A result proving that the capacity conjecture of Ben-Sasson, Carmon, Ishai, Kopparty and Saraf (J. ACM '23) is false. This conjecture is being used by quite a few zkVM projects, to reduce their proof size and verifier time.
That isn't a vague strawman, that's a great point. Economists work from assumptions, which can be flawed in two ways: they can be blatantly wrong (see the work Kahneman and Tversky did on the rational individual hypothesis) and they can be unfalsifiable (you can't always gather data about the assumption itself). There is a good essay on this from Tirole (yet a very mainstream economist) here: https://www.tse-fr.eu/sites/default/files/TSE/documents/doc/...
You're pointing to a critique of an assumption, what I'm saying can you name a specific economic policy or position given by an economist that is used in real public policy and then we can measure the merits of those policies and their assumptions as opposed to the counterfactuals. I'd bet 9/10 times the chosen policy likely would have been the most logical option.
After all, it's not like the epistemologies of the other humanities stands on far more shakier grounds...
Well for whom? Another aspect of this problem is an economic solution can have winners and losers. An economic policy that invokes slavery as solution to labor issues may actually be 'logical' but clearly puts the interests of one group over another. Economics is just the science resource allocation after all. People have some serious biases when it comes to deciding policy on who gets what and how.
I've asking multiple posters to give a specific policy example to critique and so far all of you have been unable to do so, instead dancing around and critiquing vague notions of a possibility of bias without giving concrete examples. Very postmodern, but this is why actual policymakers don't listen to critique like this.
Ok, cutting taxes to the very rich while raising them on middle and lower classes and cutting services. This was part of the big beautiful bill. This is 'logical' from the point of view of the billionaire class, but in terms of the economy that everyone else lives in, things will be worse for them.
>Ok, cutting taxes to the very rich while raising them on middle and lower classes and cutting services. This was part of the big beautiful bill. This is 'logical' from the point of view of the billionaire class
Deciding who benefits or not from legislation is not a Economist's domain, their work is descriptive, not normative. You're critiquing politicians here for prioritizing GDP, but that is divorced from your critique of economics. The economist will only tell you what they think will happen with regard to the economy if you pass a bill or not given the goals you've outlined to them.
Well you look at analysis here, do you then disagree with the predictions of the bill and the methodology used, and if so, what is your better analysis here with supposedly more refined epistemic assumptions?
Milei's government slashed the national health care budget by 48 percent in real terms and fired over 2,000 Health Ministry workers — 1,400 in just a few days in January. These drastic moves were part of Milei's broader plan to shrink the state and remake Argentina's debt-ridden economy.
Among the most dramatic cutbacks was the dismantling of the National Cancer Institute, which halted early detection programs for breast and cervical cancer. Funding was also frozen for immunization campaigns, severely disrupting vaccine access during Argentina's first measles outbreak in decades. The National Directorate for HIV, Hepatitis, and Tuberculosis lost 40 percent of its staff and 76 percent of its budget, delaying diagnosis and treatment across the country. Emergency contraception and abortion pill distribution have also stopped.
Prescription drug prices and private health insurance premiums have surged by 250 percent and 118 percent, respectively, according to official data.
Obviously, this is an article from the political side of things (I tried to cut out value judgements), but these are decisions made by actual economists like José Luis Espert, Agustín Etchebarne, Federico Sturzenegger, Alberto Benegas Lynch and probably a million others I'm not aware of.
There is no economics that involves enslaving other humans. Not slavery. Not ever. However, in debt in perpetuity is a thing. So you have to work to pay, so you can live, so you can work, so you can pay…
Debt crisis is a real problem. We have borrowed more than we can ever repay, all nations, for the last 30 years. Both sides. Just drove right off the cliff.
Which is fine, as long as your assumptions are good models of reality. When your assumptions are essentially articles of faith your models tend to be about as good as the guys who interpret patterns in chicken bones.
Not only tether is a "thing", its actually in the top 10 US bonds buyer. So this "thing" isn't a business anymore, but an actual, proper, geopolitical actor.
Thanks for sharing, that's news to me. They seem to have surpassed Germany as US treasury bond holder [1] but recently stopped buying bonds [2].
Do you have any information which geopolitical actor controls tether? Is it China or Russia trying to circumvent SEPA? Or North Korea because north korean hackers have so much bitcoin from their ransomware operations?
Yes, what you are missing is that attacks on Fiat Shamir were very contrived up to now.
However the paper shows that there in fact exists a pretty simple way to break the Fiat Shamir heuristic, for a protocol operating in the RO model. And such kind of efficient attacks are rather concerning in cryptography land.
So this isn't about the attack per se, rather it's about the existence of such an easy one.
I understand that this is the claim being made, but I think I'm still missing what is the attack's heart. From the article, it seems to boil down to "if you use a malicious program, then Fiat-Shamir is broken". But to me it seems more like that Fiat-Shamir would still give a correct proof of the program's output, it's just that the output itself was wrong from the start (I'm referring to the point in the article where they say such a malicious program behaves differently than intended when it detects its own hash being used). Is this attack actually letting you generate a valid proof for an output that the program doesn't generate under the given input?
As I understand the paper, the point is that Fiat-Shamir does *not* give a correct proof of the program's output.
They gave a (maliciously constructed) program whose outputs are pairs (a,b) where certainly a != b (instead the program is constructed such that a = b+1 always). But you can get the corresponding Fiat-Shamir protocol to accept the statement "I know a secret x such that Program(x) = (0,0)", which is clearly a false statement.
I haven't done a real review yet, but skimming it seems to relate to
Arthur-Merlin[0] oracles and public fair coins.
If you view random numbers as normal numbers, they will seem to be algorithmically random, or at least exceed the complexity of any proof, or even practical proof.
Basically the work of Chatlin, where given the kolmogorov complexity of your verifier, you only have a limited number of bits in any L that you can prove anything.
Probably simpler to think about the challenges of proving a fair coins is fair.
They just have to produce an unfair coin that looks fair as a flawed analogy.
Fiat-Shamir depends on interactive proofs, which equals PSPACE, which seems huge, but it can be a hay in the haystack, and if you are using a magnet to reach into the haystack you will almost never pull out a piece of hay.
The protocol is in charge of producing the proof. Fiat Shamir is a heuristic, some kind of rule of thumb, which consists in using a hash function as a source of randomness.
Cryptographic protocols often feature coin tosses. The idea is that if we replace a hash function in place of the protocol coin tosses, it should still be hard for a malicious prover to craft a false statement with an accepting proof - making the protocol unsound.
Roughly, the meat of the attack consists in baking in the statement being proven the ability for the prover to predict upfront how the hash function is going to behave - hereby breaking the Fiat Shamir heuristic and making the prover able to craft a false statement with an accepting proof.
That’s it, this is “How to Prove False Statements“!
Yes, I happened to study how the Fiat-Shamir transform works a couple years ago, but I only saw it in the context of using it to transform an interactive zero knowledge proof into a digital signature scheme.
So, if the prover can know beforehand how an hash function behaves, wouldn't this make it a more general attack on hash functions (so potentially even worse than how it is presented in the article) and the Fiat-Shamir transform is only broken as a consequence of it relying on an hash function? If not, why?
This is not an attack on hash functions in general. In this paper, the authors build a statement (or "circuit") which should, by construction, not have any accepting claim. Yet, they show that when using GKR along the FS transform, you can still get accepting proofs.
This has to do with "how an hash function behaves" in the sense that, in the context of a specific protocol (GKR), it is possible to bake in the circuit the ability to predict the randomness obtained from hashing the statement itself and the public values satisfying it.
What does "easy" mean in this context? From my [ignorant] reading, it sounds like it requires being able compute a fixed point for the hash function in order to be able to integrate it into the program and respond differently under test. I thought that was one of the things cryptographically secure hash functions explicitly made difficult?
Previous examples which showed how instantiating Fiat Shamir leads to an unsound protocol were so contrived that people use to think that they were a testament to how unlikely breaking FS would be [1].
In "How to Prove False Statements", you can actually build what they show.
The attack does not require a fixed point of the hash function to be integrated into the program, it merely involves an implementation of the hash function included in the program, being fed the exact same input as the hash function used as part of the protocol. This is possible because the input is entirely attacker-controlled, so it's easy to duplicate some values as necessary.
> A modern sparse Transformer, for instance, is not "conscious," but it is an excellent engineering approximation of two core brain functions: the Global Workspace (via self-attention) and Dynamic Sparsity (via MoE).
Could you suggest some literature supporting this claim? Went through your blog post but couldn't find any.
* The prover commits to a starting value (public input)
* Instead of waiting for an interactive challenge, they hash it and use the resulting hash output as if it were a challenge
If we believe the hash is a random oracle (as we do for cryptographic hash functions), then it is hard for the prover to manipulate the challenges. Is that it?
You got it. There are a few nuisances, e.g. the "theorem statement" must be hashed as well so that proving that name=Mickey has a different oracle than proving that name=Goofy, but your basic understanding is correct.
