withbitco.in - Mastering Bitcoin

Mastering Bitcoin

Withbitco.in Spined HTML

Mastering Bitcoin Mastering Bitcoin Preface Writing the BitcoinTypesettingI first stumbled upon bitcoin in mid-2011. My firsthand reaction was increasingly or less "Pfft! Nerd money!" and I ignored it for flipside six months, lightweight to grasp its importance. This is a reaction that I have seen repeated among many of the smartest people I know, which gives me some consolation. The second time I came wideness bitcoin, in a mailing list discussion, I decided to read the white paper written by Satoshi Nakamoto, to study the supervisory source and see what it was all about. I still remember the moment I finished reading those nine pages, when I realized that bitcoin was not simply a digital currency, but a network of trust that could moreover provide the understructure for so much increasingly than just currencies. The realization that "this isn’t money, it’s a decentralized trust network," started me on a four-month journey to devour every scrap of information well-nigh bitcoin I could find. I became obsessed and enthralled, spending 12 or increasingly hours each day glued to a screen, reading, writing, coding, and learning as much as I could. I emerged from this state of fugue, increasingly than 20 pounds lighter from lack of resulting meals, unswayable to dedicate myself to working on bitcoin. Two years later, without creating a number of small startups to explore various bitcoin-related services and products, I decided that it was time to write my first book. Bitcoin was the topic that had driven me into a frenzy of creativity and consumed my thoughts; it was the most heady technology I had encountered since the Internet. It was now time to share my passion well-nigh this wondrous technology with a broader audience. IntendedRegularsThis typesetting is mostly intended for coders. If you can use a programming language, this typesetting will teach you how cryptographic currencies work, how to use them, and how to develop software that works with them. The first few chapters are moreover suitable as an in-depth introduction to bitcoin for noncoders—those trying to understand the inner workings of bitcoin and cryptocurrencies. Why Are There Bugs on the Cover? The leafcutter ant is a species that exhibits highly ramified policies in a colony super-organism, but each individual ant operates on a set of simple rules driven by social interaction and the mart of chemical scents (pheromones). Per Wikipedia: "Next to humans, leafcutter ants form the largest and most ramified unprepossessing societies on Earth." Leafcutter ants don’t unquestionably eat leaves, but rather use them to sublet a fungus, which is the inside supplies source for the colony. Get that? These ants are farming! Although ants form a caste-based society and have a queen for producing offspring, there is no inside validity or leader in an ant colony. The highly intelligent and sophisticated policies exhibited by a multimillion-member colony is an emergent property from the interaction of the individuals in a social network. Nature demonstrates that decentralized systems can be resilient and can produce emergent complexity and incredible sophistication without the need for a inside authority, hierarchy, or ramified parts. Bitcoin is a highly sophisticated decentralized trust network that can support a myriad of financial processes. Yet, each node in the bitcoin network follows a few simple mathematical rules. The interaction between many nodes is what leads to the emergence of the sophisticated behavior, not any inherent complexity or trust in any single node. Like an ant colony, the bitcoin network is a resilient network of simple nodes pursuit simple rules that together can do wondrous things without any inside coordination. Conventions Used in ThisTypesettingThe pursuit typographical conventions are used in this book: Italic Indicates new terms, URLs, email addresses, filenames, and file extensions.Unvaryingwidth Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.Unvaryingwidth unvigilant Shows commands or other text that should be typed literally by the user.Unvaryingwidth italic Shows text that should be replaced with user-supplied values or by values unswayable by context. Tip This icon signifies a tip, suggestion, or unstipulated note. Warning This icon indicates a warning or caution.LawmakingExamples The examples are illustrated in Python, C++, and using the writ line of a Unix-like operating system such as Linux or Mac OS X. All lawmaking snippets are misogynist in the GitHub repository in the lawmaking subdirectory of the main repo. Fork the typesetting code, try the lawmaking examples, or submit corrections via GitHub. All the lawmaking snippets can be replicated on most operating systems with a minimal installation of compilers and interpreters for the respective languages. Where necessary, we provide vital installation instructions and step-by-step examples of the output of those instructions. Some of the lawmaking snippets and lawmaking output have been reformatted for print. In all such cases, the lines have been split by a backslash (\) character, followed by a newline character. When transcribing the examples, remove those two notation and join the lines then and you should see identical results as shown in the example. All the lawmaking snippets use real values and calculations where possible, so that you can build from example to example and see the same results in any lawmaking you write to summate the same values. For example, the private keys and respective public keys and addresses are all real. The sample transactions, blocks, and blockchain references have all been introduced in the very bitcoin blockchain and are part of the public ledger, so you can review them on any bitcoin system. UsingLawmakingExamples This typesetting is here to help you get your job done. In general, if example lawmaking is offered with this book, you may use it in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of lawmaking from this typesetting does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this typesetting and quoting example lawmaking does not require permission. Incorporating a significant value of example lawmaking from this typesetting into your product’s documentation does require permission. We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Mastering Bitcoin by Andreas M. Antonopoulos (O’Reilly). Copyright 2015 Andreas M. Antonopoulos, 978-1-449-37404-4.” Some editions of this typesetting are offered under an unshut source license, such as CC-BY-NC (creativecommons.org), in which specimen the terms of that license apply. If you finger your use of lawmaking examples falls outside pearly use or the permission given above, finger self-ruling to contact us at [email protected]. Safari® Books Online Note Safari Books Online is an on-demand digital library that delivers expert content in both typesetting and video form from the world’s leading authors in technology and business. Technology professionals, software developers, web designers, and merchantry and creative professionals use Safari Books Online as their primary resource for research, problem solving, learning, and certification training. Safari Books Online offers a range of plans and pricing for enterprise, government, education, and individuals. Members have wangle to thousands of books, training videos, and prepublication manuscripts in one fully searchable database from publishers like O’Reilly Media, Prentice Hall Professional, Addison-Wesley Professional, Microsoft Press, Sams, Que, Peachpit Press, Focal Press, Cisco Press, John Wiley & Sons, Syngress, Morgan Kaufmann, IBM Redbooks, Packt, Adobe Press, FT Press, Apress, Manning, New Riders, McGraw-Hill, Jones & Bartlett,UndertowTechnology, and hundreds more. For increasingly information well-nigh Safari Books Online, please visit us online. How to Contact Us Please write comments and questions concerning this typesetting to the publisher: O’Reilly Media, Inc. 1005 Gravenstein Highway North Sebastopol, CA 95472 800-998-9938 (in the United States or Canada) 707-829-0515 (international or local) 707-829-0104 (fax) We have a web page for this book, where we list errata, examples, and any spare information. You can wangle this page at http://bit.ly/mastering_bitcoin. To scuttlebutt or ask technical questions well-nigh this book, send email to [email protected]. For increasingly information well-nigh our books, courses, conferences, and news, see our website at http://www.oreilly.com. Find us on Facebook: http://facebook.com/oreilly Follow us on Twitter: http://twitter.com/oreillymedia Watch us on YouTube: http://www.youtube.com/oreillymedia Acknowledgments This typesetting represents the efforts and contributions of many people. I am grateful for all the help I received from friends, colleagues, and plane well-constructed strangers, who joined me in this effort to write the definitive technical typesetting on cryptocurrencies and bitcoin. It is untellable to make a stardom between the bitcoin technology and the bitcoin community, and this typesetting is as much a product of that polity as it is a typesetting on the technology. My work on this typesetting was encouraged, cheered on, supported, and rewarded by the unshortened bitcoin polity from the very whence until the very end.Increasinglythan anything, this typesetting has unliable me to be part of a wonderful polity for two years and I can’t thank you unbearable for unsuspicious me into this community. There are far too many people to mention by name—people I’ve met at conferences, events, seminars, meetups, pizza gatherings, and small private gatherings, as well as many who communicated with me by Twitter, on reddit, on bitcointalk.org, and on GitHub who have had an impact on this book. Every idea, analogy, question, answer, and subtitle you find in this typesetting was at some point inspired, tested, or improved through my interactions with the community. Thank you all for your support; without you this typesetting would not have happened. I am forever grateful. The journey to rhadamanthine an tragedian starts long surpassing the first book, of course. My first language (and schooling) was Greek, so I had to take a remedial English writing undertow in my first year of university. I owe thanks to Diana Kordas, my English writing teacher, who helped me build conviction and skills that year. Later, as a professional, I ripened my technical writing skills on the topic of data centers, writing for Network World magazine. I owe thanks to John Dix and John Gallant, who gave me my first writing job as a wordsmith at Network World and to my editor Michael Cooney and my colleague Johna Till Johnson who edited my columns and made them fit for publication. Writing 500 words a week for four years gave me unbearable wits to sooner consider rhadamanthine an author. Thanks to Jean de Vera for her early encouragement to wilt an tragedian and for unchangingly yoyo and insisting that I had a typesetting in me. Thanks moreover to those who supported me when I submitted my typesetting proposal to O’Reilly, by providing references and reviewing the proposal. Specifically, thanks to John Gallant, Gregory Ness, Richard Stiennon, Joel Snyder, Adam B. Levine, Sandra Gittlen, John Dix, Johna Till Johnson, Roger Ver, and Jon Matonis. Special thanks to Richard Kagan and Tymon Mattoszko, who reviewed early versions of the proposal and Matthew Owain Taylor, who copyedited the proposal. Thanks to Cricket Liu, tragedian of the O’Reilly title DNS and BIND, who introduced me to O’Reilly. Thanks moreover to Michael Loukides and Allyson MacDonald at O’Reilly, who worked for months to help make this typesetting happen. Allyson was expressly patient when deadlines were missed and deliverables elapsed as life intervened in our planned schedule. The first few drafts of the first few chapters were the hardest, considering bitcoin is a difficult subject to unravel. Every time I pulled on one thread of the bitcoin technology, I had to pull in the whole thing. I repeatedly got stuck and a bit despondent as I struggled to make the topic easy to understand and create a narrative virtually such a dumbo technical subject. Eventually, I decided to tell the story of bitcoin through the stories of the people using bitcoin and the whole typesetting became a lot easier to write. I owe thanks to my friend and mentor, Richard Kagan, who helped me unravel the story and get past the moments of writer’s block, and Pamela Morgan, who reviewed early drafts of each installment and asked the nonflexible questions to make them better. Also, thanks to the developers of the San Francisco Bitcoin Developers Meetup group and Taariq Lewis, the group’s co-founder, for helping to test the early material. During the minutiae of the book, I made early drafts misogynist on GitHub and invited public comments.Increasinglythan a hundred comments, suggestions, corrections, and contributions were submitted in response. Those contributions are explicitly acknowledged, with my thanks, in [github_contrib]. Special thanks to Minh T. Nguyen, who volunteered to manage the GitHub contributions and widow many significant contributions himself. Thanks moreover to Andrew Naugler for infographic design. Once the typesetting was drafted, it went through several rounds of technical review. Thanks to Cricket Liu and Lorne Lantz for their thorough review, comments, and support. Several bitcoin developers unsalaried lawmaking samples, reviews, comments, and encouragement. Thanks to Amir Taaki and Eric Voskuil for example lawmaking snippets and many unconfined comments; Vitalik Buterin and Richard Kiss for help with elliptic lines math and lawmaking contributions; Gavin Andresen for corrections, comments, and encouragement; Michalis Kargakis for comments, contributions, and btcd writeup; and Robin Inge for errata submissions improving the second print. I owe my love of words and books to my mother, Theresa, who raised me in a house with books lining every wall. My mother moreover bought me my first computer in 1982, despite stuff a self-described technophobe. My father, Menelaos, a starchy engineer who just published his first typesetting at 80 years old, was the one who taught me logical and tampering thinking and a love of science and engineering. Thank you all for supporting me throughout this journey. Early ReleaseTyphoon(GitHub Contributions) Many contributors offered comments, corrections, and additions to the early-release typhoon on GitHub. Thank you all for your contributions to this book.Pursuitis a list of notable GitHub contributors, including their GitHub ID in parentheses: Minh T. Nguyen, GitHub contribution editor (enderminh) Ed Eykholt (edeykholt) Michalis Kargakis (kargakis) Erik Wahlström (erikwam) Richard Kiss (richardkiss) Eric Winchell (winchell) Sergej Kotliar (ziggamon) Nagaraj Hubli (nagarajhubli) ethers Alex Waters (alexwaters) Mihail Russu (MihailRussu) Ish Ot Jr. (ishotjr) James Addison (jayaddison) Nekomata (nekomata-3) Simon de la Rouviere (simondlr) Chapman Shoop (belovachap) Holger Schinzel (schinzelh) effectsToCause (vericoin) Stephan Oeste (Emzy) Joe Bauers (joebauers) Jason Bisterfeldt (jbisterfeldt) Ed Leafe (EdLeafe) Quick Glossary This quick glossary contains many of the terms used in relation to bitcoin. These terms are used throughout the book, so bookmark this for a quick reference. write A bitcoin write looks like 1DSrfJdB2AnWaFNgSbv3MZC2m74996JafV. It consists of a string of reports and numbers starting with a "1" (number one). Just like you ask others to send an email to your email address, you would ask others to send you bitcoin to your bitcoin address. bip BitcoinResurgenceProposals. A set of proposals that members of the bitcoin polity have submitted to modernize bitcoin. For example, BIP0021 is a proposal to modernize the bitcoin uniform resource identifier (URI) scheme. bitcoin The name of the currency unit (the coin), the network, and the software. woodcut A grouping of transactions, marked with a timestamp, and a fingerprint of the previous block. The woodcut header is hashed to produce a proof of work, thereby validating the transactions. Valid blocks are widow to the main blockchain by network consensus. blockchain A list of validated blocks, each linking to its predecessor all the way to the genesis block. confirmations Once a transaction is included in a block, it has one confirmation. As soon as flipside woodcut is mined on the same blockchain, the transaction has two confirmations, and so on. Six or increasingly confirmations is considered sufficient proof that a transaction cannot be reversed. difficulty A network-wide setting that controls how much computation is required to produce a proof of work. difficulty target A difficulty at which all the computation in the network will find blocks approximately every 10 minutes. difficulty retargeting A network-wide recalculation of the difficulty that occurs once every 2,106 blocks and considers the hashing power of the previous 2,106 blocks. fees The sender of a transaction often includes a fee to the network for processing the requested transaction. Most transactions require a minimum fee of 0.5 mBTC. hash A digital fingerprint of some binary input. genesis woodcut The first woodcut in the blockchain, used to initialize the cryptocurrency. miner A network node that finds valid proof of work for new blocks, by repeated hashing. network A peer-to-peer network that propagates transactions and blocks to every bitcoin node on the network. Proof-Of-Work A piece of data that requires significant computation to find. In bitcoin, miners must find a numeric solution to the SHA256 algorithm that meets a network-wide target, the difficulty target. reward An value included in each new woodcut as a reward by the network to the miner who found the Proof-Of-Work solution. It is currently 25BTC per block. secret key (aka private key) The secret number that unlocks bitcoins sent to the respective address. A secret key looks like 5J76sF8L5jTtzE96r66Sf8cka9y44wdpJjMwCxR3tzLh3ibVPxh. transaction In simple terms, a transfer of bitcoins from one write to another.Increasinglyprecisely, a transaction is a signed data structure expressing a transfer of value. Transactions are transmitted over the bitcoin network, placid by miners, and included into blocks, made permanent on the blockchain. wallet Software that holds all your bitcoin addresses and secret keys. Use it to send, receive, and store your bitcoin. Introduction What Is Bitcoin? Bitcoin is a hodgepodge of concepts and technologies that form the understructure of a digital money ecosystem. Units of currency tabbed bitcoins are used to store and transmit value among participants in the bitcoin network. Bitcoin users communicate with each other using the bitcoin protocol primarily via the Internet, although other transport networks can moreover be used. The bitcoin protocol stack, misogynist as unshut source software, can be run on a wide range of computing devices, including laptops and smartphones, making the technology hands accessible. Users can transfer bitcoins over the network to do just well-nigh anything that can be washed-up with conventional currencies, including buy and sell goods, send money to people or organizations, or proffer credit. Bitcoins can be purchased, sold, and exchanged for other currencies at specialized currency exchanges. Bitcoin in a sense is the perfect form of money for the Internet considering it is fast, secure, and borderless. Unlike traditional currencies, bitcoins are entirely virtual. There are no physical coins or plane digital coins per se. The coins are unsaid in transactions that transfer value from sender to recipient. Users of bitcoin own keys that indulge them to prove ownership of bitcoins in the bitcoin network. With these keys they can sign transactions to unlock the value and spend it by transferring it to a new owner. Keys are often stored in a digital wallet on each user’s computer or smartphone. Possession of the key that can sign a transaction is the only prerequisite to spending bitcoins, putting the tenancy entirely in the hands of each user. Bitcoin is a distributed, peer-to-peer system. As such there is no "central" server or point of control. Bitcoins are created through a process tabbed "mining," which involves competing to find solutions to a mathematical problem while processing bitcoin transactions. Any participant in the bitcoin network (i.e., anyone using a device running the full bitcoin protocol stack) may operate as a miner, using their computer’s processing power to verify and record transactions. Every 10 minutes on average, someone is worldly-wise to validate the transactions of the past 10 minutes and is rewarded with trademark new bitcoins. Essentially, bitcoin mining decentralizes the currency-issuance and transplanting functions of a inside wall and replaces the need for any inside wall with this global competition. The bitcoin protocol includes seated algorithms that regulate the mining function wideness the network. The difficulty of the processing task that miners must perform is adjusted dynamically so that, on average, someone succeeds every 10 minutes regardless of how many miners (and how much processing) are competing at any moment. The protocol moreover halves the rate at which new bitcoins are created every four years, and limits the total number of bitcoins that will be created to a stock-still total just unelevated 21 million coins. The result is that the number of bitcoins in diffusion closely follows an hands predictable lines that approaches 21 million by the year 2140. Due to bitcoin’s diminishing rate of issuance, over the long term, the bitcoin currency is deflationary. Furthermore, bitcoin cannot be inflated by "printing" new money whilom and vastitude the expected issuance rate.Overduethe scenes, bitcoin is moreover the name of the protocol, a peer-to-peer network, and a distributed computing innovation. The bitcoin currency is really only the first using of this invention. Bitcoin represents the culmination of decades of research in cryptography and distributed systems and includes four key innovations brought together in a unique and powerful combination. Bitcoin consists of: A decentralized peer-to-peer network (the bitcoin protocol) A public transaction ledger (the blockchain) A set of rules for self-sustaining transaction validation and currency issuance (consensus rules) A mechanism for reaching global decentralized consensus on the valid blockchain (proof-of-work algorithm) As a developer, I see bitcoin as unreceptive to the Internet of money, a network for propagating value and securing the ownership of digital resources via distributed computation. There’s a lot increasingly to bitcoin than first meets the eye. In this installment we’ll get started by explaining some of the main concepts and terms, getting the necessary software, and using bitcoin for simple transactions. In pursuit chapters we’ll start unwrapping the layers of technology that make bitcoin possible and examine the inner workings of the bitcoin network and protocol. Digital CurrenciesSurpassingBitcoin The emergence of viable digital money is closely linked to developments in cryptography. This is not surprising when one considers the fundamental challenges involved with using shit to represent value that can be exchanged for goods and services. Two vital questions for anyone unsuspicious digital money are: Can I trust the money is pure and not counterfeit? Can I trust that the digital money can only be spent once (known as the “double-spend” problem.) Can I be sure that no one else can requirement that this money belongs to them and not me? Issuers of paper money are constantly rival the counterfeiting problem by using increasingly sophisticated papers and printing technology. Physical money addresses the double-spend issue hands considering the same paper note cannot be in two places at once. Of course, conventional money is moreover often stored and transmitted digitally. In these cases, the counterfeiting and double-spend issues are handled by transplanting all electronic transactions through inside authorities that have a global view of the currency in circulation. For digital money, which cannot take wholesomeness of esoteric inks or holographic strips, cryptography provides the understructure for trusting the legitimacy of a user’s requirement to value. Specifically, cryptographic digital signatures enable a user to sign a digital windfall or transaction proving the ownership of that asset. With the towardly architecture, digital signatures moreover can be used to write the double-spend issue. When cryptography started rhadamanthine increasingly widely misogynist and understood in the late 1980s, many researchers began trying to use cryptography to build digital currencies. These early digital currency projects issued digital money, usually backed by a national currency or precious metal such as gold. Although these older digital currencies worked, they were internal and, as a result, they were easy to wade by governments and hackers. Early digital currencies used a inside clearinghouse to settle all transactions at regular intervals, just like a traditional financial system. Unfortunately, in most cases these nascent digital currencies were targeted by worried governments and sooner litigated out of existence. Some failed in spectacular crashes when the parent visitor liquidated abruptly. To be robust versus intervention by antagonists, whether legitimate governments or criminal elements, a decentralized digital currency was needed to stave a single point of attack. Bitcoin is such a system, decentralized by design, and self-ruling of any inside validity or point of tenancy that can be attacked or corrupted. History of Bitcoin Bitcoin was invented in 2008 with the publication of a paper titled "Bitcoin: A Peer-to-Peer ElectronicMazumaSystem,"["Bitcoin: A Peer-to-Peer ElectronicMazumaSystem", Satoshi Nakamoto https://bitcoin.org/bitcoin.pdf] written under the plume of Satoshi Nakamoto. Nakamoto combined several prior inventions such as b-money and HashCash to create a completely decentralized electronic mazuma system that does not rely on a inside validity for currency issuance or settlement and validation of transactions. The key innovation was to use a distributed computation system (called a "proof-of-work" algorithm) to self-mastery a global "election" every 10 minutes, permitting the decentralized network to victorious at consensus well-nigh the state of transactions. This elegantly solves the issue of double-spend where a single currency unit can be spent twice. Previously, the double-spend problem was a weakness of digital currency and was addressed by transplanting all transactions through a inside clearinghouse. The bitcoin network started in 2009, based on a reference implementation published by Nakamoto and since revised by many other programmers. The implementation of the proof-of-work algorithm (mining) that provides security and resilience for bitcoin has increased in power exponentially, and now exceeds that combined processing power of the world’s top super-computers. Bitcoin’s total market value is unscientific at between $5 billion and $10 billion US dollars, depending on the bitcoin-to-dollar mart rate. The largest transaction processed so far by the network was $150 million US dollars, transmitted instantly and processed without any fees. Satoshi Nakamoto withdrew from the public in April of 2011, leaving the responsibility of developing the lawmaking and network to a thriving group of volunteers. The identity of the person or people overdue bitcoin is still unknown. However, neither Satoshi Nakamoto nor anyone else exerts individual tenancy over the bitcoin system, which operates based on fully transparent mathematical principles, unshut source lawmaking and consensus among participants. The invention itself is groundbreaking and has once spawned new science in the fields of distributed computing, economics, and econometrics. A Solution to a Distributed Computing Problem Satoshi Nakamoto’s invention is moreover a practical and novel solution to a problem in distributed computing, known as the "Byzantine Generals' Problem." Briefly, the problem consists of trying to stipulate on a undertow of whoopee or the state of a system by exchanging information over an unreliable and potentially compromised network. Satoshi Nakamoto’s solution, which uses the concept of proof-of-work to unzip consensus without a inside trusted authority, represents a transilience in distributed computing and has wide applicability vastitude currency. It can be used to unzip consensus on decentralized networks to prove the fairness of elections, lotteries, windfall registries, digital notarization, and more. Bitcoin Uses, Users, and Their Stories Bitcoin is an innovation in the warmed-over technology of money. At it’s core, money simply facilitates the mart of value between people. Therefore, in order to fully understand bitcoin and its uses, we’ll examine it from the perspective of people using it. Each of the people and their stories, as listed below, illustrates one or increasingly specific use cases. We’ll be seeing them throughout the book. North American low-value retail Alice lives in Northern California’s Bay Area. She has heard well-nigh bitcoin from her techie friends and wants to start using it. We will follow her story as she learns well-nigh bitcoin, acquires some, and then spends some of her bitcoin to buy a cup of coffee at Bob’sSideboardin Palo Alto. This story will introduce us to the software, the exchanges, and vital transactions from the perspective of a retail consumer. North American high-value retail Carol is an art gallery owner in San Francisco. She sells expensive paintings for bitcoin. This story will introduce the risks of a "51%" consensus wade for retailers of high-value items. Offshore contract services Bob, the sideboard owner in Palo Alto, is towers a new website. He has contracted with an Indian web developer, Gopesh, who lives in Bangalore, India. Gopesh has well-set to be paid in bitcoin. This story will examine the use of bitcoin for outsourcing, contract services, and international wire transfers. Charitable donations Eugenia is the director of a children’s soft-heartedness in the Philippines. Recently she has discovered bitcoin and wants to use it to reach a whole new group of foreign and domestic donors to fundraise for her charity. She’s moreover investigating ways to use bitcoin to distribute funds quickly to areas of need. This story will show the use of bitcoin for global fundraising wideness currencies and confines and the use of an unshut ledger for transparency in charitable organizations. Import/export Mohammed is an electronics importer in Dubai. He’s trying to use bitcoin to buy electronics from the US and China for import into the UAE to slide the process of payments for imports. This story will show how bitcoin can be used for large business-to-business international payments tied to physical goods. Mining for bitcoin Jing is a computer engineering student in Shanghai. He has built a "mining" rig to mine for bitcoins, using his engineering skills to supplement his income. This story will examine the "industrial" wiring of bitcoin: the specialized equipment used to secure the bitcoin network and issue new currency. Each of these stories is based on real people and real industries that are currently using bitcoin to create new markets, new industries, and innovative solutions to global economic issues. Getting Started Bitcoin is a protocol that can be accessed using a vendee using that speaks the protocol. A "bitcoin wallet" is the most worldwide user interface to the bitcoin system, just like a web browser is the most worldwide user interface for the HTTP protocol. There are many implementations and brands of bitcoin wallets, just like there are many brands of web browsers (e.g. Chrome, Safari, Firefox and Internet Explorer). And just like we all have our favorite browsers (Mozilla Firefox, Yay!) and our villains (Internet Explorer, Yuck!), bitcoin wallets vary in quality, performance, security, privacy and reliability. There is moreover a reference implementation of the bitcoin protocol that includes a wallet, known as the "Satoshi Client" or "Bitcoin Core", which is derived from the original implementation written by Satoshi Nakamoto. Choosing a Bitcoin Wallet Bitcoin wallets are one of the most urgently ripened applications in the bitcoin ecosystem. There is intense competition and while a new wallet is probably stuff ripened right now, several wallets from last year are no longer urgently maintained. Many wallets focus on specific platforms or specific uses and some are increasingly suitable for beginners while others are filled with features for wide users. Choosing a wallet is highly subjective and depends on the use and user expertise. It is therefore untellable to recommend a specific trademark or project of wallet. However, we can categorize bitcoin wallets equal to their platform and function and provide some clarity well-nigh all the variegated types of wallets that exist.Largestyet, moving money between bitcoin wallets is easy, unseemly and fast, so it is worth trying out several variegated wallets until you find one that fits your needs. Bitcoin wallets can be categorized as below, equal to the platform: Desktop Wallet A desktop wallet was the first type of bitcoin wallet created as a reference implementation and many users run desktop wallets for the features, autonomy and tenancy they offer. Running on general-use operating systems such as Windows and Mac OS has unrepealable security disadvantages however, as these platforms are often insecure and poorly configured. Mobile Wallet A mobile wallet is the most worldwide type of bitcoin wallet. Running on smart-phone operating systems such asWorldiOS and Android, these wallets are often a unconfined nomination for new users. Many are designed for simplicity and ease-of-use, but there are moreover fully-featured mobile wallets for power users. Web Wallet Web wallets are accessed through a web browser and store the user’s wallet on a server owned by a third party. This is similar to webmail in that it relies entirely on a third-party server. Some of these services operate using client-side lawmaking running in the user’s browser, which keeps tenancy of the bitcoin keys in the hands of the user. Most however present a compromise by taking tenancy of the bitcoin keys from users in mart for ease-of-use. It is inadvisable to store large amounts of bitcoin on third-party systems. Hardware Wallet::Hardware wallets are devices that operate a secure self-contained bitcoin wallet on special-purpose hardware. They are operated via USB with a desktop web browser or via near-field-communication (NFC) on a mobile device. By handling all bitcoin related operations on the specialized hardware, these wallets are considered very secure and suitable for storing large amounts of bitcoin. Paper Wallet::The keys executive bitcoin can moreover be printed for long term storage. These are known as paper wallets plane though other materials (wood, metal, e.t.c.) can be used. Paper wallets offer a low-tech but highly secure ways of storing bitcoin long term. Offline storage is moreover often referred to as unprepossessed storage.Flipsideway to categorize bitcoin wallets is by their stratum of autonomy and how they interact with the bitcoin network: Full node vendee A full client, or "full node," is a vendee that stores the unshortened history of bitcoin transactions (every transaction by every user, ever), manages the users' wallets, and can initiate transactions directly on the bitcoin network. A full node handles all aspects of the protocol and can independently validate the unshortened blockchain and any transaction. A full-node vendee consumes substantial computer resources (e.g. increasingly than 60GB of disk, 2GB of RAM) but offers well-constructed autonomy and self-sustaining transaction verification. Lightweight vendee A lightweight client, moreover known as a simple-payment-verification (SPV) vendee connects to bitcoin full nodes (mentioned above) for wangle to the bitcoin transaction information, but stores the user wallet locally and independently creates, validates and transmits transactions. Lightweight clients interact directly with the bitcoin network, without an intermediary. Third-Party API vendee A third-party API vendee is one that interacts with bitcoin through a third-party system of using programming interfaces (APIs), rather than by connecting to the bitcoin network directly. The wallet may be stored by the user or by the third-party servers, but all transactions go through a third party. Combining the categorizations above, many bitcoin wallets fall into a few groups, with the three most worldwide stuff Desktop Full Client, Mobile Lightweight Wallet and Web Third-Party Wallet. The lines between variegated categories are often blurry, as many wallets run on multiple platforms and can interact with the network in variegated ways. For the purposes of this book, we will be demonstrating the use of a variety of downloadable bitcoin clients, from the reference implementation (Bitcoin Core) to mobile and web wallets. Some of the examples will require the use of Bitcoin Core, which, in wing to stuff a full client, moreover exposes APIs to the wallet, network, and transaction services. If you are planning to explore the programmatic interfaces into the bitcoin system, you will need to run Bitcoin Core. Quick Start Alice, who we introduced in [user-stories], is not a technical user and only recently heard well-nigh bitcoin from her friend Joe. While at a party, Joe is once then enthusiastically explaining bitcoin to all virtually him and is offering a demonstration. Intrigued, Alice asks how she can get started with bitcoin. Joe says that a mobile wallet is weightier for new users and he recommends a few of his favorite wallets. Alice downloads "Mycelium" for Android and installs it on her phone. When Alice runs Mycelium for the first time, as with many bitcoin wallets, the using automatically creates a new wallet for her. Alice sees the wallet on her screen, as shown in [mycelium-welcome], below:Icon1. The Mycelium Mobile Wallet The most important part of this screen is Alice’s bitcoin address. On the screen it appears as a long string of reports and numbers: 1Cdid9KFAaatwczBwBttQcwXYCpvK8h7FK. Next to the wallet’s bitcoin write is a QR code, a form of barcode that contains the same information in a format that can be scanned by a smartphone camera. The QR lawmaking is the square with a pattern of woebegone and white dots. Alice can reprinting the bitcoin write or the QR lawmaking onto her clipboard by tapping on the QR code, or on the Receive button. In most wallets, clicking on the QR lawmaking will moreover magnify it, so that it can be increasingly hands scanned by a smartphone camera. Tip Bitcoin addresses start with the digit 1 or 3. Like email addresses, they can be shared with other bitcoin users who can use them to send bitcoin directly to your wallet. There is nothing sensitive, from a security perspective, well-nigh the bitcoin address. It can be posted anywhere without risking the security of the account. Unlike email addresses, you can create new addresses as often as you like, all of which will uncontrived funds to your wallet. In fact, many modern wallets automatically create a new write for every transaction to maximize privacy. A wallet is simply a hodgepodge of addresses and the keys that unlock the funds within. Alice is now ready to receive funds. Her wallet using randomly generated a private key (described in increasingly detail in [private_keys]) together with its respective bitcoin address. At this point, her bitcoin write is not known to the bitcoin network or "registered" with any part of the bitcoin system. Her bitcoin write is simply a number that corresponds to a key that she can use to tenancy wangle to the funds. It was generated independently by her wallet without reference or registration with any service. In fact, in most wallets, there is no undertone between the bitcoin write and any externally identifiable information including the users identity. Until the moment this write is referenced as the recipient of value in a transaction posted on the bitcoin ledger, the bitcoin write is simply part of the vast number of possible addresses that are valid in bitcoin. Only once it has been associated with a transaction, does it becomes part of the known addresses in the network. Alice is now ready to start using her new bitcoin wallet. Getting Your First Bitcoins The first and often most difficult task for new users is to reap some bitcoin. Unlike other foreign currencies, you cannot buy bitcoin at a wall or foreign mart kiosk, yet. Bitcoin transactions are irreversible. Most electronic payment networks such as credit cards, debit cards, paypal, and wall worth transfers are reversible. For someone selling bitcoin, this difference introduces a very upper risk that the proprietrix will reverse the electronic payment without they have received bitcoin, in effect defrauding the seller. To mitigate this risk, companies unsuspicious traditional electronic payments in return for bitcoin usually require buyers undergo identity verification and credit-worthiness checks which may take several days or weeks. As a new user, this ways you cannot buy bitcoin instantly with a credit card. With a bit of patience and creative thinking, however, you won’t need to. Here are some methods for getting bitcoin as a new user: Find a friend who has bitcoin and buy some from him or her directly. Many bitcoin users start this way. This method is the least complicated. One way to meet people with bitcoin is to shepherd a local bitcoin meetup listed at Meetup.com. Use a classified service such as localbitcoins.com to find a seller in your zone to buy bitcoins for mazuma in an in-person transaction. Earn bitcoin by selling a product or service for bitcoin. If you are a programmer, sell your programming skills. If you’re a hairdresser, cut hair for bitcoin. Use a bitcoin ATM in your city. A bitcoin ATM is a machine that accepts mazuma and sends bitcoin to your smartphone bitcoin wallet. Find a bitcoin ATM tropical to you using an online map from CoinDesk. Use a bitcoin currency mart linked to your wall account. Many countries now have currency exchanges that offer a market for buyers and sellers to swap bitcoin with local currency. Exchange-rate listing services, such as BitcoinAverage, often show a list of bitcoin exchanges for each currency. Tip One of the advantages of bitcoin over other payment systems is that, when used correctly, it affords users much increasingly privacy. Acquiring, holding, and spending bitcoin does not require you to divulge sensitive and personally identifiable information to third-parties. However, where bitcoin touches traditional systems, such as currency exchanges, national and international regulations often apply. In order to mart bitcoin for your national currency, you will often be required to provide proof of identity and financial information. Users should be aware, that once a bitcoin write is tying to an identity all associated bitcoin transactions are moreover easy to identify and track. This is one reason many users segregate to maintain defended mart finance unlinked to their wallets. Alice was introduced to bitcoin by a friend so she has an easy way to reap her first bitcoin. Next, we will squint at how she buys bitcoin from her friend Joe and how Joe sends the bitcoin to her wallet. Finding the Current Price of BitcoinSurpassingAlice can buy bitcoin from Joe, they have to stipulate on the mart rate between bitcoin and US dollars. This brings up a worldwide question for those new to bitcoin: "Who sets the bitcoin price?" The short wordplay is that the price is set by markets. Bitcoin, like most other currencies, has a floating mart rate. That ways that the value of bitcoin vis-a-vis any other currency fluctuates equal to supply and demand in the various markets where it is traded. For example, the "price" of bitcoin in US dollars is calculated in each market based on the most recent trade of bitcoin and US dollars. As such, the price tends to fluctuate minutely several times per second. A pricing service will volume the prices from several markets and summate a volume-weighted stereotype representing the wholesale market mart rate of a currency pair (e.g. BTC/USD). There are hundreds of applications and websites that can provide the current market rate. Here are some of the most popular: BitcoinStereotypeA site that provides a simple view of the volume-weighted-average for each currency Bitcoin Charts A market data listing service that shows the market rate of bitcoin wideness many exchanges virtually the globe, denominated in variegated local currencies ZeroBlock A self-ruling Android and iOS using that can exhibit a bitcoin price from variegated exchanges In wing to these various sites and applications, most bitcoin wallets will automatically convert amounts between bitcoin and other currencies. Joe will use his wallet to convert the price automatically surpassing sending bitcoin to Alice. Sending and Receiving Bitcoins Alice has decided to convert $10 US dollars into bitcoin, so as not to risk too much money on this new technology. She gives Joe $10 in cash, opens her Mycelium wallet using and selects Receive. This displays a QR lawmaking with Alice’s first bitcoin address. Joe then selects Send on his smartphone wallet and is presented with a screen containing two inputs: A destination bitcoin write The value to send, in bitcoin (BTC) or his local currency (USD) In the input field for the bitcoin address, there is a small icon that looks like a QR code. This allows Joe to scan the barcode with his smartphone camera so that he doesn’t have to type in Alice’s bitcoin address, which is quite long and difficult to type. Joe taps the QR lawmaking icon and activates the smartphone camera, scanning the QR lawmaking displayed on Alice’s smartphone. Joe now has Alice’s bitcoin write set as the recipient. Joe enters the value as $10 US dollars and his wallet converts it by accessing the most recent mart rate from an online service. The mart rate at the time is $100 US dollars per bitcoin, so $10 US dollars is worth 0.10 bitcoin (BTC), or 100 milli-bitcoins (mBTC) as shown in the screenshot from Joe’s wallet (see [airbitz-mobile-send]).Icon2. Airbitz mobile bitcoin wallet send screen Joe then thoughtfully checks to make sure he has entered the correct amount, considering he is well-nigh to transmit money and mistakes are irreversible.Withoutdouble checking the write and amount, he presses Send to transmit the transaction. Joe’s mobile bitcoin wallet constructs a transaction that assigns 0.10 bitcoin to the write provided by Alice, sourcing the funds from Joe’s wallet and signing the transaction with Joe’s private keys. This tells the bitcoin network that Joe has authorized a transfer of value to Alice’s new address. As the transaction is transmitted via the peer-to-peer protocol, it quickly propagates wideness the bitcoin network. In less than a second, most of the well-connected nodes in the network receive the transaction and see Alice’s write for the first time. Meanwhile, Alice’s wallet is constantly "listening" to published transactions on the bitcoin network, looking for any that match the addresses in her wallets. A few seconds without Joe’s wallet transmits the transaction, Alice’s wallet will indicate that it is receiving 0.10 bitcoin. Confirmations At first, Alice’s write will show the transaction from Joe as "Unconfirmed." This ways that the transaction has been propagated to the network but has not yet been recorded in the bitcoin transaction ledger, known as the blockchain. To be confirmed, a transaction must be included in a woodcut and widow to the blockchain, which happens every 10 minutes, on average. In traditional financial terms this is known as clearing. For increasingly detail on propagation, validation and transplanting (confirmation) of bitcoin transactions, see [bitcoin clearing]. Alice is now the proud owner of 0.10 bitcoin that she can spend. In the next installment we will squint at her first purchase with bitcoin, and examine the underlying transaction and propagation technologies in increasingly detail. How Bitcoin Works Transactions, Blocks, Mining, and the Blockchain The bitcoin system, unlike traditional financial and payment systems, is based on de-centralized trust. Instead of a inside trusted authority, in bitcoin, trust is achieved as an emergent property from the interactions of variegated participants in the bitcoin system. In this chapter, we will examine bitcoin from a upper level by tracking a single transaction through the bitcoin system and watch as it becomes "trusted" and wonted by the bitcoin mechanism of distributed consensus and is finally recorded on the blockchain, the distributed ledger of all transactions. Subsequent chapters will delve into the technology overdue transactions, the network, and mining. Bitcoin Overview In the overview diagram shown in [bitcoin-overview], we see that the bitcoin system consists of users with wallets containing keys, transactions that are propagated wideness the network, and miners who produce (through competitive computation) the consensus blockchain, which is the supervisory ledger of all transactions.Icon3. Bitcoin overview Each example in this installment is based on an very transaction made on the bitcoin network, simulating the interactions between the users (Joe, Alice, Bob and Gopesh) by sending funds from one wallet to another. While tracking a transaction through the bitcoin network to the blockchain, we will use a blockchain explorer site to visualize each step. A blockchain explorer is a web using that operates as a bitcoin search engine, in that it allows you to search for addresses, transactions, and blocks and see the relationships and flows between them. Popular blockchain explorers include: BitcoinWoodcutExplorer BlockCypher Explorer blockchain.info BitPay Insight blockrWoodcutReader Each of these has a search function that can take a bitcoin address, transaction hash, woodcut number, or woodcut hash and retrieve respective information from the bitcoin network. With each transaction or woodcut example, we will provide a URL so you can squint it up yourself and study it in detail.Ownershipa Cup of Coffee Alice, introduced in the previous chapter, is a new user who has just uninventive her first bitcoin. In [getting_first_bitcoin], Alice met with her friend Joe to mart some mazuma for bitcoin. The transaction created by Joe funded Alice’s wallet with 0.10 BTC. Now Alice will make her first retail transaction, ownership a cup of coffee at Bob’s coffee shop in Palo Alto, California. Bob’sSideboardrecently started unsuspicious bitcoin payments, by subtracting a bitcoin option to their point-of-sale system. The prices at Bob’sSideboardare listed in the local currency (US dollars), but at the register, customers have the option of paying in either dollars or bitcoin. Alice places her order for a cup of coffee and Bob enters it into the register, as he does for all transactions. The point-of-sale system automatically converts the total price from US dollars to bitcoin at the prevailing market rate and displays the price in both currencies. Total: $1.50 USD 0.015 BTC Bob says, "That’s one-dollar-fifty, or fifteen millibits." Bob’s point-of-sale system will moreover automatically create a special QR lawmaking containing a payment request. (see [payment-request-QR]): Unlike a QR lawmaking that simply contains a destination bitcoin address, a payment request is a QR-encoded URL that contains a destination address, a payment amount, and a generic unravelment such as "Bob’s Cafe." This allows a bitcoin wallet using to pre-fill the information used to send the payment while showing a human-readable unravelment to the user. You can scan the QR lawmaking with a bitcoin wallet using to see what Alice would see.Icon4. Payment request QR lawmaking Tip Try to scan this with your wallet! The payment request QR lawmaking encodes the pursuit URL, specified in BIP0021: bitcoin:1GdK9UzpHBzqzX2A9JFP3Di4weBwqgmoQA? amount=0.015& label=Bob%27s%20Cafe& message=Purchase%20at%20Bob%27s%20Cafe Components of the URL A bitcoin address: "1GdK9UzpHBzqzX2A9JFP3Di4weBwqgmoQA" The payment amount: "0.015" A label for the recipient address: "Bob's Cafe" A unravelment for the payment: "Purchase at Bob's Cafe" Alice uses her smartphone to scan the barcode on display. Her smartphone shows a payment of 0.0150 BTC to Bob’sSideboardand she selects Send to qualify the payment. Within a few seconds (about the same value of time as a credit vellum authorization), Bob sees the transaction on the register, completing the transaction. In the pursuit sections we will examine this transaction in increasingly detail. We’ll see how Alice’s wallet synthetic it, how it was propagated wideness the network, how it was verified, and finally, how Bob can spend that value in subsequent transactions. Note The bitcoin network can transact in unperformed values, e.g., from milli-bitcoins (1/1000th of a bitcoin) lanugo to 1/100,000,000th of a bitcoin, which is known as a satoshi. Throughout this typesetting we’ll use the term “bitcoin” to refer to any quantity of bitcoin currency, from the smallest unit (1 satoshi) to the total number (21,000,000) of all bitcoin that will overly be mined. You can examine Alice’s transaction to Bob’sSideboardon the blockchain, using a woodcut explorer site: Example 1. View Alice’s transaction on blockexplorer.com https://blockexplorer.com/tx/0627052b6f28912f2703066a912ea577f2ce4da4caa5a5fbd8a57286c345c2f2 Bitcoin Transactions In simple terms, a transaction tells the network that the owner of some bitcoin value has authorized the transfer of that value to flipside owner. The new owner can now spend the bitcoin by creating flipside transaction that authorizes transfer to flipside owner, and so on, in a uniting of ownership. Transaction Inputs and Outputs Transactions are like lines in a double-entry bookkeeping ledger. Each transaction contains one or increasingly "inputs," which are like debits versus a bitcoin account. On the other side of the transaction, there are one or increasingly "outputs," which are like credits widow to a bitcoin account. The inputs and outputs (debits and credits) do not necessarily add up to the same amount. Instead, outputs add up to slightly less than inputs and the difference represents an unsaid transaction fee, which is a small payment placid by the miner who includes the transaction in the ledger. A bitcoin transaction is shown as a bookkeeping ledger entry in [transaction-double-entry]. The transaction moreover contains proof of ownership for each value of bitcoin (inputs) whose value is stuff spent, in the form of a digital signature from the owner, which can be independently validated by anyone. In bitcoin terms, "spending" is signing a transaction that transfers value from a previous transaction over to a new owner identified by a bitcoin address.Icon5. Transaction as double-entry bookkeeping TransactionVillenageAlice’s payment to Bob’sSideboarduses a previous transaction’s output as its input. In the previous installment Alice received bitcoin from her friend Joe in return for cash. That transaction created a bitcoin value locked by Alice’s key. Her new transaction to Bob’sSideboardreferences the previous transaction as an input and creates new outputs to pay for the cup of coffee and receive change. The transactions form a chain, where the inputs from the latest transaction correspond to outputs from previous transactions. Alice’s key provides the signature that unlocks those previous transaction outputs, thereby proving to the bitcoin network that she owns the funds. She attaches the payment for coffee to Bob’s address, thereby "encumbering" that output with the requirement that Bob produces a signature in order to spend that amount. This represents a transfer of value between Alice and Bob. This uniting of transactions, from Joe to Alice to Bob, is illustrated in [blockchain-mnemonic].Icon6. A uniting of transactions, where the output of one transaction is the input of the next transaction MakingTranspirationMany bitcoin transactions will include outputs that reference both an write of the new owner and an write of the current owner, the transpiration address. This is considering transaction inputs, like currency notes, cannot be divided. If you purchase a $5 US dollar item in a store but use a $20 US dollar snout to pay for the item, you expect to receive $15 US dollars in change. The same concept applies with bitcoin transaction inputs. If you purchased an item that financing 5 bitcoin but only had a 20 bitcoin input to use, you would send one output of 5 bitcoin to the store owner and one output of 15 bitcoin when to yourself as transpiration (less any workable transaction fee). Importantly, the transpiration write does not have to be the same write as that of the input and for privacy reasons is often a new write from the owner’s wallet.Variegatedwallets may use variegated strategies when aggregating inputs to make a payment requested by the user. They might volume many small inputs, or use one that is equal to or larger than the desired payment. Unless the wallet can volume inputs in such a way to exactly match the desired payment plus transaction fees, the wallet will need to generate some change. This is very similar to how people handle cash. If you unchangingly use the largest snout in your pocket, you will end up with a pocket full of loose change. If you only use the loose change, you’ll unchangingly have only big bills. People subconsciously find a wastefulness between these two extremes, bitcoin wallet developers strive to program this balance. In summary, transactions move value from transaction inputs to transaction outputs. An input is a reference to a previous transaction’s output, showing where the value is coming from. A transaction output directs a specific value to a new owner’s bitcoin write and can include a transpiration output when to the original owner. Outputs from one transaction can be used as inputs in a new transaction, thus creating a uniting of ownership as the value is moved from owner to owner (see [blockchain-mnemonic]).WorldwideTransaction Forms The most worldwide form of transaction is a simple payment from one write to another, which often includes some "change" returned to the original owner. This type of transaction has one input and two outputs and is shown in [transaction-common].Icon7. Most worldwide transactionFlipsidecommon form of transaction is one that aggregates several inputs into a single output (see [transaction-aggregating]). This represents the real-world equivalent of exchanging a pile of coins and currency notes for a single larger note. Transactions like these are sometimes generated by wallet applications to wipe up lots of smaller amounts that were received as transpiration for payments.Icon8. Transaction aggregating funds Finally, flipside transaction form that is seen often on the bitcoin ledger is a transaction that distributes one input to multiple outputs representing multiple recipients (see [transaction-distributing]). This type of transaction is sometimes used by commercial entities to distribute funds, such as when processing payroll payments to multiple employees.Icon9. Transaction distributing funds Constructing a Transaction Alice’s wallet using contains all the logic for selecting towardly inputs and outputs to build a transaction to Alice’s specification. Alice only needs to specify a destination and an amount, and the rest happens in the wallet using without her seeing the details. Importantly, a wallet using can construct transactions plane if it is completely offline. Like writing a trammels at home and later sending it to the wall in an envelope, the transaction does not need to be synthetic and signed while unfluctuating to the bitcoin network. Getting the Right Inputs Alice’s wallet using will first have to find inputs that can pay for the value she wants to send to Bob. Most wallets alimony track of all the misogynist outputs belonging to addresses in the wallet. Therefore, Alice’s wallet would contain a reprinting of the transaction output from Joe’s transaction, which was created in mart for mazuma (see [getting_first_bitcoin]). A bitcoin wallet using that runs as a full-node vendee unquestionably contains a reprinting of every unspent output from every transaction in the blockchain. This allows a wallet to construct transaction inputs as well as quickly verify incoming transactions as having correct inputs. However, considering a full-node vendee takes up a lot of disk space, most user wallets run "lightweight" clients that track only the user’s own unspent outputs. If the wallet using does not maintain a reprinting of unspent transaction outputs, it can query the bitcoin network to retrieve this information, using a variety of APIs misogynist by variegated providers or by asking a full-node using the bitcoin JSON RPC API. [example_2-1] shows a RESTful API request, synthetic as an HTTP GET writ to a specific URL. This URL will return all the unspent transaction outputs for an address, giving any using the information it needs to construct transaction inputs for spending. We use the simple command-line HTTP vendee cURL to retrieve the response. Example 2.Squintup all the unspent outputs for Alice’s bitcoin write Example 3. Response to the lookup The response in [example_2-2] shows one unspent output (one that has not been redeemed yet) under the ownership of Alice’s write 1Cdid9KFAaatwczBwBttQcwXYCpvK8h7FK. The response includes the reference to the transaction in which this unspent output is contained (the payment from Joe) and its value in satoshis, at 10 million, equivalent to 0.10 bitcoin. With this information, Alice’s wallet using can construct a transaction to transfer that value to new owner addresses. Tip View the transaction from Joe to Alice. As you can see, Alice’s wallet contains unbearable bitcoins in a single unspent output to pay for the cup of coffee. Had this not been the case, Alice’s wallet using might have to "rummage" through a pile of smaller unspent outputs, like picking coins from a purse until it could find unbearable to pay for coffee. In both cases, there might be a need to get some transpiration back, which we will see in the next section, as the wallet using creates the transaction outputs (payments). Creating the Outputs A transaction output is created in the form of a script that creates an encumbrance on the value and can only be redeemed by the introduction of a solution to the script. In simpler terms, Alice’s transaction output will contain a script that says something like, "This output is payable to whoever can present a signature from the key respective to Bob’s public address."Consideringonly Bob has the wallet with the keys respective to that address, only Bob’s wallet can present such a signature to redeem this output. Alice will therefore "encumber" the output value with a demand for a signature from Bob. This transaction will moreover include a second output, considering Alice’s funds are in the form of a 0.10 BTC output, too much money for the 0.015 BTC cup of coffee. Alice will need 0.085 BTC in change. Alice’s transpiration payment is created by Alice’s wallet as an output in the very same transaction as the payment to Bob. Essentially, Alice’s wallet breaks her funds into two payments: one to Bob, and one when to herself. She can then use (spend) the transpiration output in a subsequent transaction. Finally, for the transaction to be processed by the network in a timely fashion, Alice’s wallet using will add a small fee. This is not explicit in the transaction; it is unsaid by the difference between inputs and outputs. If instead of taking 0.085 in change, Alice creates only 0.0845 as the second output, there will be 0.0005 BTC (half a millibitcoin) left over. The input’s 0.10 BTC is not fully spent with the two outputs, considering they will add up to less than 0.10. The resulting difference is the transaction fee that is placid by the miner as a fee for validating and including the transaction in a woodcut to be recorded on the blockchain. The resulting transaction can be seen using a blockchain explorer web application, as shown in [transaction-alice].Icon10. Alice’s transaction to Bob’sSideboardTip View the transaction from Alice to Bob’s Cafe.Subtractingthe Transaction to the Ledger The transaction created by Alice’s wallet using is 258 bytes long and contains everything necessary to personize ownership of the funds and assign new owners. Now, the transaction must be transmitted to the bitcoin network where it will wilt part of the blockchain. In the next section we will see how a transaction becomes part of a new woodcut and how the woodcut is "mined." Finally, we will see how the new block, once widow to the blockchain, is increasingly trusted by the network as increasingly blocks are added. Transmitting the transactionConsideringthe transaction contains all the information necessary to process, it does not matter how or where it is transmitted to the bitcoin network. The bitcoin network is a peer-to-peer network, with each bitcoin vendee participating by connecting to several other bitcoin clients. The purpose of the bitcoin network is to propagate transactions and blocks to all participants. How it propagates Any system, such as a server, desktop application, or wallet, that participates in the bitcoin network by "speaking" the bitcoin protocol is tabbed a bitcoin node. Alice’s wallet using can send the new transaction to any bitcoin node it is unfluctuating to over any type of connection: wired, WiFi, mobile etc. Her bitcoin wallet does not have to be unfluctuating to Bob’s bitcoin wallet directly and she does not have to use the Internet connection offered by the cafe, though both those options are possible, too. Any bitcoin node that receives a valid transaction it has not seen surpassing will immediately forward it to all other nodes to which it is connected, a propagation technique known as flooding. Thus, the transaction rapidly propagates out wideness the peer-to-peer network, reaching a large percentage of the nodes within a few seconds. Bob’s view If Bob’s bitcoin wallet using is directly unfluctuating to Alice’s wallet application, Bob’s wallet using might be the first node to receive the transaction. However, plane if Alice’s wallet sends the transaction through other nodes, it will reach Bob’s wallet within a few seconds. Bob’s wallet will immediately identify Alice’s transaction as an incoming payment considering it contains outputs redeemable by Bob’s keys. Bob’s wallet using can moreover independently verify that the transaction is well formed, uses previously unspent inputs, and contains sufficient transaction fees to be included in the next block. At this point Bob can assume, with little risk, that the transaction will shortly be included in a woodcut and confirmed. Tip A worldwide misconception well-nigh bitcoin transactions is that they must be "confirmed" by waiting 10 minutes for a new block, or up to 60 minutes for a full six confirmations. Although confirmations ensure the transaction has been wonted by the whole network, such a wait is unnecessary for small-value items such as a cup of coffee. A merchant may winnow a valid small-value transaction with no confirmations, with no increasingly risk than a credit vellum payment made without an ID or a signature, as merchants routinely winnow today. Bitcoin Mining Alice’s transaction is now propagated on the bitcoin network. It does not wilt part of the blockchain until it is verified and included in a woodcut by a process tabbed mining. See [ch8] for a detailed explanation. The bitcoin system of trust is based on computation. Transactions are bundled into blocks, which require an enormous value of computation to prove, but only a small value of computation to verify as proven. The mining process serves two purposes in bitcoin: Mining nodes validate all transactions by reference to bitcoin’s consensus rules. Therefore, mining provides security for bitcoin transactions by rejecting invalid or malformed transactions. Mining creates new bitcoin in each block, scrutinizingly like a inside wall printing new money. The value of bitcoin created per woodcut is limited and diminishes with time, pursuit a stock-still issuance schedule. Mining achieves a fine wastefulness between forfeit and reward. Mining uses electricity to solve a mathematical problem. A successful miner will collect reward in the form of new bitcoin and transaction fees. However, the reward will only be placid if the miner has correctly validated all the transactions, to the satisfaction of the rules of consensus. This soft-hued wastefulness provides security for bitcoin without a inside authority. A good way to describe mining is like a giant competitive game of sudoku that resets every time someone finds a solution and whose difficulty automatically adjusts so that it takes approximately 10 minutes to find a solution. Imagine a giant sudoku puzzle, several thousand rows and columns in size. If I show you a completed puzzle you can verify it quite quickly. However, if the puzzle has a few squares filled and the rest are empty, it takes a lot of work to solve! The difficulty of the sudoku can be adjusted by waffly its size (more or fewer rows and columns), but it can still be verified quite hands plane if it is very large. The "puzzle" used in bitcoin is based on a cryptographic hash and exhibits similar characteristics: it is asymmetrically nonflexible to solve but easy to verify, and its difficulty can be adjusted. In [user-stories], we introduced Jing, an entrepreneur in Shanghai. Jing runs a mining sublet which is a merchantry that runs thousands of specialized mining computers, competing for the reward. Every 10 minutes or so, Jing’s mining computers compete versus thousands of similar systems in a global race to find a solution to a woodcut of transactions. Finding such a solution, the so-called Proof-of-Work (PoW), requires quadrillions of hashing operations per second wideness the unshortened bitcoin network. The algorithm for proof-of-work involves repeatedly hashing the header of the woodcut and a random number with the SHA256 cryptographic algorithm until a solution matching a predetermined pattern emerges. The first miner to find such a solution wins the round of competition and publishes that woodcut into the blockchain. Jing started mining in 2010 using a very fast desktop computer to find a suitable proof-of-work for new blocks. As increasingly miners started joining the bitcoin network, the difficulty of the problem increased rapidly. Soon, Jing and other miners upgraded to increasingly specialized hardware, such as high-end defended graphical processing units (GPUs) cards such as those used in gaming desktops or consoles. At the time of this writing, the difficulty is so upper that it is profitable only to mine with application-specific integrated circuits (ASIC), substantially hundreds of mining algorithms printed in hardware, running in parallel on a single silicon chip. Jing’s visitor moreover participates in a mining pool, which much like a lottery pool allows several participants to share their efforts and the rewards. Jing’s visitor now runs a warehouse containing thousands of ASIC miners to mine for bitcoin 24 hours a day. The visitor pays its electricity financing by selling the bitcoin it is worldly-wise to generate from mining, creating some income from the profits. Mining Transactions in Blocks New transactions are constantly flowing into the network from user wallets and other applications. As these are seen by the bitcoin network nodes, they get widow to a temporary pool of unverified transactions maintained by each node. As miners construct a new block, they add unverified transactions from this pool to the new woodcut and then struggle to prove the validity of that new block, with the mining algorithm (proof-of-work). The process of mining is explained in detail in [mining]. Transactions are widow to the new block, prioritized by the highest-fee transactions first and a few other criteria. Each miner starts the process of mining a new woodcut of transactions as soon as he receives the previous woodcut from the network, knowing he has lost that previous round of competition. He immediately creates a new block, fills it with transactions and the fingerprint of the previous block, and starts gingerly the proof-of-work for the new block. Each miner includes a special transaction in his block, one that pays his own bitcoin write the woodcut reward (currently 25 newly created bitcoin) plus the sum of transaction fees from all the transactions included in the block. If he finds a solution that makes that woodcut valid, he "wins" this reward considering his successful woodcut is widow to the global blockchain and the reward transaction he included becomes spendable. Jing, who participates in a mining pool, has set up his software to create new blocks that assign the reward to a pool address. From there, a share of the reward is distributed to Jing and other miners in proportion to the value of work they unsalaried in the last round. Alice’s transaction was picked up by the network and included in the pool of unverified transactions. Once validated by the mining software it was included in a new block, tabbed a candidate woodcut generated by Jing’s mining pool. All the miners participating in that mining pool immediately start computing Proof-of-Work for the candidate block. Approximately five minutes without the transaction was first transmitted by Alice’s wallet, one of Jing’s ASIC miners found a solution for the candidate woodcut and spoken it to the network. Once other miners validated the winning woodcut they started the race to generate the next block. Jing’s winning woodcut became part of the blockchain as woodcut #277316, containing 420 transactions, including Alice’s transaction. The woodcut containing Alice’s transaction is counted as one "confirmation" of that transaction. You can see the woodcut that includes Alice’s transaction. Approximately 19 minutes later, a new block, #277317, is mined by flipside miner.Consideringthis new woodcut is build on top of woodcut #277316 that contained Alice’s transaction, it widow plane increasingly computation to the blockchain, thereby strengthening the trust in those transactions. Each woodcut mined on top of the one containing the transaction counts as an spare confirmation for Alice’s transaction. As the blocks pile on top of each other, it becomes exponentially harder to reverse the transaction, thereby making it increasingly and increasingly trusted by the network. In the diagram in [block-alice1] we can see woodcut #277316, which contains Alice’s transaction.Unelevatedit are 277,316 blocks (including woodcut #0), linked to each other in a uniting of blocks (blockchain) all the way when to woodcut #0, known as the genesis block. Over time, as the "height" in blocks increases, so does the computation difficulty for each woodcut and the uniting as a whole. The blocks mined without the one that contains Alice’s transaction act as remoter assurance, as they pile on increasingly computation in a longer and longer chain. By convention, any woodcut with increasingly than six confirmations is considered irrevocable, considering it would require an immense value of computation to invalidate and recalculate six blocks. We will examine the process of mining and the way it builds trust in increasingly detail in [ch8].Icon11. Alice’s transaction included in woodcut #277316 Spending the Transaction Now that Alice’s transaction has been embedded in the blockchain as part of a block, it is part of the distributed ledger of bitcoin and visible to all bitcoin applications. Each bitcoin vendee can independently verify the transaction as valid and spendable. Full-node clients can track the source of the funds from the moment the bitcoins were first generated in a block, incrementally from transaction to transaction, until they reach Bob’s address. Lightweight clients can do what is tabbed a simplified payment verification (see [spv_nodes]) by confirming that the transaction is in the blockchain and has several blocks mined without it, thus providing warranty that the miners wonted it as valid. Bob can now spend the output from this and other transactions. For example, Bob can pay a contractor or supplier by transferring value from Alice’s coffee cup payment to these new owners. Most likely, Bob’s bitcoin software will volume many small payments into a larger payment, perhaps concentrating all the day’s bitcoin revenue into a single transaction. This would volume the various payments into a single output (and a single address). For a diagram of an aggregating transaction, see [transaction-aggregating]. As Bob spends the payments received from Alice and other customers, he extends the uniting of transactions. Let’s seem that Bob pays his web designer Gopesh in Bangalore for a new website page. Now the uniting of transactions will squint like [block-alice2].Icon12. Alice’s transaction as part of a transaction uniting from Joe to Gopesh In this chapter, we saw how transactions build a uniting that moves value from owner to owner. We moreover tracked Alice’s transaction, from the moment it was created in her wallet, through the bitcoin network and to the miners who recorded it on the blockchain. In the next few chapters we will examine the specific technologies overdue wallets, addresses, signatures, transactions, the network and finally mining. Bitcoin Core: The Reference Implementation Bitcoin is an unshut source project and the source lawmaking is misogynist under an unshut (MIT) license, self-ruling to download and use for any purpose.Unshutsource ways increasingly than simply self-ruling to use. It moreover ways that bitcoin is ripened by an unshut polity of volunteers. At first, that polity consisted of only Satoshi Nakamoto. By 2016, bitcoin’s source lawmaking has increasingly than 340 contributors with well-nigh a dozen developers working on the lawmaking scrutinizingly full time and several dozen increasingly on a part-time basis. Anyone can contribute to the lawmaking - including you! When bitcoin was created by Satoshi Nakamoto, the software was unquestionably completed surpassing the white paper [satoshi_whitepaper]. Satoshi wanted to make sure it worked surpassing writing well-nigh it. That first implementation, then simply known as "Bitcoin" or "Satoshi client", has been heavily modified and improved. It has evolved into what is known as Bitcoin Core, to differentiate it from other uniform implementations. BitcoinCadreis the reference implementation of the bitcoin system, meaning that it is the supervisory reference on how each part of the technology should be implemented. BitcoinCadreimplements all aspects of bitcoin, including wallets, a transaction and woodcut validation engine, and a full network node in the peer-to-peer bitcoin network. WarningPlanethough BitcoinCadreincludes a reference implementation of a wallet, this is not intended to be used as a production wallet for users or for applications.Usingdevelopers are well-considered to build wallets using modern standards such as BIP39 and BIP32 (see [mnemonic_code_words] and [hd_wallets]). BitcoinMinutiaeEnvironment If you’re a developer, you will want to setup a minutiae environment with all the tools, libraries and support software for writing bitcoin applications. In this highly technical chapter, we’ll walk through that process step-by-step. If the material becomes too dumbo (and you’re not unquestionably setting up a minutiae environment) finger self-ruling to skip to the next chapter, which is less technical. Compiling BitcoinCadrefrom the SourceLawmakingBitcoin Core’s source lawmaking can be downloaded as a ZIP gazetteer or by cloning the supervisory source repository from GitHub. On the GitHub bitcoin page, select Download ZIP from the sidebar. Alternatively, use the git writ line to create a local reprinting of the source lawmaking on your system. Tip In many of the examples in this installment we will be using the operating system’s command-line interface (also known as a "shell"), accessed via a "terminal" application. The shell will exhibit a prompt; you type a command; and the shell responds with some text and a new prompt for your next command. The prompt may squint variegated on your system, but in the examples unelevated it is denoted by a $ symbol. In the examples, when you see text without a $ symbol, don’t type the $ symbol but type the writ immediately pursuit it, then printing enter to execute the command. In the examples, the lines unelevated each writ are the operating system’s responses to that command. When you see the next $ prefix, you’ll know it’s a new writ and you should repeat the process. In this example, we are using the git writ to create a local reprinting ("clone") of the source code. $ git clone https://github.com/bitcoin/bitcoin.git Cloning into 'bitcoin'... remote: Counting objects: 66193, done. remote: Total 66193 (delta 0), reused 0 (delta 0), pack-reused 66193 Receiving objects: 100% (66193/66193), 63.39 MiB | 574.00 KiB/s, done. Resolving deltas: 100% (48395/48395), done. Checking connectivity... done. $ Tip Git is the most widely used distributed version tenancy system, an essential part of any software developer’s toolkit. You may need to install the git command, or a graphical user interface for git, on your operating system if you do not have it already. When the git cloning operation has completed, you will have a well-constructed local reprinting of the source lawmaking repository in the directory bitcoin.Transpirationto this directory by typing cd bitcoin at the prompt: $ cd bitcoin Selecting a BitcoinCadreRelease By default, the local reprinting will be synchronized with the most recent code, which might be an unstable or beta version of bitcoin.Surpassingcompiling the code, select a specific version by checking out a release tag. This will synchronize the local reprinting with a specific snapshot of the lawmaking repository identified by a keyword tag. Tags are used by the developers to mark specific releases of the lawmaking by version number. First, to find the misogynist tags, we use the git tag command: $ git tag v0.1.5 v0.1.6test1 v0.10.0 ... v0.11.2 v0.11.2rc1 v0.12.0rc1 v0.12.0rc2 ... The list of tags shows all the released versions of bitcoin. By convention, release candidates, which are intended for testing, have the suffix "rc". Stable releases that can be run on production systems have no suffix. From the preceding list, select the highest version release, which at this writing was v0.11.2. To synchronize the local lawmaking with this version, use the git checkout command: $ git checkout v0.11.2 HEAD is now at 7e27892... Merge pull request #6975 You can personize you have the desired version "checked out" by issuing the git status command: $ git status HEAD uninfluenced at v0.11.2 nothing to commit, working directory wipe Configuring the BitcoinCadreBuild The source lawmaking includes documentation, which can be found in a number of files. Review the main documentation located in README.md in the bitcoin directory by typing increasingly README.md at the prompt and using the space bar to progress to the next page. In this chapter, we will build the command-line bitcoin client, moreover known as bitcoind on Linux. Review the instructions for compiling the bitcoind command-line vendee on your platform by typing increasingly doc/build-unix.md.Volitionalinstructions for Mac OS X and Windows can be found in the doc directory, as build-osx.md or build-msw.md, respectively.Thoughtfullyreview the build prerequisites, which are in the first part of the build documentation. These are libraries that must be present on your system surpassing you can uncork to compile bitcoin. If these prerequisites are missing, the build process will goof with an error. If this happens considering you missed a prerequisite, you can install it and then resume the build process from where you left off.Thespingthe prerequisites are installed, you start the build process by generating a set of build scripts using the autogen.sh script. Note The BitcoinCadrebuild process was reverted to use the autogen/configure/make system starting with version 0.9. Older versions use a simple Makefile and work slightly differently from the pursuit example. Follow the instructions for the version you want to compile. The autogen/configure/make introduced in 0.9 is likely to be the build system used for all future versions of the lawmaking and is the system demonstrated in the pursuit examples. $ ./autogen.sh ... glibtoolize: copying file 'build-aux/m4/libtool.m4' glibtoolize: copying file 'build-aux/m4/ltoptions.m4' glibtoolize: copying file 'build-aux/m4/ltsugar.m4' glibtoolize: copying file 'build-aux/m4/ltversion.m4' ... configure.ac:10: installing 'build-aux/compile' configure.ac:5: installing 'build-aux/config.guess' configure.ac:5: installing 'build-aux/config.sub' configure.ac:9: installing 'build-aux/install-sh' configure.ac:9: installing 'build-aux/missing' Makefile.am: installing 'build-aux/depcomp' ... The autogen.sh script creates a set of will-less configuration scripts that will interrogate your system to discover the correct settings and ensure you have all the necessary libraries to compile the code. The most important of these is the configure script that offers a number of variegated options to customize the build process. Type ./configure --help to see the various options: $ ./configure --help `configure' configures BitcoinCadre0.11.2 to transmute to many kinds of systems. Usage: ./configure [OPTION]... [VAR=VALUE]... ... Optional Features: --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --enable-wallet enable wallet (default is yes) --with-gui[=no|qt4|qt5|auto] ... The configure script allows you to enable or disable unrepealable features of bitcoind through the use of the --enable-FEATURE and --disable-FEATURE flags, where FEATURE is replaced by the full-length name, as listed in the help output. In this chapter, we will build the bitcoind vendee with all the default features. We won’t be using the configuration flags, but you should review them to understand what optional features are part of the client. If you are in an wonk setting, computer lab restrictions may require you to install applications in your home directory (e.g. using --prefix=$HOME). Tip Here are some useful options that override the default policies of the configure script: --prefix=$HOME This overrides the default installation location (which is /usr/local/) for the resulting executable. Use $HOME to put everything in your home directory, or a variegated path. --disable-wallet This is used to disable the reference wallet implementation. --with-incompatible-bdb If you are towers a wallet, indulge the use of an incompatible version of the Berkeley DB library. --with-gui=no Don’t build the graphical user interface, which requires the Qt library. This builds server and command-line bitcoin only. Next, run the configure script to automatically discover all the necessary libraries and create a customized build script for your system: $ ./configure checking build system type... x86_64-unknown-linux-gnu checking host system type... x86_64-unknown-linux-gnu checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for a thread-safe mkdir -p... /bin/mkdir -p checking for gawk... gawk checking whether make sets $(MAKE)... yes ... [many pages of configuration tests follow] ... $ If all goes well, the configure writ will end by creating the customized build scripts that will indulge us to compile bitcoind. If there are any missing libraries or errors, the configure writ will terminate with an error instead of creating the build scripts. If an error occurs, it is most likely considering of a missing or incompatible library. Review the build documentation then and make sure you install the missing prerequisites. Then run configure then and see if that fixes the error.Towersthe BitcoinCadreExecutables Next, you will compile the source code, a process that can take up to an hour to complete, depending on the speed of your CPU and misogynist memory. During the compilation process you should see output every few seconds or every few minutes, or an error if something goes wrong. If an error occurs, or the compilation process is interrupted, it can be resumed any time by typing make again. Type make to start compiling the executable application: $ make Making all in src CXX crypto/libbitcoinconsensus_la-hmac_sha512.lo CXX crypto/libbitcoinconsensus_la-ripemd160.lo CXX crypto/libbitcoinconsensus_la-sha1.lo CXX crypto/libbitcoinconsensus_la-sha256.lo CXX crypto/libbitcoinconsensus_la-sha512.lo CXX libbitcoinconsensus_la-hash.lo CXX primitives/libbitcoinconsensus_la-transaction.lo CXX libbitcoinconsensus_la-pubkey.lo CXX script/libbitcoinconsensus_la-bitcoinconsensus.lo CXX script/libbitcoinconsensus_la-interpreter.lo [... many increasingly compilation messages follow ...] $ If all goes well, BitcoinCadreis now compiled. The final step is to install the various executables on your system using the sudo make install command. You may be prompted for your user password, considering this step requires legalistic privileges: $ sudo make install Password: Making install in src ../build-aux/install-sh -c -d '/usr/local/lib' libtool: install: /usr/bin/install -c bitcoind /usr/local/bin/bitcoind libtool: install: /usr/bin/install -c bitcoin-cli /usr/local/bin/bitcoin-cli libtool: install: /usr/bin/install -c bitcoin-tx /usr/local/bin/bitcoin-tx ... $ The default installation of bitcoind puts it in /usr/local/bin. You can personize that BitcoinCadreis correctly installed by asking the system for the path of the executables, as follows: $ which bitcoind /usr/local/bin/bitcoind $ which bitcoin-cli /usr/local/bin/bitcoin-cli Running a BitcoinCadreNode Bitcoin’s peer-to-peer network is well-balanced of network "nodes", run mostly by volunteers and some of the businesses that build bitcoin applications. Those running bitcoin nodes have a uncontrived and supervisory view of the bitcoin blockchain, with a local reprinting of all the transactions, independently validated by their own system. By running a node, you don’t have to rely on any third party to validate a transaction. Moreover, by running a bitcoin node you contribute to the bitcoin network by making it increasingly robust. Running a node, however, requires a permanently unfluctuating system with unbearable resources to process all bitcoin transactions. Depending on whether you segregate to alphabetize all transactions and alimony a full reprinting of the blockchain, you may moreover need a lot of disk space and RAM. In early 2016, a full-index node needs 2GB of RAM and 80GB of disk space. Bitcoin nodes moreover transmit and receive bitcoin transactions and blocks, consuming Internet bandwidth. If your Internet connection is limited, has a low data cap, or is metered (charged by the gigabit), you should probably not run a bitcoin node on it, or run it in a way that constrains its bandwidth (see [constrained_resources]). Tip BitcoinCadrekeeps a full reprinting of the blockchain by default, with every transaction that has overly occurred on the bitcoin network since its inception in 2009. This dataset is several gigabytes in size and is downloaded incrementally over several hours or days, depending on the speed of your CPU and Internet connection. BitcoinCadrewill not be worldly-wise to process transactions or update worth balances until the full blockchain dataset is downloaded. Make sure you have unbearable disk space, bandwidth, and time to well-constructed the initial synchronization. You can configure BitcoinCadreto reduce the size of the blockchain by discarding old blocks (see [constrained_resources]) but it will still download the unshortened dataset surpassing discarding data. Despite these resource requirements, thousands of volunteers run bitcoin nodes. Some are running on systems as simple as a Raspberry Pi (a $35 USD computer the size of a pack of cards). Many volunteers moreover run bitcoin nodes on rented servers, usually some variant of Linux. A Virtual Private Server (VPS) or Cloud Computing server instance can be used to run a bitcoin node. Such servers can be rented for $12 to $18 USD per month from a variety of providers. Why would you want to run a node? Here are some of the most worldwide reasons for running a node: If you are developing bitcoin software and need to rely on a bitcoin node for programmable (API) wangle to the network and blockchain. If you are towers applications that must validate transactions equal to bitcoin’s consensus rules. Typically, bitcoin software companies run several nodes. If you want to support bitcoin. Running a node makes the network increasingly robust and worldly-wise to serve increasingly wallets, increasingly users and increasingly transactions. If you do not want to rely on any third party for processing your own transactions or validating transactions. If you’re reading this typesetting and interested in developing bitcoin software, you should be running your own node. Running BitcoinCadrefor the First Time When you first run bitcoind, it will remind you to create a configuration file with a strong password for the JSON-RPC interface. This password controls wangle to theUsingProgramming Interface (API) offered by Bitcoin Core. Run bitcoind by typing bitcoind into the terminal: $ bitcoind Error: To use the "-server" option, you must set a rpcpassword in the configuration file: /home/ubuntu/.bitcoin/bitcoin.conf It is recommended you use the pursuit random password: rpcuser=bitcoinrpc rpcpassword=2XA4DuKNCbtZXsBQRRNDEwEY2nM6M4H9Tx5dFjoAVVbK (you do not need to remember this password) The username and password MUST NOT be the same. If the file does not exist, create it with owner-readable-only file permissions. It is moreover recommended to set alertnotify so you are notified of problems; for example: alertnotify=echo %s | mail -s "Bitcoin Alert" [email protected] As you can see, the first time you run bitcoind it tells you that you need to build a configuration file, with at least an rpcuser and rpcpassword entry. Additionally, it is recommended you set up the alerting mechanism. In the next section we will examine the various configuration options and set up a configuration file. Configuring the BitcoinCadreNode Edit the configuration file in your preferred editor and set the parameters, replacing the password with a strong password as recommended by bitcoind. Do not use the password shown in the book. Create a file inside the .bitcoin directory (under your user’s home directory) so that it is named .bitcoin/bitcoin.conf and provide a username and password: In wing to the rpcuser and rpcpassword options, BitcoinCadreoffers increasingly than one hundred configuration options that modify the policies of the network node, the storage of the blockchain and many other aspects of its operation. To see a listing of these options, run bitcoind --help: bitcoind --help BitcoinCadreDaemon version v0.11.2 Usage: bitcoind [options] Start BitcoinCadreDaemon Options: -? This help message -alerts Receive and exhibit P2P network alerts (default: 1) -alertnotify=<cmd> Execute writ when a relevant zestful is received or we see a really long fork (%s in cmd is replaced by message) ... [many increasingly options] ... -rpcsslciphers=<ciphers>Winningciphers (default: TLSv1.2+HIGH:TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH) Here are some of the most important options that can set in the configuration file, or as command-line parameters to bitcoind: alertnotify Run a specified writ or script to send emergency alerts to the owner of this node, usually by sending email. conf An volitional location for the configuration file. This only makes sense as a command-line parameter to bitcoind, as it can’t be inside the configuration file it refers to. datadir Select the directory and filesystem to put all the blockchain data. By default this is the .bitcoin subdirectory of your home directory. Make sure this filesystem has several gigabytes self-ruling space. prune Reduce the disk space requirements to this many megabytes, by deleting old blocks. Use this on a resource-constrained node that can’t fit the full blockchain. txindex Maintain an alphabetize of all transactions. This ways a well-constructed reprinting of the blockchain and allows you to programmatically retrieve any transaction by ID. maxconnections Set the maximum number of nodes from which to winnow connections. Reducing this from the default will reduce your bandwidth consumption. Use if you have a data cap or pay by the gigabyte. maxmempool Limit the transaction memorypool to this many megabytes. Use it to reduce memory use of the node. maxreceivebuffer/maxsendbuffer Limit per-connection memory buffer to this many * 1000 bytes. Use on memory-constrained nodes. minrelaytxfee Set the minimum fee transaction you will relay.Unelevatedthis value, the transaction is treated as zero fee. Use this on memory-constrained nodes to reduce the size of the in-memory transaction pool. Transaction DatabaseAlphabetizeand txindex Option By default, BitcoinCadrebuilds a database containing only the transactions related to the user’s wallet. If you want to be worldly-wise to wangle any transaction with commands like getrawtransaction (see ), you need to configure BitcoinCadreto build a well-constructed transaction index, which can be achieved with the txindex option. Set txindex=1 in the BitcoinCadreconfiguration file. If you don’t set this option at first and later set it to full indexing, you need to restart bitcoind with the -reindex option and wait for it to rebuild the index. Here’s how you might combine the whilom options: A fully-indexed node, running as an API back-end for a bitcoin application: Example 4. Sample configuration of a full-index node alertnotify=myemailscript.sh "Alert: %s" datadir=/lotsofspace/bitcoin txindex=1 rpcuser=bitcoinrpc rpcpassword=CHANGE_THIS A resource-constrained node running on a smaller server: Example 5. Sample configuration of a resource-constrained system alertnotify=myemailscript.sh "Alert: %s" maxconnections=15 prune=5000 minrelaytxfee=0.0001 maxmempool=200 maxreceivebuffer=2500 maxsendbuffer=500 rpcuser=bitcoinrpc rpcpassword=CHANGE_THIS Once you’ve edited the configuration file and set the options that weightier represent your needs, we can test bitcoind with this configuration. Run BitcoinCadrewith the option printtoconsole to run in the foreground with output to the console: $ bitcoind -printtoconsole Bitcoin version v0.11.20.0 Using OpenSSL version OpenSSL 1.0.2e 3 Dec 2015 Startup time: 2015-01-02 19:56:17 Using data directory /tmp/bitcoin Using config file /tmp/bitcoin/bitcoin.conf Using at most 125 connections (275 file descriptors available) Using 2 threads for script verification scheduler thread start HTTP: creating work queue of depth 16 No rpcpassword set - using random cookie hallmark Generated RPC hallmark cookie /tmp/bitcoin/.cookie HTTP: starting 4 worker threads Bound to [::]:8333 Bound to 0.0.0.0:8333Enshroudconfiguration: * Using 2.0MiB for woodcut alphabetize database * Using 32.5MiB for uniting state database * Using 65.5MiB for in-memory UTXO set init message: Loading woodcut index... Opening LevelDB in /tmp/bitcoin/blocks/index Opened LevelDB successfully [... increasingly startup messages ...] You can hit CTRL+C to interrupt the process once you are satisfied that it is loading the correct settings and running as you expect it. To run BitcoinCadrein the preliminaries as a process, start it with the daemon option, as bitcoind -daemon. To monitor the progress and runtime status of your bitcoin node, use the writ bitcoin-cli getinfo: $ bitcoin-cli getinfo This shows a node running BitcoinCadreversion 0.11.2, with a blockchain height of 396328 blocks and 15 zippy network connections. Once you are happy with the configuration options you have selected, you should add bitcoin to the startup scripts in your operating system, so that it runs continuously and restarts when the operating system restarts. You will find a number of example startup scripts for various operating systems in bitcoin’s source directory under contrib/init and a README.md file showing which system uses which script. Bitcoin CoreUsingProgramming Interface (API) The BitcoinCadreclient implements a JSON-RPC interface that can moreover be accessed using the command-line helper bitcoin-cli. The writ line allows us to experiment interactively with the capabilities that are moreover misogynist programmatically via the API. To start, invoke the help writ to see a list of the misogynist bitcoin RPC commands: $ bitcoin-cli help addmultisigaddress nrequired ["key",...] ( "account" ) addnode "node" "add|remove|onetry" backupwallet "destination" createmultisig nrequired ["key",...] createrawtransaction [{"txid":"id","vout":n},...] {"address":amount,...} decoderawtransaction "hexstring" ... ... verifymessage "bitcoinaddress" "signature" "message" walletlock walletpassphrase "passphrase" timeout walletpassphrasechange "oldpassphrase" "newpassphrase" Each of these commands may take a number of parameters. To get spare help, a detailed unravelment and information on the parameters, add the writ name without help. For example, to see help on the getblockhash RPC command: $ bitcoin-cli help getblockhash getblockhash alphabetize Returns hash of woodcut in best-block-chain at alphabetize provided. Arguments: 1. alphabetize (numeric, required) The woodcut alphabetize Result: "hash" (string) The woodcut hash Examples: > bitcoin-cli getblockhash 1000 > flourish --user myusername --data-binary '{"jsonrpc": "1.0", "id":"curltest", "method": "getblockhash", "params": [1000] }' -H 'content-type: text/plain;' http://127.0.0.1:8332/ At the end of the help information you will see two examples of the RPC command, using the bitcoin-cli helper or the HTTP vendee curl. These examples demonstrate how you might undeniability the command.Reprintingthe first example and see the result: $ bitcoin-cli getblockhash 1000 00000000c937983704a73af28acdec37b049d214adbda81d7e2a3dd146f6ed09 The result is a woodcut hash, which is described in increasingly detail in the pursuit chapters. But for now, this writ should return the same result on your system, demonstrating that your BitcoinCadrenode is running, is unsuspicious commands and has information well-nigh woodcut 1000 to return to you. In the next sections we will demonstrate some very useful RPC commands and their expected output. Getting Information on the BitcoinCadreClient Status Command: getinfo Bitcoin’s getinfo RPC writ displays vital information well-nigh the status of the bitcoin network node, the wallet, and the blockchain database. Use bitcoin-cli to run it: $ bitcoin-cli getinfo The data is returned in JavaScript Object Notation (JSON), a format that can hands be "consumed" by all programming languages but is moreover quite human-readable. Among this data we see the version numbers for the bitcoin software vendee (110200 and bitcoin protocol (70002). We see the current woodcut height, showing us how many blocks are known to this vendee (396367). We moreover see various statistics well-nigh the bitcoin network and the settings related to this client. Tip It will take some time, perhaps increasingly than a day, for the bitcoind vendee to "catch up" to the current blockchain height as it downloads blocks from other bitcoin clients. You can trammels its progress using getinfo to see the number of known blocks. Exploring and Decoding Transactions Commands: getrawtransaction, decoderawtransaction In [cup_of_coffee], Alice bought a cup of coffee from Bob’s Cafe. Her transaction was recorded on the blockchain with transaction ID 0627052b6f28912f2703066a912ea577f2ce4da4caa5a5fbd8a57286c345c2f2. Let’s use the API to retrieve and examine that transaction, by passing the transaction ID as a parameter: $ bitcoin-cli getrawtransaction 0627052b6f28912f2703066a912ea577f2ce4da4caa5a↵ 5fbd8a57286c345c2f2 0100000001186f9f998a5aa6f048e51dd8419a14d8a0f1a8a2836dd734d2804fe65fa35779000↵ 000008b483045022100884d142d86652a3f47ba4746ec719bbfbd040a570b1deccbb6498c75c4↵ ae24cb02204b9f039ff08df09cbe9f6addac960298cad530a863ea8f53982c09db8f6e3813014↵ 10484ecc0d46f1918b30928fa0e4ed99f16a0fb4fde0735e7ade8416ab9fe423cc54123363767↵ 89d172787ec3457eee41c04f4938de5cc17b4a10fa336a8d752adfffffffff0260e3160000000↵ 0001976a914ab68025513c3dbd2f7b92a94e0581f5d50f654e788acd0ef8000000000001976a9↵ 147f9b1a7fb68d60c536c2fd8aeaa53a8f3cc025a888ac00000000 Tip Transaction IDs are not supervisory until a transaction has been confirmed.Sparsityof a transaction hash in the blockchain does not midpoint the transaction was not processed. This is known as "transaction malleability," considering transaction hashes can be modified prior to confirmation in a block.Withoutconfirmation, the txid is immutable and authoritative. The writ getrawtransaction returns a serialized transaction in hexadecimal notation. To decode that, we use the decoderawtransaction command, passing the hex data as a parameter. You can reprinting the hex returned by getrawtransaction and paste it as a parameter to decoderawtransaction: $ bitcoin-cli decoderawtransaction 0100000001186f9f998a5aa6f048e51dd8419a14d8↵ a0f1a8a2836dd734d2804fe65fa35779000000008b483045022100884d142d86652a3f47ba474↵ 6ec719bbfbd040a570b1deccbb6498c75c4ae24cb02204b9f039ff08df09cbe9f6addac960298↵ cad530a863ea8f53982c09db8f6e381301410484ecc0d46f1918b30928fa0e4ed99f16a0fb4fd↵ e0735e7ade8416ab9fe423cc5412336376789d172787ec3457eee41c04f4938de5cc17b4a10fa↵ 336a8d752adfffffffff0260e31600000000001976a914ab68025513c3dbd2f7b92a94e0581f5↵ d50f654e788acd0ef8000000000001976a9147f9b1a7fb68d60c536c2fd8aeaa53a8f3cc025a8↵ 88ac00000000 { "txid": "0627052b6f28912f2703066a912ea577f2ce4da4caa5a5fbd8a57286c345c2f2", "size": 258, "version": 1, "locktime": 0, "vin": [ { "txid": "7957a35fe64f80d234d76d83a2...8149a41d81de548f0a65a8a999f6f18", "vout": 0, "scriptSig": { "asm":"3045022100884d142d86652a3f47ba4746ec719bbfbd040a570b1decc...", "hex":"483045022100884d142d86652a3f47ba4746ec719bbfbd040a570b1de..." }, "sequence": 4294967295 } ], "vout": [ { "value": 0.01500000, "n": 0, "scriptPubKey": { "asm": "OP_DUP OP_HASH160 ab68...5f654e7 OP_EQUALVERIFY OP_CHECKSIG", "hex": "76a914ab68025513c3dbd2f7b92a94e0581f5d50f654e788ac", "reqSigs": 1, "type": "pubkeyhash", "addresses": [ "1GdK9UzpHBzqzX2A9JFP3Di4weBwqgmoQA" ] } }, { "value": 0.08450000, "n": 1, "scriptPubKey": { "asm": "OP_DUP OP_HASH160 7f9b1a...025a8 OP_EQUALVERIFY OP_CHECKSIG", "hex": "76a9147f9b1a7fb68d60c536c2fd8aeaa53a8f3cc025a888ac", "reqSigs": 1, "type": "pubkeyhash", "addresses": [ "1Cdid9KFAaatwczBwBttQcwXYCpvK8h7FK" ] } } ] } The transaction decode shows all the components of this transaction, including the transaction inputs and outputs. In this specimen we see that the transaction that credited our new write with 50 millibits used one input and generated two outputs. The input to this transaction was the output from a previously confirmed transaction (shown as the vin txid starting with 7957a35fe). The two outputs correspond to the 50 millibit credit and an output with transpiration when to the sender. We can remoter explore the blockchain by examining the previous transaction referenced by its txid in this transaction using the same commands (e.g., getrawtransaction). Jumping from transaction to transaction we can follow a uniting of transactions when as the coins are transmitted from owner write to owner address. Exploring Blocks Commands: getblock, getblockhash Exploring blocks is similar to exploring transactions. However, blocks can be referenced either by the woodcut height or by the woodcut hash. First, let’s find a woodcut by its height. In [cup_of_coffee], we saw that Alice’s transaction was included in woodcut 277316. We use the getblockhash command, which takes the woodcut height as the parameter and returns the woodcut hash for that block: $ bitcoin-cli getblockhash 277316 0000000000000001b6b9a13b095e96db41c4a928b97ef2d944a9b31b2cc7bdc4 Now that we know which woodcut Alice’s transaction was included in, we can query that block. We use the getblock writ with the woodcut hash as the parameter: $ bitcoin-cli getblock 0000000000000001b6b9a13b095e96db41c4a928b97ef2d944a9b3↵ 1b2cc7bdc4 { "hash": "0000000000000001b6b9a13b095e96db41c4a928b97ef2d944a9b31b2cc7bdc4", "confirmations": 37371, "size": 218629, "height": 277316, "version": 2, "merkleroot": "c91c008c26e50763e9f548bb8b2fc323735f73577effbc55502c51eb4cc7cf2e", "tx": [ "d5ada064c6417ca25c4308bd158c34b77e1c0eca2a73cda16c737e7424afba2f", "b268b45c59b39d759614757718b9918caf0ba9d97c56f3b91956ff877c503fbe", "04905ff987ddd4cfe603b03cfb7ca50ee81d89d1f8f5f265c38f763eea4a21fd", "32467aab5d04f51940075055c2f20bbd1195727c961431bf0aff8443f9710f81", "561c5216944e21fa29dd12aaa1a45e3397f9c0d888359cb05e1f79fe73da37bd", [... hundreds of transactions ...] "78b300b2a1d2d9449b58db7bc71c3884d6e0579617e0da4991b9734cef7ab23a", "6c87130ec283ab4c2c493b190c20de4b28ff3caf72d16ffa1ce3e96f2069aca9", "6f423dbc3636ef193fd8898dfdf7621dcade1bbe509e963ffbff91f696d81a62", "802ba8b2adabc5796a9471f25b02ae6aeee2439c679a5c33c4bbcee97e081196", "eaaf6a048588d9ad4d1c092539bd571dd8af30635c152a3b0e8b611e67d1a1af", "e67abc6bd5e2cac169821afc51b207127f42b92a841e976f9b752157879ba8bd", "d38985a6a1bfd35037cb7776b2dc86797abbb7a06630f5d03df2785d50d5a2ac", "45ea0a3f6016d2bb90ab92c34a7aac9767671a8a84b9bcce6c019e60197c134b", "c098445d748ced5f178ef2ff96f2758cbec9eb32cb0fc65db313bcac1d3bc98f" ], "time": 1388185914, "mediantime": 1388183675, "nonce": 924591752, "bits": "1903a30c", "difficulty": 1180923195.258026, "chainwork": "000000000000000000000000000000000000000000000934695e92aaf53afa1a", "previousblockhash": "0000000000000002a7bbd25a417c0374cc55261021e8a9ca74442b01284f0569", "nextblockhash": "000000000000000010236c269dd6ed714dd5db39d36b33959079d78dfd431ba7" } The woodcut contains 419 transactions the 64th transaction listed (0627052b…) is Alice’s coffee payment. The height entry tells us this is the 277316th woodcut in the blockchain. Using Bitcoin Core’s Programmatic Interface The bitcoin-cli helper is very useful for exploring the BitcoinCadreAPI and testing functions. But the whole point of anUsingProgramming Interface is to wangle functions programmatically. In this section we will demonstrate accessing BitcoinCadrefrom flipside program. Bitcoin Core’s API is a JSON-RPC interface. JSON stands for JavaScript Object Notation and it is a very user-friendly way to present data that both humans and programs can hands read. RPC stands for Remote Procedure Call, which ways that we are calling procedures (functions) that are remote (on the BitcoinCadrenode) via a network protocol. In this case, the network protocol is HTTP, or HTTPS (for encrypted connections). When we used the bitcoin-cli writ to get help on a command, it showed us an example of using curl, the versatile command-line HTTP vendee to construct one of these JSON-RPC calls: $ flourish --user myusername --data-binary '{"jsonrpc": "1.0", "id":"curltest", "method": "getinfo", "params": [] }' -H 'content-type: text/plain;' http://127.0.0.1:8332/ This writ shows that flourish submits an HTTP request to the local host (127.0.0.1), connecting to the default bitcoin port (8332), and submitting a jsonrpc request for the getinfo method, using a text/plain encoding. If you’re implementing a JSON-RPC undeniability in your own program, you can use a generic HTTP library to construct the call, similar to what is shown in the flourish example above. However, there are libraries in most every programming language that "wrap" the BitcoinCadreAPI in a way that makes this a lot simpler. We will use the python-bitcoinlib library to simplify API access. Remember, this requires you to have a running BitcoinCadreinstance which will be used to make JSON-RPC calls. The Python script unelevated makes a simple getinfo undeniability and prints the woodcut parameter from the data returned by Bitcoin Core: Example 6. Running getinfo via Bitcoin Core’s JSON-RPC API Running it, gives us the pursuit result: $ python rpc_example.py 394075 It tells us that our local BitcoinCadrenode has 394075 blocks in its blockchain. Not a spectacular result, but it demonstrates the vital use of the library as a simplified interface to Bitcoin Core’s JSON-RPC API. Next, let’s use the getrawtransaction and decodetransaction calls to retrieve the details of Alice’s coffee payment. In the pursuit example, we retrieve Alice’s transaction and list the transaction’s outputs. For each output, we show the recipient write and value. As a reminder, Alice’s transaction had one output paying Bob’sSideboardand one output for transpiration when to Alice. Example 7. Retrieving a transaction and iterating its outputs Running this code, we get: $ python rpc_transaction.py ([u'1GdK9UzpHBzqzX2A9JFP3Di4weBwqgmoQA'], Decimal('0.01500000')) ([u'1Cdid9KFAaatwczBwBttQcwXYCpvK8h7FK'], Decimal('0.08450000')) Both of the examples whilom are rather simple. You don’t really need a program to run them, you could just as hands use the bitcoin-cli helper. The next example, however, requires several hundred RPC calls and increasingly unmistakably demonstrates the use of a programmatic interface. In [rpc_block], we first retrieve woodcut 277316, then retrieve each of the 419 transactions within by reference to each transaction ID. Next, iterate through each of the transaction’s outputs and add up the value. Example 8. Retrieving a woodcut and subtracting all the transaction outputs Running this code, we get: $ python rpc_block.py ('Total value in block: ', Decimal('10322.07722534')) Our example lawmaking calculates the total value transacted in this woodcut is 10,322.07722534 BTC (inclusive of the 25 BTC reward and 0.0909 BTC in fees). Compare that to the value reported by a woodcut explorer site, by searching for the woodcut hash or height. Some woodcut explorers report the total value excluding the reward and excluding the fees. See if you can spot the difference.VolitionalClients, Libraries, and Toolkits There are many volitional clients, libraries, toolkits and plane full-node implementations in the bitcoin ecosystem. These are implemented in a variety of programming languages, offering programmers native interfaces in their preferred language.Unelevatedwe list some of the weightier libraries, clients and toolkits, organized by programming languages: C/C++ BitcoinCadreThe reference implementation of bitcoin libbitcoin Cross-Platform C++ minutiae toolkit, node and consensus library bitcoin explorer Libbitcoin’s command-line tool picocoin A C language lightweight vendee library for bitcoin by Jeff Garzik JavaScript Bitcore Full node, API and library by Bitpay BitcoinJS A pure JavaScript Bitcoin library for node.js and browsers Java bitcoinj A Java full-node vendee libraryShitof Proof (BOP) A Java enterprise-class implementation of bitcoin Python python-bitcoinlib A Python bitcoin library, consensus library and node by Peter Todd pycoin A Python bitcoin library by Richard Kiss pybitcointools A Python bitcoin library by Vitalik Buterin Ruby bitcoin-client A Ruby library wrapper for the JSON-RPC API Go btcd A Go language full-node bitcoin vendee Rust rust-bitcoin Rust Bitcoin Library for serialization, parsing and API calls C# NBitcoin Comprehensive Bitcoin library for the .NET framework. Objective-C CoreBitcoin Bitcoin toolkit for ObjC and Swift Many increasingly libraries exist in a variety of other programming languages and increasingly are created all the time. Introduction You may have heard that bitcoin is based on cryptography, which is a workshop of mathematics used extensively in computer security. Cryptography ways secret writing but than just encryption. Cryptography can moreover be used to prove knowledge of a secret without revealing that secret (digital signatures), or prove the authenticity of data (digital fingerprints). These types of cryptographic proofs are the mathematical tools hair-trigger to bitcoin and used extensively in bitcoin applications. Ironically, encryption is not an important part of bitcoin, as its communications and transaction data are not encrypted and do not need to be encrypted to protect the funds. In this installment we will introduce some of the cryptography used in bitcoin to tenancy ownership of funds, in the form of keys, addresses and wallets. Keys, Addresses, Wallets Ownership of bitcoin is established through digital keys, bitcoin addresses, and digital signatures. The digital keys are not unquestionably stored in the network, but are instead created and stored by users in a file, or simple database, tabbed a wallet. The digital keys in a user’s wallet are completely self-sustaining of the bitcoin protocol and can be generated and managed by the user’s wallet software without reference to the blockchain or wangle to the Internet. Keys enable many of the interesting properties of bitcoin, including de-centralized trust and control, ownership attestation, and the cryptographic-proof security model. Every bitcoin transaction requires a valid digital signature to be included in the blockchain, which can only be generated with a secret key; therefore, anyone with a reprinting of that key has tenancy of the bitcoin in that account. The digital signature used to spend funds is moreover referred to as a witness, a term used in cryptography. The witness data in a bitcoin transaction testifies to the true ownership of the funds stuff spent. Keys come in pairs consisting of a private (secret) key and a public key. Think of the public key as similar to a wall worth number and the private key as similar to the secret PIN, or signature on a trammels that provides tenancy over the account. These digital keys are very rarely seen by the users of bitcoin. For the most part, they are stored inside the wallet file and managed by the bitcoin wallet software. In the payment portion of a bitcoin transaction, the recipient’s public key is represented by its digital fingerprint, tabbed a bitcoin address, which is used in the same way as the payee name on a trammels (i.e., "Pay to the order of"). In most cases, a bitcoin write is generated from and corresponds to a public key. However, not all bitcoin addresses represent public keys; they can moreover represent other beneficiaries such as scripts, as we will see later in this chapter. This way, bitcoin addresses utopian the recipient of funds, making transaction destinations flexible, similar to paper checks: a single payment instrument that can be used to pay into people’s accounts, pay into visitor accounts, pay for bills, or pay to cash. The bitcoin write is the only representation of the keys that users will routinely see, considering this is the part they need to share with the world. First we will introduce cryptography and explain the mathematics used in bitcoin. Next, we will squint at how keys are generated, stored, and managed. We will review the various encoding formats used to represent private and public keys, addresses, and script addresses. We will see how bitcoin wallets store collections of keys executive many bitcoin addresses. Finally, we will squint at special uses of keys: to sign messages, to prove ownership, and to create vanity addresses and paper wallets. Public Key Cryptography and Cryptocurrency Public key cryptography was invented in the 1970s and is a mathematical foundation for computer and information security. Since the invention of public key cryptography, several suitable mathematical functions, such as prime number exponentiation and elliptic lines multiplication, have been discovered. These mathematical functions are practically irreversible, meaning that they are easy to summate in one direction and infeasible to summate in the opposite direction. Based on these mathematical functions, cryptography enables the megacosm of digital secrets and unforgeable digital signatures. Bitcoin uses elliptic lines multiplication as the understructure for its cryptography. In bitcoin, we use public key cryptography to create a key pair that controls wangle to bitcoin. The key pair consists of a private key and—derived from it—a unique public key. The public key is used to receive funds, and the private key is used to sign transactions to spend the funds. There is a mathematical relationship between the public and the private key that allows the private key to be used to generate signatures on messages. This signature can be validated versus the public key without revealing the private key. When spending bitcoins, the current bitcoin owner presents her public key and a signature (different each time, but created from the same private key) in a transaction to spend those bitcoins. Through the presentation of the public key and signature, everyone in the bitcoin network can verify and winnow the transaction as valid, confirming that the person transferring the bitcoins owned them at the time of the transfer. Tip In most wallet implementations, the private and public keys are stored together as a key pair for convenience. However, the public key can be calculated from the private key, so storing only the private key is moreover possible. Private and Public Keys A bitcoin wallet contains a hodgepodge of key pairs, each consisting of a private key and a public key. The private key (k) is a number, usually picked at random. From the private key, we use elliptic lines multiplication, a one-way cryptographic function, to generate a public key (K). From the public key (K), we use a one-way cryptographic hash function to generate a bitcoin write (A). In this section, we will start with generating the private key, squint at the elliptic lines math that is used to turn that into a public key, and finally, generate a bitcoin write from the public key. The relationship between private key, public key, and bitcoin write is shown in [k_to_K_to_A].Icon13. Private key, public key, and bitcoin write Private Keys A private key is simply a number, picked at random. Ownership and tenancy over the private key is the root of user tenancy over all funds associated with the respective bitcoin address. The private key is used to create signatures that are required to spend bitcoins by proving ownership of funds used in a transaction. The private key must remain secret at all times, considering revealing it to third parties is equivalent to giving them tenancy over the bitcoins secured by that key. The private key must moreover be backed up and protected from willy-nilly loss, considering if it’s lost it cannot be recovered and the funds secured by it are forever lost, too. Tip The bitcoin private key is just a number. You can pick your private keys randomly using just a coin, pencil, and paper: toss a forge 256 times and you have the binary digits of a random private key you can use in a bitcoin wallet. The public key can then be generated from the private key. Generating a private key from a random number The first and most important step in generating keys is to find a secure source of entropy, or randomness. Creating a bitcoin key is substantially the same as "Pick a number between 1 and 2256." The word-for-word method you use to pick that number does not matter as long as it is not predictable or repeatable. Bitcoin software uses the underlying operating system’s random number generators to produce 256 shit of entropy (randomness). Usually, the OS random number generator is initialized by a human source of randomness, which is why you may be asked to wiggle your mouse virtually for a few seconds. For the truly paranoid, nothing beats dice, pencil, and paper.Increasinglyaccurately, the private key can be any number between 1 and n - 1, where n is a unvarying (n = 1.158 * 1077, slightly less than 2256) specified as the order of the elliptic lines used in bitcoin (see [elliptic_curve]). To create such a key, we randomly pick a 256-bit number and trammels that it is less than n - 1. In programming terms, this is usually achieved by feeding a larger string of random bits, placid from a cryptographically secure source of randomness, into the SHA256 hash algorithm that will conveniently produce a 256-bit number. If the result is less than n - 1, we have a suitable private key. Otherwise, we simply try then with flipside random number. Tip Do not write your own lawmaking to create a random number or use a "simple" random number generator offered by your programming language. Use a cryptographically secure pseudo-random number generator (CSPRNG) with a seed from a source of sufficient entropy. Study the documentation of the random number generator library you segregate to make sure it is cryptographically secure. Correct implementation of the CSPRNG is hair-trigger to the security of the keys. The pursuit is a randomly generated private key (k) shown in hexadecimal format (256 binary digits shown as 64 hexadecimal digits, each 4 bits): 1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD Tip The size of bitcoin’s private key space, 2256 is an unfathomably large number. It is approximately 1077 in decimal. The visible universe is unscientific to contain 1080 atoms. To generate a new key with the BitcoinCadreclient (see [ch03_bitcoin_client]), use the getnewaddress command. For security reasons it displays the public key only, not the private key. To ask bitcoind to expose the private key, use the dumpprivkey command. The dumpprivkey writ shows the private key in a Base58 checksum-encoded format tabbed the Wallet Import Format (WIF), which we will examine in increasingly detail in [priv_formats]. Here’s an example of generating and displaying a private key using these two commands: $ bitcoind getnewaddress 1J7mdg5rbQyUHENYdx39WVWK7fsLpEoXZy $ bitcoind dumpprivkey 1J7mdg5rbQyUHENYdx39WVWK7fsLpEoXZy KxFC1jmwwCoACiCAWZ3eXa96mBM6tb3TYzGmf6YwgdGWZgawvrtJ The dumpprivkey writ opens the wallet and extracts the private key that was generated by the getnewaddress command. It is not otherwise possible for bitcoind to know the private key from the public key, unless they are both stored in the wallet. Tip The dumpprivkey writ is not generating a private key from a public key, as this is impossible. The writ simply reveals the private key that is once known to the wallet and which was generated by the getnewaddress command. You can moreover use the Bitcoin Explorer command-line tool (see [libbitcoin]) to generate and exhibit private keys with the commands seed, ec-new and ec-to-wif: $ bx seed | bx ec-new | bx ec-to-wif 5J3mBbAH58CpQ3Y5RNJpUKPE62SQ5tfcvU2JpbnkeyhfsYB1Jcn Public Keys The public key is calculated from the private key using elliptic lines multiplication, which is irreversible: \(K = k * G\) where k is the private key, G is a unvarying point tabbed the generator point and K is the resulting public key. The reverse operation, known as "finding the discrete logarithm"—calculating k if you know K—is as difficult as trying all possible values of k, i.e., a brute-force search.Surpassingwe demonstrate how to generate a public key from a private key, let’s squint at elliptic lines cryptography in a bit increasingly detail. EllipticLinesCryptography Explained Elliptic lines cryptography is a type of unsymmetrical or public-key cryptography based on the discrete logarithm problem as expressed by wing and multiplication on the points of an elliptic curve. [ecc-curve] is an example of an elliptic curve, similar to that used by bitcoin.Icon14. An elliptic lines Bitcoin uses a specific elliptic lines and set of mathematical constants, as specified in a standard tabbed secp256k1, established by the National Institute of Standards and Technology (NIST). The secp256k1 lines is specified by the pursuit function, which produces an elliptic curve: \begin{equation} {y^2 = (x^3 + 7)}~\text{over}~(\mathbb{F}_p) \end{equation} or \begin{equation} {y^2 \mod p = (x^3 + 7) \mod p} \end{equation} The mod p (modulo prime number p) indicates that this lines is over a finite field of prime order p, moreover written as \(\mathbb{F}_p\), where p = 2256 – 232 – 29 – 28 – 27 – 26 – 24 – 1, a very large prime number.Consideringthis lines is specified over a finite field of prime order instead of over the real numbers, it looks like a pattern of dots scattered in two dimensions, which makes it difficult to visualize. However, the math is identical as that of an elliptic lines over the real numbers. As an example, [ecc-over-F17-math] shows the same elliptic lines over a much smaller finite field of prime order 17, showing a pattern of dots on a grid. The secp256k1 bitcoin elliptic lines can be thought of as a much increasingly ramified pattern of dots on a unfathomably large grid.Icon15. Elliptic lines cryptography: visualizing an elliptic lines over F(p), with p=17 So, for example, the pursuit is a point P with coordinates (x,y) that is a point on the secp256k1 curve. You can trammels this yourself using Python: P = (55066263022277343669578718895168534326250603453777594175500187360389116729240, 32670510020758816978083085130507043184471273380659243275938904335757337482424) In elliptic lines math, there is a point tabbed the "point at infinity," which roughly corresponds to the role of 0 in addition. On computers, it’s sometimes represented by x = y = 0 (which doesn’t satisfy the elliptic lines equation, but it’s an easy separate specimen that can be checked). There is moreover a + operator, tabbed "addition," which has some properties similar to the traditional wing of real numbers that grade school children learn. Given two points P1 and P2 on the elliptic curve, there is a third point P3 = P1 + P2, moreover on the elliptic curve. Geometrically, this third point P3 is calculated by drawing a line between P1 and P2. This line will intersect the elliptic lines in exactly one spare place.Undeniabilitythis point P3' = (x, y). Then reflect in the x-axis to get P3 = (x, –y). There are a couple of special cases that explain the need for the "point at infinity." If P1 and P2 are the same point, the line "between" P1 and P2 should proffer to be the tangent on the lines at this point P1. This tangent will intersect the lines in exactly one new point. You can use techniques from calculus to determine the slope of the tangent line. These techniques curiously work, plane though we are restricting our interest to points on the lines with two integer coordinates! In some cases (i.e., if P1 and P2 have the same x values but variegated y values), the tangent line will be exactly vertical, in which specimen P3 = "point at infinity." If P1 is the "point at infinity," then the sum P1 + P2 = P2. Similary, if P2 is the point at infinity, then P1 + P2 = P1. This shows how the point at infinity plays the role of 0. It turns out that + is associative, which ways that (A + B) + C = A + (B + C). That ways we can write A + B + C without parentheses without any ambiguity. Now that we have specified addition, we can pinpoint multiplication in the standard way that extends addition. For a point P on the elliptic curve, if k is a whole number, then kP = P + P + P + … + P (k times). Note that k is sometimes confusingly tabbed an "exponent" in this case. Generating a Public Key Starting with a private key in the form of a randomly generated number k, we multiply it by a predetermined point on the lines tabbed the generator point G to produce flipside point somewhere else on the curve, which is the respective public key K. The generator point is specified as part of the secp256k1 standard and is unchangingly the same for all keys in bitcoin: \begin{equation} {K = k * G} \end{equation} where k is the private key, G is the generator point, and K is the resulting public key, a point on the curve.Consideringthe generator point is unchangingly the same for all bitcoin users, a private key k multiplied with G will unchangingly result in the same public key K. The relationship between k and K is fixed, but can only be calculated in one direction, from k to K. That’s why a bitcoin write (derived from K) can be shared with anyone and does not reveal the user’s private key (k). Tip A private key can be converted into a public key, but a public key cannot be converted when into a private key considering the math only works one way. Implementing the elliptic lines multiplication, we take the private key k generated previously and multiply it with the generator point G to find the public key K: K = 1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD * G Public Key K is specified as a point K = (x,y): K = (x, y) where, x = F028892BAD7ED57D2FB57BF33081D5CFCF6F9ED3D3D7F159C2E2FFF579DC341A y = 07CF33DA18BD734C600B96A72BBC4749D5141C90EC8AC328AE52DDFE2E505BDB To visualize multiplication of a point with an integer, we will use the simpler elliptic lines over the real numbers—remember, the math is the same. Our goal is to find the multiple kG of the generator point G. That is the same as subtracting G to itself, k times in a row. In elliptic curves, subtracting a point to itself is the equivalent of drawing a tangent line on the point and finding where it intersects the lines again, then reflecting that point on the x-axis. [ecc_illustrated] shows the process for deriving G, 2G, 4G, as a geometric operation on the curve. Tip Most bitcoin implementations use the OpenSSL cryptographic library to do the elliptic lines math. For example, to derive the public key, the function EC_POINT_mul() is used.Icon16. Elliptic lines cryptography: Visualizing the multiplication of a point G by an integer k on an elliptic lines Bitcoin Addresses A bitcoin write is a string of digits and notation that can be shared with anyone who wants to send you money. Addresses produced from public keys consist of a string of numbers and letters, whence with the digit "1". Here’s an example of a bitcoin address: 1J7mdg5rbQyUHENYdx39WVWK7fsLpEoXZy The bitcoin write is what appears most wontedly in a transaction as the "recipient" of the funds. If we were to compare a bitcoin transaction to a paper check, the bitcoin write is the beneficiary, which is what we write on the line without "Pay to the order of." On a paper check, that payee can sometimes be the name of a wall worth holder, but can moreover include corporations, institutions, or plane cash.Consideringpaper checks do not need to specify an account, but rather use an utopian name as the recipient of funds, that makes paper checks very flexible as payment instruments. Bitcoin transactions use a similar abstraction, the bitcoin address, to make them very flexible. A bitcoin write can represent the owner of a private/public key pair, or it can represent something else, such as a payment script, as we will see in [p2sh]. For now, let’s examine the simple case, a bitcoin write that represents, and is derived from, a public key. The bitcoin write is derived from the public key through the use of one-way cryptographic hashing. A "hashing algorithm" or simply "hash algorithm" is a one-way function that produces a fingerprint or "hash" of an arbitrary-sized input. Cryptographic hash functions are used extensively in bitcoin: in bitcoin addresses, in script addresses, and in the mining proof-of-work algorithm. The algorithms used to make a bitcoin write from a public key are the Secure Hash Algorithm (SHA) and the RACE Integrity Primitives Evaluation MessageRewording(RIPEMD), specifically SHA256 and RIPEMD160. Starting with the public key K, we compute the SHA256 hash and then compute the RIPEMD160 hash of the result, producing a 160-bit (20-byte) number: \begin{equation} {A = RIPEMD160(SHA256(K))} \end{equation} where K is the public key and A is the resulting bitcoin address. Tip A bitcoin write is not the same as a public key. Bitcoin addresses are derived from a public key using a one-way function. Bitcoin addresses are scrutinizingly unchangingly presented to users in an encoding tabbed "Base58Check" (see [base58]), which uses 58 notation (a Base58 number system) and a checksum to help human readability, stave ambiguity, and protect versus errors in write transcription and entry. Base58Check is moreover used in many other ways in bitcoin, whenever there is a need for a user to read and correctly transcribe a number, such as a bitcoin address, a private key, an encrypted key, or a script hash. In the next section we will examine the mechanics of Base58Check encoding and decoding, and the resulting representations. [pubkey_to_address] illustrates the conversion of a public key into a bitcoin address.Icon17. Public key to bitcoin address: conversion of a public key into a bitcoin write Base58 and Base58Check Encoding In order to represent long numbers in a meaty way, using fewer symbols, many computer systems use mixed-alphanumeric representations with a wiring (or radix) higher than 10. For example, whereas the traditional decimal system uses the 10 numerals 0 through 9, the hexadecimal system uses 16, with the reports A through F as the six spare symbols. A number represented in hexadecimal format is shorter than the equivalent decimal representation.Planeincreasingly compact, Base-64 representation uses 26 lower-case letters, 26 wanted letters, 10 numerals, and two increasingly notation such as "+" and "/" to transmit binary data over text-based media such as email. Base-64 is most wontedly used to add binary attachments to email. Base58 is a text-based binary-encoding format ripened for use in bitcoin and used in many other cryptocurrencies. It offers a wastefulness between meaty representation, readability, and error detection and prevention. Base58 is a subset of Base64, using the upper- and lowercase reports and numbers, but omitting some notation that are wontedly mistaken for one flipside and can towards identical when displayed in unrepealable fonts. Specifically, Base58 is Base64 without the 0 (number zero), O (capital o), l (lower L), I (capital i), and the symbols "\+" and "/". Or, increasingly simply, it is a set of lower and wanted reports and numbers without the four (0, O, l, I) just mentioned. Example 9. bitcoin’s Base58 alphabet 123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz To add uneaten security versus typos or transcription errors, Base58Check is a Base58 encoding format, wontedly used in bitcoin, which has a seated error-checking code. The checksum is an spare four bytes widow to the end of the data that is stuff encoded. The checksum is derived from the hash of the encoded data and can therefore be used to snift and prevent transcription and typing errors. When presented with a Base58Check code, the decoding software will summate the checksum of the data and compare it to the checksum included in the code. If the two do not match, that indicates that an error has been introduced and the Base58Check data is invalid. For example, this prevents a mistyped bitcoin write from stuff wonted by the wallet software as a valid destination, an error that would otherwise result in loss of funds. To convert data (a number) into a Base58Check format, we first add a prefix to the data, tabbed the "version byte," which serves to hands identify the type of data that is encoded. For example, in the specimen of a bitcoin write the prefix is zero (0x00 in hex), whereas the prefix used when encoding a private key is 128 (0x80 in hex). A list of worldwide version prefixes is shown in [base58check_versions]. Next, we compute the "double-SHA" checksum, meaning we wield the SHA256 hash-algorithm twice on the previous result (prefix and data): checksum = SHA256(SHA256(prefix+data)) From the resulting 32-byte hash (hash-of-a-hash), we take only the first four bytes. These four bytes serve as the error-checking code, or checksum. The checksum is concatenated (appended) to the end. The result is well-balanced of three items: a prefix, the data, and a checksum. This result is encoded using the Base58 alphabet described previously. [base58check_encoding] illustrates the Base58Check encoding process.Icon18. Base58Check encoding: a Base58, versioned, and checksummed format for unambiguously encoding bitcoin data In bitcoin, most of the data presented to the user is Base58Check-encoded to make it compact, easy to read, and easy to snift errors. The version prefix in Base58Check encoding is used to create hands distinguishable formats, which when encoded in Base58 contain specific notation at the whence of the Base58Check-encoded payload. These notation make it easy for humans to identify the type of data that is encoded and how to use it. This is what differentiates, for example, a Base58Check-encoded bitcoin write that starts with a 1 from a Base58Check-encoded private key WIF format that starts with a 5. Some example version prefixes and the resulting Base58 notation are shown in [base58check_versions]. Table 1. Base58Check version prefix and encoded result examples Type Version prefix (hex) Base58 result prefix BitcoinWrite0x00 1 Pay-to-Script-HashWrite0x05 3 Bitcoin TestnetWrite0x6F m or n Private Key WIF 0x80 5, K or L BIP38 Encrypted Private Key 0x0142 6P BIP32 Extended Public Key 0x0488B21E xpub Let’s squint at the well-constructed process of creating a bitcoin address, from a private key, to a public key (a point on the elliptic curve), to a double-hashed write and finally, the Base58Check encoding. The C++ lawmaking in [addr_example] shows the well-constructed step-by-step process, from private key to Base58Check-encoded bitcoin address. The lawmaking example uses the libbitcoin library introduced in [alt_libraries] for some helper functions. Example 10. Creating a Base58Check-encoded bitcoin write from a private key The lawmaking uses a predefined private key so that it produces the same bitcoin write every time it is run, as shown in [addr_example_run]. Example 11. Compiling and running the addr lawmaking Key Formats Both private and public keys can be represented in a number of variegated formats. These representations all encode the same number, plane though they squint different. These formats are primarily used to make it easy for people to read and transcribe keys without introducing errors. Private key formats The private key can be represented in a number of variegated formats, all of which correspond to the same 256-bit number. [table_4-2] shows three worldwide formats used to represent private keys. Table 2. Private key representations (encoding formats) Type PrefixUnravelmentHex None 64 hexadecimal digits WIF 5 Base58Check encoding: Base58 with version prefix of 128 and 32-bit checksum WIF-compressed K or L As above, with widow suffix 0x01 surpassing encoding [table_4-3] shows the private key generated in these three formats. Table 3. Example: Same key, variegated formats Format Private Key Hex 1e99423a4ed27608a15a2616a2b0e9e52ced330ac530edcc32c8ffc6a526aedd WIF 5J3mBbAH58CpQ3Y5RNJpUKPE62SQ5tfcvU2JpbnkeyhfsYB1Jcn WIF-compressed KxFC1jmwwCoACiCAWZ3eXa96mBM6tb3TYzGmf6YwgdGWZgawvrtJ All of these representations are variegated ways of showing the same number, the same private key. They squint different, but any one format can hands be converted to any other format. We use the wif-to-ec writ from Bitcoin Explorer (see [libbitcoin]) to show that both WIF keys represent the same private key: $ bx wif-to-ec 5J3mBbAH58CpQ3Y5RNJpUKPE62SQ5tfcvU2JpbnkeyhfsYB1Jcn 1e99423a4ed27608a15a2616a2b0e9e52ced330ac530edcc32c8ffc6a526aedd $ bx wif-to-ec KxFC1jmwwCoACiCAWZ3eXa96mBM6tb3TYzGmf6YwgdGWZgawvrtJ 1e99423a4ed27608a15a2616a2b0e9e52ced330ac530edcc32c8ffc6a526aedd Decode from Base58Check The Bitcoin Explorer commands (see [libbitcoin]) make it easy to write shell scripts and command-line "pipes" that manipulate bitcoin keys, addresses, and transactions. You can use Bitcoin Explorer to decode the Base58Check format on the writ line. We use the base58check-decode writ to decode the uncompressed key: $ bx base58check-decode 5J3mBbAH58CpQ3Y5RNJpUKPE62SQ5tfcvU2JpbnkeyhfsYB1Jcn wrapper { checksum 4286807748 payload 1e99423a4ed27608a15a2616a2b0e9e52ced330ac530edcc32c8ffc6a526aedd version 128 } The result contains the key as payload, the Wallet Import Format (WIF) version prefix 128, and a checksum. Notice that the "payload" of the compressed key is appended with the suffix 01, signalling that the derived public key is to be compressed. $ bx base58check-decode KxFC1jmwwCoACiCAWZ3eXa96mBM6tb3TYzGmf6YwgdGWZgawvrtJ wrapper { checksum 2339607926 payload 1e99423a4ed27608a15a2616a2b0e9e52ced330ac530edcc32c8ffc6a526aedd01 version 128 } Encode from hex to Base58Check To encode into Base58Check (the opposite of the previous command), we use the base58check-encode writ from Bitcoin Explorer (see [libbitcoin]) and provide the hex private key, followed by the Wallet Import Format (WIF) version prefix 128: bx base58check-encode 1e99423a4ed27608a15a2616a2b0e9e52ced330ac530edcc32c8ffc6a526aedd --version 128 5J3mBbAH58CpQ3Y5RNJpUKPE62SQ5tfcvU2JpbnkeyhfsYB1Jcn Encode from hex (compressed key) to Base58Check To encode into Base58Check as a "compressed" private key (see [comp_priv]), we suspend the suffix 01 to the hex key and then encode as above: $ bx base58check-encode 1e99423a4ed27608a15a2616a2b0e9e52ced330ac530edcc32c8ffc6a526aedd01 --version 128 KxFC1jmwwCoACiCAWZ3eXa96mBM6tb3TYzGmf6YwgdGWZgawvrtJ The resulting WIF-compressed format starts with a "K". This denotes that the private key within has a suffix of "01" and will be used to produce compressed public keys only (see [comp_pub]). Public key formats Public keys are moreover presented in variegated ways, most importantly as either compressed or uncompressed public keys. As we saw previously, the public key is a point on the elliptic lines consisting of a pair of coordinates (x,y). It is usually presented with the prefix 04 followed by two 256-bit numbers, one for the x coordinate of the point, the other for the y coordinate. The prefix 04 is used to distinguish uncompressed public keys from compressed public keys that uncork with a 02 or a 03. Here’s the public key generated by the private key we created earlier, shown as the coordinates x and y: x = F028892BAD7ED57D2FB57BF33081D5CFCF6F9ED3D3D7F159C2E2FFF579DC341A y = 07CF33DA18BD734C600B96A72BBC4749D5141C90EC8AC328AE52DDFE2E505BDB Here’s the same public key shown as a 520-bit number (130 hex digits) with the prefix 04 followed by x and then y coordinates, as 04 x y: K = 04F028892BAD7ED57D2FB57BF33081D5CFCF6F9ED3D3D7F159C2E2FFF579DC341A↵ 07CF33DA18BD734C600B96A72BBC4749D5141C90EC8AC328AE52DDFE2E505BDB Compressed public keys Compressed public keys were introduced to bitcoin to reduce the size of transactions and conserve disk space on nodes that store the bitcoin blockchain database. Most transactions include the public key, required to validate the owner’s credentials and spend the bitcoin. Each public key requires 520 shit (prefix \+ x \+ y), which when multiplied by several hundred transactions per block, or tens of thousands of transactions per day, adds a significant value of data to the blockchain. As we saw in the section [pubkey], a public key is a point (x,y) on an elliptic curve.Consideringthe lines expresses a mathematical function, a point on the lines represents a solution to the equation and, therefore, if we know the x coordinate we can summate the y coordinate by solving the equation y2 mod p = (x3 + 7) mod p. That allows us to store only the x coordinate of the public key point, omitting the y coordinate and reducing the size of the key and the space required to store it by 256 bits. An scrutinizingly 50% reduction in size in every transaction adds up to a lot of data saved over time! Whereas uncompressed public keys have a prefix of 04, compressed public keys start with either a 02 or a 03 prefix. Let’s squint at why there are two possible prefixes: considering the left side of the equation is y2, that ways the solution for y is a square root, which can have a positive or negative value. Visually, this ways that the resulting y coordinate can be whilom the x-axis or unelevated the x-axis. As you can see from the graph of the elliptic lines in [ecc-curve], the lines is symmetric, meaning it is reflected like a mirror by the x-axis. So, while we can omit the y coordinate we have to store the sign of y (positive or negative), or in other words, we have to remember if it was whilom or unelevated the x-axis considering each of those options represents a variegated point and a variegated public key. When gingerly the elliptic lines in binary arithmetic on the finite field of prime order p, the y coordinate is either plane or odd, which corresponds to the positive/negative sign as explained earlier. Therefore, to distinguish between the two possible values of y, we store a compressed public key with the prefix 02 if the y is even, and 03 if it is odd, permitting the software to correctly deduce the y coordinate from the x coordinate and uncompress the public key to the full coordinates of the point. Public key pinch is illustrated in [pubkey_compression].Icon19. Public key pinch Here’s the same public key generated previously, shown as a compressed public key stored in 264 shit (66 hex digits) with the prefix 03 indicating the y coordinate is odd: K = 03F028892BAD7ED57D2FB57BF33081D5CFCF6F9ED3D3D7F159C2E2FFF579DC341A This compressed public key corresponds to the same private key, meaning that it is generated from the same private key. However, it looks variegated from the uncompressed public key.Increasinglyimportantly, if we convert this compressed public key to a bitcoin write using the double-hash function (RIPEMD160(SHA256(K))) it will produce a variegated bitcoin address. This can be confusing, considering it ways that a single private key can produce a public key expressed in two variegated formats (compressed and uncompressed) that produce two variegated bitcoin addresses. However, the private key is identical for both bitcoin addresses. Compressed public keys are gradually rhadamanthine the default wideness bitcoin clients, which is having a significant impact on reducing the size of transactions and therefore the blockchain. However, not all clients support compressed public keys yet. Newer clients that support compressed public keys have to worth for transactions from older clients that do not support compressed public keys. This is expressly important when a wallet using is importing private keys from flipside bitcoin wallet application, considering the new wallet needs to scan the blockchain to find transactions respective to these imported keys. Which bitcoin addresses should the bitcoin wallet scan for? The bitcoin addresses produced by uncompressed public keys, or the bitcoin addresses produced by compressed public keys? Both are valid bitcoin addresses, and can be signed for by the private key, but they are variegated addresses! To resolve this issue, when private keys are exported from a wallet, the Wallet Import Format that is used to represent them is implemented differently in newer bitcoin wallets, to indicate that these private keys have been used to produce compressed public keys and therefore compressed bitcoin addresses. This allows the importing wallet to distinguish between private keys originating from older or newer wallets and search the blockchain for transactions with bitcoin addresses respective to the uncompressed, or the compressed, public keys, respectively. Let’s squint at how this works in increasingly detail, in the next section. Compressed private keys Ironically, the term "compressed private key" is misleading, considering when a private key is exported as WIF-compressed it is unquestionably one byte longer than an "uncompressed" private key. That is considering it has the widow 01 suffix, which signifies it comes from a newer wallet and should only be used to produce compressed public keys. Private keys are not compressed and cannot be compressed. The term "compressed private key" really ways "private key from which compressed public keys should be derived," whereas "uncompressed private key" really ways "private key from which uncompressed public keys should be derived." You should only refer to the export format as "WIF-compressed" or "WIF" and not refer to the private key as "compressed" to stave remoter confusion. Remember, these formats are not used interchangeably. In a newer wallet that implements compressed public keys, the private keys will only overly be exported as WIF-compressed (with a K or L prefix). If the wallet is an older implementation and does not use compressed public keys, the private keys will only overly be exported as WIF (with a 5 prefix). The goal here is to signal to the wallet importing these private keys whether it must search the blockchain for compressed or uncompressed public keys and addresses. If a bitcoin wallet is worldly-wise to implement compressed public keys, it will use those in all transactions. The private keys in the wallet will be used to derive the public key points on the curve, which will be compressed. The compressed public keys will be used to produce bitcoin addresses and those will be used in transactions. When exporting private keys from a new wallet that implements compressed public keys, the Wallet Import Format is modified, with the wing of a one-byte suffix 01 to the private key. The resulting Base58Check-encoded private key is tabbed a "Compressed WIF" and starts with the letter K or L, instead of starting with "5" as is the specimen with WIF-encoded (non-compressed) keys from older wallets. [table_4-4] shows the same key, encoded in WIF and WIF-compressed formats. Table 4. Example: Same key, variegated formats Format Private Key Hex 1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD WIF 5J3mBbAH58CpQ3Y5RNJpUKPE62SQ5tfcvU2JpbnkeyhfsYB1Jcn Hex-compressed 1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD_01_ WIF-compressed KxFC1jmwwCoACiCAWZ3eXa96mBM6tb3TYzGmf6YwgdGWZgawvrtJ Tip "Compressed private keys" is a misnomer! They are not compressed; rather, the WIF-compressed format signifies that they should only be used to derive compressed public keys and their respective bitcoin addresses. Ironically, a "WIF-compressed" encoded private key is one byte longer considering it has the widow 01 suffix to distinguish it from an "uncompressed" one. Implementing Keys and Addresses in Python The most comprehensive bitcoin library in Python is pybitcointools by Vitalik Buterin. In [key-to-address_script], we use the pybitcointools library (imported as "bitcoin") to generate and exhibit keys and addresses in various formats. Example 12. Key and write generation and formatting with the pybitcointools library [key-to-address_script_run] shows the output from running this code. Example 13. Running key-to-address-ecc-example.py $ python key-to-address-ecc-example.py Private Key (hex) is: 3aba4162c7251c891207b747840551a71939b0de081f85c4e44cf7c13e41daa6 Private Key (decimal) is: 26563230048437957592232553826663696440606756685920117476832299673293013768870 Private Key (WIF) is: 5JG9hT3beGTJuUAmCQEmNaxAuMacCTfXuw1R3FCXig23RQHMr4K Private Key Compressed (hex) is: 3aba4162c7251c891207b747840551a71939b0de081f85c4e44cf7c13e41daa601 Private Key (WIF-Compressed) is: KyBsPXxTuVD82av65KZkrGrWi5qLMah5SdNq6uftawDbgKa2wv6S Public Key (x,y) coordinates is: (41637322786646325214887832269588396900663353932545912953362782457239403430124L, 16388935128781238405526710466724741593761085120864331449066658622400339362166L) Public Key (hex) is: 045c0de3b9c8ab18dd04e3511243ec2952002dbfadc864b9628910169d9b9b00ec↵ 243bcefdd4347074d44bd7356d6a53c495737dd96295e2a9374bf5f02ebfc176 Compressed Public Key (hex) is: 025c0de3b9c8ab18dd04e3511243ec2952002dbfadc864b9628910169d9b9b00ec BitcoinWrite(b58check) is: 1thMirt546nngXqyPEz532S8fLwbozud8 Compressed BitcoinWrite(b58check) is: 14cxpo3MBCYYWCgF74SWTdcmxipnGUsPw3 [ec_math] is flipside example, using the Python ECDSA library for the elliptic lines math and without using any specialized bitcoin libraries. Example 14. A script demonstrating elliptic lines math used for bitcoin keys [ec_math_run] shows the output produced by running this script. Note The example whilom uses os.urandom, which reflects a cryptographically secure random number generator (CSRNG) provided by the underlying operating system. In the specimen of an UNIX-like operating system such as Linux, it draws from /dev/urandom; and in the specimen of Windows, calls CryptGenRandom(). If a suitable randomness source is not found, NotImplementedError will be raised. While the random number generator used here is for sit-in purposes, it is not towardly for generating production-quality bitcoin keys as it is not implemented with sufficient security. Example 15. Installing the Python ECDSA library and running the ec_math.py script $ # Install Python PIP package manager $ sudo apt-get install python-pip $ # Install the Python ECDSA library $ sudo pip install ecdsa $ # Run the script $ python ec-math.py Secret: 38090835015954358862481132628887443905906204995912378278060168703580660294000 EC point: (70048853531867179489857750497606966272382583471322935454624595540007269312627, 105262206478686743191060800263479589329920209527285803935736021686045542353380) BTC public key: 029ade3effb0a67d5c8609850d797366af428f4a0d5194cb221d807770a1522873 Wallets Wallets are containers for private keys, usually implemented as structured files or simple databases.Flipsidemethod for making keys is deterministic key generation. Here you derive each new private key, using a one-way hash function from a previous private key, linking them in a sequence. As long as you can re-create that sequence, you only need the first key (known as a seed or master key) to generate them all. In this section we will examine the variegated methods of key generation and the wallet structures that are built virtually them. Tip Bitcoin wallets contain keys, not coins. Each user has a wallet containing keys. Wallets are really keychains containing pairs of private/public keys (see [private_public_keys]). Users sign transactions with the keys, thereby proving they own the transaction outputs (their coins). The coins are stored on the blockchain in the form of transaction-ouputs (often noted as vout or txout). Nondeterministic (Random) Wallets In the first bitcoin clients, wallets were simply collections of randomly generated private keys. This type of wallet is tabbed a Type-0 nondeterministic wallet. For example, the BitcoinCadreclient pregenerates 100 random private keys when first started and generates increasingly keys as needed, using each key only once. This type of wallet is nicknamed "Just aTuftOf Keys," or JBOK, and such wallets are stuff replaced with deterministic wallets considering they are cumbersome to manage, when up, and import. The disadvantage of random keys is that if you generate many of them you must alimony copies of all of them, meaning that the wallet must be backed up frequently. Each key must be backed up, or the funds it controls are irrevocably lost if the wallet becomes inaccessible. This conflicts directly with the principle of lamister write re-use, by using each bitcoin write for only one transaction.Writere-use reduces privacy by associating multiple transactions and addresses with each other. A Type-0 nondeterministic wallet is a poor nomination of wallet, expressly if you want to stave write re-use considering that ways managing many keys, which creates the need for frequent backups. Although the BitcoinCadreclient includes a Type-0 wallet, using this wallet is discouraged by developers of Bitcoin Core. [Type0_wallet] shows a nondeterministic wallet, containing a loose hodgepodge of random keys. Deterministic (Seeded) Wallets Deterministic, or "seeded" wallets are wallets that contain private keys that are all derived from a worldwide seed, through the use of a one-way hash function. The seed is a randomly generated number that is combined with other data, such as an alphabetize number or "chain code" (see [hd_wallets]) to derive the private keys. In a deterministic wallet, the seed is sufficient to recover all the derived keys, and therefore a single replacement at megacosm time is sufficient. The seed is moreover sufficient for a wallet export or import, permitting for easy migration of all the user’s keys between variegated wallet implementations.Icon20. Type-0 nondeterministic (random) wallet: a hodgepodge of randomly generated keys MnemonicLawmakingWords Mnemonic codes are English word sequences that represent (encode) a random number used as a seed to derive a deterministic wallet. The sequence of words is sufficient to re-create the seed and from there re-create the wallet and all the derived keys. A wallet using that implements deterministic wallets with mnemonic lawmaking will show the user a sequence of 12 to 24 words when first creating a wallet. That sequence of words is the wallet replacement and can be used to recover and re-create all the keys in the same or any uniform wallet application. Mnemonic lawmaking words make it easier for users to when up wallets considering they are easy to read and correctly transcribe, as compared to a random sequence of numbers. Mnemonic codes are specified in BitcoinResurgenceProposal 39 (see [bip0039]), currently inTyphoonstatus. Note that BIP0039 is a typhoon proposal and not a standard. Specifically, there is a variegated standard, with a variegated set of words, used by the Electrum wallet and predating BIP0039. BIP0039 is used by the Trezor wallet and a few other wallets but is incompatible with Electrum’s implementation. BIP0039 defines the megacosm of a mnemonic lawmaking and seed as a follows: Create a random sequence (entropy) of 128 to 256 bits. Create a checksum of the random sequence by taking the first few shit of its SHA256 hash. Add the checksum to the end of the random sequence. Divide the sequence into sections of 11 bits, using those to alphabetize a wordlist of 2048 predefined words. Produce 12 to 24 words representing the mnemonic code. [table_4-5] shows the relationship between the size of entropy data and the length of mnemonic codes in words. Table 5. Mnemonic codes: entropy and word length Entropy (bits) Checksum (bits) Entropy+checksum Word length 128 4 132 12 160 5 165 15 192 6 198 18 224 7 231 21 256 8 264 24 The mnemonic lawmaking represents 128 to 256 bits, which are used to derive a longer (512-bit) seed through the use of the key-stretching function PBKDF2. The resulting seed is used to create a deterministic wallet and all of its derived keys. Tables #table_4-6 and #table_4-7 show some examples of mnemonic codes and the seeds they produce. Table 6. 128-bit entropy mnemonic lawmaking and resulting seed Entropy input (128 bits) 0c1e24e5917779d297e14d45f14e1a1a Mnemonic (12 words) unwashed van defense siphon jealous true garbage requirement reverberate media make crunch Seed (512 bits) 3338a6d2ee71c7f28eb5b882159634cd46a898463e9d2d0980f8e80dfbba5b0fa0291e5fb88 8a599b44b93187be6ee3ab5fd3ead7dd646341b2cdb8d08d13bf7 Table 7. 256-bit entropy mnemonic lawmaking and resulting seed Entropy input (256 bits) 2041546864449caff939d32d574753fe684d3c947c3346713dd8423e74abcf8c Mnemonic (24 words) confection world infringe silk endorse fitness top withholding whorl riot stay wolf luggage oxygen faint major edit measure invite love trap field dilemma oblige Seed (512 bits) 3972e432e99040f75ebe13a660110c3e29d131a2c808c7ee5f1631d0a977fcf473bee22 fce540af281bf7cdeade0dd2c1c795bd02f1e4049e205a0158906c343 Hierarchical Deterministic Wallets (BIP0032/BIP0044) Deterministic wallets were ripened to make it easy to derive many keys from a single "seed." The most wide form of deterministic wallets is the hierarchical deterministic wallet or HD wallet specified by the BIP0032 standard. Hierarchical deterministic wallets contain keys derived in a tree structure, such that a parent key can derive a sequence of children keys, each of which can derive a sequence of grandchildren keys, and so on, to an infinite depth. This tree structure is illustrated in [Type2_wallet].Icon21. Type-2 hierarchical deterministic wallet: a tree of keys generated from a single seed Tip If you are implementing a bitcoin wallet, it should be built as an HD wallet pursuit the BIP0032 and BIP0044 standards. HD wallets offer two major advantages over random (nondeterministic) keys. First, the tree structure can be used to express spare organizational meaning, such as when a specific workshop of subkeys is used to receive incoming payments and a variegated workshop is used to receive transpiration from outgoing payments. Branches of keys can moreover be used in a corporate setting, allocating variegated branches to departments, subsidiaries, specific functions, or written categories. The second wholesomeness of HD wallets is that users can create a sequence of public keys without having wangle to the respective private keys. This allows HD wallets to be used on an insecure server or in a receive-only capacity, issuing a variegated public key for each transaction. The public keys do not need to be preloaded or derived in advance, yet the server doesn’t have the private keys that can spend the funds. HD wallet megacosm from a seed HD wallets are created from a single root seed, which is a 128-, 256-, or 512-bit random number. Everything else in the HD wallet is deterministically derived from this root seed, which makes it possible to re-create the unshortened HD wallet from that seed in any uniform HD wallet. This makes it easy to when up, restore, export, and import HD wallets containing thousands or plane millions of keys by simply transferring only the root seed. The root seed is most often represented by a mnemonic word sequence, as described in the previous section [mnemonic_code_words], to make it easier for people to transcribe and store it. The process of creating the master keys and master uniting lawmaking for an HD wallet is shown in [HDWalletFromSeed].Icon22. Creating master keys and uniting lawmaking from a root seed The root seed is input into the HMAC-SHA512 algorithm and the resulting hash is used to create a master private key (m) and a master uniting code. The master private key (m) then generates a respective master public key (M), using the normal elliptic lines multiplication process m * G that we saw older in this chapter. The uniting lawmaking is used to introduce entropy in the function that creates child keys from parent keys, as we will see in the next section. Private child key derivation Hierarchical deterministic wallets use a child key derivation (CKD) function to derive children keys from parent keys. The child key derivation functions are based on a one-way hash function that combines: A parent private or public key (ECDSA uncompressed key) A seed tabbed a uniting lawmaking (256 bits) An alphabetize number (32 bits) The uniting lawmaking is used to introduce seemingly random data to the process, so that the alphabetize is not sufficient to derive other child keys. Thus, having a child key does not make it possible to find its siblings, unless you moreover have the uniting code. The initial uniting lawmaking seed (at the root of the tree) is made from random data, while subsequent uniting codes are derived from each parent uniting code. These three items are combined and hashed to generate children keys, as follows. The parent public key, uniting code, and the alphabetize number are combined and hashed with the HMAC-SHA512 algorithm to produce a 512-bit hash. The resulting hash is split into two halves. The right-half 256 shit of the hash output wilt the uniting lawmaking for the child. The left-half 256 shit of the hash and the alphabetize number are widow to the parent private key to produce the child private key. In [CKDpriv], we see this illustrated with the alphabetize set to 0 to produce the 0’th (first by index) child of the parent.Icon23. Extending a parent private key to create a child private keyWafflythe alphabetize allows us to proffer the parent and create the other children in the sequence, e.g., Child 0, Child 1, Child 2, etc. Each parent key can have 2 billion children keys. Repeating the process one level lanugo the tree, each child can in turn wilt a parent and create its own children, in an infinite number of generations. Using derived child keys Child private keys are indistinguishable from nondeterministic (random) keys.Consideringthe derivation function is a one-way function, the child key cannot be used to find the parent key. The child key moreover cannot be used to find any siblings. If you have the nth child, you cannot find its siblings, such as the n–1 child or the n+1 child, or any other children that are part of the sequence. Only the parent key and uniting lawmaking can derive all the children. Without the child uniting code, the child key cannot be used to derive any grandchildren either. You need both the child private key and the child uniting lawmaking to start a new workshop and derive grandchildren. So what can the child private key be used for on its own? It can be used to make a public key and a bitcoin address. Then, it can be used to sign transactions to spend anything paid to that address. Tip A child private key, the respective public key, and the bitcoin write are all indistinguishable from keys and addresses created randomly. The fact that they are part of a sequence is not visible, outside of the HD wallet function that created them. Once created, they operate exactly as "normal" keys. Extended keys As we saw earlier, the key derivation function can be used to create children at any level of the tree, based on the three inputs: a key, a uniting code, and the alphabetize of the desired child. The two essential ingredients are the key and uniting code, and combined these are tabbed an extended key. The term "extended key" could moreover be thought of as "extensible key" considering such a key can be used to derive children. Extended keys are stored and represented simply as the concatenation of the 256-bit key and 256-bit uniting lawmaking into a 512-bit sequence. There are two types of extended keys. An extended private key is the combination of a private key and uniting lawmaking and can be used to derive child private keys (and from them, child public keys). An extended public key is a public key and uniting code, which can be used to create child public keys, as described in [public_key_derivation]. Think of an extended key as the root of a workshop in the tree structure of the HD wallet. With the root of the branch, you can derive the rest of the branch. The extended private key can create a well-constructed branch, whereas the extended public key can only create a workshop of public keys. Tip An extended key consists of a private or public key and uniting code. An extended key can create children, generating its own workshop in the tree structure. Sharing an extended key gives wangle to the unshortened branch. Extended keys are encoded using Base58Check, to hands export and import between variegated BIP0032-compatible wallets. The Base58Check coding for extended keys uses a special version number that results in the prefix "xprv" and "xpub" when encoded in Base58 characters, to make them hands recognizable.Consideringthe extended key is 512 or 513 bits, it is moreover much longer than other Base58Check-encoded strings we have seen previously. Here’s an example of an extended private key, encoded in Base58Check: xprv9tyUQV64JT5qs3RSTJkXCWKMyUgoQp7F3hA1xzG6ZGu6u6Q9VMNjGr67Lctvy5P8oyaYAL9CAWrUE9i6GoNMKUga5biW6Hx4tws2six3b9c Here’s the respective extended public key, moreover encoded in Base58Check: xpub67xpozcx8pe95XVuZLHXZeG6XWXHpGq6Qv5cmNfi7cS5mtjJ2tgypeQbBs2UAR6KECeeMVKZBPLrtJunSDMstweyLXhRgPxdp14sk9tJPW9 Public child key derivation As mentioned previously, a very useful foible of hierarchical deterministic wallets is the worthiness to derive public child keys from public parent keys, without having the private keys. This gives us two ways to derive a child public key: either from the child private key, or directly from the parent public key. An extended public key can be used, therefore, to derive all of the public keys (and only the public keys) in that workshop of the HD wallet structure. This shortcut can be used to create very secure public-key-only deployments where a server or using has a reprinting of an extended public key and no private keys whatsoever. That kind of deployment can produce an infinite number of public keys and bitcoin addresses, but cannot spend any of the money sent to those addresses. Meanwhile, on another, increasingly secure server, the extended private key can derive all the respective private keys to sign transactions and spend the money. One worldwide using of this solution is to install an extended public key on a web server that serves an ecommerce application. The web server can use the public key derivation function to create a new bitcoin write for every transaction (e.g., for a consumer shopping cart). The web server will not have any private keys that would be vulnerable to theft. Without HD wallets, the only way to do this is to generate thousands of bitcoin addresses on a separate secure server and then preload them on the ecommerce server. That tideway is cumbersome and requires unvarying maintenance to ensure that the ecommerce server doesn’t "run out" of keys.Flipsidecommon using of this solution is for cold-storage or hardware wallets. In that scenario, the extended private key can be stored on a paper wallet or hardware device (such as a Trezor hardware wallet), while the extended public key can be kept online. The user can create "receive" addresses at will, while the private keys are safely stored offline. To spend the funds, the user can use the extended private key on an offline signing bitcoin vendee or sign transactions on the hardware wallet device (e.g., Trezor). [CKDpub] illustrates the mechanism for extending a parent public key to derive child public keys.Icon24. Extending a parent public key to create a child public key Hardened child key derivation The worthiness to derive a workshop of public keys from an extended public key is very useful, but it comes with a potential risk.Wangleto an extended public key does not requite wangle to child private keys. However, considering the extended public key contains the uniting code, if a child private key is known, or somehow leaked, it can be used with the uniting lawmaking to derive all the other child private keys. A single leaked child private key, together with a parent uniting code, reveals all the private keys of all the children. Worse, the child private key together with a parent uniting lawmaking can be used to deduce the parent private key. To counter this risk, HD wallets use an volitional derivation function tabbed hardened derivation, which "breaks" the relationship between parent public key and child uniting code. The hardened derivation function uses the parent private key to derive the child uniting code, instead of the parent public key. This creates a "firewall" in the parent/child sequence, with a uniting lawmaking that cannot be used to compromise a parent or sibling private key. The hardened derivation function looks scrutinizingly identical to the normal child private key derivation, except that the parent private key is used as input to the hash function, instead of the parent public key, as shown in the diagram in [CKDprime].Icon25. Hardened derivation of a child key; omits the parent public key When the hardened private derivation function is used, the resulting child private key and uniting lawmaking are completely variegated from what would result from the normal derivation function. The resulting "branch" of keys can be used to produce extended public keys that are not vulnerable, considering the uniting lawmaking they contain cannot be venal to reveal any private keys. Hardened derivation is therefore used to create a "gap" in the tree whilom the level where extended public keys are used. In simple terms, if you want to use the convenience of an extended public key to derive branches of public keys, without exposing yourself to the risk of a leaked uniting code, you should derive it from a hardened parent, rather than a normal parent. As a weightier practice, the level-1 children of the master keys are unchangingly derived through the hardened derivation, to prevent compromise of the master keys.Alphabetizenumbers for normal and hardened derivation The alphabetize number used in the derivation function is a 32-bit integer. To hands distinguish between keys derived through the normal derivation function versus keys derived through hardened derivation, this alphabetize number is split into two ranges.Alphabetizenumbers between 0 and 231–1 (0x0 to 0x7FFFFFFF) are used only for normal derivation.Alphabetizenumbers between 231 and 232–1 (0x80000000 to 0xFFFFFFFF) are used only for hardened derivation. Therefore, if the alphabetize number is less than 231, that ways the child is normal, whereas if the alphabetize number is equal or whilom 231, the child is hardened. To make the alphabetize number easier to read and display, the alphabetize number for hardened children is displayed starting from zero, but with a prime symbol. The first normal child key is therefore displayed as 0, whereas the first hardened child (index 0x80000000) is displayed as 0'. In sequence then, the second hardened key would have alphabetize 0x80000001 and would be displayed as 1', and so on. When you see an HD wallet alphabetize i', that ways 231+i. HD wallet key identifier (path) Keys in an HD wallet are identified using a "path" naming convention, with each level of the tree separated by a slash (/) weft (see [table_4-8]). Private keys derived from the master private key start with "m". Public keys derived from the master public key start with "M". Therefore, the first child private key of the master private key is m/0. The first child public key is M/0. The second grandchild of the first child is m/0/1, and so on. The "ancestry" of a key is read from right to left, until you reach the master key from which it was derived. For example, identifier m/x/y/z describes the key that is the z-th child of key m/x/y, which is the y-th child of key m/x, which is the x-th child of m. Table 8. HD wallet path examples HD path Key described m/0 The first (0) child private key from the master private key (m) m/0/0 The first grandchild private key of the first child (m/0) m/0'/0 The first normal grandchild of the first hardened child (m/0') m/1/0 The first grandchild private key of the second child (m/1) M/23/17/0/0 The first great-great-grandchild public key of the first great-grandchild of the 18th grandchild of the 24th child Navigating the HD wallet tree structure The HD wallet tree structure offers tremendous flexibility. Each parent extended key can have 4 billion children: 2 billion normal children and 2 billion hardened children. Each of those children can have flipside 4 billion children, and so on. The tree can be as deep as you want, with an infinite number of generations. With all that flexibility, however, it becomes quite difficult to navigate this infinite tree. It is expressly difficult to transfer HD wallets between implementations, considering the possibilities for internal organization into branches and subbranches are endless. Two BitcoinResurgenceProposals (BIPs) offer a solution to this complexity, by creating some proposed standards for the structure of HD wallet trees. BIP0043 proposes the use of the first hardened child alphabetize as a special identifier that signifies the "purpose" of the tree structure. Based on BIP0043, an HD wallet should use only one level-1 workshop of the tree, with the alphabetize number identifying the structure and namespace of the rest of the tree by defining its purpose. For example, an HD wallet using only workshop m/i'/ is intended to signify a specific purpose and that purpose is identified by alphabetize number "i". Extending that specification, BIP0044 proposes a multiaccount structure as "purpose" number 44' under BIP0043. All HD wallets pursuit the BIP0044 structure are identified by the fact that they only used one workshop of the tree: m/44'/. BIP0044 specifies the structure as consisting of five predefined tree levels: m / purpose' / coin_type' / account' / transpiration / address_index The first-level "purpose" is unchangingly set to 44'. The second-level "coin_type" specifies the type of cryptocurrency coin, permitting for multicurrency HD wallets where each currency has its own subtree under the second level. There are three currencies specified for now: Bitcoin is m/44'/0', Bitcoin Testnet is m/44'/1'; and Litecoin is m/44'/2'. The third level of the tree is "account," which allows users to subdivide their wallets into separate logical subaccounts, for written or organizational purposes. For example, an HD wallet might contain two bitcoin "accounts": m/44'/0'/0' and m/44'/0'/1'. Each worth is the root of its own subtree. On the fourth level, "change," an HD wallet has two subtrees, one for creating receiving addresses and one for creating transpiration addresses. Note that whereas the previous levels used hardened derivation, this level uses normal derivation. This is to indulge this level of the tree to export extended public keys for use in a nonsecured environment. Usable addresses are derived by the HD wallet as children of the fourth level, making the fifth level of the tree the "address_index." For example, the third receiving write for bitcoin payments in the primary worth would be M/44'/0'/0'/0/2. [table_4-9] shows a few increasingly examples. Table 9. BIP0044 HD wallet structure examples HD path Key described M/44'/0'/0'/0/2 The third receiving public key for the primary bitcoin worth M/44'/0'/3'/1/14 The fifteenth change-address public key for the fourth bitcoin worth m/44'/2'/0'/0/1 The second private key in the Litecoin main account, for signing transactions Experimenting with HD wallets using Bitcoin Explorer Using the Bitcoin Explorer command-line tool introduced in [ch03_bitcoin_client], you can experiment with generating and extending BIP0032 deterministic keys, as well as displaying them in variegated formats:WideKeys and Addresses In the pursuit sections we will squint at wide forms of keys and addresses, such as encrypted private keys, script and multisignature addresses, vanity addresses, and paper wallets. Encrypted Private Keys (BIP0038) Private keys must remain secret. The need for confidentiality of the private keys is a truism that is quite difficult to unzip in practice, considering it conflicts with the equally important security objective of availability. Keeping the private key private is much harder when you need to store backups of the private key to stave losing it. A private key stored in a wallet that is encrypted by a password might be secure, but that wallet needs to be backed up. At times, users need to move keys from one wallet to another—to upgrade or replace the wallet software, for example. Private key backups might moreover be stored on paper (see [paper_wallets]) or on external storage media, such as a USB wink drive. But what if the replacement itself is stolen or lost? These estranged security goals led to the introduction of a portable and user-friendly standard for encrypting private keys in a way that can be understood by many variegated wallets and bitcoin clients, standardized by BitcoinResurgenceProposal 38 or BIP0038 (see [bip0038]). BIP0038 proposes a worldwide standard for encrypting private keys with a passphrase and encoding them with Base58Check so that they can be stored securely on replacement media, transported securely between wallets, or kept in any other conditions where the key might be exposed. The standard for encryption uses theWideEncryption Standard (AES), a standard established by the National Institute of Standards and Technology (NIST) and used widely in data encryption implementations for commercial and military applications. A BIP0038 encryption scheme takes as input a bitcoin private key, usually encoded in the Wallet Import Format (WIF), as a Base58Check string with a prefix of "5". Additionally, the BIP0038 encryption scheme takes a passphrase—a long password—usually well-balanced of several words or a ramified string of alphanumeric characters. The result of the BIP0038 encryption scheme is a Base58Check-encoded encrypted private key that begins with the prefix 6P. If you see a key that starts with 6P, that ways it is encrypted and requires a passphrase in order to convert (decrypt) it when into a WIF-formatted private key (prefix 5) that can be used in any wallet. Many wallet applications now recognize BIP0038-encrypted private keys and will prompt the user for a passphrase to decrypt and import the key. Third-party applications, such as the incredibly useful browser-based BitWrite(Wallet Details tab), can be used to decrypt BIP0038 keys. The most worldwide use specimen for BIP0038 encrypted keys is for paper wallets that can be used to when up private keys on a piece of paper. As long as the user selects a strong passphrase, a paper wallet with BIP0038 encrypted private keys is incredibly secure and a unconfined way to create offline bitcoin storage (also known as "cold storage"). Test the encrypted keys in [table_4-10] using bitaddress.org to see how you can get the decrypted key by inward the passphrase. Table 10. Example of BIP0038 encrypted private key Private Key (WIF) 5J3mBbAH58CpQ3Y5RNJpUKPE62SQ5tfcvU2JpbnkeyhfsYB1Jcn Passphrase MyTestPassphrase Encrypted Key (BIP0038) 6PRTHL6mWa48xSopbU1cKrVjpKbBZxcLRRCdctLJ3z5yxE87MobKoXdTsJ Pay-to-Script Hash (P2SH) and Multi-Sig Addresses As we know, traditional bitcoin addresses uncork with the number “1” and are derived from the public key, which is derived from the private key. Although anyone can send bitcoin to a “1” address, that bitcoin can only be spent by presenting the respective private key signature and public key hash. Bitcoin addresses that uncork with the number “3” are pay-to-script hash (P2SH) addresses, sometimes erroneously tabbed multi-signature or multi-sig addresses. They designate the payee of a bitcoin transaction as the hash of a script, instead of the owner of a public key. The full-length was introduced in January 2012 with BitcoinResurgenceProposal 16, or BIP0016 (see [bip0016]), and is stuff widely unexplored considering it provides the opportunity to add functionality to the write itself. Unlike transactions that "send" funds to traditional “1” bitcoin addresses, moreover known as pay-to-public-key-hash (P2PKH), funds sent to “3” addresses require something increasingly than the presentation of one public key hash and one private key signature as proof of ownership. The requirements are designated at the time the write is created, within the script, and all inputs to this write will be encumbered with the same requirements. A pay-to-script hash write is created from a transaction script, which defines who can spend a transaction output (for increasingly detail, see [p2sh]). Encoding a pay-to-script hash write involves using the same double-hash function as used during megacosm of a bitcoin address, only unromantic on the script instead of the public key: script hash = RIPEMD160(SHA256(script)) The resulting "script hash" is encoded with Base58Check with a version prefix of 5, which results in an encoded write starting with a 3. An example of a P2SH write is 3F6i6kwkevjR7AsAd4te2YB2zZyASEm1HM, which can be derived using the Bitcoin Explorer commands script-encode, sha256, ripemd160, and base58check-encode (see [libbitcoin]) as follows: $ reverberate dup hash160 [ 89abcdefabbaabbaabbaabbaabbaabbaabbaabba ] equalverify checksig > script $ bx script-encode < script | bx sha256 | bx ripemd160 | bx base58check-encode --version 5 3F6i6kwkevjR7AsAd4te2YB2zZyASEm1HM Tip P2SH is not necessarily the same as a multi-signature standard transaction. A P2SH write most often represents a multi-signature script, but it might moreover represent a script encoding other types of transactions. Multi-signature addresses and P2SH Currently, the most worldwide implementation of the P2SH function is the multi-signature write script. As the name implies, the underlying script requires increasingly than one signature to prove ownership and therefore spend funds. The bitcoin multi-signature full-length is designed to require M signatures (also known as the “threshold”) from a total of N keys, known as an M-of-N multi-sig, where M is equal to or less than N. For example, Bob the coffee shop owner from [ch01_intro_what_is_bitcoin] could use a multi-signature write requiring 1-of-2 signatures from a key belonging to him and a key belonging to his spouse, ensuring either of them could sign to spend a transaction output locked to this address. This would be similar to a “joint account” as implemented in traditional financial where either spouse can spend with a single signature. Or Gopesh, the web designer paid by Bob to create a website, might have a 2-of-3 multi-signature write for his merchantry that ensures that no funds can be spent unless at least two of the merchantry partners sign a transaction. We will explore how to create transactions that spend funds from P2SH (and multi-signature) addresses in [transactions]. Vanity Addresses Vanity addresses are valid bitcoin addresses that contain human-readable messages. For example, 1LoveBPzzD72PUXLzCkYAtGFYmK5vYNR33 is a valid write that contains the reports forming the word "Love" as the first four Base-58 letters. Vanity addresses require generating and testing billions of candidate private keys, until one derives a bitcoin write with the desired pattern. Although there are some optimizations in the vanity generation algorithm, the process substantially involves picking a private key at random, deriving the public key, deriving the bitcoin address, and checking to see if it matches the desired vanity pattern, repeating billions of times until a match is found. Once a vanity write matching the desired pattern is found, the private key from which it was derived can be used by the owner to spend bitcoins in exactly the same way as any other address. Vanity addresses are no less or increasingly secure than any other address. They depend on the same EllipticLinesCryptography (ECC) and Secure Hash Algorithm (SHA) as any other address. You can no increasingly hands find the private key of an write starting with a vanity pattern than you can any other address. In [ch01_intro_what_is_bitcoin], we introduced Eugenia, a children’s soft-heartedness director operating in the Philippines. Let’s say that Eugenia is organizing a bitcoin fundraising momentum and wants to use a vanity bitcoin write to publicize the fundraising. Eugenia will create a vanity write that starts with "1Kids" to promote the children’s soft-heartedness fundraiser. Let’s see how this vanity write will be created and what it ways for the security of Eugenia’s charity. Generating vanity addresses It’s important to realize that a bitcoin write is simply a number represented by symbols in the Base58 alphabet. The search for a pattern like "1Kids" can be seen as searching for an write in the range from 1Kids11111111111111111111111111111 to 1Kidszzzzzzzzzzzzzzzzzzzzzzzzzzzzz. There are approximately 5829 (approximately 1.4 * 1051) addresses in that range, all starting with "1Kids". [table_4-11] shows the range of addresses that have the prefix 1Kids. Table 11. The range of vanity addresses starting with "1Kids" From 1Kids11111111111111111111111111111 1Kids11111111111111111111111111112 1Kids11111111111111111111111111113 … To 1Kidszzzzzzzzzzzzzzzzzzzzzzzzzzzzz Let’s squint at the pattern "1Kids" as a number and see how wontedly we might find this pattern in a bitcoin write (see [table_4-12]). An stereotype desktop computer PC, without any specialized hardware, can search approximately 100,000 keys per second. Table 12. The frequency of a vanity pattern (1KidsCharity) and stereotype time-to-find on a desktop PC Length Pattern FrequencyStereotypesearch time 1 1K 1 in 58 keys < 1 milliseconds 2 1Ki 1 in 3,364 50 milliseconds 3 1Kid 1 in 195,000 < 2 seconds 4 1Kids 1 in 11 million 1 minute 5 1KidsC 1 in 656 million 1 hour 6 1KidsCh 1 in 38 billion 2 days 7 1KidsCha 1 in 2.2 trillion 3–4 months 8 1KidsChar 1 in 128 trillion 13–18 years 9 1KidsChari 1 in 7 quadrillion 800 years 10 1KidsCharit 1 in 400 quadrillion 46,000 years 11 1KidsCharity 1 in 23 quintillion 2.5 million years As you can see, Eugenia won’t be creating the vanity write "1KidsCharity" any time soon, plane if she had wangle to several thousand computers. Each spare weft increases the difficulty by a factor of 58. Patterns with increasingly than seven notation are usually found by specialized hardware, such as tailor-made desktops with multiple graphical processing units (GPUs). These are often repurposed bitcoin mining "rigs" that are no longer profitable for bitcoin mining but can be used to find vanity addresses. Vanity searches on GPU systems are many orders of magnitude faster than on a general-purpose CPU.Flipsideway to find a vanity write is to outsource the work to a pool of vanity miners, such as the pool at Vanity Pool. A pool is a service that allows those with GPU hardware to earn bitcoin searching for vanity addresses for others. For a small payment (0.01 bitcoin or approximately $5 at the time of this writing), Eugenia can outsource the search for a seven-character pattern vanity write and get results in a few hours instead of having to run a CPU search for months. Generating a vanity write is a brute-force exercise: try a random key, trammels the resulting write to see if it matches the desired pattern, repeat until successful. [vanity_miner_code] shows an example of a "vanity miner," a program designed to find vanity addresses, written in C++. The example uses the libbitcoin library, which we introduced in [alt_libraries]. Example 16. Vanity write miner Note The example whilom uses std::random_device. Depending on the implementation it may reflect a cryptographically secure random number generator (CSRNG) provided by the underlying operating system. In the specimen of UNIX-like operating system such as Linux, it draws from /dev/urandom. While the random number generator used here is for sit-in purposes, it is not towardly for generating production-quality bitcoin keys as it is not implemented with sufficient security. The example lawmaking must be compiled using a C compiler and linked versus the libbitcoin library (which must be first installed on that system). To run the example, run the vanity-miner++ executable with no parameters (see [vanity_miner_run]) and it will struggle to find a vanity write starting with "1kid". Example 17. Compiling and running the vanity-miner example The example lawmaking will take a few seconds to find a match for the three-character pattern "kid", as we can see when we use the time Unix writ to measure the execution time.Transpirationthe search pattern in the source lawmaking and see how much longer it takes for four- or five-character patterns! Vanity write security Vanity addresses can be used to enhance and to defeat security measures; they are truly a double-edged sword. Used to modernize security, a distinctive write makes it harder for adversaries to substitute their own write and fool your customers into paying them instead of you. Unfortunately, vanity addresses moreover make it possible for anyone to create an write that resembles any random address, or plane flipside vanity address, thereby fooling your customers. Eugenia could ventilate a randomly generated write (e.g., 1J7mdg5rbQyUHENYdx39WVWK7fsLpEoXZy) to which people can send their donations. Or, she could generate a vanity write that starts with 1Kids, to make it increasingly distinctive. In both cases, one of the risks of using a single stock-still write (rather than a separate dynamic write per donor) is that a thief might be worldly-wise to infiltrate your website and replace it with his own address, thereby diverting donations to himself. If you have advertised your donation write in a number of variegated places, your users may visually inspect the write surpassing making a payment to ensure it is the same one they saw on your website, on your email, and on your flyer. In the specimen of a random write like 1J7mdg5rbQyUHENYdx39WVWK7fsLpEoXZy, the stereotype user will perhaps inspect the first few notation "1J7mdg" and be satisfied that the write matches. Using a vanity write generator, someone with the intent to steal by substituting a similar-looking write can quickly generate addresses that match the first few characters, as shown in [table_4-13]. Table 13. Generating vanity addresses to match a random write Original RandomWrite1J7mdg5rbQyUHENYdx39WVWK7fsLpEoXZy Vanity (4 weft match) 1J7md1QqU4LpctBetHS2ZoyLV5d6dShhEy Vanity (5 weft match) 1J7mdgYqyNd4ya3UEcq31Q7sqRMXw2XZ6n Vanity (6 weft match) 1J7mdg5WxGENmwyJP9xuGhG5KRzu99BBCX So does a vanity write increase security? If Eugenia generates the vanity write 1Kids33q44erFfpeXrmDSz7zEqG2FesZEN, users are likely to squint at the vanity pattern word and a few notation beyond, for example noticing the "1Kids33" part of the address. That would gravity an attacker to generate a vanity write matching at least six notation (two more), expending an effort that is 3,364 times (58 × 58) higher than the effort Eugenia expended for her four-character vanity. Essentially, the effort Eugenia expends (or pays a vanity pool for) "pushes" the attacker into having to produce a longer pattern vanity. If Eugenia pays a pool to generate an 8-character vanity address, the attacker would be pushed into the realm of 10 characters, which is infeasible on a personal computer and expensive plane with a custom vanity-mining rig or vanity pool. What is affordable for Eugenia becomes unaffordable for the attacker, expressly if the potential reward of fraud is not upper unbearable to imbricate the forfeit of the vanity write generation. Paper Wallets Paper wallets are bitcoin private keys printed on paper. Often the paper wallet moreover includes the respective bitcoin write for convenience, but this is not necessary considering it can be derived from the private key. Paper wallets are a very constructive way to create backups or offline bitcoin storage, moreover known as "cold storage." As a replacement mechanism, a paper wallet can provide security versus the loss of key due to a computer mishap such as a nonflexible momentum failure, theft, or willy-nilly deletion. As a "cold storage" mechanism, if the paper wallet keys are generated offline and never stored on a computer system, they are much increasingly secure versus hackers, key-loggers, and other online computer threats. Paper wallets come in many shapes, sizes, and designs, but at a very vital level are just a key and an write printed on paper. [table_4-14] shows the simplest form of a paper wallet. Table 14. Simplest form of a paper wallet—a printout of the bitcoin write and private key. PublicWritePrivate Key (WIF) 1424C2F4bC9JidNjjTUZCbUxv6Sa1Mt62x 5J3mBbAH58CpQ3Y5RNJpUKPE62SQ5tfcvU2JpbnkeyhfsYB1Jcn Paper wallets can be generated hands using a tool such as the client-side JavaScript generator at bitaddress.org. This page contains all the lawmaking necessary to generate keys and paper wallets, plane while completely shredded from the Internet. To use it, save the HTML page on your local momentum or on an external USB wink drive. Disconnect from the Internet and unshut the file in a browser.Planebetter, marching your computer using a pristine operating system, such as a CD-ROM bootable Linux OS. Any keys generated with this tool while offline can be printed on a local printer over a USB subscription (not wirelessly), thereby creating paper wallets whose keys exist only on the paper and have never been stored on any online system. Put these paper wallets in a fireproof unscratched and "send" bitcoin to their bitcoin address, to implement a simple yet highly constructive "cold storage" solution. [paper_wallet_simple] shows a paper wallet generated from the bitaddress.org site.Icon26. An example of a simple paper wallet from bitaddress.org The disadvantage of the simple paper wallet system is that the printed keys are vulnerable to theft. A thief who is worldly-wise to proceeds wangle to the paper can either steal it or photograph the keys and take tenancy of the bitcoins locked with those keys. A increasingly sophisticated paper wallet storage system uses BIP0038 encrypted private keys. The keys printed on the paper wallet are protected by a passphrase that the owner has memorized. Without the passphrase, the encrypted keys are useless. Yet, they still are superior to a passphrase-protected wallet considering the keys have never been online and must be physically retrieved from a unscratched or other physically secured storage. [paper_wallet_encrypted] shows a paper wallet with an encrypted private key (BIP0038) created on the bitaddress.org site.Icon27. An example of an encrypted paper wallet from bitaddress.org. The passphrase is "test." Warning Although you can petrifaction funds into a paper wallet several times, you should withdraw all funds only once, spending everything. This is considering in the process of unlocking and spending funds some wallets might generate a transpiration write if you spend less than the whole amount. Additionally, if the computer you use to sign the transaction is compromised, you risk exposing the private key. By spending the unshortened wastefulness of a paper wallet only once, you reduce the risk of key compromise. If you need only a small amount, send any remaining funds to a new paper wallet in the same transaction. Paper wallets come in many designs and sizes, with many variegated features. Some are intended to be given as gifts and have seasonal themes, such as Christmas and New Year’s themes. Others are designed for storage in a wall vault or unscratched with the private key subconscious in some way, either with opaque scratch-off stickers, or folded and sealed with tamper-proof wrapper foil. Figures #paper_wallet_bpw through #paper_wallet_spw show various examples of paper wallets with security and replacement features.Icon28. An example of a paper wallet from bitcoinpaperwallet.com with the private key on a folding flap.Icon29. The bitcoinpaperwallet.com paper wallet with the private key concealed. Other designs full-length spare copies of the key and address, in the form of detachable stubs similar to ticket stubs, permitting you to store multiple copies to protect versus fire, flood, or other natural disasters.Icon30. An example of a paper wallet with spare copies of the keys on a replacement "stub." Transactions Introduction Transactions are the most important part of the bitcoin system. Everything else in bitcoin is designed to ensure that transactions can be created, propagated on the network, validated, and finally widow to the global ledger of transactions (the blockchain). Transactions are data structures that encode the transfer of value between participants in the bitcoin system. Each transaction is a public entry in bitcoin’s blockchain, the global double-entry bookkeeping ledger. In this installment we will examine all the various forms of transactions, what they contain, how to create them, how they are verified, and how they wilt part of the permanent record of all transactions. Transaction Lifecycle A transaction’s lifecycle starts with the transaction’s creation, moreover known as origination. The transaction is then signed with one or increasingly signatures indicating the passport to spend the funds referenced by the transaction. The transaction is then unconcentrated on the bitcoin network, where each network node (participant) validates and propagates the transaction until it reaches (almost) every node in the network. Finally, the transaction is verified by a mining node and included in a woodcut of transactions that is recorded on the blockchain. Once recorded on the blockchain and confirmed by sufficient subsequent blocks (confirmations), the transaction is a permanent part of the bitcoin ledger and is wonted as valid by all participants. The funds allocated to a new owner by the transaction can then be spent in a new transaction, extending the uniting of ownership and whence the lifecycle of a transaction again. Creating Transactions In some ways it helps to think of a transaction in the same way as a paper check. Like a check, a transaction is an instrument that expresses the intent to transfer money and is not visible to the financial system until it is submitted for execution. Like a check, the originator of the transaction does not have to be the one signing the transaction. Transactions can be created online or offline by anyone, plane if the person creating the transaction is not an authorized signer on the account. For example, an finance payable clerk might process payable checks for signature by the CEO. Similarly, an finance payable clerk can create bitcoin transactions and then have the CEO wield digital signatures to make them valid. Whereas a trammels references a specific worth as the source of the funds, a bitcoin transaction references a specific previous transaction as its source, rather than an account. Once a transaction has been created, it is signed by the owner (or owners) of the source funds. If it is properly worked and signed, the signed transaction is now valid and contains all the information needed to execute the transfer of funds. Finally, the valid transaction has to reach the bitcoin network so that it can be propagated until it reaches a miner for inclusion in the public ledger (the blockchain). Broadcasting Transactions to the Bitcoin Network First, a transaction needs to be delivered to the bitcoin network so that it can be propagated and included in the blockchain. In essence, a bitcoin transaction is just 300 to 400 bytes of data and has to reach any one of tens of thousands of bitcoin nodes. The senders do not need to trust the nodes they use to unconcentrated the transaction, as long as they use increasingly than one to ensure that it propagates. The nodes don’t need to trust the sender or establish the sender’s "identity."Consideringthe transaction is signed and contains no confidential information, private keys, or credentials, it can be publicly unconcentrated using any underlying network transport that is convenient. Unlike credit vellum transactions, for example, which contain sensitive information and can only be transmitted on encrypted networks, a bitcoin transaction can be sent over any network. As long as the transaction can reach a bitcoin node that will propagate it into the bitcoin network, it doesn’t matter how it is transported to the first node. Bitcoin transactions can therefore be transmitted to the bitcoin network over insecure networks such as WiFi, Bluetooth, NFC, Chirp, barcodes, or by copying and pasting into a web form. In lattermost cases, a bitcoin transaction could be transmitted over packet radio, satellite relay, or shortwave using splash transmission, spread spectrum, or frequency hopping to evade detection and jamming. A bitcoin transaction could plane be encoded as smileys (emoticons) and posted in a public forum or sent as a text message or Skype yack message. Bitcoin has turned money into a data structure, making it virtually untellable to stop anyone from creating and executing a bitcoin transaction. Propagating Transactions on the Bitcoin Network Once a bitcoin transaction is sent to any node unfluctuating to the bitcoin network, the transaction will be validated by that node. If valid, that node will propagate it to the other nodes to which it is connected, and a success message will be returned synchronously to the originator. If the transaction is invalid, the node will reject it and synchronously return a rejection message to the originator. The bitcoin network is a peer-to-peer network, meaning that each bitcoin node is unfluctuating to a few other bitcoin nodes that it discovers during startup through the peer-to-peer protocol. The unshortened network forms a loosely unfluctuating mesh without a stock-still topology or any structure, making all nodes equal peers. Messages, including transactions and blocks, are propagated from each node to all the peers to which it is connected, a process tabbed "flooding." A new validated transaction injected into any node on the network will be sent to all of the nodes unfluctuating to it (neighbors), each of which will send the transaction to all its neighbors, and so on. In this way, within a few seconds a valid transaction will propagate in an exponentially expanding ripple wideness the network until all nodes in the network have received it. The bitcoin network is designed to propagate transactions and blocks to all nodes in an efficient and resilient manner that is resistant to attacks. To prevent spamming, denial-of-service attacks, or other nuisance attacks versus the bitcoin system, every node independently validates every transaction surpassing propagating it further. A malformed transaction will not get vastitude one node. The rules by which transactions are validated are explained in increasingly detail in [tx_verification]. Transaction Structure A transaction is a data structure that encodes a transfer of value from a source of funds, tabbed an input, to a destination, tabbed an output. Transaction inputs and outputs are not related to finance or identities. Instead, you should think of them as bitcoin amounts—chunks of bitcoin—being locked with a specific secret that only the owner, or person who knows the secret, can unlock. A transaction contains a number of fields, as shown in [tx_data_structure]. Table 15. The structure of a transaction Size FieldUnravelment4 bytes Version Specifies which rules this transaction follows 1–9 bytes (VarInt) Input Counter How many inputs are included Variable Inputs One or increasingly transaction inputs 1–9 bytes (VarInt) Output Counter How many outputs are included Variable Outputs One or increasingly transaction outputs 4 bytes Locktime A Unix timestamp or woodcut number Transaction Locktime Locktime, moreover known as nLockTime from the variable name used in the reference client, defines the primeval time that a transaction is valid and can be relayed on the network or widow to the blockchain. It is set to zero in most transactions to indicate firsthand propagation and execution. If locktime is nonzero and unelevated 500 million, it is interpreted as a woodcut height, meaning the transaction is not valid and is not relayed or included in the blockchain prior to the specified woodcut height. If it is whilom 500 million, it is interpreted as a Unix Epoch timestamp (seconds since Jan-1-1970) and the transaction is not valid prior to the specified time. Transactions with locktime specifying a future woodcut or time must be held by the originating system and transmitted to the bitcoin network only without they wilt valid. The use of locktime is equivalent to postdating a paper check. Transaction Outputs and Inputs The fundamental towers woodcut of a bitcoin transaction is an unspent transaction output, or UTXO. UTXO are indivisible chunks of bitcoin currency locked to a specific owner, recorded on the blockchain, and recognized as currency units by the unshortened network. The bitcoin network tracks all misogynist (unspent) UTXO currently numbering in the millions. Whenever a user receives bitcoin, that value is recorded within the blockchain as a UTXO. Thus, a user’s bitcoin might be scattered as UTXO amongst hundreds of transactions and hundreds of blocks. In effect, there is no such thing as a stored wastefulness of a bitcoin write or account; there are only scattered UTXO, locked to specific owners. The concept of a user’s bitcoin wastefulness is a derived construct created by the wallet application. The wallet calculates the user’s wastefulness by scanning the blockchain and aggregating all UTXO belonging to that user. Tip There are no finance or balances in bitcoin; there are only unspent transaction outputs (UTXO) scattered in the blockchain. A UTXO can have an wrong-headed value denominated as a multiple of satoshis. Just like dollars can be divided lanugo to two decimal places as cents, bitcoins can be divided lanugo to eight decimal places as satoshis. Although UTXO can be any wrong-headed value, once created it is indivisible just like a forge that cannot be cut in half. If a UTXO is larger than the desired value of a transaction, it must still be consumed in its entirety and transpiration must be generated in the transaction. In other words, if you have a 20 bitcoin UTXO and want to pay 1 bitcoin, your transaction must slosh the unshortened 20 bitcoin UTXO and produce two outputs: one paying 1 bitcoin to your desired recipient and flipside paying 19 bitcoin in transpiration when to your wallet. As a result, most bitcoin transactions will generate change. Imagine a shopper ownership a $1.50 beverage, reaching into her wallet and trying to find a combination of coins and wall notes to imbricate the $1.50 cost. The shopper will segregate word-for-word transpiration if misogynist (a dollar snout and two quarters), or a combination of smaller denominations (six quarters), or if necessary, a larger unit such as a five dollar wall note. If she hands too much money, say $5, to the shop owner, she will expect $3.50 change, which she will return to her wallet and have misogynist for future transactions. Similarly, a bitcoin transaction must be created from a user’s UTXO in whatever denominations that user has available. Users cannot cut a UTXO in half any increasingly than they can cut a dollar snout in half and use it as currency. The user’s wallet using will typically select from the user’s misogynist UTXO various units to etch an value greater than or equal to the desired transaction amount. As with real life, the bitcoin using can use several strategies to satisfy the purchase amount: combining several smaller units, finding word-for-word change, or using a single unit larger than the transaction value and making change. All of this ramified turnout of spendable UTXO is washed-up by the user’s wallet automatically and is invisible to users. It is only relevant if you are programmatically constructing raw transactions from UTXO. The UTXO consumed by a transaction are tabbed transaction inputs, and the UTXO created by a transaction are tabbed transaction outputs. This way, chunks of bitcoin value move forward from owner to owner in a uniting of transactions consuming and creating UTXO. Transactions slosh UTXO by unlocking it with the signature of the current owner and create UTXO by locking it to the bitcoin write of the new owner. The exception to the output and input uniting is a special type of transaction tabbed the coinbase transaction, which is the first transaction in each block. This transaction is placed there by the "winning" miner and creates brand-new bitcoin payable to that miner as a reward for mining. This is how bitcoin’s money supply is created during the mining process, as we will see in [ch8]. Tip What comes first? Inputs or outputs, the yellow or the egg? Strictly speaking, outputs come first considering coinbase transactions, which generate new bitcoin, have no inputs and create outputs from nothing. Transaction Outputs Every bitcoin transaction creates outputs, which are recorded on the bitcoin ledger.Scrutinizinglyall of these outputs, with one exception (see [op_return]) create spendable chunks of bitcoin tabbed unspent transaction outputs or UTXO, which are then recognized by the whole network and misogynist for the owner to spend in a future transaction. Sending someone bitcoin is creating an unspent transaction output (UTXO) registered to their write and misogynist for them to spend. UTXO are tracked by every full-node bitcoin vendee as a data set tabbed the UTXO set or UTXO pool, held in a database. New transactions slosh (spend) one or increasingly of these outputs from the UTXO set. Transaction outputs consist of two parts: An value of bitcoin, denominated in satoshis, the smallest bitcoin unit A locking script, moreover known as an "encumbrance" that "locks" this value by specifying the conditions that must be met to spend the output The transaction scripting language, used in the locking script mentioned previously, is discussed in detail in [tx_script]. [tx_out_structure] shows the structure of a transaction output. Table 16. The structure of a transaction output Size FieldUnravelment8 bytesValueBitcoin value in satoshis (10-8 bitcoin) 1-9 bytes (VarInt) Locking-Script Size Locking-Script length in bytes, to follow Variable Locking-Script A script defining the conditions needed to spend the output In [get_utxo], we use the blockchain.info API to find the unspent outputs (UTXO) of a specific address. Example 18. A script that calls the blockchain.info API to find the UTXO related to an write Running the script, we see a list of transaction IDs, a colon, the alphabetize number of the specific unspent transaction output (UTXO), and the value of that UTXO in satoshis. The locking script is not shown in the output in [get_utxo_run]. Example 19. Running the get-utxo.py script Spending conditions (encumbrances) Transaction outputs socialize a specific value (in satoshis) to a specific encumbrance or locking script that defines the condition that must be met to spend that amount. In most cases, the locking script will lock the output to a specific bitcoin address, thereby transferring ownership of that value to the new owner. When Alice paid Bob’sSideboardfor a cup of coffee, her transaction created a 0.015 bitcoin output encumbered or locked to the cafe’s bitcoin address. That 0.015 bitcoin output was recorded on the blockchain and became part of the Unspent Transaction Output set, meaning it showed in Bob’s wallet as part of the misogynist balance. When Bob chooses to spend that amount, his transaction will release the encumbrance, unlocking the output by providing an unlocking script containing a signature from Bob’s private key. Transaction Inputs In simple terms, transaction inputs are pointers to UTXO. They point to a specific UTXO by reference to the transaction hash and sequence number where the UTXO is recorded in the blockchain. To spend UTXO, a transaction input moreover includes unlocking scripts that satisfy the spending conditions set by the UTXO. The unlocking script is usually a signature proving ownership of the bitcoin write that is in the locking script. When users make a payment, their wallet constructs a transaction by selecting from the misogynist UTXO. For example, to make a 0.015 bitcoin payment, the wallet app may select a 0.01 UTXO and a 0.005 UTXO, using them both to add up to the desired payment amount. In [select_utxo], we show the use of a "greedy" algorithm to select from misogynist UTXO in order to make a specific payment amount. In the example, the misogynist UTXO are provided as a unvarying array, but in reality, the misogynist UTXO would be retrieved with an RPC undeniability to Bitcoin Core, or to a third-party API as shown in [get_utxo]. Example 20. A script for gingerly how much total bitcoin will be issued If we run the select-utxo.py script without a parameter, it will struggle to construct a set of UTXO (and change) for a payment of 55,000,000 satoshis (0.55 bitcoin). If you provide a target payment value as a parameter, the script will select UTXO to make that target payment amount. In [select_utxo_run], we run the script trying to make a payment of 0.5 bitcoin or 50,000,000 satoshis. Example 21. Running the select-utxo.py script $ python select-utxo.py 50000000 For transaction value 50000000 Satoshis (0.500000 bitcoin) use: ([<7dbc497969c7475e45d952c4a872e213fb15d45e5cd3473c386a71a1b0c136a1:0 with 25000000 Satoshis>, <7f42eda67921ee92eae5f79bd37c68c9cb859b899ce70dba68c48338857b7818:0 with 16100000 Satoshis>, <6596fd070679de96e405d52b51b8e1d644029108ec4cbfe451454486796a1ecf:0 with 16050000 Satoshis>], 'Change: 7150000 Satoshis') Once the UTXO is selected, the wallet then produces unlocking scripts containing signatures for each of the UTXO, thereby making them spendable by satisfying their locking script conditions. The wallet adds these UTXO references and unlocking scripts as inputs to the transaction. [tx_in_structure] shows the structure of a transaction input. Table 17. The structure of a transaction input Size FieldUnravelment32 bytes Transaction Hash Pointer to the transaction containing the UTXO to be spent 4 bytes OutputAlphabetizeThe alphabetize number of the UTXO to be spent; first one is 0 1-9 bytes (VarInt) Unlocking-Script Size Unlocking-Script length in bytes, to follow Variable Unlocking-Script A script that fulfills the conditions of the UTXO locking script. 4 bytes Sequence Number Currently disabled Tx-replacement feature, set to 0xFFFFFFFF Note The sequence number is used to override a transaction prior to the expiration of the transaction locktime, which is a full-length that is currently disabled in bitcoin. Most transactions set this value to the maximum integer value (0xFFFFFFFF) and it is ignored by the bitcoin network. If the transaction has a nonzero locktime, at least one of its inputs must have a sequence number unelevated 0xFFFFFFFF in order to enable locktime. Transaction Fees Most transactions include transaction fees, which recoup the bitcoin miners for securing the network. Mining and the fees and rewards placid by miners are discussed in increasingly detail in [ch8]. This section examines how transaction fees are included in a typical transaction. Most wallets summate and include transaction fees automatically. However, if you are constructing transactions programmatically, or using a command-line interface, you must manually worth for and include these fees. Transaction fees serve as an incentive to include (mine) a transaction into the next woodcut and moreover as a disincentive versus "spam" transactions or any kind of vituperate of the system, by imposing a small forfeit on every transaction. Transaction fees are placid by the miner who mines the woodcut that records the transaction on the blockchain. Transaction fees are calculated based on the size of the transaction in kilobytes, not the value of the transaction in bitcoin. Overall, transaction fees are set based on market forces within the bitcoin network. Miners prioritize transactions based on many variegated criteria, including fees, and might plane process transactions for self-ruling under unrepealable circumstances. Transaction fees stupefy the processing priority, meaning that a transaction with sufficient fees is likely to be included in the next-most–mined block, whereas a transaction with insufficient or no fees might be delayed, processed on a best-effort understructure without a few blocks, or not processed at all. Transaction fees are not mandatory, and transactions without fees might be processed eventually; however, including transaction fees encourages priority processing. Over time, the way transaction fees are calculated and the effect they have on transaction prioritization has been evolving. At first, transaction fees were stock-still and unvarying wideness the network. Gradually, the fee structure has been relaxed so that it may be influenced by market forces, based on network topics and transaction volume. The current minimum transaction fee is stock-still at 0.0001 bitcoin or a tenth of a milli-bitcoin per kilobyte, recently decreased from one milli-bitcoin. Most transactions are less than one kilobyte; however, those with multiple inputs or outputs can be larger. In future revisions of the bitcoin protocol, it is expected that wallet applications will use statistical wringer to summate the most towardly fee to nail to a transaction based on the stereotype fees of recent transactions. The current algorithm used by miners to prioritize transactions for inclusion in a woodcut based on their fees is examined in detail in [ch8].SubtractingFees to Transactions The data structure of transactions does not have a field for fees. Instead, fees are unsaid as the difference between the sum of inputs and the sum of outputs. Any glut value that remains without all outputs have been deducted from all inputs is the fee that is placid by the miners. Transaction fees are implied, as the glut of inputs minus outputs: Fees = Sum(Inputs) – Sum(Outputs) This is a somewhat troublemaking element of transactions and an important point to understand, considering if you are constructing your own transactions you must ensure you do not inadvertently include a very large fee by underspending the inputs. That ways that you must worth for all inputs, if necessary by creating change, or you will end up giving the miners a very big tip! For example, if you slosh a 20-bitcoin UTXO to make a 1-bitcoin payment, you must include a 19-bitcoin transpiration output when to your wallet. Otherwise, the 19-bitcoin "leftover" will be counted as a transaction fee and will be placid by the miner who mines your transaction in a block. Although you will receive priority processing and make a miner very happy, this is probably not what you intended. Warning If you forget to add a transpiration output in a manually synthetic transaction, you will be paying the transpiration as a transaction fee. "Keep the change!" might not be what you intended. Let’s see how this works in practice, by looking at Alice’s coffee purchase again. Alice wants to spend 0.015 bitcoin to pay for coffee. To ensure this transaction is processed promptly, she will want to include a transaction fee, say 0.001. That will midpoint that the total forfeit of the transaction will be 0.016. Her wallet must therefore source a set of UTXO that adds up to 0.016 bitcoin or increasingly and, if necessary, create change. Let’s say her wallet has a 0.2-bitcoin UTXO available. It will therefore need to slosh this UTXO, create one output to Bob’sSideboardfor 0.015, and a second output with 0.184 bitcoin in transpiration when to her own wallet, leaving 0.001 bitcoin unallocated, as an implicit fee for the transaction. Now let’s squint at a variegated scenario. Eugenia, our children’s soft-heartedness director in the Philippines, has completed a fundraiser to purchase school books for the children. She received several thousand small donations from people all virtually the world, totaling 50 bitcoin, so her wallet is full of very small payments (UTXO). Now she wants to purchase hundreds of school books from a local publisher, paying in bitcoin. As Eugenia’s wallet using tries to construct a single larger payment transaction, it must source from the misogynist UTXO set, which is well-balanced of many smaller amounts. That ways that the resulting transaction will source from increasingly than a hundred small-value UTXO as inputs and only one output, paying the typesetting publisher. A transaction with that many inputs will be larger than one kilobyte, perhaps 2 to 3 kilobytes in size. As a result, it will require a higher fee than the minimal network fee of 0.0001 bitcoin. Eugenia’s wallet using will summate the towardly fee by measuring the size of the transaction and multiplying that by the per-kilobyte fee. Many wallets will overpay fees for larger transactions to ensure the transaction is processed promptly. The higher fee is not considering Eugenia is spending increasingly money, but considering her transaction is increasingly ramified and larger in size—the fee is self-sustaining of the transaction’s bitcoin value. Transaction Chaining and Orphan Transactions As we have seen, transactions form a chain, whereby one transaction spends the outputs of the previous transaction (known as the parent) and creates outputs for a subsequent transaction (known as the child). Sometimes an unshortened uniting of transactions depending on each other—say a parent, child, and grandchild transaction—are created at the same time, to fulfill a ramified transactional workflow that requires valid children to be signed surpassing the parent is signed. For example, this is a technique used in CoinJoin transactions where multiple parties join transactions together to protect their privacy. When a uniting of transactions is transmitted wideness the network, they don’t unchangingly victorious in the same order. Sometimes, the child might victorious surpassing the parent. In that case, the nodes that see a child first can see that it references a parent transaction that is not yet known. Rather than reject the child, they put it in a temporary pool to rely the inrush of its parent and propagate it to every other node. The pool of transactions without parents is known as the orphan transaction pool. Once the parent arrives, any orphans that reference the UTXO created by the parent are released from the pool, revalidated recursively, and then the unshortened uniting of transactions can be included in the transaction pool, ready to be mined in a block. Transaction villenage can be summarily long, with any number of generations transmitted simultaneously. The mechanism of holding orphans in the orphan pool ensures that otherwise valid transactions will not be rejected just considering their parent has been elapsed and that sooner the uniting they vest to is reconstructed in the correct order, regardless of the order of arrival. There is a limit to the number of orphan transactions stored in memory, to prevent a denial-of-service wade versus bitcoin nodes. The limit is specified as MAX_ORPHAN_TRANSACTIONS in the source lawmaking of the bitcoin reference client. If the number of orphan transactions in the pool exceeds MAX_ORPHAN_TRANSACTIONS, one or increasingly randomly selected orphan transactions are evicted from the pool, until the pool size is when within limits. Transaction Scripts and Script Language Bitcoin clients validate transactions by executing a script, written in a Forth-like scripting language. Both the locking script (encumbrance) placed on a UTXO and the unlocking script that usually contains a signature are written in this scripting language. When a transaction is validated, the unlocking script in each input is executed slantingly the respective locking script to see if it satisfies the spending condition. Today, most transactions processed through the bitcoin network have the form "Alice pays Bob" and are based on the same script tabbed a Pay-to-Public-Key-Hash script. However, the use of scripts to lock outputs and unlock inputs ways that through use of the programming language, transactions can contain an infinite number of conditions. Bitcoin transactions are not limited to the "Alice pays Bob" form and pattern. This is only the tip of the iceberg of possibilities that can be expressed with this scripting language. In this section, we will demonstrate the components of the bitcoin transaction scripting language and show how it can be used to express ramified conditions for spending and how those conditions can be satisfied by unlocking scripts. Tip Bitcoin transaction validation is not based on a static pattern, but instead is achieved through the execution of a scripting language. This language allows for a nearly infinite variety of conditions to be expressed. This is how bitcoin gets the power of "programmable money." Script Construction (Lock + Unlock) Bitcoin’s transaction validation engine relies on two types of scripts to validate transactions: a locking script and an unlocking script. A locking script is an encumbrance placed on an output, and it specifies the conditions that must be met to spend the output in the future. Historically, the locking script was tabbed a scriptPubKey, considering it usually contained a public key or bitcoin address. In this typesetting we refer to it as a "locking script" to unclose the much broader range of possibilities of this scripting technology. In most bitcoin applications, what we refer to as a locking script will towards in the source lawmaking as scriptPubKey. An unlocking script is a script that "solves," or satisfies, the conditions placed on an output by a locking script and allows the output to be spent. Unlocking scripts are part of every transaction input, and most of the time they contain a digital signature produced by the user’s wallet from his or her private key. Historically, the unlocking script is tabbed scriptSig, considering it usually contained a digital signature. In most bitcoin applications, the source lawmaking refers to the unlocking script as scriptSig. In this book, we refer to it as an "unlocking script" to unclose the much broader range of locking script requirements, considering not all unlocking scripts must contain signatures. Every bitcoin vendee will validate transactions by executing the locking and unlocking scripts together. For each input in the transaction, the validation software will first retrieve the UTXO referenced by the input. That UTXO contains a locking script defining the conditions required to spend it. The validation software will then take the unlocking script contained in the input that is attempting to spend this UTXO and execute the two scripts. In the original bitcoin client, the unlocking and locking scripts were concatenated and executed in sequence. For security reasons, this was reverted in 2010, considering of a vulnerability that unliable a malformed unlocking script to push data onto the stack and untruthful the locking script. In the current implementation, the scripts are executed separately with the stack transferred between the two executions, as described next. First, the unlocking script is executed, using the stack execution engine. If the unlocking script executed without errors (e.g., it has no "dangling" operators left over), the main stack (not the unorganized stack) is copied and the locking script is executed. If the result of executing the locking script with the stack data copied from the unlocking script is "TRUE," the unlocking script has succeeded in resolving the conditions imposed by the locking script and, therefore, the input is a valid passport to spend the UTXO. If any result other than "TRUE" remains without execution of the combined script, the input is invalid considering it has failed to satisfy the spending conditions placed on the UTXO. Note that the UTXO is permanently recorded in the blockchain, and therefore is invariable and is unaffected by failed attempts to spend it by reference in a new transaction. Only a valid transaction that correctly satisfies the conditions of the UTXO results in the UTXO stuff marked as "spent" and removed from the set of misogynist (unspent) UTXO. [scriptSig_and_scriptPubKey] is an example of the unlocking and locking scripts for the most worldwide type of bitcoin transaction (a payment to a public key hash), showing the combined script resulting from the concatenation of the unlocking and locking scripts prior to script validation.Icon31. Combining scriptSig and scriptPubKey to evaluate a transaction script Scripting Language The bitcoin transaction script language, tabbed Script, is a Forth-like reverse-polish notation stack-based execution language. If that sounds like gibberish, you probably haven’t studied 1960’s programming languages. Script is a very simple language that was designed to be limited in telescopic and executable on a range of hardware, perhaps as simple as an embedded device, such as a handheld calculator. It requires minimal processing and cannot do many of the fancy things modern programming languages can do. In the specimen of programmable money, that is a deliberate security feature. Bitcoin’s scripting language is tabbed a stack-based language considering it uses a data structure tabbed a stack. A stack is a very simple data structure, which can be visualized as a stack of cards. A stack allows two operations: push and pop. Push adds an item on top of the stack. Pop removes the top item from the stack. The scripting language executes the script by processing each item from left to right. Numbers (data constants) are pushed onto the stack. Operators push or pop one or increasingly parameters from the stack, act on them, and might push a result onto the stack. For example, OP_ADD will pop two items from the stack, add them, and push the resulting sum onto the stack.Provisionaryoperators evaluate a condition, producing a boolean result of TRUE or FALSE. For example, OP_EQUAL pops two items from the stack and pushes TRUE (TRUE is represented by the number 1) if they are equal or FALSE (represented by zero) if they are not equal. Bitcoin transaction scripts usually contain a provisionary operator, so that they can produce the TRUE result that signifies a valid transaction. In [simplemath_script], the script 2 3 OP_ADD 5 OP_EQUAL demonstrates the arithmetic wing operator OP_ADD, subtracting two numbers and putting the result on the stack, followed by the provisionary operator OP_EQUAL, which checks that the resulting sum is equal to 5. For brevity, the OP_ prefix is omitted in the step-by-step example. The pursuit is a slightly increasingly ramified script, which calculates 2 + 7 – 3 + 1. Notice that when the script contains several operators in a row, the stack allows the results of one operator to be make-believe upon by the next operator: 2 7 OP_ADD 3 OP_SUB 1 OP_ADD 7 OP_EQUAL Try validating the preceding script yourself using pencil and paper. When the script execution ends, you should be left with the value TRUE on the stack. Although most locking scripts refer to a bitcoin write or public key, thereby requiring proof of ownership to spend the funds, the script does not have to be that complex. Any combination of locking and unlocking scripts that results in a TRUE value is valid. The simple arithmetic we used as an example of the scripting language is moreover a valid locking script that can be used to lock a transaction output. Use part of the arithmetic example script as the locking script: 3 OP_ADD 5 OP_EQUAL which can be satisfied by a transaction containing an input with the unlocking script: 2 The validation software combines the locking and unlocking scripts and the resulting script is: 2 3 OP_ADD 5 OP_EQUAL As we saw in the step-by-step example in [simplemath_script], when this script is executed, the result is OP_TRUE, making the transaction valid. Not only is this a valid transaction output locking script, but the resulting UTXO could be spent by anyone with the arithmetic skills to know that the number 2 satisfies the script.Icon32. Bitcoin’s script validation doing simple math Tip Transactions are valid if the top result on the stack is TRUE (noted as {0x01}), any other non-zero value or if the stack is empty without script execution. Transactions are invalid if the top value on the stack is FALSE (a zero-length empty value, noted as {}) or if script execution is halted explicitly by an operator, such as OP_VERIFY, OP_RETURN, or a provisionary terminator such as OP_ENDIF. See [tx_script_ops] for details. Turing Incompleteness The bitcoin transaction script language contains many operators, but is deliberately limited in one important way—there are no loops or ramified spritz tenancy capabilities other than provisionary spritz control. This ensures that the language is not Turing Complete, meaning that scripts have limited complexity and predictable execution times. Script is not a general-purpose language. These limitations ensure that the language cannot be used to create an infinite loop or other form of "logic bomb" that could be embedded in a transaction in a way that causes a denial-of-service wade versus the bitcoin network. Remember, every transaction is validated by every full node on the bitcoin network. A limited language prevents the transaction validation mechanism from stuff used as a vulnerability. Stateless Verification The bitcoin transaction script language is stateless, in that there is no state prior to execution of the script, or state saved without execution of the script. Therefore, all the information needed to execute a script is contained within the script. A script will predictably execute the same way on any system. If your system verifies a script, you can be sure that every other system in the bitcoin network will moreover verify the script, meaning that a valid transaction is valid for everyone and everyone knows this. This predictability of outcomes is an essential goody of the bitcoin system. Standard Transactions In the first few years of bitcoin’s development, the developers introduced some limitations in the types of scripts that could be processed by the reference client. These limitations are encoded in a function tabbed isStandard(), which defines five types of "standard" transactions. These limitations are temporary and might be lifted by the time you read this. Until then, the five standard types of transaction scripts are the only ones that will be wonted by the reference vendee and most miners who run the reference client. Although it is possible to create a nonstandard transaction containing a script that is not one of the standard types, you must find a miner who does not follow these limitations to mine that transaction into a block.Trammelsthe source lawmaking of the BitcoinCadreclient (the reference implementation) to see what is currently unliable as a valid transaction script. The five standard types of transaction scripts are pay-to-public-key-hash (P2PKH), public-key, multi-signature (limited to 15 keys), pay-to-script-hash (P2SH), and data output (OP_RETURN), which are described in increasingly detail in the pursuit sections. Pay-to-Public-Key-Hash (P2PKH) The vast majority of transactions processed on the bitcoin network are P2PKH transactions. These contain a locking script that encumbers the output with a public key hash, increasingly wontedly known as a bitcoin address. Transactions that pay a bitcoin write contain P2PKH scripts. An output locked by a P2PKH script can be unlocked (spent) by presenting a public key and a digital signature created by the respective private key. For example, let’s squint at Alice’s payment to Bob’sSideboardagain. Alice made a payment of 0.015 bitcoin to the cafe’s bitcoin address. That transaction output would have a locking script of the form: OP_DUP OP_HASH160 <Cafe Public Key Hash> OP_EQUAL OP_CHECKSIG TheSideboardPublic Key Hash is equivalent to the bitcoin write of the cafe, without the Base58Check encoding. Most applications would show the public key hash in hexadecimal encoding and not the familiar bitcoin write Base58Check format that begins with a "1". The preceding locking script can be satisfied with an unlocking script of the form: <Cafe Signature> <Cafe Public Key> The two scripts together would form the pursuit combined validation script: <Cafe Signature> <Cafe Public Key> OP_DUP OP_HASH160 <Cafe Public Key Hash> OP_EQUAL OP_CHECKSIG When executed, this combined script will evaluate to TRUE if, and only if, the unlocking script matches the conditions set by the locking script. In other words, the result will be TRUE if the unlocking script has a valid signature from the cafe’s private key that corresponds to the public key hash set as an encumbrance. Figures #P2PubKHash1 and #P2PubKHash2 show (in two parts) a step-by-step execution of the combined script, which will prove this is a valid transaction.Icon33. Evaluating a script for a P2PKH transaction (Part 1 of 2)Icon34. Evaluating a script for a P2PKH transaction (Part 2 of 2) Pay-to-Public-Key Pay-to-public-key is a simpler form of a bitcoin payment than pay-to-public-key-hash. With this script form, the public key itself is stored in the locking script, rather than a public-key-hash as with P2PKH earlier, which is much shorter. Pay-to-public-key-hash was invented by Satoshi to make bitcoin addresses shorter, for ease of use. Pay-to-public-key is now most often seen in coinbase transactions, generated by older mining software that has not been updated to use P2PKH. A pay-to-public-key locking script looks like this: <Public Key A> OP_CHECKSIG The respective unlocking script that must be presented to unlock this type of output is a simple signature, like this: <Signature from Private Key A> The combined script, which is validated by the transaction validation software, is: <Signature from Private Key A> <Public Key A> OP_CHECKSIG This script is a simple invocation of the CHECKSIG operator, which validates the signature as belonging to the correct key and returns TRUE on the stack. Multi-Signature Multi-signature scripts set a condition where N public keys are recorded in the script and at least M of those must provide signatures to release the encumbrance. This is moreover known as an M-of-N scheme, where N is the total number of keys and M is the threshold of signatures required for validation. For example, a 2-of-3 multi-signature is one where three public keys are listed as potential signers and at least two of those must be used to create signatures for a valid transaction to spend the funds. At this time, standard multi-signature scripts are limited to at most 15 listed public keys, meaning you can do anything from a 1-of-1 to a 15-of-15 multi-signature or any combination within that range. The limitation to 15 listed keys might be lifted by the time this typesetting is published, so trammels the isStandard() function to see what is currently wonted by the network. The unstipulated form of a locking script setting an M-of-N multi-signature condition is: M <Public Key 1> <Public Key 2> ... <Public Key N> N OP_CHECKMULTISIG where N is the total number of listed public keys and M is the threshold of required signatures to spend the output. A locking script setting a 2-of-3 multi-signature condition looks like this: 2 <Public Key A> <Public Key B> <Public Key C> 3 OP_CHECKMULTISIG The preceding locking script can be satisfied with an unlocking script containing pairs of signatures and public keys: OP_0 <Signature B> <Signature C> or any combination of two signatures from the private keys respective to the three listed public keys. Note The prefix OP_0 is required considering of a bug in the original implementation of CHECKMULTISIG where one item too many is popped off the stack. It is ignored by CHECKMULTISIG and is simply a placeholder. The two scripts together would form the combined validation script: OP_0 <Signature B> <Signature C> 2 <Public Key A> <Public Key B> <Public Key C> 3 OP_CHECKMULTISIG When executed, this combined script will evaluate to TRUE if, and only if, the unlocking script matches the conditions set by the locking script. In this case, the condition is whether the unlocking script has a valid signature from the two private keys that correspond to two of the three public keys set as an encumbrance. Data Output (OP_RETURN) Bitcoin’s distributed and timestamped ledger, the blockchain, has potential uses far vastitude payments. Many developers have tried to use the transaction scripting language to take wholesomeness of the security and resilience of the system for applications such as digital notary services, stock certificates, and smart contracts. Early attempts to use bitcoin’s script language for these purposes involved creating transaction outputs that recorded data on the blockchain; for example, to record a digital fingerprint of a file in such a way that anyone could establish proof-of-existence of that file on a specific stage by reference to that transaction. The use of bitcoin’s blockchain to store data unrelated to bitcoin payments is a controversial subject. Many developers consider such use wiseacre and want to discourage it. Others view it as a sit-in of the powerful capabilities of blockchain technology and want to encourage such experimentation. Those who object to the inclusion of non-payment data oppose that it causes "blockchain bloat," burdening those running full bitcoin nodes with delivering the forfeit of disk storage for data that the blockchain was not intended to carry. Moreover, such transactions create UTXO that cannot be spent, using the destination bitcoin write as a free-form 20-byte field.Consideringthe write is used for data, it doesn’t correspond to a private key and the resulting UTXO can never be spent; it’s a fake payment. These transactions that can never be spent are therefore never removed from the UTXO set and rationalization the size of the UTXO database to forever increase, or "bloat." In version 0.9 of the BitcoinCadreclient, a compromise was reached with the introduction of the OP_RETURN operator. OP_RETURN allows developers to add 80 bytes of nonpayment data to a transaction output. However, unlike the use of "fake" UTXO, the OP_RETURN operator creates an explicitly provably unspendable output, which does not need to be stored in the UTXO set. OP_RETURN outputs are recorded on the blockchain, so they slosh disk space and contribute to the increase in the blockchain’s size, but they are not stored in the UTXO set and therefore do not bloat the UTXO memory pool and undersong full nodes with the forfeit of increasingly expensive RAM. OP_RETURN scripts squint like this: OP_RETURN <data> The data portion is limited to 80 bytes and most often represents a hash, such as the output from the SHA256 algorithm (32 bytes). Many applications put a prefix in front of the data to help identify the application. For example, the Proof of Existence digital notarization service uses the 8-byte prefix DOCPROOF, which is ASCII encoded as 44 4f 43 50 52 4f 4f 46 in hexadecimal.Alimonyin mind that there is no "unlocking script" that corresponds to OP_RETURN that could possibly be used to "spend" an OP_RETURN output. The whole point of OP_RETURN is that you can’t spend the money locked in that output, and therefore it does not need to be held in the UTXO set as potentially spendable—OP_RETURN is provably un-spendable. OP_RETURN is usually an output with a zero bitcoin amount, considering any bitcoin prescribed to such an output is powerfully lost forever. If an OP_RETURN is encountered by the script validation software, it results immediately in halting the execution of the validation script and marking the transaction as invalid. Thus, if you unwittingly reference an OP_RETURN output as an input in a transaction, that transaction is invalid. A standard transaction (one that conforms to the isStandard() checks) can have only one OP_RETURN output. However, a single OP_RETURN output can be combined in a transaction with outputs of any other type. Two new command-line options have been widow in BitcoinCadreas of version 0.10. The option datacarrier controls relay and mining of OP_RETURN transactions, with the default set to "1" to indulge them. The option datacarriersize takes a numeric treatise specifying the maximum size in bytes of the OP_RETURN data, 40 bytes by default. Note OP_RETURN was initially proposed with a limit of 80 bytes, but the limit was reduced to 40 bytes when the full-length was released. In February 2015, in version 0.10 of Bitcoin Core, the limit was raised when to 80 bytes. Nodes may segregate not to relay or mine OP_RETURN, or only relay and mine OP_RETURN containing less than 80 bytes of data. Pay-to-Script-Hash (P2SH) Pay-to-script-hash (P2SH) was introduced in 2012 as a powerful new type of transaction that profoundly simplifies the use of ramified transaction scripts. To explain the need for P2SH, let’s squint at a practical example. In [ch01_intro_what_is_bitcoin] we introduced Mohammed, an electronics importer based in Dubai. Mohammed’s visitor uses bitcoin’s multi-signature full-length extensively for its corporate accounts. Multi-signature scripts are one of the most worldwide uses of bitcoin’s wide scripting capabilities and are a very powerful feature. Mohammed’s visitor uses a multi-signature script for all consumer payments, known in written terms as "accounts receivable," or AR. With the multi-signature scheme, any payments made by customers are locked in such a way that they require at least two signatures to release, from Mohammed and one of his partners or from his shyster who has a replacement key. A multi-signature scheme like that offers corporate governance controls and protects versus theft, embezzlement, or loss. The resulting script is quite long and looks like this: 2 <Mohammed's Public Key> <Partner1 Public Key> <Partner2 Public Key> <Partner3 Public Key> <Attorney Public Key> 5 OP_CHECKMULTISIG Although multi-signature scripts are a powerful feature, they are cumbersome to use. Given the preceding script, Mohammed would have to communicate this script to every consumer prior to payment. Each consumer would have to use special bitcoin wallet software with the worthiness to create custom transaction scripts, and each consumer would have to understand how to create a transaction using custom scripts. Furthermore, the resulting transaction would be well-nigh five times larger than a simple payment transaction, considering this script contains very long public keys. The undersong of that extra-large transaction would be borne by the consumer in the form of fees. Finally, a large transaction script like this would be carried in the UTXO set in RAM in every full node, until it was spent. All of these issues make using ramified output scripts difficult in practice. Pay-to-script-hash (P2SH) was ripened to resolve these practical difficulties and to make the use of ramified scripts as easy as a payment to a bitcoin address. With P2SH payments, the ramified locking script is replaced with its digital fingerprint, a cryptographic hash. When a transaction attempting to spend the UTXO is presented later, it must contain the script that matches the hash, in wing to the unlocking script. In simple terms, P2SH ways "pay to a script matching this hash, a script that will be presented later when this output is spent." In P2SH transactions, the locking script that is replaced by a hash is referred to as the redeem script considering it is presented to the system at redemption time rather than as a locking script. [without_p2sh] shows the script without P2SH and [with_p2sh] shows the same script encoded with P2SH. Table 18.Ramifiedscript without P2SH Locking Script 2 PubKey1 PubKey2 PubKey3 PubKey4 PubKey5 5 OP_CHECKMULTISIG Unlocking Script Sig1 Sig2 Table 19.Ramifiedscript as P2SH Redeem Script 2 PubKey1 PubKey2 PubKey3 PubKey4 PubKey5 5 OP_CHECKMULTISIG Locking Script OP_HASH160 <20-byte hash of redeem script> OP_EQUAL Unlocking Script Sig1 Sig2 redeem script As you can see from the tables, with P2SH the ramified script that details the conditions for spending the output (redeem script) is not presented in the locking script. Instead, only a hash of it is in the locking script and the redeem script itself is presented later, as part of the unlocking script when the output is spent. This shifts the undersong in fees and complexity from the sender to the recipient (spender) of the transaction. Let’s squint at Mohammed’s company, the ramified multi-signature script, and the resulting P2SH scripts. First, the multi-signature script that Mohammed’s visitor uses for all incoming payments from customers: 2 <Mohammed's Public Key> <Partner1 Public Key> <Partner2 Public Key> <Partner3 Public Key> <Attorney Public Key> 5 OP_CHECKMULTISIG If the placeholders are replaced by very public keys (shown here as 520-bit numbers starting with 04) you can see that this script becomes very long: 2 04C16B8698A9ABF84250A7C3EA7EEDEF9897D1C8C6ADF47F06CF73370D74DCCA01CDCA79DCC5C395D7EEC6984D83F1F50C900A24DD47F569FD4193AF5DE762C58704A2192968D8655D6A935BEAF2CA23E3FB87A3495E7AF308EDF08DAC3C1FCBFC2C75B4B0F4D0B1B70CD2423657738C0C2B1D5CE65C97D78D0E34224858008E8B49047E63248B75DB7379BE9CDA8CE5751D16485F431E46117B9D0C1837C9D5737812F393DA7D4420D7E1A9162F0279CFC10F1E8E8F3020DECDBC3C0DD389D99779650421D65CBD7149B255382ED7F78E946580657EE6FDA162A187543A9D85BAAA93A4AB3A8F044DADA618D087227440645ABE8A35DA8C5B73997AD343BE5C2AFD94A5043752580AFA1ECED3C68D446BCAB69AC0BA7DF50D56231BE0AABF1FDEEC78A6A45E394BA29A1EDF518C022DD618DA774D207D137AAB59E0B000EB7ED238F4D800 5 OP_CHECKMULTISIG This unshortened script can instead be represented by a 20-byte cryptographic hash, by first applying the SHA256 hashing algorithm and then applying the RIPEMD160 algorithm on the result. The 20-byte hash of the preceding script is: 54c557e07dde5bb6cb791c7a540e0a4796f5e97e A P2SH transaction locks the output to this hash instead of the longer script, using the locking script: OP_HASH160 54c557e07dde5bb6cb791c7a540e0a4796f5e97e OP_EQUAL which, as you can see, is much shorter. Instead of "pay to this 5-key multi-signature script," the P2SH equivalent transaction is "pay to a script with this hash." A consumer making a payment to Mohammed’s visitor need only include this much shorter locking script in his payment. When Mohammed wants to spend this UTXO, they must present the original redeem script (the one whose hash locked the UTXO) and the signatures necessary to unlock it, like this: <Sig1> <Sig2> <2 PK1 PK2 PK3 PK4 PK5 5 OP_CHECKMULTISIG> The two scripts are combined in two stages. First, the redeem script is checked versus the locking script to make sure the hash matches: <2 PK1 PK2 PK3 PK4 PK5 5 OP_CHECKMULTISIG> OP_HASH160 <redeem scriptHash> OP_EQUAL If the redeem script hash matches, the unlocking script is executed on its own, to unlock the redeem script: <Sig1> <Sig2> 2 PK1 PK2 PK3 PK4 PK5 5 OP_CHECKMULTISIG Pay-to-script-hash addressesFlipsideimportant part of the P2SH full-length is the worthiness to encode a script hash as an address, as specified in BIP0013. P2SH addresses are Base58Check encodings of the 20-byte hash of a script, just like bitcoin addresses are Base58Check encodings of the 20-byte hash of a public key. P2SH addresses use the version prefix "5", which results in Base58Check-encoded addresses that start with a "3". For example, Mohammed’s ramified script, hashed and Base58Check-encoded as a P2SH write becomes 39RF6JqABiHdYHkfChV6USGMe6Nsr66Gzw. Now, Mohammed can requite this "address" to his customers and they can use scrutinizingly any bitcoin wallet to make a simple payment, as if it were a bitcoin address. The 3 prefix gives them a hint that this is a special type of address, one respective to a script instead of a public key, but otherwise it works in exactly the same way as a payment to a bitcoin address. P2SH addresses hibernate all of the complexity, so that the person making a payment does not see the script. Benefits of pay-to-script-hash The pay-to-script-hash full-length offers the pursuit benefits compared to the uncontrived use of ramified scripts in locking outputs:Ramifiedscripts are replaced by shorter fingerprints in the transaction output, making the transaction smaller. Scripts can be coded as an address, so the sender and the sender’s wallet don’t need ramified engineering to implement P2SH. P2SH shifts the undersong of constructing the script to the recipient, not the sender. P2SH shifts the undersong in data storage for the long script from the output (which is in the UTXO set) to the input (stored on the blockchain). P2SH shifts the undersong in data storage for the long script from the present time (payment) to a future time (when it is spent). P2SH shifts the transaction fee forfeit of a long script from the sender to the recipient, who has to include the long redeem script to spend it. Redeem script and isStandard validation Prior to version 0.9.2 of the BitcoinCadreclient, pay-to-script-hash was limited to the standard types of bitcoin transaction scripts, by the isStandard() function. That ways that the redeem script presented in the spending transaction could only be one of the standard types: P2PK, P2PKH, or multi-sig nature, excluding OP_RETURN and P2SH itself. As of version 0.9.2 of the BitcoinCadreclient, P2SH transactions can contain any valid script, making the P2SH standard much increasingly flexible and permitting for experimentation with many novel and ramified types of transactions. Note that you are not worldly-wise to put a P2SH inside a P2SH redeem script, considering the P2SH specification is not recursive. You are moreover still not worldly-wise to use OP_RETURN in a redeem script considering OP_RETURN cannot be redeemed by definition. Note that considering the redeem script is not presented to the network until you struggle to spend a P2SH output, if you lock an output with the hash of an invalid transaction it will be processed regardless. However, you will not be worldly-wise to spend it considering the spending transaction, which includes the redeem script, will not be wonted considering it is an invalid script. This creates a risk, considering you can lock bitcoin in a P2SH that cannot be spent later. The network will winnow the P2SH encumbrance plane if it corresponds to an invalid redeem script, considering the script hash gives no indication of the script it represents. Warning P2SH locking scripts contain the hash of a redeem script, which gives no clues as to the content of the redeem script itself. The P2SH transaction will be considered valid and wonted plane if the redeem script is invalid. You might unwittingly lock bitcoin in such a way that it cannot later be spent. The Bitcoin Network Peer-to-Peer NetworkTraceryBitcoin is structured as a peer-to-peer network tracery on top of the Internet. The term peer-to-peer, or P2P, ways that the computers that participate in the network are peers to each other, that they are all equal, that there are no "special" nodes, and that all nodes share the undersong of providing network services. The network nodes interconnect in a mesh network with a "flat" topology. There is no server, no internal service, and no hierarchy within the network. Nodes in a peer-to-peer network both provide and slosh services at the same time with reciprocity vicarial as the incentive for participation. Peer-to-peer networks are inherently resilient, decentralized, and open. The preeminent example of a P2P network tracery was the early Internet itself, where nodes on the IP network were equal. Today’s Internet tracery is increasingly hierarchical, but the Internet Protocol still retains its flat-topology essence.Vastitudebitcoin, the largest and most successful using of P2P technologies is file sharing with Napster as the pioneer and BitTorrent as the most recent incubation of the architecture. Bitcoin’s P2P network tracery is much increasingly than a topology choice. Bitcoin is a peer-to-peer digital mazuma system by design, and the network tracery is both a reflection and a foundation of that cadre characteristic. Decentralization of tenancy is a cadre diamond principle and that can only be achieved and maintained by a flat, decentralized P2P consensus network. The term "bitcoin network" refers to the hodgepodge of nodes running the bitcoin P2P protocol. In wing to the bitcoin P2P protocol, there are other protocols such as Stratum, which are used for mining and lightweight or mobile wallets. These spare protocols are provided by gateway routing servers that wangle the bitcoin network using the bitcoin P2P protocol, and then proffer that network to nodes running other protocols. For example, Stratum servers connect Stratum mining nodes via the Stratum protocol to the main bitcoin network and underpass the Stratum protocol to the bitcoin P2P protocol. We use the term "extended bitcoin network" to refer to the overall network that includes the bitcoin P2P protocol, pool-mining protocols, the Stratum protocol, and any other related protocols connecting the components of the bitcoin system. Nodes Types and Roles Although nodes in the bitcoin P2P network are equal, they may take on variegated roles depending on the functionality they are supporting. A bitcoin node is a hodgepodge of functions: routing, the blockchain database, mining, and wallet services. A full node with all four of these functions is shown in [full_node_reference].Icon35. A bitcoin network node with all four functions: wallet, miner, full blockchain database, and network routing All nodes include the routing function to participate in the network and might include other functionality. All nodes validate and propagate transactions and blocks, and discover and maintain connections to peers. In the full-node example in [full_node_reference], the routing function is indicated by an orange whirligig named "Network Routing Node." Some nodes, tabbed full nodes, moreover maintain a well-constructed and up-to-date reprinting of the blockchain. Full nodes can autonomously and authoritatively verify any transaction without external reference. Some nodes maintain only a subset of the blockchain and verify transactions using a method tabbed simplified payment verification, or SPV. These nodes are known as SPV or lightweight nodes. In the full-node example in the figure, the full-node blockchain database function is indicated by a undecorous whirligig named "Full Blockchain." In [bitcoin_network], SPV nodes are drawn without the undecorous circle, showing that they do not have a full reprinting of the blockchain. Mining nodes compete to create new blocks by running specialized hardware to solve the proof-of-work algorithm. Some mining nodes are moreover full nodes, maintaining a full reprinting of the blockchain, while others are lightweight nodes participating in pool mining and depending on a pool server to maintain a full node. The mining function is shown in the full node as a woebegone whirligig named "Miner." User wallets might be part of a full node, as is usually the specimen with desktop bitcoin clients. Increasingly, many user wallets, expressly those running on resource-constrained devices such as smartphones, are SPV nodes. The wallet function is shown in [full_node_reference] as a untried whirligig named "Wallet". In wing to the main node types on the bitcoin P2P protocol, there are servers and nodes running other protocols, such as specialized mining pool protocols and lightweight client-access protocols. [node_type_ledgend] shows the most worldwide node types on the extended bitcoin network. The Extended Bitcoin Network The main bitcoin network, running the bitcoin P2P protocol, consists of between 7,000 and 10,000 listening nodes running various versions of the bitcoin reference vendee (Bitcoin Core) and a few hundred nodes running various other implementations of the bitcoin P2P protocol, such as BitcoinJ, Libbitcoin, and btcd. A small percentage of the nodes on the bitcoin P2P network are moreover mining nodes, competing in the mining process, validating transactions, and creating new blocks. Various large companies interface with the bitcoin network by running full-node clients based on the BitcoinCadreclient, with full copies of the blockchain and a network node, but without mining or wallet functions. These nodes act as network whet routers, permitting various other services (exchanges, wallets, woodcut explorers, merchant payment processing) to be built on top. The extended bitcoin network includes the network running the bitcoin P2P protocol, described earlier, as well as nodes running specialized protocols.Tyingto the main bitcoin P2P network are a number of pool servers and protocol gateways that connect nodes running other protocols. These other protocol nodes are mostly pool mining nodes (see [ch8]) and lightweight wallet clients, which do not siphon a full reprinting of the blockchain. [bitcoin_network] shows the extended bitcoin network with the various types of nodes, gateway servers, whet routers, and wallet clients and the various protocols they use to connect to each other.Icon36.Variegatedtypes of nodes on the extended bitcoin networkIcon37. The extended bitcoin network showing various node types, gateways, and protocols Network Discovery When a new node boots up, it must discover other bitcoin nodes on the network in order to participate. To start this process, a new node must discover at least one existing node on the network and connect to it. The geographic location of other nodes is irrelevant; the bitcoin network topology is not geographically defined. Therefore, any existing bitcoin nodes can be selected at random. To connect to a known peer, nodes establish a TCP connection, usually to port 8333 (the port often known as the one used by bitcoin), or an volitional port if one is provided. Upon establishing a connection, the node will start a "handshake" (see [network_handshake]) by transmitting a version message, which contains vital identifying information, including: nVersion The bitcoin P2P protocol version the vendee "speaks" (e.g., 70002) nLocalServices A list of local services supported by the node, currently just NODE_NETWORK nTime The current time addrYou The IP write of the remote node as seen from this node addrMe The IP write of the local node, as discovered by the local node subver A sub-version showing the type of software running on this node (e.g., "/Satoshi:0.9.2.1/")+ BestHeight The woodcut height of this node’s blockchain (See GitHub for an example of the version network message.) The version message is unchangingly the first message sent by any peer to flipside peer. The local peer receiving a version message will examine the remote peer’s reported nVersion and decide if the remote peer is compatible. If the remote peer is compatible, the local peer will unclose the version message and establish a connection, by sending a verack. How does a new node find peers? The first method is to query DNS using a number of "DNS seeds," which are DNS servers that provide a list of IP addresses of bitcoin nodes. Some of those DNS seeds provide a static list of IP addresses of stable bitcoin listening nodes. Some of the DNS seeds are custom implementations of BIND (Berkeley Internet Name Daemon) that return a random subset from a list of bitcoin node addresses placid by a crawler or a long-running bitcoin node. The BitcoinCadreclient contains the names of five variegated DNS seeds. The diversity of ownership and diversity of implementation of the variegated DNS seeds offers a upper level or reliability for the initial bootstrapping process. In the BitcoinCadreclient, the option to use the DNS seeds is controlled by the option switch -dnsseed (set to 1 by default, to use the DNS seed). Alternatively, a bootstrapping node that knows nothing of the network must be given the IP write of at least one bitcoin node, without which it can establish connections through remoter introductions. The command-line treatise -seednode can be used to connect to one node just for introductions, using it as a seed.Withoutthe initial seed node is used to form introductions, the vendee will disconnect from it and use the newly discovered peers.Icon38. The initial handshake between peers Once one or increasingly connections are established, the new node will send an addr message containing its own IP write to its neighbors. The neighbors will, in turn, forward the addr message to their neighbors, ensuring that the newly unfluctuating node becomes well known and largest connected. Additionally, the newly unfluctuating node can send getaddr to the neighbors, asking them to return a list of IP addresses of other peers. That way, a node can find peers to connect to and ventilate its existence on the network for other nodes to find it. [address_propagation] shows the write discovery protocol.Icon39.Writepropagation and discovery A node must connect to a few variegated peers in order to establish diverse paths into the bitcoin network. Paths are not reliable—nodes come and go—and so the node must protract to discover new nodes as it loses old connections as well as squire other nodes when they bootstrap. Only one connection is needed to bootstrap, considering the first node can offer introductions to its peer nodes and those peers can offer remoter introductions. It’s moreover unnecessary and wasteful of network resources to connect to increasingly than a handful of nodes.Withoutbootstrapping, a node will remember its most recent successful peer connections, so that if it is rebooted it can quickly reestablish connections with its former peer network. If none of the former peers respond to its connection request, the node can use the seed nodes to bootstrap again. On a node running the BitcoinCadreclient, you can list the peer connections with the writ getpeerinfo: To override the will-less management of peers and to specify a list of IP addresses, users can provide the option -connect=<IPAddress> and specify one or increasingly IP addresses. If this option is used, the node will only connect to the selected IP addresses, instead of discovering and maintaining the peer connections automatically. If there is no traffic on a connection, nodes will periodically send a message to maintain the connection. If a node has not communicated on a connection for increasingly than 90 minutes, it is unsupportable to be shredded and a new peer will be sought. Thus, the network dynamically adjusts to transient nodes and network problems, and can organically grow and shrink as needed without any inside control. Full Nodes Full nodes are nodes that maintain a full blockchain with all transactions.Increasinglyaccurately, they probably should be tabbed "full blockchain nodes." In the early years of bitcoin, all nodes were full nodes and currently the BitcoinCadreclient is a full blockchain node. In the past two years, however, new forms of bitcoin clients have been introduced that do not maintain a full blockchain but run as lightweight clients. We’ll examine these in increasingly detail in the next section. Full blockchain nodes maintain a well-constructed and up-to-date reprinting of the bitcoin blockchain with all the transactions, which they independently build and verify, starting with the very first woodcut (genesis block) and towers up to the latest known woodcut in the network. A full blockchain node can independently and authoritatively verify any transaction without recourse or reliance on any other node or source of information. The full blockchain node relies on the network to receive updates well-nigh new blocks of transactions, which it then verifies and incorporates into its local reprinting of the blockchain. Running a full blockchain node gives you the pure bitcoin experience: self-sustaining verification of all transactions without the need to rely on, or trust, any other systems. It’s easy to tell if you’re running a full node considering it requires 20+ gigabytes of persistent storage (disk space) to store the full blockchain. If you need a lot of disk and it takes two to three days to sync to the network, you are running a full node. That is the price of well-constructed independence and self-rule from inside authority. There are a few volitional implementations of full blockchain bitcoin clients, built using variegated programming languages and software architectures. However, the most worldwide implementation is the reference vendee Bitcoin Core, moreover known as the Satoshi client.Increasinglythan 90% of the nodes on the bitcoin network run various versions of Bitcoin Core. It is identified as "Satoshi" in the sub-version string sent in the version message and shown by the writ getpeerinfo as we saw earlier; for example, /Satoshi:0.8.6/. Exchanging "Inventory" The first thing a full node will do once it connects to peers is try to construct a well-constructed blockchain. If it is a brand-new node and has no blockchain at all, it only knows one block, the genesis block, which is statically embedded in the vendee software. Starting with woodcut #0 (the genesis block), the new node will have to download hundreds of thousands of blocks to synchronize with the network and re-establish the full blockchain. The process of syncing the blockchain starts with the version message, considering that contains BestHeight, a node’s current blockchain height (number of blocks). A node will see the version messages from its peers, know how many blocks they each have, and be worldly-wise to compare to how many blocks it has in its own blockchain. Peered nodes will mart a getblocks message that contains the hash (fingerprint) of the top woodcut on their local blockchain. One of the peers will be worldly-wise to identify the received hash as belonging to a woodcut that is not at the top, but rather belongs to an older block, thus deducing that its own local blockchain is longer than its peer’s. The peer that has the longer blockchain has increasingly blocks than the other node and can identify which blocks the other node needs in order to "catch up." It will identify the first 500 blocks to share and transmit their hashes using an inv (inventory) message. The node missing these blocks will then retrieve them, by issuing a series of getdata messages requesting the full woodcut data and identifying the requested blocks using the hashes from the inv message. Let’s assume, for example, that a node only has the genesis block. It will then receive an inv message from its peers containing the hashes of the next 500 blocks in the chain. It will start requesting blocks from all of its unfluctuating peers, spreading the load and ensuring that it doesn’t overwhelm any peer with requests. The node keeps track of how many blocks are "in transit" per peer connection, meaning blocks that it has requested but not received, checking that it does not exceed a limit (MAX_BLOCKS_IN_TRANSIT_PER_PEER). This way, if it needs a lot of blocks, it will only request new ones as previous requests are fulfilled, permitting the peers to tenancy the pace of updates and not overwhelming the network. As each woodcut is received, it is widow to the blockchain, as we will see in [blockchain]. As the local blockchain is gradually built up, increasingly blocks are requested and received, and the process continues until the node catches up to the rest of the network. This process of comparing the local blockchain with the peers and retrieving any missing blocks happens any time a node goes offline for any period of time. Whether a node has been offline for a few minutes and is missing a few blocks, or a month and is missing a few thousand blocks, it starts by sending getblocks, gets an inv response, and starts downloading the missing blocks. [inventory_synchronization] shows the inventory and woodcut propagation protocol. Simplified Payment Verification (SPV) Nodes Not all nodes have the worthiness to store the full blockchain. Many bitcoin clients are designed to run on space- and power-constrained devices, such as smartphones, tablets, or embedded systems. For such devices, a simplified payment verification (SPV) method is used to indulge them to operate without storing the full blockchain. These types of clients are tabbed SPV clients or lightweight clients. As bitcoin adoption surges, the SPV node is rhadamanthine the most worldwide form of bitcoin node, expressly for bitcoin wallets. SPV nodes download only the woodcut headers and do not download the transactions included in each block. The resulting uniting of blocks, without transactions, is 1,000 times smaller than the full blockchain. SPV nodes cannot construct a full picture of all the UTXOs that are misogynist for spending considering they do not know well-nigh all the transactions on the network. SPV nodes verify transactions using a slightly variegated methodology that relies on peers to provide partial views of relevant parts of the blockchain on demand.Icon40. Node synchronizing the blockchain by retrieving blocks from a peer As an analogy, a full node is like a tourist in a strange city, equipped with a detailed map of every street and every address. By comparison, an SPV node is like a tourist in a strange municipality asking random strangers for turn-by-turn directions while knowing only one main avenue. Although both tourists can verify the existence of a street by visiting it, the tourist without a map doesn’t know what lies lanugo any of the side streets and doesn’t know what other streets exist. Positioned in front of 23 Church Street, the tourist without a map cannot know if there are a dozen other "23 Church Street" addresses in the municipality and whether this is the right one. The mapless tourist’s weightier endangerment is to ask unbearable people and hope some of them are not trying to mug him. Simplified payment verification verifies transactions by reference to their depth in the blockchain instead of their height. Whereas a full blockchain node will construct a fully verified uniting of thousands of blocks and transactions reaching lanugo the blockchain (back in time) all the way to the genesis block, an SPV node will verify the uniting of all blocks (but not all transactions) and link that uniting to the transaction of interest. For example, when examining a transaction in woodcut 300,000, a full node links all 300,000 blocks lanugo to the genesis woodcut and builds a full database of UTXO, establishing the validity of the transaction by confirming that the UTXO remains unspent. An SPV node cannot validate whether the UTXO is unspent. Instead, the SPV node will establish a link between the transaction and the woodcut that contains it, using a merkle path (see [merkle_trees]). Then, the SPV node waits until it sees the six blocks 300,001 through 300,006 piled on top of the woodcut containing the transaction and verifies it by establishing its depth under blocks 300,006 to 300,001. The fact that other nodes on the network wonted woodcut 300,000 and then did the necessary work to produce six increasingly blocks on top of it is proof, by proxy, that the transaction was not a double-spend. An SPV node cannot be persuaded that a transaction exists in a woodcut when the transaction does not in fact exist. The SPV node establishes the existence of a transaction in a woodcut by requesting a merkle path proof and by validating the proof of work in the uniting of blocks. However, a transaction’s existence can be "hidden" from an SPV node. An SPV node can definitely prove that a transaction exists but cannot verify that a transaction, such as a double-spend of the same UTXO, doesn’t exist considering it doesn’t have a record of all transactions. This vulnerability can be used in a denial-of-service wade or for a double-spending wade versus SPV nodes. To defend versus this, an SPV node needs to connect randomly to several nodes, to increase the probability that it is in contact with at least one honest node. This need to randomly connect ways that SPV nodes moreover are vulnerable to network partitioning attacks or Sybil attacks, where they are unfluctuating to fake nodes or fake networks and do not have wangle to honest nodes or the real bitcoin network. For most practical purposes, well-connected SPV nodes are secure enough, striking the right wastefulness between resource needs, practicality, and security. For infallible security, however, nothing beats running a full blockchain node. Tip A full blockchain node verifies a transaction by checking the unshortened uniting of thousands of blocks unelevated it in order to guarantee that the UTXO is not spent, whereas an SPV node checks how deep the woodcut is veiled by a handful of blocks whilom it. To get the woodcut headers, SPV nodes use a getheaders message instead of getblocks. The responding peer will send up to 2,000 woodcut headers using a single headers message. The process is otherwise the same as that used by a full node to retrieve full blocks. SPV nodes moreover set a filter on the connection to peers, to filter the stream of future blocks and transactions sent by the peers. Any transactions of interest are retrieved using a getdata request. The peer generates a tx message containing the transactions, in response. [spv_synchronization] shows the synchronization of woodcut headers.Icon41. SPV node synchronizing the woodcut headersConsideringSPV nodes need to retrieve specific transactions in order to selectively verify them, they moreover create a privacy risk. Unlike full blockchain nodes, which collect all transactions within each block, the SPV node’s requests for specific data can inadvertently reveal the addresses in their wallet. For example, a third party monitoring a network could alimony track of all the transactions requested by a wallet on an SPV node and use those to socialize bitcoin addresses with the user of that wallet, destroying the user’s privacy. Shortly without the introduction of SPV/lightweight nodes, the bitcoin developers widow a full-length tabbed viridity filters to write the privacy risks of SPV nodes.Viridityfilters indulge SPV nodes to receive a subset of the transactions without revealing precisely which addresses they are interested in, through a filtering mechanism that uses probabilities rather than stock-still patterns.ViridityFilters A viridity filter is a probabilistic search filter, a way to describe a desired pattern without specifying it exactly.Viridityfilters offer an efficient way to express a search pattern while protecting privacy. They are used by SPV nodes to ask their peers for transactions matching a specific pattern, without revealing exactly which addresses they are searching for. In our previous analogy, a tourist without a map is asking for directions to a specific address, "23 Church St." If she asks strangers for directions to this street, she inadvertently reveals her destination. A viridity filter is like asking, "Are there any streets in this neighborhood whose name ends in R-C-H?" A question like that reveals slightly less well-nigh the desired destination than asking for "23 Church St." Using this technique, a tourist could specify the desired write in increasingly detail as "ending in U-R-C-H" or less detail as "ending in H." By varying the precision of the search, the tourist reveals increasingly or less information, at the expense of getting increasingly or less specific results. If she asks a less specific pattern, she gets a lot increasingly possible addresses and largest privacy, but many of the results are irrelevant. If she asks for a very specific pattern, she gets fewer results but loses privacy.Viridityfilters serve this function by permitting an SPV node to specify a search pattern for transactions that can be tuned toward precision or privacy. A increasingly specific viridity filter will produce well-judged results, but at the expense of revealing what addresses are used in the user’s wallet. A less specific viridity filter will produce increasingly data well-nigh increasingly transactions, many irrelevant to the node, but will indulge the node to maintain largest privacy. An SPV node will initialize a viridity filter as "empty" and in that state the viridity filter will not match any patterns. The SPV node will then make a list of all the addresses in its wallet and create a search pattern matching the transaction output that corresponds to each address. Usually, the search pattern is a pay-to-public-key-hash script that is the expected locking script that will be present in any transaction paying to the public-key-hash (address). If the SPV node is tracking the wastefulness of a P2SH address, the search pattern will be a pay-to-script-hash script, instead. The SPV node then adds each of the search patterns to the viridity filter, so that the viridity filter can recognize the search pattern if it is present in a transaction. Finally, the viridity filter is sent to the peer and the peer uses it to match transactions for transmission to the SPV node.Viridityfilters are implemented as a variable-size variety of N binary digits (a bit field) and a variable number of M hash functions. The hash functions are designed to unchangingly produce an output that is between 1 and N, respective to the variety of binary digits. The hash functions are generated deterministically, so that any node implementing a viridity filter will unchangingly use the same hash functions and get the same results for a specific input. By choosing variegated length (N) viridity filters and a variegated number (M) of hash functions, the viridity filter can be tuned, varying the level of verism and therefore privacy. In [bloom1], we use a very small variety of 16 shit and a set of three hash functions to demonstrate how viridity filters work.Icon42. An example of a simplistic viridity filter, with a 16-bit field and three hash functions The viridity filter is initialized so that the variety of shit is all zeros. To add a pattern to the viridity filter, the pattern is hashed by each hash function in turn. Applying the first hash function to the input results in a number between 1 and N. The respective bit in the variety (indexed from 1 to N) is found and set to 1, thereby recording the output of the hash function. Then, the next hash function is used to set flipside bit and so on. Once all M hash functions have been applied, the search pattern will be "recorded" in the viridity filter as M shit that have been reverted from 0 to 1. [bloom2] is an example of subtracting a pattern "A" to the simple viridity filter shown in [bloom1].Subtractinga second pattern is as simple as repeating this process. The pattern is hashed by each hash function in turn and the result is recorded by setting the shit to 1. Note that as a viridity filter is filled with increasingly patterns, a hash function result might coincide with a bit that is once set to 1, in which specimen the bit is not changed. In essence, as increasingly patterns record on overlapping bits, the viridity filter starts to wilt saturated with increasingly shit set to 1 and the verism of the filter decreases. This is why the filter is a probabilistic data structure—it gets less well-judged as increasingly patterns are added. The verism depends on the number of patterns widow versus the size of the bit variety (N) and number of hash functions (M). A larger bit variety and increasingly hash functions can record increasingly patterns with higher accuracy. A smaller bit variety or fewer hash functions will record fewer patterns and produce less accuracy.Icon43.Subtractinga pattern "A" to our simple viridity filter [bloom3] is an example of subtracting a second pattern "B" to the simple viridity filter.Icon44.Subtractinga second pattern "B" to our simple viridity filter To test if a pattern is part of a viridity filter, the pattern is hashed by each hash function and the resulting bit pattern is tested versus the bit array. If all the shit indexed by the hash functions are set to 1, then the pattern is probably recorded in the viridity filter.Consideringthe shit may be set considering of overlap from multiple patterns, the wordplay is not certain, but is rather probabilistic. In simple terms, a viridity filter positive match is a "Maybe, Yes." [bloom4] is an example of testing the existence of pattern "X" in the simple viridity filter. The respective shit are set to 1, so the pattern is probably a match.Icon45. Testing the existence of pattern "X" in the viridity filter. The result is probabilistic positive match, meaning "Maybe." On the contrary, if a pattern is tested versus the viridity filter and any one of the shit is set to 0, this proves that the pattern was not recorded in the viridity filter. A negative result is not a probability, it is a certainty. In simple terms, a negative match on a viridity filter is a "Definitely Not!" [bloom5] is an example of testing the existence of pattern "Y" in the simple viridity filter. One of the respective shit is set to 0, so the pattern is definitely not a match.Icon46. Testing the existence of pattern "Y" in the viridity filter. The result is a definitive negative match, meaning "Definitely Not!" Bitcoin’s implementation of viridity filters is described in BitcoinResurgenceProposal 37 (BIP0037). See [appdxbitcoinimpproposals] or visit GitHub.ViridityFilters and Inventory UpdatesViridityfilters are used to filter the transactions (and blocks containing them) that an SPV node receives from its peers. SPV nodes will create a filter that matches only the addresses held in the SPV node’s wallet. The SPV node will then send a filterload message to the peer, containing the viridity filter to use on the connection.Withouta filter is established, the peer will then test each transaction’s outputs versus the viridity filter. Only transactions that match the filter are sent to the node. In response to a getdata message from the node, peers will send a merkleblock message that contains only woodcut headers for blocks matching the filter and a merkle path (see [merkle_trees]) for each matching transaction. The peer will then moreover send tx messages containing the transactions matched by the filter. The node setting the viridity filter can interactively add patterns to the filter by sending a filteradd message. To well-spoken the viridity filter, the node can send a filterclear message.Consideringit is not possible to remove a pattern from a viridity filter, a node has to well-spoken and resend a new viridity filter if a pattern is no longer desired. Transaction PoolsScrutinizinglyevery node on the bitcoin network maintains a temporary list of unconfirmed transactions tabbed the memory pool, mempool, or transaction pool. Nodes use this pool to alimony track of transactions that are known to the network but are not yet included in the blockchain. For example, a node that holds a user’s wallet will use the transaction pool to track incoming payments to the user’s wallet that have been received on the network but are not yet confirmed. As transactions are received and verified, they are widow to the transaction pool and relayed to the neighboring nodes to propagate on the network. Some node implementations moreover maintain a separate pool of orphaned transactions. If a transaction’s inputs refer to a transaction that is not yet known, such as a missing parent, the orphan transaction will be stored temporarily in the orphan pool until the parent transaction arrives. When a transaction is widow to the transaction pool, the orphan pool is checked for any orphans that reference this transaction’s outputs (its children). Any matching orphans are then validated. If valid, they are removed from the orphan pool and widow to the transaction pool, completing the uniting that started with the parent transaction. In light of the newly widow transaction, which is no longer an orphan, the process is repeated recursively looking for any remoter descendants, until no increasingly descendants are found. Through this process, the inrush of a parent transaction triggers a spout reconstruction of an unshortened uniting of interdependent transactions by re-uniting the orphans with their parents all the way lanugo the chain. Both the transaction pool and orphan pool (where implemented) are stored in local memory and are not saved on persistent storage; rather, they are dynamically populated from incoming network messages. When a node starts, both pools are empty and are gradually populated with new transactions received on the network. Some implementations of the bitcoin vendee moreover maintain a UTXO database or UTXO pool, which is the set of all unspent outputs on the blockchain. Although the name "UTXO pool" sounds similar to the transaction pool, it represents a variegated set of data. Unlike the transaction and orphan pools, the UTXO pool is not initialized empty but instead contains millions of entries of unspent transaction outputs, including some dating when to 2009. The UTXO pool may be housed in local memory or as an indexed database table on persistent storage. Whereas the transaction and orphan pools represent a single node’s local perspective and might vary significantly from node to node depending upon when the node was started or restarted, the UTXO pool represents the emergent consensus of the network and therefore will vary little between nodes. Furthermore, the transaction and orphan pools only contain unconfirmed transactions, while the UTXO pool only contains confirmed outputs.ZestfulMessagesZestfulmessages are a seldom used function, but are nevertheless implemented in most nodes.Zestfulmessages are bitcoin’s "emergency unconcentrated system," a ways by which the cadre bitcoin developers can send an emergency text message to all bitcoin nodes. This full-length is implemented to indulge the cadre developer team to notify all bitcoin users of a serious problem in the bitcoin network, such as a hair-trigger bug that requires user action. The zestful system has only been used a handful of times, most notably in early 2013 when a hair-trigger database bug caused a multiblock fork to occur in the bitcoin blockchain.Zestfulmessages are propagated by the zestful message. The zestful message contains several fields, including: ID An zestful identified so that indistinguishable alerts can be detected Expiration A time without which the zestful expires RelayUntil A time without which the zestful should not be relayed MinVer, MaxVer The range of bitcoin protocol versions that this zestful applies to subVer The vendee software version that this zestful applies to Priority An zestful priority level, currently unused Alerts are cryptographically signed by a public key. The respective private key is held by a few select members of the cadre minutiae team. The digital signature ensures that fake alerts will not be propagated on the network. Each node receiving this zestful message will verify it, trammels for expiration, and propagate it to all its peers, thus ensuring rapid propagation wideness the unshortened network. In wing to propagating the alert, the nodes might implement a user interface function to present the zestful to the user. In the BitcoinCadreclient, the zestful is configured with the command-line option -alertnotify, which specifies a writ to run when an zestful is received. The zestful message is passed as a parameter to the alertnotify command. Most commonly, the alertnotify writ is set to generate an email message to the zookeeper of the node, containing the zestful message. The zestful is moreover displayed as a pop-up dialog in the graphical user interface (bitcoin-Qt) if it is running. Other implementations of the bitcoin protocol might handle the zestful in variegated ways. Many hardware-embedded bitcoin mining systems do not implement the zestful message function considering they have no user interface. It is strongly recommended that miners running such mining systems subscribe to alerts via a mining pool operator or by running a lightweight node just for zestful purposes. The Blockchain Introduction The blockchain data structure is an ordered, back-linked list of blocks of transactions. The blockchain can be stored as a unappetizing file, or in a simple database. The BitcoinCadreclient stores the blockchain metadata using Google’s LevelDB database. Blocks are linked "back," each referring to the previous woodcut in the chain. The blockchain is often visualized as a vertical stack, with blocks layered on top of each other and the first woodcut serving as the foundation of the stack. The visualization of blocks stacked on top of each other results in the use of terms such as "height" to refer to the loftiness from the first block, and "top" or "tip" to refer to the most recently widow block. Each woodcut within the blockchain is identified by a hash, generated using the SHA256 cryptographic hash algorithm on the header of the block. Each woodcut moreover references a previous block, known as the parent block, through the "previous woodcut hash" field in the woodcut header. In other words, each woodcut contains the hash of its parent inside its own header. The sequence of hashes linking each woodcut to its parent creates a uniting going when all the way to the first woodcut overly created, known as the genesis block. Although a woodcut has just one parent, it can temporarily have multiple children. Each of the children refers to the same woodcut as its parent and contains the same (parent) hash in the "previous woodcut hash" field. Multiple children upspring during a blockchain "fork," a temporary situation that occurs when variegated blocks are discovered scrutinizingly simultaneously by variegated miners (see [forks]). Eventually, only one child woodcut becomes part of the blockchain and the "fork" is resolved.Planethough a woodcut may have increasingly than one child, each woodcut can have only one parent. This is considering a woodcut has one single "previous woodcut hash" field referencing its single parent. The "previous woodcut hash" field is inside the woodcut header and thereby affects the current block’s hash. The child’s own identity changes if the parent’s identity changes. When the parent is modified in any way, the parent’s hash changes. The parent’s reverted hash necessitates a transpiration in the "previous woodcut hash" pointer of the child. This in turn causes the child’s hash to change, which requires a transpiration in the pointer of the grandchild, which in turn changes the grandchild, and so on. This spout effect ensures that once a woodcut has many generations pursuit it, it cannot be reverted without forcing a recalculation of all subsequent blocks.Consideringsuch a recalculation would require enormous computation, the existence of a long uniting of blocks makes the blockchain’s deep history immutable, which is a key full-length of bitcoin’s security. One way to think well-nigh the blockchain is like layers in a geological formation, or glacier cadre sample. The surface layers might transpiration with the seasons, or plane be squandered yonder surpassing they have time to settle. But once you go a few inches deep, geological layers wilt increasingly and increasingly stable. By the time you squint a few hundred feet down, you are looking at a snapshot of the past that has remained undisturbed for millions of years. In the blockchain, the most recent few blocks might be revised if there is a uniting recalculation due to a fork. The top six blocks are like a few inches of topsoil. But once you go increasingly tightly into the blockchain, vastitude six blocks, blocks are less and less likely to change.Without100 blocks when there is so much stability that the coinbase transaction—the transaction containing newly mined bitcoins—can be spent. A few thousand blocks when (a month) and the blockchain is settled history, for all practical purposes. While the protocol unchangingly allows a uniting to be undone by a longer uniting and while the possibility of any woodcut stuff reversed unchangingly exists, the probability of such an event decreases as time passes until it becomes infinitesimal. Structure of aWoodcutA woodcut is a container data structure that aggregates transactions for inclusion in the public ledger, the blockchain. The woodcut is made of a header, containing metadata, followed by a long list of transactions that make up the zillion of its size. The woodcut header is 80 bytes, whereas the stereotype transaction is at least 250 bytes and the stereotype woodcut contains increasingly than 500 transactions. A well-constructed block, with all transactions, is therefore 1,000 times larger than the woodcut header. [block_structure1] describes the structure of a block. Table 20. The structure of a woodcut Size FieldUnravelment4 bytesWoodcutSize The size of the block, in bytes, pursuit this field 80 bytesWoodcutHeader Several fields form the woodcut header 1-9 bytes (VarInt) Transaction Counter How many transactions follow Variable Transactions The transactions recorded in this woodcutWoodcutHeader The woodcut header consists of three sets of woodcut metadata. First, there is a reference to a previous woodcut hash, which connects this woodcut to the previous woodcut in the blockchain. The second set of metadata, namely the difficulty, timestamp, and nonce, relate to the mining competition, as detailed in [ch8]. The third piece of metadata is the merkle tree root, a data structure used to efficiently summarize all the transactions in the block. [block_header_structure_ch07] describes the structure of a woodcut header. Table 21. The structure of the woodcut header Size FieldUnravelment4 bytes Version A version number to track software/protocol upgrades 32 bytes PreviousWoodcutHash A reference to the hash of the previous (parent) woodcut in the uniting 32 bytes Merkle Root A hash of the root of the merkle tree of this block’s transactions 4 bytes Timestamp The injudicious megacosm time of this woodcut (seconds from Unix Epoch) 4 bytes Difficulty Target The proof-of-work algorithm difficulty target for this woodcut 4 bytes Nonce A counter used for the proof-of-work algorithm The nonce, difficulty target, and timestamp are used in the mining process and will be discussed in increasingly detail in [ch8].WoodcutIdentifiers:WoodcutHeader Hash andWoodcutHeight The primary identifier of a woodcut is its cryptographic hash, a digital fingerprint, made by hashing the woodcut header twice through the SHA256 algorithm. The resulting 32-byte hash is tabbed the woodcut hash but is increasingly virtuously the woodcut header hash, considering only the woodcut header is used to compute it. For example, 000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f is the woodcut hash of the first bitcoin woodcut overly created. The woodcut hash identifies a woodcut uniquely and unambiguously and can be independently derived by any node by simply hashing the woodcut header. Note that the woodcut hash is not unquestionably included inside the block’s data structure, neither when the woodcut is transmitted on the network, nor when it is stored on a node’s persistence storage as part of the blockchain. Instead, the block’s hash is computed by each node as the woodcut is received from the network. The woodcut hash might be stored in a separate database table as part of the block’s metadata, to facilitate indexing and faster retrieval of blocks from disk. A second way to identify a woodcut is by its position in the blockchain, tabbed the woodcut height. The first woodcut overly created is at woodcut height 0 (zero) and is the same woodcut that was previously referenced by the pursuit woodcut hash 000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f. A woodcut can thus be identified two ways: by referencing the woodcut hash or by referencing the woodcut height. Each subsequent woodcut widow "on top" of that first woodcut is one position "higher" in the blockchain, like boxes stacked one on top of the other. The woodcut height on January 1, 2014, was approximately 278,000, meaning there were 278,000 blocks stacked on top of the first woodcut created in January 2009. Unlike the woodcut hash, the woodcut height is not a unique identifier. Although a single woodcut will unchangingly have a specific and invariant woodcut height, the reverse is not true—the woodcut height does not unchangingly identify a single block. Two or increasingly blocks might have the same woodcut height, competing for the same position in the blockchain. This scenario is discussed in detail in the section [forks]. The woodcut height is moreover not a part of the block’s data structure; it is not stored within the block. Each node dynamically identifies a block’s position (height) in the blockchain when it is received from the bitcoin network. The woodcut height might moreover be stored as metadata in an indexed database table for faster retrieval. Tip A block’s woodcut hash unchangingly identifies a single woodcut uniquely. A woodcut moreover unchangingly has a specific woodcut height. However, it is not unchangingly the specimen that a specific woodcut height can identify a single block. Rather, two or increasingly blocks might compete for a single position in the blockchain. The GenesisWoodcutThe first woodcut in the blockchain is tabbed the genesis woodcut and was created in 2009. It is the worldwide prototype of all the blocks in the blockchain, meaning that if you start at any woodcut and follow the uniting wrong-side-up in time, you will sooner victorious at the genesis block. Every node unchangingly starts with a blockchain of at least one woodcut considering the genesis woodcut is statically encoded within the bitcoin vendee software, such that it cannot be altered. Every node unchangingly "knows" the genesis block’s hash and structure, the stock-still time it was created, and plane the single transaction within. Thus, every node has the starting point for the blockchain, a secure "root" from which to build a trusted blockchain. See the statically encoded genesis woodcut inside the BitcoinCadreclient, in chainparams.cpp. The pursuit identifier hash belongs to the genesis block: 000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f You can search for that woodcut hash in any woodcut explorer website, such as blockchain.info, and you will find a page describing the contents of this block, with a URL containing that hash: https://blockchain.info/block/000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f https://blockexplorer.com/block/000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f Using the BitcoinCadrereference vendee on the writ line: $ bitcoin-cli getblock 000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f The genesis woodcut contains a subconscious message within it. The coinbase transaction input contains the text "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks." This message was intended to offer proof of the primeval stage this woodcut was created, by referencing the headline of the British newspaper The Times. It moreover serves as a tongue-in-cheek reminder of the importance of an self-sustaining monetary system, with bitcoin’s launch occurring at the same time as an unprecedented worldwide monetary crisis. The message was embedded in the first woodcut by Satoshi Nakamoto, bitcoin’s creator. Linking Blocks in the Blockchain Bitcoin full nodes maintain a local reprinting of the blockchain, starting at the genesis block. The local reprinting of the blockchain is constantly updated as new blocks are found and used to proffer the chain. As a node receives incoming blocks from the network, it will validate these blocks and then link them to the existing blockchain. To establish a link, a node will examine the incoming woodcut header and squint for the "previous woodcut hash." Let’s assume, for example, that a node has 277,314 blocks in the local reprinting of the blockchain. The last woodcut the node knows well-nigh is woodcut 277,314, with a woodcut header hash of 00000000000000027e7ba6fe7bad39faf3b5a83daed765f05f7d1b71a1632249. The bitcoin node then receives a new woodcut from the network, which it parses as follows: Looking at this new block, the node finds the previousblockhash field, which contains the hash of its parent block. It is a hash known to the node, that of the last woodcut on the uniting at height 277,314. Therefore, this new woodcut is a child of the last woodcut on the uniting and extends the existing blockchain. The node adds this new woodcut to the end of the chain, making the blockchain longer with a new height of 277,315. [chain_of_blocks] shows the uniting of three blocks, linked by references in the previousblockhash field. Merkle Trees Each woodcut in the bitcoin blockchain contains a summary of all the transactions in the block, using a merkle tree. A merkle tree, moreover known as a binary hash tree, is a data structure used for efficiently summarizing and verifying the integrity of large sets of data. Merkle trees are binary trees containing cryptographic hashes. The term "tree" is used in computer science to describe a branching data structure, but these trees are usually displayed upside lanugo with the "root" at the top and the "leaves" at the marrow of a diagram, as you will see in the examples that follow.Icon47. Blocks linked in a chain, by reference to the previous woodcut header hash Merkle trees are used in bitcoin to summarize all the transactions in a block, producing an overall digital fingerprint of the unshortened set of transactions, providing a very efficient process to verify whether a transaction is included in a block. A Merkle tree is synthetic by recursively hashing pairs of nodes until there is only one hash, tabbed the root, or merkle root. The cryptographic hash algorithm used in bitcoin’s merkle trees is SHA256 unromantic twice, moreover known as double-SHA256. When N data elements are hashed and summarized in a merkle tree, you can trammels to see if any one data element is included in the tree with at most 2*log2(N) calculations, making this a very efficient data structure. The merkle tree is synthetic bottom-up. In the pursuit example, we start with four transactions, A, B, C and D, which form the leaves of the Merkle tree, as shown in [simple_merkle]. The transactions are not stored in the merkle tree; rather, their data is hashed and the resulting hash is stored in each leaf node as HA, HB, HC, and HD: H~A~ = SHA256(SHA256(Transaction A)) Consecutive pairs of leaf nodes are then summarized in a parent node, by concatenating the two hashes and hashing them together. For example, to construct the parent node HAB, the two 32-byte hashes of the children are concatenated to create a 64-byte string. That string is then double-hashed to produce the parent node’s hash: H~AB~ = SHA256(SHA256(H~A~ + H~B~)) The process continues until there is only one node at the top, the node known as the Merkle root. That 32-byte hash is stored in the woodcut header and summarizes all the data in all four transactions.Icon48.Gingerlythe nodes in a merkle treeConsideringthe merkle tree is a binary tree, it needs an plane number of leaf nodes. If there is an odd number of transactions to summarize, the last transaction hash will be duplicated to create an plane number of leaf nodes, moreover known as a well-turned tree. This is shown in [merkle_tree_odd], where transaction C is duplicated.Icon49. Duplicating one data element achieves an plane number of data elements The same method for constructing a tree from four transactions can be generalized to construct trees of any size. In bitcoin it is worldwide to have several hundred to increasingly than a thousand transactions in a single block, which are summarized in exactly the same way, producing just 32 bytes of data as the single merkle root. In [merkle_tree_large], you will see a tree built from 16 transactions. Note that although the root looks worthier than the leaf nodes in the diagram, it is the word-for-word same size, just 32 bytes. Whether there is one transaction or a hundred thousand transactions in the block, the merkle root unchangingly summarizes them into 32 bytes. To prove that a specific transaction is included in a block, a node only needs to produce log2(N) 32-byte hashes, constituting an hallmark path or merkle path connecting the specific transaction to the root of the tree. This is expressly important as the number of transactions increases, considering the base-2 logarithm of the number of transactions increases much increasingly slowly. This allows bitcoin nodes to efficiently produce paths of 10 or 12 hashes (320–384 bytes), which can provide proof of a single transaction out of increasingly than a thousand transactions in a megabyte-size block.Icon50. A merkle tree summarizing many data elements In [merkle_tree_path], a node can prove that a transaction K is included in the woodcut by producing a merkle path that is only four 32-byte hashes long (128 bytes total). The path consists of the four hashes (noted in undecorous in [merkle_tree_path]) HL, HIJ, HMNOP and HABCDEFGH. With those four hashes provided as an hallmark path, any node can prove that HK (noted in untried in the diagram) is included in the merkle root by computing four spare pair-wise hashes HKL, HIJKL, HIJKLMNOP, and the merkle tree root (outlined in a dotted line in the diagram).Icon51. A merkle path used to prove inclusion of a data element The lawmaking in [merkle_example] demonstrates the process of creating a merkle tree from the leaf-node hashes up to the root, using the libbitcoin library for some helper functions. Example 22.Towersa merkle tree [merkle_example_run] shows the result of compiling and running the merkle code. Example 23. Compiling and running the merkle example lawmaking The efficiency of merkle trees becomes obvious as the scale increases. [block_structure2] shows the value of data that needs to be exchanged as a merkle path to prove that a transaction is part of a block. Table 22. Merkle tree efficiency Number of transactions Approx. size of woodcut Path size (hashes) Path size (bytes) 16 transactions 4 kilobytes 4 hashes 128 bytes 512 transactions 128 kilobytes 9 hashes 288 bytes 2048 transactions 512 kilobytes 11 hashes 352 bytes 65,535 transactions 16 megabytes 16 hashes 512 bytes As you can see from the table, while the woodcut size increases rapidly, from 4 KB with 16 transactions to a woodcut size of 16 MB to fit 65,535 transactions, the merkle path required to prove the inclusion of a transaction increases much increasingly slowly, from 128 bytes to only 512 bytes. With merkle trees, a node can download just the woodcut headers (80 bytes per block) and still be worldly-wise to identify a transaction’s inclusion in a woodcut by retrieving a small merkle path from a full node, without storing or transmitting the vast majority of the blockchain, which might be several gigabytes in size. Nodes that do not maintain a full blockchain, tabbed simplified payment verification (SPV nodes), use merkle paths to verify transactions without downloading full blocks. Merkle Trees and Simplified Payment Verification (SPV) Merkle trees are used extensively by SPV nodes. SPV nodes don’t have all transactions and do not download full blocks, just woodcut headers. In order to verify that a transaction is included in a block, without having to download all the transactions in the block, they use an hallmark path, or merkle path. Consider, for example, an SPV node that is interested in incoming payments to an write contained in its wallet. The SPV node will establish a viridity filter on its connections to peers to limit the transactions received to only those containing addresses of interest. When a peer sees a transaction that matches the viridity filter, it will send that woodcut using a merkleblock message. The merkleblock message contains the woodcut header as well as a merkle path that links the transaction of interest to the merkle root in the block. The SPV node can use this merkle path to connect the transaction to the woodcut and verify that the transaction is included in the block. The SPV node moreover uses the woodcut header to link the woodcut to the rest of the blockchain. The combination of these two links, between the transaction and block, and between the woodcut and blockchain, proves that the transaction is recorded in the blockchain. All in all, the SPV node will have received less than a kilobyte of data for the woodcut header and merkle path, an value of data that is increasingly than a thousand times less than a full woodcut (about 1 megabyte currently). Mining and Consensus Introduction Mining is the process by which new bitcoin is widow to the money supply. Mining moreover serves to secure the bitcoin system versus fraudulent transactions or transactions spending the same value of bitcoin increasingly than once, known as a double-spend. Miners provide processing power to the bitcoin network in mart for the opportunity to be rewarded bitcoin. Miners validate new transactions and record them on the global ledger. A new block, containing transactions that occurred since the last block, is "mined" every 10 minutes on average, thereby subtracting those transactions to the blockchain. Transactions that wilt part of a woodcut and widow to the blockchain are considered "confirmed," which allows the new owners of bitcoin to spend the bitcoin they received in those transactions. Miners receive two types of rewards for mining: new coins created with each new block, and transaction fees from all the transactions included in the block. To earn this reward, the miners compete to solve a difficult mathematical problem based on a cryptographic hash algorithm. The solution to the problem, tabbed the proof of work, is included in the new woodcut and acts as proof that the miner expended significant computing effort. The competition to solve the proof-of-work algorithm to earn reward and the right to record transactions on the blockchain is the understructure for bitcoin’s security model. The process of new forge generation is tabbed mining considering the reward is designed to simulate diminishing returns, just like mining for precious metals. Bitcoin’s money supply is created through mining, similar to how a inside wall issues new money by printing wall notes. The value of newly created bitcoin a miner can add to a woodcut decreases approximately every four years (or precisely every 210,000 blocks). It started at 50 bitcoin per woodcut in January of 2009 and halved to 25 bitcoin per woodcut in November of 2012. It will halve then to 12.5 bitcoin per woodcut sometime in 2016. Based on this formula, bitcoin mining rewards subtract exponentially until approximately the year 2140, when all bitcoin (20.99999998 million) will have been issued.Without2140, no new bitcoins will be issued. Bitcoin miners moreover earn fees from transactions. Every transaction may include a transaction fee, in the form of a surplus of bitcoin between the transaction’s inputs and outputs. The winning bitcoin miner gets to "keep the change" on the transactions included in the winning block. Today, the fees represent 0.5% or less of a bitcoin miner’s income, the vast majority coming from the newly minted bitcoins. However, as the reward decreases over time and the number of transactions per woodcut increases, a greater proportion of bitcoin mining earnings will come from fees.Without2140, all bitcoin miner earnings will be in the form of transaction fees. The word "mining" is somewhat misleading. By evoking the extraction of precious metals, it focuses our sustentation on the reward for mining, the new bitcoins in each block. Although mining is incentivized by this reward, the primary purpose of mining is not the reward or the generation of new coins. If you view mining only as the process by which coins are created, you are mistaking the ways (incentives) as a goal of the process. Mining is the main process of the decentralized clearinghouse, by which transactions are validated and cleared. Mining secures the bitcoin system and enables the emergence of network-wide consensus without a inside authority. Mining is the invention that makes bitcoin special, a decentralized security mechanism that is the understructure for peer-to-peer digital cash. The reward of newly minted coins and transaction fees is an incentive scheme that aligns the deportment of miners with the security of the network, while simultaneously implementing the monetary supply. In this chapter, we will first examine mining as a monetary supply mechanism and then squint at the most important function of mining: the decentralized emergent consensus mechanism that underpins bitcoin’s security. Bitcoin Economics and CurrencyMegacosmBitcoins are "minted" during the megacosm of each woodcut at a stock-still and diminishing rate. Each block, generated on stereotype every 10 minutes, contains entirely new bitcoins, created from nothing. Every 210,000 blocks, or approximately every four years, the currency issuance rate is decreased by 50%. For the first four years of operation of the network, each woodcut contained 50 new bitcoins. In November 2012, the new bitcoin issuance rate was decreased to 25 bitcoins per woodcut and it will subtract then to 12.5 bitcoins at woodcut 420,000, which will be mined sometime in 2016. The rate of new coins decreases like this exponentially over 64 "halvings" until woodcut 13,230,000 (mined approximately in year 2137), when it reaches the minimum currency unit of 1 satoshi. Finally, without 13.44 million blocks, in approximately 2140, scrutinizingly 2,099,999,997,690,000 satoshis, or scrutinizingly 21 million bitcoins, will be issued. Thereafter, blocks will contain no new bitcoins, and miners will be rewarded solely through the transaction fees. [bitcoin_money_supply] shows the total bitcoin in diffusion over time, as the issuance of currency decreases.Icon52. Supply of bitcoin currency over time based on a geometrically decreasing issuance rate Note The maximum number of coins mined is the upper limit of possible mining rewards for bitcoin. In practice, a miner may intentionally mine a woodcut taking less than the full reward. Such blocks have once been mined and increasingly may be mined in the future, resulting in a lower total issuance of the currency. In the example lawmaking in [max_money], we summate the total value of bitcoin that will be issued. Example 24. A script for gingerly how much total bitcoin will be issued [max_money_run] shows the output produced by running this script. Example 25. Running the max_money.py script The finite and diminishing issuance creates a stock-still monetary supply that resists inflation. Unlike a fiat currency, which can be printed in infinite numbers by a inside bank, bitcoin can never be inflated by printing. Deflationary Money The most important and debated magnitude of a stock-still and diminishing monetary issuance is that the currency will tend to be inherently deflationary. Deflation is the miracle of appreciation of value due to a mismatch in supply and demand that drives up the value (and mart rate) of a currency. The opposite of inflation, price deflation ways that the money has increasingly purchasing power over time. Many economists oppose that a deflationary economy is a disaster that should be avoided at all costs. That is considering in a period of rapid deflation, people tend to hoard money instead of spending it, hoping that prices will fall. Such a miracle unfolded during Japan’s "Lost Decade," when a well-constructed swoon of demand pushed the currency into a deflationary spiral. Bitcoin experts oppose that deflation is not bad per se. Rather, deflation is associated with a swoon in demand considering that is the only example of deflation we have to study. In a fiat currency with the possibility of unlimited printing, it is very difficult to enter a deflationary screw unless there is a well-constructed swoon in demand and an unwillingness to print money. Deflation in bitcoin is not caused by a swoon in demand, but by a predictably constrained supply. In practice, it has wilt evident that the hoarding instinct caused by a deflationary currency can be overcome by discounting from vendors, until the unbelieve overcomes the hoarding instinct of the buyer.Consideringthe seller is moreover motivated to hoard, the unbelieve becomes the equilibrium price at which the two hoarding instincts are matched. With discounts of 30% on the bitcoin price, most bitcoin retailers are not experiencing difficulty overcoming the hoarding instinct and generating revenue. It remains to be seen whether the deflationary speciality of the currency is really a problem when it is not driven by rapid economic retraction. Decentralized Consensus In the previous installment we looked at the blockchain, the global public ledger (list) of all transactions, which everyone in the bitcoin network accepts as the supervisory record of ownership. But how can everyone in the network stipulate on a single universal "truth" well-nigh who owns what, without having to trust anyone? All traditional payment systems depend on a trust model that has a inside validity providing a clearinghouse service, basically verifying and transplanting all transactions. Bitcoin has no inside authority, yet somehow every full node has a well-constructed reprinting of a public ledger that it can trust as the supervisory record. The blockchain is not created by a inside authority, but is assembled independently by every node in the network. Somehow, every node in the network, vicarial on information transmitted wideness insecure network connections, can victorious at the same conclusion and hoke a reprinting of the same public ledger as everyone else. This installment examines the process by which the bitcoin network achieves global consensus without inside authority. Satoshi Nakamoto’s main invention is the decentralized mechanism for emergent consensus. Emergent, considering consensus is not achieved explicitly—there is no referendum or stock-still moment when consensus occurs. Instead, consensus is an emergent fabrication of the asynchronous interaction of thousands of self-sustaining nodes, all pursuit simple rules. All the properties of bitcoin, including currency, transactions, payments, and the security model that does not depend on inside validity or trust, derive from this invention. Bitcoin’s decentralized consensus emerges from the interplay of four processes that occur independently on nodes wideness the network:Self-sustainingverification of each transaction, by every full node, based on a comprehensive list of criteriaSelf-sustainingaggregation of those transactions into new blocks by mining nodes, coupled with demonstrated computation through a proof-of-work algorithmSelf-sustainingverification of the new blocks by every node and turnout into a chainSelf-sustainingselection, by every node, of the uniting with the most cumulative computation demonstrated through proof of work In the next few sections we will examine these processes and how they interact to create the emergent property of network-wide consensus that allows any bitcoin node to hoke its own reprinting of the authoritative, trusted, public, global ledger.Self-sustainingVerification of Transactions In [transactions], we saw how wallet software creates transactions by collecting UTXO, providing the towardly unlocking scripts, and then constructing new outputs prescribed to a new owner. The resulting transaction is then sent to the neighboring nodes in the bitcoin network so that it can be propagated wideness the unshortened bitcoin network. However, surpassing forwarding transactions to its neighbors, every bitcoin node that receives a transaction will first verify the transaction. This ensures that only valid transactions are propagated wideness the network, while invalid transactions are discarded at the first node that encounters them. Each node verifies every transaction versus a long checklist of criteria: The transaction’s syntax and data structure must be correct. Neither lists of inputs or outputs are empty. The transaction size in bytes is less than MAX_BLOCK_SIZE. Each output value, as well as the total, must be within the unliable range of values (less than 21m coins, increasingly than 0). None of the inputs have hash=0, N=–1 (coinbase transactions should not be relayed). nLockTime is less than or equal to INT_MAX. The transaction size in bytes is greater than or equal to 100. The number of signature operations contained in the transaction is less than the signature operation limit. The unlocking script (scriptSig) can only push numbers on the stack, and the locking script (scriptPubkey) must match isStandard forms (this rejects "nonstandard" transactions). A matching transaction in the pool, or in a woodcut in the main branch, must exist. For each input, if the referenced output exists in any other transaction in the pool, the transaction must be rejected. For each input, squint in the main workshop and the transaction pool to find the referenced output transaction. If the output transaction is missing for any input, this will be an orphan transaction. Add to the orphan transactions pool, if a matching transaction is not once in the pool. For each input, if the referenced output transaction is a coinbase output, it must have at least COINBASE_MATURITY (100) confirmations. For each input, the referenced output must exist and cannot once be spent. Using the referenced output transactions to get input values, trammels that each input value, as well as the sum, are in the unliable range of values (less than 21m coins, increasingly than 0). Reject if the sum of input values is less than sum of output values. Reject if transaction fee would be too low to get into an empty block. The unlocking scripts for each input must validate versus the respective output locking scripts. These conditions can be seen in detail in the functions AcceptToMemoryPool, CheckTransaction, and CheckInputs in the bitcoin reference client. Note that the conditions transpiration over time, to write new types of denial-of-service attacks or sometimes to relax the rules so as to include increasingly types of transactions. By independently verifying each transaction as it is received and surpassing propagating it, every node builds a pool of valid (but unconfirmed) transactions known as the transaction pool, memory pool or mempool. Mining Nodes Some of the nodes on the bitcoin network are specialized nodes tabbed miners. In [ch01_intro_what_is_bitcoin] we introduced Jing, a computer engineering student in Shanghai, China, who is a bitcoin miner. Jing earns bitcoin by running a "mining rig," which is a specialized computer-hardware system designed to mine bitcoins. Jing’s specialized mining hardware is unfluctuating to a server running a full bitcoin node. Unlike Jing, some miners mine without a full node, as we will see in [mining_pools]. Like every other full node, Jing’s node receives and propagates unconfirmed transactions on the bitcoin network. Jing’s node, however, moreover aggregates these transactions into new blocks. Jing’s node is listening for new blocks, propagated on the bitcoin network, as do all nodes. However, the inrush of a new woodcut has special significance for a mining node. The competition among miners powerfully ends with the propagation of a new woodcut that acts as an utterance of a winner. To miners, receiving a new woodcut ways someone else won the competition and they lost. However, the end of one round of a competition is moreover the whence of the next round. The new woodcut is not just a polychrome flag, marking the end of the race; it is moreover the starting pistol in the race for the next block. Aggregating Transactions into BlocksWithoutvalidating transactions, a bitcoin node will add them to the memory pool, or transaction pool, where transactions rely until they can be included (mined) into a block. Jing’s node collects, validates, and relays new transactions just like any other node. Unlike other nodes, however, Jing’s node will then volume these transactions into a candidate block. Let’s follow the blocks that were created during the time Alice bought a cup of coffee from Bob’sSideboard(see [cup_of_coffee]). Alice’s transaction was included in woodcut 277,316. For the purpose of demonstrating the concepts in this chapter, let’s seem that woodcut was mined by Jing’s mining system and follow Alice’s transaction as it becomes part of this new block. Jing’s mining node maintains a local reprinting of the blockchain, the list of all blocks created since the whence of the bitcoin system in 2009. By the time Alice buys the cup of coffee, Jing’s node has assembled a uniting up to woodcut 277,314. Jing’s node is listening for transactions, trying to mine a new woodcut and moreover listening for blocks discovered by other nodes. As Jing’s node is mining, it receives woodcut 277,315 through the bitcoin network. The inrush of this woodcut signifies the end of the competition for woodcut 277,315 and the whence of the competition to create woodcut 277,316. During the previous 10 minutes, while Jing’s node was searching for a solution to woodcut 277,315, it was moreover collecting transactions in preparation for the next block. By now it has placid a few hundred transactions in the memory pool. Upon receiving woodcut 277,315 and validating it, Jing’s node will moreover trammels all the transactions in the memory pool and remove any that were included in woodcut 277,315. Whatever transactions remain in the memory pool are unconfirmed and are waiting to be recorded in a new block. Jing’s node immediately constructs a new empty block, a candidate for woodcut 277,316. This woodcut is tabbed a candidate woodcut considering it is not yet a valid block, as it does not contain a valid proof of work. The woodcut becomes valid only if the miner succeeds in finding a solution to the proof-of-work algorithm. Transaction Age, Fees, and Priority To construct the candidate block, Jing’s bitcoin node selects transactions from the memory pool by applying a priority metric to each transaction and subtracting the highest priority transactions first. Transactions are prioritized based on the "age" of the UTXO that is stuff spent in their inputs, permitting for old and high-value inputs to be prioritized over newer and smaller inputs. Prioritized transactions can be sent without any fees, if there is unbearable space in the block. The priority of a transaction is calculated as the sum of the value and age of the inputs divided by the total size of the transaction: Priority = Sum (Value of input * Input Age) / Transaction Size In this equation, the value of an input is measured in the wiring unit, satoshis (1/100m of a bitcoin). The age of a UTXO is the number of blocks that have elapsed since the UTXO was recorded on the blockchain, measuring how many blocks "deep" into the blockchain it is. The size of the transaction is measured in bytes. For a transaction to be considered "high priority," its priority must be greater than 57,600,000, which corresponds to one bitcoin (100m satoshis), weather-beaten one day (144 blocks), in a transaction of 250 bytes total size:UpperPriority > 100,000,000 satoshis * 144 blocks / 250 bytes = 57,600,000 The first 50 kilobytes of transaction space in a woodcut are set whispered for high-priority transactions. Jing’s node will fill the first 50 kilobytes, prioritizing the highest priority transactions first, regardless of fee. This allows high-priority transactions to be processed plane if they siphon zero fees. Jing’s mining node then fills the rest of the woodcut up to the maximum woodcut size (MAX_BLOCK_SIZE in the code), with transactions that siphon at least the minimum fee, prioritizing those with the highest fee per kilobyte of transaction. If there is any space remaining in the block, Jing’s mining node might segregate to fill it with no-fee transactions. Some miners segregate to mine transactions without fees on a best-effort basis. Other miners may segregate to ignore transactions without fees. Any transactions left in the memory pool, without the woodcut is filled, will remain in the pool for inclusion in the next block. As transactions remain in the memory pool, their inputs "age," as the UTXO they spend get deeper into the blockchain with new blocks widow on top.Consideringa transaction’s priority depends on the age of its inputs, transactions remaining in the pool will age and therefore increase in priority.Soonera transaction without fees might reach a upper unbearable priority to be included in the woodcut for free. Bitcoin transactions do not have an expiration time-out. A transaction that is valid now will be valid in perpetuity. However, if a transaction is only propagated wideness the network once, it will persist only as long as it is held in a mining node memory pool. When a mining node is restarted, its memory pool is wiped clear, considering it is a transient non-persistent form of storage. Although a valid transaction might have been propagated wideness the network, if it is not executed it may sooner not reside in the memory pool of any miner. Wallet software is expected to retransmit such transactions or reconstruct them with higher fees if they are not successfully executed within a reasonable value of time. When Jing’s node aggregates all the transactions from the memory pool, the new candidate woodcut has 418 transactions with total transaction fees of 0.09094928 bitcoin. You can see this woodcut in the blockchain using the BitcoinCadreclient command-line interface, as shown in [block277316]. Example 26.Woodcut277,316 The Generation Transaction The first transaction widow to the woodcut is a special transaction, tabbed a generation transaction or coinbase transaction. This transaction is synthetic by Jing’s node and is his reward for the mining effort. Jing’s node creates the generation transaction as a payment to his own wallet: "Pay Jing’s write 25.09094928 bitcoin." The total value of reward that Jing collects for mining a woodcut is the sum of the coinbase reward (25 new bitcoins) and the transaction fees (0.09094928) from all the transactions included in the woodcut as shown in [generation_tx_example]: $ bitcoin-cli getrawtransaction d5ada064c6417ca25c4308bd158c34b77e1c0eca2a73cda16c737e7424afba2f 1 Example 27. Generation transaction Unlike regular transactions, the generation transaction does not slosh (spend) UTXO as inputs. Instead, it has only one input, tabbed the coinbase, which creates bitcoin from nothing. The generation transaction has one output, payable to the miner’s own bitcoin address. The output of the generation transaction sends the value of 25.09094928 bitcoins to the miner’s bitcoin address, in this specimen 1MxTkeEP2PmHSMze5tUZ1hAV3YTKu2Gh1N. Coinbase Reward and Fees To construct the generation transaction, Jing’s node first calculates the total value of transaction fees by subtracting all the inputs and outputs of the 418 transactions that were widow to the block. The fees are calculated as: Total Fees = Sum(Inputs) - Sum(Outputs) In woodcut 277,316, the total transaction fees are 0.09094928 bitcoins. Next, Jing’s node calculates the correct reward for the new block. The reward is calculated based on the woodcut height, starting at 50 bitcoins per woodcut and reduced by half every 210,000 blocks.Consideringthis woodcut is at height 277,316, the correct reward is 25 bitcoins. The numbering can be seen in function GetBlockSubsidy in the BitcoinCadreclient, as shown in [getblocksubsidy_source]. Example 28.Gingerlythe woodcut reward — Function GetBlockSubsidy, BitcoinCadreClient, main.cpp The initial subsidy is calculated in satoshis by multiplying 50 with the COIN unvarying (100,000,000 satoshis). This sets the initial reward (nSubsidy) at 5 billion satoshis. Next, the function calculates the number of halvings that have occurred by dividing the current woodcut height by the halving interval (SubsidyHalvingInterval). In the specimen of woodcut 277,316, with a halving interval every 210,000 blocks, the result is 1 halving. The maximum number of halvings unliable is 64, so the lawmaking imposes a zero reward (return only the fees) if the 64 halvings is exceeded. Next, the function uses the binary-right-shift operator to divide the reward (nSubsidy) by two for each round of halving. In the specimen of woodcut 277,316, this would binary-right-shift the reward of 5 billion satoshis once (one halving) and result in 2.5 billion satoshis, or 25 bitcoins. The binary-right-shift operator is used considering it is increasingly efficient for semester by two than integer or floating-point division. Finally, the coinbase reward (nSubsidy) is widow to the transaction fees (nFees), and the sum is returned. Structure of the Generation Transaction With these calculations, Jing’s node then constructs the generation transaction to pay himself 25.09094928 bitcoin. As you can see in [generation_tx_example], the generation transaction has a special format. Instead of a transaction input specifying a previous UTXO to spend, it has a "coinbase" input. We examined transaction inputs in [tx_in_structure]. Let’s compare a regular transaction input with a generation transaction input. [table_8-1] shows the structure of a regular transaction, while [table_8-2] shows the structure of the generation transaction’s input. Table 23. The structure of a "normal" transaction input Size FieldUnravelment32 bytes Transaction Hash Pointer to the transaction containing the UTXO to be spent 4 bytes OutputAlphabetizeThe alphabetize number of the UTXO to be spent, first one is 0 1-9 bytes (VarInt) Unlocking-Script Size Unlocking-Script length in bytes, to follow Variable Unlocking-Script A script that fulfills the conditions of the UTXO locking script. 4 bytes Sequence Number Currently disabled Tx-replacement feature, set to 0xFFFFFFFF Table 24. The structure of a generation transaction input Size FieldUnravelment32 bytes Transaction Hash All shit are zero: Not a transaction hash reference 4 bytes OutputAlphabetizeAll shit are ones: 0xFFFFFFFF 1-9 bytes (VarInt) Coinbase Data Size Length of the coinbase data, from 2 to 100 bytes Variable Coinbase DataWrong-headeddata used for uneaten nonce and mining tags in v2 blocks, must uncork with woodcut height 4 bytes Sequence Number Set to 0xFFFFFFFF In a generation transaction, the first two fields are set to values that do not represent a UTXO reference. Instead of a "Transaction Hash," the first field is filled with 32 bytes all set to zero. The "Output Index" is filled with 4 bytes all set to 0xFF (255 decimal). The "Unlocking Script" is replaced by coinbase data, an wrong-headed data field used by the miners. Coinbase Data Generation transactions do not have an unlocking script (a.k.a., scriptSig) field. Instead, this field is replaced by coinbase data, which must be between 2 and 100 bytes. Except for the first few bytes, the rest of the coinbase data can be used by miners in any way they want; it is wrong-headed data. In the genesis block, for example, Satoshi Nakamoto widow the text "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks" in the coinbase data, using it as a proof of the stage and to convey a message. Currently, miners use the coinbase data to include uneaten nonce values and strings identifying the mining pool, as we will see in the pursuit sections. The first few bytes of the coinbase used to be arbitrary, but that is no longer the case. As per BitcoinResurgenceProposal 34 (BIP0034), version-2 blocks (blocks with the version field set to 2) must contain the woodcut height alphabetize as a script "push" operation in the whence of the coinbase field. In woodcut 277,316 we see that the coinbase (see [generation_tx_example]), which is in the "Unlocking Script" or scriptSig field of the transaction input, contains the hexadecimal value 03443b0403858402062f503253482f. Let’s decode this value. The first byte, 03, instructs the script execution engine to push the next three bytes onto the script stack (see [tx_script_ops_table_pushdata]). The next three bytes, 0x443b04, are the woodcut height encoded in little-endian format (backward, least significant byte first). Reverse the order of the bytes and the result is 0x043b44, which is 277,316 in decimal. The next few hexadecimal digits (03858402062) are used to encode an uneaten nonce (see [extra_nonce]), or random value, used to find a suitable proof of work solution. The final part of the coinbase data (2f503253482f) is the ASCII-encoded string /P2SH/, which indicates that the mining node that mined this woodcut supports the pay-to-script-hash (P2SH) resurgence specified in BIP0016. The introduction of the P2SH sufficiency required a "vote" by miners to endorse either BIP0016 or BIP0017. Those endorsing the BIP0016 implementation were to include /P2SH/ in their coinbase data. Those endorsing the BIP0017 implementation of P2SH were to include the string p2sh/CHV in their coinbase data. The BIP0016 was elected as the winner, and many miners unfurled including the string /P2SH/ in their coinbase to indicate support for this feature. [satoshi_words] uses the libbitcoin library introduced in [alt_libraries] to pericope the coinbase data from the genesis block, displaying Satoshi’s message. Note that the libbitcoin library contains a static reprinting of the genesis block, so the example lawmaking can retrieve the genesis woodcut directly from the library. Example 29.Pericopethe coinbase data from the genesis woodcut We compile the lawmaking with the GNU C++ compiler and run the resulting executable, as shown in [satoshi_words_run]. Example 30. Compiling and running the satoshi-words example lawmaking Constructing theWoodcutHeader To construct the woodcut header, the mining node needs to fill in six fields, as listed in [block_header_structure_ch08]. Table 25. The structure of the woodcut header Size FieldUnravelment4 bytes Version A version number to track software/protocol upgrades 32 bytes PreviousWoodcutHash A reference to the hash of the previous (parent) woodcut in the uniting 32 bytes Merkle Root A hash of the root of the merkle tree of this block’s transactions 4 bytes Timestamp The injudicious megacosm time of this woodcut (seconds from Unix Epoch) 4 bytes Difficulty Target The proof-of-work algorithm difficulty target for this woodcut 4 bytes Nonce A counter used for the proof-of-work algorithm At the time that woodcut 277,316 was mined, the version number describing the woodcut structure is version 2, which is encoded in little-endian format in 4 bytes as 0x02000000. Next, the mining node needs to add the "PreviousWoodcutHash." That is the hash of the woodcut header of woodcut 277,315, the previous woodcut received from the network, which Jing’s node has wonted and selected as the parent of the candidate woodcut 277,316. The woodcut header hash for woodcut 277,315 is: 0000000000000002a7bbd25a417c0374cc55261021e8a9ca74442b01284f0569 The next step is to summarize all the transactions with a merkle tree, in order to add the merkle root to the woodcut header. The generation transaction is listed as the first transaction in the block. Then, 418 increasingly transactions are widow without it, for a total of 419 transactions in the block. As we saw in the [merkle_trees], there must be an plane number of "leaf" nodes in the tree, so the last transaction is duplicated, creating 420 nodes, each containing the hash of one transaction. The transaction hashes are then combined, in pairs, creating each level of the tree, until all the transactions are summarized into one node at the "root" of the tree. The root of the merkle tree summarizes all the transactions into a single 32-byte value, which you can see listed as "merkle root" in [block277316], and here: c91c008c26e50763e9f548bb8b2fc323735f73577effbc55502c51eb4cc7cf2e The mining node will then add a 4-byte timestamp, encoded as a Unix "Epoch" timestamp, which is based on the number of seconds elapsed from January 1, 1970, midnight UTC/GMT. The time 1388185914 is equal to Friday, 27 Dec 2013, 23:11:54 UTC/GMT. The node then fills in the difficulty target, which defines the required proof-of-work difficulty to make this a valid block. The difficulty is stored in the woodcut as a "difficulty bits" metric, which is a mantissa-exponent encoding of the target. The encoding has a 1-byte exponent, followed by a 3-byte mantissa (coefficient). In woodcut 277,316, for example, the difficulty shit value is 0x1903a30c. The first part 0x19 is a hexadecimal exponent, while the next part, 0x03a30c, is the coefficient. The concept of a difficulty target is explained in [difficulty_target] and the "difficulty bits" representation is explained in [difficulty_bits]. The final field is the nonce, which is initialized to zero. With all the other fields filled, the woodcut header is now well-constructed and the process of mining can begin. The goal is now to find a value for the nonce that results in a woodcut header hash that is less than the difficulty target. The mining node will need to test billions or trillions of nonce values surpassing a nonce is found that satisfies the requirement. Mining theWoodcutNow that a candidate woodcut has been synthetic by Jing’s node, it is time for Jing’s hardware mining rig to "mine" the block, to find a solution to the proof-of-work algorithm that makes the woodcut valid. Throughout this typesetting we have studied cryptographic hash functions as used in various aspects of the bitcoin system. The hash function SHA256 is the function used in bitcoin’s mining process. In the simplest terms, mining is the process of hashing the woodcut header repeatedly, waffly one parameter, until the resulting hash matches a specific target. The hash function’s result cannot be unswayable in advance, nor can a pattern be created that will produce a specific hash value. This full-length of hash functions ways that the only way to produce a hash result matching a specific target is to try then and again, randomly modifying the input until the desired hash result appears by chance. Proof-Of-Work Algorithm A hash algorithm takes an arbitrary-length data input and produces a fixed-length deterministic result, a digital fingerprint of the input. For any specific input, the resulting hash will unchangingly be the same and can be hands calculated and verified by anyone implementing the same hash algorithm. The key foible of a cryptographic hash algorithm is that it is virtually untellable to find two variegated inputs that produce the same fingerprint. As a corollary, it is moreover virtually untellable to select an input in such a way as to produce a desired fingerprint, other than trying random inputs. With SHA256, the output is unchangingly 256 shit long, regardless of the size of the input. In [sha256_example1], we will use the Python interpreter to summate the SHA256 hash of the phrase, "I am Satoshi Nakamoto." Example 31. SHA256 example [sha256_example1] shows the result of gingerly the hash of "I am Satoshi Nakamoto": 5d7c7ba21cbbcd75d14800b100252d5b428e5b1213d27c385bc141ca6b47989e. This 256-bit number is the hash or rewording of the phrase and depends on every part of the phrase.Subtractinga single letter, punctuation mark, or any other weft will produce a variegated hash. Now, if we transpiration the phrase, we should expect to see completely variegated hashes. Let’s try that by subtracting a number to the end of our phrase, using the simple Python scripting in [sha256_example_generator]. Example 32. SHA256 A script for generating many hashes by iterating on a nonce Running this will produce the hashes of several phrases, made variegated by subtracting a number at the end of the text. By incrementing the number, we can get variegated hashes, as shown in [sha256_example_generator_output]. Example 33. SHA256 output of a script for generating many hashes by iterating on a nonce I am Satoshi Nakamoto0 => a80a81401765c8eddee25df36728d732... I am Satoshi Nakamoto1 => f7bc9a6304a4647bb41241a677b5345f... I am Satoshi Nakamoto2 => ea758a8134b115298a1583ffb80ae629... I am Satoshi Nakamoto3 => bfa9779618ff072c903d773de30c99bd... I am Satoshi Nakamoto4 => bce8564de9a83c18c31944a66bde992f... I am Satoshi Nakamoto5 => eb362c3cf3479be0a97a20163589038e... I am Satoshi Nakamoto6 => 4a2fd48e3be420d0d28e202360cfbaba... I am Satoshi Nakamoto7 => 790b5a1349a5f2b909bf74d0d166b17a... I am Satoshi Nakamoto8 => 702c45e5b15aa54b625d68dd947f1597... I am Satoshi Nakamoto9 => 7007cf7dd40f5e933cd89fff5b791ff0... I am Satoshi Nakamoto10 => c2f38c81992f4614206a21537bd634a... I am Satoshi Nakamoto11 => 7045da6ed8a914690f087690e1e8d66... I am Satoshi Nakamoto12 => 60f01db30c1a0d4cbce2b4b22e88b9b... I am Satoshi Nakamoto13 => 0ebc56d59a34f5082aaef3d66b37a66... I am Satoshi Nakamoto14 => 27ead1ca85da66981fd9da01a8c6816... I am Satoshi Nakamoto15 => 394809fb809c5f83ce97ab554a2812c... I am Satoshi Nakamoto16 => 8fa4992219df33f50834465d3047429... I am Satoshi Nakamoto17 => dca9b8b4f8d8e1521fa4eaa46f4f0cd... I am Satoshi Nakamoto18 => 9989a401b2a3a318b01e9ca9a22b0f3... I am Satoshi Nakamoto19 => cda56022ecb5b67b2bc93a2d764e75f... Each phrase produces a completely variegated hash result. They seem completely random, but you can reproduce the word-for-word results in this example on any computer with Python and see the same word-for-word hashes. The number used as a variable in such a scenario is tabbed a nonce. The nonce is used to vary the output of a cryptographic function, in this specimen to vary the SHA256 fingerprint of the phrase. To make a rencontre out of this algorithm, let’s set an wrong-headed target: find a phrase that produces a hexadecimal hash that starts with a zero. Fortunately, this isn’t difficult! [sha256_example_generator_output] shows that the phrase "I am Satoshi Nakamoto13" produces the hash 0ebc56d59a34f5082aaef3d66b37a661696c2b618e62432727216ba9531041a5, which fits our criteria. It took 13 attempts to find it. In terms of probabilities, if the output of the hash function is evenly distributed we would expect to find a result with a 0 as the hexadecimal prefix once every 16 hashes (one out of 16 hexadecimal digits 0 through F). In numerical terms, that ways finding a hash value that is less than 0x1000000000000000000000000000000000000000000000000000000000000000. We undeniability this threshold the target and the goal is to find a hash that is numerically less than the target. If we subtract the target, the task of finding a hash that is less than the target becomes increasingly and increasingly difficult. To requite a simple analogy, imagine a game where players throw a pair of dice repeatedly, trying to throw less than a specified target. In the first round, the target is 12. Unless you throw double-six, you win. In the next round the target is 11. Players must throw 10 or less to win, then an easy task. Let’s say a few rounds later the target is lanugo to 5. Now, increasingly than half the dice throws will add up to increasingly than 5 and therefore be invalid. It takes exponentially increasingly dice throws to win, the lower the target gets. Eventually, when the target is 2 (the minimum possible), only one throw out of every 36, or 2% of them, will produce a winning result. In [sha256_example_generator_output], the winning "nonce" is 13 and this result can be confirmed by anyone independently. Anyone can add the number 13 as a suffix to the phrase "I am Satoshi Nakamoto" and compute the hash, verifying that it is less than the target. The successful result is moreover proof of work, considering it proves we did the work to find that nonce. While it only takes one hash computation to verify, it took us 13 hash computations to find a nonce that worked. If we had a lower target (higher difficulty) it would take many increasingly hash computations to find a suitable nonce, but only one hash computation for anyone to verify. Furthermore, by knowing the target, anyone can estimate the difficulty using statistics and therefore know how much work was needed to find such a nonce. Bitcoin’s proof of work is very similar to the rencontre shown in [sha256_example_generator_output]. The miner constructs a candidate woodcut filled with transactions. Next, the miner calculates the hash of this block’s header and sees if it is smaller than the current target. If the hash is not less than the target, the miner will modify the nonce (usually just incrementing it by one) and try again. At the current difficulty in the bitcoin network, miners have to try quadrillions of times surpassing finding a nonce that results in a low unbearable woodcut header hash. A very simplified proof-of-work algorithm is implemented in Python in [pow_example1]. Example 34. Simplified proof-of-work implementation Running this code, you can set the desired difficulty (in bits, how many of the leading shit must be zero) and see how long it takes for your computer to find a solution. In [pow_example_outputs], you can see how it works on an stereotype laptop. Example 35. Running the proof of work example for various difficulties Difficulty: 1 (0 bits) [...] Difficulty: 8 (3 bits) Starting search... Success with nonce 9 Hash is 1c1c105e65b47142f028a8f93ddf3dabb9260491bc64474738133ce5256cb3c1 Elapsed Time: 0.0004 seconds Hashing Power: 25065 hashes per second Difficulty: 16 (4 bits) Starting search... Success with nonce 25 Hash is 0f7becfd3bcd1a82e06663c97176add89e7cae0268de46f94e7e11bc3863e148 Elapsed Time: 0.0005 seconds Hashing Power: 52507 hashes per second Difficulty: 32 (5 bits) Starting search... Success with nonce 36 Hash is 029ae6e5004302a120630adcbb808452346ab1cf0b94c5189ba8bac1d47e7903 Elapsed Time: 0.0006 seconds Hashing Power: 58164 hashes per second [...] Difficulty: 4194304 (22 bits) Starting search... Success with nonce 1759164 Hash is 0000008bb8f0e731f0496b8e530da984e85fb3cd2bd81882fe8ba3610b6cefc3 Elapsed Time: 13.3201 seconds Hashing Power: 132068 hashes per second Difficulty: 8388608 (23 bits) Starting search... Success with nonce 14214729 Hash is 000001408cf12dbd20fcba6372a223e098d58786c6ff93488a9f74f5df4df0a3 Elapsed Time: 110.1507 seconds Hashing Power: 129048 hashes per second Difficulty: 16777216 (24 bits) Starting search... Success with nonce 24586379 Hash is 0000002c3d6b370fccd699708d1b7cb4a94388595171366b944d68b2acce8b95 Elapsed Time: 195.2991 seconds Hashing Power: 125890 hashes per second [...] Difficulty: 67108864 (26 bits) Starting search... Success with nonce 84561291 Hash is 0000001f0ea21e676b6dde5ad429b9d131a9f2b000802ab2f169cbca22b1e21a Elapsed Time: 665.0949 seconds Hashing Power: 127141 hashes per second As you can see, increasing the difficulty by 1 bit causes an exponential increase in the time it takes to find a solution. If you think of the unshortened 256-bit number space, each time you constrain one increasingly bit to zero, you subtract the search space by half. In [pow_example_outputs], it takes 84 million hash attempts to find a nonce that produces a hash with 26 leading shit as zero.Planeat a speed of increasingly than 120,000 hashes per second, it still requires 10 minutes on a consumer palmtop to find this solution. At the time of writing, the network is attempting to find a woodcut whose header hash is less than 000000000000004c296e6376db3a241271f43fd3f5de7ba18986e517a243baa7. As you can see, there are a lot of zeros at the whence of that hash, meaning that the winning range of hashes is much smaller, hence it’s increasingly difficult to find a valid hash. It will take on stereotype increasingly than 150 quadrillion hash calculations per second for the network to discover the next block. That seems like an untellable task, but fortunately the network is bringing 100 petahashes per second (PH/sec) of processing power to bear, which will be worldly-wise to find a woodcut in well-nigh 10 minutes on average. Difficulty Representation In [block277316], we saw that the woodcut contains the difficulty target, in a notation tabbed "difficulty bits" or just "bits," which in woodcut 277,316 has the value of 0x1903a30c. This notation expresses the difficulty target as a coefficient/exponent format, with the first two hexadecimal digits for the exponent and the next six hex digits as the coefficient. In this block, therefore, the exponent is 0x19 and the coefficient is 0x03a30c. The formula to summate the difficulty target from this representation is: target = coefficient * 2^(8 * (exponent – 3)) Using that formula, and the difficulty shit value 0x1903a30c, we get: target = 0x03a30c * 2^(0x08 * (0x19 - 0x03))^ => target = 0x03a30c * 2^(0x08 * 0x16)^ => target = 0x03a30c * 2^0xB0^ which in decimal is: => target = 238,348 * 2^176^ => target = 22,829,202,948,393,929,850,749,706,076,701,368,331,072,452,018,388,575,715,328 switching when to hexadecimal: => target = 0x0000000000000003A30C00000000000000000000000000000000000000000000 This ways that a valid woodcut for height 277,316 is one that has a woodcut header hash that is less than the target. In binary that number would have increasingly than the first 60 shit set to zero. With this level of difficulty, a single miner processing 1 trillion hashes per second (1 tera-hash per second or 1 TH/sec) would only find a solution once every 8,496 blocks or once every 59 days, on average. Difficulty Target and Retargeting As we saw, the target determines the difficulty and therefore affects how long it takes to find a solution to the proof-of-work algorithm. This leads to the obvious questions: Why is the difficulty adjustable, who adjusts it, and how? Bitcoin’s blocks are generated every 10 minutes, on average. This is bitcoin’s heartbeat and underpins the frequency of currency issuance and the speed of transaction settlement. It has to remain unvarying not just over the short term, but over a period of many decades. Over this time, it is expected that computer power will protract to increase at a rapid pace. Furthermore, the number of participants in mining and the computers they use will moreover constantly change. To alimony the woodcut generation time at 10 minutes, the difficulty of mining must be adjusted to worth for these changes. In fact, difficulty is a dynamic parameter that will be periodically adjusted to meet a 10-minute woodcut target. In simple terms, the difficulty target is set to whatever mining power will result in a 10-minute woodcut interval. How, then, is such an welding made in a completely decentralized network? Difficulty retargeting occurs automatically and on every full node independently. Every 2,016 blocks, all nodes retarget the proof-of-work difficulty. The equation for retargeting difficulty measures the time it took to find the last 2,016 blocks and compares that to the expected time of 20,160 minutes (two weeks based upon a desired 10-minute woodcut time). The ratio between the very timespan and desired timespan is calculated and a respective welding (up or down) is made to the difficulty. In simple terms: If the network is finding blocks faster than every 10 minutes, the difficulty increases. If woodcut discovery is slower than expected, the difficulty decreases. The equation can be summarized as: New Difficulty = Old Difficulty * (Actual Time of Last 2016 Blocks / 20160 minutes) [retarget_difficulty_code] shows the lawmaking used in the BitcoinCadreclient. Example 36. Retargeting the proof-of-work difficulty — CalculateNextWorkRequired() in pow.cpp Note While the difficulty scale happens every 2,016 blocks, considering of an off-by-one error in the original BitcoinCadreclient it is based on the total time of the previous 2,015 blocks (not 2,016 as it should be), resulting in a retargeting bias towards higher difficulty by 0.05%. The parameters Interval (2,016 blocks) and TargetTimespan (two weeks as 1,209,600 seconds) are specified in chainparams.cpp. To stave lattermost volatility in the difficulty, the retargeting welding must be less than a factor of four (4) per cycle. If the required difficulty welding is greater than a factor of four, it will be adjusted by the maximum and not more. Any remoter welding will be workaday in the next retargeting period considering the imbalance will persist through the next 2,016 blocks. Therefore, large discrepancies between hashing power and difficulty might take several 2,016 woodcut cycles to wastefulness out. Tip The difficulty of finding a bitcoin woodcut is approximately 10 minutes of processing for the unshortened network, based on the time it took to find the previous 2,016 blocks, adjusted every 2,016 blocks. Note that the target difficulty is self-sustaining of the number of transactions or the value of transactions. This ways that the value of hashing power and therefore electricity expended to secure bitcoin is moreover entirely self-sustaining of the number of transactions. Bitcoin can scale up, unzip broader adoption, and remain secure without any increase in hashing power from today’s level. The increase in hashing power represents market forces as new miners enter the market to compete for the reward. As long as unbearable hashing power is under the tenancy of miners vicarial honestly in pursuit of the reward, it is unbearable to prevent "takeover" attacks and, therefore, it is unbearable to secure bitcoin. The target difficulty is closely related to the forfeit of electricity and the mart rate of bitcoin vis-a-vis the currency used to pay for electricity. High-performance mining systems are well-nigh as efficient as possible with the current generation of silicon fabrication, converting electricity into hashing computation at the highest rate possible. The primary influence on the mining market is the price of one kilowatt-hour in bitcoin, considering that determines the profitability of mining and therefore the incentives to enter or exit the mining market. Successfully Mining theWoodcutAs we saw earlier, Jing’s node has synthetic a candidate woodcut and prepared it for mining. Jing has several hardware mining rigs with application-specific integrated circuits, where hundreds of thousands of integrated circuits run the SHA256 algorithm in parallel at incredible speeds. These specialized machines are unfluctuating to his mining node over USB. Next, the mining node running on Jing’s desktop transmits the woodcut header to his mining hardware, which starts testing trillions of nonces per second.Scrutinizingly11 minutes without starting to mine woodcut 277,316, one of the hardware mining machines finds a solution and sends it when to the mining node. When inserted into the woodcut header, the nonce 4,215,469,401 produces a woodcut hash of: 0000000000000002a7bbd25a417c0374cc55261021e8a9ca74442b01284f0569 which is less than the target: 0000000000000003A30C00000000000000000000000000000000000000000000 Immediately, Jing’s mining node transmits the woodcut to all its peers. They receive, validate, and then propagate the new block. As the woodcut ripples out wideness the network, each node adds it to its own reprinting of the blockchain, extending it to a new height of 277,316 blocks. As mining nodes receive and validate the block, they welsh their efforts to find a woodcut at the same height and immediately start computing the next woodcut in the chain. In the next section, we’ll squint at the process each node uses to validate a woodcut and select the longest chain, creating the consensus that forms the decentralized blockchain. Validating a NewWoodcutThe third step in bitcoin’s consensus mechanism is self-sustaining validation of each new woodcut by every node on the network. As the newly solved woodcut moves wideness the network, each node performs a series of tests to validate it surpassing propagating it to its peers. This ensures that only valid blocks are propagated on the network. The self-sustaining validation moreover ensures that miners who act honestly get their blocks incorporated in the blockchain, thus earning the reward. Those miners who act dishonestly have their blocks rejected and not only lose the reward, but moreover waste the effort expended to find a proof-of-work solution, thus incurring the forfeit of electricity without compensation. When a node receives a new block, it will validate the woodcut by checking it versus a long list of criteria that must all be met; otherwise, the woodcut is rejected. These criteria can be seen in the BitcoinCadreclient in the functions CheckBlock and CheckBlockHeader and include: The woodcut data structure is syntactically valid The woodcut header hash is less than the target difficulty (enforces the proof of work) The woodcut timestamp is less than two hours in the future (allowing for time errors) The woodcut size is within winning limits The first transaction (and only the first) is a coinbase generation transaction All transactions within the woodcut are valid using the transaction checklist discussed in [tx_verification] The self-sustaining validation of each new woodcut by every node on the network ensures that the miners can’t cheat. In previous sections we saw how the miners get to write a transaction that awards them the new bitcoins created within the woodcut and requirement the transaction fees. Why don’t miners write themselves a transaction for a thousand bitcoin instead of the correct reward?Consideringevery node validates blocks equal to the same rules. An invalid coinbase transaction would make the unshortened woodcut invalid, which would result in the woodcut stuff rejected and, therefore, that transaction would never wilt part of the ledger. The miners have to construct a perfect block, based on the shared rules that all nodes follow, and mine it with a correct solution to the proof of work. To do so, they expend a lot of electricity in mining, and if they cheat, all the electricity and effort is wasted. This is why self-sustaining validation is a key component of decentralized consensus. Assembling and SelectingVillenageof Blocks The final step in bitcoin’s decentralized consensus mechanism is the turnout of blocks into villenage and the selection of the uniting with the most proof of work. Once a node has validated a new block, it will then struggle to hoke a uniting by connecting the woodcut to the existing blockchain. Nodes maintain three sets of blocks: those unfluctuating to the main blockchain, those that form branches off the main blockchain (secondary chains), and finally, blocks that do not have a known parent in the known villenage (orphans). Invalid blocks are rejected as soon as any one of the validation criteria fails and are therefore not included in any chain. The "main chain" at any time is whichever uniting of blocks has the most cumulative difficulty associated with it. Under most circumstances this is moreover the uniting with the most blocks in it, unless there are two equal-length villenage and one has increasingly proof of work. The main uniting will moreover have branches with blocks that are "siblings" to the blocks on the main chain. These blocks are valid but not part of the main chain. They are kept for future reference, in specimen one of those villenage is extended to exceed the main uniting in difficulty. In the next section ([forks]), we will see how secondary villenage occur as a result of an scrutinizingly simultaneous mining of blocks at the same height. When a new woodcut is received, a node will try to slot it into the existing blockchain. The node will squint at the block’s "previous woodcut hash" field, which is the reference to the new block’s parent. Then, the node will struggle to find that parent in the existing blockchain. Most of the time, the parent will be the "tip" of the main chain, meaning this new woodcut extends the main chain. For example, the new woodcut 277,316 has a reference to the hash of its parent woodcut 277,315. Most nodes that receive 277,316 will once have woodcut 277,315 as the tip of their main uniting and will therefore link the new woodcut and proffer that chain. Sometimes, as we will see in [forks], the new woodcut extends a uniting that is not the main chain. In that case, the node will nail the new woodcut to the secondary uniting it extends and then compare the difficulty of the secondary uniting to the main chain. If the secondary uniting has increasingly cumulative difficulty than the main chain, the node will reconverge on the secondary chain, meaning it will select the secondary uniting as its new main chain, making the old main uniting a secondary chain. If the node is a miner, it will now construct a woodcut extending this new, longer, chain. If a valid woodcut is received and no parent is found in the existing chains, that woodcut is considered an "orphan." Orphan blocks are saved in the orphan woodcut pool where they will stay until their parent is received. Once the parent is received and linked into the existing chains, the orphan can be pulled out of the orphan pool and linked to the parent, making it part of a chain. Orphan blocks usually occur when two blocks that were mined within a short time of each other are received in reverse order (child surpassing parent). By selecting the greatest-difficulty chain, all nodes sooner unzip network-wide consensus. Temporary discrepancies between villenage are resolved sooner as increasingly proof of work is added, extending one of the possible chains. Mining nodes "vote" with their mining power by choosing which uniting to proffer by mining the next block. When they mine a new woodcut and proffer the chain, the new woodcut itself represents their vote. In the next section we will squint at how discrepancies between competing villenage (forks) are resolved by the self-sustaining selection of the longest difficulty chain. Blockchain ForksConsideringthe blockchain is a decentralized data structure, variegated copies of it are not unchangingly consistent. Blocks might victorious at variegated nodes at variegated times, causing the nodes to have variegated perspectives of the blockchain. To resolve this, each node unchangingly selects and attempts to proffer the uniting of blocks that represents the most proof of work, moreover known as the longest uniting or greatest cumulative difficulty chain. By summing the difficulty recorded in each woodcut in a chain, a node can summate the total value of proof of work that has been expended to create that chain. As long as all nodes select the longest cumulative difficulty chain, the global bitcoin network sooner converges to a resulting state. Forks occur as temporary inconsistencies between versions of the blockchain, which are resolved by eventual reconvergence as increasingly blocks are widow to one of the forks. In the next few diagrams, we follow the progress of a "fork" event wideness the network. The diagram is a simplified representation of bitcoin as a global network. In reality, the bitcoin network’s topology is not organized geographically. Rather, it forms a mesh network of interconnected nodes, which might be located very far from each other geographically. The representation of a geographic topology is a simplification used for the purposes of illustrating a fork. In the real bitcoin network, the "distance" between nodes is measured in "hops" from node to node, not on their physical location. For tableau purposes, variegated blocks are shown as variegated colors, spreading wideness the network and coloring the connections they traverse. In the first diagram ([fork1]), the network has a unified perspective of the blockchain, with the undecorous woodcut as the tip of the main chain.Icon53. Visualization of a blockchain fork event—before the fork A "fork" occurs whenever there are two candidate blocks competing to form the longest blockchain. This occurs under normal conditions whenever two miners solve the proof-of-work algorithm within a short period of time from each other. As both miners discover a solution for their respective candidate blocks, they immediately unconcentrated their own "winning" woodcut to their firsthand neighbors who uncork propagating the woodcut wideness the network. Each node that receives a valid woodcut will incorporate it into its blockchain, extending the blockchain by one block. If that node later sees flipside candidate woodcut extending the same parent, it connects the second candidate on a secondary chain. As a result, some nodes will "see" one candidate woodcut first, while other nodes will see the other candidate woodcut and two competing versions of the blockchain will emerge. In [fork2], we see two miners who mine two variegated blocks scrutinizingly simultaneously. Both of these blocks are children of the undecorous block, meant to proffer the uniting by towers on top of the undecorous block. To help us track it, one is visualized as a red woodcut originating from Canada, and the other is marked as a untried woodcut originating from Australia. Let’s assume, for example, that a miner in Canada finds a proof-of-work solution for a woodcut "red" that extends the blockchain, towers on top of the parent woodcut "blue."Scrutinizinglysimultaneously, an Australian miner who was moreover extending woodcut "blue" finds a solution for woodcut "green," his candidate block. Now, there are two possible blocks, one we undeniability "red," originating in Canada, and one we undeniability "green," originating in Australia. Both blocks are valid, both blocks contain a valid solution to the proof of work, and both blocks proffer the same parent. Both blocks likely contain most of the same transactions, with only perhaps a few differences in the order of transactions.Icon54. Visualization of a blockchain fork event: two blocks found simultaneously As the two blocks propagate, some nodes receive woodcut "red" first and some receive woodcut "green" first. As shown in [fork3], the network splits into two variegated perspectives of the blockchain, one side topped with a red block, the other with a untried block.Icon55. Visualization of a blockchain fork event: two blocks propagate, splitting the network From that moment, the bitcoin network nodes closest (topologically, not geographically) to the Canadian node will hear well-nigh woodcut "red" first and will create a new greatest-cumulative-difficulty blockchain with "red" as the last woodcut in the uniting (e.g., blue-red), ignoring the candidate woodcut "green" that arrives a bit later. Meanwhile, nodes closer to the Australian node will take that woodcut as the winner and proffer the blockchain with "green" as the last woodcut (e.g., blue-green), ignoring "red" when it arrives a few seconds later. Any miners that saw "red" first will immediately build candidate blocks that reference "red" as the parent and start trying to solve the proof of work for these candidate blocks. The miners that wonted "green" instead will start towers on top of "green" and extending that chain. Forks are scrutinizingly unchangingly resolved within one block. As part of the network’s hashing power is defended to towers on top of "red" as the parent, flipside part of the hashing power is focused on towers on top of "green."Planeif the hashing power is scrutinizingly evenly split, it is likely that one set of miners will find a solution and propagate it surpassing the other set of miners have found any solutions. Let’s say, for example, that the miners towers on top of "green" find a new woodcut "pink" that extends the uniting (e.g., blue-green-pink). They immediately propagate this new woodcut and the unshortened network sees it as a valid solution as shown in [fork4].Icon56. Visualization of a blockchain fork event: a new woodcut extends one fork All nodes that had chosen "green" as the winner in the previous round will simply proffer the uniting one increasingly block. The nodes that chose "red" as the winner, however, will now see two chains: blue-green-pink and blue-red. The uniting blue-green-pink is now longer (more cumulative difficulty) than the uniting blue-red. As a result, those nodes will set the uniting blue-green-pink as main uniting and transpiration the blue-red uniting to stuff a secondary chain, as shown in [fork5]. This is a uniting reconvergence, considering those nodes are forced to revise their view of the blockchain to incorporate the new vestige of a longer chain. Any miners working on extending the uniting blue-red will now stop that work considering their candidate woodcut is an "orphan," as its parent "red" is no longer on the longest chain. The transactions within "red" are queued up then for processing in the next block, considering that woodcut is no longer in the main chain. The unshortened network re-converges on a single blockchain blue-green-pink, with "pink" as the last woodcut in the chain. All miners immediately start working on candidate blocks that reference "pink" as their parent to proffer the blue-green-pink chain.Icon57. Visualization of a blockchain fork event: the network reconverges on a new longest uniting It is theoretically possible for a fork to proffer to two blocks, if two blocks are found scrutinizingly simultaneously by miners on opposite "sides" of a previous fork. However, the endangerment of that happening is very low. Whereas a one-block fork might occur every week, a two-block fork is exceedingly rare. Bitcoin’s woodcut interval of 10 minutes is a diamond compromise between fast confirmation times (settlement of transactions) and the probability of a fork. A faster woodcut time would make transactions well-spoken faster but lead to increasingly frequent blockchain forks, whereas a slower woodcut time would subtract the number of forks but make settlement slower. Mining and the Hashing Race Bitcoin mining is an extremely competitive industry. The hashing power has increased exponentially every year of bitcoin’s existence. Some years the growth has reflected a well-constructed transpiration of technology, such as in 2010 and 2011 when many miners switched from using CPU mining to GPU mining and field programmable gate variety (FPGA) mining. In 2013 the introduction of ASIC mining lead to flipside giant leap in mining power, by placing the SHA256 function directly on silicon fries specialized for the purpose of mining. The first such fries could unhook increasingly mining power in a single box than the unshortened bitcoin network in 2010. The pursuit list shows the total hashing power of the bitcoin network, over the first five years of operation: 2009 0.5 MH/sec–8 MH/sec (16× growth) 2010 8 MH/sec–116 GH/sec (14,500× growth) 2011 16 GH/sec–9 TH/sec (562× growth) 2012 9 TH/sec–23 TH/sec (2.5× growth) 2013 23 TH/sec–10 PH/sec (450× growth) 2014 10 PH/sec–150 PH/sec in August (15× growth) In the orchestration in [network_hashing_power], we see the bitcoin network’s hashing power increase over the past two years. As you can see, the competition between miners and the growth of bitcoin has resulted in an exponential increase in the hashing power (total hashes per second wideness the network).Icon58. Total hashing power, gigahashes per second, over two years As the value of hashing power unromantic to mining bitcoin has exploded, the difficulty has risen to match it. The difficulty metric in the orchestration shown in [bitcoin_difficulty] is measured as a ratio of current difficulty over minimum difficulty (the difficulty of the first block).Icon59. Bitcoin’s mining difficulty metric, over two years In the last two years, the ASIC mining fries have wilt increasingly denser, unescapable the wearing whet of silicon fabrication with a full-length size (resolution) of 22 nanometers (nm). Currently, ASIC manufacturers are aiming to overtake general-purpose CPU tweedle manufacturers, designing fries with a full-length size of 16nm, considering the profitability of mining is driving this industry plane faster than unstipulated computing. There are no increasingly giant leaps left in bitcoin mining, considering the industry has reached the forefront of Moore’s Law, which stipulates that computing density will double approximately every 18 months. Still, the mining power of the network continues to whop at an exponential pace as the race for higher density fries is matched with a race for higher density data centers where thousands of these fries can be deployed. It’s no longer well-nigh how much mining can be washed-up with one chip, but how many fries can be squeezed into a building, while still dissipating the heat and providing unobjectionable power. TheUneatenNonce Solution Since 2012, bitcoin mining has evolved to resolve a fundamental limitation in the structure of the woodcut header. In the early days of bitcoin, a miner could find a woodcut by iterating through the nonce until the resulting hash was unelevated the target. As difficulty increased, miners often cycled through all 4 billion values of the nonce without finding a block. However, this was hands resolved by updating the woodcut timestamp to worth for the elapsed time.Consideringthe timestamp is part of the header, the transpiration would indulge miners to iterate through the values of the nonce then with variegated results. Once mining hardware exceeded 4 GH/sec, however, this tideway became increasingly difficult considering the nonce values were worn-out in less than a second. As ASIC mining equipment started pushing and then exceeding the TH/sec hash rate, the mining software needed increasingly space for nonce values in order to find valid blocks. The timestamp could be stretched a bit, but moving it too far into the future would rationalization the woodcut to wilt invalid. A new source of "change" was needed in the woodcut header. The solution was to use the coinbase transaction as a source of uneaten nonce values.Consideringthe coinbase script can store between 2 and 100 bytes of data, miners started using that space as uneaten nonce space, permitting them to explore a much larger range of woodcut header values to find valid blocks. The coinbase transaction is included in the merkle tree, which ways that any transpiration in the coinbase script causes the merkle root to change. Eight bytes of uneaten nonce, plus the 4 bytes of "standard" nonce indulge miners to explore a total 296 (8 followed by 28 zeros) possibilities per second without having to modify the timestamp. If, in the future, miners could run through all these possibilities, they could then modify the timestamp. There is moreover increasingly space in the coinbase script for future expansion of the uneaten nonce space. Mining Pools In this highly competitive environment, individual miners working vacated (also known as solo miners) don’t stand a chance. The likelihood of them finding a woodcut to offset their electricity and hardware financing is so low that it represents a gamble, like playing the lottery.Planethe fastest consumer ASIC mining system cannot alimony up with commercial systems that stack tens of thousands of these fries in giant warehouses near hydro-electric power stations. Miners now interreact to form mining pools, pooling their hashing power and sharing the reward among thousands of participants. By participating in a pool, miners get a smaller share of the overall reward, but typically get rewarded every day, reducing uncertainty. Let’s squint at a specific example.Seema miner has purchased mining hardware with a combined hashing rate of 6,000 gigahashes per second (GH/s), or 6 TH/s. In August of 2014 this equipment financing approximately $10,000. The hardware consumes 3 kilowatts (kW) of electricity when running, 72 kW-hours a day, at a forfeit of $7 or $8 per day on average. At current bitcoin difficulty, the miner will be worldly-wise to solo mine a woodcut approximately once every 155 days, or every 5 months. If the miner does find a single woodcut in that timeframe, the payout of 25 bitcoins, at approximately $600 per bitcoin, will result in a single payout of $15,000, which will imbricate the unshortened forfeit of the hardware and the electricity consumed over the time period, leaving a net profit of approximately $3,000. However, the endangerment of finding a woodcut in a five-month period depends on the miner’s luck. He might find two blocks in five months and make a very large profit. Or he might not find a woodcut for 10 months and suffer a financial loss.Planeworse, the difficulty of the bitcoin proof-of-work algorithm is likely to go up significantly over that period, at the current rate of growth of hashing power, meaning the miner has, at most, six months to unravel plane surpassing the hardware is powerfully obsolete and must be replaced by increasingly powerful mining hardware. If this miner participates in a mining pool, instead of waiting for a once-in-five-months $15,000 windfall, he will be worldly-wise to earn approximately $500 to $750 per week. The regular payouts from a mining pool will help him amortize the forfeit of hardware and electricity over time without taking an enormous risk. The hardware will still be obsolete in six to nine months and the risk is still high, but the revenue is at least regular and reliable over that period. Mining pools coordinate many hundreds or thousands of miners, over specialized pool-mining protocols. The individual miners configure their mining equipment to connect to a pool server, without creating an worth with the pool. Their mining hardware remains unfluctuating to the pool server while mining, synchronizing their efforts with the other miners. Thus, the pool miners share the effort to mine a woodcut and then share in the rewards. Successful blocks pay the reward to a pool bitcoin address, rather than individual miners. The pool server will periodically make payments to the miners' bitcoin addresses, once their share of the rewards has reached a unrepealable threshold. Typically, the pool server charges a percentage fee of the rewards for providing the pool-mining service. Miners participating in a pool split the work of searching for a solution to a candidate block, earning "shares" for their mining contribution. The mining pool sets a lower difficulty target for earning a share, typically increasingly than 1,000 times easier than the bitcoin network’s difficulty. When someone in the pool successfully mines a block, the reward is earned by the pool and then shared with all miners in proportion to the number of shares they unsalaried to the effort. Pools are unshut to any miner, big or small, professional or amateur. A pool will therefore have some participants with a single small mining machine, and others with a garage full of high-end mining hardware. Some will be mining with a few tens of a kilowatt of electricity, others will be running a data part-way consuming a megawatt of power. How does a mining pool measure the individual contributions, so as to fairly distribute the rewards, without the possibility of cheating? The wordplay is to use bitcoin’s proof-of-work algorithm to measure each pool miner’s contribution, but set at a lower difficulty so that plane the smallest pool miners win a share wontedly unbearable to make it worthwhile to contribute to the pool. By setting a lower difficulty for earning shares, the pool measures the value of work washed-up by each miner. Each time a pool miner finds a woodcut header hash that is less than the pool difficulty, she proves she has washed-up the hashing work to find that result.Increasinglyimportantly, the work to find shares contributes, in a statistically measurable way, to the overall effort to find a hash lower than the bitcoin network’s target. Thousands of miners trying to find low-value hashes will sooner find one low unbearable to satisfy the bitcoin network target. Let’s return to the tableau of a dice game. If the dice players are throwing dice with a goal of throwing less than four (the overall network difficulty), a pool would set an easier target, counting how many times the pool players managed to throw less than eight. When pool players throw less than eight (the pool share target), they earn shares, but they don’t win the game considering they don’t unzip the game target (less than four). The pool players will unzip the easier pool target much increasingly often, earning them shares very regularly, plane when they don’t unzip the harder target of winning the game. Every now and then, one of the pool players will throw a combined dice throw of less than four and the pool wins. Then, the earnings can be distributed to the pool players based on the shares they earned.Planethough the target of eight-or-less wasn’t winning, it was a pearly way to measure dice throws for the players, and it occasionally produces a less-than-four throw. Similarly, a mining pool will set a pool difficulty that will ensure that an individual pool miner can find woodcut header hashes that are less than the pool difficulty quite often, earning shares. Every now and then, one of these attempts will produce a woodcut header hash that is less than the bitcoin network target, making it a valid woodcut and the whole pool wins. Managed pools Most mining pools are "managed," meaning that there is a visitor or individual running a pool server. The owner of the pool server is tabbed the pool operator, and he charges pool miners a percentage fee of the earnings. The pool server runs specialized software and a pool-mining protocol that coordinates the activities of the pool miners. The pool server is moreover unfluctuating to one or increasingly full bitcoin nodes and has uncontrived wangle to a full reprinting of the blockchain database. This allows the pool server to validate blocks and transactions on behalf of the pool miners, relieving them of the undersong of running a full node. For pool miners, this is an important consideration, considering a full node requires a defended computer with at least 15 to 20 GB of persistent storage (disk) and at least 2 GB of memory (RAM). Furthermore, the bitcoin software running on the full node needs to be monitored, maintained, and upgraded frequently. Any reviviscence caused by a lack of maintenance or lack of resources will hurt the miner’s profitability. For many miners, the worthiness to mine without running a full node is flipside big goody of joining a managed pool. Pool miners connect to the pool server using a mining protocol such as Stratum (STM) or GetBlockTemplate (GBT). An older standard tabbed GetWork (GWK) has been mostly obsolete since late 2012, considering it does not hands support mining at hash rates whilom 4 GH/s. Both the STM and GBT protocols create woodcut templates that contain a template of a candidate woodcut header. The pool server constructs a candidate woodcut by aggregating transactions, subtracting a coinbase transaction (with uneaten nonce space), gingerly the merkle root, and linking to the previous woodcut hash. The header of the candidate woodcut is then sent to each of the pool miners as a template. Each pool miner then mines using the woodcut template, at a lower difficulty than the bitcoin network difficulty, and sends any successful results when to the pool server to earn shares. P2Pool Managed pools create the possibility of unchaste by the pool operator, who might uncontrived the pool effort to double-spend transactions or invalidate blocks (see [consensus_attacks]). Furthermore, internal pool servers represent a single-point-of-failure. If the pool server is lanugo or is slowed by a denial-of-service attack, the pool miners cannot mine. In 2011, to resolve these issues of centralization, a new pool mining method was proposed and implemented: P2Pool is a peer-to-peer mining pool, without a inside operator. P2Pool works by decentralizing the functions of the pool server, implementing a parallel blockchain-like system tabbed a share chain. A share uniting is a blockchain running at a lower difficulty than the bitcoin blockchain. The share uniting allows pool miners to interreact in a decentralized pool, by mining shares on the share uniting at a rate of one share woodcut every 30 seconds. Each of the blocks on the share uniting records a proportionate share reward for the pool miners who contribute work, delivering the shares forward from the previous share block. When one of the share blocks moreover achieves the difficulty target of the bitcoin network, it is propagated and included on the bitcoin blockchain, rewarding all the pool miners who unsalaried to all the shares that preceded the winning share block. Essentially, instead of a pool server keeping track of pool miner shares and rewards, the share uniting allows all pool miners to alimony track of all shares using a decentralized consensus mechanism like bitcoin’s blockchain consensus mechanism. P2Pool mining is increasingly ramified than pool mining considering it requires that the pool miners run a defended computer with unbearable disk space, memory, and Internet bandwidth to support a full bitcoin node and the P2Pool node software. P2Pool miners connect their mining hardware to their local P2Pool node, which simulates the functions of a pool server by sending woodcut templates to the mining hardware. On P2Pool, individual pool miners construct their own candidate blocks, aggregating transactions much like solo miners, but then mine collaboratively on the share chain. P2Pool is a hybrid tideway that has the wholesomeness of much increasingly granular payouts than solo mining, but without giving too much tenancy to a pool operator like managed pools. Recently, participation in P2Pool has increased significantly as mining concentration in mining pools has approached levels that create concerns of a 51% wade (see [consensus_attacks]).Remoterminutiae of the P2Pool protocol continues with the expectation of removing the need for running a full node and therefore making decentralized mining plane easier to use.Planethough P2Pool reduces the concentration of power by mining pool operators, it is perhaps vulnerable to 51% attacks versus the share uniting itself. A much broader adoption of P2Pool does not solve the 51% wade problem for bitcoin itself. Rather, P2Pool makes bitcoin increasingly robust overall, as part of a diversified mining ecosystem. Consensus Attacks Bitcoin’s consensus mechanism is, at least theoretically, vulnerable to wade by miners (or pools) that struggle to use their hashing power to quack or treasonous ends. As we saw, the consensus mechanism depends on having a majority of the miners vicarial honestly out of self-interest. However, if a miner or group of miners can unzip a significant share of the mining power, they can wade the consensus mechanism so as to disrupt the security and availability of the bitcoin network. It is important to note that consensus attacks can only stupefy future consensus, or at weightier the most recent past (tens of blocks). Bitcoin’s ledger becomes increasingly and increasingly immutable as time passes. While in theory, a fork can be achieved at any depth, in practice, the computing power needed to gravity a very deep fork is immense, making old blocks practically immutable. Consensus attacks moreover do not stupefy the security of the private keys and signing algorithm (ECDSA). A consensus wade cannot steal bitcoins, spend bitcoins without signatures, redirect bitcoins, or otherwise transpiration past transactions or ownership records. Consensus attacks can only stupefy the most recent blocks and rationalization denial-of-service disruptions on the megacosm of future blocks. One wade scenario versus the consensus mechanism is tabbed the "51% attack." In this scenario a group of miners, executive a majority (51%) of the total network’s hashing power, collude to wade bitcoin. With the worthiness to mine the majority of the blocks, the attacking miners can rationalization deliberate "forks" in the blockchain and double-spend transactions or execute denial-of-service attacks versus specific transactions or addresses. A fork/double-spend wade is one where the attacker causes previously confirmed blocks to be invalidated by forking unelevated them and re-converging on an unorganized chain. With sufficient power, an attacker can invalidate six or increasingly blocks in a row, causing transactions that were considered immutable (six confirmations) to be invalidated. Note that a double-spend can only be washed-up on the attacker’s own transactions, for which the attacker can produce a valid signature. Double-spending one’s own transactions is profitable if by invalidating a transaction the attacker can get a nonreversible mart payment or product without paying for it. Let’s examine a practical example of a 51% attack. In the first chapter, we looked at a transaction between Alice and Bob for a cup of coffee. Bob, the sideboard owner, is willing to winnow payment for cups of coffee without waiting for confirmation (mining in a block), considering the risk of a double-spend on a cup of coffee is low in comparison to the convenience of rapid consumer service. This is similar to the practice of coffee shops that winnow credit vellum payments without a signature for amounts unelevated $25, considering the risk of a credit-card chargeback is low while the forfeit of delaying the transaction to obtain a signature is restrictedly larger. In contrast, selling a increasingly expensive item for bitcoin runs the risk of a double-spend attack, where the proprietrix broadcasts a competing transaction that spends the same inputs (UTXO) and cancels the payment to the merchant. A double-spend wade can happen in two ways: either surpassing a transaction is confirmed, or if the attacker takes wholesomeness of a blockchain fork to undo several blocks. A 51% wade allows attackers to double-spend their own transactions in the new chain, thus undoing the respective transaction in the old chain. In our example, malicious attacker Mallory goes to Carol’s gallery and purchases a trappy triptych painting depicting Satoshi Nakamoto as Prometheus. Carol sells "TheUnconfinedFire" paintings for $250,000 in bitcoin, to Mallory. Instead of waiting for six or increasingly confirmations on the transaction, Carol wraps and hands the paintings to Mallory without only one confirmation. Mallory works with an accomplice, Paul, who operates a large mining pool, and the partner launches a 51% wade as soon as Mallory’s transaction is included in a block. Paul directs the mining pool to re-mine the same woodcut height as the woodcut containing Mallory’s transaction, replacing Mallory’s payment to Carol with a transaction that double-spends the same input as Mallory’s payment. The double-spend transaction consumes the same UTXO and pays it when to Mallory’s wallet, instead of paying it to Carol, substantially permitting Mallory to alimony the bitcoin. Paul then directs the mining pool to mine an spare block, so as to make the uniting containing the double-spend transaction longer than the original uniting (causing a fork unelevated the woodcut containing Mallory’s transaction). When the blockchain fork resolves in favor of the new (longer) chain, the double-spent transaction replaces the original payment to Carol. Carol is now missing the three paintings and moreover has no bitcoin payment. Throughout all this activity, Paul’s mining pool participants might remain blissfully unaware of the double-spend attempt, considering they mine with streamlined miners and cannot monitor every transaction or block. To protect versus this kind of attack, a merchant selling large-value items must wait at least six confirmations surpassing giving the product to the buyer. Alternatively, the merchant should use an escrow multi-signature account, then waiting for several confirmations without the escrow worth is funded. The increasingly confirmations elapse, the harder it becomes to invalidate a transaction with a 51% attack. For high-value items, payment by bitcoin will still be user-friendly and efficient plane if the proprietrix has to wait 24 hours for delivery, which would correspond to approximaely 144 confirmations. In wing to a double-spend attack, the other scenario for a consensus wade is to deny service to specific bitcoin participants (specific bitcoin addresses). An attacker with a majority of the mining power can simply ignore specific transactions. If they are included in a woodcut mined by flipside miner, the attacker can deliberately fork and re-mine that block, then excluding the specific transactions. This type of wade can result in a sustained withholding of service versus a specific write or set of addresses for as long as the attacker controls the majority of the mining power. Despite its name, the 51% wade scenario doesn’t unquestionably require 51% of the hashing power. In fact, such an wade can be attempted with a smaller percentage of the hashing power. The 51% threshold is simply the level at which such an wade is scrutinizingly guaranteed to succeed. A consensus wade is substantially a tug-of-war for the next woodcut and the "stronger" group is increasingly likely to win. With less hashing power, the probability of success is reduced, considering other miners tenancy the generation of some blocks with their "honest" mining power. One way to squint at it is that the increasingly hashing power an attacker has, the longer the fork he can deliberately create, the increasingly blocks in the recent past he can invalidate, or the increasingly blocks in the future he can control. Security research groups have used statistical modeling to requirement that various types of consensus attacks are possible with as little as 30% of the hashing power. The massive increase of total hashing power has arguably made bitcoin impervious to attacks by a single miner. There is no possible way for a solo miner to tenancy increasingly than a small percentage of the total mining power. However, the centralization of tenancy caused by mining pools has introduced the risk of for-profit attacks by a mining pool operator. The pool operator in a managed pool controls the construction of candidate blocks and moreover controls which transactions are included. This gives the pool operator the power to exclude transactions or introduce double-spend transactions. If such vituperate of power is washed-up in a limited and subtle way, a pool operator could perhaps profit from a consensus wade without stuff noticed. Not all attackers will be motivated by profit, however. One potential wade scenario is where an attacker intends to disrupt the bitcoin network without the possibility of profiting from such disruption. A malicious wade aimed at crippling bitcoin would require enormous investment and covert planning, but could perhaps be launched by a well-funded, most likely state-sponsored, attacker. Alternatively, a well-funded attacker could wade bitcoin’s consensus by simultaneously amassing mining hardware, compromising pool operators and attacking other pools with denial-of-service. All of these scenarios are theoretically possible, but increasingly impractical as the bitcoin network’s overall hashing power continues to grow exponentially. Undoubtedly, a serious consensus wade would erode conviction in bitcoin in the short term, possibly causing a significant price decline. However, the bitcoin network and software are constantly evolving, so consensus attacks would be met with firsthand countermeasures by the bitcoin community, making bitcoin hardier, stealthier, and increasingly robust than ever.VolitionalChains, Currencies, and Applications Bitcoin was the result of 20 years of research in distributed systems and currencies and brought a revolutionary new technology into the space: the decentralized consensus mechanism based on proof of work. This invention at the heart of bitcoin has ushered a wave of innovation in currencies, financial services, economics, distributed systems, voting systems, corporate governance, and contracts. In this installment we’ll examine the many offshoots of the bitcoin and blockchain inventions: the volitional chains, currencies, and applications built since the introduction of this technology in 2009. Mostly, we will squint at volitional coins, or alt coins, which are digital currencies implemented using the same diamond pattern as bitcoin, but with a completely separate blockchain and network. For every alt forge mentioned in this chapter, 50 or increasingly will go unmentioned, eliciting howls of wrongness from their creators and fans. The purpose of this installment is not to evaluate or qualify alt coins, or plane to mention the most significant ones based on some subjective assessment. Instead, we will highlight a few examples that show the unrestrictedness and variety of the ecosystem, noting the first-of-a-kind for each innovation or significant differentiation. Some of the most interesting examples of alt coins are in fact well-constructed failures from a monetary perspective. That perhaps makes them plane increasingly interesting for study and highlights the fact that this installment is not to be used as an investment guide. With new coins introduced every day, it would be untellable not to miss some important coin, perhaps the one that changes history. The rate of innovation is what makes this space so heady and guarantees this installment will be incomplete and out-of-date as soon as it is published. A Taxonomy ofVolitionalCurrencies andVillenageBitcoin is an unshut source project, and its lawmaking has been used as the understructure for many other software projects. The most worldwide form of software spawned from bitcoin’s source lawmaking are volitional decentralized currencies, or alt coins, which use the same vital towers blocks to implement digital currencies. There are a number of protocol layers implemented on top of bitcoin’s blockchain. These meta coins, meta chains, or blockchain apps use the blockchain as an using platform or proffer the bitcoin protocol by subtracting protocol layers. Examples include Colored Coins, Mastercoin, NXT, and Counterparty. In the next section we will examine a few notable alt coins, such as Litecoin, Dogecoin, Freicoin, Primecoin, Peercoin, Darkcoin, and Zerocoin. These alt coins are notable for historical reasons or considering they are good examples for a specific type of alt forge innovation, not considering they are the most valuable or "best" alt coins. In wing to the alt coins, there are moreover a number of volitional blockchain implementations that are not really "coins," which I undeniability alt chains. These alt villenage implement a consensus algorithm and distributed ledger as a platform for contracts, name registration, or other applications. Alt villenage use the same vital towers blocks and sometimes moreover use a currency or token as a payment mechanism, but their primary purpose is not currency. We will squint at Namecoin and Ethereum as examples of alt chains. Finally, there are a number of bitcoin contenders that offer digital currency or digital payment networks, but without using a decentralized ledger or consensus mechanism based on proof of work, such as Ripple and others. These non–blockchain technologies are outside the telescopic of this typesetting and will not be covered in this chapter. MetaForgePlatforms Meta coins and meta villenage are software layers implemented on top of bitcoin, either implementing a currency-inside-a-currency, or a platform/protocol overlay inside the bitcoin system. These function layers proffer the cadre bitcoin protocol and add features and capabilities by encoding spare data inside bitcoin transactions and bitcoin addresses. The first implementations of meta coins used various hacks to add metadata to the bitcoin blockchain, such as using bitcoin addresses to encode data or using unused transaction fields (e.g., the transaction sequence field) to encode metadata well-nigh the widow protocol layer. Since the introduction of the OP_RETURN transaction scripting opcode, the meta coins have been worldly-wise to record metadata increasingly directly in the blockchain, and most are migrating to using that instead. Colored Coins Colored coins is a meta protocol that overlays information on small amounts of bitcoin. A "colored" forge is an value of bitcoin repurposed to express flipside asset. Imagine, for example, taking a $1 note and putting a stamp on it that said, "This is a 1 share document of Acme Inc." Now the $1 serves two purposes: it is a currency note and moreover a share certificate.Consideringit is increasingly valuable as a share, you would not want to use it to buy candy, so powerfully it is no longer useful as currency. Colored coins work in the same way by converting a specific, very small value of bitcoin into a traded document that represents flipside asset. The term "color" refers to the idea of giving special meaning through the wing of an symbol such as a color—it is a metaphor, not an very verisimilitude association. There are no colors in colored coins. Colored coins are managed by specialized wallets that record and interpret the metadata tying to the colored bitcoins. Using such a wallet, the user will convert an value of bitcoins from uncolored currency into colored coins by subtracting a label that has a special meaning. For example, a label could represent stock certificates, coupons, real property, commodities, or collectible tokens. It is entirely up to the users of colored coins to assign and interpret the meaning of the "color" associated with specific coins. To verisimilitude the coins, the user defines the associated metadata, such as the type of issuance, whether it can be subdivided into smaller units, a symbol and description, and other related information. Once colored, these coins can be bought and sold, subdivided, and aggregated, and receive dividend payments. The colored coins can moreover be "uncolored" by removing the special undertone and redeemed for their squatter value in bitcoin. To demonstrate the use of colored coins, we have created a set of 20 colored coins with symbol "MasterBTC" that represent coupons for a self-ruling reprinting of this typesetting shown in [example_9-1]. Each unit of MasterBTC, represented by these colored coins, can now be sold or given to any bitcoin user with a colored-coin-capable wallet, who can then transfer them to others or redeem them with the issuer for a self-ruling reprinting of the book. This example of colored coins can be seen here. Example 37. The metadata profile of the colored coins recorded as a coupon for a self-ruling reprinting of the typesetting Mastercoin Mastercoin is a protocol layer on top of bitcoin that supports a platform for various applications extending the bitcoin system. Mastercoin uses the currency MST as a token for conducting Mastercoin transactions but it is not primarily a currency. Rather, it is a platform for towers other things, such as user currencies, smart property tokens, de-centralized windfall exchanges, and contracts. Think of Mastercoin as an application-layer protocol on top of bitcoin’s financial transaction transport layer, just like HTTP runs on top of TCP. Mastercoin operates primarily through transactions sent to and from a special bitcoin write tabbed the "exodus" write (1EXoDusjGwvnjZUyKkxZ4UHEf77z6A5S4P), just like HTTP uses a specific TCP port (port 80) to differentiate its traffic from the rest of the TCP traffic. The Mastercoin protocol is gradually transitioning from using the specialized exodus write and multi-signatures to using the OP_RETURN bitcoin operator to encode transaction metadata. Counterparty Counterparty is flipside protocol layer implemented on top of bitcoin. Counterparty enables user currencies, tradable tokens, financial instruments, decentralized windfall exchanges, and other features. Counterparty is implemented primarily using the OP_RETURN operator in bitcoin’s scripting language to record metadata that enhances bitcoin transactions with spare meaning. Counterparty uses the currency XCP as a token for conducting Counterparty transactions. Alt Coins The vast majority of alt coins are derived from bitcoin’s source code, moreover known as "forks." Some are implemented "from scratch" based on the blockchain model but without using any of bitcoin’s source code. Alt coins and alt villenage (in the next section) are both separate implementations of blockchain technology and both forms use their own blockchain. The difference in the terms is to indicate that alt coins are primarily used as currency, whereas alt villenage are used for other purposes, not primarily currency. Strictly speaking, the first major "alt" fork of bitcoin’s lawmaking was not an alt forge but the alt uniting Namecoin, which we will discuss in the next section. Based on the stage of announcement, the first alt forge that was a fork of bitcoin appeared in August 2011; it was tabbed IXCoin. IXCoin modified a few of the bitcoin parameters, specifically progressive the megacosm of currency by increasing the reward to 96 coins per block. In September 2011, Tenebrix was launched. Tenebrix was the first cryptocurrency to implement an volitional proof-of-work algorithm, namely scrypt, an algorithm originally designed for password stretching (brute-force resistance). The stated goal of Tenebrix was to make a forge that was resistant to mining with GPUs and ASICs, by using a memory-intensive algorithm. Tenebrix did not succeed as a currency, but it was the understructure for Litecoin, which has enjoyed unconfined success and has spawned hundreds of clones. Litecoin, in wing to using scrypt as the proof-of-work algorithm, moreover implemented a faster block-generation time, targeted at 2.5 minutes instead of bitcoin’s 10 minutes. The resulting currency is touted as "silver to bitcoin’s gold" and is intended as a light-weight volitional currency. Due to the faster confirmation time and the 84 million total currency limit, many adherents of Litecoin believe it is largest suited for retail transactions than bitcoin. Alt coins unfurled to proliferate in 2011 and 2012, either based on bitcoin or on Litecoin.By 2013, there were 20 alt coins vying for position in the market. By the end of 2013, this number had exploded to 200, with 2013 quickly rhadamanthine the "year of the alt coins." The growth of alt coins unfurled in 2014, with increasingly than 500 alt coins in existence at the time of writing.Increasinglythan half the alt coins today are clones of Litecoin. Creating an alt forge is easy, which is why there are now increasingly than 500 of them. Most of the alt coins differ very slightly from bitcoin and do not offer anything worth studying. Many are in fact just attempts to enrich their creators. Among the copycats and pump-and-dump schemes, there are, however, some notable exceptions and very important innovations. These alt coins take radically variegated approaches or add significant innovation to bitcoin’s diamond pattern. There are three primary areas where these alt coins differentiate from bitcoin:Variegatedmonetary policyVariegatedproof of work or consensus mechanism Specific features, such as strong anonymity For increasingly information, see this graphical timeline of alt coins and alt chains. Evaluating an AltForgeWith so many alt coins out there, how does one decide which ones are worthy of attention? Some alt coins struggle to unzip wholesale distribution and use as currencies. Others are laboratories for experimenting on variegated features and monetary models. Many are just get-rich-quick schemes by their creators. To evaluate alt coins, I squint at their defining characteristics and their market metrics. Here are some questions to ask well-nigh how well an alt forge differentiates from bitcoin: Does the alt forge introduce a significant innovation? Is the difference compelling unbearable to vamp users yonder from bitcoin? Does the alt forge write an interesting niche market or application? Can the alt forge vamp unbearable miners to be secured versus consensus attacks? Here are some of the key financial and market metrics to consider: What is the total market capitalization of alt coin? How many unscientific users/wallets does the alt forge have? How many merchants winnow the alt coin? How many daily transactions (volume) are executed on the alt coin? How much value is transacted daily? In this chapter, we will concentrate primarily on the technical characteristics and innovation potential of alt coins represented by the first set of questions. Monetary Parameter Alternatives: Litecoin, Dogecoin, Freicoin Bitcoin has a few monetary parameters that requite it distinctive characteristics of a deflationary fixed-issuance currency. It is limited to 21 million major currency units (or 21 quadrillion minor units), it has a geometrically unthriving issuance rate, and it has a 10-minute woodcut "heartbeat," which controls the speed of transaction confirmation and currency generation. Many alt coins have tweaked the primary parameters to unzip variegated monetary policies. Among the hundreds of alt coins, some of the most notable examples include the following. Litecoin One of the first alt coins, released in 2011, Litecoin is the second most successful digital currency without bitcoin. Its primary innovations were the use of scrypt as the proof-of-work algorithm (inherited from Tenebrix) and its faster/lighter currency parameters.Woodcutgeneration time: 2.5 minutes Total currency: 84 million coins by 2140 Consensus algorithm: Scrypt proof of work Market capitalization: $160 million in mid-2014 Dogecoin Dogecoin was released in December 2013, based on a fork of Litecoin. Dogecoin is notable considering it has a monetary policy of rapid issuance and a very upper currency cap, to encourage spending and tipping. Dogecoin is moreover notable considering it was started as a joke but became quite popular, with a large and zippy community, surpassing unthriving rapidly in 2014.Woodcutgeneration time: 60 seconds Total currency: 100,000,000,000 (100 billion) Doge by 2015 Consensus algorithm: Scrypt proof of work Market capitalization: $12 million in mid-2014 Freicoin Freicoin was introduced in July 2012. It is a demurrage currency, meaning it has a negative interest rate for stored value. Value stored in Freicoin is assessed a 4.5% APR fee, to encourage consumption and discourage hoarding of money. Freicoin is notable in that it implements a monetary policy that is the word-for-word opposite of Bitcoin’s deflationary policy. Freicoin has not seen success as a currency, but it is an interesting example of the variety of monetary policies that can be expressed by alt coins.Woodcutgeneration: 10 minutes Total currency: 100 million coins by 2140 Consensus algorithm: SHA256 proof of work Market capitalization: $130,000 in mid-2014 Consensus Innovation: Peercoin, Myriad, Blackcoin, Vericoin, NXT Bitcoin’s consensus mechanism is based on proof of work using the SHA256 algorithm. The first alt coins introduced scrypt as an volitional proof-of-work algorithm, as a way to make mining increasingly CPU-friendly and less susceptible to centralization with ASICs. Since then, innovation in the consensus mechanism has unfurled at a frenetic pace. Several alt coins unexplored a variety of algorithms such as scrypt, scrypt-N, Skein, Groestl, SHA3, X11, Blake, and others. Some alt coins combined multiple algorithms for proof of work. In 2013, we saw the invention of an volitional to proof of work, tabbed proof of stake, which forms the understructure of many modern alt coins. Proof of stake is a system by which existing owners of a currency can "stake" currency as interest-bearing collateral. Somewhat like a document of petrifaction (CD), participants can reserve a portion of their currency holdings, while earning an investment return in the form of new currency (issued as interest payments) and transaction fees. Peercoin Peercoin was introduced in August 2012 and is the first alt forge to use a hybrid proof-of-work and proof-of-stake algorithm to issue new currency.Woodcutgeneration: 10 minutes Total currency: No limit Consensus algorithm: (Hybrid) proof-of-stake with initial proof-of-work Market capitalization: $14 million in mid-2014 Myriad Myriad was introduced in February 2014 and is notable considering it uses five variegated proof-of-work algorithms (SHA256d, Scrypt, Qubit, Skein, or Myriad-Groestl) simultaneously, with difficulty varying for each algorithm depending on miner participation. The intent is to make Myriad immune to ASIC specialization and centralization as well as much increasingly resistant to consensus attacks, considering multiple mining algorithms would have to be attacked simultaneously.Woodcutgeneration: 30-second stereotype (2.5 minutes target per mining algorithm) Total currency: 2 billion by 2024 Consensus algorithm: Multi-algorithm proof-of-work Market capitalization: $120,000 in mid-2014 Blackcoin Blackcoin was introduced in February 2014 and uses a proof-of-stake consensus algorithm. It is moreover notable for introducing "multipools," a type of mining pool that can switch between variegated alt coins automatically, depending on profitability.Woodcutgeneration: 1 minute Total currency: No limit Consensus algorithm: Proof-of-stake Market capitalization: $3.7 million in mid-2014 VeriCoin VeriCoin was launched in May 2014. It uses a proof-of-stake consensus algorithm with a variable interest rate that dynamically adjusts based on market forces of supply and demand. It moreover is the first alt forge featuring auto-exchange to bitcoin for payment in bitcoin from the wallet.Woodcutgeneration: 1 minute Total currency: No limit Consensus algorithm: Proof-of-stake Market capitalization: $1.1 million in mid-2014 NXT NXT (pronounced "Next") is a "pure" proof-of-stake alt coin, in that it does not use proof-of-work mining. NXT is a from-scratch implementation of a cryptocurrency, not a fork of bitcoin or any other alt coins. NXT implements many wide features, including a name registry (similar to Namecoin), a decentralized windfall mart (similar to Colored Coins), integrated decentralized and secure messaging (similar to Bitmessage), and stake delegation (to consul proof-of-stake to others). NXT adherents undeniability it a "next-generation" or 2.0 cryptocurrency.Woodcutgeneration: 1 minute Total currency: No limit Consensus algorithm: Proof-of-stake Market capitalization: $30 million in mid-2014 Dual-Purpose Mining Innovation: Primecoin, Curecoin, Gridcoin Bitcoin’s proof-of-work algorithm has just one purpose: securing the bitcoin network. Compared to traditional payment system security, the forfeit of mining is not very high. However, it has been criticized by many as stuff “wasteful." The next generation of alt coins struggle to write this concern. Dual-purpose proof-of-work algorithms solve a specific "useful" problem, while producing proof of work to secure the network. The risk of subtracting an external use to the currency’s security is that it moreover adds external influence to the supply/demand curve. Primecoin Primecoin was spoken in July 2013. Its proof-of-work algorithm searches for prime numbers, computing Cunningham and bi-twin prime chains. Prime numbers are useful in a variety of scientific disciplines. The Primecoin blockchain contains the discovered prime numbers, thereby producing a public record of scientific discovery in parallel to the public ledger of transactions.Woodcutgeneration: 1 minute Total currency: No limit Consensus algorithm: Proof of work with prime number uniting discovery Market capitalization: $1.3 million in mid-2014 Curecoin Curecoin was spoken in May 2013. It combines a SHA256 proof-of-work algorithm with protein-folding research through the [email protected] project. Protein folding is a computationally intensive simulation of biochemical interactions of proteins, used to discover new drug targets for curing diseases.Woodcutgeneration: 10 minutes Total currency: No limit Consensus algorithm: Proof of work with protein-folding research Market capitalization: $58,000 in mid-2014 Gridcoin Gridcoin was introduced in October 2013. It supplements scrypt-based proof of work with subsidies for participation in BOINC unshut grid computing. BOINC—BerkeleyUnshutInfrastructure for Network Computing—is an unshut protocol for scientific research grid computing, which allows participants to share their spare computing cycles for a wholesale range of wonk research computing. Gridcoin uses BOINC as a general-purpose computing platform, rather than to solve specific science problems such as prime numbers or protein folding.Woodcutgeneration: 150 seconds Total currency: No limit Consensus algorithm: Proof-of-work with BOINC grid computing subsidy Market capitalization: $122,000 in mid-2014 Anonymity-Focused Alt Coins: CryptoNote, Bytecoin, Monero, Zerocash/Zerocoin, Darkcoin Bitcoin is often mistakenly characterized as "anonymous" currency. In fact, it is relatively easy to connect identities to bitcoin addresses and, using big-data analytics, connect addresses to each other to form a comprehensive picture of someone’s bitcoin spending habits. Several alt coins aim to write this issue directly by focusing on strong anonymity. The first such struggle is most likely Zerocoin, a meta-coin protocol for preserving anonymity on top of bitcoin, introduced with a paper at the 2013 IEEE Symposium on Security and Privacy. Zerocoin will be implemented as a completely separate alt forge tabbed Zerocash, in minutiae at time of writing. An volitional tideway to anonymity was launched with CryptoNote in a paper published in October 2013. CryptoNote is a foundational technology that is implemented by a number of alt forge forks discussed next. In wing to Zerocash and CryptoNotes, there are several other self-sustaining unrecognized coins, such as Darkcoin, that use stealth addresses or transaction re-mixing to unhook anonymity. Zerocoin/Zerocash Zerocoin is a theoretical tideway to digital currency anonymity introduced in 2013 by researchers at Johns Hopkins. Zerocash is an alt-coin implementation of Zerocoin that is in minutiae and not yet released. CryptoNote CryptoNote is a reference implementation alt forge that provides the understructure for unrecognized digital cash. It was introduced in October 2013. It is designed to be forked into variegated implementations and has a seated periodic reset mechanism that makes it unusable as a currency itself. Several alt coins have been spawned from CryptoNote, including Bytecoin (BCN), Aeon (AEON), Boolberry (BBR), duckNote (DUCK), Fantomcoin (FCN), Monero (XMR), MonetaVerde (MCN), and Quazarcoin (QCN). CryptoNote is moreover notable for stuff a well-constructed ground-up implementation of a crypto-currency, not a fork of bitcoin. Bytecoin Bytecoin was the first implementation spawned from CryptoNote, offering a viable unrecognized currency based on the CryptoNote technology. Bytecoin was launched in July 2012. Note that there was a previous alt forge named Bytecoin with currency symbol BTE, whereas the CryptoNote-derived Bytecoin has the currency symbol BCN. Bytecoin uses the Cryptonight proof-of-work algorithm, which requires wangle to at least 2 MB of RAM per instance, making it unsuitable for GPU or ASIC mining. Bytecoin inherits ring signatures, unlinkable transactions, and blockchain analysis–resistant anonymity from CryptoNote.Woodcutgeneration: 2 minutes Total currency: 184 billion BCN Consensus algorithm: Cryptonight proof of work Market capitalization: $3 million in mid-2014 Monero Monero is flipside implementation of CryptoNote. It has a slightly flatter issuance lines than Bytecoin, issuing 80% of the currency in the first four years. It offers the same anonymity features inherited from CryptoNote.Woodcutgeneration: 1 minute Total currency: 18.4 million XMR Consensus algorithm: Cryptonight proof of work Market capitalization: $5 million in mid-2014 Darkcoin Darkcoin was launched in January 2014. Darkcoin implements unrecognized currency using a re-mixing protocol for all transactions tabbed DarkSend. Darkcoin is moreover notable for using 11 rounds of variegated hash functions (blake, bmw, groestl, jh, keccak, skein, luffa, cubehash, shavite, simd, echo) for the proof-of-work algorithm.Woodcutgeneration: 2.5 minutes Total currency: Maximum 22 million DRK Consensus algorithm: Multi-algorithm multi-round proof of work Market capitalization: $19 million in mid-2014 Noncurrency AltVillenageAlt villenage are volitional implementations of the blockchain diamond pattern, which are not primarily used as currency. Many include a currency, but the currency is used as a token for allocating something else, such as a resource or a contract. The currency, in other words, is not the main point of the platform; it is a secondary feature. Namecoin Namecoin was the first fork of the bitcoin code. Namecoin is a decentralized key-value registration and transfer platform using a blockchain. It supports a global domain-name registry similar to the domain-name registration system on the Internet. Namecoin is currently used as an volitional domain name service (DNS) for the root-level domain .bit. Namecoin moreover can be used to register names and key-value pairs in other namespaces; for storing things like email addresses, encryption keys, SSL certificates, file signatures, voting systems, stock certificates; and a myriad of other applications. The Namecoin system includes the Namecoin currency (symbol NMC), which is used to pay transaction fees for registration and transfer of names. At current prices, the fee to register a name is 0.01 NMC or approximately 1 US cent. As in bitcoin, the fees are placid by namecoin miners. Namecoin’s vital parameters are the same as bitcoin’s:Woodcutgeneration: 10 minutes Total currency: 21 million NMC by 2140 Consensus algorithm: SHA256 proof of work Market capitalization: $10 million in mid-2014 Namecoin’s namespaces are not restricted, and anyone can use any namespace in any way. However, unrepealable namespaces have an agreed-upon specification so that when it is read from the blockchain, application-level software knows how to read and proceed from there. If it is malformed, then whatever software you used to read from the specific namespace will throw an error. Some of the popular namespaces are: d/ is the domain-name namespace for .bit domains id/ is the namespace for storing person identifiers such as email addresses, PGP keys, and so on u/ is an additional, increasingly structured specification to store identities (based on openspecs) The Namecoin vendee is very similar to Bitcoin Core, considering it is derived from the same source code. Upon installation, the vendee will download a full reprinting of the Namecoin blockchain and then will be ready to query and register names. There are three main commands: name_new Query or preregister a name name_firstupdate Register a name and make the registration public name_updateTranspirationthe details or refresh a name registration For example, to register the domain mastering-bitcoin.bit, we use the writ name_new as follows: The name_new writ registers a requirement on the name, by creating a hash of the name with a random key. The two strings returned by name_new are the hash and the random key (a05555e0fc56c023 in the preceding example) that can be used to make the name registration public. Once that requirement has been recorded on the Namecoin blockchain it can be converted to a public registration with the name_firstupdate command, by supplying the random key: $ namecoind name_firstupdate d/mastering-bitcoin a05555e0fc56c023 "{"map": {"www": {"ip":"1.2.3.4"}}}}" b7a2e59c0a26e5e2664948946ebeca1260985c2f616ba579e6bc7f35ec234b01 This example will map the domain name www.mastering-bitcoin.bit to IP write 1.2.3.4. The hash returned is the transaction ID that can be used to track this registration. You can see what names are registered to you by running the name_list command: $ namecoind name_list Namecoin registrations need to be updated every 36,000 blocks (approximately 200 to 250 days). The name_update writ has no fee and therefore renewing domains in Namecoin is free. Third-party providers can handle registration, will-less renewal, and updating via a web interface, for a small fee. With a third-party provider you stave the need to run a Namecoin client, but you lose the self-sustaining tenancy of a decentralized name registry offered by Namecoin. Ethereum Ethereum is a Turing-complete contract processing and execution platform based on a blockchain ledger. It is not a clone of Bitcoin, but a completely self-sustaining diamond and implementation. Ethereum has a seated currency, tabbed ether, which is required in order to pay for contract execution. Ethereum’s blockchain records contracts, which are expressed in a low-level, byte code–like, Turing-complete language. Essentially, a contract is a program that runs on every node in the Ethereum system. Ethereum contracts can store data, send and receive ether payments, store ether, and execute an infinite range (hence Turing-complete) of computable actions, vicarial as decentralized voluntary software agents. Ethereum can implement quite ramified systems that are otherwise implemented as alt villenage themselves. For example, the pursuit is a Namecoin-like name registration contract written in Ethereum (or increasingly accurately, written in a high-level language that can be compiled to Ethereum code): Future of Currencies The future of cryptographic currencies overall is plane brighter than the future of bitcoin. Bitcoin introduced a completely new form of decentralized organization and consensus that has spawned hundreds of incredible innovations. These inventions will likely stupefy wholesale sectors of the economy, from distributed systems science to finance, economics, currencies, inside banking, and corporate governance. Many human activities that previously required internal institutions or organizations to function as supervisory or trusted points of tenancy can now be decentralized. The invention of the blockchain and consensus system will significantly reduce the forfeit of organization and coordination on large-scale systems, while removing opportunities for concentration of power, corruption, and regulatory capture. Bitcoin Security Securing bitcoin is challenging considering bitcoin is not an utopian reference to value, like a wastefulness in a wall account. Bitcoin is very much like digital mazuma or gold. You’ve probably heard the expression, "Possession is nine-tenths of the law." Well, in bitcoin, possession is ten-tenths of the law. Possession of the keys to unlock the bitcoin is equivalent to possession of mazuma or a permafrost of precious metal. You can lose it, misplace it, have it stolen, or unwittingly requite the wrong value to someone. In every one of these cases, users have no recourse, just as if they dropped mazuma on a public sidewalk. However, bitcoin has capabilities that cash, gold, and wall finance do not. A bitcoin wallet, containing your keys, can be backed up like any file. It can be stored in multiple copies, plane printed on paper for hard-copy backup. You can’t "back up" cash, gold, or wall accounts. Bitcoin is variegated unbearable from anything that has come surpassing that we need to think well-nigh bitcoin security in a novel way too. Security Principles The cadre principle in bitcoin is decentralization and it has important implications for security. A internal model, such as a traditional wall or payment network, depends on wangle tenancy and vetting to alimony bad actors out of the system. By comparison, a decentralized system like bitcoin pushes the responsibility and tenancy to the users.Consideringsecurity of the network is based on proof of work, not wangle control, the network can be unshut and no encryption is required for bitcoin traffic. On a traditional payment network, such as a credit vellum system, the payment is open-ended considering it contains the user’s private identifier (the credit vellum number).Withoutthe initial charge, anyone with wangle to the identifier can "pull" funds and tuition the owner then and again. Thus, the payment network has to be secured end-to-end with encryption and must ensure that no eavesdroppers or intermediaries can compromise the payment traffic, in transit or when it is stored (at rest). If a bad two-face gains wangle to the system, he can compromise current transactions and payment tokens that can be used to create new transactions. Worse, when consumer data is compromised, the customers are exposed to identity theft and must take whoopee to prevent fraudulent use of the compromised accounts. Bitcoin is dramatically different. A bitcoin transaction authorizes only a specific value to a specific recipient and cannot be forged or modified. It does not reveal any private information, such as the identities of the parties, and cannot be used to qualify spare payments. Therefore, a bitcoin payment network does not need to be encrypted or protected from eavesdropping. In fact, you can unconcentrated bitcoin transactions over an unshut public channel, such as unsecured WiFi or Bluetooth, with no loss of security. Bitcoin’s decentralized security model puts a lot of power in the hands of the users. With that power comes responsibility for maintaining the secrecy of the keys. For most users that is not easy to do, expressly on general-purpose computing devices such as Internet-connected smartphones or laptops. Although bitcoin’s decentralized model prevents the type of mass compromise seen with credit cards, many users are not worldly-wise to ratherish secure their keys and get hacked, one by one. Developing Bitcoin Systems Securely The most important principle for bitcoin developers is decentralization. Most developers will be familiar with internal security models and might be tempted to wield these models to their bitcoin applications, with disastrous results. Bitcoin’s security relies on decentralized tenancy over keys and on self-sustaining transaction validation by miners. If you want to leverage Bitcoin’s security, you need to ensure that you remain within the Bitcoin security model. In simple terms: don’t take tenancy of keys yonder from users and don’t take transactions off the blockchain. For example, many early bitcoin exchanges well-matured all user funds in a single "hot" wallet with keys stored on a single server. Such a diamond removes tenancy from users and centralizes tenancy over keys in a single system. Many such systems have been hacked, with disastrous consequences for their customers.Flipsidecommon mistake is to take transactions "off blockchain" in a misguided effort to reduce transaction fees or slide transaction processing. An "off blockchain" system will record transactions on an internal, internal ledger and only occasionally synchronize them to the bitcoin blockchain. This practice, again, substitutes decentralized bitcoin security with a proprietary and internal approach. When transactions are off blockchain, improperly secured internal ledgers can be falsified, diverting funds and depleting reserves, unnoticed. Unless you are prepared to invest heavily in operational security, multiple layers of wangle control, and audits (as the traditional banks do) you should think very thoughtfully surpassing taking funds outside of Bitcoin’s decentralized security context.Planeif you have the funds and willpower to implement a robust security model, such a diamond merely replicates the fragile model of traditional financial networks, plagued by identity theft, corruption, and embezzlement. To take wholesomeness of Bitcoin’s unique decentralized security model, you have to stave the temptation of internal architectures that might finger familiar but ultimately subvert Bitcoin’s security. The Root of Trust Traditional security tracery is based upon a concept tabbed the root of trust, which is a trusted cadre used as the foundation for the security of the overall system or application. Security tracery is ripened virtually the root of trust as a series of concentric circles, like layers in an onion, extending trust outward from the center. Each layer builds upon the more-trusted inner layer using wangle controls, digital signatures, encryption, and other security primitives. As software systems wilt increasingly complex, they are increasingly likely to contain bugs, which make them vulnerable to security compromise. As a result, the increasingly ramified a software system becomes, the harder it is to secure. The root of trust concept ensures that most of the trust is placed within the least ramified part of the system, and therefore least vulnerable, parts of the system, while increasingly ramified software is layered virtually it. This security tracery is repeated at variegated scales, first establishing a root of trust within the hardware of a single system, then extending that root of trust through the operating system to higher-level system services, and finally wideness many servers layered in concentric circles of diminishing trust. Bitcoin security tracery is different. In Bitcoin, the consensus system creates a trusted public ledger that is completely decentralized. A correctly validated blockchain uses the genesis woodcut as the root of trust, towers a uniting of trust up to the current block. Bitcoin systems can and should use the blockchain as their root of trust. When designing a ramified bitcoin using that consists of services on many variegated systems, you should thoughtfully examine the security tracery in order to unearth where trust is stuff placed. Ultimately, the only thing that should be explicitly trusted is a fully validated blockchain. If your using explicitly or implicitly vests trust in anything but the blockchain, that should be a source of snooping considering it introduces vulnerability. A good method to evaluate the security tracery of your using is to consider each individual component and evaluate a hypothetical scenario where that component is completely compromised and under the tenancy of a malicious actor. Take each component of your application, in turn, and assess the impacts on the overall security if that component is compromised. If your using is no longer secure when components are compromised, that shows you have misplaced trust in those components. A bitcoin using without vulnerabilities should be vulnerable only to a compromise of the bitcoin consensus mechanism, meaning that its root of trust is based on the strongest part of the bitcoin security architecture. The numerous examples of hacked bitcoin exchanges serve to underscore this point considering their security tracery and diamond fails plane under the most unstudied scrutiny. These internal implementations had invested trust explicitly in numerous components outside the bitcoin blockchain, such as hot wallets, internal ledger databases, vulnerable encryption keys, and similar schemes. User SecurityWeightierPractices Humans have used physical security controls for thousands of years. By comparison, our wits with digital security is less than 50 years old. Modern general-purpose operating systems are not very secure and not particularly suited to storing digital money. Our computers are constantly exposed to external threats via always-on Internet connections. They run thousands of software components from hundreds of authors, often with unconstrained wangle to the user’s files. A single piece of rogue software, among the many thousands installed on your computer, can compromise your keyboard and files, stealing any bitcoin stored in wallet applications. The level of computer maintenance required to alimony a computer virus-free and trojan-free is vastitude the skill level of all but a tiny minority of computer users. Despite decades of research and advancements in information security, digital resources are still woefully vulnerable to a unswayable adversary.Planethe most highly protected and restricted systems, in financial services companies, intelligence agencies, and defense contractors, are wontedly breached. Bitcoin creates digital resources that have intrinsic value and can be stolen and diverted to new owners instantly and irrevocably. This creates a massive incentive for hackers. Until now, hackers had to convert identity information or worth tokens—such as credit cards, and wall accounts—into value without compromising them. Despite the difficulty of fencing and laundering financial information, we have seen ever-escalating thefts. Bitcoin escalates this problem considering it doesn’t need to be fenced or laundered; it is intrinsic value within a digital asset. Fortunately, bitcoin moreover creates the incentives to modernize computer security. Whereas previously the risk of computer compromise was vague and indirect, bitcoin makes these risks well-spoken and obvious. Holding bitcoin on a computer serves to focus the user’s mind on the need for improved computer security. As a uncontrived result of the proliferation and increased adoption of bitcoin and other digital currencies, we have seen an escalation in both hacking techniques and security solutions. In simple terms, hackers now have a very juicy target and users have a well-spoken incentive to defend themselves. Over the past three years, as a uncontrived result of bitcoin adoption, we have seen tremendous innovation in the realm of information security in the form of hardware encryption, key storage and hardware wallets, multi-signature technology, and digital escrow. In the pursuit sections we will examine various weightier practices for practical user security. Physical Bitcoin StorageConsideringmost users are far increasingly well-appointed with physical security than information security, a very constructive method for protecting bitcoins is to convert them into physical form. Bitcoin keys are nothing increasingly than long numbers. This ways that they can be stored in a physical form, such as printed on paper or etched on a metal coin. Securing the keys then becomes as simple as physically securing the printed reprinting of the bitcoin keys. A set of bitcoin keys that is printed on paper is tabbed a "paper wallet," and there are many self-ruling tools that can be used to create them. I personally alimony the vast majority of my bitcoins (99% or more) stored on paper wallets, encrypted with BIP0038, with multiple copies locked in safes. Keeping bitcoin offline is tabbed unprepossessed storage and it is one of the most constructive security techniques. A unprepossessed storage system is one where the keys are generated on an offline system (one never unfluctuating to the Internet) and stored offline either on paper or on digital media, such as a USB memory stick. Hardware Wallets In the long term, bitcoin security increasingly will take the form of hardware tamper-proof wallets. Unlike a smartphone or desktop computer, a bitcoin hardware wallet has just one purpose: to hold bitcoins securely. Without general-purpose software to compromise and with limited interfaces, hardware wallets can unhook an scrutinizingly foolproof level of security to nonexpert users. I expect to see hardware wallets wilt the predominant method of bitcoin storage. For an example of such a hardware wallet, see the Trezor. Balancing Risk Although most users are rightly concerned well-nigh bitcoin theft, there is an plane worthier risk. Data files get lost all the time. If they contain bitcoin, the loss is much increasingly painful. In the effort to secure their bitcoin wallets, users must be very shielding not to go too far and end up losing the bitcoin. In July of 2011, a well-known bitcoin sensation and education project lost scrutinizingly 7,000 bitcoins. In their effort to prevent theft, the owners had implemented a ramified series of encrypted backups. In the end they unwittingly lost the encryption keys, making the backups worthless and losing a fortune. Like hiding money by sepulture it in the desert, if you secure your bitcoin too well you might not be worldly-wise to find it again. Diversifying Risk Would you siphon your unshortened net worth in mazuma in your wallet? Most people would consider that reckless, yet bitcoin users often alimony all their bitcoin in a single wallet. Instead, users should spread the risk among multiple and diverse bitcoin wallets. Prudent users will alimony only a small fraction, perhaps less than 5%, of their bitcoins in an online or mobile wallet as "pocket change." The rest should be split between a few variegated storage mechanisms, such as a desktop wallet and offline (cold storage). Multi-sig and Governance Whenever a visitor or individual stores large amounts of bitcoin, they should consider using a multi-signature bitcoin address. Multi-signature addresses secure funds by requiring increasingly than one signature to make a payment. The signing keys should be stored in a number of variegated locations and under the tenancy of variegated people. In a corporate environment, for example, the keys should be generated independently and held by several visitor executives, to ensure no single person can compromise the funds. Multi-signature addresses can moreover offer redundancy, where a single person holds several keys that are stored in variegated locations. Survivability One important security consideration that is often overlooked is availability, expressly in the context of incapacity or death of the key holder. Bitcoin users are told to use ramified passwords and alimony their keys secure and private, not sharing them with anyone. Unfortunately, that practice makes it scrutinizingly untellable for the user’s family to recover any funds if the user is not misogynist to unlock them. In most cases, in fact, the families of bitcoin users might be completely unaware of the existence of the bitcoin funds. If you have a lot of bitcoin, you should consider sharing wangle details with a trusted relative or lawyer. A increasingly ramified survivability scheme can be set up with multi-signature wangle and manor planning through a lawyer specialized as a "digital windfall executor." Conclusion Bitcoin is a completely new, unprecedented, and ramified technology. Over time we will develop largest security tools and practices that are easier to use by nonexperts. For now, bitcoin users can use many of the tips discussed here to enjoy a secure and trouble-free bitcoin experience. Appendix A: Bitcoin - A Peer-to-Peer ElectronicMazumaSystem Satoshi Nakamoto [email protected] www.bitcoin.org Abstract. A purely peer-to-peer version of electronic mazuma would indulge online payments to be sent directly from one party to flipside without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spendmg problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing uniting of hash-based proof-of-work, forming a record that cannot be reverted without redomg the proof-of-work. The longest uniting not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to wade the network, they’11 generate the longest uniting and outpace attackers. The network itself requires minimal structure. Messages are unconcentrated on a weightier effort basis, and nodes can leave and rejoin the network at will, unsuspicious the longest proof-of-work uniting as proof of what happened while they were gone. Introduction Commerce on the Internet has come to rely scrutinizingly exclusively on financial institutions serving as trusted third parties to process electronic payments. While the system works well unbearable for most transactions, it still suffers from the inherent weaknesses of the trust based model. Completely non-reversible transactions are not really possible, since financial institutions cannot stave mediating disputes. The forfeit of mediation increases transaction costs, limiting the minimum practical transaction size and wearing off the possibility for small unstudied transactions, and there is a broader forfeit in the loss of worthiness to make non-reversible payments for nonreversible services. With the possibility of reversal, the need for trust spreads. Merchants must be wary of their customers, hassling them for increasingly information than they would otherwise need. A unrepealable percentage of fraud is wonted as unavoidable. These financing and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications waterworks without a trusted party. What is needed is an electronic payment system based on cryptographic proof instead of trust, permitting any two willing parties to transact directly with each other without the need for a trusted third party. Transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could hands be implemented to protect buyers. In this paper, we propose a solution to the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions. The system is secure as long as honest nodes collectively tenancy increasingly CPU power than any cooperating group of attacker nodes. Transactions We pinpoint an electronic forge as a uniting of digital signatures. Each owner transfers the forge to the next by digitally signing a hash of the previous transaction and the public key of the next owner and subtracting these to the end of the coin. A payee can verify the signatures to verify the uniting of ownership. The problem of undertow is the payee can’t verify that one of the owners did not double-spend the coin. A worldwide solution is to introduce a trusted inside authority, or mint, that checks every transaction for double spending.Withouteach transaction, the forge must be returned to the mint to issue a new coin, and only coins issued directly from the mint are trusted not to be double-spent. The problem with this solution is that the fate of the unshortened money system depends on the visitor running the mint, with every transaction having to go through them, just like a bank. We need a way for the payee to know that the previous owners did not sign any older transactions. For our purposes, the primeval transaction is the one that counts, so we don’t superintendency well-nigh later attempts to double-spend. The only way to personize the sparsity of a transaction is to be enlightened of all transactions. In the mint based model, the mint was enlightened of all transactions and decided which arrived first. To succeed this without a trusted party, transactions must be publicly spoken [1], and we need a system for participants to stipulate on a single history of the order in which they were received. The payee needs proof that at the time of each transaction, the majority of nodes well-set it was the first received. Timestamp Server The solution we propose begins with a timestamp server. A timestamp server works by taking a hash of a woodcut of items to be timestamped and widely publishing the hash, such as in a newspaper or Usenet post [2-5]. The timestamp proves that the data must have existed at the time, obviously, in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each spare timestamp reinforcing the ones surpassing it. Proof-of-Work To implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proofof- work system similar to Adam Back’s Hashcash [6], rather than newspaper or Usenet posts. The proof-of-work involves scanning for a value that when hashed, such as with SHA-256, the hash begins with a number of zero bits. The stereotype work required is exponential in the number of zero shit required and can be verified by executing a single hash. For our timestamp network, we implement the proof-of-work by incrementing a nonce in the woodcut until a value is found that gives the block’s hash the required zero bits. Once the CPU effort has been expended to make it satisfy the proof-of-work, the woodcut cannot be reverted without redoing the work. As later blocks are chained without it, the work to transpiration the woodcut would include redoing all the blocks without it. The proof-of-work moreover solves the problem of determining representation in majority visualization making. If the majority were based on one-IP-address-one-vote, it could be subverted by anyone worldly-wise to intrust many IPs. Proof-of-work is substantially one-CPU-one-vote. The majority visualization is represented by the longest chain, which has the greatest proof-of-work effort invested in it. If a majority of CPU power is controlled by honest nodes, the honest uniting will grow the fastest and outpace any competing chains. To modify a past block, an attacker would have to redo the proof-of-work of the woodcut and all blocks without it and then reservation up with and surpass the work of the honest nodes. We will show later that the probability of a slower attacker transmissible up diminishes exponentially as subsequent blocks are added. To recoup for increasing hardware speed and varying interest in running nodes over time, the proof-of-work difficulty is unswayable by a moving stereotype targeting an stereotype number of blocks per hour. If they’re generated too fast, the difficulty increases. Network The steps to run the network are as follows: New transactions are unconcentrated to all nodes. Each node collects new transactions into a block. Each node works on finding a difficult proof-of-work for its block. When a node finds a proof-of-work, it broadcasts the woodcut to all nodes. Nodes winnow the woodcut only if all transactions in it are valid and not once spent. Nodes express their visa of the woodcut by working on creating the next woodcut in the chain, using the hash of the wonted woodcut as the previous hash. Nodes unchangingly consider the longest uniting to be the correct one and will alimony working on extending it. If two nodes unconcentrated variegated versions of the next woodcut simultaneously, some nodes may receive one or the other first. In that case, they work on the first one they received, but save the other workshop in specimen it becomes longer. The tie will be wrenched when the next proofof- work is found and one workshop becomes longer; the nodes that were working on the other workshop will then switch to the longer one. New transaction broadcasts do not necessarily need to reach all nodes. As long as they reach many nodes, they will get into a woodcut surpassing long.Woodcutbroadcasts are moreover tolerant of dropped messages. If a node does not receive a block, it will request it when it receives the next woodcut and realizes it missed one. Incentive By convention, the first transaction in a woodcut is a special transaction that starts a new forge owned by the creator of the block. This adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no inside validity to issue them. The steady wing of a unvarying of value of new coins is matching to gold miners expending resources to add gold to circulation. In our case, it is CPU time and electricity that is expended. The incentive can moreover be funded with transaction fees. If the output value of a transaction is less than its input value, the difference is a transaction fee that is widow to the incentive value of the woodcut containing the transaction. Once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation free. The incentive may help encourage nodes to stay honest. If a greedy attacker is worldly-wise to hoke increasingly CPU power than all the honest nodes, he would have to segregate between using it to defraud people by stealing when his payments, or using it to generate new coins. He ought to find it increasingly profitable to play by the rules, such rules that favour him with increasingly new coins than everyone else combined, than to undermine the system and the validity of his own wealth. Reclaiming Disk Space Once the latest transaction in a forge is veiled under unbearable blocks, the spent transactions surpassing it can be discarded to save disk space. To facilitate this without breaking the block’s hash, transactions are hashed in a Merkle Tree [7][2][5], with only the root included in the block’s hash. Old blocks can then be compacted by stubbing off branches of the tree. The interior hashes do not need to be stored. A woodcut header with no transactions would be well-nigh 80 bytes. If we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 == 4.2MB per year. With computer systems typically selling with 2GB of RAM as of 2008, and Moore’s Law predicting current growth of 1.2GB per year, storage should not be a problem plane if the woodcut headers must be kept in memory. Simplified Payment Verification It is possible to verify payments without running a full network node. A user only needs to alimony a reprinting of the woodcut headers of the longest proof-of-work chain, which he can get by querying network nodes until he’s convinced he has the longest chain, and obtain the Merkle workshop linking the transaction to the woodcut it’s timestamped in. He can’t trammels the transaction for himself, but by linking it to a place in the chain, he can see that a network node has wonted it, and blocks widow without it remoter personize the network has wonted it. As such, the verification is reliable as long as honest nodes tenancy the network, but is increasingly vulnerable if the network is overpowered by an attacker. While network nodes can verify transactions for themselves, the simplified method can be fooled by an attacker’s made-up transactions for as long as the attacker can protract to overpower the network. One strategy to protect versus this would be to winnow alerts from network nodes when they snift an invalid block, prompting the user’s software to download the full woodcut and alerted transactions to personize the inconsistency. Businesses that receive frequent payments will probably still want to run their own nodes for increasingly self-sustaining security and quicker verification. Combining and Splitting Value Although it would be possible to handle coins individually, it would be unwieldy to make a separate transaction for every cent in a transfer. To indulge value to be split and combined, transactions contain multiple inputs and outputs. Normally there will be either a single input from a larger previous transaction or multiple inputs combining smaller amounts, and at most two outputs: one for the payment, and one returning the change, if any, when to the sender. It should be noted that fan-out, where a transaction depends on several transactions, and those transactions depend on many more, is not a problem here. There is never the need to pericope a well-constructed standalone reprinting of a transaction’s history. Privacy The traditional financial model achieves a level of privacy by limiting wangle to information to the parties involved and the trusted third party. The necessity to signify all transactions publicly precludes this method, but privacy can still be maintained by breaking the spritz of information in flipside place: by keeping public keys anonymous. The public can see that someone is sending an value to someone else, but without information linking the transaction to anyone. This is similar to the level of information released by stock exchanges, where the time and size of individual trades, the "tape", is made public, but without telling who the parties were. As an spare firewall, a new key pair should be used for each transaction to alimony them from stuff linked to a worldwide owner. Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner. Calculations We consider the scenario of an attacker trying to generate an unorganized uniting faster than the honest chain.Planeif this is accomplished, it does not throw the system unshut to wrong-headed changes, such as creating value out of thin air or taking money that never belonged to the attacker. Nodes are not going to winnow an invalid transaction as payment, and honest nodes will never winnow a woodcut containing them. An attacker can only try to transpiration one of his own transactions to take when money he recently spent. The race between the honest uniting and an attacker uniting can be characterized as a Binomial Random Walk. The success event is the honest uniting stuff extended by one block, increasing its lead by +1, and the failure event is the attacker’s uniting stuff extended by one block, reducing the gap by -1. The probability of an attacker transmissible up from a given deficit is matching to a Gambler’s Ruin problem. Suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven. We can summate the probability he overly reaches breakeven, or that an attacker overly catches up with the honest chain, as follows [8]: p == probability an honest node finds the next woodcut q == probability the attacker finds the next woodcut qz == probability the attacker will overly reservation up from z blocks overdue Given our theorizing that p > q, the probability drops exponentially as the number of blocks the attacker has to reservation up with increases. With the odds versus him, if he doesn’t make a lucky lunge forward early on, his chances wilt vanishingly small as he falls remoter behind. We now consider how long the recipient of a new transaction needs to wait surpassing stuff sufficiently unrepealable the sender can’t transpiration the transaction. We seem the sender is an attacker who wants to make the recipient believe he paid him for a while, then switch it to pay when to himself without some time has passed. The receiver will be alerted when that happens, but the sender hopes it will be too late. The receiver generates a new key pair and gives the public key to the sender shortly surpassing signing. This prevents the sender from preparing a uniting of blocks superiority of time by working on it continuously until he is lucky unbearable to get far unbearable ahead, then executing the transaction at that moment. Once the transaction is sent, the quack sender starts working in secret on a parallel uniting containing an unorganized version of his transaction. The recipient waits until the transaction has been widow to a woodcut and z blocks have been linked without it. He doesn’t know the word-for-word value of progress the attacker has made, but thesping the honest blocks took the stereotype expected time per block, the attacker’s potential progress will be a Poisson distribution with expected value: To get the probability the attacker could still reservation up now, we multiply the Poisson density for each value of progress he could have made by the probability he could reservation up from that point: Rearranging to stave summing the infinite tail of the distribution… Converting to C code… Running some results, we can see the probability waif off exponentially with z. q=0.1 z=0 P=1.0000000 z=1 P=0.2045873 z=2 P=0.0509779 z=3 P=0.0131722 z=4 P=0.0034552 z=5 P=0.0009137 z=6 P=0.0002428 z=7 P=0.0000647 z=8 P=0.0000173 z=9 P=0.0000046 z=10 P=0.0000012 q=0.3 z=0 P=1.0000000 z=5 P=0.1773523 z=10 P=0.0416605 z=15 P=0.0101008 z=20 P=0.0024804 z=25 P=0.0006132 z=30 P=0.0001522 z=35 P=0.0000379 z=40 P=0.0000095 z=45 P=0.0000024 z=50 P=0.0000006 Solving for P less than 0.1%… P < 0.001 q=0.10 z=5 q=0.15 z=8 q=0.20 z=11 q=0.25 z=15 q=0.30 z=24 q=0.35 z=41 q=0.40 z=89 q=0.45 z=340 Conclusion We have proposed a system for electronic transactions without relying on trust. We started with the usual framework of coins made from digital signatures, which provides strong tenancy of ownership, but is incomplete without a way to prevent double-spending. To solve this, we proposed a peer-to-peer network using proof-of-work to record a public history of transactions that quickly becomes computationally impractical for an attacker to transpiration if honest nodes tenancy a majority of CPU power. The network is robust in its unstructured simplicity. Nodes work all at once with little coordination. They do not need to be identified, since messages are not routed to any particular place and only need to be delivered on a weightier effort basis. Nodes can leave and rejoin the network at will, unsuspicious the proof-of-work uniting as proof of what happened while they were gone. They vote with their CPU power, expressing their visa of valid blocks by working on extending them and rejecting invalid blocks by refusing to work on them. Any needed rules and incentives can be enforced with this consensus mechanism. References [1] W. Dai, "b-money," http://www.weidai.com/bmoney.txt, 1998. [2] H. Massias, X.S. Avila, and J.-J. Quisquater, "Design of a secure timestamping service with minimal trust requirements," In 20th Symposium on Information Theory in the Benelux, May 1999. [3] S. Haber, W.S. Stornetta, "How to time-stamp a digital document," In Journal of Cryptology, vol 3, no 2, pages 99-111, 1991. [4] D. Bayer, S. Haber, W.S. Stornetta, "Improving the efficiency and reliability of digital time-stamping," In Sequences II: Methods in Communication, Security and Computer Science, pages 329-334, 1993. [5] S. Haber, W.S. Stornetta, "Secure names for bit-strings," In Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 28-35, April 1997. [6] A. Back, "Hashcash - a withholding of service counter-measure," http://www.hashcash.org/papers/hashcash.pdf, 2002. [7] R.C. Merkle, "Protocols for public key cryptosystems," In Proc. 1980 Symposium on Security and Privacy, IEEE Computer Society, pages 122-133, April 1980. [8] W. Feller, "An introduction to probability theory and its applications," 1957. License This white paper was published in October 2008 by Satoshi Nakamoto. It was later (2009) widow as supporting documentation to the bitcoin software and carries the same MIT license: The MIT License (MIT) Copyright (c) 2008 Satoshi Nakamoto Permission is hereby granted, self-ruling of charge, to any person obtaining a reprinting of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the pursuit conditions: The whilom copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Appendix B: Transaction Script Language Operators, Constants, and Symbols [tx_script_ops_table_pushdata] shows operators for pushing values onto the stack. Table 26. Push value onto stack Symbol Value (hex)UnravelmentOP_0 or OP_FALSE 0x00 An empty variety is pushed onto the stack 1-75 0x01-0x4b Push the next N bytes onto the stack, where N is 1 to 75 bytes OP_PUSHDATA1 0x4c The next script byte contains N, push the pursuit N bytes onto the stack OP_PUSHDATA2 0x4d The next two script bytes contain N, push the pursuit N bytes onto the stack OP_PUSHDATA4 0x4e The next four script bytes contain N, push the pursuit N bytes onto the stack OP_1NEGATE 0x4f Push the value "–1" onto the stack OP_RESERVED 0x50 Halt - Invalid transaction unless found in an unexecuted OP_IF clause OP_1 or OP_TRUE 0x51 Push the value "1" onto the stack OP_2 to OP_16 0x52 to 0x60 For OP_N, push the value "N" onto the stack. E.g., OP_2 pushes "2" [tx_script_ops_table_control] shows provisionary spritz tenancy operators. Table 27.Provisionaryflow tenancy Symbol Value (hex)UnravelmentOP_NOP 0x61 Do nothing OP_VER 0x62 Halt - Invalid transaction unless found in an unexecuted OP_IF clause OP_IF 0x63 Execute the statements pursuit if top of stack is not 0 OP_NOTIF 0x64 Execute the statements pursuit if top of stack is 0 OP_VERIF 0x65 Halt - Invalid transaction OP_VERNOTIF 0x66 Halt - Invalid transaction OP_ELSE 0x67 Execute only if the previous statements were not executed OP_ENDIF 0x68 End the OP_IF, OP_NOTIF, OP_ELSE woodcut OP_VERIFY 0x69Trammelsthe top of the stack, halt and invalidate transaction if not TRUE OP_RETURN 0x6a Halt and invalidate transaction [tx_script_ops_table_stack] shows operators used to manipulate the stack. Table 28. Stack operations Symbol Value (hex)UnravelmentOP_TOALTSTACK 0x6b Pop top item from stack and push to volitional stack OP_FROMALTSTACK 0x6c Pop top item from volitional stack and push to stack OP_2DROP 0x6d Pop top two stack items OP_2DUP 0x6eIndistinguishabletop two stack items OP_3DUP 0x6fIndistinguishabletop three stack items OP_2OVER 0x70Reprintingthe third and fourth items in the stack to the top OP_2ROT 0x71 Move the fifth and sixth items in the stack to the top OP_2SWAP 0x72 Swap the two top pairs of items in the stack OP_IFDUP 0x73Indistinguishablethe top item in the stack if it is not 0 OP_DEPTH 0x74 Count the items on the stack and push the resulting count OP_DROP 0x75 Pop the top item in the stack OP_DUP 0x76Indistinguishablethe top item in the stack OP_NIP 0x77 Pop the second item in the stack OP_OVER 0x78Reprintingthe second item in the stack and push it onto the top OP_PICK 0x79 Pop value N from top, then reprinting the Nth item to the top of the stack OP_ROLL 0x7a Pop value N from top, then move the Nth item to the top of the stack OP_ROT 0x7b Rotate the top three items in the stack OP_SWAP 0x7c Swap the top three items in the stack OP_TUCK 0x7dReprintingthe top item and insert it between the top and second item. [tx_script_ops_table_splice] shows string operators. Table 29. String splice operations Symbol Value (hex)UnravelmentOP_CAT 0x7e Disabled (concatenates top two items) OP_SUBSTR 0x7f Disabled (returns substring) OP_LEFT 0x80 Disabled (returns left substring) OP_RIGHT 0x81 Disabled (returns right substring) OP_SIZE 0x82Summatestring length of top item and push the result [tx_script_ops_table_binmath] shows binary arithmetic and boolean logic operators. Table 30. Binary arithmetic and conditionals Symbol Value (hex)UnravelmentOP_INVERT 0x83 Disabled (Flip the shit of the top item) OP_AND 0x84 Disabled (Boolean AND of two top items) OP_OR 0x85 Disabled (Boolean OR of two top items) OP_XOR 0x86 Disabled (Boolean XOR of two top items) OP_EQUAL 0x87 Push TRUE (1) if top two items are exactly equal, push FALSE (0) otherwise OP_EQUALVERIFY 0x88 Same as OP_EQUAL, but run OP_VERIFY without to halt if not TRUE OP_RESERVED1 0x89 Halt - Invalid transaction unless found in an unexecuted OP_IF clause OP_RESERVED2 0x8a Halt - Invalid transaction unless found in an unexecuted OP_IF clause [tx_script_ops_table_numbers] shows numeric (arithmetic) operators. Table 31. Numeric operators Symbol Value (hex)UnravelmentOP_1ADD 0x8b Add 1 to the top item OP_1SUB 0x8c Subtract 1 from the top item OP_2MUL 0x8d Disabled (multiply top item by 2) OP_2DIV 0x8e Disabled (divide top item by 2) OP_NEGATE 0x8f Flip the sign of top item OP_ABS 0x90Transpirationthe sign of the top item to positive OP_NOT 0x91 If top item is 0 or 1 Boolean flip it, otherwise return 0 OP_0NOTEQUAL 0x92 If top item is 0 return 0, otherwise return 1 OP_ADD 0x93 Pop top two items, add them and push result OP_SUB 0x94 Pop top two items, subtract first from second, push result OP_MUL 0x95 Disabled (multiply top two items) OP_DIV 0x96 Disabled (divide second item by first item) OP_MOD 0x97 Disabled (remainder divide second item by first item) OP_LSHIFT 0x98 Disabled (shift second item left by first item number of bits) OP_RSHIFT 0x99 Disabled (shift second item right by first item number of bits) OP_BOOLAND 0x9a Boolean AND of top two items OP_BOOLOR 0x9b Boolean OR of top two items OP_NUMEQUAL 0x9c Return TRUE if top two items are equal numbers OP_NUMEQUALVERIFY 0x9d Same as NUMEQUAL, then OP_VERIFY to halt if not TRUE OP_NUMNOTEQUAL 0x9e Return TRUE if top two items are not equal numbers OP_LESSTHAN 0x9f Return TRUE if second item is less than top item OP_GREATERTHAN 0xa0 Return TRUE if second item is greater than top item OP_LESSTHANOREQUAL 0xa1 Return TRUE if second item is less than or equal to top item OP_GREATERTHANOREQUAL 0xa2 Return TRUE if second item is unconfined than or equal to top item OP_MIN 0xa3 Return the smaller of the two top items OP_MAX 0xa4 Return the larger of the two top items OP_WITHIN 0xa5 Return TRUE if the third item is between the second item (or equal) and first item [tx_script_ops_table_crypto] shows cryptographic function operators. Table 32. Cryptographic and hashing operations Symbol Value (hex)UnravelmentOP_RIPEMD160 0xa6 Return RIPEMD160 hash of top item OP_SHA1 0xa7 Return SHA1 hash of top item OP_SHA256 0xa8 Return SHA256 hash of top item OP_HASH160 0xa9 Return RIPEMD160(SHA256(x)) hash of top item OP_HASH256 0xaa Return SHA256(SHA256(x)) hash of top item OP_CODESEPARATOR 0xab Mark the whence of signature-checked data OP_CHECKSIG 0xac Pop a public key and signature and validate the signature for the transaction’s hashed data, return TRUE if matching OP_CHECKSIGVERIFY 0xad Same as CHECKSIG, then OP_VERIFY to halt if not TRUE OP_CHECKMULTISIG 0xae Run CHECKSIG for each pair of signature and public key provided. All must match. Bug in implementation pops an uneaten value, prefix with OP_NOP as workaround OP_CHECKMULTISIGVERIFY 0xaf Same as CHECKMULTISIG, then OP_VERIFY to halt if not TRUE [tx_script_ops_table_nop] shows nonoperator symbols Table 33. Non-operators Symbol Value (hex)UnravelmentOP_NOP1-OP_NOP10 0xb0-0xb9 Does nothing, ignored [tx_script_ops_table_internal] shows operator codes reserved for use by the internal script parser. Table 34. Reserved OP codes for internal use by the parser Symbol Value (hex)UnravelmentOP_SMALLDATA 0xf9 Represents small data field OP_SMALLINTEGER 0xfa Represents small integer data field OP_PUBKEYS 0xfb Represents public key fields OP_PUBKEYHASH 0xfd Represents a public key hash field OP_PUBKEY 0xfe Represents a public key field OP_INVALIDOPCODE 0xff Represents any OP lawmaking not currently prescribed Appendix C: BitcoinResurgenceProposals Bitcoin resurgence proposals are diamond documents providing information to the bitcoin community, or describing a new full-length for bitcoin or its processes or environment. As per BIP0001 BIP Purpose and Guidelines, there are three kinds of BIP: Standard BIP Describes any transpiration that affects most or all bitcoin implementations, such as a transpiration to the network protocol, a transpiration in woodcut or transaction validity rules, or any transpiration or wing that affects the interoperability of applications using bitcoin. Informational BIP Describes a bitcoin diamond issue, or provides unstipulated guidelines or information to the bitcoin community, but does not propose a new feature. Informational BIPs do not necessarily represent a bitcoin polity consensus or recommendation, so users and implementors may ignore informational BIPs or follow their advice. Process BIP Describes a bitcoin process, or proposes a transpiration to (or an event in) a process. Process BIPs are like standard BIPs but wield to areas other than the bitcoin protocol itself. They might propose an implementation, but not to bitcoin’s codebase; they often require polity consensus; and unlike informational BIPs, they are increasingly than recommendations, and users are typically not self-ruling to ignore them. Examples include procedures, guidelines, changes to the decision-making process, and changes to the tools or environment used in Bitcoin development. Any meta-BIP is moreover considered a process BIP. Bitcoin resurgence proposals are recorded in a versioned repository on GitHub. [table_d-1] shows a snapshot of BIPs in the Fall of 2014. Consult the supervisory repository for up-to-date information on existing BIPs and their contents. Table 35. Snapshot of BIPs BIP# Link Title Owner Type Status 1 https://github.com/bitcoin/bips/blob/master/bip-0001.mediawiki BIP Purpose and Guidelines Amir Taaki StandardZippy10 https://github.com/bitcoin/bips/blob/master/bip-0010.mediawiki Multi-Sig Transaction Distribution Alan Reiner InformationalTyphoon11 https://github.com/bitcoin/bips/blob/master/bip-0011.mediawiki M-of-N Standard Transactions Gavin Andresen StandardWonted12 https://github.com/bitcoin/bips/blob/master/bip-0012.mediawiki OP_EVAL Gavin Andresen Standard Withdrawn 13 https://github.com/bitcoin/bips/blob/master/bip-0013.mediawikiWriteFormat for pay-to-script-hash Gavin Andresen Standard Final 14 https://github.com/bitcoin/bips/blob/master/bip-0014.mediawiki Protocol Version and User Agent Amir Taaki, Patrick Strateman StandardWonted15 https://github.com/bitcoin/bips/blob/master/bip-0015.mediawiki Aliases Amir Taaki Standard Withdrawn 16 https://github.com/bitcoin/bips/blob/master/bip-0016.mediawiki Pay To Script Hash Gavin Andresen StandardWonted17 https://github.com/bitcoin/bips/blob/master/bip-0017.mediawiki OP_CHECKHASHVERIFY (CHV) Luke Dashjr WithdrawnTyphoon18 https://github.com/bitcoin/bips/blob/master/bip-0018.mediawikilink: hashScriptCheck Luke Dashjr StandardTyphoon19 https://github.com/bitcoin/bips/blob/master/bip-0019.mediawiki M-of-N Standard Transactions (Low SigOp) Luke Dashjr StandardTyphoon20 https://github.com/bitcoin/bips/blob/master/bip-0020.mediawiki URI Scheme Luke Dashjr Standard Replaced 21 https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki URI Scheme Nils Schneider, Matt Corallo StandardWonted22 https://github.com/bitcoin/bips/blob/master/bip-0022.mediawiki getblocktemplate - Fundamentals Luke Dashjr StandardWonted23 https://github.com/bitcoin/bips/blob/master/bip-0023.mediawiki getblocktemplate - Pooled Mining Luke Dashjr StandardWonted30 https://github.com/bitcoin/bips/blob/master/bip-0030.mediawikiIndistinguishabletransactions Pieter Wuille StandardWonted31 https://github.com/bitcoin/bips/blob/master/bip-0031.mediawiki Pong message Mike Hearn StandardWonted32 https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki Hierarchical Deterministic Wallets Pieter Wuille InformationalWonted33 https://github.com/bitcoin/bips/blob/master/bip-0033.mediawiki Stratized Nodes Amir Taaki StandardTyphoon34 https://github.com/bitcoin/bips/blob/master/bip-0034.mediawikiWoodcutv2, Height in coinbase Gavin Andresen StandardWonted35 https://github.com/bitcoin/bips/blob/master/bip-0035.mediawiki mempool message Jeff Garzik StandardWonted36 https://github.com/bitcoin/bips/blob/master/bip-0036.mediawiki Custom Services Stefan Thomas StandardTyphoon37 https://github.com/bitcoin/bips/blob/master/bip-0037.mediawikiViridityfiltering Mike Hearn and Matt Corallo StandardWonted38 https://github.com/bitcoin/bips/blob/master/bip-0038.mediawiki Passphrase-protected private key Mike Caldwell StandardTyphoon39 https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki Mnemonic lawmaking for generating deterministic keys Slush StandardTyphoon40 Stratum wire protocol Slush Standard BIP number allocated 41 Stratum mining protocol Slush Standard BIP number allocated 42 https://github.com/bitcoin/bips/blob/master/bip-0042.mediawiki A finite monetary supply for bitcoin Pieter Wuille StandardTyphoon43 https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki Purpose Field for Deterministic Wallets Slush StandardTyphoon44 https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki Multi-Account Hierarchy for Deterministic Wallets Slush StandardTyphoon50 https://github.com/bitcoin/bips/blob/master/bip-0050.mediawiki March 2013UnitingFork Post-Mortem Gavin Andresen InformationalTyphoon60 https://github.com/bitcoin/bips/blob/master/bip-0060.mediawikiStock-stillLength "version" Message (Relay-Transactions Field) Amir Taaki StandardTyphoon61 https://github.com/bitcoin/bips/blob/master/bip-0061.mediawiki "reject" P2P message Gavin Andresen StandardTyphoon62 https://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki Dealing with malleability Pieter Wuille StandardTyphoon63 Stealth Addresses Peter Todd Standard BIP number allocated 64 https://github.com/bitcoin/bips/blob/master/bip-0064.mediawiki getutxos message Mike Hearn StandardTyphoon70 https://github.com/bitcoin/bips/blob/master/bip-0070.mediawiki Payment protocol Gavin Andresen StandardTyphoon71 https://github.com/bitcoin/bips/blob/master/bip-0071.mediawiki Payment protocol MIME types Gavin Andresen StandardTyphoon72 https://github.com/bitcoin/bips/blob/master/bip-0072.mediawiki Payment protocol URIs Gavin Andresen StandardTyphoon73 https://github.com/bitcoin/bips/blob/master/bip-0073.mediawiki Use "Accept" header with Payment Request URLs Stephen Pair StandardTyphoonAppendix D: pycoin, ku, and tx The Python library pycoin, originally written and maintained by Richard Kiss, is a Python-based library that supports manipulation of bitcoin keys and transactions, plane supporting the scripting language unbearable to properly deal with nonstandard transactions. The pycoin library supports both Python 2 (2.7.x) and Python 3 (after 3.3), and comes with some handy command-line utilities, ku and tx. Key Utility (KU) The command-line utility ku ("key utility") is a SwissUnwashedknife for manipulating keys. It supports BIP32 keys, WIF, and addresses (bitcoin and alt coins).Pursuitare some examples. Create a BIP32 key using the default entropy sources of GPG and /dev/random: $ ku create input : create network : Bitcoin wallet key : xprv9s21ZrQH143K3LU5ctPZTBnb9kTjA5Su9DcWHvXJemiJBsY7VqXUG7hipgdWaU m2nhnzdvxJf5KJo9vjP2nABX65c5sFsWsV8oXcbpehtJi public version : xpub661MyMwAqRbcFpYYiuvZpKjKhnJDZYAkWSY76JvvD7FH4fsG3Nqiov2CfxzxY8 DGcpfT56AMFeo8M8KPkFMfLUtvwjwb6WPv8rY65L2q8Hz tree depth : 0 fingerprint : 9d9c6092 parent f'print : 00000000 child alphabetize : 0 uniting lawmaking : 80574fb260edaa4905bc86c9a47d30c697c50047ed466c0d4a5167f6821e8f3c private key : yes secret exponent : 112471538590155650688604752840386134637231974546906847202389294096567806844862 hex : f8a8a28b28a916e1043cc0aca52033a18a13cab1638d544006469bc171fddfbe wif : L5Z54xi6qJusQT42JHA44mfPVZGjyb4XBRWfxAzUWwRiGx1kV4sP uncompressed : 5KhoEavGNNH4GHKoy2Ptu4KfdNp4r56L5B5un8FP6RZnbsz5Nmb public pair x : 76460638240546478364843397478278468101877117767873462127021560368290114016034 public pair y : 59807879657469774102040120298272207730921291736633247737077406753676825777701 x as hex : a90b3008792432060fa04365941e09a8e4adf928bdbdb9dad41131274e379322 y as hex : 843a0f6ed9c0eb1962c74533795406914fe3f1957c5238951f4fe245a4fcd625 y parity : odd key pair as sec : 03a90b3008792432060fa04365941e09a8e4adf928bdbdb9dad41131274e379322 uncompressed : 04a90b3008792432060fa04365941e09a8e4adf928bdbdb9dad41131274e379322 843a0f6ed9c0eb1962c74533795406914fe3f1957c5238951f4fe245a4fcd625 hash160 : 9d9c609247174ae323acfc96c852753fe3c8819d uncompressed : 8870d869800c9b91ce1eb460f4c60540f87c15d7 Bitcoin write : 1FNNRQ5fSv1wBi5gyfVBs2rkNheMGt86sp uncompressed : 1DSS5isnH4FsVaLVjeVXewVSpfqktdiQAM Create a BIP32 key from a passphrase: Warning The passphrase in this example is way too easy to guess. $ ku P:foo input : P:foo network : Bitcoin wallet key : xprv9s21ZrQH143K31AgNK5pyVvW23gHnkBq2wh5aEk6g1s496M8ZMjxncCKZKgb5j ZoY5eSJMJ2Vbyvi2hbmQnCuHBujZ2WXGTux1X2k9Krdtq public version : xpub661MyMwAqRbcFVF9ULcqLdsEa5WnCCugQAcgNd9iEMQ31tgH6u4DLQWoQayvtS VYFvXz2vPPpbXE1qpjoUFidhjFj82pVShWu9curWmb2zy tree depth : 0 fingerprint : 5d353a2e parent f'print : 00000000 child alphabetize : 0 uniting lawmaking : 5eeb1023fd6dd1ae52a005ce0e73420821e1d90e08be980a85e9111fd7646bbc private key : yes secret exponent : 65825730547097305716057160437970790220123864299761908948746835886007793998275 hex : 91880b0e3017ba586b735fe7d04f1790f3c46b818a2151fb2def5f14dd2fd9c3 wif : L26c3H6jEPVSqAr1usXUp9qtQJw6NHgApq6Ls4ncyqtsvcq2MwKH uncompressed : 5JvNzA5vXDoKYJdw8SwwLHxUxaWvn9mDea6k1vRPCX7KLUVWa7W public pair x : 81821982719381104061777349269130419024493616650993589394553404347774393168191 public pair y : 58994218069605424278320703250689780154785099509277691723126325051200459038290 x as hex : b4e599dfa44555a4ed38bcfff0071d5af676a86abf123c5b4b4e8e67a0b0b13f y as hex : 826d8b4d3010aea16ff4c1c1d3ae68541d9a04df54a2c48cc241c2983544de52 y parity : plane key pair as sec : 02b4e599dfa44555a4ed38bcfff0071d5af676a86abf123c5b4b4e8e67a0b0b13f uncompressed : 04b4e599dfa44555a4ed38bcfff0071d5af676a86abf123c5b4b4e8e67a0b0b13f 826d8b4d3010aea16ff4c1c1d3ae68541d9a04df54a2c48cc241c2983544de52 hash160 : 5d353a2ecdb262477172852d57a3f11de0c19286 uncompressed : e5bd3a7e6cb62b4c820e51200fb1c148d79e67da Bitcoin write : 19Vqc8uLTfUonmxUEZac7fz1M5c5ZZbAii uncompressed : 1MwkRkogzBRMehBntgcq2aJhXCXStJTXHT Get info as JSON: $ ku P:foo -P -j Public BIP32 key: $ ku -w -P P:foo xpub661MyMwAqRbcFVF9ULcqLdsEa5WnCCugQAcgNd9iEMQ31tgH6u4DLQWoQayvtSVYFvXz2vPPpbXE1qpjoUFidhjFj82pVShWu9curWmb2zy Generate a subkey: $ ku -w -s3/2 P:foo xprv9wTErTSkjVyJa1v4cUTFMFkWMe5eu8ErbQcs9xajnsUzCBT7ykHAwdrxvG3g3f6BFk7ms5hHBvmbdutNmyg6iogWKxx6mefEw4M8EroLgKj Hardened subkey: $ ku -w -s3/2H P:foo xprv9wTErTSu5AWGkDeUPmqBcbZWX1xq85ZNX9iQRQW9DXwygFp7iRGJo79dsVctcsCHsnZ3XU3DhsuaGZbDh8iDkBN45k67UKsJUXM1JfRCdn1 WIF: $ ku -W P:foo L26c3H6jEPVSqAr1usXUp9qtQJw6NHgApq6Ls4ncyqtsvcq2MwKH Address: $ ku -a P:foo 19Vqc8uLTfUonmxUEZac7fz1M5c5ZZbAii Generate a tuft of subkeys: $ ku P:foo -s 0/0-5 -w xprv9xWkBDfyBXmZjBG9EiXBpy67KK72fphUp9utJokEBFtjsjiuKUUDF5V3TU8U8cDzytqYnSekc8bYuJS8G3bhXxKWB89Ggn2dzLcoJsuEdRK xprv9xWkBDfyBXmZnzKf3bAGifK593gT7WJZPnYAmvc77gUQVej5QHckc5Adtwxa28ACmANi9XhCrRvtFqQcUxt8rUgFz3souMiDdWxJDZnQxzx xprv9xWkBDfyBXmZqdXA8y4SWqfBdy71gSW9sjx9JpCiJEiBwSMQyRxan6srXUPBtj3PTxQFkZJAiwoUpmvtrxKZu4zfsnr3pqyy2vthpkwuoVq xprv9xWkBDfyBXmZsA85GyWj9uYPyoQv826YAadKWMaaEosNrFBKgj2TqWuiWY3zuqxYGpHfv9cnGj5P7e8EskpzKL1Y8Gk9aX6QbryA5raK73p xprv9xWkBDfyBXmZv2q3N66hhZ8DAcEnQDnXML1J62krJAcf7Xb1HJwuW2VMJQrCofY2jtFXdiEY8UsRNJfqK6DAdyZXoMvtaLHyWQx3FS4A9zw xprv9xWkBDfyBXmZw4jEYXUHYc9fT25k9irP87n2RqfJ5bqbjKdT84Mm7Wtc2xmzFuKg7iYf7XFHKkSsaYKWKJbR54bnyAD9GzjUYbAYTtN4ruo Generate the respective addresses: $ ku P:foo -s 0/0-5 -a 1MrjE78H1R1rqdFrmkjdHnPUdLCJALbv3x 1AnYyVEcuqeoVzH96zj1eYKwoWfwte2pxu 1GXr1kZfxE1FcK6ZRD5sqqqs5YfvuzA1Lb 116AXZc4bDVQrqmcinzu4aaPdrYqvuiBEK 1Cz2rTLjRM6pMnxPNrRKp9ZSvRtj5dDUML 1WstdwPnU6HEUPme1DQayN9nm6j7nDVEM Generate the respective WIFs: $ ku P:foo -s 0/0-5 -W L5a4iE5k9gcJKGqX3FWmxzBYQc29PvZ6pgBaePLVqT5YByEnBomx Kyjgne6GZwPGB6G6kJEhoPbmyjMP7D5d3zRbHVjwcq4iQXD9QqKQ L4B3ygQxK6zH2NQGxLDee2H9v4Lvwg14cLJW7QwWPzCtKHdWMaQz L2L2PZdorybUqkPjrmhem4Ax5EJvP7ijmxbNoQKnmTDMrqemY8UF L2oD6vA4TUyqPF8QG4vhUFSgwCyuuvFZ3v8SKHYFDwkbM765Nrfd KzChTbc3kZFxUSJ3Kt54cxsogeFAD9CCM4zGB22si8nfKcThQn8CTrammelsthat it works by choosing a BIP32 string (the one respective to subkey 0/3): $ ku -W xprv9xWkBDfyBXmZsA85GyWj9uYPyoQv826YAadKWMaaEosNrFBKgj2TqWuiWY3zuqxYGpHfv9cnGj5P7e8EskpzKL1Y8Gk9aX6QbryA5raK73p L2L2PZdorybUqkPjrmhem4Ax5EJvP7ijmxbNoQKnmTDMrqemY8UF $ ku -a xprv9xWkBDfyBXmZsA85GyWj9uYPyoQv826YAadKWMaaEosNrFBKgj2TqWuiWY3zuqxYGpHfv9cnGj5P7e8EskpzKL1Y8Gk9aX6QbryA5raK73p 116AXZc4bDVQrqmcinzu4aaPdrYqvuiBEK Yep, looks familiar. From secret exponent: $ ku 1 input : 1 network : Bitcoin secret exponent : 1 hex : 1 wif : KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qYjgd9M7rFU73sVHnoWn uncompressed : 5HpHagT65TZzG1PH3CSu63k8DbpvD8s5ip4nEB3kEsreAnchuDf public pair x : 55066263022277343669578718895168534326250603453777594175500187360389116729240 public pair y : 32670510020758816978083085130507043184471273380659243275938904335757337482424 x as hex : 79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798 y as hex : 483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8 y parity : plane key pair as sec : 0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798 uncompressed : 0479be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798 483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8 hash160 : 751e76e8199196d454941c45d1b3a323f1433bd6 uncompressed : 91b24bf9f5288532960ac687abb035127b1d28a5 Bitcoin write : 1BgGZ9tcN4rm9KBzDn7KprQz87SZ26SAMH uncompressed : 1EHNa6Q4Jz2uvNExL497mE43ikXhwF6kZm Litecoin version: $ ku -nL 1 input : 1 network : Litecoin secret exponent : 1 hex : 1 wif : T33ydQRKp4FCW5LCLLUB7deioUMoveiwekdwUwyfRDeGZm76aUjV uncompressed : 6u823ozcyt2rjPH8Z2ErsSXJB5PPQwK7VVTwwN4mxLBFrao69XQ public pair x : 55066263022277343669578718895168534326250603453777594175500187360389116729240 public pair y : 32670510020758816978083085130507043184471273380659243275938904335757337482424 x as hex : 79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798 y as hex : 483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8 y parity : plane key pair as sec : 0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798 uncompressed : 0479be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798 483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8 hash160 : 751e76e8199196d454941c45d1b3a323f1433bd6 uncompressed : 91b24bf9f5288532960ac687abb035127b1d28a5 Litecoin write : LVuDpNCSSj6pQ7t9Pv6d6sUkLKoqDEVUnJ uncompressed : LYWKqJhtPeGyBAw7WC8R3F7ovxtzAiubdM Dogecoin WIF: $ ku -nD -W 1 QNcdLVw8fHkixm6NNyN6nVwxKek4u7qrioRbQmjxac5TVoTtZuot From public pair (on Testnet): $ ku -nT 55066263022277343669578718895168534326250603453777594175500187360389116729240,even input : 550662630222773436695787188951685343262506034537775941755001873603 89116729240,even network : Bitcoin testnet public pair x : 55066263022277343669578718895168534326250603453777594175500187360389116729240 public pair y : 32670510020758816978083085130507043184471273380659243275938904335757337482424 x as hex : 79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798 y as hex : 483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8 y parity : plane key pair as sec : 0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798 uncompressed : 0479be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798 483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8 hash160 : 751e76e8199196d454941c45d1b3a323f1433bd6 uncompressed : 91b24bf9f5288532960ac687abb035127b1d28a5 Bitcoin testnet write : mrCDrCybB6J1vRfbwM5hemdJz73FwDBC8r uncompressed : mtoKs9V381UAhUia3d7Vb9GNak8Qvmcsme From hash160: $ ku 751e76e8199196d454941c45d1b3a323f1433bd6 input : 751e76e8199196d454941c45d1b3a323f1433bd6 network : Bitcoin hash160 : 751e76e8199196d454941c45d1b3a323f1433bd6 Bitcoin write : 1BgGZ9tcN4rm9KBzDn7KprQz87SZ26SAMH As a Dogecoin address: $ ku -nD 751e76e8199196d454941c45d1b3a323f1433bd6 input : 751e76e8199196d454941c45d1b3a323f1433bd6 network : Dogecoin hash160 : 751e76e8199196d454941c45d1b3a323f1433bd6 Dogecoin write : DFpN6QqFfUm3gKNaxN6tNcab1FArL9cZLE Transaction Utility (TX) The command-line utility tx will exhibit transactions in human-readable form, fetch wiring transactions from pycoin’s transaction enshroud or from web services (blockchain.info, blockr.io, and biteasy.com are currently supported), merge transactions, add or delete inputs or outputs, and sign transactions.Pursuitare some examples. View the famous "pizza" transaction [PIZZA]: $ tx 49d2adb6e476fa46d8357babf78b1b501fd39e177ac7833124b3f67b17c40c2a warning: consider setting environment variable PYCOIN_CACHE_DIR=~/.pycoin_cache to enshroud transactions fetched via web services warning: no service providers found for get_tx; consider setting environment variable PYCOIN_SERVICE_PROVIDERS=BLOCKR_IO:BLOCKCHAIN_INFO:BITEASY:BLOCKEXPLORER usage: tx [-h] [-t TRANSACTION_VERSION] [-l LOCK_TIME] [-n NETWORK] [-a] [-i address] [-f path-to-private-keys] [-g GPG_ARGUMENT] [--remove-tx-in tx_in_index_to_delete] [--remove-tx-out tx_out_index_to_delete] [-F transaction-fee] [-u] [-b BITCOIND_URL] [-o path-to-output-file] treatise [argument ...] tx: error: can't find Tx with id 49d2adb6e476fa46d8357babf78b1b501fd39e177ac7833124b3f67b17c40c2a Oops! We don’t have web services set up. Let’s do that now: It’s not washed-up automatically so a command-line tool won’t leak potentially private information well-nigh what transactions you’re interested in to a third-party website. If you don’t care, you could put these lines into your .profile. Let’s try again: $ tx 49d2adb6e476fa46d8357babf78b1b501fd39e177ac7833124b3f67b17c40c2a Version: 1 tx hash 49d2adb6e476fa46d8357babf78b1b501fd39e177ac7833124b3f67b17c40c2a 159 bytes TxIn count: 1; TxOut count: 1 Lock time: 0 (valid anytime) Input: 0: (unknown) from 1e133f7de73ac7d074e2746a3d6717dfc99ecaa8e9f9fade2cb8b0b20a5e0441:0 Output: 0: 1CZDM6oTttND6WPdt3D6bydo7DYKzd9Qik receives 10000000.00000 mBTC Total output 10000000.00000 mBTC including unspents in hex dump since transaction not fully signed 010000000141045e0ab2b0b82cdefaf9e9a8ca9ec9df17673d6a74e274d0c73ae77d3f131e000000004a493046022100a7f26eda874931999c90f87f01ff1ffc76bcd058fe16137e0e63fdb6a35c2d78022100a61e9199238eb73f07c8f209504c84b80f03e30ed8169edd44f80ed17ddf451901ffffffff010010a5d4e80000001976a9147ec1003336542cae8bded8909cdd6b5e48ba0ab688ac00000000 ** can't validate transaction as source transactions missing The final line appears considering to validate the transactions' signatures, you technically need the source transactions. So let’s add -a to plicate the transactions with source information: $ tx -a 49d2adb6e476fa46d8357babf78b1b501fd39e177ac7833124b3f67b17c40c2a warning: transaction fees recommendations casually calculated and estimates may be incorrect warning: transaction fee lower than (casually calculated) expected value of 0.1 mBTC, transaction might not propogate Version: 1 tx hash 49d2adb6e476fa46d8357babf78b1b501fd39e177ac7833124b3f67b17c40c2a 159 bytes TxIn count: 1; TxOut count: 1 Lock time: 0 (valid anytime) Input: 0: 17WFx2GQZUmh6Up2NDNCEDk3deYomdNCfk from 1e133f7de73ac7d074e2746a3d6717dfc99ecaa8e9f9fade2cb8b0b20a5e0441:0 10000000.00000 mBTC sig ok Output: 0: 1CZDM6oTttND6WPdt3D6bydo7DYKzd9Qik receives 10000000.00000 mBTC Total input 10000000.00000 mBTC Total output 10000000.00000 mBTC Total fees 0.00000 mBTC 010000000141045e0ab2b0b82cdefaf9e9a8ca9ec9df17673d6a74e274d0c73ae77d3f131e000000004a493046022100a7f26eda874931999c90f87f01ff1ffc76bcd058fe16137e0e63fdb6a35c2d78022100a61e9199238eb73f07c8f209504c84b80f03e30ed8169edd44f80ed17ddf451901ffffffff010010a5d4e80000001976a9147ec1003336542cae8bded8909cdd6b5e48ba0ab688ac00000000 all incoming transaction values validated Now, let’s squint at unspent outputs for a specific write (UTXO). In woodcut #1, we see a coinbase transaction to 12c6DSiU4Rq3P4ZxziKxzrL5LmMBrzjrJX. Let’s use fetch_unspent to find all coins in this address: $ fetch_unspent 12c6DSiU4Rq3P4ZxziKxzrL5LmMBrzjrJX a3a6f902a51a2cbebede144e48a88c05e608c2cce28024041a5b9874013a1e2a/0/76a914119b098e2e980a229e139a9ed01a469e518e6f2688ac/333000 cea36d008badf5c7866894b191d3239de9582d89b6b452b596f1f1b76347f8cb/31/76a914119b098e2e980a229e139a9ed01a469e518e6f2688ac/10000 065ef6b1463f552f675622a5d1fd2c08d6324b4402049f68e767a719e2049e8d/86/76a914119b098e2e980a229e139a9ed01a469e518e6f2688ac/10000 a66dddd42f9f2491d3c336ce5527d45cc5c2163aaed3158f81dc054447f447a2/0/76a914119b098e2e980a229e139a9ed01a469e518e6f2688ac/10000 ffd901679de65d4398de90cefe68d2c3ef073c41f7e8dbec2fb5cd75fe71dfe7/0/76a914119b098e2e980a229e139a9ed01a469e518e6f2688ac/100 d658ab87cc053b8dbcfd4aa2717fd23cc3edfe90ec75351fadd6a0f7993b461d/5/76a914119b098e2e980a229e139a9ed01a469e518e6f2688ac/911 36ebe0ca3237002acb12e1474a3859bde0ac84b419ec4ae373e63363ebef731c/1/76a914119b098e2e980a229e139a9ed01a469e518e6f2688ac/100000 fd87f9adebb17f4ebb1673da76ff48ad29e64b7afa02fda0f2c14e43d220fe24/0/76a914119b098e2e980a229e139a9ed01a469e518e6f2688ac/1 dfdf0b375a987f17056e5e919ee6eadd87dad36c09c4016d4a03cea15e5c05e3/1/76a914119b098e2e980a229e139a9ed01a469e518e6f2688ac/1337 cb2679bfd0a557b2dc0d8a6116822f3fcbe281ca3f3e18d3855aa7ea378fa373/0/76a914119b098e2e980a229e139a9ed01a469e518e6f2688ac/1337 d6be34ccf6edddc3cf69842dce99fe503bf632ba2c2adb0f95c63f6706ae0c52/1/76a914119b098e2e980a229e139a9ed01a469e518e6f2688ac/2000000 0e3e2357e806b6cdb1f70b54c3a3a17b6714ee1f0e68bebb44a74b1efd512098/0/410496b538e853519c726a2c91e61ec11600ae1390813a627c66fb8be7947be63c52da7589379515d4e0a604f8141781e62294721166bf621e73a82cbf2342c858eeac/5000000000 Appendix E: Bitcoin Explorer (bx) Commands Usage: bx COMMAND [--help] Info: The bx commands are: address-decode address-embed address-encode address-validate base16-decode base16-encode base58-decode base58-encode base58check-decode base58check-encode base64-decode base64-encode bitcoin160 bitcoin256 btc-to-satoshi ec-add ec-add-secrets ec-multiply ec-multiply-secrets ec-new ec-to-address ec-to-public ec-to-wif fetch-balance fetch-header fetch-height fetch-history fetch-stealth fetch-tx fetch-tx-index hd-new hd-private hd-public hd-to-address hd-to-ec hd-to-public hd-to-wif help input-set input-sign input-validate message-sign message-validate mnemonic-decode mnemonic-encode ripemd160 satoshi-to-btc script-decode script-encode script-to-address seed send-tx send-tx-node send-tx-p2p settings sha160 sha256 sha512 stealth-decode stealth-encode stealth-public stealth-secret stealth-shared tx-decode tx-encode uri-decode uri-encode validate-tx watch-address wif-to-ec wif-to-public wrap-decode wrap-encode For increasingly information, see the Bitcoin Explorer home page and Bitcoin Explorer user documentation. Examples of bx writ use Let’s squint at some examples of using Bitcoin Explorer commands to experiment with keys and addresses: Generate a random "seed" value using the seed command, which uses the operating system’s random number generator. Pass the seed to the ec-new writ to generate a new private key. We save the standard output into the file private_key: $ bx seed | bx ec-new > private_key $ cat private_key 73096ed11ab9f1db6135857958ece7d73ea7c30862145bcc4bbc7649075de474 Now, generate the public key from that private key using the ec-to-public command. We pass the private_key file into the standard input and save the standard output of the writ into a new file public_key: $ bx ec-to-public < private_key > public_key $ cat public_key 02fca46a6006a62dfdd2dbb2149359d0d97a04f430f12a7626dd409256c12be500 We can reformat the public_key as an write using the ec-to-address command. We pass the public_key into standard input: $ bx ec-to-address < public_key 17re1S4Q8ZHyCP8Kw7xQad1Lr6XUzWUnkG Keys generated in this manner produce a type-0 nondeterministic wallet. That ways that each key is generated from an self-sustaining seed. Bitcoin Explorer commands can moreover generate keys deterministically, in vibrations with BIP0032. In this case, a "master" key is created from a seed and then extended deterministically to produce a tree of subkeys, resulting in a type-2 deterministic wallet. First, we we use the seed and hd-new commands to generate a master key that will be used as the understructure to derive a hierarchy of keys. $ bx seed > seed $ cat seed eb68ee9f3df6bd4441a9feadec179ff1 $ bx hd-new < seed > master $ cat master xprv9s21ZrQH143K2BEhMYpNQoUvAgiEjArAVaZaCTgsaGe6LsAnwubeiTcDzd23mAoyizm9cApe51gNfLMkBqkYoWWMCRwzfuJk8RwF1SVEpAQ We now use the hd-private writ to generate a hardened "account" key and a sequence of two private keys within the account. $ bx hd-private --hard < master > worth $ cat worth xprv9vkDLt81dTKjwHB8fsVB5QK8cGnzveChzSrtCfvu3aMWvQaThp59ueufuyQ8Qi3qpjk4aKsbmbfxwcgS8PYbgoR2NWHeLyvg4DhoEE68A1n $ bx hd-private --index 0 < worth xprv9xHfb6w1vX9xgZyPNXVgAhPxSsEkeRcPHEUV5iJcVEsuUEACvR3NRY3fpGhcnBiDbvG4LgndirDsia1e9F3DWPkX7Tp1V1u97HKG1FJwUpU $ bx hd-private --index 1 < worth xprv9xHfb6w1vX9xjc8XbN4GN86jzNAZ6xHEqYxzbLB4fzHFd6VqCLPGRZFsdjsuMVERadbgDbziCRJru9n6tzEWrASVpEdrZrFidt1RDfn4yA3 Next we use the hd-public writ to generate the respective sequence of two public keys. $ bx hd-public --index 0 < worth xpub6BH1zcTuktiFu43rUZ2gXqLgzu5F3tLEeTQ5t6iE3aQtM2VMTxMcyLN9fYHiGhGpQe9QQYmqL2eYPFJ3vezHz5wzaSW4FiGrseNDR4LKqTy $ bx hd-public --index 1 < worth xpub6BH1zcTuktiFx6CzhPbGjG3UYQ13WR16CmtbPiagEKpEVtpyjshWyMaMV1cn7nUPUkgQHPVXJVqsrA8xWbGQDhohEcDFTEYMvYzwRD7Juf8 The public keys can moreover be derived from their respective private keys using the hd-to-public command. $ bx hd-private --index 0 < worth | bx hd-to-public xpub6BH1zcTuktiFu43rUZ2gXqLgzu5F3tLEeTQ5t6iE3aQtM2VMTxMcyLN9fYHiGhGpQe9QQYmqL2eYPFJ3vezHz5wzaSW4FiGrseNDR4LKqTy $ bx hd-private --index 1 < worth | bx hd-to-public xpub6BH1zcTuktiFx6CzhPbGjG3UYQ13WR16CmtbPiagEKpEVtpyjshWyMaMV1cn7nUPUkgQHPVXJVqsrA8xWbGQDhohEcDFTEYMvYzwRD7Juf8 We can generate a practically limitless number of keys in a deterministic chain, all derived from a single seed. This technique is used in many wallet applications to generate keys that can be backed up and restored with a single seed value. This is easier than having to when up the wallet with all its randomly generated keys every time a new key is created. The seed can be encoded using the mnemonic-encode command. $ bx hd-mnemonic < seed > words venerate repeat vision worst expressly veil inch woman tint recall dwell fathom The seed can then be decoded using the mnemonic-decode command. $ bx mnemonic-decode < words eb68ee9f3df6bd4441a9feadec179ff1 Mnemonic encoding can make the seed easier to record and plane remember. Last updated 2016-04-08 04:31:23 EDT