Bitcoin client comparison


The first transaction pays millibitcoins to a P2SH output whose 2-of-2 multisig redeem script requires comparison from both Alice and Bob. Gox had filed for bankruptcy client in Japan amid reports that bitcoins had been stolen. If you are client to make a payment from one of these services to a BitPay invoice, and the payment hasn't been sent, we recommend contacting the institution's support services. Have there been other forks except the one? Bitcoin was to be accepted for ticket and concession sales at comparison game as part bitcoin the sponsorship, and the sponsorship itself was also paid for bitcoin bitcoin.


Hi Robert, Well, exchange wallets are probably the least secure. A simple contract could say that Charlie will spend satoshis to an output which can only be spent if Charlie and Bob both sign the input spending it. I have opened an account myself and recommend it. Retrieved 13 August Instead of pointing out the coinbase exception to each rule, we invite you to read about coinbase transactions in the block chain section of this guide. Petersburg Bowl game under a two-year deal, renamed the Bitcoin St.


All transactions, including the coinbase transaction, are encoded into blocks comparison binary rawtransaction format. One of the first supporters, adopters, client to bitcoin and receiver of the bitcoin bitcoin transaction was programmer Hal Finney. Comparison am sure you will give us an insight in this topic. When, some time later, Bob decides to spend the UTXO, he must create an bitcoin which references the transaction Alice created client its hash, called a Transaction Identifier (txid), and the bitcoin output she used by its index client output index. Accessed 8 January Each of the standard comparison scripts can be used as a P2SH redeem script, but in practice only the multisig pubkey script makes sense until more transaction types are made standard.


However if you trade fiat currencies it seems like that exchange rate is a lot higher. So it is advised only to trade altcoins on Changelly. Transaction flexibility, no buy fee, worldwide user base, public rating system. Local Bitcoins a clever operation that adds incredible flexibility to buying bitcoins. It brings buyers and sellers together in a marketplace. It is unique in that you can transact in almost any method thinkable including Paypal, wire transfer, Western Union, Webmoney or cash.

You can find some pretty good rates to buy bitcoin through the service with sellers all over the world looking to offload funds. Fees are dependent on which side of the transaction you sit. Coinbase extension, cheap fees, ether and litecoin support. GDAX is the sister trading exchange to the world famous Coinbase.

It benefits hugely from this close working relationship. Once funds are transferred across trading can begin. The backing of such a huge player makes GDAX one of the most trusted exchanges. Historically, funds have gone missing at least once but the customer support team were able to refund any losses. The exchange supports the big 3, bitcoin, ethereum and litecoin. Public owners, regulated, trustworthy.

Limited currency support, not yet a market leader. Gemini is seen as one of the most trustworthy legitimate bitcoin exchanges. Publicly developed by Tyler and Cameron Winklevoss, it is building an encouraging mark of public support since Primarily a US-based exchange, it still does not retain the same market cap as the top echelons but worldwide expansion looks set to change this through Fees are in line with market averages the only downside is minimal currency flexibility.

Just bitcoin and ether on offer here. They accept SEPA transfers too which are zero cost. For people living in Europe, this is probably the top choice, which makes me wonder why these reviews omit it. I used LocalBitCoins just recently. Good for emergency use but not very cost efficient. Binance is capable of processing 1. Trading fee is 0. My question is, why Mr. Steven spent so much time to type these prolong answers for others benefits without getting any consultation fee?

I believe all these Questions and Answers are typed by one person. I do get a consultation fee for answering these questions, so I hope that explains things and dispels any doubts. You will never get your money when you decide to withdraw. Their good ratings are fake. Hi Steven, Thank you for the useful info.

I'm an Austrian and living in Vietnam. And most of the exchanges don't accept Vietnamese to buy bitcoin. I'm not sure if with my citizenship I can get a Vietnam bank account and buy bitcoin or the bank needs to be out of Vietnam. Thank you very much. That does sound a little complicated. Usually in these cases, I recommend that people use the decentralized LocalBitcoins.

LocalBTC will help you find an individual to trade with and the site will also secure your trade with them. I would never blame anyone that has falling for this scums, think about it the world is already unsafe as it is. At the time all I could think of was save for a raining day after so much years of hard work.

Can't even believe I am saying this but after reading similar comments online I am more than happy to share this with all who care to read. Going back to Gt0ptions within 8 months hurdle after hurdle I had already invested over kGBP with profits and bonuses running into a total of just over kGBP, until now I was still oblivious to what was going until I attempted to make a withdrawal that was when my 5 months of trauma began certain Mr Greg Dalston kept pressuring me to invest more before I could make a withdrawal, dawning on me that my investment had just been lost and I had been lied I turned to a recovery service another set of crooks, you wouldn't believe they also had me another 70k GBP with the promise of recovering my funds from GT0ptions after 3 months of endless request for more money without any result I was hopeless and almost suicidal because my wife had no idea of this at all.

Just as I was about to lose all hope in life I came across GeminiHacks. For Filipino expats here in Qatar. I believe the best option will likely prove to be LocalBitcoins. You can look for people selling via your preferred payment method or put in your own bid with a specified payment method and amount.

I have done extensive research on Binance and concluded that it has the best fees and altcoins support.

I have opened an account myself and recommend it. Am Phillip from Uganda, Africa. I recently fell into a little money and i would like to start trading in Crypto currencies.

IO, Bittrex have all barred new users or setting up new user accounts. Can you kindly help recommend a safe, reputable and reliable platform which is still open for business that i can use to purchase Bitcoin or Ethereum?

Also i want to know about your attitude towards Bitsane. I opened up and account there and want to transfer my bitcoin there after purchase and exchange to other Alt coins. Lastly, is there any reputable general universal offline wallet one can use to store all Altcoins without having a separate wallet for each coin? Yes, Visa has shut down a whole lot of cryptocurrency-related services recently.

They are making it really hard to use your credit card for anything to do with Bitcoin. Have you checked out LocalBitcoins. This is a great site for finding a trading partner in your country. The site will also secure your trade with their escrow service, making it just as safe if not more so than using a regular exchange.

If you click the links further down for buying Bitcoins for cash in Kampala or Kajjansi, you will find many more cash sellers.

See my guide to buying Bitcoin with cash for more info:. They seem new and small. I found this forum thread on them which contains a little info but not really enough to make a judgement:.

Finally, there are wallets which can store multiple cryptocurrencies but no wallet which can store ALL altcoins there are about 1, listed on CoinMarketCap. For convenience and claiming forks, they can be very good. Sure, there are faster methods for purchase. One of the quickest and most private methods is to do a cash transaction. Please see our guide to cash purchases of Bitcoin here:. I am from India and am interested in trading crypto currencies.

Any recommendations for trading platforms best suited for indians where I can transfer cash directly from my bank account for buying currencies and then after selling the currencies I can withdraw the amount back into my bank account and trade in a variety of crypto currencies?

For Indian exchanges which accept bank transfers, I would recommend Unocoin. Once you have Bitcoin, you can exchange it for altcoins using a simplified and fast exchanger like Changelly. Best Regulated Option Trading Platforms: Few tips for good investment in Social Trading: You can use leverage like, 10x, 20x, 50x, x.. You can practice your manual as well as copy trades, to see your own performance. But, you can deposit 7 trade quickly after signing up, But, I would recommend to first verify your account to avoid any problems further in withdrawal.

They have good chat support. Here also, you need to verify your account, but, you are allowed to trade before it. I would recommend to use practice account first for some time before diving in with real money, to get familiar with the iqoptions platform. Thank you for this great review on the exchanges. Which exchanges would you recommend for safety and low fees in both markets?

An option which works in most countries for most payment methods is LocalBitcoins. As for Brazil, you have a lot more options. I have been following it for a few years now, but never made the leap. I very seldom hear complaints about them but many complaints about many other sites. They offer all the cryptos you mention and a few more. I purchased some bitcoin on coinbase and would like to exchange some into Pivx.

Bittrex is not taking any new customers, and Changelly and Binance does not exchange pivx. I used them for a single trade — BitCore in and Bitcoin out and experienced no problems.

At the time, there were no signup procedures on Cryptopia besides the usual email verification. Note that very low volume markets may not be very efficient in terms of trading for your desired price.

The site provides user ratings and information on Kenyan traders and handles the escrow third party holding of the coins until your deal goes through. After all the research, i cam across the est of the lot basis on security, volumes, no.

About the only thing you can use the USB stick for is backing up your wallet, either as a wallet. Keep in mind that anyone who finds the USB stick will then be able to access your wallet, unless you password-protect your wallet and, ideally, encrypt the USB drive too. For a proper, pluggable wallet solution, check out dedicated Hardware Wallets. While some of these resemble USB drives, they contain a lot of specialised hardware and software too which makes them uniquely suited to storing your coins securely:.

How did you find Shapeshift. Perhaps read a bit more on the subject of wallets and addresses, that should make things a lot clearer for you. Not too many exchanges are as simplified as Coinbase — but Coinbase is pretty evil so their convenience comes at a cost to the ecosystem. As you want to use fiat to purchase your altcoins, I would suggest Kraken.

Hi what about unocoin exchange review? Am from India and this is one of the reputed Bitcoin exchanges in India. I have heard nothing bad about Unocoin. Coinbase is the worst exchange…. It seems to be one of the higher-volume exchanges. My impression is that ItBit caters to very well-financed individuals, funds and companies. Compare their fees, prices, limits. Hey Steven, what are your thoughts on using IQ Option?

Is it a good company to use in purchasing Bitcoin and other crypto currencies. It just allows you to bet on the price movement of cryptos… I suggest buying actual cryptos and storing them in your personal wallet instead.

Check out our Wallet Reviews section for suitable wallets and Buying Guides for exchange options for various cryptos. Are there personal wallets for altcoins or you have to rely on a trading site or exchange? I mean specially the of the top10 cryptos. I have kept so far my btc and eth and ltc on coinbase, but now I want to store them out but also get some other coins specially some with very low prices and hold them long term safely.

Just about every altcoin has its own personal wallet, yes. I am from India and I have used many exchanges like bitfinex, bitrex, binance, zebpay. Out of which binance have lowest fee structure. Go for it if you are retail investors. Hi Ravinder, can you help me with invitation code for Bitfinex. I want to create account but they are asking for invitation code. Hi, Instead use Binance, move your cryptos there and freely do the trading.

Binance has only 0. Please use my ref to sign up: Which exchange do you suggest: Do you get killed with fees? Are these exchanges available to NY state residents because I heard some are not unless approved? Is this a common issue? Thanks for any and all help. GDAX I avoid because Coinbase made such a fuss about fees — to the extent of supporting the disastrous NYA — but have done nothing to integrate SegWit, which would greatly reduce fees across the network….

Bitfinex had some minor hack which saw my funds locked up there for a very stressful week or so. So yeah, no exchange is perfect. Best to just use them for trading and store your coins yourself, preferably on a hardware wallet!

I am in California. If I use an offshore exchange, will the IRS eventually be able to tax me on capital gains? Increasingly, offshore banks are also cooperating with the IRS. Trying to hide transactions from the IRS is a really stupid thing to do. If you succeed, you save a little bit of money. When not if they catch up with you, penalties greatly exceed any tax you might have evaded, plus you risk going to prison.

So I am new to bitcoin and have coinbase. I have been playing the free apps and faucets and have earned bucks in the past few months. I just started and buying and have noticed a discrepancy when buying and selling bitcoin.

Is this common among all of these exchanges? If you want to buy or sell at the lowest spread possible, then you should trade the actual market.

Are those exchange only for popular coins or they also support a broad range of altcoins. If not, which one would suit my needs? The hardest part of getting into cryptocurrency is the stage of converting fiat money into cryptocurrency. Full exchanges like Poloniex or simplified exchanges like Changelly are great for this purpose, and offer a wide variety of altcoins.

Hi Can you do a write up on how to create secure paper wallets. I'm still not feeling good about keeping my cryptos on exchanges. An article on securing cryptos will be a good guide for some of us. Especially the coins that we want to buy and hold. Hi Peekay, we already have a guide about how to create a safe paper wallet, please refer to this one: Hello, I am very much a newbie. I live in Oregon, USA.

Can you suggest a good bitcoin company or two for someone who lives where I do? I want to buy like dollars worth as an investment and just see how it does. Then, I will plan further. I also then need to get some kind of virtual wallet to keep them in. Hi, probably it is best to read through the reviews we have about the different exchanges and try to pick one which suits your needs the best. Here you can read more about the different wallet types: Hey, how come you think that kraken has a good reputation?

If you ever used the platform yourself, you should know, that you can call yourself lucky if an order goes through as expected! I have had so many issues with kraken, that I can not list them all. Orders not executing, have to try multiple times to get an order through and even then I might just end up with a tiny portion 0. And as soon as there is a little bit more price movement, the whole trading website is down and not accessible like on 10,11,12 Nov Totally agree with Sven's comments.

User experience is terrible on Kraken. Sometimes I think they are front running my orders why they are mysteriously rejected or fail. Often it takes a minute or more to cancel my order. I really wonder why they refuse to improve website speed and also get Error whenever activity increases.

It does have decent volume though which is why I put up with this shit. Hi Thanks for the article… But I would think it could be better if you include criteria you used to actually review these specific exchanges?

For example… why Gemini. Hi Tamer thanks for the feedback. WU and MoneyGram varies. Bitstamp Trading Platform Transaction fee varies between 0. Kraken Trading Platform Transaction fees vary between 0.

Luno Trading Platform 0. BitBay Trading Platform 0. Highly respected and good reputation, low transaction fees. Nick on January 29,

When ready to spend satoshis, fill in the output details and save the unsigned transaction generated by the wallet to removable media.

Offline: Open the unsigned transaction in the offline instance, review the output details to make sure they spend the correct amount to the correct address. This prevents malware on the online wallet from tricking the user into signing a transaction which pays an attacker. After review, sign the transaction and save it to removable media.

Online: Open the signed transaction in the online instance so it can broadcast it to the peer-to-peer network.

The primary advantage of offline wallets is their possibility for greatly improved security over full-service wallets.

The primary disadvantage of offline wallets is hassle. For maximum security, they require the user dedicate a device to only offline tasks. The offline device must be booted up whenever funds are to be spent, and the user must physically copy data from the online device to the offline device and back.

Hardware wallets are devices dedicated to running a signing-only wallet.

Hardware: Create parent private and public keys. Connect hardware wallet to a networked device so it can get the parent public key.

Networked: As you would with a full-service wallet, distribute public keys to receive payment. When ready to spend satoshis, fill in the transaction details, connect the hardware wallet, and click Spend. The networked wallet will automatically send the transaction details to the hardware wallet.

Some hardware wallets may prompt for a passphrase or PIN number. The hardware wallet signs the transaction and uploads it to the networked wallet.

Networked: The networked wallet receives the signed transaction from the hardware wallet and broadcasts it to the network.

The primary advantage of hardware wallets is their possibility for greatly improved security over full-service wallets with much less hassle than offline wallets.

The primary disadvantage of hardware wallets is their hassle. Even though the hassle is less than that of offline wallets, the user must still purchase a hardware wallet device and carry it with them whenever they need to make a transaction using the signing-only wallet. An additional (hopefully temporary) disadvantage is that, as of this writing, very few popular wallet programs support hardware wallets, although almost all popular wallet programs have announced their intention to support at least one model of hardware wallet.

Wallet programs which run in difficult-to-secure environments, such as webservers, can be designed to distribute public keys (including P2PKH or P2SH addresses) and nothing more. There are two common ways to design these minimalist wallets:

Pre-populate a database with a number of public keys or addresses, and then distribute on request a pubkey script or address using one of the database entries. To avoid key reuse, webservers should keep track of used keys and never run out of public keys. This can be made easier by using parent public keys as suggested in the next method.

Use a parent public key to create child public keys. This can be a database entry for each key distributed or an incrementing pointer to the key index number. Neither method adds a significant amount of overhead, especially if a database is used anyway to associate each incoming payment with a separate public key for payment tracking. See the Payment Processing section for details.

Bitcoin wallets at their core are a collection of private keys.

These collections are stored digitally in a file, or can even be physically stored on pieces of paper. Private keys are what are used to unlock satoshis from a particular address. In Bitcoin, a private key in standard format is simply a bit number, between the values:. In order to make copying of private keys less prone to error, Wallet Import Format may be utilized.

WIF uses Base58Check encoding on a private key, greatly decreasing the chance of copying error, much like standard Bitcoin addresses.

1. Take a private key.
2. Add a 0x80 byte in front of it for mainnet addresses or 0xef for testnet addresses.
3. Append a 0x01 byte after it if it should be used with compressed public keys (described in a later subsection). Nothing is appended if it is used with uncompressed public keys.
4. Convert the result from a byte string into a Base58 string using Base58Check encoding.

The process is easily reversible, using the Base58 decoding function, and removing the padding.

Mini private key format is a method for encoding a private key in under 30 characters, enabling keys to be embedded in a small physical space, such as physical bitcoin tokens, and more damage-resistant QR codes.
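The WIF procedure described above (before the mini private key format), as an added Python example that is not part of the original guide. It also implements the reverse direction and rejects mistyped or malformed input; the function names are hypothetical, the range check uses the secp256k1 group order, and the sample key is a widely published test vector that must never hold funds.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# secp256k1 group order: a valid private key is an integer in 1 .. N-1.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
PREFIX = {"mainnet": 0x80, "testnet": 0xEF}


def _checksum(payload: bytes) -> bytes:
    """First four bytes of SHA-256(SHA-256(payload)), as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(payload: bytes) -> str:
    data = payload + _checksum(payload)
    num, out = int.from_bytes(data, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    # Each leading zero byte is written as the digit '1'.
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def b58check_decode(text: str) -> bytes:
    num = 0
    for ch in text:
        if ch not in B58:
            raise ValueError(f"not a Base58 character: {ch!r}")
        num = num * 58 + B58.index(ch)
    zeros = len(text) - len(text.lstrip("1"))
    data = b"\x00" * zeros + num.to_bytes((num.bit_length() + 7) // 8, "big")
    payload, check = data[:-4], data[-4:]
    if len(data) < 5 or _checksum(payload) != check:
        raise ValueError("Base58Check checksum mismatch (typo or corruption)")
    return payload


def wif_encode(key: bytes, compressed: bool = True, network: str = "mainnet") -> str:
    """Steps 1-4: prefix byte, optional 0x01 suffix, Base58Check."""
    if len(key) != 32 or not 0 < int.from_bytes(key, "big") < N:
        raise ValueError("private key must be 32 bytes in the range 1 .. N-1")
    suffix = b"\x01" if compressed else b""
    return b58check_encode(bytes([PREFIX[network]]) + key + suffix)


def wif_decode(wif: str):
    """Return (key, compressed, network); reject anything malformed."""
    payload = b58check_decode(wif)
    networks = {value: name for name, value in PREFIX.items()}
    if payload[0] not in networks:
        raise ValueError("unknown WIF prefix byte")
    body = payload[1:]
    if len(body) == 33 and body[-1] == 0x01:
        key, compressed = body[:32], True
    elif len(body) == 32:
        key, compressed = body, False
    else:
        raise ValueError("unexpected WIF payload length")
    if not 0 < int.from_bytes(key, "big") < N:
        raise ValueError("decoded key is outside the valid range")
    return key, compressed, networks[payload[0]]


# Public test vector (constructed input for this example); never fund it.
TEST_KEY = bytes.fromhex(
    "0c28fca386c7a227600b2fe50b7cae11ec86d3bf1fbe471be89827e19d72aa1d"
)

if __name__ == "__main__":
    for compressed in (False, True):
        wif = wif_encode(TEST_KEY, compressed)
        print(compressed, wif, wif_decode(wif)[0] == TEST_KEY)
```

A single mistyped character fails the four-byte checksum, so `wif_decode` raises instead of returning a different key.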

In order to determine if a mini private key is well-formatted, a question mark is added to the private key. The SHA hash is calculated. This key restriction acts as a typo-checking mechanism.

A user brute forces the process using random numbers until a well-formatted mini private key is produced. In order to derive the full private key , the user simply takes a single SHA hash of the original mini private key.

This process is one-way: A common tool to create and redeem these keys is the Casascius Bitcoin Address Utility. In their traditional uncompressed form, public keys contain an identification byte, a byte X coordinate, and a byte Y coordinate. Secpk1 actually modulos coordinates by a large prime, which produces a field of non-contiguous integers and a significantly less clear plot, although the principles are the same.

No data is lost by creating these compressed public keys —only a small amount of CPU is necessary to reconstruct the Y coordinate and access the uncompressed public key. Both uncompressed and compressed public keys are described in official secpk1 documentation and supported by default in the widely-used OpenSSL library. However, Bitcoin Core prior to 0. This creates a few complications, as the hashed form of an uncompressed key is different than the hashed form of a compressed key, so the same key works with two different P2PKH addresses.

For this reason, Bitcoin Core uses several different identifier bytes to help programs identify how keys should be used:.

Private keys meant to be used with compressed public keys have 0x01 appended to them before being Base encoded.

See the private key encoding section above. These prefix bytes are all used in official secpk1 documentation. The hierarchical deterministic key creation and transfer protocol HD protocol greatly simplifies wallet backups, eliminates the need for repeated communication between multiple programs using the same wallet , permits creation of child accounts which can operate independently, gives each parent account the ability to monitor or control its children even if the child account is compromised, and divides each account into full-access and restricted-access parts so untrusted users or programs can be allowed to receive or monitor payments without being able to spend them.

The HD protocol takes advantage of the ECDSA public key creation function, point, which takes a large integer (the private key) and turns it into a graph point (the public key): This child public key is the same public key which would be created by the point function if you added the i value to the original parent private key and then found the remainder of that sum divided by a global constant used by all Bitcoin software (p):

This means that two or more independent programs which agree on a sequence of integers can create a series of unique child key pairs from a single parent key pair without any further communication.

Moreover, the program which distributes new public keys for receiving payment can do so without any access to the private keys , allowing the public key distribution program to run on a possibly-insecure platform such as a public web server. Child public keys can also create their own child public keys grandchild public keys by repeating the child key derivation operations:. Whether creating child public keys or further-descended public keys , a predictable sequence of integer values would be no better than using a single public key for all transactions, as anyone who knew one child public key could find all of the other child public keys created from the same parent public key.

Instead, a random seed can be used to deterministically generate the sequence of integer values so that the relationship between the child public keys is invisible to anyone without that seed. The HD protocol uses a single root seed to create a hierarchy of child, grandchild, and other descended keys with unlinkable deterministically-generated integer values.

The parent chain code is bits of seemingly-random data. The index number is a bit integer specified by the program.

In the normal form shown in the above illustration, the parent chain code , the parent public key , and the index number are fed into a one-way cryptographic hash HMAC-SHA to produce bits of deterministically-generated-but-seemingly-random data. The seemingly-random bits on the righthand side of the hash output are used as a new child chain code.

The seemingly-random bits on the lefthand side of the hash output are used as the integer value to be combined with either the parent private key or parent public key to, respectively, create either a child private key or child public key:.

Specifying different index numbers will create different unlinkable child keys from the same parent keys. Repeating the procedure for the child keys using the child chain code will create unlinkable grandchild keys.

Because creating child keys requires both a key and a chain code , the key and chain code together are called the extended key. An extended private key and its corresponding extended public key have the same chain code. The top-level parent master private key and master chain code are derived from random data, as illustrated below.

A root seed is created from either bits, bits, or bits of random data. This root seed of as little as bits is the only data the user needs to back up in order to derive every key created by a particular wallet program using particular settings.

As of this writing, HD wallet programs are not expected to be fully compatible, so users must only use the same HD wallet program with the same HD-related settings for a particular root seed. The root seed is hashed to create bits of seemingly-random data, from which the master private key and master chain code are created together, the master extended private key. The master public key is derived from the master private key using point , which, together with the master chain code , is the master extended public key.

The master extended keys are functionally equivalent to other extended keys ; it is only their location at the top of the hierarchy which makes them special. Hardened extended keys fix a potential problem with normal extended keys. If an attacker gets a normal parent chain code and parent public key , he can brute-force all chain codes deriving from it.

If the attacker also obtains a child, grandchild, or further-descended private key , he can use the chain code to generate all of the extended private keys descending from that private key , as shown in the grandchild and great-grandchild generations of the illustration below. Perhaps worse, the attacker can reverse the normal child private key derivation formula and subtract a parent chain code from a child private key to recover the parent private key , as shown in the child and parent generations of the illustration above.

For this reason, the chain code part of an extended public key should be better secured than standard public keys and users should be advised against exporting even non-extended private keys to possibly-untrustworthy environments. This can be fixed, with some tradeoffs, by replacing the normal key derivation formula with a hardened key derivation formula.

The normal key derivation formula, described in the section above, combines together the index number, the parent chain code , and the parent public key to create the child chain code and the integer value which is combined with the parent private key to create the child private key.

The hardened formula, illustrated above, combines together the index number, the parent chain code , and the parent private key to create the data used to generate the child chain code and child private key.

This formula makes it impossible to create child public keys without knowing the parent private key. Because of that, a hardened extended private key is much less useful than a normal extended private key —however, hardened extended private keys create a firewall through which multi-level key derivation compromises cannot happen. Because hardened child extended public keys cannot generate grandchild chain codes on their own, the compromise of a parent extended public key cannot be combined with the compromise of a grandchild private key to create great-grandchild extended private keys.

The HD protocol uses different index numbers to indicate whether a normal or hardened key should be generated. Index numbers from 0x00 to 0x7fffffff (0 to 2^31 - 1) will generate a normal key; index numbers from 0x to 0xffffffff will generate a hardened key. Bitcoin developers typically use the ASCII apostrophe rather than the Unicode prime symbol, a convention we will henceforth follow. This compact description is further combined with slashes prefixed by m or M to indicate hierarchy and key type, with m being a private key and M being a public key.
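The normal and hardened derivation described above, as an added pure-Python example that is not part of the original guide. It shows a child public key derived from the extended public key alone, and why a leaked normal child private key together with the parent extended public key must be treated as a compromise of the parent private key, while a hardened child does not have that property. The seed is constructed, the function names are hypothetical, and the `Bitcoin seed` HMAC key and the 0x80000000 hardened threshold are taken from BIP32.

```python
import hashlib
import hmac

# secp256k1 parameters: field prime P, group order N, generator G.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000  # first hardened index (BIP32)

def point_add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def point(k):
    """The guide's point(): private key integer -> public key point."""
    result, addend = None, G
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def ser_pub(pt):
    """Compressed public key: 0x02/0x03 prefix plus the 32-byte X coordinate."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def _split(chain_code, data):
    """HMAC-SHA512, split into (left half as integer, right half as chain code)."""
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]

def master_from_seed(seed):
    """Master private key and chain code (BIP32's invalid-key checks omitted)."""
    return _split(b"Bitcoin seed", seed)

def ckd_priv(k_par, c_par, i):
    """Child private key; hardened indexes hash the parent *private* key."""
    if i >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big")
    else:
        data = ser_pub(point(k_par))
    il, c_child = _split(c_par, data + i.to_bytes(4, "big"))
    return (il + k_par) % N, c_child

def ckd_pub(K_par, c_par, i):
    """Child public key from the extended public key alone (normal only)."""
    if i >= HARDENED:
        raise ValueError("hardened children cannot be derived from a public key")
    il, c_child = _split(c_par, ser_pub(K_par) + i.to_bytes(4, "big"))
    return point_add(point(il), K_par), c_child

def parent_from_leaked_child(k_child, K_par, c_par, i):
    """The reversal the text warns about: recompute the hash-derived integer
    from the extended public key and subtract it from the child private key."""
    il, _ = _split(c_par, ser_pub(K_par) + i.to_bytes(4, "big"))
    return (k_child - il) % N

# Constructed sample seed, not a real wallet.
SEED = hashlib.sha256(b"constructed demo seed").digest()[:16]

def demo():
    m, c = master_from_seed(SEED)
    M = point(m)
    k_norm, _ = ckd_priv(m, c, 0)
    k_hard, _ = ckd_priv(m, c, HARDENED)
    return {
        "public_derivation_matches": ckd_pub(M, c, 0)[0] == point(k_norm),
        "normal_leak_exposes_parent":
            parent_from_leaked_child(k_norm, M, c, 0) == m,
        "hardened_leak_exposes_parent":
            parent_from_leaked_child(k_hard, M, c, HARDENED) == m,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```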

The following hierarchy illustrates prime notation and hardened key firewalls. Wallets following the BIP32 HD protocol only create hardened children of the master private key m to prevent a compromised child key from compromising the master key.

As there are no normal children for the master keys, the master public key is not used in HD wallets. All other keys can have normal children, so the corresponding extended public keys may be used instead. The HD protocol also describes a serialization format for extended public keys and extended private keys. For details, please see the wallet section in the developer reference or BIP32 for the full HD protocol specification.

Root seeds in the HD protocol are , , or bits of random data which must be backed up precisely. To make it more convenient to use non-digital backup methods, such as memorization or hand-copying, BIP39 defines a method for creating a bit root seed from a pseudo-sentence mnemonic of common natural-language words which was itself created from to bits of entropy and optionally protected by a password. The passphrase can be of any length.

It is simply appended to the mnemonic pseudo-sentence, and then both the mnemonic and password are hashed 2, times using HMAC-SHA, resulting in a seemingly-random bit seed. Because any input to the hash function creates a seemingly-random bit seed, there is no fundamental way to prove the user entered the correct password, possibly allowing the user to protect a seed even when under duress. For implementation details, please see BIP If the wallet is encrypted, new keys are only generated while the wallet is unlocked.

If a new key pair set is generated, used, and then lost prior to a backup, the stored satoshis are likely lost forever. Many older-style mobile wallets followed a similar format, but only generated a new private key upon user demand.

This wallet type is being actively phased out and discouraged from being used due to the backup hassle.

Payment processing encompasses the steps spenders and receivers perform to make and accept payments in exchange for products or services. The basic steps have not changed since the dawn of commerce, but the technology has. This section will explain how receivers and spenders can, respectively, request and make payments using Bitcoin—and how they can deal with complications such as refunds and recurrent rebilling.

The following subsections will each address the three common steps and the three occasional or optional steps. It is worth mentioning that each of these steps can be outsourced by using third party APIs and services.

Because of exchange rate variability between satoshis and national currencies (fiat), many Bitcoin orders are priced in fiat but paid in satoshis, necessitating a price conversion. Several organizations also aggregate data from multiple exchanges to create index prices, which are also available using HTTP-based APIs. Any applications which automatically calculate order totals using exchange rate data must take steps to ensure the price quoted reflects the current general market value of satoshis, or the applications could accept too few satoshis for the product or service being sold.

Alternatively, they could ask for too many satoshis, driving away potential spenders. To minimize problems, your applications may want to collect data from at least two separate sources and compare them to see how much they differ. If the difference is substantial, your applications can enter a safe mode until a human is able to evaluate the situation. You may also want to program your applications to enter a safe mode if exchange rates are rapidly increasing or decreasing, indicating a possible problem in the Bitcoin market which could make it difficult to spend any satoshis received today.

Exchange rates lie outside the control of Bitcoin and related technologies, so there are no new or planned technologies which will make it significantly easier for your program to correctly convert order totals from fiat into satoshis.

Because the exchange rate fluctuates over time, order totals pegged to fiat must expire to prevent spenders from delaying payment in the hope that satoshis will drop in price. Most widely-used payment processing systems currently expire their invoices after 10 to 20 minutes. Shorter expiration periods increase the chance the invoice will expire before payment is received, possibly necessitating manual intervention to request an additional payment or to issue a refund.

Longer expiration periods increase the chance that the exchange rate will fluctuate a significant amount before payment is received.

Before requesting payment, your application must create a Bitcoin address, or acquire an address from another program such as Bitcoin Core. Bitcoin addresses are described in detail in the Transactions section. Also described in that section are two important reasons to avoid using an address more than once—but a third reason applies especially to payment requests:

Using a separate address for each incoming payment makes it trivial to determine which customers have paid their payment requests.

Your applications need only track the association between a particular payment request and the address used in it, and then scan the block chain for transactions matching that address. The next subsections will describe in detail the following four compatible ways to give the spender the address and amount to be paid. For increased convenience and compatibility, providing all of these options in your payment requests is recommended. All wallet software lets its users paste in or manually enter an address and amount into a payment screen.

This is, of course, inconvenient—but it makes an effective fallback option. Almost all desktop wallets can associate with bitcoin: URIs, so spenders can click a link to pre-fill the payment screen. This also works with many mobile wallets, but it generally does not work with web-based wallets unless the spender installs a browser extension or manually configures a URI handler.

Most mobile wallets support scanning bitcoin: URIs encoded in a QR code, and almost all wallets can display them for accepting payment. While also handy for online orders, QR Codes are especially useful for in-person purchases.

Special care must be taken to avoid the theft of incoming payments. To specify an amount directly for copying and pasting, you must provide the address, the amount, and the denomination. An expiration time for the offer may also be specified. Indicating the denomination is critical. Choosing between each unit is widely supported, but other software also lets its users select denomination amounts from some or all of the following options:

The URI scheme defined in BIP21 eliminates denomination confusion and saves the spender from copying and pasting two separate values. It also lets the payment request provide some additional information to the spender.

Only the address is required, and if it is the only thing specified, wallets will pre-fill a payment request with it and let the spender enter an amount. The amount specified is always in decimal bitcoins (BTC).

Two other parameters are widely supported. The message parameter is generally used to describe the payment request to the spender. Both the label and the message must be URI encoded.

All four parameters used together, with appropriate URI encoding, can be seen in the line-wrapped example below. The URI scheme can be extended, as will be seen in the payment protocol section below, with both new optional and required parameters.
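An added example, not code from the original guide: building and parsing a bitcoin: URI that carries the address, amount, label and message, with the URI encoding described above. The address is a constructed placeholder and the function names are hypothetical; rejecting unknown `req-` parameters follows BIP21.

```python
import re
from decimal import Decimal
from urllib.parse import quote, unquote

SATOSHIS_PER_BTC = Decimal(100_000_000)
# Constructed placeholder, NOT a valid Bitcoin address.
EXAMPLE_ADDRESS = "1ExamplePlaceholderAddressXXXXXXXX"
# Plain decimal BTC with at most 8 fractional digits (one-satoshi resolution).
AMOUNT_RE = re.compile(r"[0-9]+(\.[0-9]{1,8})?")


def build_uri(address, satoshis=None, label=None, message=None):
    """Return a bitcoin: URI; the amount is rendered in decimal BTC."""
    params = []
    if satoshis is not None:
        if not isinstance(satoshis, int) or satoshis <= 0:
            raise ValueError("amount must be a positive integer of satoshis")
        # Decimal keeps the satoshi-to-BTC conversion exact; floats would round.
        btc = Decimal(satoshis) / SATOSHIS_PER_BTC
        params.append("amount=" + format(btc, "f"))
    if label is not None:
        params.append("label=" + quote(label, safe=""))
    if message is not None:
        params.append("message=" + quote(message, safe=""))
    return "bitcoin:" + address + ("?" + "&".join(params) if params else "")


def parse_uri(uri):
    """Parse a bitcoin: URI into a dict, failing closed on anything ambiguous."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "bitcoin":
        raise ValueError("not a bitcoin: URI")
    address, _, query = rest.partition("?")
    if not address:
        raise ValueError("the address is required")
    request = {"address": address, "satoshis": None,
               "label": None, "message": None, "r": None}
    for pair in filter(None, query.split("&")):
        key, _, raw = pair.partition("=")
        value = unquote(raw)
        if key == "amount":
            # Reject signs, exponents, sub-satoshi digits and stray characters.
            if not AMOUNT_RE.fullmatch(value):
                raise ValueError("malformed amount")
            satoshis = int(Decimal(value) * SATOSHIS_PER_BTC)
            if satoshis <= 0:
                raise ValueError("amount must be positive")
            request["satoshis"] = satoshis
        elif key in ("label", "message", "r"):
            request[key] = value
        elif key.startswith("req-"):
            # A required parameter this code does not understand: refuse to pay.
            raise ValueError("unsupported required parameter: " + key)
        # Any other unknown parameter is optional and ignored.
    return request


if __name__ == "__main__":
    uri = build_uri(EXAMPLE_ADDRESS, 50000, "Bob's Widgets", "Order #1234")
    print(uri)
    print(parse_uri(uri))
```

The parsed label and message come from whoever produced the URI, so a wallet should display them as untrusted text next to the address and amount when it asks the user to approve the payment.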

Programs accepting URIs in any form must ask the user for permission before paying unless the user has explicitly disabled prompting as might be the case for micropayments. QR codes are a popular way to exchange bitcoin: URIs in person, in images, or in videos. Most mobile Bitcoin wallet apps, and some desktop wallets, support scanning QR codes to pre-fill their payment screens. The figure below shows the same bitcoin: The QR code can include the label and message parameters—and any other optional parameters—but they were omitted here to keep the QR code small and easy to scan with unsteady or low-resolution mobile cameras.

The error correction is combined with a checksum to ensure the Bitcoin QR code cannot be successfully decoded with data missing or accidentally altered, so your applications should choose the appropriate level of error correction based on the space you have available to display the code. Low-level damage correction works well when space is limited, and quartile-level damage correction helps ensure fast scanning when displayed on high-resolution screens.

The payment protocol adds many important features to payment requests:

Allows spenders to submit transactions directly to receivers without going through the peer-to-peer network. This can speed up payment processing and work with planned features such as child-pays-for-parent transaction fees and offline NFC or Bluetooth-based payments. To request payment using the payment protocol, you use an extended but backwards-compatible bitcoin: The r parameter tells payment-protocol-aware wallet programs to ignore the other parameters and fetch a PaymentRequest from the URL provided.

An example CGI program and description of all the parameters which can be used in the Payment Protocol is provided in the Developer Examples Payment Protocol subsection. In this subsection, we will briefly describe in story format how the Payment Protocol is typically used. Charlie, the client, is shopping on a website run by Bob, the businessman. An order total in satoshis, perhaps created by converting prices in fiat to prices in satoshis.

A pubkey script to which Charlie should send payment. URI for Charlie to click to pay. Charlie clicks on the bitcoin: URI in his browser. The unique public key created for the payment request can be used to create a unique identifier.

It then creates a PaymentDetails message with the following information:. The amount of the order in satoshis and the pubkey script to be paid. The time the PaymentDetails message was created plus the time it expires. That PaymentDetails message is put inside a PaymentRequest message. The Payment Protocol has been designed to allow other signing methods in the future. Among other things, the Payment message contains:. In the case of a dispute, Charlie can generate a cryptographically-proven receipt out of the various signed or otherwise-proven information.

The Bitcoin block chain can prove that the pubkey script specified by Bob was paid the specified number of satoshis. See the Refunds section below for more details. A malicious spender can create one transaction that pays the receiver and a second one that pays the same input back to himself. Only one of these transactions will be added to the block chain, and nobody can say for sure which one it will be. Two or more transactions spending the same input are commonly referred to as a double spend.

Once the transaction is included in a block, double spends are impossible without modifying block chain history to replace the transaction, which is quite difficult. Using this system, the Bitcoin protocol can give each of your transactions an updating confidence score based on the number of blocks which would need to be modified to replace a transaction.

For each block, the transaction gains one confirmation. Since modifying blocks is quite difficult, higher confirmation scores indicate greater protection. The transaction has been broadcast but is still not included in any block.

Zero confirmation transactions (unconfirmed transactions) should generally not be trusted without risk analysis. Although miners usually confirm the first transaction they receive, fraudsters may be able to manipulate the network into including their version of a transaction. The transaction is included in the latest block and double-spend risk decreases dramatically. Transactions which pay sufficient transaction fees need 10 minutes on average to receive one confirmation.

However, the most recent block gets replaced fairly often by accident, so a double spend is still a real possibility. The most recent block was chained to the block which includes the transaction. As of March , two block replacements were exceedingly rare, and a two block replacement attack was impractical without expensive mining equipment. The network has spent about an hour working to protect the transaction against double spends and the transaction is buried under six blocks.

Even a reasonably lucky attacker would require a large percentage of the total network hashing power to replace six blocks. Although this number is somewhat arbitrary, software handling high-value transactions, or otherwise at risk for fraud, should wait for at least six confirmations before treating a payment as accepted. Bitcoin Core provides several RPCs which can provide your program with the confirmation score for transactions in your wallet or arbitrary transactions.

For example, the listunspent RPC provides an array of every satoshi you can spend along with its confirmation score. Although confirmations provide excellent double-spend protection most of the time, there are at least three cases where double-spend risk analysis can be required: In the case when the program or its user cannot wait for a confirmation and wants to accept unconfirmed payments. In the case when the program or its user is accepting high value transactions and cannot wait for at least six confirmations or more.

In the case of an implementation bug or prolonged attack against Bitcoin which makes the system less reliable than expected. An interesting source of double-spend risk analysis can be acquired by connecting to large numbers of Bitcoin peers to track how transactions and blocks differ from each other. Some third-party APIs can provide you with this type of service. For example, unconfirmed transactions can be compared among all connected peers to see if any UTXO is used in multiple unconfirmed transactions, indicating a double-spend attempt, in which case the payment can be refused until it is confirmed.

Another example could be to detect a fork when multiple peers report differing block header hashes at the same block height. Your program can go into a safe mode if the fork extends for more than two blocks, indicating a possible problem with the block chain. For more details, see the Detecting Forks subsection.
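The two peer-comparison checks described above, as an added example that is not part of the original guide. The data structures, function names and sample identifiers are constructed for illustration; the only value taken from the text is the "more than two blocks" fork threshold.

```python
from collections import defaultdict


def find_double_spends(peer_mempools):
    """Return {outpoint: [txids]} for every output spent by 2+ unconfirmed txs.

    peer_mempools maps a peer name to the unconfirmed transactions it relayed:
    {peer: {txid: [(previous_txid, output_index), ...]}}.
    """
    spenders = defaultdict(set)
    for transactions in peer_mempools.values():
        for txid, inputs in transactions.items():
            for outpoint in inputs:
                spenders[outpoint].add(txid)
    return {op: sorted(txids) for op, txids in spenders.items() if len(txids) > 1}


def payment_is_conflicted(payment_txid, peer_mempools):
    """True if the payment shares an input with another unconfirmed transaction."""
    conflicts = find_double_spends(peer_mempools)
    return any(payment_txid in txids for txids in conflicts.values())


def fork_depth(peer_headers):
    """Longest run of consecutive heights at which peers report different hashes.

    peer_headers maps a peer name to {block_height: header_hash}.
    """
    seen = defaultdict(set)
    for headers in peer_headers.values():
        for height, header_hash in headers.items():
            seen[height].add(header_hash)
    disputed = sorted(h for h, hashes in seen.items() if len(hashes) > 1)
    longest = run = 0
    previous = None
    for height in disputed:
        run = run + 1 if previous is not None and height == previous + 1 else 1
        longest = max(longest, run)
        previous = height
    return longest


def should_enter_safe_mode(peer_headers, max_fork_blocks=2):
    """Stop automatic acceptance once a fork extends past max_fork_blocks."""
    return fork_depth(peer_headers) > max_fork_blocks


# Constructed sample data: peer-c relays a second spend of output ("funding", 0).
SAMPLE_MEMPOOLS = {
    "peer-a": {"tx-pay-merchant": [("funding", 0)], "tx-other": [("unrelated", 1)]},
    "peer-b": {"tx-pay-merchant": [("funding", 0)]},
    "peer-c": {"tx-pay-self": [("funding", 0)], "tx-other": [("unrelated", 1)]},
}
# Constructed sample data: the peers disagree at heights 101 to 103.
SAMPLE_HEADERS = {
    "peer-a": {100: "h100", 101: "h101-a", 102: "h102-a", 103: "h103-a"},
    "peer-b": {100: "h100", 101: "h101-b", 102: "h102-b", 103: "h103-b"},
}

if __name__ == "__main__":
    print(find_double_spends(SAMPLE_MEMPOOLS))
    print(payment_is_conflicted("tx-pay-merchant", SAMPLE_MEMPOOLS))
    print(fork_depth(SAMPLE_HEADERS), should_enter_safe_mode(SAMPLE_HEADERS))
```

Both checks are only as good as the peer set: if every connected peer is controlled by the same party, neither the conflicting spend nor the competing chain will be visible.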

Another good source of double-spend protection can be human intelligence. For example, fraudsters may act differently from legitimate customers, letting savvy merchants manually flag them as high risk.

Your program can provide a safe mode which stops automatic payment acceptance on a global or per-customer basis. Occasionally receivers using your applications will need to issue refunds. The obvious way to do that, which is very unsafe, is simply to return the satoshis to the pubkey script from which they came.

Alice wants to buy a widget from Bob, so Bob gives Alice a price and Bitcoin address. Alice opens her wallet program and sends some satoshis to that address. Bob discovers Alice paid too many satoshis. Being an honest fellow, Bob refunds the extra satoshis to the mjSk… address. Now the refund is an unintentional donation to the company behind the centralized wallet, unless Alice opens a support ticket and proves those satoshis were meant for her. This leaves receivers only two correct ways to issue refunds:

If an address was copy-and-pasted or a basic bitcoin: URI was used, contact the spender directly and ask them to provide a refund address. Many receivers worry that their satoshis will be less valuable in the future than they are now, called foreign exchange forex risk. If your application provides this business logic, it will need to choose which outputs to spend first. There are a few different algorithms which can lead to different results.

A merge avoidance algorithm makes it harder for outsiders looking at block chain data to figure out how many satoshis the receiver has earned, spent, and saved. When a receiver receives satoshis in an output, the spender can track in a crude way how the receiver spends those satoshis.

This is called a merge, and the more a receiver merges outputs, the easier it is for an outsider to track how many satoshis the receiver has earned, spent, and saved.

Merge avoidance means trying to avoid spending unrelated outputs in the same transaction. For persons and businesses which want to keep their transaction data secret from other people, it can be an important strategy. A crude merge avoidance strategy is to try to always pay with the smallest output you have which is larger than the amount being requested. For example, if you have four outputs holding, respectively, , , , and satoshis , you would pay a bill for satoshis with the satoshi output.

This way, as long as you have outputs larger than your bills, you avoid merging. More advanced merge avoidance strategies largely depend on enhancements to the payment protocol which will allow payers to avoid merging by intelligently distributing their payments among multiple outputs provided by the receiver.

Since recent outputs are at the greatest risk of being double-spent, spending them before older outputs allows the spender to hold on to older confirmed outputs which are much less likely to be double-spent. If you spend an output from one unconfirmed transaction in a second transaction, the second transaction becomes invalid if transaction malleability changes the first transaction.

In either of the above cases, the receiver of the second transaction will see the incoming transaction notification disappear or turn into an error message. However, after just a few blocks , a point of rapidly diminishing returns is reached. FIFO does have a small advantage when it comes to transaction fees , as older outputs may be eligible for inclusion in the 50, bytes set aside for no-fee-required high-priority transactions by miners running the default Bitcoin Core codebase.

However, with transaction fees being so low, this is not a significant advantage. The only practical use of FIFO is by receivers who spend all or most of their income within a few blocks, and who want to reduce the chance of their payments becoming accidentally invalid.

Automated recurring payments are not possible with decentralized Bitcoin wallets. Even if a wallet supported automatically sending non-reversible payments on a regular schedule, the user would still need to start the program at the appointed time, or leave it running all the time unprotected by encryption.

This means automated recurring Bitcoin payments can only be made from a centralized server which handles satoshis on behalf of its spenders. In practice, receivers who want to set prices in fiat terms must also let the same centralized server choose the appropriate exchange rate. Non-automated rebilling can be managed by the same mechanism used before credit-card recurring payments became common: In the future, extensions to the payment protocol and new wallet features may allow some wallet programs to manage a list of recurring transactions.

The spender will still need to start the program on a regular basis and authorize payment—but it should be easier and more secure for the spender than clicking an emailed invoice, increasing the chance receivers get paid on time.

Currently there are two primary methods of validating the block chain as a client: Full nodes and SPV clients. Other methods, such as server-trusting methods, are not discussed as they are not recommended. This security model assures the validity of the block chain by downloading and validating blocks from the genesis block all the way to the most recently discovered block.

Due to the computational difficulty required to generate a new block at the tip of the chain, the ability to fool a full node becomes very expensive after 6 confirmations. An alternative approach detailed in the original Bitcoin paper is a client that only downloads the headers of blocks during the initial syncing process and then requests transactions from full nodes as needed.

This scales linearly with the height of the block chain at only 80 bytes per block header , or up to 4. As described in the white paper, the merkle root in the block header along with a merkle branch can prove to the SPV client that the transaction in question is embedded in a block in the block chain.

This does not guarantee validity of the transactions that are embedded. Instead it demonstrates the amount of work required to perform a double-spend attack. The SPV client knows the merkle root and associated transaction information, and requests the respective merkle branch from a full node. Once the merkle branch has been retrieved, proving the existence of the transaction in the block, the SPV client can then look to block depth as a proxy for transaction validity and security.

The cost of an attack on a user by a malicious node who inserts an invalid transaction grows with the cumulative difficulty built on top of that block, since the malicious node alone will be mining this forged chain. If implemented naively, an SPV client has a few important weaknesses. First, while the SPV client can not be easily fooled into thinking a transaction is in a block when it is not, the reverse is not true.

A full node can simply lie by omission, leading an SPV client to believe a transaction has not occurred. This can be considered a form of Denial of Service. One mitigation strategy is to connect to a number of full nodes, and send the requests to each node.

However this can be defeated by network partitioning or Sybil attacks, since identities are essentially free, and can be bandwidth intensive. Care must be taken to ensure the client is not cut off from honest nodes. Second, the SPV client only requests transactions from full nodes corresponding to keys it owns. If the SPV client downloads all blocks and then discards unneeded ones, this can be extremely bandwidth intensive. If they simply ask full nodes for blocks with specific transactions, this allows full nodes a complete view of the public addresses that correspond to the user.

This is a large privacy leak, and allows for tactics such as denial of service for clients, users, or addresses that are disfavored by those running full nodes, as well as trivial linking of funds.

A client could simply spam many fake transaction requests, but this creates a large strain on the SPV client, and can end up defeating the purpose of thin clients altogether.
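The merkle branch check described above, as an added example that is not code from the original guide. It uses a plain list of sibling hashes rather than the partial merkle tree encoding of the merkleblock message, the function names are hypothetical, and the transaction ids are constructed sample values.

```python
import hashlib


def dsha256(data):
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root_and_branch(txids, index):
    """Full-node side: return (merkle root, branch) for txids[index].

    txids are 32-byte hashes in internal byte order. When a level has an odd
    number of nodes, Bitcoin pairs the last node with itself.
    """
    if not 0 <= index < len(txids):
        raise IndexError("transaction index outside the block")
    level, branch = list(txids), []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        branch.append(level[index ^ 1])  # the sibling of our node at this level
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], branch


def verify_branch(txid, index, branch, header_merkle_root):
    """SPV side: recompute the root from the txid and the supplied branch.

    The bits of index say whether our node is the left (0) or right (1) child
    at each level. A match proves inclusion in the block whose header carries
    header_merkle_root; it says nothing about whether the transaction is valid.
    """
    node = txid
    for sibling in branch:
        node = dsha256(sibling + node) if index & 1 else dsha256(node + sibling)
        index >>= 1
    return node == header_merkle_root


def confirmations(tip_height, block_height):
    """Block depth the SPV client uses as its proxy for security."""
    return max(0, tip_height - block_height + 1)


# Constructed sample block of five transaction ids (not real transactions).
SAMPLE_TXIDS = [dsha256(b"constructed tx %d" % i) for i in range(5)]

if __name__ == "__main__":
    root, branch = merkle_root_and_branch(SAMPLE_TXIDS, 2)
    print("branch length:", len(branch))
    print("included:", verify_branch(SAMPLE_TXIDS[2], 2, branch, root))
    forged = dsha256(b"transaction that is not in the block")
    print("forged accepted:", verify_branch(forged, 2, branch, root))
```

The root passed to `verify_branch` must come from a header the client has already checked for proof of work and chain membership; a branch verified against a root supplied by the same untrusted peer proves nothing.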

To mitigate the latter issue, Bloom filters have been implemented as a method of obfuscation and compression of block data requests. A Bloom filter is a space-efficient probabilistic data structure that is used to test membership of an element. The data structure achieves great data compression at the expense of a prescribed false positive rate. A Bloom filter starts out as an array of n bits all set to 0. A set of k random hash functions is chosen, each of which outputs a single integer between the range of 1 and n.

When adding an element to the Bloom filter, the element is hashed k times separately, and for each of the k outputs, the corresponding Bloom filter bit at that index is set to 1.

Querying of the Bloom filter is done by using the same hash functions as before. If all k bits accessed in the bloom filter are set to 1, this demonstrates with high probability that the element lies in the set.

Clearly, the k indices could have been set to 1 by the addition of a combination of other elements in the domain, but the parameters allow the user to choose the acceptable false positive rate. Removal of elements can only be done by scrapping the bloom filter and re-creating it from scratch.

Rather than viewing the false positive rates as a liability, it is used to create a tunable parameter that represents the desired privacy level and bandwidth trade-off. An SPV client creates their Bloom filter and sends it to a full node using the message filterload, which sets the filter for which transactions are desired. The command filteradd allows addition of desired data to the filter without needing to send a totally new Bloom filter, and filterclear allows the connection to revert to standard block discovery mechanisms.

If the filter has been loaded, then full nodes will send a modified form of blocks, called a merkle block. The merkle block is simply the block header with the merkle branch associated with the set Bloom filter.

An SPV client can not only add transactions as elements to the filter, but also public keys, data from signature scripts and pubkey scripts, and more. This enables P2SH transaction finding. If a user is more privacy-conscious, he can set the Bloom filter to include more false positives, at the expense of extra bandwidth used for transaction discovery. If a user is on a tight bandwidth budget, he can set the false-positive rate to low, knowing that this will allow full nodes a clear view of what transactions are associated with his client.
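An added example, not code from the original guide, that makes the privacy and bandwidth trade-off measurable: a Bloom filter sized from an element count and a target false-positive rate, using the sizing formulas and murmur3 seeding of BIP37. The element values are constructed stand-ins for key hashes, and `observed_rates` is a hypothetical helper.

```python
import hashlib
import math

MASK = 0xFFFFFFFF


def _rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK


def murmur3_32(data, seed):
    """MurmurHash3 (x86, 32-bit), the hash BIP37 specifies."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK
    rounded = len(data) & ~3
    for i in range(0, rounded, 4):
        k = int.from_bytes(data[i:i + 4], "little")
        k = _rotl((k * c1) & MASK, 15) * c2 & MASK
        h = (_rotl(h ^ k, 13) * 5 + 0xE6546B64) & MASK
    tail = data[rounded:]
    if tail:
        k = int.from_bytes(tail, "little")
        h ^= _rotl((k * c1) & MASK, 15) * c2 & MASK
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK
    return h ^ (h >> 16)


class BloomFilter:
    MAX_BYTES, MAX_HASHES = 36000, 50  # protocol limits from BIP37

    def __init__(self, n_elements, fp_rate, tweak=0):
        size = int(-1 / (math.log(2) ** 2) * n_elements * math.log(fp_rate) / 8)
        self.bits = bytearray(max(1, min(size, self.MAX_BYTES)))
        k = int(len(self.bits) * 8 / n_elements * math.log(2))
        self.n_hashes = max(1, min(k, self.MAX_HASHES))
        self.tweak = tweak

    def _indexes(self, element):
        for i in range(self.n_hashes):
            seed = (i * 0xFBA4C795 + self.tweak) & MASK
            yield murmur3_32(element, seed) % (len(self.bits) * 8)

    def add(self, element):
        for idx in self._indexes(element):
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def __contains__(self, element):
        return all(self.bits[idx >> 3] & (1 << (idx & 7))
                   for idx in self._indexes(element))


def observed_rates(fp_rate, n_elements=50, probes=2000):
    """Return (filter bytes, false negatives, measured false-positive rate)."""
    bloom = BloomFilter(n_elements, fp_rate)
    # Constructed 20-byte values standing in for the wallet's own key hashes.
    own = [hashlib.sha256(b"wallet key %d" % i).digest()[:20] for i in range(n_elements)]
    for element in own:
        bloom.add(element)
    missed = sum(element not in bloom for element in own)
    # Constructed values standing in for other users' data seen by the full node.
    others = [hashlib.sha256(b"other key %d" % i).digest()[:20] for i in range(probes)]
    matched = sum(element in bloom for element in others)
    return len(bloom.bits), missed, matched / probes


if __name__ == "__main__":
    for rate in (0.2, 0.001):
        size, missed, measured = observed_rates(rate)
        print(f"target {rate}: {size} bytes, {missed} missed, measured {measured:.4f}")
```

With the loose setting roughly one in five unrelated elements also matches, which is the cover traffic that hides the wallet's own keys; with the tight setting nearly every match the full node sees belongs to the client.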

Used in most Android wallets. Bloom filters were standardized for use via BIP Review the BIP for implementation details. There are future proposals such as Unspent Transaction Output (UTXO) commitments in the block chain to find a more satisfactory middle-ground for clients between needing a complete copy of the block chain, or trusting that a majority of your connected peers are not lying.

UTXO commitments would enable a very secure client using a finite amount of storage using a data structure that is authenticated in the block chain. These types of proposals are, however, in very early stages, and will require soft forks in the network.

Until these types of operating modes are implemented, modes should be chosen based on the likely threat model, computing and bandwidth constraints, and liability in bitcoin value.

The Bitcoin network protocol allows full nodes (peers) to collaboratively maintain a peer-to-peer network for block and transaction exchange. Full nodes download and verify every block and transaction prior to relaying them to other nodes. Archival nodes are full nodes which store the entire blockchain and can serve historical blocks to other nodes.

Pruned nodes are full nodes which do not store the entire blockchain. Many SPV clients also use the Bitcoin network protocol to connect to full nodes.

Consensus rules do not cover networking, so Bitcoin programs may use alternative networks and protocols, such as the high-speed block relay network used by some miners and the dedicated transaction information servers used by some wallets that provide SPV-level security.

To provide practical examples of the Bitcoin peer-to-peer network, this section uses Bitcoin Core as a representative full node and BitcoinJ as a representative SPV client. Both programs are flexible, so only default behavior is described. The response to the lookup should include one or more DNS A records with the IP addresses of full nodes that may accept new incoming connections.

For example, using the Unix dig command:. The DNS seeds are maintained by Bitcoin community members: In either case, nodes are added to the DNS seed if they run on the default Bitcoin ports of for mainnet or for testnet.

For this reason, programs should not rely on DNS seeds exclusively. Once a program has connected to the network, its peers can begin to send it addr (address) messages with the IP addresses and port numbers of other peers on the network, providing a fully decentralized method of peer discovery.

Bitcoin Core keeps a record of known peers in a persistent on-disk database which usually allows it to connect directly to those peers on subsequent startups without having to use DNS seeds. However, peers often leave the network or change IP addresses, so programs may need to make several different connection attempts at startup before a successful connection is made. This can add a significant delay to the amount of time it takes to connect to the network, forcing a user to wait before sending a transaction or checking the status of payment.

Bitcoin Core also tries to strike a balance between minimizing delays and avoiding unnecessary DNS seed use: Both Bitcoin Core and BitcoinJ also include a hardcoded list of IP addresses and port numbers to several dozen nodes which were active around the time that particular version of the software was first released.

Bitcoin Core will start attempting to connect to these nodes if none of the DNS seed servers have responded to a query within 60 seconds, providing an automatic fallback option. As a manual fallback option, Bitcoin Core also provides several command-line connection options, including the ability to get a list of peers from a specific node by IP address, or to make a persistent connection to a specific node by IP address.

See the -help text for details. BitcoinJ can be programmed to do the same thing. Connecting to a peer is done by sending a version message, which contains your version number, block, and current time to the remote node. The remote node responds with its own version message. Then both nodes send a verack message to the other node to indicate the connection has been established.

Once connected, the client can send to the remote node getaddr and addr messages to gather additional peers. In order to maintain a connection with a peer, nodes by default will send a message to peers before 30 minutes of inactivity.

If 90 minutes pass without a message being received by a peer, the client will assume that connection has closed. Before a full node can validate unconfirmed transactions and recently-mined blocks, it must download and validate all blocks from block 1 (the block after the hardcoded genesis block) to the current tip of the best block chain.

In this case, a node can use the IBD method to download all the blocks which were produced since the last time it was online. Bitcoin Core uses the IBD method any time the last block on its local best block chain has a block header time more than 24 hours in the past. Bitcoin Core up until version 0. The goal is to download the blocks from the best block chain in sequence. The first time a node is started, it only has a single block in its local best block chain —the hardcoded genesis block block 0.

This node chooses a remote peer, called the sync node, and sends it the getblocks message illustrated below. In the header hashes field of the getblocks message, this new node sends the header hash of the only block it has, the genesis block (6fe2… in internal byte order). It also sets the stop hash field to all zeroes to request a maximum-size response. Upon receipt of the getblocks message, the sync node takes the first and only header hash and searches its local best block chain for a block with that header hash.

It finds that block 0 matches, so it replies with block inventories the maximum response to a getblocks message starting from block 1. It sends these inventories in the inv message illustrated below. Inventories are unique identifiers for information on the network. Each inventory contains a type field and the unique identifier for an instance of the object. The block inventories appear in the inv message in the same order they appear in the block chain , so this first inv message contains inventories for blocks 1 through For example, the hash of block 1 is … as seen in the illustration above.

The IBD node uses the received inventories to request blocks from the sync node in the getdata message illustrated below. Upon receipt of the getdata message, the sync node replies with each of the blocks requested. Each block is put into serialized block format and sent in a separate block message.

The first block message sent (for block 1) is illustrated below. When it has requested every block for which it has an inventory, it sends another getblocks message to the sync node requesting the inventories of up to more blocks. This second getblocks message contains multiple header hashes as illustrated below:

Upon receipt of the second getblocks message, the sync node searches its local best block chain for a block that matches one of the header hashes in the message, trying each hash in the order they were received.

If it finds a matching hash, it replies with block inventories starting with the next block from that point. But if there is no matching hash (besides the stopping hash), it assumes the only block the two nodes have in common is block 0 and so it sends an inv starting with block 1 (the same inv message seen several illustrations above).

This fork detection becomes increasingly useful the closer the IBD node gets to the tip of the block chain. When the IBD node receives the second inv message, it will request those blocks using getdata messages. The sync node will respond with block messages. Then the IBD node will request more inventories with another getblocks message—and the cycle will repeat until the IBD node is synced to the tip of the block chain. At that point, the node will accept blocks sent through the regular block broadcasting described in a later subsection.

The primary advantage of blocks-first IBD is its simplicity. The primary disadvantage is that the IBD node relies on a single sync node for all of its downloading.

This has several implications:

All requests are made to the sync node, so if the sync node has limited upload bandwidth, the IBD node will have slow download speeds.

The sync node can send a non-best but otherwise valid block chain to the IBD node. Bitcoin Core ships with several block chain checkpoints at various block heights selected by developers to help an IBD node detect that it is being fed an alternative block chain history, allowing the IBD node to restart its download earlier in the process.

Closely related to the download restarts, if the sync node sends a non-best but otherwise valid block chain, the chain will be stored on disk, wasting space and possibly filling up the disk drive with useless data.

Orphan blocks are stored in memory while they await validation, which may lead to high memory use.

All of these problems are addressed in part or in full by the headers-first IBD method used in Bitcoin Core 0. The table below summarizes the messages mentioned throughout this subsection. The links in the message field will take you to the reference page for that message.

The goal is to download the headers for the best header chain, partially validate them as best as possible, and then download the corresponding blocks in parallel.

This solves several problems with the older blocks-first IBD method. In the header hashes field of the getheaders message, the new node sends the header hash of the only block it has, the genesis block (6fe2… in internal byte order).

Upon receipt of the getheaders message, the sync node takes the first and only header hash and searches its local best block chain for a block with that header hash. It finds that block 0 matches, so it replies with 2, header the maximum response starting from block 1. It sends these header hashes in the headers message illustrated below. The IBD node can partially validate these block headers by ensuring that all fields follow consensus rules and that the hash of the header is below the target threshold according to the nBits field.
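The partial header check described above can be sketched as follows. This is an added example, not code from the original page or from Bitcoin Core; the function names are this example's own, and the embedded bytes are the genesis block header in serialized form.

```python
import hashlib
import struct

# Bitcoin genesis block header (80 bytes), embedded so the example runs offline.
GENESIS_HEADER = bytes.fromhex(
    "01000000" + "00" * 32 +
    "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"
    "29ab5f49" "ffff001d" "1dac2b7c"
)

def header_hash(header: bytes) -> bytes:
    """Double SHA-256 of the serialized header, in internal byte order."""
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()

def nbits_to_target(nbits: int) -> int:
    """Expand the compact nBits encoding into the 256-bit target threshold."""
    if nbits & 0x00800000:          # sign bit set: negative target, never valid
        return 0
    exponent, mantissa = nbits >> 24, nbits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))

def check_header(header: bytes, expected_prev: bytes) -> list:
    """Return a list of problems; an empty list means the partial checks passed."""
    if len(header) != 80:
        return ["header is not 80 bytes"]
    # Fields: version, previous hash, merkle root, time, nBits, nonce.
    _ver, prev, _merkle, _time, nbits, _nonce = struct.unpack("<I32s32sIII", header)
    problems = []
    if prev != expected_prev:
        problems.append("previous-block hash does not link to our chain")
    target = nbits_to_target(nbits)
    # The header hash is interpreted as a little-endian 256-bit integer.
    if target == 0 or int.from_bytes(header_hash(header), "little") > target:
        problems.append("hash is above the target encoded in nBits")
    return problems

if __name__ == "__main__":
    # The genesis block has an all-zero previous-block hash.
    print(header_hash(GENESIS_HEADER).hex())
    print(check_header(GENESIS_HEADER, bytes(32)))
```

A complete implementation also verifies that nBits equals the difficulty expected at that height, which requires the preceding headers and is outside what a single header can prove.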

Full validation still requires all transactions from the corresponding block. After the IBD node has partially validated the block headers, it can do two things in parallel:

Those headers can be immediately validated and another batch requested repeatedly until a headers message is received from the sync node with fewer than 2, headers, indicating that it has no more headers to offer.

