xOP_IFDUP 115 0x73 x x / x x If the input is true or false, duplicate it.

Shouldn't it be: "If the input is true, duplicate it."?
--[[User:ThePiachu|ThePiachu]] 11:37, 20 December 2011 (GMT)

The byte vectors in the stack are specified as being signed integers of variable-length. Then there's an explanation that these integers are considered false if they are either zero or negative zero, which is 0x80. For this to be the case, the elements should be represented in an old binary format called sign-magnitude, which is important to state explicitly, since today virtually all computers use two's complement as representation, and there's no such thing as a negative zero. There's even another representation, one's complement, where negative zero looks like 0xff.

Reading the source code of the application, I see that arithmetic operations expect unsigned integers, for example, operations OP_2MUL and OP_2DIV are implemented as byte-shifting, which wouldn't work with signed representations.

It seems to me that, at best, variable-length sign-magnitued integer format is only used for testing for truth, although I haven't read all the code yet.

--[[User:Jpierre|Jean-Pierre Rupp]] 10:43, 4 March 2012 (GMT)

== Provably Unspendable/Prunable Outputs ==

If im not mistaken this kind of transaction would not result in donating the output to the miner. It would instead make the output unusable by anyone forever. In my opinion the best and easiest way to donate to miner is just transfer BTC between your own addresses and set a high fee. [[User:Norill|Norill]] ([[User talk:Norill|talk]]) 22:32, 14 April 2013 (GMT)

normill: Fixed wording for OP_RETURN; it is mining fee in the example because the output value is zero, not 0.125BTC as I think you thought. Sorry about that.
[[User:Petertodd|Peter Todd]] ([[User talk:Petertodd|talk]]) 02:51, 23 July 2013 (GMT)

Talk:Script

2013-07-23T02:50:36Z

Petertodd:

2013-04-15T12:39:16Z

Petertodd: /* Rational */

An off-chain transaction is the movement of value outside of the [[block chain]]. While an [[Transactions|on-chain transaction]] - usually referred to as simply 'a transaction' - modifies the blockchain and depends on the blockchain to determine its validity an off-chain transaction relies on other methods to record and validate the transaction. Like on-chain transactions all parties must agree to accept the particular method by which the transaction occurs, the question then being, how can those parties be convinced that the movement of value has actually happened, will not be reversed, and can be exchanged in the future for something of value?

With an on-chain transaction those questions are answered by the parties faith in the Bitcoin system as a whole. For instance a transaction (after some number of confirmations) can only be reversed if a majority of hashing power agrees to reverse the transaction. The parties to the transaction are trusting that the majority of hashing power in existence is controlled by "honest" parties who will not attempt to reverse the transaction.

== Rational ==

On-chain transactions have disadvantages that make them unsuitable for some applications:

=== Speed ===

On-chain transactions take some time to accumulate enough [[Confirmation|confirmations]] to ensure that they can-not be reversed; accepting a transaction [[Zero-Conf Transactions|without any confirmations]] is potentially risky. Confirmations take time and the time they take to accumulate is random. Off-chain transaction systems can record that a transaction has happened immediately, and, subject to the guarantees of the system itself, immediately guarantee it won't be reversed.

=== Privacy/Anonymity ===

All on-chain transactions are recorded publicly on the block chain; Bitcoin transactions are not inherently [[Anonymity|anonymous]]. It may be possible for a third-party to use the block chain transaction data to determine the source and/or destination of a transaction if they can gather enough information linking addresses to identities. Because off-chain transactions do not happen on the block chain they need not be public. Using cryptographic techniques such as [http://en.wikipedia.org/wiki/Blind_signature chaum tokens] it can be made impossible for even the operators of the system itself to determine who participated in a transaction.

=== Cost/Scalability ===

Miners usually charge [[Transaction fees|fees]] to confirm a transaction. While currently the demand for transactions is sufficiently low that fees are relatively small, and transactions can often be confirmed for free, for many applications even paying a few cents per transaction is unaffordable.<ref>[https://bitcointalk.org/index.php?topic=156334.0 How to send BitCoins with LOW TX FEE (Not No TX Fee)]</ref> In addition Bitcoin currently has a limit of 7 transactions per second, the [[blocksize limit]]. This limit is related to the [[Scalability|scalability]] of the system as a whole, and one option to achieve higher transaction volumes is to keep the blocksize limit as is and use off-chain transactions for lower-value transactions; with higher volumes fees for transactions done on-chain will rise due to supply and demand.

== Methods ==

The most simple example of an off-chain transaction is perhaps two friends who agree on a debt between them. The "transaction" happens by the act of agreeing that the debt exists, and the validity of it is based solely on the trust that one friend has in the other. Further transactions can be agreed upon, possibly in exchange for something of value such one friend buying the other a meal. Multiple mutually trusting parties can participate, creating a network of value owed from one to the other. As an example the [http://en.wikipedia.org/wiki/Ripple_monetary_system Ripple monetary system] takes this concept, and adds to it an automated ledger to record all the mutual debts between participating parties. However actually acting upon those debts is still a matter of trust between the parties, the system only records and can-not by itself cause Bitcoins or some other object of value to change hands.

=== Trusted Third Parties ===

If the sender and recipient do not trust each other, or would simply prefer someone else record and guarantee the transaction, they can use a [http://en.wikipedia.org/wiki/Trusted_third_party trusted third party] to record and guarantee the transaction. The vast majority of conventional banking and electronic payment systems work this way. For instance in the PayPal system, PayPal is trusted to keep an accurate record of all transactions, including within the PayPal system, as well as transactions that move funds to and from PayPal. Within Bitcoin [[Redeemable_code|redeemable code]] systems exist where a third party, such as Mt. Gox, records codes issued and promise to redeem them for either new codes, balances within the system, or Bitcoins via on-chain transactions. In addition [[E-Wallet]] services such as [[Easywallet.org]] often allow users to transfer funds between addresses within the system without creating an on-chain transaction.

The difficulty with third-parties is achieving that trust. Outside of Bitcoin PayPal has been criticized<ref>[http://en.wikipedia.org/wiki/PayPal#Criticism PayPal - Criticism]</ref> for arbitrarily freezing accounts. Within Bitcoin multiple E-Wallet services such as [[MyBitcoin]] and [[Instawallet]] have failed due to hacks as well as technical mistakes resulting in the loss of some or all funds held on behalf of their customers.

=== Auditing Third Parties ===

In addition to hacks, currently no trusted third party payment systems in Bitcoin provide any way for users to determine if the services actually hold the Bitcoins they claim to hold. Conventionally banks and payment processors are [http://en.wikipedia.org/wiki/Financial_audit audited] regularly by third-parties - because Bitcoin is based on cryptography auditing can be done in a cryptographically provable way.

Gregory Maxwell has proposed<ref>private communication on IRC (gmaxwell: do you have a writeup somewhere?)</ref> to use [[merkle-sum trees]] of accounts to audit funds held by third parties. Each account with the service is assigned a number, such as a SHA256 digest, and those digests are formed into a merkle tree. Additionally for every node in the tree the sum of the account balances on both leaves is computed, and that sum becomes part of the data hashed by the parent node. The tip of the tree is then the sum of all balances for all accounts.

The service proves they control the Bitcoins they claim to by signing statements with the private keys capable of spending transaction outputs present on the blockchain, and in addition regularly sign statements attesting what is the current tip of the account merkle-sum tree.

Clients check that their account is included in that tree by regularly demanding proof, in the form of a merkle path, that their account leads to the claimed tip. Any discrepancy is evidence of fraud on by the service, or at least poor record-keeping.

== References ==

<references/>

Off-chain transactions

2013-04-15T11:55:00Z

Petertodd: grammar

2013-04-14T10:58:00Z

Petertodd: Wording

What Bitcoin provides is a means to determine what is the consensus version
of the transaction history, with the consensus determined by what a majority of
hashing power applied to the proof of work problem by miners accepts as the
true history. Since those who own Bitcoins, and who have access to hashing
power, are not necessarily the same group there needs to be a mechanism for the
former to fund the latter. The risk is that mechanism failing, and the majority
of hashing power acting in a way that is against the wishes of the majority of
economic interests.

An attacker with a majority of hashing power can either publish blocks they
mine as they mine them, or withhold them. The former simply makes it impossible
to get transactions confirmed that the attacker does not wish to be confirmed.
The latter however can be used to rewrite the blockchain after the fact,
causing transactions that appeared to be confirmed to become unconfirmed and
vulnerable to reversal. In addition the attacker can exploit [[Transaction Malleability]] to make it impossible for those transactions to ever be included
in the blockchain again.

The hashing power majority does not need to constitute a single individual or
coherent group. For instance the economic majority may see [[fungibility]] as
important, and thus want to ensure transaction outputs can not be blacklisted<ref>[https://bitcointalk.org/index.php?topic=157130.0 Decentralised crime fighting using private set intersection protocols]</ref> to prevent transactions spending them from being confirmed,
even if those outputs are known to be involved with illegal activity such as theft or fraud.
However the actions of mining pools are usually public knowledge; which blocks
they mine is usually published on the pool website. If mining a transaction
output known to be involved in illegal activity is made illegal, mining pools
may independently seek out sources of information on transaction outputs known
to be involved in illegal activity, and prohibit transactions spending those
outputs from the blocks they mine, as well as delibrately trying to mine blocks
that would [[Orphan Block|orphan blocks]] with such transactions.

Similarly it could be made illegal to mine a transaction if the identity of the
person making the transaction is not known, in conjunction with ways for
transactions to make that identity public. Again, even if the economic majority
would prefer to be able to make anonymous transactions, the hashing power
majority may not want to take that risk.

Conversely the opposite may be true in either example; what "security" is may not always be obvious or easily agreed upon.

== Inflation Subsidy ==

Currently each block [[Controlled_Currency_Supply|creates 25 BTC]] as the block
reward; as of April 2013 that inflates the currency supply by about 11% per
year, in effect transferring 11% of the value of all the Bitcoins in existence
to miners to pay for the security they provide. However, every four years the
block reward is decreased by half, thus halving the overall inflation subsidy
that pays miners.

The inflation subsidy pays miners directly from Bitcoin as a whole; in effect
everyone holding Bitcoins is paying for security directly. However at some
point it will become small enough that Bitcoin could be attacked by someone
with very little resources. In addition a miner can still collect the inflation
subsidy without including any transactions at all in the blocks they mine.

It is predicted that the inflation subsidy will reach less than 1% of the
Bitcoin nominal market cap sometime in 2033. However that figure is subject to
the amount of [[lost coins]] from the early days of Bitcoin; it is unknown what
the market cap of coins with owners able to spend them actually is.

== Transaction Fees ==

Transactions may include [[transaction_fees|fees]] which are given to the miner
who included the transaction in a block. These fees can range from 0% to 100%
of the transaction inputs technically speaking, although what is economically
practical is a subset of that.

Fees can align the economic interests of Bitcoin users with the interests of
miners. For instance in the above example of anonymous transactions fees can
encourage miners to mine anonymous transactions regardless of the legal risk,
or to take (possibly expensive) measures to reduce that risk.

=== The Blocksize Limit ===

Currently blocks are limited to 1MB in size, and further limited by "gentlemans
agreement" in the form of a 500KB default maximum. While miners can choose to
mine blocks exceeding the 500KB limit, the 1MB limit is fixed and any block
larger than it is invalid; block space is a scarce resource. Provided that the
demand for transactions is greater than about [[Maximum transaction rate|seven
per second]] we can expect transaction fees to be greater than the marginal
costs required to accept a transaction, thus creating a profit that can be used
to fund the operation of hashing power.

=== Off-chain Transactions ===

If making a transaction becomes too expensive it can become worthwhile to use
an off-chain payment system to move the funds instead, either one denominated
in Bitcoins, or in a different currency entirely; the availability of off-chain
transactions limits the maximum fees that miners can charge, in turn limiting the value of transactions as a way to fund security.

== Alternatives ==

If transaction fees and the inflation subsidy do not pay for adequate security
alternatives exist. In particular users who own Bitcoins, yet do not perform
transactions, possibly because they are holding onto their Bitcoins as an
investment and/or use off-chain transactions, only pay for security through the
inflation subsidy.

In addition one approach to the [[scalability|scalability problem]] posed by
the current 1MB blocksize limit is to remove or increase that limit. Without
the blocksize limit it is expected that transaction fees will fall to the
[[marginal costs of a transaction]], which means that fees will not pay for any
security at all.

=== Individual ===

As individuals Bitcoin owners can fund network security in a variety of ways,
including artifical fee-paying transactions, paying abnormally high fees,
donating directly to known miners, and operating their own mining equipment.
The latter two methods have the advantage that the donator has control over the
policy followed by the miner being funded.

However mining is a public good: any individual can also simply hope that
others will fund security for them, also known as the
[http://en.wikipedia.org/wiki/Free_rider_problem free rider problem].

=== Assurance Contracts ===

An assurance contract, also known as a provision point mechanism, is a game
theoretic mechanism and a financial technology that facilitates the voluntary
creation of public goods and club goods in the face of the free rider
problem.<ref>http://en.wikipedia.org/wiki/Assurance_contract</ref>

The free rider problem is that there may be actions that would benefit a large
group of people, but once the action is taken, there is no way to exclude those
who did not pay for the action from the benefits. In Bitcoin the problem is
that mining is costly and benefits everyone who owns Bitcoins and/or performs
transactions. A mining assurance contract needs to be constructed in such a way
that participants agree that if some large amount of funds are commited, those
funds will go to mining in some way, with the amount set to be large enough for
a sufficiently high percentage of the economic activity of Bitcoin must have
participated to avoid the free rider problem.

Bitcoin already supports assurance contracts as a transaction
type<ref>[[Contracts#Example_3:_Assurance_contracts]]</ref> - for a
mining assurance contract the transaction output would be set to either an
[[Script#Anyone-Can-Spend_Outputs|anyone can spend]] output, or an address owned
by a specific miner. However as-is they have a serious problem: a miner can
always collect the funds pledged to date by simply adding a sufficient amount
of their own funds to the outstanding contract, and mining that transaction
themselves, thus turning the contract into a simple
donation.<ref>[https://bitcointalk.org/index.php?topic=157141.msg1821770#msg1821770]</ref>
(modulo the small chance of the block being orphaned; if the chance is large, the assurance contract is not encouraging orderly mining) The problem can be mitigated somewhat by forcing donators to reveal their identity in a provable way, but then high participation is difficult to achieve.

With [[nLockTime]] a transaction can be created where the miner who will
actually collect it is unknown in advance. As the deadline approaches, if the
contract is not fully funded, participants double-spend their pledged
transaction outputs to invalidate the contract. However this mechanism has the
problem that anyone can make the contract fail, even if it is fully funded.
That problem can be solved if Bitcoin's scripting language is extended to allow
for transaction outputs that can only be spent by transactions following
certain forms - the outputs would be locked to the contract until some time
after the contract
expires.<ref>[https://bitcointalk.org/index.php?topic=157141.msg1822138#msg1822138]</ref>

== References ==
<references/>
* [https://bitcointalk.org/index.php?topic=157141.0 Bitcointalk thread]
[[Category:Technical]]