BitVM:Bitcoin的链下合约
最后更新于
最后更新于
Robin Linus加入了Brink工程师团队,讨论了他的BitVM提案及相关项目。在他的演讲和问答环节中,我们讨论了以下内容:
有状态的比特币脚本
BitVM架构
Tree++语言
BitVM桥梁、锚定进入和锚定退出
限制和未来计划
Robin Linus 00:00
Today, I'm going to talk about BitVM, which is a way to advance bitcoin contracts motivation. Yeah, first of all, we all know blockchain stone scale. Lightning also doesn't quite scale. Of course, it scales like Bitcoin by effect of 10 x or something, but unfortunately not far beyond that. And yeah, we're asking the question, can we scale bitcoin to billions of users at all? And in an ideal world, we would have like 100 x to 1,000 x higher throughput.
今天,我要谈论一下 BitVM,这是推动比特币合约激励的一种方式。首先,我们都知道区块链的扩展性。闪电网络也无法完全扩展。当然,它的扩展性与比特币相似,效果可以达到 10 倍左右,但不幸的是,并没有远远超过这个水平。我们正在提出一个问题,是否能够将比特币扩展到数十亿用户?在理想的情况下,希望吞吐量能够提高 100 倍到 1,000 倍。
Robin Linus 00:34
We would have a free market of L2, like consisting of ZK rollup, side chains, 2nd layer protocols like ZKcoins and stuff like that. And that would enable both rapid innovation and also cheap experimentation. And all of these L2 tools could be interconnected via the Lightning net network. That is like somehow how I would roughly envision an ideal world of scaling bitcoin to billions of users. But unfortunately, we cannot do that because we don't have any bridges that would allow us to bridge BTC into any L2.
我们将拥有一个自由市场的 L2,包括 ZK rollup、侧链、第二层协议如 ZKcoins等等。这将使得快速创新和廉价实验都成为可能。所有这些 L2 工具都可以通过闪电网络相互连接。这大致是我对将比特币扩展到数十亿用户的理想世界的设想。但不幸的是,我们无法实现这一点,因为我们没有任何桥梁能够将比特币桥接到任何 L2。
Robin Linus 01:12
Of course, we can use it on Lightning, but ZK rollup side chains, ZKcoins and stuff like that, they all cannot use BTC currently without, yeah, relying on some federation, on some multi stick merchant in the end. Okay, and BitVM is trying to solve that. BitVM is trying to enable bridges into other systems. And the overview is I'm going to talk about how to introduce state to bitcoin scripts, to have stateful bitcoin scripts. Next, I'm going to talk about the architecture of bitvm. And finally, I'm going to talk about how to enable bridges with the bid VM architecture, Bitcoin script, bitten scripts. Yeah, unfortunately, Satoshi disabled secretly all of the fun op codes, like he discovered a bug in OP_CAT and then, or like in the op eh implementation of our cat and then he got kind of paranoid and disabled essentially all of the one of codes. And what we have been what he left us with is a very reduced version of Bitcoin script and it's reduced to the bare minimum.
当然,我们可以在闪电网络上使用它,但是 ZK rollup、侧链、ZKcoins等等,它们目前都无法在没有依赖某个联邦、某个多方商家的情况下使用 BTC。BitVM 就是在尝试解决这个问题。BitVM 尝试着建立桥梁,与其他系统进行连接。概述一下,我将讨论如何向比特币脚本引入状态,实现有状态的比特币脚本。接下来,我将讨论 BitVM 的架构。最后,我将讨论如何使用 BitVM 架构启用桥梁,涉及比特币脚本。不幸的是,中本聪秘密禁用了所有有趣的操作码,就好像他发现了 OP_CAT 中的一个错误,或者在 OP_CAT 的实现中发现了一个错误,然后他变得有点偏执,实际上禁用了几乎所有的操作码。他留给我们的是一个大大简化过的比特币脚本,被简化到了最基本的程度。
Robin Linus 02:25
And it looks like as if we cannot do anything really. Interesting with it beyond the basic stuff that we know, which is like signatures, multi signatures, hash locks and time locks. But there are some op codes left and they're actually enough to do all kinds of interesting stuff as it turns out. Also, scripts can be up to form for megabyte in size. So even if it's verbose, like even if we have to compose things out of very limited of codes, in theory, we can express quite a few things within theoretically 4 megabyte large script. And since it is so interesting to play with that stuff, somehow in official community of Bitcoin script code golf has evolved and I'm part of that and part of that Bittranscript code golfing or as part of Bittranscript code golfing.
看起来好像我们真的不能在它上面做太多有趣的事情,除了我们已经了解的基本内容,比如签名、多重签名、哈希锁和时间锁。但是,还有一些操作码是留下来的,实际上它们足以完成各种有趣的事情。此外,脚本的大小可以达到 4 兆字节。因此,即使它很冗长,即使我们必须用非常有限的代码来组合事物。在理论上,我们可以在 4 兆字节的脚本中表达相当多的东西。由于与这些东西玩耍非常有趣,比特币脚本的官方社区中不知何故出现了代码高尔夫(代码越短越好),并且我是其中的一部分,也是 bitcoin script代码高尔夫的一部分。
Robin Linus 03:30
The ideas behind bitvm arose in particular stateful bitcoin scripts because currently bitcoin script is completely stateless. So when you execute a bitcoin script, it's execution environment resets after every script. Like there is no native way to have, let's say, a value x that is the same in script 1 as it is in script 2. Bittranscript doesn't really support that natively. However, we can hack around that. And the general idea behind it is if we could just sign a value somehow.
BitVM 的理念主要是由有状态的比特币脚本引起的,因为当前比特币脚本是完全无状态的。因此,当执行比特币脚本时,其执行环境在每个脚本之后都会重置。例如,在脚本1和脚本2中拥有相同值x的本地方式是不存在的。bitcoin script并不原生支持这一点。然而,我们可以通过一些技巧来绕过这个问题。总体的想法是,如果我们能够以某种方式对一个值进行签名。
Robin Linus 04:11
If we could create a signature for a value, then that would be already enough to introduce stateful Bitcoin scripts. Because yeah, we could enforce the same value for X in script 1 and in script 2. And we can simply do that by, yeah, checking the signature for script, for the value x in both scripts. And when the person who claims what the value is, or like the, yeah, the person who determines the value, if they're equivocate and sign to conflicting values for X, then we can punish them because we can easily prove that here's a signature that signs two different values for the same variable x. And that is the general idea behind it.
如果我们能够为一个值创建一个签名,那么这就足以引入有状态的比特币脚本。因为我们可以强制在脚本1和脚本2中使用相同的值X。我们只需通过在两个脚本中检查值X的签名来实现这一点。当声称某个值的人,或者说确定值的人,如果他们在值X上签署了相互冲突的签名,那么我们可以惩罚他们,因为我们可以轻松证明这里有一个签名,为同一个变量X签署了两个不同的值。这就是这背后的基本思想。
Robin Linus 05:03
However, how can we sign a value in Bittranscript? Because we don't have check signature from stack and there is not really a native way in Bitcoin script to sign a value. However, there are Lemper signatures. And Lemper signatures, they're very simple. And since they're very simple and they require only hash functions, they're possible in Bitcoin script.
然而,在 bitcoin script中,我们如何为一个值签名呢?因为我们没有来自堆栈的检查签名,而在比特币脚本中没有真正的原生方式来为一个值签名。但是,有 Lamport一次性签名。Lamport一次性签名非常简单。由于它们非常简单且只需要哈希函数,它们在比特币脚本中是可行的。
Robin Linus 05:31
Lampert signatures are a quite simple concept. It's just for every bit of the message, you have two different hashes, hash 0 and hash 1. And if you want to sign a 0 bit, you'll reveal the pre image of hash 1, sorry, the pre image of hash 0. And if you want to us to sign one bit, then you review the pre image of hash 1. And just by revealing one of these two pre images, you can create a signature.Lamport一次性签名是一个相当简单的概念。对于消息的每一位,你有两个不同的哈希,hash 0 和 hash 1。如果你想签署一个 0 位,你会透露 hash 0 的原像。如果你想签署一个 1 位,那么你会透露 hash 1 的原像。通过揭示这两个原像中的一个,你就可以创建一个签名。
Robin Linus 06:03
The main drawback is, of course, it's quite large because for every bit in your message, you need to commit to two hashes and to unlock it, you need to reveal one of the pre images. So if you have like 32 bits, then you need 64 hashes and 32 pre images to unlock it. But it's still possible and we can easily, or we can just use it to sign stuff like the bytes, a 4 byte value or even eh, you hundred sixty. So a 20 by value we can also sign a 20 by value that is still feasible in Bitcoin script even though it's a bit clunky and it's large, it does enable signatures for values and that's why Lampert signatures also enable stateful Bitcoin scripts. And that in and itself is already quite big because stateful bittranscripts enable all kinds of interesting new features. Here's a little example of how that would look like in bitcoin script. Like the unlocking script would be just some pre image. And then in the first line it gets hashed and then we do duplicate it twice.
主要的缺点签名数据非常大,因为对于消息中的每一位,你需要承诺两个哈希,要解锁它,你需要揭示其中一个原像。所以如果你有像32位这样的消息,那么你就需要64个哈希和32个原像来解锁它。但这仍然是可能的,我们可以轻松地使用它来签署诸如4字节值或甚至160字节值之类的内容。因此,即使在比特币脚本中它有点臃肿且庞大,它仍然可以用来签署20字节值,这是可行的。尽管它有点笨拙且庞大,但它确实为值提供了签名的可能性,这就是为什么Lamport一次性签名也能够实现有状态的比特币脚本的原因。而这本身已经相当重要,因为有状态的比特币脚本使得各种有趣的新特性变得可能。以下是比特币脚本中这个过程的一个简单示例。解锁脚本只是一些原像。然后,在第一行中,它被哈希,然后我们将其复制两次。
Robin Linus 07:21
Or like we just duplicate it to have it two times and then we compare it to the first hash and then we compare to the second hash, and then we check if it was equal to one of them. And we pushed the bits on the stack to which one it was equal. So either it was equal to hash 1 or it was equal to h 0. And depending to what it was equal after that script was executed, we either have 0 or we have one on the stack. So that is a way to, or like the most simple way to sign a simple one bit value.
或者我们只是将其复制一次,使其变为两个,然后我们将其与第一个哈希值进行比较,再与第二个哈希值进行比较,然后检查它是否等于其中之一。我们将比特推送到栈上,以指示它等于哪一个。所以它要么等于 hash 1,要么等于 hash 0。在执行完该脚本后,根据它等于哪个值,我们在栈上要么有0,要么有1。这是一种签署一个简单的一位值的最简单方式。
Robin Linus 08:00
And if we wanna have more bits, we can essentially just copy paste this script 160 times for a 160 bit value. For example. Oh, in general, please ask questions if I'm going to faster. So I'm so deep into the weeds. I've been working on that stuff for like three months straight and I'm very deep into the weeds and I'm not quite sure I if it makes sense what I'm saying.
如果我们想要更多的位,我们可以简单地将这个脚本复制粘贴160次,用于160位值。总的来说,请随时提问,如果我说得太快了。我深陷其中,一直在处理这些东西,已经有三个月了,我深陷其中,我不太确定我说的是否有意义。
Robin Linus 08:28
So if you have any question, just don't hesitate to ask BitVM, the paradigm, I kind of overloaded the term BitVM. It is multiple things. It's like the paradigm and it's also the actual implementation. And in the white paper that I published, I mostly describe the paradigm. And here for the introduction, I'm giving a high level overview of the Bitby and paradigm. First of all, yeah, the bitbm tries to keep things off chain.
如果你有任何问题,随时提问。BitVM 这个术语有点被我混淆了。它有多重含义。它既是一种范式,又是实际的实现。在我发布的白皮书中,我主要描述了这个范式。在这里,我正在为 BitVM和范式进行高层次的概述。首先,是的,BitVM 试图将交易保持在链下。
Robin Linus 09:02
This is similar to Lightning that you just have some kind of contract that allows you to use the chain as a court when you have a dispute. But most of the time, you will not have a dispute. And the fact that you have, the court sets the incentives such that you probably will not have to use it, just like in real life, like most people get along with each other because, or like most businesses get along with each other because they know if they cheat each other, then there will be some legal consequences. And that's why everyone complies with the rules that we set up.
这与闪电网络类似,你只需要一种合约,该合约允许你在发生争端时使用链作为法庭。但大多数情况下,你不会发生争端。事实上,法庭设置激励措施,以便你可能不必使用它,就像在现实生活中一样,大多数人之间相处融洽,因为他们知道如果彼此欺骗,就会有一些法律后果。这就是为什么每个人都遵守我们设定的规则的原因。
Robin Linus 09:42
And yeah, in a very similar fashion between m operates, it operates in a two party setting. There's always a prover and a verifier. Unfortunately, we can hardly get around that. But we can make it better such that we can expand it to a multi party setting, such as a single approver and verify us and all of them can challenge the approval at once. So like they can play the challenge response game in parallel against approval.
在非常类似的情况下,BitVM 在一个双方设置中运作。总是有一个证明者和一个验证者。不幸的是,我们几乎无法绕过这一点。但我们可以改进它,使得我们能够将其扩展到多方设置,例如单一证明者和验证者,所有他们可以同时对批准进行挑战。因此,他们可以并行地进行挑战响应游戏来反对批准。
Robin Linus 10:13
And that has nice features because of only a single verifier is honest, then the security guarantees hold. But I will talk about that later more. For now, we will just say the BitVM paradigm in its pure setting lines, most simple setting, it's always using the proven verifier roles and there's two parties. Yeah, in general, we're using optimistic computation. That means we're not trying to execute all of the computation on chain.
这具有良好的特性,因为只要有一个验证者是诚实的,那么安全性保证就成立。但我稍后会更详细地谈论这一点。目前,我们只会在 BitVM 范式的最简单设置中讨论,它总是使用证明者和验证者的角色,有两方参与。总体而言,我们使用的是乐观计算。这意味着我们不试图在链上执行所有的计算。
Robin Linus 10:45
We're doing quite the opposite. We're trying to minimize the amount of computation that we have to execute on chain.
我们正好相反。我们试图最小化在链上执行的计算量。
Robin Linus 10:51
And we're doing that by trying or like by disproving a faulty result instead of computing right result that is much easier. Like the verifier, just ask the prover for the end state, for the final say, for the result of the computation. And if that result is incorrect, then the verifier tries to find the most succinct way to disprove that incorrect result. And in general, that is much easier than the verifier computing the right result. I'm saying that is also kind of intuitive because for example, if I tell you, let's say, 100300 e equals 7, then you can easily say that 7 cannot be right because it's it is way too small. 我
们通过尝试或者说通过证伪错误的结果而不是计算正确的结果来实现这一点,这要简单得多。比如,验证者只需向证明者询问最终状态,即计算的结果。如果结果不正确,那么验证者会尽量寻找证伪错误结果的最简洁方法。总的来说,这比验证者计算正确结果要容易得多。这也是直觉上的一种理解,例如,如果我告诉你,比如说,100300 等于7,那么你可以轻松地说 7 不可能是正确的,因为它太小了。
Robin Linus 11:49
So without even computing the actual result, you can immediately tell the result that I just said 7 must be wrong because it's way too small. And that is like in general or like that there, there are many such often in computation, it's much easier to disprove an incorrect result than it is to compute the correct result. Another example is, for example, square roots, like the, to compute the square root of a number, you have to execute it quite complete complicated algorithm relatively in comparison to multiplication, for example. And the but proving or like verifying a result, like if you give me a square root, I just have to multiply it with itself to see if it's the correct result, which is much easier. That's another example of why, or like, it's another example for the fact that verification is often much cheaper than execution.
因此,甚至在计算实际结果之前,你就能立即判断我刚才说的结果 7 必定是错误的,因为它太小了。总的来说,在计算中,通常证伪一个错误的结果要比计算正确的结果容易得多。另一个例子是,例如,平方根,计算一个数字的平方根相对于乘法来说,需要执行相当复杂的算法。但是证明或者验证一个结果,如果你给我一个平方根,我只需将它与自己相乘,就能看出它是否是正确的结果,这要容易得多。这是为什么验证通常比执行要便宜得多的另一个例子。
Robin Linus 12:51
And yeah, we have developed a tiny domain specific language that we call Tree++. That is kinda, it's a language built upon Bitcoin script and that enhances the capabilities of Bittranscript. And now I'm going to them give a short overview about what Tree++ is. Most of all, it's a templating link language for script. Since script is so limited, we often have to do like, we often have to copy paste a lot of things. 我们开发了一种我们称之为 Tree++ 的微型领域特定语言。它是一种基于比特币脚本构建的语言,增强了 Bitcoin script 的功能。现在我将简要介绍一下 Tree++ 是什么。首先,它是一种用于脚本的模板化语言。由于脚本的限制,我们经常不得不进行复制和粘贴。
Robin Linus 13:28
And yeah, we, in general, it is very handy to be able to evaluate constant expressions such that, for example, I can write something like 2 to the power 5 or some binary number or something. That is the most basic thing that you can do. But you can also unroll loops. For example, if you have to do something 32 times or so, you can just write a simple loop that unrolls this template with particular parameters. You can compose functions and composing function allows you to compose functions and yeah, compose them into bigger function and bigger functions. In this way, you can manage a lot of complexity in relatively simple compositions. And using this templating language, we implemented some basic op calls that we call composite of codes.
总的来说,能够评估常量表达式非常方便,例如,我可以写类似于2的5次方或一些二进制数之类的东西。这是你可以做的最基本的事情。但你也可以展开循环。例如,如果你需要做某事32次,你可以编写一个简单的循环,展开带有特定参数的模板。你可以组合函数,组合函数允许你将函数组合成更大的函数和更大的函数。通过这种方式,你可以在相对简单的组合中管理许多复杂性。利用这个模板语言,我们实现了一些基本的操作码,我们称之为组合操作码。
Robin Linus 14:33
And it's, yeah, for example, bit wise XR or bit wise shifts multiplication. And it goes even to us implementing Blake 3. Some people wondered, why do we implement like 3 that there are already hash functions in Bitconscript, but why do we re implement something like 3? The reason is that we don't have OP_CAT. Like we cannot concatenate bytes in bittranscript.
这包括一些位运算操作,如按位异或、按位移位和乘法。我们甚至实现了哈希函数Blake3。有些人想知道,为什么我们要实现 哈希函数Blake3,因为 Bitcoin script 中已经有哈希函数了,但为什么我们要重新实现哈希函数Blake3?原因是我们没有 OP_CAT,即我们无法在 Bitcoin script 中连接字节。
Robin Linus 14:58
And that means we cannot verify Merkel proof. Because for Michael inclusion proofs, you have to hash the path and to hash the path you always have to concatenate two nodes with each other to then hash them to get the next node. And unfortunately, that's not possible in Bittranscript currently since we do not have a cat or something similar. And that's why we had to implement our own hashing function. And then we can do it on like on the byte level.
这意味着我们无法验证 Merkle 证明。因为对于 Merkle 包含证明,你必须对路径进行哈希,而要对路径进行哈希,你总是需要将两个节点连接在一起,然后对它们进行哈希以获取下一个节点。不幸的是,目前在 Bitcoin script 中这是不可能的,因为我们没有 OP_CAT 或类似的东西。这就是为什么我们不得不实现自己的哈希函数。然后我们可以在字节级别上进行操作。
Robin Linus 15:30
Yeah, we're representing large bytestrings, just like a single bytes on the stack. So 20 bytes would be 20 stack items, not a single stack item of 20 bytes, but like 20 single sec items.
我们将大的字节串表示为栈上的单个字节。所以20字节将是20个栈项,而不是一个20字节的单个栈项。
Robin Linus 15:45
And this way, yeah, we can concatenate them and then we can, yeah, do everything with them, what we can think of or what we're used to from like regular computers. And yeah, that's allowed us to implement highly complex stuff such as Blake 3 in the end. And this language Tree++, we're use, we're using it to implement BitVM.
通过这种方式,可以将它们连接起来,然后可以做我们能想到的或者我们从常规计算机上习惯的一切。这使得我们能够实现高度复杂的东西,比如最终的 Blake3。而这个 Tree++ 语言,我们使用它来实现 BitVM。
Robin Linus 16:15
Oh yeah, Tree++ also that's where the name comes from. It usually contains many tab trees. So it's more than just writing a single script. It's also a language to write like graphs of transactions, which have scripts that are connected with each other. And yes, they're potentially large. For example, the Blake 3 is script is quite large. It contains of I think about 100,000 of codes or so.
Tree++ 也正是这个名字的由来。它通常包含许多标签树。因此,它不仅仅是编写一个单一的脚本,还是一种编写与其他脚本连接在一起的交易图的语言。是的,它们可能很大。例如,Blake 3 的脚本相当大,包含了大约 10 万条代码左右。
Robin Linus 16:43
But yeah, they don't have to be large to that, but they're potentially large. Yeah, and we're using Tree++ to implement bitvm. And here I'm talking about not bitvm the paradigm, I'm talking about bitvm, the actual virtual machine for Bitcoin, which is kind of similar to the E e theorem virtual machine, but it is way more limited and it's like an Ethereum. They, I have designed the entire chain to support this. Yeah, this sophisticated virtual machine.
但是,它们不一定要很大,但它们有可能很大。是的,我们使用 Tree++ 来实现 BitVM。在这里,我谈论的不是 BitVM 这个范式,而是实际用于比特币的 BitVM 虚拟机,它与以太坊的 EVM 虚拟机有些相似,但它更为有限,就像是一个以太坊的翻版。我已经设计整个链来支持这个复杂的虚拟机。
Robin Linus 17:19
In Bitcoin, we totally don't have that. It's the exact opposite, actually. Bitcoin is stumped down such that it doesn't support all these things. So what bitvm actually is a huge pile of tricks or a pile of hacks that hacks something like EVM into Bitcoin without changing its consensus rules.
在比特币中,我们完全没有这个。实际上,情况正好相反。比特币被限制得不支持所有这些功能。因此,BitVM 实际上是一堆巧妙的技巧或一堆黑客技巧,将类似 EVM 的东西嵌入比特币,而不改变其共识规则。
Robin Linus 17:40
Yeah, the main idea behind it is that Tree++ is nice, but we don't want everyone to have to handcraft and hand optimize low level bitcoin scripts for every application that they do. Because yeah, handcrafting these scripts is super, it's complex and it's arrow prone and it's expensive. It's an expensive process. It takes a lot of time. So a much nicer e idea would be to build a generic B virtual machine, which has like a nice instruction set.
主要思想是 Tree++ 很好,但我们不希望每个人都必须为他们做的每个应用手工制作和手动优化低级比特币脚本。因为手工制作这些脚本非常复杂,容易出错,而且昂贵。这是一个昂贵的过程。它需要很多时间。因此,一个更好的想法是构建一个通用的比特币虚拟机,它有一个良好的指令集。
Robin Linus 18:13
And then people can just use some high level language that compiles down to that instruction set and collected compiles down to instructions of that set. And then they can use nice high angle languages such as rust or something to write their applications. And we just have a single tab 3 circuit that, yeah, all the low levels of deaths can focus on. And we build this s circuit only once and then everybody can use it for any kind of application. And yeah, this VM, this circuits in particular, they're designed to succinctly disprove any faulty result of that virtual machine.
然后,人们可以使用一些高级语言,将其编译成该指令集的指令。然后,他们可以使用像 Rust 等高级语言来编写他们的应用程序。我们只需要一个单一的标签树电路,所有的低级细节都可以专注于它。我们只需构建这个电路一次,然后每个人都可以用它来实现任何类型的应用程序。而且,这个虚拟机,特别是这个电路,它们被设计成能够简明地证伪该虚拟机的任何错误结果。
Robin Linus 18:59
That is also a cool thing because in general, it's not easy to, like for general computation, it's not easy to structure. It's such that it's easy to disprove any faulty result.
这也是一个很酷的事情,因为总的来说,对于一般的计算,要设计得容易证伪任何错误的结果并不容易。
Robin Linus 19:12
You usually have to craft the circuits such that it has very narrow positions. And in these narrow positions, you can do queries and then you can do like a binary search over these narrow positions. But if the circuit doesn't have these narrow positions, then it's very hard.
通常,你必须精心设计电路,使其具有非常狭窄的位置。在这些狭窄的位置上,你可以进行查询,然后可以在这些狭窄的位置上进行二分查找。但是如果电路没有这些狭窄的位置,那就很难做到。
Robin Linus 19:28
And yeah, by building a generic VM, we have that problem only once. And then we solve it once for every application. And yeah, ideally we would have something like a risk 5 architecture, such, yeah, that we can use existing tooling to compile down to our architecture. And that's exactly what we're doing here. Like rough specs of what we're implementing. Currently we're implementing the basic instruction set of risk 5, the 32 bit instruction set of course. And that can then act as a comply target for us. GCC, LVM, and like all the things, all the compilers that you know enough and you can use all of your existing C++ and rust and whatever libraries.
通过构建一个通用的虚拟机,我们只需要解决一次这个问题。然后,我们为每个应用程序解决一次。理想情况下,我们希望有类似于 RISC-V 架构的东西,这样我们就可以使用现有的工具来编译到我们的架构。这正是我们正在做的事情。我们正在实现的是粗略的规格。目前我们正在实现 RISC-V 的基本指令集,当然是32位指令集。然后它可以作为我们的编译目标,可以使用 GCC、LVM 和所有你知道的编译器,你可以使用所有你现有的 C++、Rust 和其他库。
Robin Linus 20:22
And in particular, you can use existing stock and Slack verifier libraries. And yeah, then just compile them to the VM and run them in a bit here, a bit more detailed specs.
你可以使用现有的栈和验证库。然后,只需将它们编译到 VM 并在其中运行,稍后会更详细地介绍规格。
Robin Linus 20:36
The BM as we build it currently can run for 2 to the power of 32, so roughly 4 billion steps. It has 4 billion memory cells or 4 bytes each, which results in about 17 gigabytes of memory in the worst case, you would have about 40 rounds of challenge in response. The, in the worst case, the court case would run for about half a year. Every party would have to submit one, 1 transaction per week, approximately. And yeah, then in good one for about half a year in the absolute worst case. In total, you would have to write about 150 kilobytes of script over that half of year. And what's important to notice is that this worst case is heavily disincentivized.
目前我们正在构建的 BitVM 可以运行 2^32,大约 40 亿步。它有 40 亿个内存单元,每个单元 4 字节,最坏情况下会占用约 17GB 内存,挑战响应可能有大约 40 轮。最坏情况下,挑战可能会运行大约半年。每一方大约每周需要提交一个交易。在最糟糕的情况下,总共半年时间,你可能需要编写约 150 千字节的脚本。重要的是要注意,这种最坏情况是严重激励不足的。
Robin Linus 21:44
And also, once you start the trial, it is already certain who will win and who will lose. So there is no incentive really for an attacker to start this trial because they know in advance that they will lose, they will pay the fees. I think there was a question. Yes, Fabian.
并且一旦开始审判,谁会赢谁会输已经是确定的。因此,攻击者真的没有动力开始这个审判,因为他们事先知道他们会输,他们会支付费用。我认为有一个问题。
Speaker 2 22:03
Yeah, I was like, I already thought of that because before you said that. So like, how was like complex scripts, how do you actually verify that the worst case holds like that you, there cannot be a state or like the, yeah, the program can run to state where you would need 41 rounds of change and.
我已经考虑过那个因为在你说之前。那么,对于复杂脚本,你是如何实际验证最坏情况的,确保没有状态,或者说程序不能运行到需要41轮挑战和响应的状态呢?
Robin Linus 22:28
Response. Oh, that is quite easy because you just limit the trace size to like 4 billion. And if the program would run for more than 4 billion steps, then it's already wrong that that would be the result would be wrong. You can just say the program has lost. If the program doesn't terminate within any 4 million steps. Okay, yeah, make sense?
回应。 这相当容易,因为你只需将trace大小限制在大约40亿。如果程序运行超过40亿步,那么它已经是错误的,结果将是错误的。如果程序在任何4百万步内没有终止,你可以说程序已失败。好的,有道理吗?
Robin Linus 23:02
And we think like for all practical purposes, the 4 billion steps will probably be way more than you need. Also, you can reset the VM off chain in a fashion similar to how lightning channels work. So you can just, when you agree on a particular computation, you can just reset the VM and just change the program and then you can use it for something else. The only limitation here is that it has to fit in these 4 billion steps.
而且我们认为,对于所有实际目的,这40亿步可能会远远超过你的需求。此外,你可以以类似闪电通道的方式离线重置虚拟机。因此,当你就某个计算达成一致时,你可以重置虚拟机,改变程序,然后将其用于其他用途。唯一的限制是它必须适应这40亿步。
Robin Linus 23:37
Yeah, the worst case likely never happens in any reward applications. The system would have to break that it would make sense for anyone to ever execute the worst case. And also, like, as an honest participant, you're always happy if somebody makes, opens a trial against you, even if you're un innocent because yeah, you will profit from it. You they will pay your fees and they will pay like a little bounty on top of it. So if you're honest, you're happy if somebody challenges you for no reason.
最坏情况很可能在任何奖励应用中都不会发生。系统必须崩溃,才有可能有人执行最坏情况。而且,作为一个诚实的参与者,即使你是无辜的,如果有人对你提出质疑,你总是很高兴,因为你会从中获利。他们会支付你的费用,并在其上支付一些赏金。所以如果你是诚实的,你会很高兴如果有人无故挑战你。
Robin Linus 24:13
Here is a rough overview of how that transaction graph looks like. Unfortunately, I cannot really zoom in here. I try to figure out how that works, but it doesn't really. You can have a high resolution version of the graph here at github.comslashbvmslashbvmslashdocs if you're interested. Just to give you a very rough overview here, the first part, or like there are three main parts of it here. The first part is the trace, the second part is the instruction, and the third part is essentially the memory. And what you do here in the first part is you do a binary search over the trace of the VM. The trace means that's the, at every step of the VM, you can mercalize the memory and then you get a root of them. You get a marker root of the memory. Somebody asked a question. Yeah, cool.
这是交易图看起来的一个粗略概述。我尝试弄清楚它的工作原理,但实际上并没有成功。如果你感兴趣,你可以在github.com/bvm/bvm/docs找到图表的高分辨率版本。为了给你一个非常粗略的概述,在这里有三个主要部分。第一部分是跟踪,第二部分是指令,第三部分本质上是内存。 在第一部分中,你对虚拟机的跟踪进行二进制搜索。跟踪意味着在虚拟机的每一步,你都可以对内存进行Merkle化,然后得到一个它们的根。你获得内存的一个标记根。
Robin Linus 25:37
I think Gloria just posted the version 1 of the graph. There is also a version 2. Then what I'm showing here is, yeah, I confuse you, Gloria. Sorry. Yeah, what I'm showing here is version 2 and version 1 is almost the same, but slightly different.
我想Gloria刚刚发布了图的第1版本。还有第2版本。那么我在这里展示的是,是的,我弄混了,Gloria。抱歉。是的,我在这里展示的是第2版本,而第1版本几乎相同,但略有不同。
Robin Linus 25:58
Yeah, like the first part is binary search over the trace. The trace is essentially just a list of mercury routes and every marker root represents the memory after executing a particular step. So for potentially for every step, you have a merger route of train on chain, you need at most lock trace them many merchant routes. So if your trace has two, 4 billion steps, then you need at most 30 too many trace rules that you have to commit to in the chain.
就像第一部分是对跟踪进行二分法搜索。跟踪本质上只是一个Merkle路由表,每个标记根代表执行特定步骤后的内存状态。因此,对于每一步,你都有一个链上的Merkle路由,你最多需要锁定跟踪个数的Merkle路由。所以如果你的跟踪有40亿步,那么你最多需要在链上提交30个Merkle路由。
Robin Linus 26:38
And yeah, the process is actually quite simple. The Hoover, they commit to a particular 2 particular state node. And then the verifier just responds with a single bit saying if they think the root was correct or incorrect. And then if it's, if it was correct, then the binary search continues in the lower half of the trace. If it was incorrect, the binary search continues in the upper half of the trace. And the interesting thing here is that they really just exchanged the signal just for values like the approver signs 160 bits, the verifier signs one bit, then the approver signs again 1 hundred sixty bits, then the verifier 1 bit and so on, always 161 bit and so on until step 32. And after step 32, the approval has revealed 32 roots and the verifier has revealed 32 bits. And these 32 bits, if you put them together in a 32 bit number, then interestingly they represent exactly the index of the last correct route. That is just by how the verifier chooses the bits. They just choose the bits to be 0 or 1, depending if they think it's correct or incorrect. And that implies just very implicitly, it's nowhere explicit in the scripts, it's completely implicit that the, when you put these bits all together and interpret them as a 32 bit number, then you get the index of the last correct state node. And that means that index plus 1 must be the first incorrect state node.
实际上这个过程非常简单。证明者,他们承诺一个特定的两个特定状态节点。然后验证者只需用一个比特响应,表明他们认为根是正确还是错误的。如果是正确的,那么二进制搜索将继续在跟踪的下半部分进行。如果是错误的,二进制搜索将在跟踪的上半部分继续。他们真的只是为值交换信号,就像证明者签署160位,验证者签署1位,然后证明者再次签署160位,验证者签署1位,依此类推,总是160位/1位等等,直到第32步。在第32步之后,证明者已经揭示了32个根,验证者揭示了32个比特。而这32个比特,如果将它们组合成一个32位的数字,有趣的是它们恰好代表了最后一个正确根的索引。这仅仅是验证者如何选择比特的方式。他们只选择比特为0或1,取决于他们认为是正确还是错误的。这就非常隐含地暗示了,虽然在脚本中没有明确表示,但完全是隐含的,当你将所有这些比特放在一起,并将它们解释为一个32位的数字时,你得到的是最后一个正确状态节点的索引。这意味着索引加1必须是第一个错误状态节点。
Robin Linus 28:32
And this is how you implicitly find out which or like how the verifier defines what they think was the last correct state note. And once they have defined what the last correct state notice, they have automatically define a faulty state transition because they know a route for which they know correct route that is followed by an incorrect route. And that means they just have to prove that the instruction following from the correct state into the incorrect state, that this one single instruction was executed incorrectly.
这就是你隐式找出验证者如何定义他们认为的最后一个正确状态节点的方式。一旦他们定义了最后一个正确状态节点,他们就自动地定义了一个有问题的状态转换,因为他们知道一条根,知道正确的根,后面跟着一条不正确的根。这意味着他们只需要证明从正确状态到不正确状态的指令中,这一条指令被执行错误。
Robin Linus 29:10
And that is a very important concept here that we just have to execute a single instruction. We can run the VM for a billion. We can execute a billion instructions. But on Shane, to disprove a faulty result, we just have to disprove a single step. And yeah, the entire first part is just to find the faulty step. And then the second part is that the verifier, they have found it and then they ask the prover to reveal that instruction. That's that they just showed. And then after they have reviewed that instruction, the verifier can disprove it because something has to be wrong about it. And there cannot be many things wrong about it. The first branches here on the left, that would be that in general, in every instruction has like the form operant a, operation operant B result. So something like a plus b equals C, for example, that could be an operation if you would use the ad op code. Then a simple, the most simple thing you can think of, the most simple op code you can think of is addition and then you have just a plus B equal C. So and what can happen here is that first of all, they could have read the value a incorrectly. And this is proven by this path here.
这是一个非常重要的概念,我们只需执行一条指令。我们可以运行虚拟机十亿次,执行十亿条指令。但是在链上,为了证明有问题的结果,我们只需证明一步。整个第一部分就是为了找出有问题的步骤。然后第二部分是验证者找到了有问题的步骤,然后他们要求证明者揭示那条指令。就是他们刚刚展示的。在他们揭示了那条指令之后,验证者可以证明它是错误的,因为它肯定有问题。而且它不可能有很多问题。左侧的第一个分支通常是每个指令都有的形式,像是操作数A,操作,操作数B,结果。例如,如果使用了加法操作码(add opcode),那么a加b等于c,这可能是一种操作。所以最简单的操作码可能就是加法,然后你就有a加b等于c。在这里可能发生的一件事是,首先,他们可能错误地读取了值a。这由这个路径证明。
Robin Linus 30:37
If you got this route here, the most left route, you disprove the value a. It means the prover has committed to an incorrect value a. It is not at the position where they claimed. Like they are saying at address a, there is value a, but the verifier knows exactly how the Merkl tree looks at the correct state. So they can say, no, that's incorrect. There is not value at the address. And this is how they prove it with this path.
如果你得到了这条路径,即最左边的路径,你就证明了值a。这意味着证明者已经承诺了一个不正确的值a。它并不在他们声称的位置。他们说在地址a上有值a,但验证者确切地知道在正确的状态下Merkle树的样子。所以他们可以说那不正确。在该地址上没有值。这就是他们用这条路径证明的方式。
Robin Linus 31:08
The second path is to disprove the second upper run that would be value B. And the third one is to disprove the result that would be, yeah, the value c was written incorrectly into the memory. And the other branches, they're just like the 4th branch with like the little. Do you even see my mouse? I think you don't see my mouse, right? Can we see it? As you can see? Yep. Okay.
第二条路径是证明第二个上方运行即值B是错误的。第三个路径是证明结果即值c被错误地写入了内存。其他的分支,就像第四个分支,有点小。你能看到我的鼠标吗?我想你看不到我的鼠标,对吗?我们能看到吗?你能看到吗?好的。
Robin Linus 31:38
Yeah, here, the first branch that's allows you to disprove the program itself. So that would be the proof I executed an incorrect instruction at the current program counter. There is not that instruction that there were the approval just claimed. So essentially here is the entire program encoded. And to change the program, we would just have to change this route here. Everything else can stay the same. Here is the only part where the actual program is committed to.
在这里,第一个分支允许你证明程序本身是错误的。这将是证明我在当前程序计数器处执行了错误指令的证明。那里没有证明者声称的那个指令。所以在这里,整个程序被编码了。要更改程序,只需更改这个路径。其他一切都可以保持不变。这是唯一实际承诺程序的部分。
Robin Linus 32:16
Yeah, and here, these other two branches, they're just to disprove the program counter. I know this is super complex and I'm pretty sure my explanation didn't help that much. It's how to wrap your head around this stuff. Fabian.
这另外两个分支只是用来证明程序计数器是错误的。我知道这非常复杂,我相信我的解释并没有帮助太多。理解这些东西确实需要一些思考。
Speaker 2 32:38
Maybe can you take one step back for a moment and like just make it more clear how this exactly then gets like, or how this is then the how the protocol works on the higher level. So I guess this is then the transaction like there are funds locked in a 2 of two.
当然可以,让我们退一步,更清楚地说明这个协议在更高层次上是如何工作的。我猜这就是交易,其中有资金被锁定在一个2对2的地址。
Robin Linus 33:01
Oh yeah, I haven't even talked about how to deal with the firms yet. Yeah, this is more just like how to. Yeah, how to how to walk through faulty state transition.
我甚至还没有谈到如何处理这些资金。是的,这更像是如何。是的,如何处理错误的状态转换。
Speaker 2 33:16
If you still getting to it, then it's fine. I just most interested.
我理解了。如果你还没讲到这部分,那没关系。我最感兴趣的确实是这方面的内容。
Robin Linus 33:20
Right now. Yeah, a simple way to do it would be just that the funds are locked in the same output as the entire graph is in. So then just like the party who wins will be able to take the output and that would be like the most simple way to control funds with them.
一个简单的方法就是将资金锁定在与整个图形相同的输出中。这样,获胜方就可以获取输出,这是控制资金的最简单方式。
Robin Linus 33:47
Well, that's graph, but there are more sophisticated ways to do it for the bridge later on. I feel like it would be just, maybe it's just too much to explain all the details of the BitVM graph here. I will go through the rest of the presentation and then if we have time, we can go back to this one.
这是图形,但以后可能会有更复杂的方式来实现桥接。我觉得在这里解释BitVM图的所有细节可能有点太多了。我会继续浏览剩下的演示,如果有时间,我们可以再回来讨论这个。
Robin Linus 34:14
Yeah, the this is in general the bridge there. Sorry, this is the graph. And now the question is, how do we apply that graph to build bridges into other system. And the main idea here is if the bridge is a bit clunky, it would be fine. We can build the bridge such that is used very rarely and only for large amounts. For example, like a trip of just a random number would be, you can use the bridge only from minimum 10 BTC. And it would also take you, I don't know, three months to pick out or something. And that would still be fine because most end users can just use cross chain swaps.
这通常是bridge的图。现在的问题是,我们如何将该图应用于构建通往其他系统的桥梁。这里的主要思想是,如果bridige有点笨重,也没关系。我们可以设计bridge,使其很少使用,且仅用于大额交易。例如,你只能使用bridge进行至少10 BTC的交易,而且可能需要花费三个月时间才能取出之类的。这仍然是可以接受的,因为大多数最终用户可以使用跨链swaps。
Robin Linus 34:59
As soon as we have some kind of guarantee that the xbtc or whatever we call the asset on the side chain, on the site system, whatever we call that asset, as long as xbtc has, is guaranteed to be anchored into Bitcoin value. And as long as you have a guarantee that you will always get BTC if you want for your xbtc, then these xbtc have value. And once this XPTC have value, then you can easily picture that some market will arise of, yeah, liquidity providers enabling cross chain swaps between different chains. We already have that between liquid, for example, liquid and lightning. I think just aqua wasn't wallet that was just launched that is based on that idea that is kind of easy to have a lightning channel on on a side chain, on the liquid side chain and then interact with the regular lightning network just via atomic swaps that you as an end user just don't notice. And that is the rough idea. So if we just have some kind of secure bridge, even if it's slow and clunky, it would totally enable bridging BTC to other systems and then would enable it in the end efficiently because we can just use atomic swaps, the guarantees of the bridge.
只要我们有某种保证,无论我们称其为xbtc的资产在侧链上,还是在系统上,无论我们称该资产为什么,只要xbtc的价值有望锚定到比特币价值。只要你有一个保证,你总是可以获取BTC,如果你想要你的xbtc,那么这些xbtc就有价值。一旦这些xbtc有了价值,你就很容易想象到,会出现一些市场,即提供流动性的参与者,使不同链之间的跨链交换成为可能。例如,我们已经在liquid和lightning之间实现了这一点。我认为刚刚推出的Aqua钱包就是基于这个想法的,它很容易在侧链上建立一个闪电通道,然后通过原子交换与常规的闪电网络进行交互,而作为最终用户,你几乎感觉不到。这就是大致的想法。因此,即使我们只是有某种安全但慢而繁琐的bridge,它完全可以使BTC桥接到其他系统,最终还可以以高效的方式实现,因为我们可以仅使用桥梁的保证进行原子交换。
Robin Linus 36:30
First of all, it's just a federation. But what's way better than what we have so far is that a single honest member suffice. Like if we, if the federation contains at least a single honest number, then the bridge is secure. And secure means the bridge is safe. And live save means nobody can steal the deposit. And live means you cannot stop a valid pack out. And.
首先,它只是一个联邦。但比迄今为止我们所拥有的要好得多的是,只需要一个诚实的成员。如果联邦至少包含一个诚实的成员,那么bridge就是安全的。安全意味着bridge是安全的。生存安全意味着没有人能够窃取存款。活动安全意味着你不能阻止有效的兑现。
Robin Linus 37:04
Yeah, we can have large federations, which is very good because yeah, it's, it's the more federation members we have, the more likely it is that there is also a single that there's at least one honest member. And another cool thing is that if you're an exchange or something or whatever stakeholder that has a high stake in the site system, then you can become a member of the federation. And once you're a member, then it's trusted for yourself because you can be that one honest member. And this way, you don't have to trust anyone, even if all the other members are malicious, you can guarantee safety and liveness.
我们可以拥有庞大的联邦,这非常好,因为是的,我们拥有的联邦成员越多,就越有可能至少有一个诚实的成员。另一件很酷的事情是,如果你是一个交易所或者任何在侧链系统中拥有高利益的利益相关者,那么你可以成为联邦的一员。一旦你成为成员,那么对于你自己来说是可信的,因为你可以是那一个诚实的成员。这样,你就不必信任任何人,即使所有其他成员都是恶意的,你仍然可以保证安全性和活性。
Robin Linus 37:46
Here is a great diagram from our design department that just gives like a very rough overview of how we envision the bridge. And the in principle, it's quite simple. It uses an ingenious idea of Burak. He is the creator of arc and he invented the idea of connector outputs. And connector outputs is something very simple. It's just the idea that you can connect two outputs by resigning the transaction for one of the outputs, spending both of outputs. And this way you can atomically connect them to each other.
这是我们设计部门提供的一个很好的图示,大致概述了我们对bridge的设想。原则上非常简单。它使用了Burak的一个巧妙想法。他是arc的创作者,他发明了connector output连接器输出的概念。连接器输出是一种非常简单的东西。它只是一个想法,你可以通过重新签署一个输出的交易来连接两个输出,同时花费这两个输出。通过这种方式,你可以原子地将它们连接在一起。
Robin Linus 38:31
In concrete terms, this is a very simple, simplified version of the packing and peg out. But I try to explain now like Alice would peg in 100 BTC here, and she would create an output of 100 BTC that is an NFN multi sick. And those are this is like the federation, all federation members have to presign and they would presign, eh, here, this blue transaction.
这是打包和兑现的一个非常简单、简化的版本。但我现在试图解释,就好像Alice会在这里兑现100 BTC,她会创建一个100 BTC的输出,这是一个N-N多签名输出。所有联邦成员都必须预先签名,他们将在这里预先签署这笔蓝色的交易。
Robin Linus 38:59
And the interesting part here is like they give the 100 BTC just to the operator, which is also an interesting optimization that we came up with. You can just give it to the opt 0,0 operator. I will explain later how you can pack out to any user, even though that money always goes to the operator.
这里有趣的部分是,他们将100 BTC交给了operator,这也是我们提出的一个有趣的优化。你可以将其交给opt 0,0 operator。稍后我会解释如何兑现到任何用户,尽管资金总是流向operator。
Robin Linus 39:21
But the most important part here is the blue output. Yeah, the blue output precise the entire transaction. And it uses C cache all and also signs these two inputs, like there are two inputs coming from the kickoff transaction of the operator, which will happen later. It didn't happen yet, like at the point of packing, it didn't happen yet, but they will know how the co kickoff transaction will look like. So they can already compute the outputs that it creates and then they can use it to presign this blue transaction here. And this kickoff transaction is built such that the operator puts in an input and then there are two outputs. One is time locked. It takes six months until you can spend it. And the other one is the so called connect output. And you can spend it at any time.
但这里最重要的部分是蓝色输出。蓝色输出确定了整个交易。它使用了C缓存,还签署了这两个输入,就像有两个输入来自operator的启动交易一样,这将在稍后发生。在打包的时候还没有发生,但他们会知道启动交易将会是什么样子。因此,他们可以预先计算它创建的输出,然后可以用它来预先签署这个蓝色交易。而这个启动交易是这样构建的,即operator放入一个输入,然后有两个输出。一个是定时锁定的,需要六个月才能花费。另一个是所谓的connector output连接输出,可以随时花费。
Robin Linus 40:12
But the interesting part here is that once the operator publish the kickoff transaction, it will take them 6 months until they can execute the blue transaction. And they will not be able to execute the blue transaction before 6 months. And they can only execute the blue transaction if they still have their connector output. If something happens to their connector output, then they won't be able to execute the blue transaction because the signature here commits to all of the outputs of the kickoff transaction. So if the connector output gets somehow spent by someone in some way, then the operator will not be able to touch the funds here.
但这里有趣的部分是,一旦operator发布了启动交易,他们将花费六个月的时间才能执行蓝色交易。在六个月之前,他们将无法执行蓝色交易。而且,他们只能在拥有connector output的情况下执行蓝色交易。如果connector output发生了什么问题,那么他们将无法执行蓝色交易,因为这里的签名承诺了启动交易的所有输出。因此,如果connector output以某种方式被某人花费,那么operator将无法触及这里的资金。
Robin Linus 40:52
So what we are doing here now is we have the connector output, which is a very powerful primitive because we can use it in conjunction with the BitVM. Like these red boxes, they're BitVM setups, 1 BitVM setup for each verifier. So the the prover, the operator of the bridge has for every other member one between m setup a separate BitVM setup and then work such that if one of the verifiers wins their challenge against the operator, then they win an output that allows them to spend the connector output of the operator. So if the verifier wins, if any web verifier wins their challenge against the operator, they win an output that allows them to spend the connector output of the operator, which guarantees that the operator cannot touch difference.
所以我们现在正在做的是,我们有了connector output,这是一个非常强大的原语,因为我们可以与BitVM一起使用它。就像这些红色框,它们是BitVM设置,每个验证者都有一个BitVM设置。所以桥梁的证明者,也就是operator,对于每个其他成员都有一个BitVM设置,并确保如果其中一个验证者在他们对operator的挑战中获胜,那么他们就能获得一个输出,使他们能够花费operator的connector output。因此,如果任何验证者在他们对operator的挑战中获胜,他们将获得一个允许他们花费operator connector output的输出,这就保证了operator不能动用其中的差异。
Robin Linus 41:48
And the good thing here is that all of these challenges can happen in parallel. So every verifier can attack the operator in parallel. And if only one of them succeeds, they can take the connector output, destroy the connector output, and this way they ensure that the operator cannot touch the funds. And this is like the rough idea how such a peg out can work. There are a couple more levels of complexity to it, but in general, this is the rough overview of of how the how of how it works. I can go into it to more detail, but I will finish the slides first. Limitations. What are the main limitations of private? Yep.这里的好处是所有这些挑战都可以并行发生。因此,每个验证者都可以并行攻击操作者。如果其中一个成功,他们就可以获取connector output,销毁connector output,从而确保operator无法动用这些资金。这就是这样的兑现如何工作的大致思路。还有一些更复杂的层面,但总体上,这是它运作方式的大致概述。我可以详细说明,但我将先完成这些幻灯片。有什么主要的私有限制吗?是的。
Speaker 3 42:41
Gloria has a question or.
Robin Linus 42:43
Come. Oh, yeah, I haven't seen that. Sorry.
Speaker 4 42:46
Hey, Stephen, here. Is it kind of like for Lightning also, the connector output would have a sizable output dashboard so that verifiers are incentivized to look for kind of cheating more.
对于闪电网络来说,connector output是否也会有一个相当大的输出仪表板,以激励验证者更加积极地寻找可能的作弊行为?
Robin Linus 43:00
Yeah, the you have to align the incentive such that the verifier makes a profit if they're disprove the operator. So the operator will over will have a deposit. Yeah, the minimum.
你必须调整激励机制,使得验证者在驳斥operator时能够获利。因此,operator将会有一个存款,是最低的。
Speaker 4 43:13
Value that has to be in the connector output to make it worthwhile.Connector output中必须有足够的价值,以使其具有吸引力。
Speaker 5 43:18
So would you publish the kickoff transaction first and have that bounty in there? And then you try to do the peg in.那么,你会首先发布启动交易并在其中设置悬赏吗?然后再尝试进行对接?
Robin Linus 43:29
You would just publish your I that operator output. You would not publish the entire transaction, or at least you would not publish the sign transaction. Because yeah, this putting this kickoff transaction on chain is also like the signal from the operator, which means I just witnessed a valid pack out in the side chain. And that's why I'm going to proceed now with the pack out. Oh, does that make sense.
你只需发布operator的输出信息,不需要发布整个交易,或者至少不要发布已签名的交易。因为将这个启动交易放在链上也像是来自operator的信号,表示我刚刚在侧链上见证了一个有效的锚定输出。这就是为什么我现在要继续进行锚定输出的原因。噢,这样说通吗?
Speaker 5 44:05
Okay. So it's like an unvault.好的,所以这有点像是一个未锁定输出(unvault)。 Robin Linus 44:09
Okay. It's also like the operator makes the claim that a valid headcount was initiated on the site system.这也像是运营商声称在侧链系统上已经启动了一个有效的头寸。
Speaker 5 44:19
Okay..
Robin Linus 44:21
And that's important that they make a claim because once they had make a claim that is that they commit to, then you can use that claim and disprove it in a BitVM if it's incorrect from.
重要的是他们提出了这样的声明,因为一旦他们提出了承诺,你就可以在稍后的虚拟机中使用该声明,并证明它如果不正确的话。
Speaker 5 44:34
Hum in.
Speaker 4 44:35
Conceptually, who's operator again? Like what do they do?概念上,"operator" 指的是什么?他们的工作是什么?
Robin Linus 44:39
The operator is just one member of the federation that is in charge of, yeah, operating the bridge in essentially of paying the people who wanna pack out.
"Operator" 只是联邦中的一个成员,负责在桥上操作,基本上是支付那些想要离开的人。
Speaker 4 44:51
So each federation is a single operator and then that operator is kind of checked by all the federation members. Yes.
所以每个联邦都是一个单一的操作者,然后这个操作者受到所有联邦成员的监督,是吗?是的。
Robin Linus 44:57
Okay, thanks. And they can like kill them and then the next party becomes the operator. Like if you win against the operator, if they cheated, then some. And there's no honest verifier, then the honest verifier will win and then they can kill the operator's connector output and essentially remove them from the federation. And then just the next party becomes the operator and you start from scratch with the same setup.如果他们能击败操作者,如果操作者作弊,那么下一个团队将成为操作者。如果没有诚实的验证者,那么诚实的验证者将获胜,然后他们可以杀死操作者的连接输出,从而将其从联邦中移除。然后下一个团队成为操作者,你可以使用相同的设置从头开始。
Robin Linus 45:28
Hum, thanks. I know it's highly complex and there are many levels of many pilots of hacks piled on top of each other. So don't hesitate to ask any questions. I know it's complex and I would certainly not understand it from my explanation. But yeah, limitations of BitVM, first of all, yeah, there's lots of complexity. The scripts that we're building are complex. It's a complex process. It's, it has complex assumptions about fees and all that stuff. So I, it is not a simple solution. It's a com like solution. Definitely. Also, it's complex to, yeah, balance the incentives.
我知道这非常复杂,有许多层次、许多飞行员的黑客技巧堆叠在一起。所以请随时提出任何问题。我知道这很复杂,而且我肯定无法从我的解释中理解它。但是,首先,BitVM有很多复杂性。我们正在构建的脚本很复杂。这是一个复杂的过程。它对费用等方面有复杂的假设。所以,这不是一个简单的解决方案。它是一个复杂的解决方案。此外,平衡激励也是复杂的。
Robin Linus 46:27
Of course, if the incentives are balanced, the chain is not needed. However, that's potentially capital intensive because you kind of have to predict the highest possible fees, and you have to put up capital to be able to pay for the worst case. So that's interesting thing. Like if you're able to pay for the worst case, then the worst case probably won't happen. But if you're not able to pay for the worst case, then there's an incentive to export that. So yeah, you, it's pretty much it boils down to capital costs, like the cost of putting up the capital and waiting or like being there if you would need it, that guarantees mostly that you don't need it at all.
当然,如果激励被平衡了,那么就不需要链。然而,这可能需要大量资本,因为你必须预测最高可能的费用,并且你必须投入资本来支付最坏的情况。这是一个有趣的事情。如果你能支付最坏的情况,那么最坏的情况可能不会发生。但如果你不能支付最坏的情况,那就有动机去导致它发生。所以,基本上归结为资本成本,即投入资本的成本和等待,或者在需要的时候在那里,这主要保证你根本不需要它。
Robin Linus 47:16
Whoops. Yeah, a very good thing here in comparison to other bridges that like other people have been doing research on Bitcoin bridges and they usually come up with solutions that require some kind of 1 to 1 collateral or even over collateralization. Here in our model, we don't need that at all because we have that nice connector output thing, which essentially guarantees that if the attacker cannot touch the funds, so there is no need to over collateralize anything. Also because yeah, all you need is them paying the winner's fees, but they cannot touch the deposits. So there is no way, there is no need to collateralize it.
与其他桥梁相比,这里有一个非常好的特点,其他人一直在研究比特币桥梁,他们通常提出需要某种1对1的抵押品或甚至过度抵押的解决方案。在我们的模型中,我们完全不需要这个,因为我们有一个不错的连接器输出的机制,它本质上保证了如果攻击者无法触及资金,那么就无需过度抵押任何东西。另外,因为你只需要支付赢家的费用,但他们不能触及存款,所以没有必要进行抵押。
Robin Linus 48:18
Yeah, and there are some scalability issues like you cannot scare to a thousands, federation of a thousand people because for every pack, our pack in all of the end parties have to pre sign and pack out transactions in the end. So there's a lot of presigning going on. It's way less than I originally anticipated. Originally, I thought every party has to presign the entire BitVM setup of all other parties. But this is not the case. It can be still 2 party setting. It totally works out. But that pagout transaction, like the blue transaction, if you remember, that has to be signed by all end parties. And you have to sign it n times because, yeah, you need the entire setup end times because when you kill malicious or like m minus 1 malicious operators, you still need the single honest verifier to be able to keep the bridge running. And that's why you need the setup end times.
是的,还存在一些可扩展性问题,比如你不能对成千上万的联邦进行恐吓,因为对于每一个包,我们所有最终参与方都必须预先签署和打包交易。因此有很多预签署的操作。这比我最初预期的要少得多。最初,我认为每个参与方都必须预先签署所有其他参与方的整个 BitVM 设置。但事实并非如此。它仍然可以是一个两方设置,完全可行。但是那个打包交易,就是蓝色的交易,如果你还记得的话,必须由所有最终参与方签署。而且你必须签 n 次,因为当你消除恶意的或者说 m 减 1 个恶意的操作者时,你仍然需要单一的诚实验证者来保持桥梁运行。这就是为什么你需要进行 n 次设置。
Robin Linus 49:119
And in general, federation can sense of peg-ins. That's an issue. Like since all of them have to cosine, if one refuses to cosine, then you cannot do more pagins. That is definitely an issue, but it's not as big of an issue as if they could send the payouts pack sender impact and nobody loses money, right? But in a pack, sending a pack out, that would be equal to stealing one.
总的来说,联邦可以检测到 "peg-ins"。这是一个问题。因为它们都必须签署,如果有一个拒绝签署,那么你就不能进行更多 "peg-ins"。这确实是一个问题,但并不像如果它们可以发送支付包发送方影响并且没有人失去钱那样大的问题,对吧?但在发送 "pack out" 的情况下,这将等同于偷窃。
Robin Linus 49:47
Summary and outlook. BitVM definitely enables much more complex bitcoin contacts. The main use case that I see is a trust minimize bridge. In general, trust minimize bridges to all kinds of systems. Maybe there are also other use cases, but since it is slow and expensive, it doesn't really fit many use cases. But it fits the bridge use case quite well. Yeah, it is practical, but it is clunky.
总结和展望。BitVM 确实使得更复杂的比特币合约成为可能。我看到的主要用例是最小化信任的桥梁,通常是对各种系统的最小信任的桥梁。也许还有其他用例,但由于它速度较慢且昂贵,实际上并不适用于许多用例。但它相当适用于桥梁用例。是的,它是实用的,但也有一些笨拙的地方。
Robin Linus 50:16
As I said, it's very cool that it doesn't require any soft fork. So we can do more innovation without any activation drama. And hopefully our toy version will be ready this month.
正如我所说,它非常酷的地方在于它不需要任何软分叉。因此,我们可以在没有激活戏剧的情况下进行更多创新。希望我们的玩具版本将在这个月准备就绪。
Robin Linus 50:30
We have already implemented since, I don't know, 2,3 months already, and we got it to quite sophisticated level. Just yesterday, we walked or like we executed all transactions for the first time down to the Merkel pass. So like the entire graph from like the top to the bottom yesterday for the first time. And yeah, hopefully we will even have a reckless main net this year. Well, people can already use some small real amounts and use it in the wild. No, that's it. Do you have any questions.
我们已经实施了,我不知道,大概有2、3个月了,而且我们已经把它发展到了相当复杂的水平。就在昨天,我们首次执行了所有交易,一直到默克尔通道。所以,从昨天开始,整个图谱从顶部到底部都已经运行了一次。是的,希望我们今年甚至能够有一个不谨慎的主网。嗯,人们已经可以使用一些小额真实金额,并在实际环境中使用它。好了,这就是全部。你有任何问题吗?
Speaker 3 51:17
Robin? That's great. Thanks for jumping on. I know folks will have some questions. I see Fabian's got his hand up group. Maybe quick question for myself first. The BitVM enables this federation in this peg and peg out W. Is there a name for this bridge you just called BitVM bridge or does it have its own, they distinguish from ByteDance itself.
我知道大家可能有一些问题。先给我提一个简短的问题。BitVM使得这个联邦和这个转入和转出 W 的桥梁成为可能。这个桥梁有一个名字吗,你刚才称之为 BitVM 桥梁,还是有它自己的名字,与 ByteDance 区分开来?
Robin Linus 51:42
And I'm working on a paper together with Alex, say, and he calls it Sentient Bridge or something. But I have really come up with any name that really resonates strongly with me. So I'm open for suggestions.我正在与 Alex 一起写一篇论文,他称之为 "Sentient Bridge" 或类似的东西。但我真的还没有想到一个让我深感共鸣的名字。所以我对提议很开放。
Speaker 3 51:59
TBD. Alright, have any other question?
Speaker 2 52:04
Yeah, you had like some examples of stuff that is implemented and you mention Blake, which I've seen, but I've also seen somebody post something about a function chart 1 or 56 implemented in the PM. Is it something different? r I'm just curious because you didn't mention it in your presentation.
你提到了一些已实施的东西,并且提到了 Blake,我看到了。但我也看到有人发布了关于在 PM 中实现的功能图 1 或 56 的内容。这是不同的东西吗?我只是好奇,因为你在演示中没有提到这个。
Robin Linus 52:23
I thinn that's different. I think that was more like pllaing around with ideas. We were really serious about like 3, like we have completely implemented it to the like it just works. And I think the short one and 56 version was more like theoreticall. It'slike, yeeh, we do have the buiiding blockk, but they haven't built it. Okay, ggttit. But maybe I'm wrong here. I'm hope, I hope I don't friend.
我认为那是不同的。我认为那更像是围绕着一些想法玩耍。我们对于 3 是非常认真的,我们已经完全实现它了,它就是可以工作的。而我认为短的和 56 版本更多是理论上的。就像是,嗯,我们确实有了构建块,但他们还没有建造出来。好吧,我可能在这里弄错了。我希望,我希望我没有弄错。
Speaker 5 53:02
I have a kind of a question reeated to that. LLikehow much of, I guess ii's kind of unclear to me wwat goos on chain, like you were talking about using 100,0000 o codds to implement like 3 is not something that you have in youu like is thha part f a the sccipt of a transaction you publish on chain? Yeah, but practically does that work if it like that's a non standard size, right? Is it 100 k? Oh, I guess it's witness discount. But yeah, like what goes.
我有一个与此相关的问题。就像链上发生了多少事情,我猜对我来说有点不清楚,你刚才提到使用 100,000 个代码来实现像 3 这样的东西,这不是你在交易中发布的脚本的一部分吗?是的,但实际上如果它是一个非标准大小,那么它会工作吗?是 100k 吗?嗯,我猜是见证折扣。但是,究竟是怎么回事呢?
Robin Linus 53:44
Can be by. So it should be stupid.
可能是的。所以它应该是简单的。
Speaker 5 53:48
Right? Right.
Robin Linus 53:51
Okay, never mind. Andd mybe here to show it, it's really liik the very laatt ransaction only hre, eitherrin this or in that transaation, you would execute one round of pplte 3. So only n the very worst case that the alicioussparry knows they hve lost, buutthey still keep doing it for half ayear and keep posting like the worst answer that they can to really get here and like to really end up there. And then at the end, they would haae to execute one round of Plate 3.
好的,没关系。也许在这里展示一下,就像在最后的交易中,或者在这个交易中,你会执行一轮 Plate 3。所以只有在最坏的情况下,恶意方知道他们已经输了,但他们仍然坚持半年,不断发布最差的答案,以确保到最后真的到达那里。然后最终,他们将不得不执行一轮 Plate 3。
Speeker 5 54:33
And so this 40 rounds over six months is that worst case, as in the attacker waits untii the last mmnute. Yeah, to ooanotthr. Okky.
所以这 40 轮在六个月内的情况是最坏的情况,就是攻击者等到最后一刻。是的,转到下一个。好的。Robin Linus 54:42 Exactly. Yeah, that's like the attacker trying to maximize the length of the trial, the uration of the trial.
确切地说,是的,这就像攻击者试图最大化试验的持续时间。
Speaker 5 54:54
And is it so you do you have to put all of the, I guess, value upfront? Okay. So you would like run out of fees and that's not be worth it anymore. You.
是的,你需要提前放入所有的价值吗?好的,所以你可能会用尽费用,然后再也不值得了。
Robin Linus 55:13
Fee. Yeah, no, the fees are not that much of ann ssue. You caa always have anchor outputs and then just use these. But.
费用。是的,不,费用不是太大的问题。你可以随时有锚定输出,然后只需使用它们。但是。
Speaker 5 55:20
Like if i's an expenssve fee mmrkee, yyah, anndit's expensive to publish a transactiion o make a proof, yeah, tthnnyou might not bother.
就像如果我的费用很昂贵,嗯,是的,发布交易或做证明很昂贵,是的,你可能不会打扰。
Speaker 5 55:58
Okay, intereettng. I have a, I guess so I don't wanna kind of, I'm likkea little worried that this will sound rude, I guess. So you mentioned kind of this very rich universe of possibilities of like, you know, the infinite amount of things that you can do here. Is that kind of the goal or something you're just trying to demonstrate and you're actually looking to deploy something a bit smaller or.
好的,很有趣。我有一个,我猜我不想,我有点担心这会听起来有点粗鲁,我猜。所以你提到了这个非常丰富的可能性宇宙,像你知道的,你可以在这里做的事情有无限多。这是目标吗,还是你只是想展示一下,实际上你正在寻找部署一些规模较小的东西呢,还是什么?
Robin Linus 56:36
Like we're really building these bridges and then everybody can use them to bridge BTC into their system Like some people want use it for Ethereum, others when I use it for bitcoin side chains, like Soren found it interesting or like rootstock people found it interesting. In general, everybody who's building side chains can use it. Everybody who's building ZK rollops, there's another company that is using this building. They can roll up some bitcoin. They're very interested in using the bridge. And in general, we wanna offer that's primitive for other people to bridge BTC into their system.
好比我们真的在构建这些桥梁,然后每个人都可以使用它们将比特币桥接到他们的系统中。有些人想要将其用于以太坊,而其他人可能想将其用于比特币侧链,比如Soren觉得很有趣,或者Rootstock的人觉得很有趣。总的来说,所有正在构建侧链的人都可以使用它。所有正在构建ZK rollup的人,还有另一家公司正在使用这个系统,他们可以将一些比特币rollup起来。他们对使用这座桥梁非常感兴趣。总的来说,我们希望提供这样的基础设施,使其他人能够将比特币桥接到他们的系统中。
Speaker 5 57:12
Okay, so they could have side chains where they have whatever they want. Yeah, and it's, I see interruptable. Okay.
好的,这样他们就可以拥有他们想要的侧链。是的,我明白了,它是可中断的。好的。
Robin Linus 57:20
And then you could have like all the like you can have all kind of clones. You can clone Ethereum, you can clone Z cash, you can clone Monero, whatever you want. And then just remove the shitcoin and replace it with BTC and then have essentially every feature, every blockchain architecture that you want.
然后你可以拥有各种克隆。你可以克隆以太坊,你可以克隆Zcash,你可以克隆Monero,任何你想要的都可以。然后只需移除那些不受欢迎的代币,用比特币替换,就可以拥有你想要的每个功能,每个区块链架构。
Speaker 5 57:42
I see. Okay.
Robin Linus 57:43
Like the brand vision. Cool.
Speaker 5 57:46
Very cool. Thank you. Did you wanna go?
Speaker 4 57:49
So Stephanie, two questions. I think they're related. One is like a few months ago, up came out the only function available was, I think, checking if value is 0 or something. And then it would say that you take a long time to build all the functionality. But it seems now that you've already built a lot of that quite quickly, like what's what happened that things involve so quickly. And it also was a link between G++ and the VM implementation. Cuz I didn't quite get that, but I'm thinking it might be. Great question.Stephanie,
有两个问题,我认为它们有关联。一个问题是,几个月前,唯一可用的功能似乎是检查值是否为0之类的。然后会说你花了很长时间来构建所有的功能。但现在似乎你已经相当快速地构建了很多功能,发生了什么让事情发展得这么迅速。另一个问题是G++和VM实现之间的链接,因为我没有完全理解,但我认为可能存在某种关联。这是一个很好的问题。
Robin Linus 58:19
Since. Okay. Yeah, like super test night is not here, like in the Zerosync team would BitVM or like this, what I'm presenting here is built by the ZeroSync team. And so, but Tessen was toying around with BitVM in general, and he built the first prototypes. But they will, his goal was just to build something as soon as possible and give people something to play around with. And what we're doing here is, yeah, I'm more complex approach that is aiming for more real world use cases. And it's essentially two different projects. So it's maybe we should just not overload the name that VM too much. Maybe we need to find a official name for this project to distinguish it from other things that are also called PDM. Okay, and the second thing, the difference between Tree++ and the BitVM is that Tree++ is like that domain specific language built on top of Bitcoin script, like it allows these things that I mentioned, like I'm rolling stuff or here it is essentially just a templating language for script. That's the main reason, main thing here. And we're using Tree++ to implement BitVM
.嗯,夜间超级测试并不存在,就像在ZeroSync团队中,BitVM或我在这里呈现的这个是由ZeroSync团队构建的。Tessen一直在尝试BitVM的一般性玩法,他构建了第一个原型。但他的目标只是尽快构建一些东西,让人们玩弄一下。而我们在这里所做的是更复杂的方法,旨在满足更多真实世界的用例。它实际上是两个不同的项目。所以或许我们不应该过多地使用BitVM这个名字。也许我们需要为这个项目找一个官方名称,以区别于其他也被称为PDM的事物。好的,第二个问题,Tree++和BitVM之间的区别在于,Tree++是建立在比特币脚本之上的领域特定语言,它允许我提到的一些事情,比如rollup等。这里它本质上只是脚本的模板语言。这是这里的主要原因,主要内容。我们正在使用Tree++来实现BitVM。
Speaker 4 59:54
Okay. So it wouldn't be like if you're writing a one of these contracts, you would be using the bitfield implementation with the language you wanna use and you wanna.
好的。那么,如果你正在编写其中一个合约,你将使用Bitfield实现以及你想要使用的语言,对吗?
Robin Linus 01:00:05
You would use rust or something, you would use C++ rust or whatever high language you're used to and then compile that down to the BitVM instruction set. And then, okay. So s normal contract developers will not deal with Tree++ at all. And they will not deal low level stuff. It's a very way more like solidity in the end for the developer experience. All of that stuff here, Tree++ is not solidity. Like we will have another language that will probably be just some rust dialect that will be, yeah, the main language to them express programs to run them in video. This is just, yeah, and then a templating language on top of big Country. Thank you..
你将使用Rust或其他高级语言,然后将其编译成BitVM指令集。好的,所以普通的合约开发者根本不需要处理Tree++,也不需要处理底层的东西。这更类似于Solidity,对于开发者来说体验更好。所有这些东西,Tree++不是Solidity。我们将使用另一种语言,可能只是某种Rust方言,它将是他们表达在比特币中运行程序的主要语言。这只是一个模板语言,位于比特币上层。
