đź“… Original date posted:2023-04-18
🗒️ Summary of this message: The email discusses the invalidity of a proposed setup for using RGB with BTC and suggests a new setup involving creating an RGB contract with BTC* and specific conditions.
đź“ť Original message:Hi Harding,
This is the continuation from my previous e-mail [1] addressing the
largest and last unanswered question from your reply:
> To give my own example of the problem <… description follows …>
I am not entirely understand your argument or question, even though
I have spent a lot of time trying to crack it. For me it seems that
this is due to different paradigms we are thinking in. Client-side-
validation and work on RGB had required me to dramatically change
the way I see distributed systems, bitcoin and other “blockchains”
and multi-party contracts, thus this may have caused inability to
speak in the same terms. For me, the setup you are describing
doesn’t make sense at all: there is no reason of doing things with
RGB that way. I.e, you are suggesting invalid setup - and then
prove that it is not working :).
I will try first to explain why I think the reasoning you are
putting into the argument is invalid in the assumptions: nobody
should expect that RGB somehow magically makes on-chain BTC (I will
use this acronym to distinguish BTC-as-money from bitcoin-as-
blockchain or tech) more programmable or anyhow better: it is
impossible without softfork or a hardfork on _blockchain consensus_
level. What is possible is to add functionality on top of that; but
anything additional won’t work for BTC unless it is “lifted” into
that new layer. This is true with sidechains, this is true with
Lightning, this is for sure true with RGB. So any setups we are
analyzing must analyze such lifted BTC* in RGB as a value, and not
an on-chain. Next, most forms of contracts do not require a new
token, so I propose not to make setups more complex and start
discussing them without introducing a new tokens unless it is
really required.
Now, my setup to cover your case (or at least what I understood
from it) would be the following:
1. Assume we have some BTC lifted to RGB, which we will name BTC*.
(let’s leave the question on how to do that aside; it can be
discussed separately).
2. > Bob doesn't believe that there's a number which can be
multiplied by to produce 4. He's willing to pay a bounty for
proof that he's wrong.
This part I will take from your letter without changes, however
will skip the rest about production of some tokens etc, which
is unnecessary here.
(Please correct me if I am wrong in understanding what you wanted
to achieve and I will correct it - for instance I can't understand
why we need some Carol(s) at all).
To fulfill the described setup, Bob have to create a new RGB
contract (its **genesis**) featuring BTC* AND providing the
following conditions (in the contract **schema**, which is a part
of genesis):
1. The value of BTC* is preserved within the contract not attached
to any of UTXOs (it has become possible with RGB v0.10
introduction of “global state”)
2. BTC* can be reclaimed by any party providing a solution (in form
of RGB **state extension**) which is verified by AluVM. Alice,
if she have found the solution, now can **assign** that
previously “floating”/unowned BTC* to an UTXO she controls.
State extensions were introduced into RGB in late 2020 v0.4.
State extensions are different from a normal state transitions
by the fact that they do not have inputs referencing some
previously-owned (i.e. assigned to an UTXO) state, i.e. their
creation doesn’t require creation of a corresponding bitcoin
transaction spending some UTXOs with a state (as it is in case
of a state transitions).
3. To ensure uniqueness of the winner (i.e. prevent
“double-spending” of “free-floating”/unowned BTC* from the
contract global state) Alice is also required (by the contract
conditions defined by Bob in the contract schema) to post some
identifiable information into a mined bitcoin transaction
on-chain (NB: this is not the same as a witness transaction; it
can be any transaction not related to the contract UTXOs in any
way). The transaction must contain a pre-defined signal in a
form known only to the contract participants; for instance some
pre-defined random value stored in OP_RETURN, address, value,
witness, pay-to-contract tweak of some pre-defined pubkey - or
anywhere else. This can re-use a transaction which can be mined
anyway (like a payment that happens in parallel) and can even
avoid additional block space consumption if something like P2C
or tapret commitment is used (though this will require
a pre-knowledge of public keys at the moment of contract
creation). The contract script claims that only the first
party who had made such tx mined wins the game (if two txes are
mined in a block, they may be sorted by their txid or block
position). Because of AluVM, contracts can inspect on-chain
bitcoin state and find the signal.
That’s it! The structure of the contract would be genesis and that
thing called “state extension” - and nothing more. “Normal” RGB
flow (known to those who read about RGB before introduction of
state extensions) with state transitions and witness bitcoin
transactions would start only when Alice would like to spend that
BTC* or to peg out - and at that point of time an RGB state
transition will have to be created, and a corresponding bitcoin
transaction (called “witness transaction”) spending that Alice’s
UTXO, will have to be crafted, signed and mined.
Final notes:
============
Communication medium
--------------------
All communications between Alice and Bob happens wherever they
want - in IRC, mailing list, Nostr, telegram - or using
decentralized networks like LN (with [Storm] on top, which we
deliberately created for that purpose). It would be also possible
for Alice and Bob to use their RGB Nodes which will be
communicating through RGB RPC protocol - there is a lot of ways,
and RGB is fully abstracted from them.
Going fully off-chain
---------------------
The above design can be put fully off-chain if the group of players
may set up a n-of-n or n-of-m multiparty state channel (“channel
factory”).
Question of BTC*
----------------
Regarding BTC* creation, for now we do have at least two designs we
have developed over years:
1) for Lightning channels, which has the same level of
trustlessness as the pure BTC in LN;
2) on-chain "lifting" which is semi-trusted (trustless private
decentralized peg-in and semi-trusted federated peg-out
requiring user+federation multisig but no privacy/history
exposure thanks to zk; such on-chain lifting is still much
better than other alternatives with drivechains or federated
sidechains).
Last, but not least
-------------------
> Is there any documentation or discussion archives that address the
> problem of non-publishable conditional statements seemingly being
> insecure in multiparty protocols, as previously described on this
> list [1] by Ruben Somsen?
As far as I see, Ruben's letter was about different protocol, built
by Lightning Labs after they had studied (since they did plan to
implement) RGB - but they ended up with taking results of many years
of our research and did a successful fundraising of ~80m on it, even
"forgetting" to mention the original authors - until they were
ashamed by the community. Funny enough, even the original name of
their "protocol" was [CMYK].
I have no desire on commenting how they solved (and did they solve)
that - or any other - problem. I expect that they would again try
to take the solution I have described above and do another
fundraising with motto of transforming their product into “smart
contracts on Lightning” :)
Kind regards,
Maxim Orlovsky
CEO (Chief engineering officer)
@ LNP/BP Standards Association,
https://lnp-bp.org
Twitter: @lnp_bp
-----
[1]: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-April/021559.html
[Storm]: https://github.com/Storm-WG
[CMYK]: [https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020208.html](https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020208.html)
Dr Maxim Orlovsky [ARCHIVE] /
npub1a8…rpwgy
2023-06-07 23:20:28
in reply to nevent1q…0qzg
Author Public Key
npub1a80jcetgws9xmu7wnylvekpymw2acym2psjpp03e0chmhq38pc8qwrpwgyPublished at
2023-06-07 23:20:28Event JSON
{
"id": "38cecde95ac08266c6997f225362aad365dd06f082a9168bdc89a160e35e83d0",
"pubkey": "e9df2c6568740a6df3ce993eccd824db95dc136a0c2410be397e2fbb82270e0e",
"created_at": 1686180028,
"kind": 1,
"tags": [
[
"e",
"17c6b88eaabd27d18d00d5fd92c39900bd12338a2c8102c44983686a740531ea",
"",
"root"
],
[
"e",
"64702d0204f928a7358bbe0a9d097df2ff4f9a29bf09eeb9c2ed128122b40d64",
"",
"reply"
],
[
"p",
"e9df2c6568740a6df3ce993eccd824db95dc136a0c2410be397e2fbb82270e0e"
]
],
"content": "📅 Original date posted:2023-04-18\n🗒️ Summary of this message: The email discusses the invalidity of a proposed setup for using RGB with BTC and suggests a new setup involving creating an RGB contract with BTC* and specific conditions.\n📝 Original message:Hi Harding,\n\nThis is the continuation from my previous e-mail [1] addressing the\nlargest and last unanswered question from your reply:\n\n\u003e To give my own example of the problem \u003c… description follows …\u003e\n\nI am not entirely understand your argument or question, even though\nI have spent a lot of time trying to crack it. For me it seems that\nthis is due to different paradigms we are thinking in. Client-side-\nvalidation and work on RGB had required me to dramatically change \nthe way I see distributed systems, bitcoin and other “blockchains” \nand multi-party contracts, thus this may have caused inability to \nspeak in the same terms. For me, the setup you are describing \ndoesn’t make sense at all: there is no reason of doing things with\nRGB that way. I.e, you are suggesting invalid setup - and then \nprove that it is not working :).\n\nI will try first to explain why I think the reasoning you are \nputting into the argument is invalid in the assumptions: nobody \nshould expect that RGB somehow magically makes on-chain BTC (I will \nuse this acronym to distinguish BTC-as-money from bitcoin-as-\nblockchain or tech) more programmable or anyhow better: it is \nimpossible without softfork or a hardfork on _blockchain consensus_ \nlevel. What is possible is to add functionality on top of that; but\nanything additional won’t work for BTC unless it is “lifted” into \nthat new layer. This is true with sidechains, this is true with \nLightning, this is for sure true with RGB. So any setups we are \nanalyzing must analyze such lifted BTC* in RGB as a value, and not\nan on-chain. Next, most forms of contracts do not require a new \ntoken, so I propose not to make setups more complex and start \ndiscussing them without introducing a new tokens unless it is \nreally required.\n\nNow, my setup to cover your case (or at least what I understood \nfrom it) would be the following:\n\n1. Assume we have some BTC lifted to RGB, which we will name BTC*.\n (let’s leave the question on how to do that aside; it can be \n discussed separately).\n\n2. \u003e Bob doesn't believe that there's a number which can be\n multiplied by to produce 4. He's willing to pay a bounty for\n proof that he's wrong.\n\n This part I will take from your letter without changes, however \n will skip the rest about production of some tokens etc, which \n is unnecessary here.\n\n(Please correct me if I am wrong in understanding what you wanted\nto achieve and I will correct it - for instance I can't understand\nwhy we need some Carol(s) at all).\n\nTo fulfill the described setup, Bob have to create a new RGB \ncontract (its **genesis**) featuring BTC* AND providing the \nfollowing conditions (in the contract **schema**, which is a part \nof genesis):\n\n1. The value of BTC* is preserved within the contract not attached\n to any of UTXOs (it has become possible with RGB v0.10 \n introduction of “global state”)\n\n2. BTC* can be reclaimed by any party providing a solution (in form\n of RGB **state extension**) which is verified by AluVM. Alice, \n if she have found the solution, now can **assign** that \n previously “floating”/unowned BTC* to an UTXO she controls. \n\n State extensions were introduced into RGB in late 2020 v0.4.\n State extensions are different from a normal state transitions \n by the fact that they do not have inputs referencing some \n previously-owned (i.e. assigned to an UTXO) state, i.e. their \n creation doesn’t require creation of a corresponding bitcoin \n transaction spending some UTXOs with a state (as it is in case \n of a state transitions).\n\n3. To ensure uniqueness of the winner (i.e. prevent \n “double-spending” of “free-floating”/unowned BTC* from the \n contract global state) Alice is also required (by the contract \n conditions defined by Bob in the contract schema) to post some \n identifiable information into a mined bitcoin transaction\n on-chain (NB: this is not the same as a witness transaction; it \n can be any transaction not related to the contract UTXOs in any \n way). The transaction must contain a pre-defined signal in a \n form known only to the contract participants; for instance some \n pre-defined random value stored in OP_RETURN, address, value, \n witness, pay-to-contract tweak of some pre-defined pubkey - or \n anywhere else. This can re-use a transaction which can be mined\n anyway (like a payment that happens in parallel) and can even\n avoid additional block space consumption if something like P2C\n or tapret commitment is used (though this will require\n a pre-knowledge of public keys at the moment of contract\n creation). The contract script claims that only the first \n party who had made such tx mined wins the game (if two txes are \n mined in a block, they may be sorted by their txid or block \n position). Because of AluVM, contracts can inspect on-chain\n bitcoin state and find the signal.\n\nThat’s it! The structure of the contract would be genesis and that\nthing called “state extension” - and nothing more. “Normal” RGB\nflow (known to those who read about RGB before introduction of \nstate extensions) with state transitions and witness bitcoin \ntransactions would start only when Alice would like to spend that \nBTC* or to peg out - and at that point of time an RGB state \ntransition will have to be created, and a corresponding bitcoin \ntransaction (called “witness transaction”) spending that Alice’s \nUTXO, will have to be crafted, signed and mined. \n\n\nFinal notes:\n============\n\nCommunication medium\n--------------------\n\nAll communications between Alice and Bob happens wherever they \nwant - in IRC, mailing list, Nostr, telegram - or using \ndecentralized networks like LN (with [Storm] on top, which we \ndeliberately created for that purpose). It would be also possible\nfor Alice and Bob to use their RGB Nodes which will be \ncommunicating through RGB RPC protocol - there is a lot of ways,\nand RGB is fully abstracted from them.\n\nGoing fully off-chain\n---------------------\n\nThe above design can be put fully off-chain if the group of players \nmay set up a n-of-n or n-of-m multiparty state channel (“channel \nfactory”).\n\nQuestion of BTC*\n----------------\n\nRegarding BTC* creation, for now we do have at least two designs we \nhave developed over years: \n\n1) for Lightning channels, which has the same level of \n trustlessness as the pure BTC in LN;\n\n2) on-chain \"lifting\" which is semi-trusted (trustless private \n decentralized peg-in and semi-trusted federated peg-out \n requiring user+federation multisig but no privacy/history \n exposure thanks to zk; such on-chain lifting is still much \n better than other alternatives with drivechains or federated \n sidechains).\n\nLast, but not least\n-------------------\n\n\u003e Is there any documentation or discussion archives that address the\n\u003e problem of non-publishable conditional statements seemingly being\n\u003e insecure in multiparty protocols, as previously described on this\n\u003e list [1] by Ruben Somsen? \n\nAs far as I see, Ruben's letter was about different protocol, built\nby Lightning Labs after they had studied (since they did plan to \nimplement) RGB - but they ended up with taking results of many years\nof our research and did a successful fundraising of ~80m on it, even \n\"forgetting\" to mention the original authors - until they were\nashamed by the community. Funny enough, even the original name of \ntheir \"protocol\" was [CMYK].\n\nI have no desire on commenting how they solved (and did they solve) \nthat - or any other - problem. I expect that they would again try \nto take the solution I have described above and do another \nfundraising with motto of transforming their product into “smart \ncontracts on Lightning” :)\n\n\nKind regards,\nMaxim Orlovsky\nCEO (Chief engineering officer)\n@ LNP/BP Standards Association,\nhttps://lnp-bp.org\nTwitter: @lnp_bp\n\n-----\n\n[1]: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-April/021559.html\n[Storm]: https://github.com/Storm-WG\n[CMYK]: [https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020208.html](https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020208.html)",
"sig": "d692042409716a7cadd76be139cbd1e3d100fe1d97d5be52e80e29d31d42b665a3898e6b834b887bf4a4c826726525fabb93dfd6581bf9f7c711d3a1879221b4"
}