Return-Path: Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 0CE3DC002C for ; Mon, 11 Apr 2022 18:21:30 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id E69F141525 for ; Mon, 11 Apr 2022 18:21:29 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -1.848 X-Spam-Level: X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: smtp4.osuosl.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AS_WLbVAfmSI for ; Mon, 11 Apr 2022 18:21:28 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) by smtp4.osuosl.org (Postfix) with ESMTPS id 01C4E41519 for ; Mon, 11 Apr 2022 18:21:27 +0000 (UTC) Received: by mail-wr1-x433.google.com with SMTP id s28so8350751wrb.5 for ; Mon, 11 Apr 2022 11:21:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=5jV83CnLsh9hxDgbO3HaZSjwoHG+a0FHWp5IqP7twKk=; b=F4d9CUQSJB3V4Z+tJhhHlYei1HuxflSKczgDZ7XM2dKgLbRuU3Whx9+We3njd7elRF 0YERWD5Dk04sFY5BUzLGGqw7D3oXzb5S7fujAkXEbQ92OzlOVNUWn7Xmol7e2yXm5oTJ O4n+wkjEO+VEEWsMB7vE1aVGn1XBU1qH5TGbPmZJpnyYx/k4Syp/j6aVHt5ybjRSYMr0 hsbcI7khRV8iudKOESsOV2ydcL2dSlpKEXyj20Qw+LqrNYGJX/tLYg1Xe8rXcAf+Bb9k DpavzouJjz9HjtbrITiH+Bky3OGI5OJScKL8RkJpQ5jSxkTKo4XvjitwN/c3PuxqvzT4 c1xg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=5jV83CnLsh9hxDgbO3HaZSjwoHG+a0FHWp5IqP7twKk=; b=IxCT2gaNaDrI/i7NQgz+ECT1vsL7mO/zUhqv/KXDnSL8S6Sxw/is8oPkJYJi1AqP1V fyq6m0ISiBagPQU72cqOwGYVWNxr9af+iQvWd4669gzJucaGbYaFzwCWdvgwEyJYXOAg UPpT24599yj7ZMwFls9wfdU2iIP+adi94iPdqddpsDAxwcs3aGj4Jk9F6YK1snk83o+v dDR78kEr+SD2aWs6p/x/zjYh8NHJMF6vUvpcFmygcjSl+mYRI7EkHob8xJkE8eh2yGbj H35OX7Ambd/+igRvONRZOVxAZOMsRwnUhff7Xj0h+xeQfLj2ihftu1rRaupW/ZRHmRYR Uo+g== X-Gm-Message-State: AOAM531wKBpW+WUbjwxxJ2C7pTDvbPan5iSbIfq4TtG8fDqIToFNFHp6 B/Vb8wLDyG+7OVfCxSDQdUfivD83jv1t4x4i6IE= X-Google-Smtp-Source: ABdhPJwKUG5RIYB/FxpQ3cX5y1kx2G95uEmycM3fVIeGKidkPY+6NbaXtSWQbZSiWjCWYWmINwAlalSV+/UuVYY9WIs= X-Received: by 2002:adf:910d:0:b0:1e3:9484:1601 with SMTP id j13-20020adf910d000000b001e394841601mr24758931wrj.419.1649701285913; Mon, 11 Apr 2022 11:21:25 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Olaoluwa Osuntokun Date: Mon, 11 Apr 2022 14:21:14 -0400 Message-ID: To: Bram Cohen , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="00000000000021e88305dc650327" Subject: Re: [bitcoin-dev] Taro: A Taproot Asset Representation Overlay X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Apr 2022 18:21:30 -0000 --00000000000021e88305dc650327 Content-Type: text/plain; charset="UTF-8" Hi Bram, > The witnesses for transactions need to be put into Bitcoin transactions > even though the Bitcoin layer doesn't understand them Is this related to Ruben's comment about invalid state transitions (published in the base chain) leading to burned assets? In the past, I've considered using the existing annex field in taproot transactions to implement partial reveal of certain data. However, today bitcoind treats annex usage as non-standard, so those transactions may be harder to relay. IMO this is a great place to add minimal extra data, as it doesn't bleed over into the scripting layer (via OP_DROP usages) and since Bitcoin-level signatures also include this field in the sighash, the sigs serve to further authenticate this data. Future op codes that allow Scripts to push annex data onto the stack could also be used to further bind higher level protocols while still allowing the base Bitcoin consensus rules to not have to be explicitly aware of them. > Taro issuance is limited to a single event rather than potentially > multiple events over time subject to special per-asset rules. There's a provision in the protocol that lets a party issuing assets to specify a special public key which is then tweaked with the genesis outpoint, similar to the way the asset IDs are generated. If this key is specified, then future issuance, if signed off by that key, will serve to associate assets of discrete IDs under a single identifier. This feature allows assets issued in multiple tranches to be fungible with one another. > but I am puzzled by the announcement saying Taro assets are 'analogous > with' colored coins. Taro assets are straightforwardly and unambiguously > colored coins and that isn't something to be ashamed of. We've shied away from using the "colored coins' terminology as at this point in the game it's pretty dated: new developers that joined in the last 3 years or so have likely never heard of that term. Explaining the term also requires one to define "coin coloring", and what that actually means, etc, etc. IMO it's simpler to just use the familiar and widely used asset issuance/minting terminology. -- Laolu On Sun, Apr 10, 2022 at 9:10 PM Bram Cohen via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > From: Olaoluwa Osuntokun > >> >> > Furthermore, the Taro script is not enforced by Bitcoin, meaning those >> who >> > control the Bitcoin script can always choose to ignore the Taro script >> and >> > destroy the Taro assets as a result. >> >> This is correct, as a result in most contexts, an incentive exists for the >> holder of an asset to observe the Taro validation rules as otherwise, >> their >> assets are burnt in the process from the PoV of asset verifiers. In the >> single >> party case things are pretty straight forward, but more care needs to be >> taken >> in cases where one attempts to express partial application and permits >> anyone >> to spend a UTXO in question. >> >> By strongly binding all assets to Bitcoin UTXOs, we resolve issues related >> to >> double spending or duplicate assets, but needs to mind the fact that >> assets >> can >> be burnt if a user doesn't supply a valid witness. There're likely ways to >> get >> around this by lessening the binding to Bitcoin UTXO's, but then the >> system >> would need to be able to collect, retain and order all the set of possible >> spends, essentially requiring a parallel network. The core of the system >> as >> it >> stands today is pretty simple (which was an explicit design goal to avoid >> getting forever distracted by the large design space), with a minimal >> implementation being relatively compact given all the Bitcoin >> context/design >> re-use. >> > > The TARO set of tradeoffs is fairly coherent but is subject to certain > limitations (modulo my understanding of it being off): > > The witnesses for transactions need to be put into Bitcoin transactions > even though the Bitcoin layer doesn't understand them > > There needs to be a constraint on Taro transactions which is understood by > the Bitcoin layer (which often/usually happens naturally because there's a > user signature but sometimes doesn't. It's a limitation) > > Multiple Taro coins can't consolidate their value into a single output > because they only support a single linear history > > Taro issuance is limited to a single event rather than potentially > multiple events over time subject to special per-asset rules. > > This seems like a fairly logical approach (although my understanding of > the limitations/tradeoffs could be wrong, especially with regards to > consolidation). There's nothing wrong with a system having well documented > limitations, but I am puzzled by the announcement saying Taro assets are > 'analogous with' colored coins. Taro assets are straightforwardly and > unambiguously colored coins and that isn't something to be ashamed of. > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --00000000000021e88305dc650327 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Bram,

> The witnesses for t= ransactions need to be put into Bitcoin transactions
> even though th= e Bitcoin layer doesn't understand them

Is this related to Ruben= 's comment about invalid state transitions
(published in the base ch= ain) leading to burned assets? In the past, I've
considered using th= e existing annex field in taproot transactions to
implement partial reve= al of certain data. However, today bitcoind treats
annex usage as non-st= andard, so those transactions may be harder to relay.
IMO this is a grea= t place to add minimal extra data, as it doesn't bleed over into
the= scripting layer (via OP_DROP usages) and since Bitcoin-level signaturesalso include this field in the sighash, the sigs serve to further
authe= nticate this data.

Future op codes that allow Scripts to push annex = data onto the stack could
also be used to further bind higher level prot= ocols while still allowing the
base Bitcoin consensus rules to not have = to be explicitly aware of them.

> Taro issuance is limited to a s= ingle event rather than potentially
> multiple events over time subje= ct to special per-asset rules.

There's a provision in the protoc= ol that lets a party issuing assets to
specify a special public key whic= h is then tweaked with the genesis
outpoint, similar to the way the asse= t IDs are generated. If this key is
specified, then future issuance, if = signed off by that key, will serve to
associate assets of discrete IDs u= nder a single identifier. This feature
allows assets issued in multiple = tranches to be fungible with one another.

> but I am puzzled by t= he announcement saying Taro assets are 'analogous
> with' col= ored coins. Taro assets are straightforwardly and unambiguously
> col= ored coins and that isn't something to be ashamed of.

We've = shied away from using the "colored coins' terminology as at this p= oint
in the game it's pretty dated: new developers that joined in th= e last 3
years or so have likely never heard of that term. Explaining th= e term also
requires one to define "coin coloring", and what t= hat actually means, etc,
etc. IMO it's simpler to just use the famil= iar and widely used asset
issuance/minting terminology.

-- Laolu<= br>

On Sun, Apr 10, 2022 at 9:10 PM Bram Cohen via bitcoin-dev <bitcoin-dev@lists.linuxfo= undation.org> wrote:
From: Olaoluwa Osuntokun <= laolu32@gmail.com>

> Furthermore, the Taro script= is not enforced by Bitcoin, meaning those who
> control the Bitcoin = script can always choose to ignore the Taro script and
> destroy the = Taro assets as a result.

This is correct, as a result in most contex= ts, an incentive exists for the
holder of an asset to observe the Taro v= alidation rules as otherwise, their
assets are burnt in the process from= the PoV of asset verifiers. In the
single
party case things are pret= ty straight forward, but more care needs to be
taken
in cases where o= ne attempts to express partial application and permits
anyone
to spen= d a UTXO in question.

By strongly binding all assets to Bitcoin UTXO= s, we resolve issues related
to
double spending or duplicate assets, = but needs to mind the fact that assets
can
be burnt if a user doesn&#= 39;t supply a valid witness. There're likely ways to
get
around t= his by lessening the binding to Bitcoin UTXO's, but then the system
= would need to be able to collect, retain and order all the set of possible<= br>spends, essentially requiring a parallel network. The core of the system= as
it
stands today is pretty simple (which was an explicit design go= al to avoid
getting forever distracted by the large design space), with = a minimal
implementation being relatively compact given all the Bitcoin = context/design
re-use.



=
There needs to be a constraint on Taro transactions which is understoo= d by the Bitcoin layer (which often/usually happens naturally because there= 's a user signature but sometimes doesn't. It's a limitation)

Multiple Taro coins can't consolidate their val= ue into a single output because they only support a single linear history

Taro issuance is limited to a single event rather t= han potentially multiple events over time subject to special per-asset rule= s.

This seems like a fairly logical approach (alth= ough my understanding of the limitations/tradeoffs could be wrong, especial= ly with regards to consolidation). There's nothing wrong with a system = having well documented limitations, but I am puzzled by the announcement sa= ying Taro assets are 'analogous with' colored coins. Taro assets ar= e straightforwardly and unambiguously colored coins and that isn't some= thing to be ashamed of.
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--00000000000021e88305dc650327--