Jeremy Rubin on Char: the infrastructure bet underlying every Bitcoin L2

BTC · Bitcoin Magazine · 1 June 2026 at 20:34 · 19:54

INTRO

Char proposes a Bitcoin-based staking system to decentralize Layer 2 sequencing, penalizing dishonest behavior through cryptographic slashing of locked BTC.

KEY POINTS

Sequencing as the weak point of Layer 2s

Many Bitcoin Layer 2 systems rely on centralized sequencers or small committees to order transactions. Although other components such as bridges have improved, sequencing remains a bottleneck where a few actors can control which transactions are included and in what order, creating systemic risk and the potential for censorship.

Char's core idea: decentralized sequencing

Char introduces a shared sequencing layer open to everyone, designed to replace trusted operators. It lets anyone take part in ordering transactions, much like mining, in order to eliminate single points of failure while preserving auditability and consistency across Layer 2 systems.

Proof of stake built on Bitcoin

The system uses a proof-of-stake model anchored in Bitcoin, in which participants lock BTC as collateral. Unlike standalone PoS chains, it inherits the finality of Bitcoin's base layer, avoiding problems such as chain splits or social coordination to resolve forks.

Economic penalty for misbehavior

If a participant signs conflicting transaction histories (known as equivocation), their staked bitcoins can be seized or effectively destroyed. This creates a strong economic deterrent, analogous to a hypothetical mining system in which ASICs self-destruct if work is reused invalidly.

Majority threshold for finalization

For a batch of transactions to be finalized, a majority of the staked participants must agree. Attacking the system would require a majority willing to sacrifice its own funds, making dishonest outcomes economically irrational under normal conditions.

Handling spam and denial-of-service attacks

Spam resistance comes from the cost of participation. Because every validator must stake Bitcoin, submitting invalid or conflicting updates exposes them to a loss of funds, which prevents the low-cost attacks that affect open systems without economic barriers.

Cryptographic enforcement mechanism

The protocol exploits a property of digital signatures: if a participant signs two messages with signatures that share a component (the fixed "b" value in the interview's y = mx + b analogy), their private key can be derived mathematically. This allows equivocation to be detected and punished automatically without complex on-chain logic.

Penalties enforced by miners

Enforcement ultimately depends on Bitcoin miners, who can claim the funds of dishonest participants. Although this makes enforcement somewhat probabilistic (miners could censor the penalties), the unpredictability of block production still incentivizes honest behavior.

A breakthrough thanks to the EVRF and a simplified design

A recent improvement uses an Exponent Verifiable Random Function (EVRF) to standardize how signatures behave. This reduces protocol complexity by guaranteeing consistent parameters, removing the need for extensive tracking and simplifying verification.

Emphasis on minimal trust assumptions

The design avoids adding new layers of trust beneath Bitcoin. It works within Bitcoin's constraints, favoring simple, verifiable primitives over smart-contract systems that are more expressive but carry heavier assumptions.

CONCLUSION

Char aims to transform Bitcoin's Layer 2 infrastructure by replacing trusted sequencers with a staking-based, cryptographically enforced system in which dishonest behavior directly destroys economic value, aligning incentives toward honest participation.

Full transcript

If miners made their ASICs such that if you ever find a valid work template for a particular block height and then you run it on another cycle after you found the valid work template it blows up your ASIC. Obviously ASIC producers aren't going to do that. There are a lot of reasons not to, but that would be pretty cool if you like burned in a bit and were like, "Okay, never this height again." And if it's ever this height again, you know, blow up the chip. That would build into the hardware some amount of like reorg safety. And a staking network works almost exactly like this because if you ever equivocate over what you've signed previously, you blow up your mining rig, which is really just locked up Bitcoin.
Hello everybody. I'm Shinobi from Bitcoin Magazine joined by Jeremy Rubin from Char, a kind of stealthy company that's been working on the Char network, a layer 2 project. So I guess in mimetic fashion, what the is Char?
>> Well, I'm glad you asked. Uh, so we're not actually necessarily stealthy. Um, I think that we're just not really trying to say a bunch of fluff if we can't back up our claims. Um, so maybe we're bucking an industry norm that you're used to. What we're working on is a layer 2 consensus mechanism um for rollup like layer 2s.
>> Um, can be used for other things as well, but that's sort of a prime target for most of these layer 2 projects. Um they build up a lot of uh cool primitives uh that they use to do various parts of the protocol. They have uh now uh like a garbled circuits engine for proving withdrawals from uh a bridge and that stuff is really neat. Um, one of the areas that across the board, uh, these projects are weak in is, uh, sequencing. And they have a need to commit to some piece of data. Let's call it data, uh, number five. And they also need a piece of data number six. In the same way that Bitcoin has blocks, they need ordered pieces of data. And this is a really difficult problem.
In order to solve it, the simplest thing you can do is kind of like a uh an authority or a committee that just says uh well, we signed this with five and trust us, we're not going to sign uh two different things with five.
>> Um so that that's what most of them are doing. And I think that this is a uh it is a nice way to do engineering is to make your trusted components do the simplest possible thing. If you for example wanted to have a trusted uh you wanted to have like a Bitcoin like thing and you said okay but we need some trust assumption the trust assumption is the whole thing um and it's just a a bank at that point um and you kind of ruined it. But if you say well it's it's still a bank and you know all let's say all the blocks are signed um but uh there are blocks and they're auditable and you can see if there's been sort of an equivocation. You know these are all things that are improvements because you've reduced what the what the adversary or trusted party is able to do. Mhm.
>> And so for the sequencing um it's sort of this void for a lot of these layer 2 where they have minimized the role of the trusted party to a pretty constrained area. Um but it still means that there is uh some sort of entity or small group of entities that can really exert a lot of control over their protocol. Yeah. And at Char, what we're working on is a system that can make that decentralized um and open participant um that can be shared by all of these uh various layer 2 uh protocols and projects.
>> So to kind of like simplify uh for the viewer like most of these systems can be boiled down to like the bridge and like what's actually custodying the real Bitcoin on chain and then whatever is processing and ordering things off chain.
So like the bridge itself is still somewhat trusted although with the one of trust model like it's massively improved compared to like a traditional federated system but like you still depend on this one operator to keep progressing the system to process withdrawals and that's that point of failure. You want to open that up. So that could be essentially like mining like anyone can come and go participate as they want or leave when they want.
>> Yep.
>> How do you address the denial of uh service concerns there? Because you know with mining like that kind of solves itself by forcing you to do work like the proof of that. Like what way is Char going to try to mitigate the risk of people just spamming nonsense updates or invalid updates or trying to stall or progress stall progression of the system.
>> Yeah. So the way that we work is uh under the hood we're a proof-of-stake algorithm. Um what and I think this is also something that that I want to note with Char we're making a very careful effort to be a no like the buck stops with us in terms of uh like we don't want to have trust assumptions down the stack.
>> Um so we're a proof-of-stake system built on top of Bitcoin but the primitives that we're using we want to be uh simple and with no further trust assumption. Um so we work with Bitcoin as as it is. Um and what we have built is a way that you can commit to a message for your uh staking participant and if you ever equivocate across two messages then your funds uh can be spent um or burned um at a future date. Um, and so that that's the core protection that we build in that prevents somebody from cheaply spamming. Um, in order to drive consensus, you have to have a majority of participants endorse a specific proposal. And therefore, if you wanted to have uh two different things reach that finalization threshold, you would have to have a majority of the stakers willing to lose all of their staked Bitcoin. Mhm.
>> Um and in that way, um from a thermodynamic point of view, it's not Bitcoin mining, but from an economic point of view, what's the cost of doing a one-block uh you know, abandonment if you're the only miner? It's the cost of the reward of that Bitcoin,
>> but priced in the energy you had to spend. Yeah.
>> In our case, if you wanted to equivocate, it's burning your Bitcoin that's staked. Um, and so this is a little bit more equivalent to if miners made their ASICs such that if you ever find a valid work template for a particular block height and then you run it on another cycle after you found the valid work template, it blows up your ASIC.
>> Um, and obviously ASIC producers aren't going to do that. There are a lot of reasons not to, but that would be pretty cool if you like burned in a bit and were like, "Okay, never this height again." And if it's ever this height again, um, you know, blow up the chip. Um that would build into the hardware some amount of like reorg safety. Um and a staking network works almost exactly like this because if you ever equivocate over what you've signed previously, you blow up your mining rig which is really just locked up Bitcoin.
>> Yeah. And in this case, because this is all a second layer system on Bitcoin, like you don't have to concern yourself with like the meta issues of like a pure proof-of-stake chain splitting and like what would one half do and the other half and that bond is duplicated.
>> Whatever happens in the layers up, um which you sure bad things can happen in the layers up if everybody decides to burn all their Bitcoin, but at the end of the day you burn your Bitcoin. Um, and so hopefully people will uh avoid that outcome. Um,
>> and there's no way like say Ethereum to kind of fork and try to alter rules or continue on a separate chain like that's Bitcoin. You have to convince the miners.
>> Exactly. And and I think it's also in an Ethereum like context, you can have these long range attacks.
We have a similar problem, but we we deal with it a different way. Um, but where over time um let's say we have uh this, let's call it a an epoch. We're living in this epoch of everybody who's staking today in Ethereum and then they're all going to sell all their coins, move on with their lives, and then five years from now, they're going to be like, "Oh, hey, what if we all got back together and did a little bit of like a family reunion, and then we just started like pretending like we were staking again?" They could make in theory a conflicting set of records from that previous point. There are mitigations for things like that that you can do that you can try to make it harder to uh an example of how you can get around some of this is there are like VDFs that people use, verifiable delay functions. You can say well you would have had to have started the attack at that time in the past as well. There are mitigations you can do to make it harder for someone to decide on a random day in the future to do this. But at the end of the day, you have these you have these fundamental problems and in Bitcoin um you have much less of this because this is a well no if you if you went to do that we have a a separate chain that's running we have an accurate picture of exactly the stakers today and if if somebody did this you would see their Bitcoin burned.
>> Wonderful. I have directed Secretary Connally to suspend temporarily the convertibility of the dollar into gold. How exactly does um like the enforcement of the staking mechanism work? Okay. So, right now um as they say uh you know one step forward, two steps backwards. Um we have been doing uh a lot of research and we've redone how some of this stuff works uh very recently which is uh on the one hand uh yay we had like a a relatively big breakthrough in how our protocol can work.
Um, on the other hand, uh, this means we have to rewrite a lot of the code that is built up around it, but it's giving us a much simpler protocol and much simpler enforcement. With that said, the way that it works is signatures are ultimately uh, random lines on mathematically a torus. So, if you took a donut and then you took a pencil and then you traced a line around the the donut, eventually you'll, you know, maybe come back to that same point
>> on that torus. You could go on different slopes and still wind up back at the same point um if you spiral around enough times. And it turns out that that in Bitcoin um private keys are really just very high slope lines almost exactly straight up and they loop around really tightly and a small perturbation completely changes uh the way that you spiral around this this torus. Um that's kind of some of the underlying math. Um, and the the slope of um, and it'll get a little handwavy, but the way that it works is every time you make a signature, you're picking a different line on that torus. If you ever pick two lines that share uh, a single component of that line, and these lines are really, they're lines. They're y = mx plus b. Mhm.
>> If you ever pick two of the same uh b's, um which that's, you know, from grade school math, the y-intercept, you're able to uniquely determine what the line was. And the line has mx plus b. x is your private key. Then you're able to solve for x. And once you solve for x, then you have the private key. We have what's called an anchor output. Um slightly different context. It's like a stake anchor.
>> Um than than what people talk about with like dust anchors or whatever. And so we have two two mechanisms. One is an output that immediately can be spent but carries no value. Just maybe a dust amount if it's required by the protocol. If it weren't, we would remove that dust amount.
>> And then we have another set of outputs that are locktimed.
Um and then at that lock time if the public key is well known um then either the miner uh will like claim those funds or they can be um maybe burned. It it always ends up in the camp of at that point in time um the miners can either you know sweep the funds if they collude um anyways. So that's the uh reasonable outcome. Other other systems make a little bit more effort to make it seem as if you can do burning. Um or maybe if there was a covenant you could enforce burning. From another perspective um which is the perspective we've taken, it turns out that punishment for misbehavior um is always relatively probabilistic in that uh if a tree falls in a forest uh and no one's around to hear it, does it, you know, does it really happen? So if you did the equivocation to someone and and then they didn't know that they should punish you, then you're not going to be punished anyways. And if a transaction has to go in by a certain time or you can redeem and then the miners are censoring that punishment transaction, you're also not going to get punished. And so we've taken maybe a little bit more aggressive stance of just saying that punishment is really up to the miner um to enforce and that their incentive is to sweep these if somebody's cheating. Um and that does mean that in theory a miner um could you or a set of miners could maybe collude in the staking layer but because of the unpredictability of that it still should be sufficient disincentive because you don't know who is going to mine that block.
>> So that that that's how our enforcement mechanism works. Um the way that it changed recently is that um early in some of the research for Char I was looking for a specific primitive and it was eluding me um which is a verifiable random function. This is essentially a hash function that only one person can compute but anyone can verify. Mhm.
>> And I wanted a verifiable random function that gives you a curve point instead of reveals its output as a curve point instead of as a um as a as a raw scalar. Basically, I wanted something that gives you a public key instead of a private key because proving to somebody this is a private key is not that great because then they have your private key. Yeah. Proving that this is a public key that's much more useful and for various reasons some of it is like literature misalignment on terminologies I couldn't find something that satisfied that and so we abandoned that course
>> um it turns out that two things have happened. One, there's been a little bit of like a resurgence of literature around this space under the name EVRF meaning exponent verifiable random function and it further turns out that um the uh wizards uh over at uh Blockstream also knew that this is kind of a cool thing and they wrote a paper called MuSig-DN which is deterministic nonces and inside of that paper there's a construct in order to make deterministic nonces work called Purify which happens to be an EVRF
>> and unfortunately there's no implementation publicly available of uh like a production grade Purify um so we made an implementation of it, have some you know decent tests, would love more review if you're of the reviewing class of people. And it turns out that this primitive really dramatically simplifies um how our signing of attestations works. And the reason that it does that simplification is because remember that y = mx plus b and we're worried about those b points is it turns out the way that we guarantee if you sign twice you get punished is by fixing that b point. But being able to fix that b point using an EVRF allows us to dramatically reduce the amount of context that you need in order to establish that you are using a fixed uh b inside of your signature.
And so that dramatic simplification basically removes tons of context tracking that we need to do in the protocol otherwise to guarantee that. Um, if you had like Ethereum like smart contracts, you would never come up with this stuff because there are so many simpler ways to be like, I have the two things literally look at the number that I signed and they're they're the same one and it's two different things. But in Bitcoin, we have to be much more clever in order to figure out how we accidentally expose these properties.
>> Yeah. Because you can't just explicitly compare these types of variables or have the context across different transactions.
>> Yep. Exactly. And so now with that in hand, we actually have a uh dramatically simplified uh whole stack of our protocol. And so we're, you know, we were hoping and I think we'll still be able to make it of uh being able to publish some stuff really imminently. Um but this is such a big win that we're going to we we actually we published the Purify library so that's ready for you know public review. Um uh but we'll be grinding on getting it fully integrated and uh usable because it makes everything simpler and better throughout the whole protocol. It's going to be a win for you know for the success of the protocol long term. So to kind of distill down like you essentially have been just quietly for the last few years looking at this whole wave of BitVM layer 2s and going how do we actually make this decentralized like how do we actually have this function as something more analogous to the old vision for side chains or the Lightning Network rather than like a service that one entity is offering.
>> Exactly. And I think the other thing that's maybe relevant because we're at the MIT Bitcoin Expo is um last year that's when I um sort of garblepilled everyone on uh garbled circuits is the way forward. Mhm.
>> And that came about because in working on Char um obviously I you know knew about BitVM and you know roughly how it works but I hadn't really done like a deep read on like what exactly are they proposing for BitVM2
>> and when I was in the process of doing that saying like okay how can we build the best possible Char network to support that I was like this is just not going to cut it. Why aren't they using garbled circuits? And I went and I looked at all the like, you know, Telegram groups and postings and nobody had even mentioned the word garbled circuit once and I was like, "Oh, maybe, you know, maybe this is like actually truly novel." And I, you know, told Robin and stuff and they were very plea, displeased and pleased, uh, displeased that it upset a lot of the work they were doing, but pleased in that like it actually was a big win. Um, and I think that's sort of my hope is that through this, you know, research and development and extra emphasis on the development that we're going to make really, really, really high quality primitives that are going to give us a global scale network for not just uh, Bitcoin based layer settlement um, but for like much much higher throughput um, and meaningful uh, financial transactions on Bitcoin.
>> I mean, that's the dream, isn't it?
>> Absolutely. A Bitcoin behind every blade of grass. Yes.
>> In barrel of oil.
>> Yes.
>> Well, I want to say thanks for sitting down and uh talking through everything, Jeremy. And I hope the viewers now actually have a coherent idea of what Char actually is.
>> So, thank you everybody. Thanks.
