The proof MUST be considered invalid if the asset amount in its outputs != inputs

rgb-archive / spec

[OLD!] RGB Protocol specifications for Bitcoin-based digital assets

https://rgb-org.github.io/

148 stars 26 forks source link

The proof MUST be considered invalid if the asset amount in its outputs != inputs #89

Closed dr-orlovsky closed 5 years ago

dr-orlovsky commented 5 years ago

Subj.

@giacomozucco do I get it right? If yes, it we need to add this to the spec + proof verification code

petertodd commented 5 years ago

Why?

The equivalent in Bitcoin is blocks are allowed to claim less than the total amount of fees, and that's useful for soft-forks.

On July 10, 2019 3:40:30 PM PDT, "Dr. Maxim Orlovsky" notifications@github.com wrote:

Subj.

@giacomozucco do I get it right? If yes, it we need to add this to the spec + proof verification code

-- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rgb-org/spec/issues/89

dr-orlovsky commented 5 years ago

@petertodd Well, these are different cases. In Bitcoin,

The fees (difference input-output) go to the miners
We can always compute total supply

With RGB,

We have no party to allocate the difference between the input and output — so we have no other options than to "burn" it
The total supply of the asset is specified only in the contract, so if some of the assets will be burned in non-public proofs, nobody will know about the circulating supply. In case of things like publicaly traded corporate shares, it is an issue.

petertodd commented 5 years ago

@dr-orlovsky That all sounds like fair arguments to me.

Maybe worth writing up an explicit "how would we upgrade this?" section in the docs.

inaltoasinistra commented 5 years ago

nobody will know about the circulating supply

In any case the circulating supply is unknown, because private keys and proofs could be lost.

In order to reduce a bit the size of proofs, the unspent assets could be deterministically binded to an output (e.g. the last).

dr-orlovsky commented 5 years ago

Maybe worth writing up an explicit "how would we upgrade this?" section in the docs.

Yes, we already had that idea and certainly need to do it. But there are already a number of opened issues requiring changing some (not clear/incomplete/contradicting) parts of the spec, so we are working on the spec update, which will be complete during this month – and will add this part into it as well.

dr-orlovsky commented 5 years ago

@inaltoasinistra

In any case the circulating supply is unknown, because private keys and proofs could be lost.

Yes, it seems so... But still No 1 applies

In order to reduce a bit the size of proofs, the unspent assets could be deterministically binded to an output (e.g. the last).

It will create more complications and would not help in reducing the size of the proof... Or you mean that the last triplet in the proof need not to list an asset amount and allocate of of the "change"?

inaltoasinistra commented 5 years ago

Or you mean that the last triplet in the proof need not to list an asset amount and allocate of of the "change"?

Yes, I mean that a triplet for each asset type of the proof can be omitted. This should save 40 bytes (plus encoding overhead) for each asset type.

Wallets must validate all the input proofs, them must compute inputs and outputs assets to check validity. With this change the algorithm would compute the last output assets instead of check them. It would be almost the same operations.

On the other hand the upgrade strategy of the protocol could impact on this, as said by Peter Todd.