Ark explainer
ELI5
- Alice sends money to the bank and in return receives a check from the bank that she can redeem anytime anywhere (not only on this bank)
- If Alice wants to pay Bob using Ark, she can ask the bank to pay Bob, and in return she will endorse their check back to the bank.
- The bank can only redeem Alice's check if it shows proof of payment to Bob.
- Bob receives a check from the bank that he can redeem anytime anywhere.
TL/DR
- There are two parties involved in Ark: users and the Ark Service Provide (ASP) aka Server
- Ark implements VTXOs, and all values exchanged inside Ark use VTXOs
- VTXOs are outpoints from hidden transactions, that can be broadcasted to mainchain to become UTXOs, or sent to the ASP in exchange for other VTXOs
- VTXOs are created inside Pool transactions
- Spending and receiving VTXOs doesn't touch the chain, which allows for an infinite exchange of value inside Ark with a minimal chain footprint
- Ark is a completely trustless solution: users don't need ASP's permission to get their money back from the Ark, and the ASP doesn't need to trust users
Pool transaction
The ASP makes a special transaction, called Pool transaction, where it mixes UTXOs from many users (among other things) and creates a Shared UTXO as well as many offchain VTXOs for each of those users.
🔎 Deep dive on Pool transactions
Pool transaction
The ASP places one (or more) input(s) to its pool transaction to supply funds to the shared UTXO, connectors output, change output, and transaction fees.
Shared output (aka Shared UTXO)
The shared UTXO is locked by 2 taproot leaves:
- A multisig n-of-n, where n is the number of participants in the transaction.
- The other leaf, ASP in 1 month, allows the ASP to spend it alone after 1 month.
In order to be trustless, before signing the pool transaction Alice needs a way to unilaterally get their funds back. To achieve this, the ASP builds and signs a binary tree of transactions and shares them with each participant.
Each leaf on this tree represents a VTXO:
In the example above, Alice can broadcast anytime tx1 => tx2 => tx4 to receive their funds back.
For comparison, Bob will need to broadcast tx1 => tx2 => tx5.
Notes:
- Since tx1:1 => tx2:1 => tx4 (the VTXO) have no fees, Alice will need to add an extra transaction to pay for all the fees (see CPFP).
- The number of transactions on this branches will be equal to log2(n) + 1, where n = number of participants
For clarity, VTXOs will be represented like this:
Onboarding the Ark
The first step is for Alice to lift her coins. This is an atomic swap where she will give up a UTXO (+ fees) to receive a VTXO from the ASP at the same time. This VTXO will be inside the next Pool transaction.
In this example, Alice, Bob, Carol and Dave are "lifting" UTXOs to Ark:
In order to be trustless:
- Alice sending funds to ASP and the ASP creating the VTXO needs to be an atomic operation:
- This atomicity is achieved using Anchored transactions
- Alice needs a way to exit the Ark without ASP's permission
🔎 Deep dive on Anchored transactions
Example
Alice wants to send sats to Charlie via Bob, which means she will send sats to Bob but only if she is sure Bob will send them to Charlie
-
Bob prepares payment to Charlie (B => C)
- adds Bob's UTXO as input
- adds Charlie address as output
- adds extra output (aka connector), with minimum value possible
- doesn't sign it, shows transaction to Alice
-
Alice prepares payment to Bob (A => B)
- adds Alice's UTXO as input
- adds connector output from B => C as input
- signs (commiting all inputs with SIGHASH_ALL) and sends to Bob
-
Bob broadcasts
- signs and broadcasts B => C
- broadcasts A => B
Payment of A => B is anchored to payment B => C
🔎 Deep dive on Onboarding Ark
Onboarding
Alice now wants to enter the Ark, so he must use a process called lifting, which is an atomic two-way peg mechanism that doesn't require trust. Lifting lets users lift their onchain UTXOs off the chain for a 1:1 VTXO. Users can unilaterally redeem a VTXO for an onchain UTXO without asking for ASP cooperation.
-
Alice creates a Funding transaction:
- adds any segwit output as an input (must be segwit)
- adds output locked by (Alice + ASP) or (ASP in 1 month)
- sends it to ASP, not signed
-
Alice receives a signed Redeem transaction from the ASP:
- spends Funding transaction (1) via Alice + ASP
- has output locked to (Alice + ASP) or (Alice in 24h)
-
Alice signs and broadcasts Funding transaction (1)
- Is now safe for Alice to broadcast his funding transaction because now she can leave anytime with Redeem transaction (2) spending Alice in 24h, i.e. Alice will be able to get her funds back in 24 hours.
- ASP (with Alice) prepares next Pool transaction
-
Alice creates a Forfeit transaction:
- spends from Redeem transaction (2) via Alice + ASP
- adds connector output from Pool transaction (4) as input
- signs (commits all inputs with SIGHASH_ALL) and sends it to the ASP
- ASP broadcasts Pool transaction (4)
-
Alice has now a VTXO
- A VTXO is very similar to a Redeem transaction
- After 1 month ASP spends Funding transaction (1) via ASP in 1 month
So far, Alice polluted onchain by funding an address, and the ASP by claiming funds from that address.
Further steps from here will be footprint minimal.
Adversarial scenarios
-
Alice broadcasts Funding transaction (1) but ASP never responds:
Alice broadcasts Redeem transaction (2) and get his funds back in 24 hours
-
Alice broadcasts Redeem transaction (2) after Pool transaction (3):
ASP broadcasts Forfeit transaction (5) and claims Alice's funds
-
ASP doesn't wait for confirmation of Funding transaction (1) before broadcasting
Pool transaction (4):
Alice will double spend his original UTXO, making the funding transaction invalid and them spending the VTXO, thus stealing the ASP
Payments on Ark
Alice then instructs the ASP to take her VTXO and pay Bob. She will only need to know Bob's address. This payment is also atomic and private. The ASP does not know which VTXO belongs to which user and blindly mixes them to produce another anonymous VTXO set. Ark's magic occurs in the fact that the post-mix VTXOs can only be claimed by the intended recipients even though the ASP has no idea who owns them. Put another way, the ASP is simply coordinating blind coinjoin rounds.
Now let's imagine Alice wants to send some sats to Bob using Ark:
Alice forfeits its VTXO to the ASP and in return Bob receives a VTXO
In order to be trustless:
- Alice sending funds to ASP and the ASP creating the VTXO for Bob needs to be an atomic operation
- The ASP needs to have an insurance that Alice will not try to double spend her VTXO after it funds Bob's VTXO, so it demands a signed transaction (the forfeit transaction) from Alice. This forfeit transaction spends from Alice's VTXO and it will be broadcasted only if Alice tries to double spend her VTXO
🔎 Deep dive on Payments on Ark
- Alice asks Bob for an address (address B)
- Alice informs ASP she wants to pay 0.01 BTC to address B
- ASP prepares new transaction (Pool Tx 2) and show it to Alice:
- Alice looks at the locking script for this new UTXO and sees Bob's public key on it
- Alice understands that when Pool Tx 2 confirms, Bob will have 0.01 BTC on Ark
- Alice proceeds by signing a PSBT that sends her VTXO to the ASP, on the condition that Pool Tx 2 is confirmed. We will call this the forfeit transaction:
- ASP cannot cheat, if he wants to receive from Alice he needs to send it to Bob, which means Alice is paying Bob atomically.
"Only if Pool Tx 2 is confirmed"
This condition is not possible to implement today using Bitcoin script, but we can implement it using anchored transactions:
- Pool Tx 1 will have additional outputs, called connectors
- This connectors have no financial value (minimum dust limit)
- Connectors are singlesig spendable by the ASP (ASP)
- Alice will use one of this connectors as input to the new transaction
- Alice will sign her VTXO with SIGHASH_ALL to commit to all inputs
- The ASP will sign the connector input
This way, the transaction where Alice gives her VTXO to the ASP is only valid if Pool Tx 2 is confirmed.
Adversarial scenarios
-
Alice doesn't sign the Forfeit transaction
The ASP doesn't include Bob's VTXO on the next pool transaction
-
ASP never broadcasts the next Pool transaction
ASP forfeit transaction becomes invalid, which means Alice still has full control of her VTXO
Offboarding the Ark
When Alice wants to exit the Ark, she arranje with the ASP to have an output (Alice) on the next Pool transaction.
Alice could also unilaterally exit, i.e. without ASP's cooperation, by redeeming hers VTXO for an onchain UTXO.
In order to be trustless:
- Alice sending the VTXO to ASP and the ASP sending funds to Alice must be atomic
- The ASP needs to have an insurance that Alice will not try to double spend her VTXO after it funds Alice's UTXO, so it demands a signed transaction (the forfeit transaction) from Alice. This forfeit transaction spends from Alice's VTXO and it will be broadcasted only if Alice tries to double spend her VTXO
🔎 Deep dive on Offboarding the Ark
Collaborative exit
- Alice generates new onchain address A
- Alice informs ASP she wants to pay 0.01 BTC onchain to address A
- ASP (with help of Alice) prepares new transaction (Pool Tx 3) and show it to Alice:
- Alice sees extra output paying 0.01 BTC to her address
- Alice understands that when Pool Tx 3 confirms, she will have 0.01 BTC onchain
- Alice proceeds by sending her VTXO to the ASP, on the condition that Pool Tx 3 is confirmed:
- ASP cannot cheat, if he wants to receive the VTXO from Alice he needs to send it onchain to Alice, which means Alice is exiting the Ark atomically.
Unilateral exit
Alice can leave the Ark anytime by redeeming hers VTXO for an onchain UTXO.
The cost of this broadcast depends on several factors:
- How many transactions are on Alice's branch?
- How much is mempool fees (sats/vbyte) at the moment?
- Did anyone leaved already, making some of Alice's transactions already confirmed?
Adversarial scenarios
-
Alice doesn't sign the Forfeit transaction
The ASP doesn't include Alice's UTXO on the next pool transaction
-
ASP never broadcasts the next Pool transaction
ASP forfeit transaction becomes invalid, which means Alice still has full control of her VTXO
Covenants
Ideally Ark would use covenants to achieve non-interactivity:
- OP_CHECKTEMPLATEVERIFY (CTV)
- OP_TXHASH / OP_TX
- OP_CHECKSIGFROMSTACK (on Liquid)
- SIGHASH_ANYPREVOUT
🔎 Deep dive on Ark with covenants
Without covenants: clArk
- Possible on Bitcoin today
-
Uses multisigs instead of covenants:
- All receivers cosign with ASP
- Requires senders and receivers online → Interactive version
🔎 Deep dive on Ark without covenants
The Somsen Shortcut
Currently both senders and recipients need to be online simultaneously to transfer value in Ark. This requirement can be reduced by a soft fork (i.e. OP_CTV). We can eliminate the need for a soft fork by giving both the sender and the recipient the option to complete a swap with the ASP, allowing the recipient to complete the payment on their own.
The swap option
Enables both Alice as well as Bob to control the funds together with the ASP and makes no judgement about who currently owns the money.
Now it's up to Alice or Bob to collaborate with the ASP and transfer the coins inside Ark (so a new on-chain UTXO) in order to turn over the ownership exclusively to either Alice or Bob.
In practice this means Bob can finish the payment without requiring direct interaction with A.
- No trust needed
- Reduces Ark interactivity without a soft fork
- Preserves proof of payment and has no race conditions
🔎 Deep dive on the swap option
- Let's say Alice wants to send to Bob
- Alice gets the ASP to sign a new Shortcut transaction with the following script: (Bob + ASP) or (Alice + ASP) or (Alice in 1 month) (i.e. adding the Bob + ASP condition). We ensure the new Shortcut transaction becomes valid before the old Redeem transaction with timelocks.
- Now Alice foregoes her claim on the old Redeem transaction by signing an unconditional Forfeit transaction, thus allowing ASP to simply claim the money if Redeem transaction ever gets published.
- Alice now sends Shortcut transaction to Bob, who can claim the payment by swapping with the ASP. If Bob isn't responsive, Alice can perform the swap instead, or attempt to repeat the same steps with another recipient.
The statechain option
This "statechain option" is basically statechains on top of Ark, so you're transferring from Alice to Bob without going on-chain by co-signing with the ASP and trusting them not to change their minds. As long as this this assumption holds, the transfer is instant.
- Basically statechains on top of Ark
- Bob trusts Alice and ASP will not to change their minds
- Instant (trusted) finality
🔎 Deep dive on the statechain option
- Let's say Alice wants to send to Bob
- Alice gets the ASP to sign a new Shortcut transaction with locking script: (Bob + ASP) or (Bob in 24h)
- Alice doesn't need to sign a Forfeit transaction
- The Ark tree will look something like this:
Connectors
Explain connectors
🔎 Understanding connectors
Sources
- https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-May/021694.html
- https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-August/021858.html
- https://www.youtube.com/watch?v=EocWax43QgQ
- https://bitguide.substack.com/p/ark-bitcoins-new-layer-2-protocol
- https://gist.github.com/RubenSomsen/a394beb1dea9e47e981216768e007454
- https://roose.io/presentations/understanding-ark.pdf
- Pippellia video explaining Ark