What is the difference between a validity rollup and a sidechain that publishes a Merkle root or hash to the parent chain?
Is the difference just that the consensus rules are contained entirely in the child chain without any parent chain enforcement?
And as a secondary question, how does a validity rollup compare to Mimblewimble?
reply
Validity rollups and Mimblewimble both enable "transaction cut-through", a technique where if A transfers X to B and B transfers X to C in the same block, block producers can collapse that down to "A transfers X to C" and get rid of B, which reduces the amount of data in the block. Other than that I'd say these protocols are quite different from each other and serve different purposes: validity rollup is a protocol for securely transferring assets between two different blockchains; Mimblewimble is a protocol for reducing the amount of information that is stored (and publicly legible) in a blockchain.
reply
The main difference is certainty over data availability, which ultimately boils down to certainty of ownership security (i.e. that if you own coins, no one else can move them without your private key and you can transfer the coins at-will as long as you pay a market-rate fee).
The Merkle root is not enough for a holder of coins on the sidechain to unilaterally produce a proof and withdraw their coins, they need data about the entire state of the sidechain to be able to prove that they own some coins in the current canonical state. And there's a problem that can occur called a "data withholding fault" where sidechain block producers create a block, commit the hash to the parent chain, but don't actually broadcast the block. Then users are stuck, because they don't have enough data to produce a proof that convinces parent chain full nodes they own some coins in the current canonical sidechain state. Maybe they have data to show that they owned coins in the past, but they could have spent the coins in the block that wasn't published -- it's uncertain without the proof, so parent chain full nodes won't let those users withdraw their coins back to the parent chain. And since the block producers aren't publishing those blocks, even if the user could get a transfer tx confirmed in a sidechain block, no one would know if the tx was confirmed since the block data isn't available. So then the sidechain coins are worthless. If this was actually an attack by sidechain block producers and not just a technical failure, at this point they can extort users ("we will give you the block data if you transfer us x% of your coins" or something like that).
Rollups solve the data availability problem by publishing rollup block data (or a compressed form of it that still has enough information to reconstruct the rollup state) inside of the parent chain blocks. This, combined with the use of validity proofs to ensure the correctness of rollup state transitions, makes the rollup ownership security equal to the parent chain ownership security, since the data availability guarantees are equivalent and coins cannot be transferred on the rollup without cryptographic proof of correctness.
reply
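The data withholding fault described in the answer above, as an added example that is not part of the original posts. It assumes the committed state is a Merkle tree over (owner, balance) leaves and that a withdrawal is checked as an inclusion proof against the latest committed root; all function names and the sample balances are hypothetical, and validity proofs are not modelled.

```python
import hashlib

def h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def levels(state: dict) -> list:
    """Merkle levels over sorted (owner, balance) leaves; odd levels pad with last node."""
    lvls = [[h(f"{o}:{state[o]}".encode()) for o in sorted(state)]]
    while len(lvls[-1]) > 1:
        cur = lvls[-1] + (lvls[-1][-1:] if len(lvls[-1]) % 2 else [])
        lvls.append([h(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return lvls

def root(state: dict) -> bytes:
    return levels(state)[-1][0]

def prove(state: dict, owner: str) -> list:
    """Sibling path for owner's leaf. Needs the FULL state, not just the root."""
    idx, path = sorted(state).index(owner), []
    for lvl in levels(state)[:-1]:
        lvl = lvl + (lvl[-1:] if len(lvl) % 2 else [])
        path.append((lvl[idx ^ 1], idx & 1))
        idx //= 2
    return path

def verify(committed_root: bytes, owner: str, balance: int, path: list) -> bool:
    """What a parent-chain full node checks before allowing a withdrawal."""
    node = h(f"{owner}:{balance}".encode())
    for sibling, node_is_right in path:
        node = h(sibling + node) if node_is_right else h(node + sibling)
    return node == committed_root

def apply_block(state: dict, txs: list) -> dict:
    new = dict(state)
    for sender, receiver, amount in txs:
        new[sender] -= amount
        new[receiver] += amount
    return new

# Constructed sample data: block N is public, block N+1 moves coins from carol to dave.
STATE_N = {"alice": 5, "bob": 3, "carol": 7, "dave": 1}
BLOCK_N1 = [("carol", "dave", 2)]
ROOT_N1 = root(apply_block(STATE_N, BLOCK_N1))  # the only thing the sidechain commits

def sidechain_withdraw(owner: str) -> bool:
    """Block N+1 withheld: owner can only build a proof from stale state N."""
    return verify(ROOT_N1, owner, STATE_N[owner], prove(STATE_N, owner))

def rollup_withdraw(owner: str, published_txs: list) -> bool:
    """Block data is on the parent chain: owner rebuilds state N+1 and proves against it."""
    state = apply_block(STATE_N, published_txs)
    return verify(ROOT_N1, owner, state[owner], prove(state, owner))
```

Alice's balance is untouched by the withheld block, yet her stale proof no longer matches the committed root; with the block data published she can rebuild the sibling hashes and the same check passes.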