Anyone can run a node: you just download the Bitcoin software for free and leave a certain port open (the drawback is that it consumes energy and storage space; the network at the time of writing takes up about GB). Nodes spread bitcoin transactions around the network. One node will send information to a few nodes that it knows, which will relay the information to nodes that they know, and so on. That way it ends up getting around the whole network pretty quickly.

Mining nodes group outstanding transactions into blocks and add them to the blockchain. How do they do this? By solving a complex mathematical puzzle that is part of the bitcoin program, and including the answer in the block. The puzzle that needs solving is to find a number that, when combined with the data in the block and passed through a hash function, produces a result that is within a certain range. This is much harder than it sounds.

How do they find this number? By guessing at random. The hash function makes it impossible to predict what the output will be. So, miners guess the mystery number and apply the hash function to the combination of that guessed number and the data in the block. The resulting hash has to start with a pre-established number of zeroes. The first miner to get a resulting hash within the desired range announces its victory to the rest of the network.

All the other miners immediately stop work on that block and start trying to figure out the mystery number for the next one. As a reward for its work, the victorious miner gets some new bitcoin.

At the time of writing, the reward is There are a lot of mining nodes competing for that reward, and it is a question of luck and computing power (the more guessing calculations you can perform, the luckier you are). Also, the costs of being a mining node are considerable, not only because of the powerful hardware needed (if you have a faster processor than your competitors, you have a better chance of finding the correct number before they do), but also because of the large amounts of electricity that running these processors consumes.

And the number of bitcoins awarded as a reward for solving the puzzle will decrease. The difficulty of the calculation (the required number of zeroes at the beginning of the hash string) is adjusted frequently, so that it takes on average about 10 minutes to process a block. That is the amount of time that the bitcoin developers think is necessary for a steady and diminishing flow of new coins until the maximum number of 21 million is reached (expected some time in There is still so much more to explain about the system, but at least now you have an idea of the broad outline of the genius of the programming and the concept.

For the first time we have a system that allows for convenient digital transfers in a decentralized, trust-free and tamper-proof way. The repercussions could be huge. Authored by Noelle Acheson. You can even estimate the probability that a given hash attempt will generate a number below the target threshold. Bitcoin assumes a linear probability that the lower it makes the target threshold , the more hash attempts on average will need to be tried.

New blocks will only be added to the block chain if their hash is at least as challenging as a difficulty value expected by the consensus protocol. Every 2, blocks, the network uses timestamps stored in each block header to calculate the number of seconds elapsed between generation of the first and last of those last 2, blocks. The ideal value is 1,, seconds (two weeks). Because each block header must hash to a value below the target threshold, and because each block is linked to the block that preceded it, it requires on average as much hashing power to propagate a modified block as the entire Bitcoin network expended between the time the original block was created and the present time.

Any Bitcoin miner who successfully hashes a block header to a value below the target threshold can add the entire block to the block chain (assuming the block is otherwise valid). These blocks are commonly addressed by their block height, the number of blocks between them and the first Bitcoin block (block 0, most commonly known as the genesis block). For example, block is where difficulty could have first been adjusted. Multiple blocks can all have the same block height, as is common when two or more miners each produce a block at roughly the same time.

This creates an apparent fork in the block chain , as shown in the illustration above. When miners produce simultaneous blocks at the end of the block chain , each node individually chooses which block to accept.

In the absence of other considerations, discussed below, nodes usually use the first block they see. Eventually a miner produces another block which attaches to only one of the competing simultaneously-mined blocks. This makes that side of the fork stronger than the other side. Assuming a fork only contains valid blocks , normal peers always follow the most difficult chain to recreate and throw away stale blocks belonging to shorter forks. Stale blocks are also sometimes called orphans or orphan blocks, but those terms are also used for true orphan blocks without a known parent block.

Long-term forks are possible if different miners work at cross-purposes, such as some miners diligently working to extend the block chain at the same time other miners are attempting a 51 percent attack to revise transaction history.

Since multiple blocks can have the same height during a block chain fork, block height should not be used as a globally unique identifier. Instead, blocks are usually referenced by the hash of their header (often with the byte order reversed, and in hexadecimal). Every block must include one or more transactions. The first one of these transactions must be a coinbase transaction, also called a generation transaction, which should collect and spend the block reward, comprising a block subsidy and any transaction fees paid by transactions included in this block.

The UTXO of a coinbase transaction has the special condition that it cannot be spent (used as an input) for at least blocks. This temporarily prevents a miner from spending the transaction fees and block reward from a block that may later be determined to be stale, and therefore the coinbase transaction destroyed, after a block chain fork.

Blocks are not required to include any non- coinbase transactions , but miners almost always do include additional transactions in order to collect their transaction fees.

All transactions, including the coinbase transaction, are encoded into blocks in binary rawtransaction format. The rawtransaction format is hashed to create the transaction identifier (txid). From these txids, the merkle tree is constructed by pairing each txid with one other txid and then hashing them together. If there are an odd number of txids, the txid without a partner is hashed with a copy of itself. The resulting hashes themselves are each paired with one other hash and hashed together.

Any hash without a partner is hashed with itself. The process repeats until only one hash remains, the merkle root. For example, if transactions were merely joined (not hashed), a five-transaction merkle tree would look like the following text diagram:

As discussed in the Simplified Payment Verification (SPV) subsection, the merkle tree allows clients to verify for themselves that a transaction was included in a block by obtaining the merkle root from a block header and a list of the intermediate hashes from a full peer.

The full peer does not need to be trusted: If the five transactions in this block were all at the maximum size, downloading the entire block would require over , bytes—but downloading three hashes plus the block header requires only bytes.

If identical txids are found within the same block, there is a possibility that the merkle tree may collide with a block with some or all duplicates removed, due to how unbalanced merkle trees are implemented (duplicating the lone hash).

Since it is impractical to have separate transactions with identical txids , this does not impose a burden on honest software, but must be checked if the invalid status of a block is to be cached; otherwise, a valid block with the duplicates eliminated could have the same merkle root and block hash, but be rejected by the cached invalid outcome, resulting in security bugs such as CVE To maintain consensus , all full nodes validate blocks using the same consensus rules.
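The merkle construction above, the SPV branch a full peer hands out, and the duplicate-txid collision the last two paragraphs warn about, as one added example that is not code from the original page. The txids are constructed sample hashes, not real transactions; the pairing, lone-hash duplication and double-SHA-256 follow the rules the text describes.

```python
import hashlib


def double_sha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def _pad(level):
    # A lone hash at the end of a level is paired with a copy of itself.
    return level + [level[-1]] if len(level) % 2 else level


def _next_level(level):
    level = _pad(level)
    return [double_sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(txids):
    """Bitcoin merkle root over a list of 32-byte txids."""
    if not txids:
        raise ValueError("a block contains at least one transaction")
    level = list(txids)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_branch(txids, index):
    """The intermediate hashes an SPV client needs to verify txids[index]
    against the merkle root: one sibling hash per level of the tree."""
    branch, level = [], list(txids)
    while len(level) > 1:
        level = _pad(level)
        branch.append(level[index ^ 1])   # sibling of our position
        index //= 2
        level = _next_level(level)
    return branch


def verify_branch(txid, index, branch, root):
    """Recompute the root from a txid, its index and the branch; the full peer
    supplying the branch is not trusted, the header's root is."""
    h = txid
    for sibling in branch:
        h = double_sha256(sibling + h) if index & 1 else double_sha256(h + sibling)
        index >>= 1
    return h == root


def has_duplicate_txids(txids):
    """The check the text says must precede caching an invalid verdict:
    a block with duplicated txids can share a root with its deduplicated twin."""
    return len(set(txids)) != len(txids)


# Constructed sample txids (not real transactions).
SAMPLE_TXIDS = [hashlib.sha256(f"constructed tx {i}".encode()).digest() for i in range(5)]

if __name__ == "__main__":
    root = merkle_root(SAMPLE_TXIDS)
    branch = merkle_branch(SAMPLE_TXIDS, 4)
    print("five txids need", len(branch), "intermediate hashes; verifies:",
          verify_branch(SAMPLE_TXIDS[4], 4, branch, root))
    a, b, c = SAMPLE_TXIDS[:3]
    print("[a,b,c] and [a,b,c,c] share a root:", merkle_root([a, b, c]) == merkle_root([a, b, c, c]))
```

Run it and the last line prints True: that equality is exactly the collision the text attributes to duplicating the lone hash, and why a node must look at the transaction list, not only the root, before caching a block as invalid.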

However, sometimes the consensus rules are changed to introduce new features or prevent network abuse. When the new rules are implemented, there will likely be a period of time when non-upgraded nodes follow the old rules and upgraded nodes follow the new rules, creating two possible ways consensus can break:

1. A block following the new consensus rules is accepted by upgraded nodes but rejected by non-upgraded nodes. For example, a new transaction feature is used within a block:

2. A block violating the new consensus rules is rejected by upgraded nodes but accepted by non-upgraded nodes. For example, an abusive transaction feature is used within a block:

In the first case, rejection by non-upgraded nodes, mining software which gets block chain data from those non-upgraded nodes refuses to build on the same chain as mining software getting data from upgraded nodes.

This creates permanently divergent chains, one for non-upgraded nodes and one for upgraded nodes, called a hard fork. In the second case, rejection by upgraded nodes, the block chain need not permanently diverge as long as upgraded nodes control a majority of the hash rate; this is called a soft fork. Although a fork is an actual divergence in block chains, changes to the consensus rules are often described by their potential to create either a hard or soft fork. Consensus rule changes may be activated in various ways. Multiple soft forks such as BIP30 have been activated via a flag day where the new rule began to be enforced at a preset time or block height.

Such forks activated via a flag day are known as User Activated Soft Forks (UASF), as they depend on having sufficient users (nodes) to enforce the new rules after the flag day. Once the signalling threshold has been passed, all nodes will begin enforcing the new rules.

BIP50 describes both an accidental hard fork, resolved by temporarily downgrading the capabilities of upgraded nodes, and an intentional hard fork when the temporary downgrade was removed. A document from Gavin Andresen outlines how future rule changes may be implemented. Non-upgraded nodes may use and distribute incorrect information during both types of forks, creating several situations which could lead to financial loss.

In particular, non-upgraded nodes may relay and accept transactions that are considered invalid by upgraded nodes and so will never become part of the universally-recognized best block chain.

Non-upgraded nodes may also refuse to relay blocks or transactions which have already been added to the best block chain , or soon will be, and so provide incomplete information.

Bitcoin Core includes code that detects a hard fork by looking at block chain proof of work. If a non-upgraded node receives block chain headers demonstrating at least six blocks more proof of work than the best chain it considers valid, the node reports a warning in the getnetworkinfo RPC results and runs the -alertnotify command if set. Full nodes can also check block and transaction version numbers.

Bitcoin Core reports this situation through the getnetworkinfo RPC and -alertnotify command if set. SPV clients should also monitor for block and transaction version number increases to ensure they process received transactions and create new transactions using the current consensus rules. Transactions let users spend satoshis.

Each transaction is constructed out of several parts which enable both simple direct payments and complex transactions. This section will describe each part and demonstrate how to use them together to build complete transactions. To keep things simple, this section pretends coinbase transactions do not exist. Instead of pointing out the coinbase exception to each rule, we invite you to read about coinbase transactions in the block chain section of this guide.

The figure above shows the main parts of a Bitcoin transaction. Each transaction has at least one input and one output. Each input spends the satoshis paid to a previous output. When your Bitcoin wallet tells you that you have a 10, satoshi balance, it really means that you have 10, satoshis waiting in one or more UTXOs.

Each transaction is prefixed by a four-byte transaction version number which tells Bitcoin peers and miners which set of rules to use to validate it. This lets developers create new rules for future transactions without invalidating previous transactions. An output has an implied index number based on its location in the transaction—the index of the first output is zero. The output also has an amount in satoshis which it pays to a conditional pubkey script.

Anyone who can satisfy the conditions of that pubkey script can spend up to the amount of satoshis paid to it. It also has a signature script which allows it to provide data parameters that satisfy the conditionals in the pubkey script. The sequence number and locktime are related and will be covered together in a later subsection. The figures below help illustrate how these features are used by showing the workflow Alice uses to send Bob a transaction and which Bob later uses to spend that transaction.

P2PKH lets Alice spend satoshis to a typical Bitcoin address, and then lets Bob further spend those satoshis using a simple cryptographic key pair. Bob first generates a private key, which is random data; a copy of that data is deterministically transformed into a secp256k1 public key. Because the transformation can be reliably repeated later, the public key does not need to be stored.

The public key (pubkey) is then cryptographically hashed. This pubkey hash can also be reliably repeated later, so it also does not need to be stored. The hash shortens and obfuscates the public key, making manual transcription easier and providing security against unanticipated problems which might allow reconstruction of private keys from public key data at some later point. Bob provides the pubkey hash to Alice. Pubkey hashes are almost always sent encoded as Bitcoin addresses, which are base58-encoded strings containing an address version number, the hash, and an error-detection checksum to catch typos.

The address can be transmitted through any medium, including one-way mediums which prevent the spender from communicating with the receiver, and it can be further encoded into another format, such as a QR code containing a bitcoin: URI. Once Alice has the address and decodes it back into a standard hash, she can create the first transaction. These instructions are called the pubkey script or scriptPubKey.
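The address encoding just described (version byte, hash, checksum, base58), as an added example that is not code from the original page. It shows the checksum catching a single mistyped character, and the one-byte version difference that distinguishes a P2SH address from a P2PKH one (the mainnet version bytes 0x00 and 0x05 are known constants, not taken from the page). The sample public key in the demo is the compressed secp256k1 generator point, used here only as a 33-byte key; RIPEMD-160 comes from hashlib, and the error is made explicit on Python builds whose OpenSSL lacks it.

```python
import hashlib

BASE58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Mainnet address version bytes (known constants, not taken from the page).
P2PKH_VERSION = 0x00   # addresses start with '1'
P2SH_VERSION = 0x05    # addresses start with '3'


def double_sha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def hash160(data):
    """RIPEMD-160 of SHA-256: the pubkey hash (or script hash) in an address.
    Some OpenSSL builds no longer ship RIPEMD-160, so that failure is explicit."""
    try:
        return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()
    except ValueError as exc:
        raise RuntimeError("RIPEMD-160 is not available in this Python build") from exc


def base58check_encode(version, payload):
    """version byte + payload + 4-byte checksum, in base58, with one '1' per
    leading zero byte (which is why P2PKH addresses start with '1')."""
    data = bytes([version]) + payload
    full = data + double_sha256(data)[:4]
    n = int.from_bytes(full, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(BASE58_ALPHABET[rem])
    leading_zeros = len(full) - len(full.lstrip(b"\x00"))
    return (BASE58_ALPHABET[:1] * leading_zeros + bytes(reversed(digits))).decode()


def base58check_decode(address):
    """Return (version, payload); raise ValueError on a character outside the
    alphabet or a checksum mismatch, which is how a mistyped address is caught."""
    n = 0
    for ch in address.encode():
        n = n * 58 + BASE58_ALPHABET.index(ch)      # ValueError on a bad character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(address) - len(address.lstrip("1"))
    full = b"\x00" * leading_ones + raw
    if len(full) < 5:
        raise ValueError("address too short")
    data, checksum = full[:-4], full[-4:]
    if double_sha256(data)[:4] != checksum:
        raise ValueError("checksum mismatch: address mistyped or corrupted")
    return data[0], data[1:]


def pubkey_to_p2pkh_address(pubkey):
    return base58check_encode(P2PKH_VERSION, hash160(pubkey))


def redeem_script_to_p2sh_address(serialized_redeem_script):
    return base58check_encode(P2SH_VERSION, hash160(serialized_redeem_script))


def address_is_valid(address):
    try:
        base58check_decode(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Sample key: the compressed secp256k1 generator point (any 33-byte key works).
    sample_pubkey = bytes.fromhex(
        "0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798")
    addr = pubkey_to_p2pkh_address(sample_pubkey)
    print("P2PKH address:", addr, "valid:", address_is_valid(addr))
    typo = addr[:-1] + ("2" if addr[-1] != "2" else "3")
    print("with one mistyped character:", typo, "valid:", address_is_valid(typo))
```

A wallet that rejects on checksum failure, as base58check_decode does, is what turns a transcription error into a refused payment rather than satoshis sent to an unspendable hash.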

Alice broadcasts the transaction and it is added to the block chain. When, some time later, Bob decides to spend the UTXO, he must create an input which references the transaction Alice created by its hash, called a Transaction Identifier (txid), and the specific output she used by its index number (output index). Signature scripts are also called scriptSigs. Pubkey scripts and signature scripts combine secp256k1 pubkeys and signatures with conditional logic, creating a programmable authorization mechanism.

Bob's signature script contains his full (unhashed) public key, so the pubkey script can check that it hashes to the same value as the pubkey hash provided by Alice. This lets the pubkey script verify that Bob owns the private key which created the public key. In essence, the entire transaction is signed except for any signature scripts, which hold the full public keys and secp256k1 signatures.

After putting his signature and public key in the signature script , Bob broadcasts the transaction to Bitcoin miners through the peer-to-peer network. Each peer and miner independently validates the transaction before broadcasting it further or attempting to include it in a new block of transactions.

The validation procedure requires evaluation of the signature script and pubkey script. In a P2PKH output, the pubkey script is: In a P2PKH transaction, the signature script contains a secp256k1 signature (sig) and full public key (pubkey), creating the following concatenation: The script language is a Forth-like stack-based language deliberately designed to be stateless and not Turing complete.

Statelessness ensures that once a transaction is added to the block chain, there is no condition which renders it permanently unspendable. Turing-incompleteness (specifically, a lack of loops or gotos) makes the script language less flexible and more predictable, greatly simplifying the security model. The figure below shows the evaluation of a standard P2PKH pubkey script; below the figure is a description of the process.

The public key (also from the signature script) is pushed on top of the signature. Now it gets interesting: If the value is false it immediately terminates evaluation and the transaction validation fails. Otherwise it pops the true value off the stack. If false is not at the top of the stack after the pubkey script has been evaluated, the transaction is valid (provided there are no other problems with it).

Pubkey scripts are created by spenders, who have little interest in what that script does. Receivers do care about the script conditions and, if they want, they can ask spenders to use a particular pubkey script. Unfortunately, custom pubkey scripts are less convenient than short Bitcoin addresses, and there was no standard way to communicate them between programs prior to widespread implementation of the BIP70 Payment Protocol discussed later.

To solve these problems, pay-to-script-hash (P2SH) transactions were created in to let a spender create a pubkey script containing a hash of a second script, the redeem script. Bob creates a redeem script with whatever script he wants, hashes the redeem script, and provides the redeem script hash to Alice.

When Bob wants to spend the output , he provides his signature along with the full serialized redeem script in the signature script. The peer-to-peer network ensures the full redeem script hashes to the same value as the script hash Alice put in her output ; it then processes the redeem script exactly as it would if it were the primary pubkey script , letting Bob spend the output if the redeem script does not return false.

The hash of the redeem script has the same properties as a pubkey hash —so it can be transformed into the standard Bitcoin address format with only one small change to differentiate it from a standard address.

Bitcoin Core's default settings relay and mine only transactions whose scripts match a small set of recognized forms. This is the IsStandard test, and transactions which pass it are called standard transactions. Non-standard transactions, those that fail the test, may be accepted by nodes not using the default Bitcoin Core settings.

If they are included in blocks , they will also avoid the IsStandard test and be processed. Besides making it more difficult for someone to attack Bitcoin for free by broadcasting harmful transactions, the standard transaction test also helps prevent users from creating transactions today that would make adding new transaction features in the future more difficult.

For example, as described above, each transaction includes a version number—if users started arbitrarily changing the version number, it would become useless as a tool for introducing backwards-incompatible features. As of Bitcoin Core 0. P2PKH is the most common form of pubkey script used to send a transaction to one or multiple Bitcoin addresses. P2SH is used to send a transaction to a script hash. Each of the standard pubkey scripts can be used as a P2SH redeem script , but in practice only the multisig pubkey script makes sense until more transaction types are made standard.

Although P2SH multisig is now generally used for multisig transactions, this base script can be used to require multiple signatures before a UTXO can be spent. In multisig pubkey scripts , called m-of-n , m is the minimum number of signatures which must match a public key ; n is the number of public keys being provided.

The signature script must provide signatures in the same order as the corresponding public keys appear in the pubkey script or redeem script. Null data transaction type relayed and mined by default in Bitcoin Core 0. It is preferable to use null data transactions over transactions that bloat the UTXO database, because UTXO-bloating outputs cannot be automatically pruned; however, it is usually even more preferable to store data outside transactions if possible.

Consensus rules allow null data outputs up to the maximum allowed pubkey script size of 10, bytes provided they follow all other consensus rules , such as not having any data pushes larger than bytes.

There must still only be a single null data output and it must still pay exactly 0 satoshis. The -datacarriersize Bitcoin Core configuration option allows you to set the maximum number of bytes in null data outputs that you will relay or mine.

If you use anything besides a standard pubkey script in an output , peers and miners using the default Bitcoin Core settings will neither accept, broadcast, nor mine your transaction. When you try to broadcast your transaction to a peer running the default settings, you will receive an error.

If you create a redeem script , hash it, and use the hash in a P2SH output , the network sees only the hash, so it will accept the output as valid no matter what the redeem script says. This allows payment to non-standard scripts, and as of Bitcoin Core 0. The transaction must be finalized: The transaction must be smaller than , bytes. Bare non-P2SH multisig transactions which require more than 3 public keys are currently non-standard.

A signature script cannot contain opcodes other than those which solely push data to the stack. Since the signature protects those parts of the transaction from modification, this lets signers selectively choose to let other people modify their transactions. The various options for what to sign are called signature hash types.

This input, as well as other inputs, is included in the signature. The sequence numbers of other inputs are not included in the signature, and can be updated. Allows anyone to add or remove other inputs.

Because each input is signed, a transaction with multiple inputs can have multiple signature hash types signing different parts of the transaction. For example, a single-input transaction signed with NONE could have its output changed by the miner who adds it to the block chain. Called nLockTime in the Bitcoin Core source code. The locktime indicates the earliest time a transaction can be added to the block chain.

Locktime allows signers to create time-locked transactions which will only become valid in the future, giving the signers a chance to change their minds. If any of the signers change their mind, they can create a new non-locktime transaction. The new transaction will use, as one of its inputs, one of the same outputs which was used as an input to the locktime transaction. This makes the locktime transaction invalid if the new transaction is added to the block chain before the time lock expires.

Care must be taken near the expiry time of a time lock. The peer-to-peer network allows block time to be up to two hours ahead of real time, so a locktime transaction can be added to the block chain up to two hours before its time lock officially expires.

Also, blocks are not created at guaranteed intervals, so any attempt to cancel a valuable transaction should be made a few hours before the time lock expires. Previous versions of Bitcoin Core provided a feature which prevented transaction signers from using the method described above to cancel a time-locked transaction, but a necessary part of this feature was disabled to prevent denial of service attacks.

A legacy of this system is the four-byte sequence number in every input. Even today, setting all sequence numbers to 0xffffffff (the default in Bitcoin Core) can still disable the time lock, so if you want to use locktime, at least one input must have a sequence number below the maximum.

Since sequence numbers are not used by the network for any other purpose, setting any sequence number to zero is sufficient to enable locktime. Locktime itself is an unsigned 4-byte integer which can be parsed two ways: If less than million, locktime is parsed as a block height. The transaction can be added to any block which has this height or higher. If greater than or equal to million, locktime is parsed using the Unix epoch time format the number of seconds elapsed since T The transaction can be added to any block whose block time is greater than the locktime.
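The locktime rules of the last few paragraphs (height versus time interpretation, the all-0xffffffff escape hatch, and the two-hour block-time drift that matters when cancelling near expiry), as an added example that is not code from the original page. The 500,000,000 threshold, the maximum sequence value and the two-hour allowance are known Bitcoin constants supplied because the page lost the digits. One caveat worth knowing: Bitcoin Core's IsFinalTx compares strictly, so a transaction locked to height H is first acceptable in block H+1, and a time-locked one in a block whose time is greater than the locktime.

```python
# Known Bitcoin constants (the page lost the digits in extraction).
LOCKTIME_THRESHOLD = 500_000_000      # below: block height; at or above: Unix time
SEQUENCE_FINAL = 0xFFFFFFFF           # default sequence number; disables locktime
MAX_FUTURE_BLOCK_TIME = 2 * 60 * 60   # a block's time may run two hours ahead


def locktime_kind(locktime):
    """How the unsigned 4-byte locktime field is interpreted."""
    if not 0 <= locktime <= 0xFFFFFFFF:
        raise ValueError("locktime must fit in an unsigned 4-byte integer")
    return "height" if locktime < LOCKTIME_THRESHOLD else "time"


def is_final(locktime, sequences, block_height, block_time):
    """Bitcoin Core's IsFinalTx rule: may a transaction with this locktime and
    these input sequence numbers be included in a block at this height/time?"""
    if not sequences:
        raise ValueError("a transaction has at least one input")
    if locktime == 0:
        return True
    # Every input at the maximum sequence number disables the lock entirely,
    # so a time-locked transaction needs at least one input below it.
    if all(seq == SEQUENCE_FINAL for seq in sequences):
        return True
    cutoff = block_height if locktime_kind(locktime) == "height" else block_time
    return locktime < cutoff   # strict comparison, as in Bitcoin Core


def earliest_wall_clock_inclusion(locktime):
    """For a time-based lock: the real time from which a miner may already
    include the transaction, since block timestamps may be two hours ahead.
    Any cancelling transaction must be confirmed before this point."""
    if locktime_kind(locktime) != "time":
        raise ValueError("only time-based locktimes map to wall-clock time")
    return locktime - MAX_FUTURE_BLOCK_TIME


if __name__ == "__main__":
    # Constructed example: a refund locked to Unix time 1,700,000,000 with one
    # input left below the maximum sequence so the lock is actually enforced.
    lock, seqs = 1_700_000_000, [SEQUENCE_FINAL, 0]
    print("kind:", locktime_kind(lock))
    print("final at block time == lock:", is_final(lock, seqs, 0, lock))
    print("final one second later:    ", is_final(lock, seqs, 0, lock + 1))
    print("all sequences at max:      ", is_final(lock, [SEQUENCE_FINAL], 0, 0))
    print("earliest wall-clock inclusion:", earliest_wall_clock_inclusion(lock))
```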

Transactions pay fees based on the total byte size of the signed transaction. Fees per byte are calculated based on current demand for space in mined blocks with fees rising as demand increases.

The transaction fee is given to the Bitcoin miner , as explained in the block chain section , and so it is ultimately up to each miner to choose the minimum transaction fee they will accept. Before Bitcoin Core 0. After the priority area, all transactions are prioritized based on their fee per byte, with higher-paying transactions being added in sequence until all of the available space is filled. Please see the verifying payment section for why this could be important.

Few people will have UTXOs that exactly match the amount they want to pay, so most transactions include a change output.

Change outputs are regular outputs which spend the surplus satoshis from the UTXOs back to the spender. In a transaction, the spender and receiver each reveal to each other all public keys or addresses used in the transaction. If the same public key is reused often, as happens when people use Bitcoin addresses (hashed public keys) as static payment addresses, other people can easily track the receiving and spending habits of that person, including how many satoshis they control in known addresses.

If each public key is used exactly twice—once to receive a payment and once to spend that payment—the user can gain a significant amount of financial privacy. Even better, using new public keys or unique addresses when accepting payments or creating change outputs can be combined with other techniques discussed later, such as CoinJoin or merge avoidance , to make it extremely difficult to use the block chain by itself to reliably track how users receive and spend their satoshis.

Avoiding key reuse can also provide security against attacks which might allow reconstruction of private keys from public keys (hypothesized) or from signature comparisons (possible today under certain circumstances described below, with more general attacks hypothesized).

Unique (non-reused) P2PKH and P2SH addresses protect against the first type of attack by keeping ECDSA public keys hidden (hashed) until the first time satoshis sent to those addresses are spent, so attacks are effectively useless unless they can reconstruct private keys in less than the hour or two it takes for a transaction to be well protected by the block chain. Unique (non-reused) private keys protect against the second type of attack by only generating one signature per private key, so attackers never get a subsequent signature to use in comparison-based attacks.

Existing comparison-based attacks are only practical today when insufficient entropy is used in signing or when the entropy used is exposed by some means, such as a side-channel attack. So, for both privacy and security, we encourage you to build your applications to avoid public key reuse and, when possible, to discourage users from reusing addresses.

If your application needs to provide a fixed URI to which payments should be sent, please see the bitcoin: URI section. Transaction malleability means that a third party can change a transaction in ways that do not invalidate it. For example, an attacker can add some data to the signature script which will be dropped before the previous pubkey script is processed. Although the modifications are non-functional, so they do not change what inputs the transaction uses nor what outputs it pays, they do change the computed hash of the transaction. Since each transaction links to previous transactions using hashes as a transaction identifier (txid), a modified transaction will not have the txid its creator expected.

But it does become a problem when the output from a transaction is spent before that transaction is added to the block chain. Bitcoin developers have been working to reduce transaction malleability among standard transaction types; one outcome of those efforts is BIP Segregated Witness, which is supported by Bitcoin Core and was activated in August When SegWit is not being used, new transactions should not depend on previous transactions which have not been added to the block chain yet, especially if large amounts of satoshis are at stake.

Transaction malleability also affects payment tracking. Current best practices for transaction tracking dictate that a transaction should be tracked by the transaction outputs (UTXOs) it spends as inputs, as they cannot be changed without invalidating the transaction.

Best practices further dictate that if a transaction does seem to disappear from the network and needs to be reissued, that it be reissued in a way that invalidates the lost transaction. One method which will always work is to ensure the reissued payment spends all of the same outputs that the lost transaction used as inputs. Contracts are transactions which use the decentralized Bitcoin system to enforce financial agreements. Bitcoin contracts can often be crafted to minimize dependency on outside agents, such as the court system, which significantly decreases the risk of dealing with unknown entities in financial transactions.

The following subsections will describe a variety of Bitcoin contracts already in use. Because contracts deal with real people, not just transactions, they are framed below in story format. Besides the contract types described below, many other contract types have been proposed. Several of them are collected on the Contracts page of the Bitcoin Wiki.

Charlie-the-customer wants to buy a product from Bob-the-businessman, but neither of them trusts the other person, so they use a contract to help ensure Charlie gets his merchandise and Bob gets his payment. A simple contract could say that Charlie will spend satoshis to an output which can only be spent if Charlie and Bob both sign the input spending it. Instead, they bring in an arbitrator, Alice, and Charlie spends his satoshis to an output which can only be spent if two of the three people sign the input.

To create a multiple-signature (multisig) output, they each give the others a public key. Then Bob creates the following P2SH multisig redeem script:

OP_2 [A's pubkey] [B's pubkey] [C's pubkey] OP_3 OP_CHECKMULTISIG

(Opcodes to push the public keys onto the stack are not shown.) OP_2 and OP_3 push the numbers 2 and 3 onto the stack: two signatures are required to spend the output, and three public keys are provided. This is a 2-of-3 multisig pubkey script, more generically called an m-of-n pubkey script, where m is the minimum number of matching signatures required and n is the number of public keys provided.

Then he hashes the redeem script and pays the satoshis to a P2SH output whose pubkey script commits to that hash (OP_HASH160 [redeem script hash] OP_EQUAL). Bob sees the payment get added to the block chain and ships the merchandise. Unfortunately, the merchandise gets slightly damaged in transit, and Bob and Charlie cannot agree on a refund. They turn to Alice to resolve the issue. Alice asks for photo evidence from Charlie along with a copy of the redeem script Bob created and Charlie checked. After reviewing the evidence, Alice creates and signs a transaction with two outputs that split the escrowed satoshis between Bob and Charlie in the proportion she decides. In the signature script Alice puts her signature and a copy of the unhashed serialized redeem script that Bob created.

She gives a copy of the incomplete transaction to both Bob and Charlie. Either one of them can complete it by adding his signature to create the following signature script:

OP_0 [A's signature] [B's or C's signature] [serialized multisig redeem script]

(Opcodes to push the signatures and redeem script onto the stack are not shown.) Note that the signature script must provide signatures in the same order as the corresponding public keys appear in the redeem script; OP_CHECKMULTISIG walks both lists in order and fails if a signature is out of place. The leading OP_0 is a dummy element that OP_CHECKMULTISIG pops because of a long-standing off-by-one bug in its implementation.

When the transaction is broadcast to the network, each peer checks the signature script against the P2SH output Charlie previously paid, ensuring that the redeem script matches the redeem script hash previously provided.

Then the redeem script is evaluated, with the two signatures being used as input data. If it validates, the two outputs show up in Bob's and Charlie's wallets as spendable balances. However, if Alice created and signed a transaction neither of them would agree to, such as spending all the satoshis to herself, Bob and Charlie can find a new arbitrator and sign a transaction spending the satoshis to another 2-of-3 multisig redeem script hash, this one including a public key from that second arbitrator.
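To make the escrow concrete, here is an added Python example (my code, not code from the original guide) that builds the 2-of-3 redeem script, the P2SH output it is paid to, and the signature script that completes Alice's transaction, and performs the commitment check each peer does before evaluating the redeem script. The public keys and signatures are constructed placeholder bytes of realistic size, not real keys or signatures; hash160 relies on the OpenSSL behind Python's hashlib providing ripemd160.

```python
import hashlib

# Script opcodes used below (byte values from the Bitcoin script specification).
OP_0, OP_PUSHDATA1, OP_HASH160, OP_EQUAL, OP_CHECKMULTISIG = 0x00, 0x4C, 0xA9, 0x87, 0xAE
RIPEMD160_AVAILABLE = "ripemd160" in hashlib.algorithms_available

# Constructed placeholders (NOT real keys): 33-byte compressed-style public keys and
# 71-byte DER-style signatures, so that push sizes match what a real spend looks like.
ALICE_PK, BOB_PK, CHARLIE_PK = b"\x02" + b"\xaa" * 32, b"\x03" + b"\xbb" * 32, b"\x02" + b"\xcc" * 32
SIG_A, SIG_B, SIG_C = (b"\x30" + b"\xa1" * 69 + b"\x01",
                       b"\x30" + b"\xb2" * 69 + b"\x01",
                       b"\x30" + b"\xc3" * 69 + b"\x01")


def push(data: bytes) -> bytes:
    """Minimal push encoding: 1..75 bytes use the length itself as the opcode, 76..255 bytes
    need OP_PUSHDATA1. A 2-of-3 redeem script is 105 bytes, so pushing it inside the
    signature script always takes the OP_PUSHDATA1 form."""
    if 1 <= len(data) <= 75:
        return bytes([len(data)]) + data
    if len(data) <= 255:
        return bytes([OP_PUSHDATA1, len(data)]) + data
    raise ValueError("push larger than this example handles")


def hash160(data: bytes) -> bytes:
    """RIPEMD160(SHA256(data)), the hash a P2SH output commits to."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


def multisig_redeem_script(m: int, pubkeys: list) -> bytes:
    """OP_m <pubkey>... OP_n OP_CHECKMULTISIG; OP_1..OP_16 are the bytes 0x51..0x60."""
    n = len(pubkeys)
    if not 1 <= m <= n <= 16:
        raise ValueError("m-of-n out of range")
    return bytes([0x50 + m]) + b"".join(push(pk) for pk in pubkeys) + bytes([0x50 + n, OP_CHECKMULTISIG])


def p2sh_pubkey_script(redeem: bytes) -> bytes:
    """What Charlie pays to: OP_HASH160 <20-byte hash160(redeem script)> OP_EQUAL."""
    return bytes([OP_HASH160]) + push(hash160(redeem)) + bytes([OP_EQUAL])


def p2sh_sig_script(redeem: bytes, pubkeys: list, sigs: dict) -> bytes:
    """OP_0 <sig>... <serialized redeem script>. Signatures are emitted in the order the matching
    public keys appear in the redeem script, whatever order the signers supplied them, because
    OP_CHECKMULTISIG walks both lists in order. OP_0 is the dummy element the opcode pops."""
    ordered = [sigs[pk] for pk in pubkeys if pk in sigs]
    return bytes([OP_0]) + b"".join(push(s) for s in ordered) + push(redeem)


def last_push(script: bytes) -> bytes:
    """Data of the final push in a script; in a P2SH spend that is the serialized redeem script."""
    i, data = 0, b""
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:
            data, i = script[i:i + op], i + op
        elif op == OP_PUSHDATA1:
            length = script[i]
            data, i = script[i + 1:i + 1 + length], i + 1 + length
        else:
            data = b""  # a non-push opcode such as OP_0
    return data


def peer_checks_p2sh(sig_script: bytes, pubkey_script: bytes) -> bool:
    """The check every peer performs before running the redeem script itself: the script
    serialized in the signature script must hash to the value committed in the output."""
    return pubkey_script == p2sh_pubkey_script(last_push(sig_script))


if __name__ == "__main__":
    keys = [ALICE_PK, BOB_PK, CHARLIE_PK]
    redeem = multisig_redeem_script(2, keys)
    spend = p2sh_sig_script(redeem, keys, {CHARLIE_PK: SIG_C, ALICE_PK: SIG_A})  # Charlie signs last
    print("redeem script:", redeem.hex())
    print("sig script   :", spend.hex())
    if RIPEMD160_AVAILABLE:
        print("peer check   :", peer_checks_p2sh(spend, p2sh_pubkey_script(redeem)))
```

The signer dictionary is keyed by public key precisely so that the ordering rule is enforced by construction rather than by whoever happened to sign last.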

This means that Bob and Charlie never need to worry about their arbitrator stealing their money.

Alice also works part-time moderating forum posts for Bob. Alas, Bob often forgets to pay her, so Alice demands to be paid immediately after each post she approves or rejects. Paying for every post with a separate on-chain transaction would cost more in fees than the work is worth, so they set up a micropayment channel. Bob asks Alice for her public key and then creates two transactions. The first transaction pays 100 millibitcoins to a P2SH output whose 2-of-2 multisig redeem script requires signatures from both Alice and Bob.

This is the bond transaction. Broadcasting this transaction would let Alice hold the millibitcoins hostage, so Bob keeps this transaction private for now and creates a second transaction. The second transaction spends the bond's output back to Bob, minus a transaction fee, but carries a locktime so the network will not accept it until that time lock expires. This is the refund transaction. Bob cannot sign the refund on his own because the output needs both signatures, so he gives it to Alice to sign. Alice checks that the refund's locktime is suitably far in the future, signs it, and gives a copy back to Bob. She then asks Bob for the bond transaction and checks that the refund transaction spends the output of the bond transaction.

She can now broadcast the bond transaction to the network, which ensures Bob has to wait for the time lock to expire before he can spend his millibitcoins again. Bob has not actually paid anything yet, and he gets a full refund when the time lock expires if Alice does no work. Now, when Alice does some work worth 1 millibitcoin, she asks Bob to create and sign a new version of the refund transaction.

Version two of the transaction spends 1 millibitcoin to Alice and the other 99 back to Bob; it does not have a locktime, so Alice can sign it and spend it whenever she wants.

Alice and Bob repeat these work-and-pay steps until Alice finishes for the day, or until the time lock is about to expire. Alice signs the final version of the refund transaction and broadcasts it, paying herself and refunding any remaining balance to Bob. The next day, when Alice starts work, they create a new micropayment channel.

If Alice fails to broadcast a version of the refund transaction before its time lock expires, Bob can broadcast the first version and receive a full refund. This is one reason micropayment channels are best suited to small amounts. Transaction malleability, discussed above in the Transactions section, is another reason to limit the value of micropayment channels: the refund transaction spends the bond by its txid, so if a relayed copy of the bond confirms with a different txid, the signed refund no longer spends anything and Alice could hold Bob's 100 millibitcoins hostage without doing any work.
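The exchange described above, as an added example that is not part of the original guide: a Python model of the channel with the checks Alice performs on each transaction version, including the two failure modes just discussed (an expired lock being Bob's exit, a malleated bond stranding the refund). Transactions are simplified records with no real signatures or hashing and label txids; the 1-millibitcoin fee and the one-day lock are assumptions of this example, and malleated() stands in for a relaying node that changes the bond's txid.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

BOND_MBTC = 100           # the bond in the story: 100 millibitcoins
FEE_MBTC = 1              # constructed placeholder fee, not a figure from the text
LOCK_SECONDS = 24 * 3600  # assumed length of the refund's time lock (one day)


@dataclass
class Tx:
    txid: str                        # constructed label; a real txid is the hash of the serialized tx
    inputs: List[Tuple[str, int]]    # (txid of the output being spent, output index)
    outputs: Dict[str, int]          # payee -> millibitcoins
    locktime: int = 0                # earliest unix time the network accepts it; 0 = no lock
    signed_by: Set[str] = field(default_factory=set)


def make_bond() -> Tx:
    """Bob funds the 2-of-2 (Alice, Bob) output. He keeps it private until the refund is signed."""
    return Tx("bond", [("bobs-coins", 0)], {"alice+bob-2of2": BOND_MBTC}, 0, {"bob"})


def make_refund(bond: Tx, version: int, paid_to_alice: int, now: int) -> Tx:
    """Version 1 is the time-locked full refund; every later version pays Alice and has no lock."""
    outputs = {"bob": BOND_MBTC - FEE_MBTC - paid_to_alice}
    if paid_to_alice:
        outputs["alice"] = paid_to_alice
    locktime = now + LOCK_SECONDS if version == 1 else 0
    return Tx(f"refund-v{version}", [(bond.txid, 0)], outputs, locktime, {"bob"})


def alice_accepts_refund(bond: Tx, refund: Tx, now: int) -> bool:
    """Alice's checks before she signs version 1 and broadcasts the bond: the refund must spend
    the bond's output (by txid), be locked far enough ahead, and return everything to Bob."""
    return (refund.inputs == [(bond.txid, 0)]
            and refund.locktime >= now + LOCK_SECONDS
            and set(refund.outputs) == {"bob"}
            and sum(refund.outputs.values()) == BOND_MBTC - FEE_MBTC
            and "bob" in refund.signed_by)


def alice_accepts_payment(bond: Tx, previous: Tx, new: Tx) -> bool:
    """Each work-and-pay step: same bond output, no lock, Bob's signature, Alice's share never drops."""
    return (new.inputs == [(bond.txid, 0)]
            and new.locktime == 0
            and "bob" in new.signed_by
            and new.outputs.get("alice", 0) >= previous.outputs.get("alice", 0)
            and sum(new.outputs.values()) == BOND_MBTC - FEE_MBTC)


def malleated(tx: Tx) -> Tx:
    """Same inputs, outputs, lock and signatures, different txid: what a relaying node could make
    of the bond before SegWit, which strands every refund that references the old txid."""
    return Tx(tx.txid + "-malleated", tx.inputs, tx.outputs, tx.locktime, set(tx.signed_by))


def run_channel(now: int, posts_moderated: int) -> Tx:
    """Open a channel, pay 1 millibitcoin per post, return the final version Alice would broadcast."""
    bond = make_bond()
    latest = make_refund(bond, 1, 0, now)
    if not alice_accepts_refund(bond, latest, now):
        raise RuntimeError("refund rejected; Alice must neither sign it nor broadcast the bond")
    latest.signed_by.add("alice")  # Bob now holds a valid refund, so Alice can broadcast the bond
    for paid in range(1, posts_moderated + 1):
        candidate = make_refund(bond, paid + 1, paid, now)
        if not alice_accepts_payment(bond, latest, candidate):
            raise RuntimeError("payment version rejected")
        latest = candidate
    return latest
```

In the real protocol the refund's input is bound to the bond by its txid inside the signed data, which is exactly why a malleated bond leaves Bob with no valid refund; the model reproduces that dependency with the label comparison in alice_accepts_refund.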

For larger payments, Bitcoin transaction fees are very low as a percentage of the total transaction value, so it makes more sense to protect payments with immediately-broadcast separate transactions. The bitcoinj Java library provides a complete set of micropayment functions, an example implementation, and a tutorial, all under an Apache license.

Alice is concerned about her privacy.

She knows every transaction gets added to the public block chain, so when Bob and Charlie pay her, they can each easily track those satoshis to learn what Bitcoin addresses she pays, how much she pays them, and possibly how many satoshis she has left. She wants plausible deniability about where she spends her satoshis and how many she has. The CoinJoin-style contract, shown in the illustration below, makes this easy: several people combine their inputs into one transaction with equal-sized outputs, so an observer cannot tell which output belongs to whom. Alice, using the pseudonym AnonGirl, finds two other participants in an IRC chatroom, Nemo and Neminem. They then each generate a brand new public key and give UTXO details and pubkey hashes to the facilitator.

In this case, the facilitator is AnonGirl; she creates a transaction spending each of the UTXOs to three equally-sized outputs, one to each participant's new pubkey hash, and signs her own inputs with SIGHASH_ALL so that none of the inputs or outputs can be changed afterwards. She gives the partially-signed transaction to Nemo, who signs his inputs the same way and passes it to Neminem, who also signs it the same way.

Neminem then broadcasts the transaction to the peer-to-peer network, mixing all of the millibitcoins in a single transaction. Nothing in the block chain shows which of the three equal outputs belongs to Alice. If Alice does a few more CoinJoins, Bob and Charlie might have to guess which transactions made by dozens or hundreds of people were actually made by Alice.

Against a determined analyst who can watch the coordination channel or correlate amounts and timing this is not anonymity, but against anyone casually browsing block chain history, Alice gains plausible deniability. The CoinJoin technique described above costs the participants a small amount of satoshis to pay the transaction fee. An alternative technique, purchaser CoinJoin, can actually save them satoshis and improve their privacy at the same time.

AnonGirl waits in the IRC chatroom until she wants to make a purchase. She announces her intention to spend satoshis and waits until someone else wants to make a purchase, likely from a different merchant. Then they combine their inputs the same way as before but set the outputs to the separate merchant addresses, so nobody will be able to figure out solely from block chain history which one of them bought what from the merchants. Because they would have paid a fee for their purchases anyway, and one combined transaction takes fewer bytes than two separate ones, each of them ends up paying slightly less.

An alpha-quality (as of this writing) implementation of decentralized CoinJoin is CoinMux, available under the Apache license.

A Bitcoin wallet can refer to either a wallet program or a wallet file. Wallet programs create public keys to receive satoshis and use the corresponding private keys to spend those satoshis. Wallet files store private keys and optionally other information related to transactions for the wallet program. Two wallet programs can work together, one program distributing public keys in order to receive satoshis and another program signing transactions spending those satoshis.

Wallet programs also need to interact with the peer-to-peer network to get information from the block chain and to broadcast new transactions; the programs which distribute public keys or sign transactions do not need network access themselves. This leaves us with three necessary, but separable, parts of a wallet system: a public key distribution program, a signing program, and a networked program. In the subsections below, we will describe common combinations of these parts. We speak about distributing public keys generically; in many cases, P2PKH or P2SH hashes will be distributed instead of public keys, with the actual public keys only being distributed when the outputs they control are spent.

The simplest wallet is a program which performs all three functions: it generates private keys, derives the corresponding public keys, helps distribute those public keys as necessary, monitors for outputs spent to those public keys, creates and signs transactions spending those outputs, and broadcasts the signed transactions. As of this writing, almost all popular wallets can be used as full-service wallets. The main advantage of full-service wallets is that they are easy to use; a single program does everything the user needs to receive and spend satoshis. The main disadvantage of full-service wallets is that they store the private keys on a device connected to the Internet.

The compromise of such devices is a common occurrence, and an Internet connection makes it easy to transmit private keys from a compromised device to an attacker. To help protect against theft, many wallet programs offer users the option of encrypting the wallet files which contain the private keys; this protects keys at rest, but not while the wallet is unlocked to sign. To increase security, private keys can be generated and stored by a separate wallet program operating in a more secure environment.

These signing-only wallets work in conjunction with a networked wallet which interacts with the peer-to-peer network. Signing-only wallet programs typically use deterministic key creation (described in a later subsection) to create parent private and public keys which can create child private and public keys.

When first run, the signing-only wallet creates a parent private key and transfers the corresponding parent public key to the networked wallet. The networked wallet uses the parent public key to derive child public keys, optionally helps distribute them, monitors for outputs spent to those public keys, creates unsigned transactions spending those outputs, and transfers the unsigned transactions to the signing-only wallet.

Often, the user is given a chance to review the unsigned transactions' details, particularly the outputs, on the signing-only wallet. After that optional review step, the signing-only wallet uses the parent private key to derive the appropriate child private keys and signs the transactions, giving the signed transactions back to the networked wallet. The networked wallet then broadcasts the signed transactions to the peer-to-peer network.

The following subsections describe the two most common variants of signing-only wallets: offline wallets and hardware wallets.

Several full-service wallet programs will also operate as two separate wallets: one program instance acting as the signing-only wallet and the other instance acting as the networked wallet. The offline wallet is so named because it is intended to be run on a device which does not connect to any network, greatly reducing the number of attack vectors. If this is the case, it is usually up to the user to handle all data transfer using removable media such as USB drives. The user's workflow is something like:

(Offline) Disable all network connections on a device and install the wallet software. Start the wallet software in offline mode to create the parent private and public keys. Copy the parent public key to removable media.

(Online) Install the wallet software on another device, this one connected to the Internet, and import the parent public key from the removable media. As you would with a full-service wallet, distribute public keys to receive payment. When ready to spend satoshis, fill in the output details and save the unsigned transaction generated by the wallet to removable media.

(Offline) Open the unsigned transaction in the offline instance and review the output details to make sure they spend the correct amount to the correct address. This prevents malware on the online wallet from tricking the user into signing a transaction which pays an attacker. After review, sign the transaction and save it to removable media.

(Online) Open the signed transaction in the online instance so it can broadcast it to the peer-to-peer network.

The primary advantage of offline wallets is their possibility for greatly improved security over full-service wallets: as long as the offline wallet is not compromised (or flawed) and the user reviews every outgoing transaction before signing, the satoshis are safe even if the online wallet is compromised. The removable media is a channel in both directions, so the offline device should treat whatever it reads from it as untrusted input. The primary disadvantage of offline wallets is hassle. For maximum security, they require the user dedicate a device to only offline tasks.

The offline device must be booted up whenever funds are to be spent, and the user must physically copy data from the online device to the offline device and back.

Hardware wallets are devices dedicated to running a signing-only wallet. Because they run nothing else, they avoid many of the vulnerabilities of a general-purpose operating system, which lets them communicate directly with a networked device so users do not have to move data by hand. The user's workflow is something like:

(Hardware) Create parent private and public keys. Connect the hardware wallet to a networked device so it can get the parent public key.

(Networked) As you would with a full-service wallet, distribute public keys to receive payment. When ready to spend satoshis, fill in the transaction details, connect the hardware wallet, and click Spend. The networked wallet will automatically send the transaction details to the hardware wallet.

(Hardware) Review the transaction details on the hardware wallet's own screen; the networked device may be compromised, so its display cannot be trusted for this. Some hardware wallets may prompt for a passphrase or PIN. The hardware wallet signs the transaction and uploads it to the networked wallet.

(Networked) The networked wallet receives the signed transaction from the hardware wallet and broadcasts it to the network.

The primary advantage of hardware wallets is their possibility for greatly improved security over full-service wallets with much less hassle than offline wallets. The primary disadvantage of hardware wallets is their hassle. Even though the hassle is less than that of offline wallets , the user must still purchase a hardware wallet device and carry it with them whenever they need to make a transaction using the signing-only wallet.

An additional (hopefully temporary) disadvantage is that, as of this writing, very few popular wallet programs support hardware wallets, although almost all popular wallet programs have announced their intention to support at least one model of hardware wallet.

Wallet programs which run in difficult-to-secure environments, such as webservers, can be designed to distribute public keys (including P2PKH or P2SH addresses) and nothing more.

There are two common ways to design these minimalist wallets:

1. Pre-populate a database with a number of public keys or addresses, and then distribute on request a pubkey script or address using one of the database entries. To avoid key reuse, webservers should keep track of used keys and never run out of public keys. This can be made easier by using parent public keys as suggested in the next method.

2. Use a parent public key to create child public keys. To avoid key reuse, a method must be used to ensure the same public key is not distributed twice; this can be a database entry for each key distributed or an incrementing pointer to the key index number.

Neither method adds a significant amount of overhead, especially if a database is used anyway to associate each incoming payment with a separate public key for payment tracking.

See the Payment Processing section for details.

Bitcoin wallets at their core are a collection of private keys. These collections are stored digitally in a file, or can even be physically stored on pieces of paper.

Private keys are what are used to unlock satoshis from a particular address. In Bitcoin, a private key in standard format is simply a 256-bit number, between the values 0x1 and 0xFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364140, representing nearly the entire range of 256-bit values. The range is governed by the order of the generator point of the secp256k1 curve used by Bitcoin; zero and any value at or above that order are not valid keys.

In order to make copying of private keys less prone to error, Wallet Import Format (WIF) may be utilized. WIF uses Base58Check encoding on a private key, greatly decreasing the chance of copying error, much like standard Bitcoin addresses:

1. Take a private key.
2. Add a 0x80 byte in front of it for mainnet addresses or 0xef for testnet addresses.
3. Append a 0x01 byte after it if it should be used with compressed public keys (described in a later subsection). Nothing is appended if it is used with uncompressed public keys.
4. Perform a SHA-256 hash on the extended key, then a SHA-256 hash on that result; the first four bytes of the second hash are the checksum.
5. Append the four checksum bytes to the extended key from step 3.
6. Convert the result from a byte string into a Base58 string.

The process is easily reversible, using the Base58 decoding function and removing the prefix, suffix and checksum bytes; a checksum mismatch on decoding is how a copying error is detected.

Mini private key format is a method for encoding a private key in 30 characters or fewer, enabling keys to be embedded in a small physical space, such as physical bitcoin tokens, and more damage-resistant QR codes.

Mini keys begin with the letter S. In order to determine if a mini private key is well-formatted, a question mark is appended to it and the SHA-256 hash of that string is calculated; if the first byte of the hash is 0x00, the key is well-formatted. This key restriction acts as a typo-checking mechanism. A user brute forces the process using random numbers until a well-formatted mini private key is produced. In order to derive the full private key, the user simply takes a single SHA-256 hash of the original mini private key.
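The WIF steps and the mini private key check above, as an added Python example (my code, not code from the original guide): Base58Check encode and decode with checksum verification, the 0x80/0xef prefix and the compressed-key suffix, and the SHA-256(mini + "?") well-formedness test followed by the one-way derivation. The example key in the main block is the widely published one from the Bitcoin wiki's WIF description and must never hold real funds; the network names used as parameters are this example's own.

```python
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
WIF_PREFIX = {"mainnet": 0x80, "testnet": 0xEF}  # version bytes from the text


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(payload: bytes) -> str:
    """Append the 4-byte checksum (first bytes of double SHA-256), then convert to base 58."""
    data = payload + sha256d(payload)[:4]
    n = int.from_bytes(data, "big")
    chars = ""
    while n:
        n, rem = divmod(n, 58)
        chars = B58_ALPHABET[rem] + chars
    leading_zero_bytes = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zero_bytes + chars  # each leading 0x00 byte becomes a leading '1'


def base58check_decode(text: str) -> bytes:
    """Reverse of the above; raises ValueError on a bad character or a checksum mismatch."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(text) - len(text.lstrip("1"))) + raw
    payload, checksum = raw[:-4], raw[-4:]
    if sha256d(payload)[:4] != checksum:
        raise ValueError("Base58Check checksum mismatch: the key was mistyped or corrupted")
    return payload


def to_wif(private_key: bytes, compressed: bool, network: str = "mainnet") -> str:
    """The text's steps: version byte, 32-byte key, optional 0x01 suffix, checksum, base 58."""
    if len(private_key) != 32:
        raise ValueError("private key must be 32 bytes")
    payload = bytes([WIF_PREFIX[network]]) + private_key + (b"\x01" if compressed else b"")
    return base58check_encode(payload)


def from_wif(wif: str):
    """Returns (private_key, compressed, network); the 0x01 suffix tells the two forms apart."""
    payload = base58check_decode(wif)
    networks = {v: k for k, v in WIF_PREFIX.items()}
    if payload[0] not in networks:
        raise ValueError("not a WIF private key (unknown version byte)")
    if len(payload) == 34 and payload[-1] == 0x01:
        return payload[1:33], True, networks[payload[0]]
    if len(payload) == 33:
        return payload[1:], False, networks[payload[0]]
    raise ValueError("unexpected WIF payload length")


def is_well_formed_mini_key(mini: str) -> bool:
    """Mini keys start with 'S' (22 or 30 characters in practice); SHA-256(mini + '?') must
    begin with a 0x00 byte, which is the typo check described in the text."""
    return (mini[:1] == "S" and len(mini) in (22, 30)
            and hashlib.sha256((mini + "?").encode("ascii")).digest()[0] == 0)


def mini_key_to_private_key(mini: str) -> bytes:
    """Full 256-bit private key = a single SHA-256 of the mini key; there is no way back."""
    if not is_well_formed_mini_key(mini):
        raise ValueError("mini private key failed its well-formedness check")
    return hashlib.sha256(mini.encode("ascii")).digest()


if __name__ == "__main__":
    # Widely published example key (Bitcoin wiki, WIF article); never use it for real funds.
    key = bytes.fromhex("0C28FCA386C7A227600B2FE50B7CAE11EC86D3BF1FBE471BE89827E19D72AA1D")
    print(to_wif(key, compressed=False))  # uncompressed mainnet WIFs are 51 characters starting with 5
    print(to_wif(key, compressed=True))   # compressed mainnet WIFs are 52 characters starting with K or L
    print(to_wif(mini_key_to_private_key("S6c56bnXQiBjk9mqSYE7ykVQ7NzrRy"), compressed=False))
```

Note that a checksum only catches copying errors; it says nothing about whether the key was generated with adequate randomness, and a WIF string pasted into an untrusted program is as sensitive as the raw key.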

This process is one-way: it is intractable to compute the mini private key from the derived key. A common tool to create and redeem these keys is the Casascius Bitcoin Address Utility.

Bitcoin ECDSA public keys represent a point on the elliptic curve defined in secp256k1, y^2 = x^3 + 7. In their traditional uncompressed form, public keys contain an identification byte, a 32-byte X coordinate, and a 32-byte Y coordinate. (Secp256k1 actually computes the coordinates modulo a large prime, which produces a field of non-contiguous integers and a significantly less clear plot than the textbook curve, although the principles are the same.) Because only two points on the curve share a given X coordinate, the Y coordinate can be dropped and replaced by a single bit saying which of the two points is meant; this compressed form is 33 bytes instead of 65.

No data is lost by creating these compressed public keys; only a small amount of CPU is necessary to reconstruct the Y coordinate and access the uncompressed public key. Both uncompressed and compressed public keys are described in official secp256k1 documentation and supported by default in the widely-used OpenSSL library. Because they halve the block chain space used to store a public key for every spent output, compressed public keys are the default in Bitcoin Core and the recommended default for all Bitcoin software. However, Bitcoin Core prior to 0.6 used uncompressed keys.

This creates a few complications, as the hashed form of an uncompressed key is different than the hashed form of a compressed key, so the same key works with two different P2PKH addresses. It also means the public key must be submitted in the correct form in the signature script so that it hashes to the value in the previous output's pubkey script. For this reason, Bitcoin Core uses several different identifier bytes to help programs identify how keys should be used:

- Private keys meant to be used with compressed public keys have 0x01 appended to them before being Base58 encoded (see the private key encoding section above).
- Uncompressed public keys start with 0x04; compressed public keys begin with 0x02 when the Y coordinate is even and 0x03 when it is odd.

These prefix bytes are all used in official secp256k1 documentation.

The hierarchical deterministic key creation and transfer protocol (HD protocol) greatly simplifies wallet backups, eliminates the need for repeated communication between multiple programs using the same wallet, permits creation of child accounts which can operate independently, gives each parent account the ability to monitor or control its children even if the child account is compromised, and divides each account into full-access and restricted-access parts so untrusted users or programs can be allowed to receive or monitor payments without being able to spend them.

The HD protocol takes advantage of the ECDSA public key creation function, point(), which takes a large integer (the private key) and turns it into a curve point (the public key):

point(private_key) == public_key

Because point() multiplies the secp256k1 generator by the integer, and curve points form an additive group, it is possible to create a child public key by combining an existing (parent) public key with another public key created from any integer value i. This child public key is the same public key which would be created by the point() function if you added the i value to the original (parent) private key and then found the remainder of that sum divided by a global constant used by all Bitcoin software, p. (The constant is the order of the generator point; curve specifications usually write it n.)

point( (parent_private_key + i) % p ) == parent_public_key + point(i)

This means that two or more independent programs which agree on a sequence of integers can create a series of unique child key pairs from a single parent key pair without any further communication. Moreover, the program which distributes new public keys for receiving payment can do so without any access to the private keys , allowing the public key distribution program to run on a possibly-insecure platform such as a public web server.

Child public keys can also create their own child public keys (grandchild public keys) by repeating the child key derivation operations:

point( (child_private_key + i) % p ) == child_public_key + point(i)

Whether creating child public keys or further-descended public keys, a predictable sequence of integer values would be no better than using a single public key for all transactions, as anyone who knew one child public key could find all of the other child public keys created from the same parent public key. Instead, a random seed can be used to deterministically generate the sequence of integer values so that the relationship between the child public keys is invisible to anyone without that seed.

The HD protocol uses a single root seed to create a hierarchy of child, grandchild, and other descended keys with unlinkable deterministically-generated integer values. Each child key also gets a deterministically-generated seed from its parent, called a chain code, so the compromise of one chain code does not necessarily compromise the integer sequence for the whole hierarchy. HD key derivation takes four inputs: the parent private key and parent public key (regular 256-bit secp256k1 keys), the parent chain code, and an index number. The parent chain code is 256 bits of seemingly-random data.

The index number is a 32-bit integer specified by the program. In the normal form shown in the above illustration, the parent chain code, the parent public key, and the index number are fed into a one-way cryptographic hash (HMAC-SHA512, keyed with the chain code) to produce 512 bits of deterministically-generated-but-seemingly-random data.

The seemingly-random 256 bits on the righthand side of the hash output are used as a new child chain code. The seemingly-random 256 bits on the lefthand side of the hash output are used as the integer value to be combined with either the parent private key or parent public key to, respectively, create either a child private key or child public key:

child_private_key == (parent_private_key + lefthand_hash_output) % p
child_public_key == point(child_private_key) == parent_public_key + point(lefthand_hash_output)

(If the lefthand value is not smaller than p, or the resulting child key is zero, that index is invalid and the next index is used; the probability is negligible, but an implementation must check.)

Specifying different index numbers will create different unlinkable child keys from the same parent keys. Repeating the procedure for the child keys using the child chain code will create unlinkable grandchild keys. Because creating child keys requires both a key and a chain code, the key and chain code together are called the extended key.

An extended private key and its corresponding extended public key have the same chain code. The (top-level parent) master private key and master chain code are derived from random data, as illustrated below. A root seed is created from either 128 bits, 256 bits, or 512 bits of random data. This root seed of as little as 128 bits is the only data the user needs to back up in order to derive every key created by a particular wallet program using particular settings.

As of this writing, HD wallet programs are not expected to be fully compatible, so users must only use the same HD wallet program with the same HD-related settings for a particular root seed.

The root seed is hashed (HMAC-SHA512 with the key "Bitcoin seed") to create 512 bits of seemingly-random data, from which the master private key (the left 256 bits) and master chain code (the right 256 bits) are created; together they form the master extended private key.

The master public key is derived from the master private key using point(), which, together with the master chain code, is the master extended public key. The master extended keys are functionally equivalent to other extended keys; it is only their location at the top of the hierarchy which makes them special.

Hardened extended keys fix a potential problem with normal extended keys.

If an attacker gets a normal parent chain code and parent public key, he can derive every normal child chain code and child public key below it, since that derivation needs nothing secret. If the attacker also obtains a child, grandchild, or further-descended private key, he can use the chain code to generate all of the extended private keys descending from that private key, as shown in the grandchild and great-grandchild generations of the illustration below.

Perhaps worse, the attacker can reverse the normal child private key derivation formula: the lefthand hash output is computable from the parent chain code, parent public key and index number alone, so subtracting it from a child private key recovers the parent private key, as shown in the child and parent generations of the illustration above. This means an attacker who acquires an extended public key and any normal private key descended from it can recover that extended public key's private key and everything below it. For this reason, the chain code part of an extended public key should be better secured than standard public keys, and users should be advised against exporting even non-extended private keys to possibly-untrustworthy environments.

This can be fixed, with some tradeoffs, by replacing the normal key derivation formula with a hardened key derivation formula. The normal key derivation formula, described in the section above, combines together the index number, the parent chain code, and the parent public key to create the child chain code and the integer value which is combined with the parent private key to create the child private key.

The hardened formula, illustrated above, combines together the index number, the parent chain code, and the parent private key to create the data used to generate the child chain code and child private key. This formula makes it impossible to create child public keys without knowing the parent private key; in other words, a parent extended public key cannot create hardened child public keys. Because of that, a hardened extended private key is much less useful than a normal extended private key; however, hardened extended private keys create a firewall through which multi-level key derivation compromises cannot happen.

Because hardened child extended public keys cannot generate grandchild chain codes on their own, the compromise of a parent extended public key cannot be combined with the compromise of a grandchild private key to create great-grandchild extended private keys. The HD protocol uses different index numbers to indicate whether a normal or hardened key should be generated.

Index numbers from 0x00 to 0x7fffffff (0 to 2^31 - 1) will generate a normal key; index numbers from 0x80000000 to 0xffffffff will generate a hardened key. To make descriptions easy, many developers use the prime symbol to indicate hardened keys, so the first normal key (0x00) is 0 and the first hardened key (0x80000000) is 0'. Bitcoin developers typically use the ASCII apostrophe rather than the unicode prime symbol, a convention we will henceforth follow. This compact description is further combined with slashes prefixed by m or M to indicate hierarchy and key type, with m being a private key and M being a public key. For example, m/0'/0/122' refers to the 123rd hardened private child (by index number) of the first normal child (by index) of the first hardened child of the master private key.

The following hierarchy illustrates prime notation and hardened key firewalls. Wallets following the BIP32 HD protocol only create hardened children of the master private key (m) to prevent a compromised child key from compromising the master key. As there are no normal children for the master keys, the master public key is not used in HD wallets. All other keys can have normal children, so the corresponding extended public keys may be used instead.
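As an added example (my code, not the guide's or any wallet's), the following Python implements the normal and hardened derivation steps described in this section for secp256k1 with only the standard library, walks a path written in the m/0'/1 notation, checks the point() identity the protocol rests on, and carries out the attack the hardened-keys discussion warns about: recovering a parent private key from its extended public key plus the private key of one normal child. The point arithmetic is written out by hand and is not constant-time, so this is for study, not for a production wallet; the main block uses the seed of BIP32's published test vector 1.

```python
import hashlib
import hmac

# secp256k1: field prime, generator order (the text's "p"), generator point, hardened threshold.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000


def ec_add(a, b):
    """Group law on y^2 = x^3 + 7 over GF(P); None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def point(k: int):
    """The text's point(): private key integer -> public key point k*G, by double-and-add."""
    r, q = None, G
    while k:
        if k & 1:
            r = ec_add(r, q)
        q = ec_add(q, q)
        k >>= 1
    return r


def ser_p(pt) -> bytes:
    """Compressed public key: 0x02 for even y, 0x03 for odd y, then the 32-byte x coordinate."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")


def homomorphism_holds(k: int, i: int) -> bool:
    """The identity the HD protocol rests on: point((k + i) % n) == point(k) + point(i)."""
    return point((k + i) % N) == ec_add(point(k), point(i))


def master_from_seed(seed: bytes):
    """Root seed -> (master private key, master chain code), HMAC-SHA512 keyed "Bitcoin seed"."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def ckd_priv(k: int, c: bytes, i: int):
    """Child extended private key. A hardened index (>= 2^31) feeds the parent *private* key to
    the HMAC, so nobody holding only the parent extended public key can repeat the derivation."""
    if i >= HARDENED:
        data = b"\x00" + k.to_bytes(32, "big") + i.to_bytes(4, "big")
    else:
        data = ser_p(point(k)) + i.to_bytes(4, "big")
    digest = hmac.new(c, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    child = (il + k) % N
    if il >= N or child == 0:  # negligible probability, but BIP32 says skip such an index
        raise ValueError("invalid child key at this index; use the next index")
    return child, digest[32:]


def ckd_pub(K, c: bytes, i: int):
    """Child extended public key from the parent extended public key alone (normal children)."""
    if i >= HARDENED:
        raise ValueError("hardened children cannot be derived from an extended public key")
    digest = hmac.new(c, ser_p(K) + i.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    return ec_add(point(il), K), digest[32:]


def derive_path(seed: bytes, path: str):
    """Walk a path such as m/0'/1 (apostrophe = hardened); returns the leaf's (k, chain code)."""
    k, c = master_from_seed(seed)
    for part in path.split("/")[1:]:
        i = int(part.rstrip("'")) + (HARDENED if part.endswith("'") else 0)
        k, c = ckd_priv(k, c, i)
    return k, c


def recover_parent_private(K, c: bytes, i: int, child_k: int) -> int:
    """The attack behind hardened keys: given a parent extended public key (K, c) and the private
    key of any *normal* child i, recompute IL from public data and subtract it."""
    digest = hmac.new(c, ser_p(K) + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return (child_k - int.from_bytes(digest[:32], "big")) % N


if __name__ == "__main__":
    seed = bytes.fromhex("000102030405060708010a0b0c0d0e0f".replace("08010a", "08090a"))  # BIP32 test vector 1
    k0, c0 = derive_path(seed, "m/0'")
    k01, _ = derive_path(seed, "m/0'/1")
    print("m/0'/1 private key:", hex(k01))
    print("m/0' recovered from its xpub and m/0'/1:", recover_parent_private(point(k0), c0, 1, k01) == k0)
```

Because m/0' is a hardened child, the master extended public key cannot produce it (ckd_pub refuses), which is the firewall described above; the attack only works one level down, across the normal child m/0'/1, and that is exactly why BIP32 wallets harden the first level.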

