Hi ZmnSCPxj,
I do mean to have specialized computing power vendors, which could happen to be miners, or not. Optiming ZKP computations is rather different from Bitcoin mining so I expect those vendors to be from more research-driven teams focused in cryptographic engineering.
I am open to whether to put those transactions in mempool or not. I apologize for giving an inaccurate number earlier about the verification cost. I just ran gnark-bench on my Mac M2, it turns out the cost for Groth16 verification could be as fast as 1ms. For Plonk it is around 1.6ms. So it seems even a common fullnode could handle thousands of OP_ZKP transactions. In that case, the ZKP transactions could be put into mempool, and be open to be aggregated by some vendor. Fullnodes should verify these transactions as well. It does not seem a good idea to treat them with special rules as there is no guarantee that certain OP_ZKP transactions will be aggregated or recursively verified. Of course, the weighting should be well benchmarked and calculated. The cost for those *standalone* OP_ZKP transactions might be higher due to more data and/or higher weighting. This incentivizes vendors to develop aggregation / recursive verification services to drive down the fee requirements and profit from doing so (fee extraction). I also expect to see an open market where various vendors can compete against each other, so it makes sense to have these transactions openly visible to all participants.
Meanwhile, some transactions are meant to be off-chain. For example, a would-be smart contract can aggregate many related transactions in a OP_ZKP transaction. Those aggregated transactions should *not* be transmitted within the Bitcoin network. They could even be *not* valid Bitcoin transactions. Usually the smart contract operator or its community could host such a service.
Consider a potential situation in a few years: there are thousands of active smart contracts based on OP_ZKP, and each block contains a few hundred OP_ZKP transactions, each one of them aggregates / recursively verifies many transactions. The effective TPS of the Bitcoin network could far exceed the current value, reaching the range of thousands or even more.
Hope this clarifies.
Weiji