Bitcoin Magazine: What challenges does Rollup face?

Source: Bitcoin Magazine; Compilation: Wuzhu, Golden Finance

Rollups have recently become the focus of BTC scalability and have become the first thing to truly overshadow the Lighting Network in terms of broader attention. Rollups aim to be an off-chain second layer that is not constrained or limited by the core Liquidity of the Lighting Network, meaning that end users need someone to pre-allocate (or ‘lend’) funds in order to receive money, or intermediate routing Nodes need channel balances to facilitate the full flow of payment amounts from sender to receiver.

These systems were initially run on Ethereum and other Turing Complete systems, but the focus has recently shifted to porting them to UTXO-based blockchains (e.g. Bitcoin). This article does not intend to discuss the current state of implementation on Bitcoin, but rather the idealized Rollup functionality that people have long been pursuing, which depends on the ability to directly verify Zero-Knowledge Proof (ZKP) on Bitcoin, a feature that is currently not supported by Bitcoin.

The basic structure of Roll is as follows: a single account (UTXO in BTC) stores the balances of all users in Rollup. This UTXO contains a commitment, which exists in the form of the Merkle root of the Merkle tree, committing to all current balances of accounts in Rollup. All these accounts are authorized using Public Key/Private Key, so in order to make off-chain spendings, users still need to sign certain content with their Secret Key. This part of the structure allows users to exit at any time without permission, they just need to produce transaction proofs that their account is part of the Merkle tree, and they can unilaterally exit Rollup without permission from the operator.

The operator of Rollup must include a ZKP in the transaction to update the merkle root of the on-chain account balance during the process of completing off-chain transactions. Without this ZKP, the transaction will be invalid and cannot be included in the blockchain. This proof allows people to verify that all changes to the off-chain account are properly authorized by the account holder, and that the operator does not maliciously update the balance to steal user funds or dishonestly reallocate them to other users.

The question is, if only the root of the Merkle tree is published on-chain for users to view and access, how do they put their branches in the tree so that they can exit without permission whenever they want?

Appropriate Rollup

In an appropriate Rollup, whenever a new off-chain transaction is confirmed and the Rollup account’s status changes, the information is directly placed on the blockchain. Not the entire tree, which would be absurd, but the information needed to rebuild the tree. In a simple implementation, the summary of all existing accounts in the Rollup will include the balance, and the account will only be added in the updated Rollup transaction.

In more advanced implementations, balance diffs are used. This is essentially a summary of which accounts had funds added or removed during an update. This allows each Rollup update to only include the account balance changes that occurred. Then, users can simply scan the chain and ‘do the math’ from the beginning of the Rollup to arrive at the current state of account balances, which allows them to reconstruct the Merkle tree of current balances.

This saves a lot of expenses and Block space (thus saving money), while still allowing users to ensure access to the information required for unilateral exit. The rollup rules require that these data be included in the formal rollup provided to users using the Block chain, i.e., transactions that do not include account summaries or account differences are considered invalid transactions.

Expiration date

Another way to address the issue of user withdrawal data availability is to store the data elsewhere outside the Block chain. This introduces subtle issues where rollup still needs to enforce the availability of the data elsewhere. Traditionally, other Block chains are used for this purpose, specifically designed to serve as data availability layers for systems like rollup.

This creates a dilemma of equally strong security. When data is directly posted to the BTCBlock chain, Consensus rules can guarantee that it is absolutely correct. However, when it is posted to an external system, the best it can do is to verify the SPV proof, which means that the data has been posted to another system.

This requires verifying that the data exists in other on-chain proofs, which is ultimately an Oracle Machine problem. The BTC Block chain cannot fully verify anything that happens off-chain, except for what happens on its own Block on-chain. The best it can do is verify ZKP. However, ZKP cannot verify whether a Block containing rollup data is actually publicly broadcasted after it is generated. It cannot verify whether external information is truly publicly accessible to everyone.

This opens the door to data withholding attacks, which is the creation of a commitment to published data and using it to advance rollup, but the data is not actually available. This prevents users from withdrawing funds. The only real solution is to fully rely on the value and incentive structure of systems other than BTC.

A dilemma

This poses a dilemma for rollup. When it comes to data availability, there is essentially a binary choice of whether to publish the data on the BTC blockchain or elsewhere. This choice has significant implications for the security, sovereignty, and scalability of rollup.

On the one hand, using BTCBlock chain as the data availability layer will set a hard limit on the scalability of rollups. Block space is limited, which sets a limit on the number of rollups that can exist at once and the total number of transactions that can be processed off-chain for all rollups. Each rollup update requires block space proportional to the number of accounts whose balances have changed since the last update. Information theory only allows data to be compressed to a certain extent, and at this point, there is no more potential for expansion.

On the other hand, using different layers to achieve data availability eliminates the hard upper limit of scalability gains, but it also brings new security and sovereignty issues. In Rollups that achieve data availability using BTC, if the data that users need to extract is not automatically published on the blockchain, the state of the Rollup cannot change. With Validiums, this guarantee depends entirely on the ability of the external system used to resist deception and data hiding.

Now, any Block producer on the external data availability system can hijack the funds of BTCRollup users by producing Blocks instead of actually broadcasting them, thus making the data available.

So, if we really achieve the ideal Rollup implementation on BTC, and truly realize unilateral user withdrawals, what would that be like?