链上暴露接收方的真实公钥

• 发送方和接收方之间无需任何交互

该 Lock Script 通过 ckb-auth使用到了 CKB 标准的 secp256k1 验证，并与现有工具保持兼容。

量子计算与区块链：紧迫性与实际威胁的匹配

a16zcrypto 的研究员 Justin Thaler 通过这篇文章，澄清了关于量子威胁密码学的常见误解。他指出，实现密码学相关量子计算机的时间线常被夸大——这导致人们呼吁紧急、全面地向后量子密码学转型。但这些呼声忽视了过早迁移的成本和风险，以及不同密码学原语之间截然不同的风险特征。仓促升级可能带来更大的现实风险。而且现阶段许多抗量子算法存在显著性能成本、实现复杂性、甚至被经典算法直接攻破的历史案例。例如，主流后量子签名如 ML-DSA、Falcon 都比当前签名大数十倍甚至上百倍，且实现容易遭受侧信道攻击、浮点漏洞或参数错误导致密钥泄漏。

他强调，成功向后量子密码学迁移的真正挑战在于：如何将紧迫性与实际威胁相匹配。 因此，区块链不应盲目迁移，而应采用分阶段、多轨制、可替换架构的策略：

• 立即部署混合加密——同时使用后量子安全方案和现有方案

• 当基于哈希的签名体积大且可接受时立即使用

• 对于加密或隐藏交易细节的隐私链，如果性能可接受，优先优先进行过渡

• 近期应优先考虑实施安全，而非缓解量子威胁

Elliptic JS 库漏洞披露：缺失模块缩减和长度检查引发风险

网络安全团队 Trail of Bits 近日披露了一个名为 elliptic 的 JavaScript 库中的两个漏洞。这些漏洞由缺失的模块缩减和长度检查的缺失引起，可能使攻击者伪造签名或阻止有效签名被验证。而 Elliptic 正被广泛使用，它每周下载量超过 1000 万次，被近 3000 个项目采用。

这些漏洞是通过测试向量集合 Wycheproof 被发现的。这篇文章介绍了如何使用 Wycheproof 测试椭圆库，从而发现这些漏洞是如何工作的，以及它们如何实现签名伪造或阻止签名验证。

Bitcoin Core Completes First External Security Assessment With No Major Issues

Recently, software security firm Quarkslab conducted Bitcoin Core’s first public, third-party audit. Although Bitcoin Core has a strong security track record, it had never undergone an external security evaluation before.

The audit covered the P2P networking layer, mempool, chain management, and consensus logic. The main efforts involved:

• Manual code review of complex areas such as thread handling and transaction validation

• Static and dynamic analysis using tools integrated into Bitcoin’s CI workflow

• Advanced fuzz testing built on the fuzzing infrastructure maintained by Bitcoin Core contributors

According to the report, Bitcoin Core had no critical, high, or medium-severity issues. Two low-severity findings and thirteen informational recommendations were identified, none of which qualify as security vulnerabilities under Bitcoin Core’s standards.

The full report is available here: Bitcoin Core: Technical Security Audit Report

Private Key Handover: Using Taproot and MuSig2 to Simplify Single-UTXO Fund Transfers

Developer ZmnSCPxj proposed an optimization plan for Private Key Handover, enabling more efficient and secure transfer of a lump fund (a single-UTXO) to a single beneficiary in protocols that support Taproot and MuSig2.

The approach requires each participant to use an ephemeral public key in the Taproot keyspend path. Once the protocol ends and all parties semantically agree that the funds belong entirely to one party, the party relinquishing control hands over the corresponding one-time private key. The recipient can then spend the UTXO unilaterally via the keyspend path.

Benefits include:

• If on-chain fees spike, Bob can perform an RBF transaction without cooperation from Alice. This is particularly useful in early proof-of-concept stages, where developers may not want to implement RBF yet.

• The recipient can batch the claim transaction with any other operations.

However, the proposal is limited to single-UTXO scenarios where final control ends with a single party. It does not apply to bilateral or multi-output setups like Lightning Network channels.

Could Bitcoin Mining Survive a Major Solar Storm?

Developer Alexandre called for research on improving Bitcoin’s resilience to large-scale infrastructure disruptions, such as a Carrington-level solar superstorm. Such an event could cause regional or continental power outages, communication failures, and satellite malfunctions, splitting Bitcoin into isolated partitions that mine independently and produce divergent chains—potentially resulting in deep reorganizations after reconnection.

The proposal aims for Bitcoin Core can provide clearer operational guidance and tooling for extreme conditions, including:

• Better documentation and optional tools for running nodes over degraded communication channels (HF/VHF radio links, mesh networks, intermittent satellite reception)

• Best-practice guidelines for wallets, miners, and node operators under high-latency or partitioned-network environments

The goal is to reduce fragmentation risk and support rapid recovery in catastrophic scenarios.

Data Costs in BitVM-Based Sidechains Spark Concern; Lightweight Merkle Tree Scheme Proposed

Super Testnet noted that several BitVM-based sidechain projects (such as Citrea and Alpen Labs) plan to publish full state differences of each sidechain block to Bitcoin for reconstructability during unilateral exits. This approach is extremely costly—both in data footprint and fees.

The author proposes an alternative: Store state differences in an indexable Merkle tree and commit only one 32-byte root hash per block on Bitcoin. Under the normal “happy path,” users obtain their leaves off-chain. Only when initiating an exit or dispute—the “sad path”—must the required leaf and proof be revealed on-chain, with the cost borne by the exiting user. This drastically reduces continuous block-space usage by BitVM sidechains and improves scalability and fees.

Ergo Proposes Node Incentives Using Micropayments for P2P Services

Ergo community recently proposed a unified node incentive approach addressing a long-standing lack of incentives issue in crypto and P2P systems in general: only miners get rewards, while running nodes to provide services do not. Instead of relying on altruism or launching new tokens—both of which lead to inflation and complex tokenomics—the proposal suggests using Ergo’s native assets and trust-minimized derivatives (e.g., stablecoins). Based on the Basis framework, nodes can charge micropayments for API services or P2P resources (storage, bandwidth, computation).

Features include:

• Nodes receive limited service on credit (similar to BitTorrent’s early download allowance).

• Mutual credit clearing offchain

• On-chain reserves redeemed only when balances accumulate; offchain payments still settle immediately.

• Privacy-preserving payments The model could extend beyond Ergo to other blockchains and broader P2P or agent-to-agent contexts.

A New Censorship-Resistant Sealed-Bid Auction Protocol

A study titled Censorship-Resistant Sealed-Bid Auctions on Blockchains introduces a new sealed-bid auction design that avoids the drawbacks of traditional commit-and-reveal schemes—such as timing leakage, inefficient participation costs, and multi-slot execution. The protocol combines timestamp-based certificates with censorship resistance through inclusion lists, providing four key properties:

• Strong privacy: both bid amounts and bidder identities are indistinguishable

• Short-term censorship resistance: all honest bids are included in blocks

• Auction Participation Efficiency (APE): measures how closely on-chain outcomes resemble classical auctions in terms of costs for participating users.

• No free bid withdrawal: prevents participants from reneging after submitting a bid Altogether, these properties create a fair, private, and economically robust auction primitive integratible for any blockchain.

A Systematic Study of Crypto Wallet Design, Attacks, and Defenses

This research builds a structured knowledge framework for cryptocurrency wallets, aiming to better address the growing number of wallet-related security incidents.

Contributions include:

• Wallet design taxonomy: A multi-dimensional classification covering both traditional and emerging wallet types, mapping design choices to known threats and guiding future wallet designs.

• Wallet attack framework: A systematization of attack vectors, techniques, and targets, based on surveys of academic work and 85 real-world wallet incidents (2012–2025). The study also highlights gaps between academic and industry research.

• Defense strategies: A combination of preventive and post-incident mitigation methods, along with an analysis of their effectiveness.

HKT-SmartAudit: A Knowledge-Distillation Framework for Lightweight Smart-Contract Auditing

This study proposes HKT-SmartAudit, a framework for developing lightweight models optimized for smart contract auditing. It features a multi-stage knowledge distillation pipeline that integrates classical distillation, external domain knowledge, and reward-guided learning to transfer high-quality insights from large teacher models. A single-task learning strategy is employed to train compact student models that maintain high accuracy and robustness while significantly reducing computational overhead.

Experiments show that the distilled model outperforms commercial tools and even large LLMs in identifying complex smart-contract vulnerabilities, offering an efficient, scalable auditing solution.

Free Testing, But Expensive Consequences

This article argues that with the rise of LLMs and code-generation tools, the marginal cost of writing tests has dropped near zero—but the flood of new tests has not increased safety. Instead, they introduce maintenance overhead. Many tests catch no real bugs and fail frequently due to intentional code changes, obstructing refactoring and improvement.

The author redefines test value in terms of ROI: The value of a test is the future stream of bugs it prevents minus the cost of maintaining it, adjusted for how much we care about the future. However, LLM-generated tests tend to write only trivial cases and avoid the hard parts (e.g., file writing, API calls), and only test now, not what. The result is an illusion of safety combined with higher project costs.

Bitcoin Core 完成首次外部安全评估，无重大漏洞

近期，软件安全公司 Quarkslab 对 Bitcoin Core 代码库进行了首次公开第三方审计。虽然 Bitcoin Core 拥有强大的安全记录，但却从未接受过外部安全评估。

本次审计内容包括了 P2P 网络层、内存池、链管理和共识逻辑。主要工作涉及：

• 对线程处理和事务验证等复杂领域的人工代码审查

• 静态和动态分析，利用集成在比特币 CI 工作流程中的工具

• 先进的模糊测试，基于比特币核心贡献者维护的模糊测试基础设施

根据报告结果，Bitcoin Core 中没有出现严重、高或中等严重的问题 。但他们发现了两项低严重性发现和十三项信息建议，这些均未被 Bitcoin Core 标准归类为安全漏洞。

完整的报告见 Bitcoin Core: Technical Security Audit Report

私钥交接：用 Taproot 与 MuSig2 简化单 UTXO 资金移交

开发者 ZmnSCPxj 提出了一项关于私钥交接（Private Key Handover）的优化思路，用于在支持 Taproot 与 MuSig2 的链上协议中，更高效地把原本由多方共同控制的一笔整块资金（单一 UTXO）安全地移交给单一受益人。该模式要求各参与方在 Taproot 的 keyspend 路径中使用临时公钥，当协议结束且语义上所有人都同意这笔钱只属于某一方时，放弃权利的一方将对应的一次性私钥直接移交给最终受益人，使其单方面即可走 keyspend 路径花费该 UTXO。

这一优化带来的好处有：如果链上费用飙升，Bob 可以在没有 Alice 合作的情况下进行 RBF（Replace-by-fee）交易。这对协议开发者尤其有用，因为他们在简单的概念验证阶段无需实现 RBF。其次，接收方还能将领取资金的交易与任何其他操作进行合并打包。而这一提案的局限是：只适合单一 UTXO、最终完全归单一方控制的场景；无法用于像闪电网络通道这样的双边或多输出情境。

比特币挖矿能在重大太阳风暴中存活吗？

开发者 Alexandre 呼吁探索提升比特币在大型基础设施中断事件中的生存能力，如类似 Carrington 事件这样的超强太阳风暴。此类事件可能导致区域甚至大陆级别的电网瘫痪、通信中断与卫星系统故障，从而使比特币网络在长时间内被分割成无法互相通信的孤立区域，各自独立挖矿并形成不同链版本，最终在重新连网时引发深度链分叉和大规模回滚。

该提案希望 Bitcoin Core 能在极端情况下提供更清晰的操作指导与工具支持，包括：改进在退化通信环境下（如短波/甚高频电台、网状网络、间歇卫星信号）运行节点的文档与可选工具，以及为钱包、矿工和节点运营者提供在高延迟和网络分区条件下的最佳实践指南，旨在降低网络碎片化风险，确保此类事件的快速恢复。

BitVM 侧链面临数据成本隐患，开发者提出更轻量的 Merkle 树方案

Super Testnet 指出，多家 BitVM 侧链项目（如 Citrea、Alpen Labs）计划在主网上线的方案都存在成本过于昂贵的问题——它们打算将每个侧链区块的全部状态差异（state diff）发布到比特币链上，以便用户在需要时能够重建区块并发起单边退出。

作者指出这将给比特币带来大量数据负担，并拉高侧链费用；也提出替代设计：不再将每个侧链区块的完整状态差异写入比特币，而是将其组织成可索引的 Merkle 树，只在每个区块发布一个 32 字节的根哈希。正常情况下（“快乐路径”，happy path）用户从链下获取自己的叶子数据，只有在需单边退出或发起挑战时（“悲伤路径”，sad path），才在链上强制要求披露相应叶子与证明，由退出方承担额外数据成本。该方法可显著降低 BitVM 侧链对比特币区块空间的持续占用，改善费用和扩展性。

Ergo 提出新的节点激励方案，探索微支付支持 P2P 服务

Ergo 社区的开发者近日提出了一种统一的节点激励方案，旨在解决加密货币和 P2P 网络长期存在的“只奖励挖矿、不激励运行节点与提供网络服务”的问题。

帖子指出，当前无论是存历史区块、同步新区块，还是在 DePIN 与 AI 相关网络中提供存储、带宽或算力，多数方案要么依赖节点的利他，要么用新代币激励，导致通胀和复杂的代币经济难以自洽。作为替代，该方案主张使用 Ergo 原生资产及其信任最小化衍生品，通过基于 Basis 方案的微支付，让节点在提供 API 服务或 P2P 网络资源（如存储、带宽、计算能力）时收取小额费用，支持信用额度、双边信用清算和隐私支付，无需发行新代币。功能包括：

• 节点可获得一定额度的信用服务（类似 BitTorrent 允许在分享前进行有限下载）。

• 双方链下信用清算。

• 在信用累积到一定程度后才能兑现链上储备；链下支付仍可即时结算。

• 可支持隐私保护的支付。

该模式也可推广到其他区块链与更广泛的 P2P、Agent‑to‑Agent 场景。

区块链密封竞价拍卖新协议：公平抗审查，保障隐私与效率

一项名为 Censorship-Resistant Sealed-Bid Auctions on Blockchains 的研究提出了一种新的区块链密封竞价（sealed-bid）拍卖协议，旨在解决传统的“提交-揭示”（commit-and-reveal）机制泄露时间信息、参与成本高和多轮执行等问题。

该协议结合了基于时间戳的证书和通过“包含列表”的抗审查设计，具备四大核心特性：

• 强隐私保护，可以让对手无法区分不同竞价金额、并隐匿竞价本身与竞价者身份；

• 短期抗审查，保证区块链出块时所有诚实用户的竞价都被包含；

• 竞拍参与效率，确保链上用户参与成本接近传统拍卖；

• 禁止竞价撤回，避免竞价者反悔撤销出价。

综上，该协议为区块链平台提供了公平、安全且经济稳健的密封竞价拍卖基础，可广泛应用于去中心化金融和其他需要竞价机制的场景。

加密钱包的设计、攻击与防御的系统化研究

本研究提出了针对加密货币钱包的系统化知识体系，旨在应对日益增长的钱包安全事件，开展系统的评估与提升工作。研究者设计了一个新的多维度加密货币钱包分类体系，涵盖传统与新兴钱包类型。该分类法揭示了具体设计决策与已知威胁事件之间的关联，并在此基础上系统化整理了威胁与攻击，从而为后续提出防御策略奠定基础。贡献包括：

• 钱包设计分类体系： 提出了用于分析各类现有钱包设计、并指导新钱包设计的分类框架，同时基于威胁模型梳理了现有设计所面临的威胁。

• 钱包攻击框架： 对文献中的攻击方法、技术与目标进行系统化与分析，并考察了2012–2025年间 85 起典型钱包安全事件，比较学术界与业界在攻击研究上的差距。

• 防御策略： 给出了结合前置预防与事后响应的防御方法，并分析不同防御手段在减轻攻击方面的效果。

HKT-SmartAudit：轻量化智能合约审计的知识蒸馏框架

这项研究提出了一个名为 HKT-SmartAudit 的框架。它是一个用于开发针对智能合约审计优化的轻量级模型，采用多阶段知识蒸馏流程，结合经典蒸馏方法、外部领域知识以及奖励引导学习，将大型教师模型中的高质量洞见传递给学生模型。通过单任务学习策略训练出的紧凑学生模型在保持高准确性和鲁棒性的同时，显著降低了计算开销。

实验结果显示，经过蒸馏的模型在识别复杂智能合约漏洞方面优于商业工具甚至大型语言模型（LLM），提供了一种高效且可扩展的审计解决方案。

测试免费了，代价却更高

这篇文章指出，随着大型语言模型（LLM）和代码生成工具普及，写测试的边际成本被压到接近于零，但大量新生成的测试并没有带来更多安全，反而形成沉重的维护负担。这些大量无效或低价值的测试充斥项目，无法捕捉真正的缺陷，却频繁因正常代码更新而失败，从而提高了改进和重构的难度。

作者也从投资回报的角度重新定义了测试的价值——它应等于它未来可能阻止的缺陷损失减去维护成本，并可以根据对未来的关心程度进行调整。而 LLM 自动生成的测试的问题是：只会生成琐碎的测试、跳过最困难的部分（如调用 API、写文件或执行逻辑）、只能测试如何进行——而无法真正去测试，由此带来安全的假象，同时增加了测试成本。

OP_CIV: A New Attempt at Post-Quantum Signature Aggregation for Bitcoin

Bitcoin developer Tadge Dryja proposed the idea of OP_CIV (OP_CHECKINPUTVERIFY) to implement a post-quantum version of Cross-Input Signature Aggregation (CISA). Dryja noted that traditional CISA provides limited savings for elliptic curve signatures, but in post-quantum schemes, signatures can be several thousand bytes (especially for SPHINCS+, Dilithium), occupying over 90% of a transaction. The basic idea of OP_CIV is: A transaction input can prove its relation to another input in the same transaction, and by pointing to another input to say "that's the signature I'm using", without providing one of its own, thereby reducing witness data costs. The proposal is still in the conceptual stage and waiting for community feedback.

Related talk.

Discussion on Introducing OP_STARK_VERIFY in Tapscript

A proposal suggests adding an opcode OP_STARK_VERIFY to Bitcoin Tapscript for verifying bounded-size STARK proofs. Its goal is to validate zero-knowledge proofs on-chain while maintaining transparency and post-quantum security assumptions, without relying on temporary script encoding (like OP_CAT) or introducing numerous arithmetic opcodes. Current discussions show cautious or negative responses. Critics argue that while STARKs are mature and widely deployed (e.g., in Starknet), embedding them in Bitcoin’s consensus layer may conflict with its core principles: simplicity, security, and long-term stability. Key risks include:

• Consensus risk: Adding tens of thousands of lines of complex code for OP_STARK_VERIFY to core validation logic risks unrecoverable network-level failures if bugs appear.
• Economic risk: The verification costs of a STARK proof are not proportional to its byte size, potentially enabling resource-intensive transaction attacks that undermine decentralization.
• Long-term risk (protocol ossification): ZK technologies evolve rapidly; fixing a specific method in the consensus layer creates permanent technical debt and bloating.

The proposal suggests keeping such complex mechanisms at higher layers or considering introducing general, composable primitives rather than monolithic, application-specific solutions.

Nick Szabo: Bitcoin Is Not Magical Anarcho-Capitalism; Arbitrary Data Is Risky

Bitcoin pioneer Nick Szabo posted that anarcho-capitalism, as an abstract ideal, inspires innovation and motivated his involvement in the invention of cryptocurrency. However, in reality, cryptocurrencies are not trustless but rather trust-minimized. Bitcoin and similar layer-1 protocols can withstand more interference than centralized systems but still have technical and legal boundaries.

He also pointed out that past legal risks from the financial sector were relatively manageable due to trust-minimized design and the presence of lawyers familiar with financial law. Arbitrary data, however, introduces larger, harder-to-predict legal attack surface, and the crypto industry lacks sufficient legal expertise to handle it. He warned that imagining Bitcoin or any blockchain as a “Swiss Army knife” resistant to all government legal actions is insanity.

Starknet: Dual-Staked Rollup Model for Sustainable DeFi Domain

Starknet, in Bitcoin’s DeFi Domain, discussed its transition into a BTCFi hub and sustainable DeFi layer for Bitcoin. Since Bitcoin L2s emerged in 2023, BTCFi profits mainly came from token-incentivized liquidity programs, encouraging users to “park” funds in underutilized pools for rewards. Such incentives-based programs are unsustainable due to:

• Limited incentives
• No reliable long-term BTC deployment options, as users keep searching for new opportunities

Starknet proposed dual-staked rollups to address these issues, positioning itself as a sustainable DeFi layer for Bitcoin—where BTC can be actively used in economic activity, not just temporarily incentivized.

BATTLE for Bitcoin: DoS-Resilient Cross-Chain Bridge Protocol Based on UTXO

A research team recently proposed a DoS-resilient dispute layer for Bitcoin—BATTLE for Bitcoin to enhance the security of optimistic cross-chain bridges connecting Bitcoin with rollups or sidechains. The protocol adapts the BATTLE tournament protocol to Bitcoin’s UTXO model, using BitVM-style FLEX components and garbled circuits, combined with on-demand L1 security bonds. Disputes are resolved in logarithmic rounds while recycling rewards, keeping the honest asserter's minimum initial capital constant even under many permissionless challengers. The construction is fully contestable (challengers can supply higher-work counter-proofs) and relies only on standard timelocks and pre-signed transaction DAGs, without new opcodes.

For N operators, the protocol requires O(N²) pre-signed transactions, signatures, and message exchanges, but remains practical for N ≳ 10³, achieving high decentralization.

Vega: Low-Latency, Transparent ZK Proofs Built on Existing Credentials, Outperforming Some Trusted-Setup Systems

Vega is a zero-knowledge proof system that proves statements about existing credentials without revealing anything else. For a 1920-byte credential without trusted setup, Vega achieves 212 ms proving time, 51 ms verification time, 150 kB proofs, and a 436 kB proving key. Its efficiency relies on two principles: fold-and-reuse proving and lookup-centric arithmetization.

• Fold-and-reuse proving exploits repetition and folding opportunities:
  • across presentations, by pushing repeated work to a rerandomizable precomputation
  • across uniform hashing steps, by folding many steps into a single step
  • (for zero-knowledge) by folding the public-coin transcript with a random one
• Lookup-centric arithmetization: extracts relevant values from credential bytes, both for extracting relevant fields without full in-circuit parsing, and to enable length-hiding hashing.

Check out the paper Vega: Low-Latency Zero-Knowledge Proofs over Existing Credentials.

Arcade Tokens: From Internal Tokens to Open, Composable Assets

a16z introduced a new token taxonomy covering seven categories, including network tokens, collectibles, and memecoins. One underappreciated but potentially promising category is the Arcade Tokens: tokens with relatively stable value within a specific software or product ecosystem, typically managed by the issuer (e.g., a company).

These tokens are essentially blockchain versions of familiar assets like airline miles, credit card points, or game currencies—internal currencies maintaining a closed or semi-closed economy. Traditionally, these operated on centralized databases, limiting user ownership, transferability, and user choice. On-chain, arcade tokens become open, interoperable, and composable, unlocking richer market design possibilities.