summaryrefslogtreecommitdiff
path: root/dc/b8d638d271209813dad294eedc1d807bf46424
blob: d1271520ede7164d170fe8ec1ee343b3d75850b9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
Return-Path: <alex.schoof@gmail.com>
Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 203C4C0012;
 Thu,  7 Apr 2022 19:11:54 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp4.osuosl.org (Postfix) with ESMTP id F20CC40999;
 Thu,  7 Apr 2022 19:11:53 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: smtp4.osuosl.org (amavisd-new);
 dkim=pass (2048-bit key) header.d=gmail.com
Received: from smtp4.osuosl.org ([127.0.0.1])
 by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id nVgB31KKu9BG; Thu,  7 Apr 2022 19:11:51 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-io1-xd35.google.com (mail-io1-xd35.google.com
 [IPv6:2607:f8b0:4864:20::d35])
 by smtp4.osuosl.org (Postfix) with ESMTPS id 0677A408AE;
 Thu,  7 Apr 2022 19:11:50 +0000 (UTC)
Received: by mail-io1-xd35.google.com with SMTP id k25so7984899iok.8;
 Thu, 07 Apr 2022 12:11:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=7NI9q80Rh7peFXN41UW/8BEtNH4CYHo/6icZTRBWqxE=;
 b=EZ6v0ZZwiUMuc4fOrNVu6KcWbr7tTsjwZdJK228lDw+dXXqpvWqaUlJ1ISmwabmVLB
 1qV/eszg4FMi12ow+2MX8e2N9IUu8ZrSHnBafSyQWXkG9kqomoT+SMRfw7GD54PpOcRq
 Uvo56X4FLo/IGxjYqSaasw5xto8DI3woGo0XrI5tWn9vQ4RTu2oNHlK3G9aqKJBy0sKg
 d4g7zyRskYiBHYhxaz+ef/TyWjq0tWliQAqz31mLoMyyByeCfRLc/FEazvBDHITM7UCh
 NCYmpL4QCQzEYNk604IvYoyP7c6DLmZiOUnqiqbTilkW0YCTpex/bNwCoyCtNKGZcX7g
 KxMg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=7NI9q80Rh7peFXN41UW/8BEtNH4CYHo/6icZTRBWqxE=;
 b=D7Gs2Ua3ne/j7RJb0/l2/w8nLkfI8LvYgZvUxn6XqXS67Tzaqem9+SWmm4VAVizU24
 7N04mHh6gkCpeSdPz9pkXnxLFydh/m4fY+y+oCN9jSPsR4X7ajfIVwMgnS+cw4GHRZsB
 x6xfXbQ3s8HXJSi3a+Zltr0L1q5OMS7d236jPVfPdJsc68xUCy73VjDZIH6ODKwi+nZL
 +B0///m2gDJeBaRjafcWdi50bXttOHGdRsq6MvOCpFoTjcLgSp10NJo5JcW8AjKIfPgt
 m/fWGeYM7baPoczgXSfLaE3cwD/klZdbTFLiiiJccWFApDNgBb5TYxBsyT4KA1yuTt+b
 mPew==
X-Gm-Message-State: AOAM530CDkYmSPwQQuVr9/uEuLvHfkeCkGi1oHtPZc1Scco4hA3LrNGA
 xcIOqZXn6Z80L6vXtT+HCdk7TTfrS2GtnsmQfX3kLLOfKFc=
X-Google-Smtp-Source: ABdhPJwwlMHDZoPaLPt797VIIOIQhKfIi18Cl7N+/uxBG1Q8H8ds9440XsY0nI7/DtT6DkIUmeMGI1P7+2kmePATyEY=
X-Received: by 2002:a05:6602:2e10:b0:649:e2d4:3334 with SMTP id
 o16-20020a0566022e1000b00649e2d43334mr6836297iow.210.1649358709919; Thu, 07
 Apr 2022 12:11:49 -0700 (PDT)
MIME-Version: 1.0
References: <CAO3Pvs_pkYAYsrAEtv3KuJevXQHBLZQ-ihjP4Ur_A1NjJRA+Lw@mail.gmail.com>
 <CAPv7TjYTjvSV7UFgOwif6tFj3jVxDfJdW-p_cyPoAGGWKQbwRQ@mail.gmail.com>
In-Reply-To: <CAPv7TjYTjvSV7UFgOwif6tFj3jVxDfJdW-p_cyPoAGGWKQbwRQ@mail.gmail.com>
From: Alex Schoof <alex.schoof@gmail.com>
Date: Thu, 7 Apr 2022 15:11:39 -0400
Message-ID: <CA+2b5C058bdGfqB9uzSHkv3Q4=mC=fRdNJAuxErkXfKF2X-Siw@mail.gmail.com>
To: Ruben Somsen <rsomsen@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000000316a105dc15400a"
X-Mailman-Approved-At: Thu, 07 Apr 2022 19:44:14 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
 lightning-dev <lightning-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] [Lightning-dev] Taro: A Taproot Asset
 Representation Overlay
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2022 19:11:54 -0000

--0000000000000316a105dc15400a
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hey Laolu,

Really interesting protocol. I'm not all the way through all of the docs
yet, but had a few questions/comments:
- The top-level doc (
https://github.com/Roasbeef/bips/blob/bip-taro/bip-taro.mediawiki) talks
about embedding overlay metadata in the taproot script tree. From my
reading, it seems like what gets committed is the root of the taro MS-SMT
tree, while leaves of the tree itself are off-chain in a proof file. If
that's the case, did you look at other mechanisms to commit to a merkle
root? For example, I believe mainstay[1] uses a
pay-to-contract/bip175[2]-like scheme to commit sidechain merkle roots to
p2pkh/p2sh addresses with signature tweaks. Are there other interesting (to
taro) spend-paths that need to be allowed that led to the taproot script
tree being particularly helpful?

- It appears that the transfer proofs are kept off-chain in another file
which is passed between users, where the receiver can validate the transfer
according to whatever semantics the taro-vm has at that moment and refuse
to credit the sender if the transfer breaks some business logic or
validation rules. This reminds me a lot of single-use-seals[3]. Is that the
right way to think about what's going on here? If it is, then it looks like
a Universe/Multiverse is an offload/aggregation mechanism that can keep
track of asset lineages on behalf of users, which would be useful for light
clients of heavily-used asset types (so your mobile client doesnt have to
traverse the transfer lineage of some high-liquidity stablecoin or
something).

- Rubin made a good point above about how something like a conditional
transfer in a taro asset won't necessarily cause the conditional bitcoin
transfer to fail. My first thought was to have the "carrier utxo" for a
taro asset be really small, like dust + some buffer. The thought being that
I'm basically just paying gas and if I lose `dust+buffer` amount of bitcoin
but not a lot of some token, then that's not great but not terrible. Where
it gets bad is if the value of the taro asset that you're trying to
transfer is close to or less than the value of the bitcoin that's being
used to do the transfer.

- There's been a lot of talk lately on the bitcoin-dev list about
covenants, and I wonder if some of those designs (specifically TLUV or CTV)
might be useful with Taro, to "lift" some of the taro conditions into
covenants that encumber the underlying bitcoin. I don't have a design or
anything, wondering if you've given this any thought.

- was this originally named CMYK?

Thanks,
Alex


[1]
https://cloudflare-ipfs.com/ipns/ipfs.commerceblock.com/commerceblock-white=
paper-mainstay.pdf
[2] https://github.com/bitcoin/bips/blob/master/bip-0175.mediawiki
[3] https://petertodd.org/2016/commitments-and-single-use-seals

On Thu, Apr 7, 2022 at 1:14 PM Ruben Somsen <rsomsen@gmail.com> wrote:

> Hi Laolu,
>
> Nice work. This is an interesting protocol, in my opinion.
>
> Seeing as there's a large amount of overlap with RGB, a protocol which I
> have examined quite extensively, I believe some of the issues I uncovered
> in that project also apply here.
>
> The biggest issue revolves around the scripting expectations for this
> protocol. Taro is described as being able to have its own scripting
> capabilities that will initially be similar to Bitcoin and eventually be
> made to do more. I'm afraid this is fundamentally impossible. Conditional
> scripts (and thus most scripts that could potentially be of interest) won=
't
> be possible if the satisfaction of the condition is not recorded publicly
> on-chain.
>
> The core problem here is that you have two levels of scripting. At the
> Bitcoin level the UTXO is encumbered by the Bitcoin script, then at the
> Taro level you have yet another script. This may seem similar at first
> glance to how taproot has a key path and a script path, but there are a f=
ew
> key differences. In taproot only one of the two needs to be satisfied,
> while here you need to satisfy both. Furthermore, the Taro script is not
> enforced by Bitcoin, meaning those who control the Bitcoin script can
> always choose to ignore the Taro script and destroy the Taro assets as a
> result.
>
> I'll describe an example. Imagine Alice wants to send Bob a payment insid=
e
> Taro, but she wants to make it conditional. Bob gets the Taro tokens if h=
e
> reveals a pre-image, while Alice can claim the tokens back after the
> timelock expires (i.e. the minimum scripting requirements for HTLCs). Ali=
ce
> starts by locking up coins in a 2-of-2 multisig on the mainchain with som=
e
> Taro tokens inside. She then gives Bob a pre-signed transaction that only
> requires him to reveal the pre-image in order to claim the tokens. The
> issue here is that from Bitcoin's perspective, you're giving Bob a valid
> transaction, regardless of whether he reveals the pre-image. If Bob
> maliciously broadcasts it without the pre-image, he will have destroyed
> your tokens.
>
> Of course this was a contrived example, as these conditions could simply
> take place entirely in Bitcoin script, but it demonstrates that Taro scri=
pt
> fundamentally cannot handle conditional payments, which is the basis for
> any meaningful script other than self-encumbering covenants (i.e. if you
> send your Taro tokens in any way other than specified, the tokens will be
> destroyed). Luckily this has no effect on whether Taro can function over
> Lightning, because solely relying on Bitcoin's scripting capabilities
> should be sufficient for that use case.
>
> As a side note, it may be worth pointing out that it *is* possible to
> create conditional payments if the satisfaction of the condition is
> recorded publicly on the mainchain (e.g. in an op_return), making it sort
> of a hybrid on-chain/off-chain model, but it would increase complexity
> considerably. I can explain this model in more detail, if it happens to
> interest you.
>
> Now there's a second issue I want to bring up, but unfortunately my
> understanding of how exactly you made assets divisible is not complete
> enough to know how this problem might have manifested in Taro. Nonetheles=
s,
> I'll try to describe it.
>
> One of the core concepts of Taro/RGB is that the sender of the token has
> to reveal the history to the recipient. In case of an NFT the history is
> simply every prior owner and grows linearly, but in the case of fungible
> tokens things are more complicated. Let's say Carol receives 2 fungible
> Taro tokens from Alice and 3 fungible Taro tokens from Bob. Now Carol wan=
ts
> to send 4 of them to Dave and keep 1. There are two possible designs here=
:
>
> a.) The token history remains separate =E2=80=93 Dave receives Alice's 2 =
tokens,
> Bob's tokens are split and he receives 2 (or 3 from Bob 1 from Alice).
>
> b.) The token history gets merged =E2=80=93 Dave receives 4 tokens (linki=
ng the
> new output with both Alice and Bob's history).
>
> The issue with a.) is that you're only ever fragmenting tokens, so
> eventually you end up with lots of tiny but separate amounts. This will
> cause making large payments to involve sending lots of tokens, each with
> their own history. Under this model, I suspect the fixed value token mode=
l
> (e.g. 1, 2, 4, 8) might be preferable, as this prevents the entire supply
> from getting split into tiny fragments.
>
> The issue with b.) is that you end up with a linked transaction graph,
> just like in Bitcoin. If you pick a random Bitcoin UTXO and try to trace =
it
> back to a coinbase, you'll quickly find that it could have come from many
> of them. The graph that you'd traverse to get to all of these coinbases i=
s
> equivalent to the amount of history that a recipient of a Taro token has =
to
> validate in order to accept it, which I suspect quickly becomes a
> bottleneck that is not unlike that of a regular blockchain.
>
> It'd probably be wise to make a model of the potential transaction flow,
> and simulate how it affects the size of the history in order to determine
> what's the best approach and to generally get a better idea of how it
> affects scaling. Also, the repeated sharing of history makes me skeptical
> about the privacy this protocol may provide. If large amounts of history
> moved through the hands of a large number of people, it wouldn't be very
> private.
>
> There's a third third smaller issue I want to point out, which is easily
> fixable and perhaps was just a typo. In your slides, you showed a
> screenshot of a taproot tree containing the Taro tree as the third elemen=
t
> of four. This implies the location of the Taro tree inside the taproot tr=
ee
> is not fixed. What needs to be prevented here is that a taproot tree
> contains more than one Taro tree, as that would enable the owner of the
> commitment to show different histories to different people.
>
> Finally, let me conclude with two questions. Could you clarify the purpos=
e
> of the sparse merkle tree in your design? I suppose you want to be able t=
o
> open a commitment and show it contains a certain asset without having to
> reveal any of the other assets and simultaneously guarantee that you
> haven't committed to the same asset twice (i.e. the SMT guarantees each
> asset gets a specific location in the tree)? Or is there another reason?
>
> And the second question =E2=80=93 when transferring Taro token ownership =
from one
> Bitcoin UTXO to another, do you generate a new UTXO for the recipient or =
do
> you support the ability to "teleport" the tokens to an existing UTXO like
> how RGB does it? If the latter, have you given consideration to timing
> issues that might occur when someone sends tokens to an existing UTXO tha=
t
> simultaneously happens to get spent by the owner?
>
> In any case, I hope this email was useful. Feel free to reach out if I ca=
n
> clarify anything.
>
> Good luck with the protocol.
>
> Best regards,
> Ruben
>
> On Tue, Apr 5, 2022 at 5:06 PM Olaoluwa Osuntokun via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Hi y'all,
>>
>> I'm excited to publicly publish a new protocol I've been working on over
>> the
>> past few months: Taro. Taro is a Taproot Asset Representation Overlay
>> which
>> allows the issuance of normal and also collectible assets on the main
>> Bitcoin
>> chain. Taro uses the Taproot script tree to commit extra asset structure=
d
>> meta
>> data based on a hybrid merkle tree I call a Merkle Sum Sparse Merkle Tre=
e
>> or
>> MS-SMT. An MS-SMT combined the properties of a merkle sum tree, with a
>> sparse
>> merkle tree, enabling things like easily verifiable asset supply proofs
>> and
>> also efficient proofs of non existence (eg: you prove to me you're no
>> longer
>> committing to the 1-of-1 holographic beefzard card during our swap). Tar=
o
>> asset
>> transfers are then embedded in a virtual/overlay transaction graph which
>> uses a
>> chain of asset witnesses to provably track the transfer of assets across
>> taproot outputs. Taro also has a scripting system, which allows for
>> programmatic unlocking/transfer of assets. In the first version, the
>> scripting
>> system is actually a recursive instance of the Bitcoin Script Taproot VM=
,
>> meaning anything that can be expressed in the latest version of Script
>> can be
>> expressed in the Taro scripting system. Future versions of the scripting
>> system
>> can introduce new functionality on the Taro layer, like covenants or oth=
er
>> updates.
>>
>> The Taro design also supports integration with the Lightning Network
>> (BOLTs) as
>> the scripting system can be used to emulate the existing HTLC structure,
>> which
>> allows for multi-hop transfers of Taro assets. Rather than modify the
>> internal
>> network, the protocol proposes to instead only recognize "assets at the
>> edges",
>> which means that only the sender+receiver actually need to know about an=
d
>> validate the assets. This deployment route means that we don't need to
>> build up
>> an entirely new network and liquidity for each asset. Instead, all asset
>> transfers will utilize the Bitcoin backbone of the Lightning Network,
>> which
>> means that the internal routers just see Bitcoin transfers as normal, an=
d
>> don't
>> even know about assets at the edges. As a result, increased demand for
>> transfers of these assets as the edges (say like a USD stablecoin), whic=
h
>> in
>> will turn generate increased demand of LN capacity, result in more
>> transfers, and
>> also more routing revenue for the Bitcoin backbone nodes.
>>
>> The set of BIPs are a multi-part suite, with the following breakdown:
>>  * The main Taro protocol:
>> https://github.com/Roasbeef/bips/blob/bip-taro/bip-taro.mediawiki
>>  * The MS-SMT structure:
>> https://github.com/Roasbeef/bips/blob/bip-taro/bip-taro-ms-smt.mediawiki
>>  * The Taro VM:
>> https://github.com/Roasbeef/bips/blob/bip-taro/bip-taro-vm.mediawiki
>>  * The Taro address format:
>> https://github.com/Roasbeef/bips/blob/bip-taro/bip-taro-addr.mediawiki
>>  * The Taro Universe concept:
>> https://github.com/Roasbeef/bips/blob/bip-taro/bip-taro-universe.mediawi=
ki
>>  * The Taro flat file proof format:
>> https://github.com/Roasbeef/bips/blob/bip-taro/bip-taro-proof-file.media=
wiki
>>
>> Rather than post them all in line (as the text wouldn't fit in the
>> allowed size
>> limit), all the BIPs can be found above.
>>
>> -- Laolu
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
> _______________________________________________
> Lightning-dev mailing list
> Lightning-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>


--=20


Alex Schoof

--0000000000000316a105dc15400a
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hey Laolu,<div><br></div><div>Really interesting protocol.=
 I&#39;m not all the way through all of the docs yet, but had a few questio=
ns/comments:=C2=A0</div><div>- The top-level doc (<a href=3D"https://github=
.com/Roasbeef/bips/blob/bip-taro/bip-taro.mediawiki">https://github.com/Roa=
sbeef/bips/blob/bip-taro/bip-taro.mediawiki</a>) talks about embedding over=
lay metadata in the taproot script tree. From my reading, it seems like wha=
t gets committed is the root of the taro MS-SMT tree, while leaves of the t=
ree itself are off-chain=C2=A0in a proof file. If that&#39;s the case, did =
you look at other mechanisms to commit to a merkle root? For example, I bel=
ieve mainstay[1] uses a pay-to-contract/bip175[2]-like scheme to commit sid=
echain merkle roots to p2pkh/p2sh addresses with signature tweaks. Are ther=
e other interesting (to taro) spend-paths that need to be allowed that led =
to the taproot script tree being particularly helpful?</div><div><br></div>=
<div>- It appears that the transfer proofs are kept off-chain in another fi=
le which is passed between users, where the receiver=C2=A0can validate the =
transfer according to whatever semantics the taro-vm has at that moment and=
 refuse to credit the sender if the transfer breaks some business logic or =
validation rules. This reminds me a lot of single-use-seals[3]. Is that the=
 right way to think about what&#39;s going on here? If it is, then it looks=
 like a Universe/Multiverse is an offload/aggregation mechanism that can ke=
ep track of asset lineages on behalf of users, which would be useful for li=
ght clients of heavily-used asset types (so your mobile client doesnt=C2=A0=
have to traverse the transfer lineage of some high-liquidity stablecoin or =
something).=C2=A0</div><div><br></div><div>- Rubin made a good point above =
about how something like a conditional transfer in a taro asset won&#39;t n=
ecessarily cause the conditional bitcoin transfer to fail. My first thought=
 was to have the &quot;carrier utxo&quot; for a taro asset be really small,=
 like dust=C2=A0+ some buffer. The thought being that I&#39;m basically jus=
t paying gas and if I lose `dust+buffer` amount of bitcoin but not a lot of=
 some token, then that&#39;s not great but not terrible. Where it gets bad =
is if the value of the taro asset that you&#39;re trying to transfer is clo=
se to or less than the value of the bitcoin that&#39;s being used to do the=
 transfer.=C2=A0</div><div><br></div><div>- There&#39;s been a lot of talk =
lately on the bitcoin-dev list about covenants, and I wonder if some of tho=
se designs (specifically TLUV or CTV) might be useful with Taro, to &quot;l=
ift&quot; some of the taro conditions into covenants that encumber the unde=
rlying bitcoin. I don&#39;t have a design or anything, wondering if you&#39=
;ve given this any thought.=C2=A0</div><div><br></div><div>- was this origi=
nally named CMYK?=C2=A0</div><div><br></div><div>Thanks,</div><div>Alex</di=
v><div><br></div><div><br></div><div>[1]=C2=A0<a href=3D"https://cloudflare=
-ipfs.com/ipns/ipfs.commerceblock.com/commerceblock-whitepaper-mainstay.pdf=
">https://cloudflare-ipfs.com/ipns/ipfs.commerceblock.com/commerceblock-whi=
tepaper-mainstay.pdf</a></div><div>[2]=C2=A0<a href=3D"https://github.com/b=
itcoin/bips/blob/master/bip-0175.mediawiki">https://github.com/bitcoin/bips=
/blob/master/bip-0175.mediawiki</a></div><div>[3]=C2=A0<a href=3D"https://p=
etertodd.org/2016/commitments-and-single-use-seals">https://petertodd.org/2=
016/commitments-and-single-use-seals</a></div></div><br><div class=3D"gmail=
_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Thu, Apr 7, 2022 at 1:14 P=
M Ruben Somsen &lt;<a href=3D"mailto:rsomsen@gmail.com">rsomsen@gmail.com</=
a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0p=
x 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-c=
olor:rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div>Hi Laolu,<br>=
</div><div><br></div><div>Nice work. This is an=C2=A0interesting protocol, =
in my opinion.<br><div><br></div><div>Seeing as there&#39;s a large amount =
of overlap with RGB, a protocol which I have examined quite extensively, I =
believe some of the issues I uncovered in that project also apply here.=C2=
=A0</div><div><br></div><div>The biggest issue revolves around the scriptin=
g expectations for this protocol. Taro is described as being able to have i=
ts own scripting capabilities that will initially be similar to Bitcoin and=
 eventually be made to do more. I&#39;m afraid this is fundamentally imposs=
ible. Conditional scripts (and thus most scripts that could potentially be =
of interest) won&#39;t be possible if the satisfaction of the condition is =
not recorded publicly on-chain.</div></div><div><br></div><div>The core pro=
blem here is that you have two levels of scripting. At the Bitcoin level th=
e UTXO is encumbered by the Bitcoin script, then at the Taro level you have=
 yet another script. This may seem similar at first glance to how taproot h=
as a key path and a script path, but there are a few key differences. In ta=
proot only one of the two needs to be satisfied, while here you need to sat=
isfy both. Furthermore, the Taro script is not enforced by Bitcoin, meaning=
 those who control the Bitcoin script can always choose to ignore the Taro =
script and destroy the Taro assets as a result.</div><div><br></div><div>I&=
#39;ll describe an example. Imagine Alice wants to send Bob a payment insid=
e Taro, but she wants to make it conditional. Bob gets the Taro tokens if h=
e reveals a pre-image, while Alice can claim the tokens back after the time=
lock expires (i.e. the minimum scripting requirements for HTLCs). Alice sta=
rts by locking up coins in a 2-of-2 multisig on the mainchain with some Tar=
o tokens inside. She then gives Bob a pre-signed transaction that only requ=
ires him to reveal the pre-image in order to claim the tokens. The issue he=
re is that from Bitcoin&#39;s perspective, you&#39;re giving Bob a valid tr=
ansaction, regardless of whether he reveals the pre-image. If Bob malicious=
ly broadcasts it without the pre-image, he will have destroyed your tokens.=
</div><div><br></div><div>Of course this was a contrived example, as these =
conditions could simply take place entirely in Bitcoin script, but it demon=
strates that Taro script fundamentally cannot handle conditional payments, =
which is the basis for any meaningful script other=C2=A0than self-encumberi=
ng covenants (i.e. if you send your Taro tokens in any way other than speci=
fied, the tokens will be destroyed). Luckily this has no effect on whether =
Taro can function over Lightning, because solely relying on Bitcoin&#39;s s=
cripting capabilities should be sufficient for that use case.</div><div><br=
></div><div>As a side note, it may be worth pointing out that it *is* possi=
ble to create conditional payments if the satisfaction of the condition is =
recorded publicly on the mainchain (e.g. in an op_return), making it sort o=
f a hybrid on-chain/off-chain model, but it would increase complexity consi=
derably. I can explain this model in more detail, if it happens to interest=
 you.</div><div><br></div><div>Now there&#39;s a second issue I want to bri=
ng up, but unfortunately my understanding of how exactly you=C2=A0made asse=
ts divisible is not complete enough to know how this problem might have man=
ifested in Taro. Nonetheless, I&#39;ll try to describe it.</div><div><br></=
div><div>One of the core concepts of Taro/RGB is that the sender of the tok=
en has to reveal the history to the recipient. In case of an NFT the histor=
y is simply every prior owner and grows linearly, but in the case of fungib=
le tokens things are more complicated. Let&#39;s say Carol receives 2 fungi=
ble Taro tokens from Alice and 3 fungible Taro tokens from Bob. Now Carol w=
ants to send 4 of them to Dave and keep=C2=A01. There are two possible desi=
gns here:</div><div><br></div><div>a.) The token history remains separate =
=E2=80=93 Dave receives Alice&#39;s 2 tokens, Bob&#39;s tokens are split an=
d he receives 2 (or 3 from Bob 1 from Alice).=C2=A0</div><div><br></div><di=
v>b.) The token history gets merged =E2=80=93 Dave receives 4 tokens (linki=
ng the new output with both Alice and Bob&#39;s history).</div><div><br></d=
iv><div>The issue with a.) is that you&#39;re only ever fragmenting tokens,=
 so eventually you end up with lots of tiny but separate amounts. This will=
 cause making large payments to involve sending lots of tokens, each with t=
heir own history. Under this model, I suspect the fixed value token model (=
e.g. 1, 2, 4, 8) might be preferable, as this prevents the entire supply fr=
om getting split into tiny fragments.</div><div><br></div><div>The issue wi=
th b.) is that you end up with a linked transaction graph, just like in Bit=
coin. If you pick a random Bitcoin UTXO and try to trace it back to a coinb=
ase, you&#39;ll quickly find that it could have come from many of them. The=
 graph that you&#39;d traverse to get to all of these coinbases is equivale=
nt to the amount of history that a recipient of a Taro token has to validat=
e in order to accept it, which I suspect quickly becomes a bottleneck that =
is not unlike that of a regular blockchain.</div><div><br></div><div>It&#39=
;d probably be wise to make a model of the potential transaction flow, and =
simulate how it affects the size of the history in order to determine what&=
#39;s the best approach and to generally get a better idea of how it affect=
s scaling. Also, the repeated sharing of history makes me skeptical about t=
he privacy this protocol may provide. If large amounts of history moved thr=
ough the hands of a large number of people, it wouldn&#39;t be very private=
.</div><div><br></div><div>There&#39;s a third third smaller issue I want t=
o point out, which is easily fixable and perhaps was just a typo. In your s=
lides, you showed a screenshot of a taproot tree containing the Taro tree a=
s the third element of four. This implies the location of the Taro tree ins=
ide the taproot tree is not fixed. What needs to be prevented here is that =
a taproot tree contains more than one Taro tree, as that would enable the o=
wner of the commitment to show different histories to different people.</di=
v><div><br></div><div>Finally, let me conclude with two questions. Could yo=
u clarify the=C2=A0purpose of the=C2=A0sparse merkle tree in your design? I=
 suppose you want to be able to open a commitment and show it contains a ce=
rtain asset without having to reveal any of the other assets and simultaneo=
usly guarantee that you haven&#39;t committed to the same asset twice (i.e.=
 the SMT guarantees each asset gets a specific location in the tree)? Or is=
 there another reason?</div><div><br></div><div>And the second question =E2=
=80=93 when transferring Taro token ownership from one Bitcoin UTXO to anot=
her, do you generate a new UTXO for the recipient or do you support the abi=
lity to &quot;teleport&quot; the tokens to an existing UTXO like how RGB do=
es it? If the latter, have you given consideration to timing issues that mi=
ght occur when someone sends tokens to an existing UTXO that simultaneously=
 happens to get spent by the owner?</div><div><br></div><div>In any case, I=
=C2=A0hope this email was useful. Feel free to reach out if I can clarify a=
nything.</div><div><br></div><div>Good luck with the protocol.</div><div><b=
r></div><div>Best regards,</div><div>Ruben</div></div><br><div class=3D"gma=
il_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, Apr 5, 2022 at 5:06=
 PM Olaoluwa Osuntokun via bitcoin-dev &lt;<a href=3D"mailto:bitcoin-dev@li=
sts.linuxfoundation.org" target=3D"_blank">bitcoin-dev@lists.linuxfoundatio=
n.org</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"ma=
rgin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border=
-left-color:rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr">Hi y&#39;al=
l, <br><br>I&#39;m excited to publicly publish a new protocol I&#39;ve been=
 working on over the<br>past few months: Taro. Taro is a Taproot Asset Repr=
esentation Overlay which<br>allows the issuance of normal and also collecti=
ble assets on the main Bitcoin<br>chain. Taro uses the Taproot script tree =
to commit extra asset structured meta<br>data based on a hybrid merkle tree=
 I call a Merkle Sum Sparse Merkle Tree or<br>MS-SMT. An MS-SMT combined th=
e properties of a merkle sum tree, with a sparse<br>merkle tree, enabling t=
hings like easily verifiable asset supply proofs and<br>also efficient proo=
fs of non existence (eg: you prove to me you&#39;re no longer<br>committing=
 to the 1-of-1 holographic beefzard card during our swap). Taro asset<br>tr=
ansfers are then embedded in a virtual/overlay transaction graph which uses=
 a<br>chain of asset witnesses to provably track the transfer of assets acr=
oss<br>taproot outputs. Taro also has a scripting system, which allows for<=
br>programmatic unlocking/transfer of assets. In the first version, the scr=
ipting<br>system is actually a recursive instance of the Bitcoin Script Tap=
root VM,<br>meaning anything that can be expressed in the latest version of=
 Script can be<br>expressed in the Taro scripting system. Future versions o=
f the scripting system<br>can introduce new functionality on the Taro layer=
, like covenants or other<br>updates.<br><br>The Taro design also supports =
integration with the Lightning Network (BOLTs) as<br>the scripting system c=
an be used to emulate the existing HTLC structure, which<br>allows for mult=
i-hop transfers of Taro assets. Rather than modify the internal<br>network,=
 the protocol proposes to instead only recognize &quot;assets at the edges&=
quot;,<br>which means that only the sender+receiver actually need to know a=
bout and<br>validate the assets. This deployment route means that we don&#3=
9;t need to build up<br>an entirely new network and liquidity for each asse=
t. Instead, all asset<br>transfers will utilize the Bitcoin backbone of the=
 Lightning Network, which<br>means that the internal routers just see Bitco=
in transfers as normal, and don&#39;t<br>even know about assets at the edge=
s. As a result, increased demand for<br>transfers of these assets as the ed=
ges (say like a USD stablecoin), which in<br>will turn generate increased d=
emand of LN capacity, result in more transfers, and<br>also more routing re=
venue for the Bitcoin backbone nodes.<br><br>The set of BIPs are a multi-pa=
rt suite, with the following breakdown:<br>=C2=A0* The main Taro protocol: =
<a href=3D"https://github.com/Roasbeef/bips/blob/bip-taro/bip-taro.mediawik=
i" target=3D"_blank">https://github.com/Roasbeef/bips/blob/bip-taro/bip-tar=
o.mediawiki</a><br>=C2=A0* The MS-SMT structure: <a href=3D"https://github.=
com/Roasbeef/bips/blob/bip-taro/bip-taro-ms-smt.mediawiki" target=3D"_blank=
">https://github.com/Roasbeef/bips/blob/bip-taro/bip-taro-ms-smt.mediawiki<=
/a><br>=C2=A0* The Taro VM: <a href=3D"https://github.com/Roasbeef/bips/blo=
b/bip-taro/bip-taro-vm.mediawiki" target=3D"_blank">https://github.com/Roas=
beef/bips/blob/bip-taro/bip-taro-vm.mediawiki</a><br>=C2=A0* The Taro addre=
ss format: <a href=3D"https://github.com/Roasbeef/bips/blob/bip-taro/bip-ta=
ro-addr.mediawiki" target=3D"_blank">https://github.com/Roasbeef/bips/blob/=
bip-taro/bip-taro-addr.mediawiki</a><br>=C2=A0* The Taro Universe concept: =
<a href=3D"https://github.com/Roasbeef/bips/blob/bip-taro/bip-taro-universe=
.mediawiki" target=3D"_blank">https://github.com/Roasbeef/bips/blob/bip-tar=
o/bip-taro-universe.mediawiki</a><br>=C2=A0* The Taro flat file proof forma=
t: =C2=A0<a href=3D"https://github.com/Roasbeef/bips/blob/bip-taro/bip-taro=
-proof-file.mediawiki" target=3D"_blank">https://github.com/Roasbeef/bips/b=
lob/bip-taro/bip-taro-proof-file.mediawiki</a><br><br>Rather than post them=
 all in line (as the text wouldn&#39;t fit in the allowed size<br>limit), a=
ll the BIPs can be found above.<br><br>-- Laolu<br></div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>
_______________________________________________<br>
Lightning-dev mailing list<br>
<a href=3D"mailto:Lightning-dev@lists.linuxfoundation.org" target=3D"_blank=
">Lightning-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev=
" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/ma=
ilman/listinfo/lightning-dev</a><br>
</blockquote></div><br clear=3D"all"><div><br></div>-- <br><div dir=3D"ltr"=
 class=3D"gmail_signature"><br><br>Alex Schoof</div>

--0000000000000316a105dc15400a--