User-defined objects

[PhilippGackstatter]

Motivation

The current asset model in Miden supports fungible and non-fungible assets, which are a way for users to represent value and ownership on-chain. This model couples the transaction kernel to these specific asset types as it handles construction, modification, and destruction of these assets. I think this coupling is undesirable as it makes the protocol hardcoded to those two asset types and makes extension from users impossible.

A more generic and decoupled approach would be to adopt an object-based model, where asset types are represented as user-defined objects defined outside the kernel but managed by it. The kernel would operate on these objects as opaque entities, focusing solely on object management rather than specific asset logic. This change would make the programming model more adaptable and better at handling diverse use cases. At the same time it would make the transaction kernel and protocol at large agnostic to the concrete assets/objects that are represented.

Idea

The basic idea is to have the transaction kernel manage objects. An object represents value or ownership, just like assets, but is user-defined. The details of each object would be implemented outside the kernel, keeping the kernel decoupled. In this model the kernel would only know about objects as black boxes and offer generic methods for creating, setting and getting fields as well as destroying them.

To illustrate this further, here are a few bullet points to hopefully get the idea across. I might be missing some details of how the current asset model has evolved and whether some of its limitations are byproducts of constraints I don't know about. I might even be thinking incorrectly about the asset model. It's intended both as a proposal but also as a way to learn more about the design choices that led to the current model in case I have misunderstandings.

I'll try to explain what I mean in more detail with an example. Let's say we want to represent a fungible asset issued by a faucet in this object model.

• For simplicity, every account can issue objects (currently only faucets can issue assets), though this is not a must.
• Code would be addressed as a first-class protocol entity, a package (see also here for the idea of an on-chain registry which is similar). Such packages have their own package ID and can be published on-chain. This is not that different from accounts as they are now, but packages wouldn't need to be full accounts as they don't need storage or vaults like accounts do. Package IDs could probably be generated like account IDs. So a useful mental model for a package is as an account without a vault and without storage.
• The reason why packages need to be first class citizens is that a package can define object types. For instance, we might write a miden_std library (i.e. a MastForest) which is published as a package on-chain. It could contain a miden_std::Coin type to represent what are now fungible assets.
• Each object would have a unique ID to authenticate which package issued it. This is a hard problem to solve, but the initial thought is that this would probably be a combination of:
  • a counter starting from 0 to differentiate between different object types from the same package.
  • the package ID to be able to verify the origin of an object and which package's procedures are allowed to modify an object.
  • and a protocol-generated part (i.e. block hash or similar as input) so that multiple miden_std::Coin objects have different IDs.
• Objects are stored in kernel memory. On the stack, objects are pointers to kernel memory. The reason for this is that we would want to enforce that objects can only be modified by code defined in the package that defines the object type, e.g. miden_std::Coin can only be modified through miden_std::Coin::* procedures.

Here is a more concrete visual example for how issuing a new type of Coin might work, which builds on the proposed VM component model.

In this example, a user wants to issue a Coin of the Example flavor, i.e. a type they defined. To do so, they execute a transaction against their own account whose code package is user_package. Here, every package is run in a separate VM component whose ID is the package ID (assuming that's feasible). When the account calls miden_std::Coin::new, it passes a pre-existing Example object (just to keep this simple) from its vault and miden_std::Coin::new would verify that the issuer of this user_package::Example object is the calling component, i.e. that the issuer account ID and the component ID are equal. This might still require something like the caller instruction. This is something only the Coin::new procedure would do. A Coin::get_amount procedure could be executed by any caller as it does not require any kind of authentication.

In the second step, kernel::create_object would create a new Coin object whose issuer is set to the component ID of miden_std which is the same as the miden_std package ID. So more generally, this allows objects of type package_id::Type to be created/modified/destroyed only by procedures that are defined in the package with ID package_id.

The Coin object would store in one of its fields that it is of flavor Example. Then, two Coin<Example> objects could be merged into one by a Coin::merge procedure, but it would fail if called on Coin<Example> and Coin<OtherType>.

The Coin object is returned to the control of the user account component and it can choose to store it in its vault or transfer it to a note via a call to another kernel procedure.

I hope this covers a rough, high level idea of this approach.

Advantages

• Make Miden more generic, as any kind of user-defined object could be natively represented rather than having to be defined as one the two asset types we have now. Examples:
  • A Name service could define a NameObject { name: Word } type which represents ownership over a name and the capability to update it.
  • A staking implementation could define a StakedExample object which represents a receipt for having staked Coin<Example> and represents the capability to unstake and retrieve the staked coins.
  • Bridges can define objects for wrapped versions of bridged assets defined on other chains.
  • Next to a Coin type there could be a TreasuryCapability object type which gives whoever owns it, the right to increase or decrease the supply of a Coin<T>. Burning the object would make the supply verifiably fixed. This is the kind of stuff we could technically have with the asset model as well, by introducing a "fungible faucet treasury capability", but we wouldn't realistically do it because it would be a manual extension of the protocol. With an object based model this would be comparatively easy.
• Faucets currently can issue one asset type. In the object model, accounts can issue many object types. This allows for more flexibility and richer expressivity within a module (e.g. Coin and TreasuryCapability).
• Developers should have a better experience by being able to directly interact with objects and their fields instead of (in the current model) having to represent a custom asset like NameObject as a non-fungible asset, which must be hashed first to verify it is the actual pre-image. This must be done for every user-defined asset in the current model, iiuc.
  • This also makes me wonder if we could have better documentation eventually by having more concrete types like NameObject rather than a name object which is hashed into a NonFungibleAsset. E.g. a name service could describe in its API docs that to change the ID to which a name points, a NameObject must be provided to prove ownership over it rather than NonFungibleAsset, which is less clear.
• It would lead to less coupling between the transaction kernel and our asset/object model. Having less coupling should mean we can more easily evolve our transaction kernel in the future. In particular a library like miden_std and the kernel can evolve independently over time.
• Even if this model would for now be too expensive to represent larger objects in, it would keep the door open for future improvements that make this eventually possible. Until then, users could choose to represent complex objects with a NonFungibleAsset object, that works the same as the current one, i.e. it commits to something. In the future, new object types could be defined without having to upgrade the protocol.
• (Optionally) Get rid of the distinction between faucets and accounts. There are only generic accounts, code packages and objects.
• With objects represented in kernel memory and as pointers on the stack, we should no longer have the problem of non-fungible assets only having the faucet prefix in their stack representation.

Drawbacks

• Performance: This object model would definitely be less efficient than the current asset model (due to pointers and memory loading and making cross-context calls more common). I'm not sure how much worse this would be, maybe others have a hunch.
  • The counter argument is that as the VM, cryptography and hardware get more efficient over time, I'm going to assume this will be less of a problem in the future and I think in the long run, the performance cost could outweigh the benefit of having a more generic model from the start.
• Complexity: Making things more flexible and generic comes with an increase in complexity. Adding objects, object IDs, packages and package IDs would increase the complexity of the protocol and the kernel.
  • Some complexity would also be taken from the kernel as it would no longer have to deal with the details of assets, such as verifying max amounts of fungible assets or calculating amounts when withdrawing.

Inspiration

The above is an idea for an object-based model on Miden, replacing the current asset model. It is inspired by Sui Move's object-based programming model. I personally really enjoyed using their object model as a developer and think that Miden could benefit from something similar, so the above is an adaptation to hopefully fit into Miden's architecture. Here is a link to Sui's Coin type to get an idea of what methods could be possible and how different object types could be used together.

Conclusion

There are probably many details I haven't though of, as this would be a pretty big change. I would be interested if anyone sees the merits in something like this, especially from a developer perspective and if we should explore this further. Thanks for taking the time to read and I would be happy to receive feedback on this!

[bobbinth]

Thank you for such a detailed write up! I really like the idea of adding more customizability/programmability to assets, and have been trying to think in this direction as well. There are a few things, however, that are not yet clear to me in the proposal.

One such thing is who/how keeps track of the "bookkeeping data" about created objects. By bookkeeping data I mean things like the total number of issued coins for a fungible asset, or all issued non-fungible assets. Currently, we have a dedicated storage slot in the faucet accounts to keep track of this data - but how would this be handled in the model where any account can create objects of different types?

Somewhat related to the above: in the current model, the assets are "static". That is, once issued they don't really change (an exception to this is the amount part of the fungible asset). One reason for this is that the original issuer needs to make sure they don't create "duplicate" assets. But if an asset can be modified after it is issued, this may become complicated. Another way to think about this is that we need to make sure that an asset's "vault key" remains stable throughout its lifetime while some other attributes of an asset are allowed to change.

Also, it seems to me that we need to route most interactions with the objects through the vault. That is, instead of calling procedures on an object directly, we'd call a procedure on an object that is stored in a vault. This way, we can ensure that an object can be modified only via its "native" procedures. So, for example, instead of first removing an asset from the vault and then adding it to a note (via two separate procedures), we'd have to provide kernel procedures like:

#! Moves the specified asset from the account to the note with the specified index.
#!
#! Inputs: [ASSET, note_idx, ...]
#!
#! Fails if the asset is not present in the account's vault, note with such index does not exist, etc.
export.move_asset_from_account_to_note
    ...
end

#! Moves the specified asset from the note which is currently being processed into the account.
#!
#! Inputs: [ASSET, ...]
#!
#! Fails if the asset is not present in the note.
export.move_asset_from_note_to_account
    ...
end

#! Updates the specified asset in the account's vault by calling the specified procedure on it.
#!
#! Inputs: [ASSET, PROC_ROOT, <proc parameters>
#!
#! Fails if the asset is not in the account's vault or if PROC_ROOT is not a "native" asset procedure.
export.mutate_account_asset
    ...
end

With this setup it would be possible to define assets generically. For example, the asset definition itself would know how to insert an asset into the vault and so, for example, for fungible assets move_asset_from_note_to_account would know that if there is already an asset in the vault the "incoming" asset would need to be merged with the existing one.

Another question is what should be the capabilities of the native asset procedures. For example, it would be great to have the ability to define an asset that can only be transferred to accounts which meet certain criteria (e.g., the owner of the account is 18 years old or older). For this, native asset procedures should be able to call methods on the account itself (maybe via FPI?).

[PhilippGackstatter]

Great questions, thanks!

One such thing is who/how keeps track of the "bookkeeping data" about created objects.

My thinking was that the bookkeping data of objects is not generic but specific to the type of object. A coin's bookkeping data is the total supply, its decimals or its symbol. A non-fungible asset's bookkeping data might be the total number of issued assets, though some issuers might not care about it. A nameservice's bookkeping data would perhaps be a name -> address mapping.

So bookkeeping data is "specific" in the above sense to each use case. So I think it can be represented by more objects, assuming that not all objects generate more bookkeeping data. For example, when minting a new Coin, one gets a treasury capability object and a coin metadata object (which here represent the bookkeeping data). The treasury capability contains the total supply and the coin metadata contains the decimals, the symbol and other such static data. These could be stored in the issuing account's vault.
If an issuer wants to increase the supply of their Coin, they can use their treasury capability from the vault to mint new coins, which increases the supply field in the treasury capability object.
If someone other than the issuer wants to reference the total supply of a specific coin type, they would have to obtain a proof that the treasury capability is in the issuer account's vault and then, in MASM, execute a foreign procedure invocation to get this object and its supply field.

The advantage of using objects as bookkeping data is that there would be a standardized representation (e.g. every Coin has a CoinMetadata) and that they can be concretely identified (e.g. if you want to find the metadata of some Coin<Example>, you look for CoinMetadata<Example>). This data could be indexed by nodes (or node extensions) for public accounts, which I assume most issuer accounts would be. I'm pretty sure that's how this works in Sui for them to be able to support APIs such as getCoinMetadata.

Non-fungible assets I find generally difficult to discuss in this context, because they are so generic. This is one of the motivations of introducing objects, so that instead of a generic representation, we have (more) concrete ones.
So I'm not sure if a general "non-fungible object" API even makes sense, but assuming that an issuer of such objects simply wants to keep track of the number of issued assets, that would not necessarily have to be an object but could also be just a counter in one of the issuer's account storage slots.

Object ID

Another way to think about this is that we need to make sure that an asset's "vault key" remains stable throughout its lifetime while some other attributes of an asset are allowed to change.

I agree that an asset/object's vault key must remain stable. In the original post I described a high-level approach for deriving such IDs, but I now think it could be simpler. The idea is that object IDs are generated "by the protocol".
One approach could be that for each transaction we initialize an OBJECT_SEED word with the hash of (BLOCK_HASH, [account_id_prefix, account_id_suffix, 0, nonce]). This seed should be non-gameable and different for every transaction, even TXs against the same account that reference the same block, due to inclusion of the nonce.
When creating a new object, we can generate an object ID by hashing (OBJECT_SEED, [0, 0, 0, counter]), where counter is initialized to 0 and incremented every time a new object ID is generated.

The properties of this should be:

• A unique ID for every created object. This object ID is the vault key of the object.
• A uniform distribution of objects across the vault.
• Objects can be modified while their ID remains stable.
• Objects can be addressed by their ID in the asset vault in a transaction. They can also be referenced via this ID globally in the blockchain.
  • A nice thing about globally unique IDs for objects is that one can always refer to a specific object by its ID, for example a CoinMetadata<Example>. That should make it possible to find the account where it is stored (through indexing by object ID and perhaps object type), which can then be fetched for use in an FPI call within a transaction that needs access to that coin's metadata.

The object ID does not authenticate the object, but that's fine I think, because objects are created and destroyed in the controlled environment of the TX kernel and are already authenticated via the asset vault in accounts and the assets hash in notes. Moreover, if the ID would authenticate the object it would change when the object changes, so the stability of the ID is important.

One reason for this is that the original issuer needs to make sure they don't create "duplicate" assets

This ID doesn't prevent issuing "duplicate" assets in the sense that an issuer could issue two objects of type Coin<Example> both with amount = 5. But that seems like a legitimate use case. Do we actually have to prevent that?

For example, the asset definition itself would know how to insert an asset into the vault and so, for example, for fungible assets move_asset_from_note_to_account would know that if there is already an asset in the vault the "incoming" asset would need to be merged with the existing one.

With these IDs we could not query the vault for an existing Coin<Example> that another Coin<Example> can be merged with. So these wouldn't automatically be merged together, but a user could do so explicitly. As far as I can tell this is not essential to have, but just an optimization?

Object procedures

Also, it seems to me that we need to route most interactions with the objects through the vault.

This seems like an important point and I agree that's probably how it would work.
My question is how would we support a flexible amount of object fields and how would mutate_{note,account}_asset be implemented on a high level?

If objects are stored in vaults then we can only directly support two words of data (the Smt key and value) per object. The key would be taken up by the object ID.
For every object we have to store at least some bookkeeping data like its object type. For now I assume this to be simply [package_id_prefix (64 bits), package_id_suffix (56 bits) | type_counter (8 bits)], although there is a good argument to be made to represent the full type, e.g. if we have some_package::Coin<other_package::CoinType> then maybe we'd want to include the full generic type in the bookkeeping, but that's a rather detailed point for later discussion.
In any case, we need some mechanism to allow objects to be defined with more fields.

We can use the value of the leaf by making an indirection and:

1. pack an SMT in there by storing the root in the value,
2. or a sequential hash of the object's fields.

SMT Layout:

Object SMT
├── 0
│   └── BOOKKEEPING = [package_id_prefix, package_id_suffix | type_counter, 0, num_fields ]
├── 1
│   └── FIELD_1
└── 2
│   └── FIELD_2
...
└── n
    └── FIELD_n

Sequential Hash Layout:

[
  OBJECT_ID,
  BOOKKEEPING = [
    package_id_prefix,
    package_id_suffix | type_counter,
    0,
    num_fields
  ],
  field_0,
  field_1,
  ...,
  field_n
]

This comes with trade-offs:

• The SMT's advantage is that objects can get very large. We could reserve a small number of bits in the object ID to specify the depth of this tree, so that, for instance, an object could have any power-of-two number of fields. For a small object with just 2^2=4 fields, the object's field proof would be just 2 hashes. For a large object with 2^10=1024 fields, the object's field proof would be 10 hashes.
• An SMT also means that for large objects, not all fields must be loaded into the advice provider to read or write a new value, though not sure if that's actually needed on the object level, but may be a nice to have. On the other hand, it's questionable how large objects would be in practice - probably typically rather small. So loading the entire object might be just fine.
• To explore what both approaches mean when writing an object field:
  • SMT approach
    • retrieve the object SMT root using smt::get on the asset vault tree at key OBJECT_ID.
    • an smt::set operation on the object SMT root to set the new field's value.
    • another smt::set to update the object root in the asset vault tree
  • Sequential Hash approach
    • retrieve the object's sequential hash using smt::get on the asset vault tree at key OBJECT_ID.
    • load the entire object into kernel memory and verify its hash, then write the new field in memory,
    • Once done with the object, compute the sequential hash again and write the hash into the asset vault tree with smt::set.
  • In both approaches, there may be multiple operations on the object and we may want to avoid updating the asset vault SMT after every write which is unnecessary and inefficient. It would be better to update it once after all changes are done, but not sure how to facilitate that without making it more complex.

Procedure Capabilities

Another question is what should be the capabilities of the native asset procedures. For example, it would be great to have the ability to define an asset that can only be transferred to accounts which meet certain criteria (e.g., the owner of the account is 18 years old or older).

Yeah, that would be very powerful. In Sui, for example, an object can be defined to have or not to have a store ability. If it does have this ability, it can be transferred using a standard public_transfer function. If it doesn't, the object can't be transferred with the public_transfer function but the object itself can define how it can be transferred. This can be used to define a variant of a coin object which can have a global deny list, for example.

I imagine we could do something similar by specifying on object's somewhere (ID or bookkeeping data) whether it has such abilities or not.

Or, as you mentioned, it could be done with something like FPI. While technically possible, it seems tricky for a client to figure out what data an object will require from an account, so that it can load the right data into the advice provider.

This depends on how much flexibility we need here. The abilities would be protocol-defined, so fairly static, while the FPI mechanism would allow for permissionless extension, which keeps the protocol simpler and is more powerful, but also may be more tricky to use.

[PhilippGackstatter]

In discussing the approach from #1271 with others, I think some things did not become clear so I want to try and clarify some of these. Here is an overview of the current approach, depicting the three "components" involved in creating a treasury capability and token asset.

Here we're executing a transaction against some user's account, which is the "native account". It calls out to the protocol-deployed Miden Account (via foreign procedure invocation), providing the standard functionality of token minting. It's called the Miden Account because it is protocol-owned and provides standard functionality needed in Miden, such as defining a standard token type. And then there's the transaction kernel, which exposes generic asset management APIs such as create_asset or store_asset_to_account.

One of the things that wasn't clear is why we need the "Miden Account". Why can't we write the "create treasury" or "mint token" procedures as a library and run it from the native account directly?
When an asset such as a treasury cap is created, the kernel stores some bookkeeping data with it. One of those fields is the issuer of the asset, which in this case is the "Miden Account". Why is it the Miden account and not the native account? Because what matters is where the asset is defined, i.e. which account defines the operations that can be executed against a certain asset. This field is immutable and preserved across transactions. Going forward, any mutating operation on the asset must be a call from this issuer account. That ensures that only that account's procedures are allowed to mutate it. If this encapsulation mechanism wasn't there, then one could modify any asset in any way. For instance, we could write a procedure that sets the field of a token to an arbitrary value which would defeat its purpose.
So the context of the issuer account is needed to ensure that only the issuer of the asset can define the set of operations of the asset, rather than anyone. Such an account can be thought of as a "protocol library" - which is a MASM library and a specific Miden account. A MASM library alone wouldn't give us this encapsulation.

To illustrate further, suppose we have this type in Rust:

pub struct Token {
    amount: u64
}

Because amount is not public, the field cannot be read or written to outside of the module it is declared in. This mechanism is what we're trying to get for assets as well, so the issuer of an asset can define exactly what can be done with a Token.

Pure MASM library

Let's entertain the option of using a pure MASM library for this, though. To restrict the set of allowed procedures of an asset we could store the hash of the MASM library instead of the issuer as part of its bookkeeping data. The tx kernel could then check whether a mutation operation originates from one of the procedures in this library. The main problem with this is that the library hash is part of the globally unique identifier of the asset. E.g. if the library hash is 0x234 then a token defined in that library can be written as 0x234::token::Token. If the library author wants to extend the set of procedures (which I think is a very useful feature) then the hash of the library changes, which in turn causes the asset identifier to change. This means that once an asset is defined with a certain library hash, the set of procedures can never be updated. This is probably desirable in some cases, but in many cases I think, we'd want to retain the ability to add more procedures in the future. This is one of the reasons why using an account ID is a much better fit here. An account ID is a globally unique, stable identifier while its account code can be updated. This means the newly added operations can be used on existing assets as well.

Maybe there is a middle-ground here. Can we use an account ID as the asset issuer and use it to retrieve its account code which is then used as the library for asset operations? This is similar to FPI, but could perhaps be optimized to avoid context switching into the foreign account. Instead the tx kernel gets the calling procedure's hash using the caller instruction and checks if it is part of the issuer account's account code. This should end up being more efficient than FPI calls. I haven't thought this through completely though.

Asset Faucet Call

One core issue we want to solve with asset programmability is to restrict transferability. One alternative idea from @Dominik1999 was (please correct me if I'm misrepresenting the idea) to specify a MAST root in the faucet account of the asset. When an asset is moved to/from an account it is checked if that root is 0x000..., and if so, nothing happens. If that root is non-zero however, it is called in the context of the faucet account (FPI). That would then allow aborting the transaction if the asset is not allowed to be transferred (for whatever reason). So this acts like an on_transfer hook, and there could be separate hooks for transferring from note to account or account to note.
(I think it might also be possible to add a flag directly in the asset to avoid having to fetch the faucet account state just to check if there is a procedure set - and maybe that was the original proposal. If that flag is set, a predefined storage slot of the faucet account is checked for a non-zero MAST root.)

This does solve the problem of restricting transferability.

Being able to modify an asset on a transfer is also useful functionality, and we could enable this by making the signature of the called procedure look something like on_transfer(Asset) -> Asset, i.e. the original asset is passed along and the procedure must return the (potentially updated) asset. That way, something like transfer royalties could be implemented (e.g. the faucet account takes 1% of every transfer and creates a note for itself as part of the transaction).

General Programmability

One of the downsides I see with this is that this solution is somewhat limited in its functionality but simple, which is good. Having a more general programmable asset model still comes with some advantages. For example, say we want to issue a token of flavor POL from account A and we want account B to be able to issue more such tokens. Right now, we could go with at least these two ways:

• Add the public falcon key of account B to the faucet account A's access control list. To mint tokens, it will create a transaction directly against the faucet. Most likely, this would be implemented as a public account to avoid having to pass around private state
• The faucet account is a network account. Account B can send a note to the account to issue new tokens. This requires a network account + network transactions.

If we had programmable assets, faucet account A could send a capability asset that represents the ability to issue tokens (e.g. the treasury cap) to account B. Account B can issue more tokens using the treasury cap (e.g. TreasuryCap::mint). All involved accounts, notes and transactions could be private/local (if this uses the standard token functionality of a publicly available "miden account").

This example shows that such general programmability can be a really good fit for the edge architecture of Miden. In such an architecture, a design where state lives in individual accounts rather than being public and shared is ideal because one doesn't have to solve the shared state problem in the first place. It also enables that functionality privately and is much lighter on network resources.

Some other examples where this distribution of capabilities could be powerful:

• Suppose the canonical Miden Name Service is deployed in account A. Account B registers the example.miden name which is an asset of type NameAsset. If NameAsset is itself designed as a capability object, then B itself can be a registrar for subdomains like foo.example.miden or bar.example.miden. It can do this because the NameAsset for example.miden represents the ownership of the entire *.example.miden namespace. In this way, subdomain registration is highly parallelizable across different accounts in a recursive manner. Without this, everything would have to go through a single name service account.
• Implementing delegated voting could be done with this. For example, if there is a VotingCap asset that represents the ability to create a Vote asset, then whoever owns the VotingCap asset has the ability to vote. Delegating therefore works by transferring the VotingCap to the delegatee. It can create a Vote asset in a private transaction and send it to a network account which aggregates the votes. Notably, because the Vote can be created in a private transaction, it is easy to achieve privacy in the voting context, i.e. the voter remains anonymous.
  • There are most likely designs that can also achieve privacy even if direct interaction with the voting network account is required, but the overall number of network transaction required should be greater in that scenario, which I think is less desirable.
  • This scheme could be made more powerful if delegation happens through a dedicated VotingDelegationCap asset which delegates voting only for a certain period of time - just to give another example of this.

Relationship to atomic composability

This asset model is most powerful if there is atomic composability, which Miden does not have at this time or perhaps won't ever have. The reason is that, at least in block chains with atomic composability such as Sui, such capability objects are often used when calling into foreign smart contracts. E.g. to update the name -> address mapping in a name service contract, it'd be useful to have an API on the name service like update_address(name: NameAsset), where NameAsset is provided from a user account. This would require that the user account loads the asset from its vault and calls this API on the name service account within the same transaction, which is what I mean by atomic composability. In my mind, achieving this would require Miden to have a different architecture, so it is not achievable in the short- to mid-term or maybe ever.

So one question I'm asking myself is whether this asset model is useful enough without atomic composability and useful enough within Miden's architecture.

[mmagician]

I've been thinking about an alternative design to the current (static) asset model that achieves the following:

• flexible transfer capabilities (such as freezing user accounts that USDC requires. Q: is "transfer programmability" good enough for launch? If not, what other capabilities do we want to support at mainnet?)
• remove the distinction between fungible and non-fungible assets (at the kernel level)
• reduce coupling between the kernel and the definition of what an "asset" constitutes
  • limit the interaction to {add/remove}_asset (to/from account & note vault)
• let any account issue assets

I think that conceptually the below proposal sits somewhere between Philipp's user-defined objects (most flexible) and the current static asset model (not flexible and very coupled to the kernel). Notably, unless I missed something (quite likely!) it should lend itself to a significantly simpler solution that we could probably pull off in a few weeks.

---

To illustrate how such generic assets could work, consider the proposed new approach for how an account would mint an asset and add it to the note's vault:

1. An account defines a mint procedure with its own custom ACL. The ACL rules can be part of the auth procedure (for simplicity, bc it works with the current authentication design),
2. The mint procedure only needs to adhere to a simple interface of output_note::add_asset(note_id: Felt, faucet_account_id: AccountId, asset: Word)
3. When output_note::add_asset is called, the kernel invokes call::faucet_account_id::add_asset (FPI-like), but additionally performs some other tasks:
   • get the caller account ID
   • get the current value of faucet_account_id-key from the note's vault (call it "current asset")
   • verify that the caller account owns the claimed asset under the faucet_account_id in their vault, OR caller == faucet_account_id
   • finally, invoke call::faucet_account_id::add_asset(caller: AccountId, cur_asset: Word, new_asset: Word) -> updated_asset: Word
4. The issuer (a.k.a. faucet)'s add_asset interprets how to treat the vault value. Its role is to combine cur_asset + new_asset values, and the logic to do it must be encoded in the issuer's procedure logic.
5. The definition of an asset can be very flexible: as long as it fits the interface of a vault, it can store arbitrary data, so can generically support fungible and non-fungible types.

The vault key is just [prefix, suffix], and the interpretation of the value (and how to combine assets) is up to the asset issuer:

• for basic fungible assets, it can simply be [amount, 0, 0, 0]
• for complex non-fungible assets, the value itself can be an SMT root as Philipp suggested above

---

Some MASM pseudo-code for the above:

pub proc mint(amount: u32)
    # prepare the asset WORD
    # [amount, 0, 0, 0] = ASSET

    # get self.accountId
    # [prefix, suffix, ...] = AccountId

    # create a note
    exec.output_note::create
    # => [note_idx, AccountId, ASSET]

    exec.output_note::add_asset
    # => [UPDATED_ASSET] here we only mint one asset so dont care about the output
    dropw 

    # optionally, update total issuance - this should be up to the token standard
end

Now when we add or remove assets from notes (here output_note::add_asset), we'd make an FPI call to the issuer's {add/remove}_asset.
In the case of mint, this will be the same account ID, but for transfers it won't be. But before we invoke the FPI procedure, the kernel should perform a few checks and append some additional data:

proc kernel_add_asset_to_note(note_idx: u32?, asset_id: AccountId, NEW_ASSET: Word) -> UPDATED_ASSET: Word
    # get the caller AccountId
    [caller]

    # assert caller == asset_id, OR
    # assert that the caller's vault contains NEW_ASSET

    # get the note's current vault value for this asset_id
    # [CUR_ASSET]
    
    # [caller, CUR_ASSET, NEW_ASSET] we don't need to pass asset_id, the called contract will know its own ID
    call.asset_id::add_asset
    # [UPDATED_ASSET]
end

The issuer MUST have procedures with the following signatures:

pub proc add_asset(caller: AccountId, CUR_ASSET: Word, NEW_ASSET: Word) -> UPDATED_ASSET: Word

and can define whatever logic they want:

pub proc add_asset(...)
    # check that the caller is not on the blacklist
    
    # add amounts of CUR_ASSET and NEW_ASSET, return UPDATED_ASSET
end

I think very similar logic could apply across the other dimensions:

• moving an asset from note -> account vault
• removing assets

---

Major implications and changes needed:

• any account can be an asset issuer
• unify the vault key to be [prefix, suffix, 0, 0] for all assets (can we drop the 0s?)
• remove the distinction between fungible and non-fungible assets
• we must enforce a common interface for accounts that can issue assets - TBD how
• new kernel procedures for adding and removing assets, which invoke call::faucet_account_id::{add/remove}_asset in an FPI-like fashion. But we can remove a bunch of other kernel procedures, and reduce the coupling w.r.t. asset prefixes, amounts etc.
• while we remove the definition of fungible/non-fungible assets at the kernel level, we should still provide basic standards for fungible and non-fungible token interfaces (e.g. as part of miden-lib or miden-standards)

[PhilippGackstatter]

I was thinking in a similar direction recently and the following can be seen as an extension of what you proposed and filling out some details.

Motivation

I now think that the full flexibility of user-defined objects with full programmability is not an ideal fit for the overall actor-based architecture we have. I think the point about this being most useful in an architecture that has atomic composability still stands (see above). Also, adding this flexibility (and complexity) makes it less clear whether the programmability of accounts, note or assets should be used to achieve an outcome. For instance, we have P2IDE which implements timelocking, but with the full flexibility of user-defined objects we could also define a TimelockedAsset, which has an unlock method that turns into the Asset if its time has come. Having generally one way to do something is a good thing.

Instead, I think a better fit might be for just the data in assets to be customizable, while the behavior stays with code defined in accounts and notes. This is pretty much what Marti proposed:

The vault key is just [prefix, suffix], and the interpretation of the value (and how to combine assets) is up to the asset issuer:

• for basic fungible assets, it can simply be [amount, 0, 0, 0]
• for complex non-fungible assets, the value itself can be an SMT root as Philipp suggested above

As an example, consider a StakedEth asset that represents ETH that was staked at a certain block. The point at which it was staked determines the rewards that a user receives when unstaked and hence it is is stored alongside the staked amount. The structure of it could look like this:

struct StakedEth {
  issuer_id: AccountId,
  staked_at: BlockNumber,
  amount: u64
}

This can already be done without user-defined assets, because this information can be stored in an account's storage. The advantage of making this an asset itself is that it becomes tradable (it's basically a liquidity pool token) without needing a transaction executed against the staking account itself. I think this is a big architectural win because it allows for more parallelization, i.e. less congestion on the staking account. I think this fits perfectly into Miden's edge architecture as it pushes more data to the edge, and thus allows more logic to be done at the edge too (e.g. through FPI).

Asset Interface

Recap for what we need: Assets are stored in asset vaults, which are sparse merkle trees with a vault key (Word) and value (Word).
The vault key uniquely identifies the asset type, not the asset itself. This distinction is important: We can only ever have one type of token issued by account 0xabcd in the vault, since we can only assign one value to that key.

The first point sounds like a restriction but is also a UX feature. In Sui for instance, it is normal to have multiple Coin<SUI> in your wallet, that could technically be merged, but just haven't been merged yet. So fetching your balance of SUI requires summing up the balance of all Coin<SUI> in the wallet. With this asset vault restriction, it's very easy to get your balance for a given asset type from the vault, because assets are automatically merged.

This feature makes user-defined assets quite tricky, because users have to provide the merge (and split - the reverse operation) implementations, basically what Marti alluded to here:

Its role is to combine cur_asset + new_asset values, and the logic to do it must be encoded in the issuer's procedure logic.

The value in the asset vault could either stay the asset itself, become the root of the asset SMT (with a very low depth, ideally customizable), or some other form of commitment, and the tx kernel would treat assets opaquely only via their vault key + encoded representation. The actual data would be in the advice provider and would have to be verified against the SMT root when accessed. In Masm, we'd probably have to always pass around these two as ASSET_VAULT_KEY and ASSET_DATA.

So, to allow users to define the exact structure of an asset, they have to adhere to an interface, quite similar to what Marti proposed already. This is a slightly different way of doing it. The main invariant that needs to be upheld is that assets with the same vault key must be mergeable and splittable. This interface perhaps look like (using Rust instead of MASM for simplicity):

pub type AssetId = [Felt; 2];

trait Asset {
  /// The identifier of the asset type issued by this account.
  /// 
  /// A single account can issue multiple assets and these must be uniquely identified by this ID.
  const TYPE_ID: u8;

  /// Returns the ID of the issuing account.
  fn issuer_id(&self) -> AccountId;

  /// Must return a unique identifier for an asset issued by this account.
  /// 
  /// Must be stable throughout the lifetime of the asset.
  /// 
  /// - Two assets with the same asset ID must be mergeable and splittable.
  /// - If an asset type is not mergeable, the asset IDs of its instances must be unique.
  fn asset_id(&self) -> AssetId;

  /// Merges two instances of the same asset into one.
  /// 
  /// This method is only called when self and other have a matching account ID and asset ID (= vault key).
  /// other is never identical to self (basically pointer to self != pointer to other, though it can be equal),
  /// i.e. an asset is never merged with itself.
  /// 
  /// Must return `None` when merging is not supported.
  fn merge(self, other: Self) -> Self;

  /// Splits an asset into two instances.
  /// 
  /// This method is only called when self and other have a matching account ID and asset ID (= vault key).
  /// other is never identical to self (basically pointer to self != pointer to other, though it can be equal),
  /// i.e. an asset is never merged with itself.
  /// 
  /// `other` is split out of self and and the new self is returned.
  /// 
  /// For instance, if self is a fungible asset with amount 50, and other has amount 30,
  /// then an asset with amount 20 is returned.
  fn split(self, other: &Self) -> Self;

  /// Encodes the asset into a Word.
  /// 
  /// This can either be done by serializing the asset itself as a `Word` if space permits, or
  /// otherwise construct a commitment like a sequential hash or the root of an SMT.
  fn encode(&self) -> Word;
}

/// Returns the key that identifies the asset in the asset vault.
/// 
/// This logic is implemented by the tx kernel and can only be influenced by users through the
/// return values of the account_id and asset_id methods.
fn vault_key<ASSET: Asset>(asset: ASSET) -> AssetVaultKey {
  let issuer_id = asset.issuer_id();
  let asset_id = asset.asset_id();
  let mut key = Word::empty();
  key[0] = asset_id[0];
  key[1] = asset_id[1];
  // Use the lower 8 bits of the account ID suffix to encode the type of the asset within this account.
  key[2] = Felt::try_from(issuer_id.suffix().as_int() | ASSET::TYPE_ID as u64).expect("should be valid");
  key[3] = issuer_id.prefix().as_felt();
  AssetVaultKey::new(key)
}

So, we basically have:

• split and merge methods that allow the tx kernel to merge and split assets that are otherwise opaque to it.
• ID getters to allow the tx kernel to construct the vault key.
• encoding an asset or how it is committed to.

Standard coin

As Marti also mentioned it would be good to provide a standard token/coin/fungible asset so users do not have to reinvent the wheel for the basic use case. So, miden standards could define a miden::std::coin module, that replaces the current fungible asset. It would look like this, again expressed in Rust:

pub struct Coin {
  issuer_id: AccountId,
  amount: Felt
}

impl Asset for Coin {
  const TYPE_ID: u8 = 0;

  fn issuer_id(&self) -> AccountId {
    self.issuer_id
  }

  fn asset_id(&self) -> AssetId {
    // All coins of the same faucet are mergable/splittable, and so their asset ID should be the same.
    [Felt::ZERO; 2]
  }

  fn merge(self, other: Self) -> Self {
    Self {
      issuer_id: self.issuer_id,
      amount: self.amount + other.amount
    }
  }

  fn split(self, other: &Self) -> Self {
    if other.amount > self.amount {
      panic!("self does not contain enough to split out other");
    }

    Self {
      issuer_id: self.issuer_id,
      amount: self.amount - other.amount
    }
  }

  fn encode(&self) -> Word {
    Word::from([self.amount, Felt::ZERO, Felt::ZERO, Felt::ZERO])
  }
}

Staked Coin

Let's also consider the earlier StakedEth example. It is interesting because these are sometimes mergeable and sometimes not. It could look like this:

struct StakedEth {
  issuer_id: AccountId,
  /// The block at which the provided amount was staked. Used to calculate the reward amount.
  staked_at: BlockNumber,
  amount: Felt,
}

impl Asset for StakedEth {
  // Suppose this is the second asset type issued by an account.
  const TYPE_ID: u8 = 1;

  fn issuer_id(&self) -> AccountId {
    self.issuer_id
  }

  fn asset_id(&self) -> AssetId {
    let mut asset_id = [Felt::ZERO; 2];
    // Two StakedEths are mergeable if their staked_at blocks are the same.
    // Therefore the asset ID is the staked_at block number itself.
    asset_id[1] = Felt::from(self.staked_at.as_u32());
    asset_id
  }

  // The tx kernel guarantees that only assets with the same vault key are attempted to be
  // merged (or splitted), and so we don't need to check that `staked_at` matches, because we
  // set up the asset ID in the correct way.
  fn merge(self, other: Self) -> Self {
    Self {
        issuer_id: self.issuer_id,
        staked_at: self.staked_at,
        amount: self.amount + other.amount
    }
  }

  fn split(self, other: &Self) -> Self {
    if other.amount > self.amount {
      panic!("self does not contain enough to split out other");
    }

    Some(Self {
      issuer_id: self.issuer_id,
      staked_at: self.staked_at,
      amount: self.amount - other.amount
    })
  }

  // Technically this would fit into a word, but this is an (inefficient) example for how assets could be
  // encoded that do not fit into a word.
  fn encode(&self) -> Word {
    let mut smt = Smt::new();
    // Field 0 is the amount.
    smt.insert(
        Word::from([0, 0, 0, 0u32]),
        Word::from([self.amount, Felt::ZERO, Felt::ZERO, Felt::ZERO]),
    );
    // Field 1 is the staked_at block number.
    smt.insert(
        Word::from([0, 0, 0, 1u32]),
        Word::from([self.staked_at.as_u32().into(), Felt::ZERO, Felt::ZERO, Felt::ZERO]),
    );
    smt.root()
  }
}

Non-Fungible Asset

Finally, a non-fungible asset example:

struct GenericNFT {
  issuer_id: AccountId,
  // Two felts generated deterministically from something like
  // hash(BLOCK_HASH | ACCOUNT_COMMITMENT | [0, 0, 0, counter]) at asset creation time. Should
  // ensure every asset has a unique asset ID.
  asset_id: AssetId,
  // The raw data the NFT commits to. This assumes the data is not really useful to be accessed on-chain.
  data: Vec<u8>
}

impl Asset for GenericNft {
  const TYPE_ID: u8 = 2;

  fn issuer_id(&self) -> AccountId {
    self.issuer_id
  }

  fn asset_id(&self) -> AssetId {
    self.asset_id
  }

  fn merge(self, other: Self) -> Self {
    panic!("this asset type cannot be merged and the method should never be called");
  }

  fn split(self, other: &Self) -> Self {
    panic!("this asset type cannot be splitted and the method should never be called");
  }

  fn encode(&self) -> Word {
    Hasher::hash(self.data)
  }
}

Asset Creation

Currently, we have the faucet_mint_asset kernel procedure to mint an asset and mutate the transaction input vault (for asset preservation purposes). This mutation of the tx input vault still needs to happen, and could be done with a native_account::create_asset(asset_id: [Felt; 2], value: Word) call. Internally, this would take the account ID of the native account and construct the vault key together with the provided asset ID. This ensures assets issued by account X can only be created in transactions against account X.

Similarly, there'd be a burn kernel procedure.

Pattern: Permissionless transfer

The ability to define custom data in assets allows for "permissionless transfers". This is what I mentioned in the initial StakedEth example. To transfer the right to claim staking rewards, we can just transfer an asset to someone else, instead of having to mutate the "staking record" in the staking account in the model without custom data.

To be clear, this only argues for custom data in assets generally, not necessarily that it's necessary for this amount of data to go beyond one word, though it will almost certainly be beneficial in certain cases to have more than one word of space available.

Pattern: Capability

The ability to define multiple assets per account allows for the capability pattern. That is, an asset can represent a capability, like the right to vote, change a name -> ID mapping in a name service, or mint tokens. The latter could work by calling into a foreign account 0xabcd via FPI. The foreign account checks, via a kernel procedure or a procedure in the native account, that the caller has the capability asset required to call this procedure. If so, it proceeds and mints tokens with the ID of the foreign account. This would require allowing foreign accounts to create assets (with their own ID), which is currently not possble. I haven't though through whether this is okay to do fully.

Open Questions

• Users need to uphold the invariant "matching asset IDs means merging and splitting must be possible." There are mismatchs between these possible:

  Asset ID Matches?	Can Merge/Split?	Outcome okay?
  Yes	Yes	Yes
  Yes	No	No (1)
  No	Yes	Maybe (2)
  No	No	Yes

  • (1) results in a panic! in merge/split, which is technically nice to alert the user that there's a problem. But in practice, this could occur at an arbitrary point. For instance, if a user already has an asset of type A in their vault and receives a note with another asset of type A, they could not consume this note and add the asset to their account because the merging would fail. Since merge/split is disabled, what should actually happen is that the asset IDs are unique and the assets are added to the vault completely separately.
  • (2) results in merge/split never being called despite being implemented (without panicking). Taking StakedEth as an example, this would lead to these assets being separate assets in the vault with unique vault keys. This is probably not problematic, it might just be inconvenient from a programming perspective - having to deal with two instances instead of just a single merged one.
  • I think the first point here is too subtle to ask developers to do it correctly. On one hand, if we provide common asset types like Coin then users may not have to generally define many asset types themselves, and this point is alleviated. On the other hand, this proposal only makes sense if it is very easy and safe for users to define new assets. Ideally, there'd be either a good way to automatically check that this invariant is upheld or a different solution altogether.

• Similarly, users must correctly implement merge and split, which may not alway be trivial and failing to do so could mean loss of funds. Asset preservation rules wouldn't help here because the preservation rules themselves must assume merge and split are correctly implemented.

• The transaction kernel needs to handle fee asset logic and in this context, it would require it to be able to construct a fee asset. Currently this is easy because the tx kernel defines the format itself. It's therefore not possible for a library like miden standards, that depends on the tx kernel, to define the Coin type and depend on the tx kernel. Instead, what might work is that we have a dependency chain of coin_module <- tx kernel <- miden::std. I.e. the coin module would specially be the lowest member of the dependency chain.

• I wonder if it's worth giving up on the UX feature of auto-merging and splitting and, e.g. deal with multiple Coins of the same issuer separately, to make the asset definition simpler at the cost of making the logic that deals with assets harder. This may be worth exploring separately.

Capabilities

Regarding capabilities I also cannot think of any other major ones other than transfer restriction.

So one thing we need is for asset issuers to be able to define one or more hooks that are automatically called when the asset is transferred (or on some other event, though I can't think of another one).

• Transferred could be defined in two ways:
  • When an asset is conceptually added to the transaction input vault:
    • This applies to all assets in inputs notes. This happens in $kernel::prologue::add_input_note_assets_to_vault.
    • This applies when an asset is removed from an account. This happens when miden::native_account::remove_asset is called, since the asset is removed from the account vault and added to the input vault.
  • When an asset is conceptually removed from the transaction input vault:
    • This applies when an asset is added to an output note. This happens when miden::output_note::add_asset is called, since the asset is removed from the input vault and added to the output note.
    • This applies when an asset is added to an account. This happens when miden::native_account::add_asset is called, since the asset is removed from the input vault and added to the account vault.
• Based on how much flexibility we want to offer, we could provide either of the following options:
  • on_transfer hook for one of the definitions of transfer.
  • on_asset_added and on_asset_removed for both definitions of transferred.
  • on_asset_added_to_account, on_asset_added_to_output_note, on_asset_removed_from_account and on_asset_removed_from_input_note for full flexibility.

I'm thinking just "asset added to note/account" should be good enough, because asset preservation rules force an asset that is added to the tx input vault to be added to one of these two eventually.

I haven't explored this in the above at all, but this could conceptually be optional methods on the Asset trait.

[bobbinth]

At the offsite, we discussed various approaches to "programmable assets" which combine different aspects of @mmagician's and @PhilippGackstatter proposals above. The outcome was 3 different approaches varying in their complexity of implementation and flexibility that they would add to the protocol. Below is a quick summary of these approaches - @mmagician (and others) please correct if anything is wrong/missing.

Approach 1

This is the simplest approach needed to support something like "compliant private stablecoins". This approach does not change the current representation of assets - we still have fungible and non-fungible assets as we have now. But, a fungible asset issuer (i.e., a fungible faucet) can define "callbacks" which would be called when a fungible asset issued from this faucet is to be added or removed from an account's vault. These callbacks would act as predicates that would specify whether a given action is permitted.

This would allow enforcing such things as blocklists for fungible asset transfers - i.e., if the callbacks return an error, the asset could not be added to or removed form an account.

The main benefit of this approach is that it would be pretty simple to implement. The main drawback is that it probably wouldn't allow us to support much more beyond blocklists or something very similar.

Approach 2

This builds on the first approach but makes fungible assets more flexible. That is, callbacks would be used not as simple predicates to check whether an asset can be added/removed from the vault, but also to execute fungible asset merging and splitting logic. This would allow defining more complex fungible/semi-fungible assets.

The main drawbacks here are:

1. We have only 2 field elements of "custom data" per fungible asset (the other 2 elements are taken up by the faucet ID).
2. Every asset addition/removal from vault requires an FPI call, and these could get expensive (especially in terms of latency) - though, maybe we can come up with some optimizations.
3. Non-fungible assets remain as they are - and they are not subject to any kind of transfer restrictions and don't have any custom logic defined for them.

The main benefit is that this approach keeps asset representations in a single word, and thus, is still relatively easy to implement.

Approach 3

This is the most flexible approach that is more along the lines of the discussion between @mmagician and @PhilippGackstatter. In this approach, we no longer differentiate between fungible and non-fungible assets - though, there are still two types of assets simple and complex (this is temporary naming which we can/should change).

All assets are defined using 6 field elements (encoded as 2 words) such that:

• 2 elements are used to specify the asset issuer (i.e., the faucet ID).
• 4 elements are used as asset data.

The main difference between simple and complex assets is how the assets are stored in the asset vault:

• Simple assets are stored "as values". That is, the asset vault can be viewed as a map faucet_id |-> asset_data where asset_data is a single word.
• Complex assets are stored "as trees". That is, the asset vault can be viewed as a map faucet_id |-> asset_tree_root where asset_tree_root is a root of a map which can contain arbitrary data.

The faucets would still be expected to provide the logic for adding/removing assets from the vault. Using Rust, the interfaces of these procedures would look something like:

impl MyFaucet {
    /// Builds a value that needs to be inserted into the asset vault resulting from adding
    /// the provided asset data to the vault.
    fn build_merged_value(
        account_id: AccountId, // ID of the account to which we are adding the asset
        vault: &AssetVault, // reference to the vault of the target account
        asset: AssetData, // data of the asset we are adding
    ) -> Word {
        // here, we'd be able to read the current value of the asset from the vault
        // modify it as needed based on the asset data, and then return the new value.
        //
        // - For fungible assets the logic here could be as returning current_amount + new_amount
        // - For NFTs this could be reading the current SMT root from the vault, and adding
        //   the new asset to the SMT, and the returning the root of the new SMT
        //
        // we can perform a number of checks here
        // - check if the account is on some blocklist.
        // - check if the vault contains some other assets.
    }

    /// Builds a value that needs to be inserted into the asset vault resulting from removing
    /// the provided asset data from the vault.
    fn build_split_value(
        account_id: AccountId, // ID of the account from which we are removing the asset
        vault: &AssetVault, // reference to the vault of the target account
        asset: AssetData, // data of the asset we are removing
    ) -> Word {
        ...
    }
}

Another way to think about this is is that asset vault kind of becomes like "storage" where the storage logic is defined by the asset issuer. For "simple" assets, the issuer gets 32 bytes of storage (i.e., a word), for complex assets, the issuer gets a full SMT worth of storage.

This approach is very flexible, but it is also the one that would require the most effort to implement. Main challenges are:

• We need to use double-words to encode assets and this will require lots of changes in the transaction kernel (and elsewhere).
• Supporting "complex" assets would also probably result in quite a few changes as we'll need to have another SMT-based structure both in the kernel and outside of it.
• Handling fees becomes more complicated as well - or at least we'll need to define the asset to be used for fees upstream of the transaction kernel.

One somewhat annoying thing is that we can't allocate more than 4 field elements of data for asset values, which means that assets that require, say, 64 bytes to represent cannot be represented natively - but i'm not sure there is a way to get around this.

[Al-Kindi-0]

Yes, you need two EC points, one is the "ephemeral public key" point and the other is the blinded message point, hence only one of the points carries the "payload".
In other words, the ciphertext is twice the size of the plaintext.

[bobbinth]

I would love to see use cases that are not hypothetically but that are really there (like a compliant, private stablecoin ~private USDC with a pause/blacklist), and then we should do the minimum to implement it.

One example that comes to mind is an asset where an account is allowed to transfer some amount per day (or some other duration), but not more (optionally, unless they have some special permission). We cannot define this using simple fungible assets. Using the programmable asset approach, for each asset, we could store the following in the vault:

[asset_amount, epoch, amount_transferred_in_the_epoch, 0]

Then, on every merge, the faucet logic would be able to check if we are transferring more than allowed per epoch (and the epoch could be defined to be a day, a week, or w/e).

Another type of asset we cannot represent with simple fungible assets is a private yield-bearing asset. For example, something like USDC where people get yield just for holding it. I haven't fully thought it through, but with programmable assets, we could represent the asset as:

[amount, accumulated_yield, last_checkpoint, 0]

Then, on every merge, we'd be able to update accumulated_yield using current_block_num - last_checkpoint duration. Then, a user would be able to "redeem" their yield by send a note with [0, yield, 0, 0] asset to the USDC faucet and get [amount, 0, 0, 0] asset back.

There are probably many other examples, these are just the two that came to mind first.

[bobbinth]

There would have to be a one bit flag somewhere, probably in the asset vault key, to indicate whether the asset is simple or complex, but otherwise this should allow supporting more data in assets similar to the double tree approach.

I think if we allow asset data to be "simple" or "complex" (complex, in this case, meaning more than a single word), then this would address the issue. We could start with "simple" assets now, and enable "complex" ones further down the road.

With the flattened model I imagine there are more dedicated procedures for these two things, specifically there is a merge/split procedure for adding and removing assets from the vault, and there are hook callbacks like on_asset_added_to_account and on_asset_added_to_output_note. These are separate procedures because merge/split aren't guaranteed to be called for every asset (contrary to the double-tree approach), since that depends on a matching asset ID.

I'm not sure I followed this part: I think we'd still need just the merge/split procedures and these would be guaranteed to be called on every asset addition/removal from the vault. Or is the issue that the callback won't be able to identify all assets in the vault issued by the same faucet?

Is this basically for efficiency? The alternative would be to check via FPI whether the native account (that is transfering/adding/merging an asset) has a certain asset in their account, right? Either via a kernel procedure or via the native account's interface (preferably). This is how I imagined that would work, since that seems consistent with I understood we want foreign accounts to "request data" from the native account.

Yes, that would work too - though, currently, I believe, we don't allow foreign accounts to make callbacks back to the native account (but I don't think that's a fundamental limitation).

[PhilippGackstatter]

I think we'd still need just the merge/split procedures and these would be guaranteed to be called on every asset addition/removal from the vault.

I imagined merge to look like this:

fn merge(self, other: Self) -> Self;

And so when new_asset = USDC(500) is added to an account vault, the tx kernel first checks the current vault:

• If a existing_asset = USDC(100) asset already exists, the kernel calls asset = existing_asset.merge(new_asset) and then inserts asset into the asset vault.
• If there is no existing asset, the kernel can directly insert new_asset into the vault, and so merge is never called.

Additionally, for assets where the asset ID does not match (like non-fungible assets), merge is never called because these do not need to be merged into the same asset vault leaf value.

That's why I thought we'd need separate on_asset_added_to_account, etc. hooks that are guaranteed to be called on every asset addition to an account or note.

It does seem generally useful if either the merge or on_asset_added_to_account could mutate the asset, e.g. to implement:

something like USDC where people get yield just for holding it.

The double-tree model enables this directly and in the flat model, I think this could be done via the hook defined as on_asset_added_to_account(self) -> Self.

[Dominik1999]

Just to ensure

something like USDC where people get yield just for holding it.

USDC doesn't give you yield just for holding it. And no other stablecoin does (to my knowledge). Holding the coin is not an economic activity and cannot generate yield.

I think it is super important to align what we build on real use cases before we build it. But I also don't know which standards and coin-types are used most. I think @onurinanc can help here. Does it help with the decision if we come up with a list?

[onurinanc]

Whether such tokens are actually useful is a separate question (mostly because someone needs to have the key to convert plaintext amounts to encrypted amounts and vise-vera), and if we have such a trusted party, there are probably other ways to accomplish similar goals. But I think Penumbra did something like this without trusted parties - would be curious to understand how it worked there.

From an implementation perspective, the encrypted token is a great example for the double-tree. I think Penumbra’s current usage mainly turns a public token into a shielded token to make it usable as a privacy token. But since we can already have naturally private tokens on Miden, I’m not sure this would add any extra value from a privacy perspective.

Exchange-rate tokens can be treated as a simple fungible asset such as mint rETH at 1.08, so we can have a rETH faucet per exchange rate. Then you can merge them in our current model if and only if they were minted at the same rate (i.e. from the same faucet).

I believe there is no issue issue with exchange-rate–based tokens since (I don’t think it makes sense to merge based on the exchange rate, since it can change every second, even every millisecond) we can already merge by faucet_id, so we can have a simple token with Approach 1 anyway.

I think a private yield-bearing stablecoin is a very fitting example here. The idea is that users hold a stablecoin and are earning a small return over time. This already exists in many banks as well, where you get an interest rate just for holding a regular currency such as USD/EURO. There are already non-private versions of this use-case in Ethereum.

• aUSDC, which earns interest via Aave lending pools
• sDAI, which is staked in MakerDAO

These two versions can be implemented using Approach 3. There is also a version of this implemented via an exchange rate: "syrupUSDC". But when we look at it, the current rate is around $1.14 (functionally it behaves like a yield-bearing stablecoin, but visually it no longer looks like a stablecoin). In other words, it is implemented like a simple coin using an exchange-rate. However, I don't think every token issuer desire to implement it with a similar approach. That’s why I think enabling both styles of implementation is the right approach if we want more variation and flexibility.

@Dominik1999 @mmagician I have created a table below to compare the use cases with approach 1 & approach 3.

Use-case / Token type	Summary	Approach 3 – High Level Asset Layout	Approach 1	A1	A3
Streaming / Salary / Subscription	Continuous payments over time. The user can withdraw whatever has vested so far at any moment. Superfluid, Sablier: Token streams and vesting on top of ERC-20.	Each stream is its own asset: asset_data = [remaining_amount, start_block, end_block, mode_or_interval] or asset_id = [start_block, end_block] - remaining_amount: not yet claimed - start_block / end_block: schedule - mode_or_interval: salary frequency	- Similar to P2IDE notes - Payroll account creates a sequence of notes, each spending a slice of the salary (weekly/monthly) - Might need a note logic that creates a sequence of output notes until all the amount is consumed	✓	✓
Vesting / Lockup	Tokens that are locked until a maturity date and then gradually or instantly unlock. Sablier vesting, custom vesting contracts on ERC-20.	Vesting position is an asset: asset_data = [amount_locked, start_block, maturity_block, vesting_type]	- Use P2IDE-style notes - Each grant becomes one or more notes that can only be spent after a certain block/epoch	✓	✓
Rate-Limited Stablecoin	A stablecoin where each account can only send up to X per day/epoch	asset_data = [amount, epoch_id, spent_in_epoch, 0] On each spend, faucet logic updates epoch_id / spent_in_epoch and rejects if the per-epoch limit is exceeded.	- map(account_id -> {epoch_id, spent_in_epoch}) needed for the storage (not well-suited for the actor model) and for privacy at least asset_id is needed	✗	✓
Private Yield-Bearing Stablecoin	- aUSDC (Aave lending pools, ratio ≈ $1) - sDAI (MakerDAO staking, ratio ≈ $1)	asset_data = [principal, accumulated_yield, last_checkpoint, 0]	No	✗	✓
Private Yield-Bearing Stablecoin via Exchange Rate	- syrupUSDC, exchange-rate-based staking (ratio not ≈ $1, increases over time, currently ~$1.14)	Yes	Faucet (or protocol account) keeps a global interest index / exchange rate and redeems using amount * exchange_rate	✓	✓
Bond / Tranche RWA	Fixed-income instruments or RWA notes. ERC-3475, ERC-1400/3643. Multi-class bonds.	asset_data = [amount, maturity_block, coupon_bps, tranche_type] - One faucet can manage multiple tranches	New faucet needed per tranche type	✓	✓
Uniswap v3-style LP Position	LP position that supplies liquidity only within a price range [tick_lower, tick_upper]. Uniswap v3: each LP position is an ERC-721 NFT.	asset_data = [liquidity_amount, tick_lower, tick_upper, fee_index_or_flags] asset_id = [tick_lower, tick_upper] → only identical ranges auto-merge	Might be implemented as an NFT	✗	✓
Loans	Aave Credit Delegation and similar delegated credit patterns.	asset_data = [max_borrow, used_amount, expiry_block]	Faucet would need map(account_id -> {max_borrow, used_amount, expiry}) in its storage	✗	✓
Name Service Subdomain	Ability to register subdomains under a root	Capability asset: asset_data = [root_name_hash, max_depth, flags, 0] Name service account requires caller to hold matching capability and respect max_depth. Capability is transferable/splittable/mergeable.	Storage map needed: namehash -> owner_account_id, enforcing only owner can register subdomains	✗	✓
Mint Capability Asset	Mint capability	asset_data = [max_mint_amount, expiry_block, level] - level: full / only-mint / only-burn	Note logic (MINT note)	✓	✓

[Dominik1999]

Thanks @onurinanc, this is super helpful. Two follow-up questions (I hope here is the right place):

• Which tokens are used in reality and how much? (Rate-Limited Stablecoin? Private Yield-Bearing Stablecoin via non-exchange rate?) Or are 99% of tokens used either L1 native tokens and ERC20?
• Does this list cover what is used on Ethereum or also Solana and others?

[bobbinth]

It seems like Tempo is building in the mechanism for direct token rewards into their TIP-20 standard.