From: "Johan Torås Halseth" <johanth@gmail•com>
To: Olaoluwa Osuntokun <laolu32@gmail•com>
Cc: Bitcoin Protocol Discussion
<bitcoin-dev@lists•linuxfoundation.org>,
lightning-dev <lightning-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] [Lightning-dev] Taro: A Taproot Asset Representation Overlay
Date: Mon, 7 Nov 2022 14:51:12 +0100 [thread overview]
Message-ID: <CAD3i26BkzBSRTqaLxArHJVuE+41SnCzP3JmLoAreF-Lazxgjww@mail.gmail.com> (raw)
In-Reply-To: <CAO3Pvs9EeKu1p9egeeRZduvgX_Xf21rh0N8iRY9xo2m01sw_oA@mail.gmail.com>
Hi Laolu,
Yeah, that is definitely the main downside, as Ruben also mentioned:
tokens are "burned" if they get sent to an already spent UTXO, and
there is no way to block those transfers.
And I do agree with your concern about losing the blockchain as the
main synchronization point, that seems indeed to be a prerequisite for
making the scheme safe in terms of re-orgs and asynchronicity.
I do think the scheme itself is sound though (maybe not off-chain, see
below): it prevents double spending and as long as the clients adhere
to the "rule" of not sending to a spent UTXO you'll be fine (if not
your tokens will be burned, the same way as if you don't satisfy the
Taro script when spending).
Thinking more about the examples you gave, I think you are right it
won't easily be compatible with LN channels though:
If you want to refill an existing channel with tokens, you need the
channel counterparties to start signing new commitments that include
spending the newly sent tokens. A problem arises however, if the
channel is force-closed with a pre-existing commitment from before the
token transfer took place. Since this commitment will be spending the
funding UTXO, but not the new tokens, the tokens will be burned. And
that seems to be harder to deal with (Eltoo style channels could be an
avenue to explore, if one could override the broadcasted commitment).
Tl;dr: I think you're right, the scheme is not compatible with LN.
- Johan
On Sat, Nov 5, 2022 at 1:36 AM Olaoluwa Osuntokun <laolu32@gmail•com> wrote:
>
> Hi Johan,
>
> I haven't really been able to find a precise technical explanation of the
> "utxo teleport" scheme, but after thinking about your example use cases a
> bit, I don't think the scheme is actually sound. Consider that the scheme
> attempts to target transmitting "ownership" to a UTXO. However, by the time
> that transaction hits the chain, the UTXO may no longer exist. At that
> point, what happens to the asset? Is it burned? Can you retry it again? Does
> it go back to the sender?
>
> As a concrete example, imagine I have a channel open, and give you an
> address to "teleport" some additional assets to it. You take that addr, then
> make a transaction to commit to the transfer. However, the block before you
> commit to the transfer, my channel closes for w/e reason. As a result, when
> the transaction committing to the UTXO (blinded or not), hits the chain, the
> UTXO no longer exists. Alternatively, imagine the things happen in the
> expected order, but then a re-org occurs, and my channel close is mined in a
> block before the transfer. Ultimately, as a normal Bitcoin transaction isn't
> used as a serialization point, the scheme seems to lack a necessary total
> ordering to ensure safety.
>
> If we look at Taro's state transition model in contrast, everything is fully
> bound to a single synchronization point: a normal Bitcoin transaction with
> inputs consumed and outputs created. All transfers, just like Bitcoin
> transactions, end up consuming assets from the set of inputs, and
> re-creating them with a different distribution with the set of outputs. As a
> result, Taro transfers inherit the same re-org safety traits as regular
> Bitcoin transactions. It also isn't possible to send to something that won't
> ultimately exist, as sends create new outputs just like Bitcoin
> transactions.
>
> Taro's state transition model also means anything you can do today with
> Bitcoin/LN also apply. As an example, it would be possible for you to
> withdrawn from your exchange into a Loop In address (on chain to off chain
> swap), and have everything work as expected, with you topping off your
> channel. Stuff like splicing, and other interactive transaction construction
> schemes (atomic swaps, MIMO swaps, on chain auctions, etc) also just work.
>
> Ignoring the ordering issue I mentioned above, I don't think this is a great
> model for anchoring assets in channels either. With Taro, when you make the
> channel, you know how many assets are committed since they're all committed
> to in the funding output when the channel is created. However, let's say we
> do teleporting instead: at which point would we recognize the new asset
> "deposits"? What if we close before a pending deposits confirms, how can one
> regain those funds? Once again you lose the serialization of events/actions
> the blockchain provides. I think you'd also run into similar issues when you
> start to think about how these would even be advertised on a hypothetical
> gossip network.
>
> I think one other drawback of the teleport model iiuc is that: it either
> requires an OP_RETURN, or additional out of band synchronization to complete
> the transfer. Since it needs to commit to w/e hash description of the
> teleport, it either needs to use an OP_RETURN (so the receiver can see the
> on chain action), or the sender needs to contact the receiver to initiate
> the resolution of the transfer (details committed to in a change addr or
> w/e).
>
> With Taro, sending to an address creates an on-chain taproot output just
> like sending to a P2TR address. The creation of the output directly creates
> the new asset anchor/output as well, which allows the receiver to look for
> that address on chain just like a normal on chain transaction. To 3rd party
> observers, it just looks like a normal P2TR transfer. In order to finalize
> the receipt of the asset, the receiver needs to obtain the relevant
> provenance proofs, which can be obtained from a multi-verse gRPC/HTTP
> service keyed by the input outpoint and output index. In short, the send
> process is fully async, with the sender and receiver using the blockchain
> itself as a synchronization point like a normal Bitcoin wallet.
>
> -- Laolu
next prev parent reply other threads:[~2022-11-07 13:51 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-05 15:06 [bitcoin-dev] " Olaoluwa Osuntokun
2022-04-07 17:14 ` Ruben Somsen
2022-04-07 19:11 ` [bitcoin-dev] [Lightning-dev] " Alex Schoof
2022-04-08 17:49 ` Olaoluwa Osuntokun
2022-04-08 17:48 ` [bitcoin-dev] " Olaoluwa Osuntokun
2022-04-10 16:51 ` Ruben Somsen
2022-04-11 19:51 ` Olaoluwa Osuntokun
2022-04-15 13:14 ` Ruben Somsen
2022-11-03 9:26 ` [bitcoin-dev] [Lightning-dev] " Johan Torås Halseth
2022-11-05 0:35 ` Olaoluwa Osuntokun
2022-11-07 13:51 ` Johan Torås Halseth [this message]
2022-04-16 2:43 ` [bitcoin-dev] " Olaoluwa Osuntokun
[not found] ` <CAO6oAq2nC9_0GdoOQbmX3Qt4OsSYzMVBy-vyGczwn1GhLHN2Kw@mail.gmail.com>
2022-10-19 2:40 ` [bitcoin-dev] [Lightning-dev] " Olaoluwa Osuntokun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAD3i26BkzBSRTqaLxArHJVuE+41SnCzP3JmLoAreF-Lazxgjww@mail.gmail.com \
--to=johanth@gmail$(echo .)com \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
--cc=laolu32@gmail$(echo .)com \
--cc=lightning-dev@lists$(echo .)linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox