(this might be a double post as I ran into the size limit)
Hi Alex,
Thanks for taking a look at things!
> If that's the case, did you look at other mechanisms to commit to a merkle
> root? For example, I believe mainstay[1] uses a
> pay-to-contract/bip175[2]-like scheme to commit sidechain merkle roots to
> p2pkh/p2sh addresses with signature tweaks. Are there other interesting
> (to taro) spend-paths that need to be allowed that led to the taproot
> script tree being particularly helpful?
I considered other approaches, but by relying on the existing taproot
commitment structure/derivation, Taro implementations are able to re-use
surrounding code/libraries, making a core implementation more compact.
Committing into the tapscript tree is also simpler than signature tweaks.
One nice trait about using the tapscript tree is that from a wallet's
perceptive, Taro just wants a particular opaque hash to be included in the
final tapscript tree. As a result, the wallet doesn't need to modify the way
they sign, or do key derivations or anything. In addition, using the
tapscript tree lets us separate the Bitcoin layer from the Taro layer as far
as scripts, and also enables easily verification of any sort of Script
mirroring between the layers that may be required for certain applications.
> This reminds me a lot of single-use-seals[3]. Is that the right way to
> think about what's going on here?
Yes a similar construct is used. I personally don't really like the
single-use-seals terminology, as I find it somewhat obtuse and trying to
bind the mechanics to the analogy/metaphor just makes it harder for people
to understand what's going on.
> If it is, then it looks like a Universe/Multiverse is an
> offload/aggregation mechanism that can keep track of asset lineages on
> behalf of users, which would be useful for light clients of heavily-used
> asset types (so your mobile client doesnt have to traverse the transfer
> lineage of some high-liquidity stablecoin or something).
So the provide a few different types of functionality:
* A way to bootstrap genesis output provenance by maintaining a Universe
which is just the set of asset issuance transactions (the Universe MS-SMT is
keyed by a prevOut at the lowest level). This can be done for several
assets.
* A way to collect+index a more complete view of the set of transfers
related to assets. This can serve the basis for things like a block
explorer for a single or several assets. Since the data structure is
history independent, multiple explorers can publish their root hash which
makes it easy to check that they have the same data, and a bisection
protocol can be used to sync up distinct universe/multiverse instances.
* A way to allow aggregation of transfers tied to a single to level UTXO
chain, which would likely be used in cases like games where the actual
game needs other servers or closed source functionality, but the game
publisher wants the users to be able to prove ownership and also trade in
game asset. This can be maintained by a single party, or a
threshold/federation. The parties can't include invalid state transitions
or proofs (can't forge the proper signature, etc).
> - There's been a lot of talk lately on the bitcoin-dev list about
> covenants, and I wonder if some of those designs (specifically TLUV or
> CTV) might be useful with Taro, to "lift" some of the taro conditions into
> covenants that encumber the underlying bitcoin. I don't have a design or
> anything, wondering if you've given this any thought.
Yep! I described a sketch of something like that using TLVU in my prior
reply to Rubin. At a high level, since Taro affect the tapscript root hash,
which affects the output key, by requiring a certain output key, or swapping
out the leaf elements, a covenant can further bind Taro rules without
needing to explicitly do validation/execution in Bitcoin script itself.
> My first thought was to have the "carrier utxo" for a taro asset be really
> small, like dust + some buffer.
Hmm, can you describe this in more detail? Do you mean an _extra_ UTXO, or
just mapping the Taro conditions as much as possible to the top-level
Bitcoin scripts?
> - was this originally named CMYK?
Maybe ;), a few versions were floating around before I published the current
draft, so some prior artifacts may still be floating around. Will do another
sweep to clean up anything else that was lingering.
-- Laolu