supertestnet / tapleaf-circuits

A proof-of-concept implementation of BitVM for bristol circuits
https://supertestnet.github.io/tapleaf-circuits/
Creative Commons Zero v1.0 Universal

Can storage proofs be implemented using bitvm? #1

Open starius opened 11 months ago

starius commented 11 months ago

Storage proofs are used in some altcoins, e.g. Sia.

The idea is that one participant (renter) uploads data to another participant's server (host). The renter and host lock some funds in a contract. After a predefined period of time, if the host publishes a storage proof on the Sia blockchain, the funds go to the host. Otherwise the host loses his funds (the collateral) as a punishment for failing to provide a storage proof.

A storage proof is a Merkle proof of a random 64-byte segment of the stored data, which is chosen based on the block hash at a certain block height, predefined in the contract.

Can a similar contract be implemented using bitvm? I don't know other ways to implement storage proofs on the Bitcoin blockchain.

supertestnet commented 11 months ago

It certainly sounds possible. The merkle tree of stored bits would be known in advance by both host and client, and the host could send their proof to the client (I don't see why posting it to the blockchain would be necessary). If the proof is wrong the client can slash the host.

starius commented 11 months ago

It is necessary to post the proof on the blockchain, at least in the non-cooperative scenario, to enforce the penalty for the host for not storing the data. Absence of a proof is interpreted as the host losing data. The penalty cannot be done client side, because how can one prove the absence of something?

So, let me define it in a more formal way. A (renter) and B (host) agree on storing some amount of data provided by A for a certain period of time, defined in blocks. A allocates funds to cover payment for storage and B allocates a collateral. There is a certain agreed-upon ratio between payment and collateral, say 1:1. All that money is locked in a smart contract. As time passes, A uploads data to the contract. Each successful upload results in updated balances in the contract and an updated Merkle root. There are 2 outcomes in the contract, each having two outputs: to A and to B:

Both outcomes are updated upon uploading, moving some money from one output to another.

After the storage contract expires, B has a certain time [block height] window to publish a storage proof. Publishing a storage proof unlocks the successful outcome of the contract. Not publishing results in the penalty outcome.

That is more or less how this is done in Sia. (They also burn the collateral in the penalty case, but I think it should be sent to A as compensation for lost data.)

In Bitcoin it could work more or less the same, with the same incentive structure, but the cooperative case might happen without publishing a Merkle proof, similar to cooperative channel closure in the Lightning Network.

supertestnet commented 11 months ago

Good point about proving the absence of something. I suppose the proof needs to be posted somewhere public, but I'd prefer to use a spacechain for that instead of clogging up bitcoin.
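
The storage-proof check discussed in this thread, as an added off-chain example that is not part of the original posts, of tapleaf-circuits, or of Sia's code: a Merkle proof for one 64-byte segment whose index is derived from a block hash. Assumptions: SHA-256 with 0x00/0x01 domain prefixes, a fixed filler leaf to pad the tree to a power of two, and the index rule in `challenge_index`; all function names are hypothetical.

```python
import hashlib

SEGMENT = 64  # segment size named in the thread; the hashing details below are assumptions
PAD = hashlib.sha256(b"\x02").digest()  # assumed filler leaf, pads the tree to a power of two

def _h(prefix: bytes, data: bytes) -> bytes:  # 0x00 = leaf, 0x01 = inner node
    return hashlib.sha256(prefix + data).digest()

def segments(data: bytes) -> list:  # 64-byte segments, last one zero-padded
    return [data[i:i + SEGMENT].ljust(SEGMENT, b"\0") for i in range(0, len(data), SEGMENT)]

def build_levels(segs: list) -> list:
    # levels[0] holds the leaf hashes, levels[-1] holds the single root.
    leaves = [_h(b"\x00", s) for s in segs]
    while len(leaves) & (len(leaves) - 1):
        leaves.append(PAD)
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([_h(b"\x01", cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def challenge_index(block_hash: bytes, n_segments: int) -> int:  # assumed derivation rule
    return int.from_bytes(hashlib.sha256(block_hash).digest(), "big") % n_segments

def prove(levels: list, index: int) -> list:  # host side: sibling hashes, leaf to root
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path

def verify(root: bytes, n_segments: int, block_hash: bytes, segment: bytes, path: list) -> bool:
    # Verifier side: needs only the root and segment count fixed in the contract.
    if n_segments < 1 or len(segment) != SEGMENT or len(path) != (n_segments - 1).bit_length():
        return False
    index = challenge_index(block_hash, n_segments)  # the host cannot pick the segment
    node = _h(b"\x00", segment)
    for sib in path:
        node = _h(b"\x01", sib + node) if index & 1 else _h(b"\x01", node + sib)
        index >>= 1
    return node == root

if __name__ == "__main__":
    data = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(25))  # constructed data
    segs, bh = segments(data), hashlib.sha256(b"constructed block").digest()  # constructed hash
    levels, i = build_levels(segs), challenge_index(bh, len(segs))
    print(i, verify(levels[-1][0], len(segs), bh, segs[i], prove(levels, i)))
```

The verifier recomputes the challenged index itself, so a proof for any other segment, a modified segment, or a shortened path is rejected.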