Along remotely similar lines: While looking into the current way bitcoind can already do an UTXO hash, as available through gettxoutsetinfo, I found a short discussion on BCT: https://archive.fo/lEpEhI went looking into libsecp256k1 a while back to see if the improvements were invented by core or had been created elsewhere and just integrated but couldn't get a good handle on that. I did notice that, when looking at the commits, compared to other contributors (one in particular), Maxwell's were much fewer and more janitorial in nature. Not that there's anything wrong with that but I've seen some commenters talk as if he's some kind of coding god and brought us libsecp256k1 all by himself.

In it, someone comes up with the idea to 'just XOR the UTXO hashes together'. Greg gave an answer that I tried to parse and I'd really like to have the input of some people better-versed in cryptography than the relative layman that I certainly am:

Now:Congrats, you win today's failed cryptography trophy. That kind of structure is trivially to second preimage attacks using wagners algorithm for solutions to the subset sum problem. Order independent accumulators are a tricky subject, the only that I'm aware of that have any real argument for security have huge hashes and are very slow.and xor all the hashes together to get the final value.

- I don't question the unwiseness of using XOR to combine hashes, among other things because hash(thing) ^ hash(thing) == 0

- However, I don't see anything really
*trivial*here - However, 'Wagner's algorithm' must be shorthand for an algorithm that I still fail to find
- However, any algorithm will still be exponential in the number of hashes or the number of bits to zero. I fail to see how e.g. dynamic programming as a common scheme to solve it (typical CS homework) would be a successful attack on this, because it basically degrades to brute-forcing

@albin:

Yes, that sounds very reasonable. I always wanted to instrument my bitcoind to make more analyses on the typical age/value of UTXOs spend, and on exactly such correlations like UTXO growth vs. price. This might also be a way to get clues about the growth of our userbase.@awemany

WRT the issue of utxo set, is it really true that blocksize is the actual primary driver of growth?

Isn't it entirely possible that the bitcoin price drives the size of the utxo set, by making smaller denomination outputs economically meaningful?

Yesterday, I saw that we have just short of 200mio transactions made in total on the network, and about 45mio UTXOs. (Which also means that there's less than 45mio Bitcoiners, but that's probably a gross overestimation...)

In any case, that means on average, over the lifespan of Bitcoin, we have just every fourth transaction creating an UTXO. I don't think that's too bad, that's IMO a quite low 'UTXO creation ratio'. Especially given that so far we'd expect Bitcoin to grow strongly in user base (and thus that's reflected a lot more in the UTXO set).

With your assumption (that one could look at the data to prove/disprove), constraining the UTXO set size would thus go against the dynamics for a higher price and against the dynamics for a larger user base.

Sounds familiar, doesn't it?

Finally, I just wrote this on Reddit and I think everyone would get a clearer picture if we'd start to divide the 'people interested in Bitcoin' into various faction exerting different pulls on the direction this beast is taking. I am personally aligned with several factions (user, holder, miner) to varying degrees. After I wrote that, it once more appears clear as day to me that we've been played by outsiders for the last couple years.