ZK STARKs are very powerful and will certainly be useful for off-chain bitcoin smart contracts, rollups, etc, but STARKs are very complicated and inefficient.

An average bitcoin dev could probably implement almost any hash-based signature algorithm in a day or two. Contrastingly, implementing a STARK prover/verifier seems to demand teams of people with years of expert knowledge in the domain. Even established STARK software like [Winterfell](https://github.com/facebook/winterfell/) suffer from awful usability/ergonomics. Read their README and examples, and you'll see what I mean.

I don't think we should build on-chain bitcoin security standards based on such things without a simple easy-to-use library to depend on, like libsecp256k1 is today. Perhaps there will be a more stable and usable STARK library in the future but so far I haven't found any. The closest is [RISC0](https://www.dev.risczero.com/), but AFAICT [it's bugged for secp256k1 usage, and they're not fixing it](https://github.com/risc0/risc0/issues/1455).

conduition

bitcoin

Hash-Based Signature Schemes for Post-Quantum Bitcoin

Thank you!

How do you think a ZK STARKS solution will go down with all the aversion to other "sh$tcoin" technology?