From 39c5f0911892126421b1d6f4c3cae88a3fd513af Mon Sep 17 00:00:00 2001 From: "Andreas M. Antonopoulos" Date: Tue, 18 Oct 2016 19:07:10 +0200 Subject: [PATCH 01/24] rename new ch06 --- ch05-orig.asciidoc => ch06.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename ch05-orig.asciidoc => ch06.asciidoc (99%) diff --git a/ch05-orig.asciidoc b/ch06.asciidoc similarity index 99% rename from ch05-orig.asciidoc rename to ch06.asciidoc index b6b23435..ad16279f 100644 --- a/ch05-orig.asciidoc +++ b/ch06.asciidoc @@ -1,8 +1,8 @@ -[[ch5]] +[[ch06]] [[transactions]] == Transactions -[[ch5_intro]] +[[ch06_intro]] === Introduction ((("transactions", id="ix_ch05-asciidoc0", range="startofrange")))Transactions are the most important part of the bitcoin system. Everything else in bitcoin is designed to ensure that transactions can be created, propagated on the network, validated, and finally added to the global ledger of transactions (the blockchain). Transactions are data structures that encode the transfer of value between participants in the bitcoin system. Each transaction is a public entry in bitcoin's blockchain, the global double-entry bookkeeping ledger. From 222b6af4f837f1dd595bb66e64d0e500f303da2d Mon Sep 17 00:00:00 2001 From: "Andreas M. Antonopoulos" Date: Fri, 21 Oct 2016 11:39:45 +0200 Subject: [PATCH 02/24] renamed index entries --- ch06.asciidoc | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/ch06.asciidoc b/ch06.asciidoc index ad16279f..6d99563a 100644 --- a/ch06.asciidoc +++ b/ch06.asciidoc @@ -5,14 +5,14 @@ [[ch06_intro]] === Introduction -((("transactions", id="ix_ch05-asciidoc0", range="startofrange")))Transactions are the most important part of the bitcoin system. Everything else in bitcoin is designed to ensure that transactions can be created, propagated on the network, validated, and finally added to the global ledger of transactions (the blockchain). Transactions are data structures that encode the transfer of value between participants in the bitcoin system. Each transaction is a public entry in bitcoin's blockchain, the global double-entry bookkeeping ledger. +((("transactions", id="ix_ch06-asciidoc0", range="startofrange")))Transactions are the most important part of the bitcoin system. Everything else in bitcoin is designed to ensure that transactions can be created, propagated on the network, validated, and finally added to the global ledger of transactions (the blockchain). Transactions are data structures that encode the transfer of value between participants in the bitcoin system. Each transaction is a public entry in bitcoin's blockchain, the global double-entry bookkeeping ledger. In this chapter we will examine all the various forms of transactions, what they contain, how to create them, how they are verified, and how they become part of the permanent record of all transactions. [[tx_lifecycle]] === Transaction Lifecycle -((("transactions","lifecycle of", id="ix_ch05-asciidoc1", range="startofrange")))A transaction's lifecycle starts with the transaction's creation, also known as((("origination of transactions"))) _origination_. The transaction is then signed with one or more signatures indicating the authorization to spend the funds referenced by the transaction. The transaction is then broadcast on the bitcoin network, where each network node (participant) validates and propagates the transaction until it reaches (almost) every node in the network. Finally, the transaction is verified by a mining node and included in a block of transactions that is recorded on the blockchain. +((("transactions","lifecycle of", id="ix_ch06-asciidoc1", range="startofrange")))A transaction's lifecycle starts with the transaction's creation, also known as((("origination of transactions"))) _origination_. The transaction is then signed with one or more signatures indicating the authorization to spend the funds referenced by the transaction. The transaction is then broadcast on the bitcoin network, where each network node (participant) validates and propagates the transaction until it reaches (almost) every node in the network. Finally, the transaction is verified by a mining node and included in a block of transactions that is recorded on the blockchain. Once recorded on the blockchain and confirmed by sufficient subsequent blocks (confirmations), the transaction is a permanent part of the bitcoin ledger and is accepted as valid by all participants. The funds allocated to a new owner by the transaction can then be spent in a new transaction, extending the chain of ownership and beginning the lifecycle of a transaction again. @@ -39,7 +39,7 @@ Once a transaction has been created, it is signed by the owner (or owners) of th The bitcoin network is a peer-to-peer network, meaning that each bitcoin node is connected to a few other bitcoin nodes that it discovers during startup through the peer-to-peer protocol. The entire network forms a loosely connected mesh without a fixed topology or any structure, making all nodes equal peers. Messages, including transactions and blocks, are propagated from each node to all the peers to which it is connected, a process called "flooding." A new validated transaction injected into any node on the network will be sent to all of the nodes connected to it (neighbors), each of which will send the transaction to all its neighbors, and so on. In this way, within a few seconds a valid transaction will propagate in an exponentially expanding ripple across the network until all nodes in the network have received it. -The bitcoin network is designed to propagate transactions and blocks to all nodes in an efficient and resilient manner that is resistant to attacks. To prevent spamming, denial-of-service attacks, or other nuisance attacks against the bitcoin system, every node independently validates every transaction before propagating it further. A malformed transaction will not get beyond one node. The rules by which transactions are validated are explained in more detail in <>.(((range="endofrange", startref="ix_ch05-asciidoc1"))) +The bitcoin network is designed to propagate transactions and blocks to all nodes in an efficient and resilient manner that is resistant to attacks. To prevent spamming, denial-of-service attacks, or other nuisance attacks against the bitcoin system, every node independently validates every transaction before propagating it further. A malformed transaction will not get beyond one node. The rules by which transactions are validated are explained in more detail in <>.(((range="endofrange", startref="ix_ch06-asciidoc1"))) [[tx_structure]] === Transaction Structure @@ -94,7 +94,7 @@ What comes first? Inputs or outputs, the chicken or the egg? Strictly speaking, [[tx_outs]] ==== Transaction Outputs -((("bitcoin ledger, outputs in", id="ix_ch05-asciidoc2", range="startofrange")))((("transactions","outputs", id="ix_ch05-asciidoc3", range="startofrange")))((("unspent transaction output (UTXO)", id="ix_ch05-asciidoc4", range="startofrange")))Every bitcoin transaction creates outputs, which are recorded on the bitcoin ledger. Almost all of these outputs, with one exception (see <>) create spendable chunks of bitcoin called _unspent transaction outputs_ or UTXO, which are then recognized by the whole network and available for the owner to spend in a future transaction. Sending someone bitcoin is creating an unspent transaction output (UTXO) registered to their address and available for them to spend. +((("bitcoin ledger, outputs in", id="ix_ch06-asciidoc2", range="startofrange")))((("transactions","outputs", id="ix_ch06-asciidoc3", range="startofrange")))((("unspent transaction output (UTXO)", id="ix_ch06-asciidoc4", range="startofrange")))Every bitcoin transaction creates outputs, which are recorded on the bitcoin ledger. Almost all of these outputs, with one exception (see <>) create spendable chunks of bitcoin called _unspent transaction outputs_ or UTXO, which are then recognized by the whole network and available for the owner to spend in a future transaction. Sending someone bitcoin is creating an unspent transaction output (UTXO) registered to their address and available for them to spend. UTXO are tracked by every full-node bitcoin client as a data set called the((("UTXO pool")))((("UTXO set"))) _UTXO set_ or _UTXO pool_, held in a database. New transactions consume (spend) one or more of these outputs from the UTXO set. @@ -144,12 +144,12 @@ b2affea89ff82557c60d635a2a3137b8f88f12ecec85082f7d0a1f82ee203ac4:0 - 10000000 Sa ===== Spending conditions (encumbrances) -((("encumbrance")))((("locking scripts")))Transaction outputs associate a specific amount (in satoshis) to a specific _encumbrance_ or locking script that defines the condition that must be met to spend that amount. In most cases, the locking script will lock the output to a specific bitcoin address, thereby transferring ownership of that amount to the new owner. When Alice paid Bob's Cafe for a cup of coffee, her transaction created a 0.015 bitcoin output _encumbered_ or locked to the cafe's bitcoin address. That 0.015 bitcoin output was recorded on the blockchain and became part of the Unspent Transaction Output set, meaning it showed in Bob's wallet as part of the available balance. When Bob chooses to spend that amount, his transaction will release the encumbrance, unlocking the output by providing an unlocking script containing a signature from Bob's private key.(((range="endofrange", startref="ix_ch05-asciidoc4")))(((range="endofrange", startref="ix_ch05-asciidoc3")))(((range="endofrange", startref="ix_ch05-asciidoc2"))) +((("encumbrance")))((("locking scripts")))Transaction outputs associate a specific amount (in satoshis) to a specific _encumbrance_ or locking script that defines the condition that must be met to spend that amount. In most cases, the locking script will lock the output to a specific bitcoin address, thereby transferring ownership of that amount to the new owner. When Alice paid Bob's Cafe for a cup of coffee, her transaction created a 0.015 bitcoin output _encumbered_ or locked to the cafe's bitcoin address. That 0.015 bitcoin output was recorded on the blockchain and became part of the Unspent Transaction Output set, meaning it showed in Bob's wallet as part of the available balance. When Bob chooses to spend that amount, his transaction will release the encumbrance, unlocking the output by providing an unlocking script containing a signature from Bob's private key.(((range="endofrange", startref="ix_ch06-asciidoc4")))(((range="endofrange", startref="ix_ch06-asciidoc3")))(((range="endofrange", startref="ix_ch06-asciidoc2"))) [[tx_inputs]] ==== Transaction Inputs -((("transactions","inputs", id="ix_ch05-asciidoc5", range="startofrange")))In simple terms, transaction inputs are pointers to UTXO. They point to a specific UTXO by reference to the transaction hash and sequence number where the UTXO is recorded in the blockchain. To spend UTXO, a transaction input also includes unlocking scripts that satisfy the spending conditions set by the UTXO. The unlocking script is usually a signature proving ownership of the bitcoin address that is in the locking script. +((("transactions","inputs", id="ix_ch06-asciidoc5", range="startofrange")))In simple terms, transaction inputs are pointers to UTXO. They point to a specific UTXO by reference to the transaction hash and sequence number where the UTXO is recorded in the blockchain. To spend UTXO, a transaction input also includes unlocking scripts that satisfy the spending conditions set by the UTXO. The unlocking script is usually a signature proving ownership of the bitcoin address that is in the locking script. When users make a payment, their wallet constructs a transaction by selecting from the available UTXO. For example, to make a 0.015 bitcoin payment, the wallet app may select a 0.01 UTXO and a 0.005 UTXO, using them both to add up to the desired payment amount. @@ -192,13 +192,13 @@ Once the UTXO is selected, the wallet then produces unlocking scripts containing [NOTE] ==== -The sequence number is used to override a transaction prior to the expiration of the transaction locktime, which is a feature that is currently disabled in bitcoin. Most transactions set this value to the maximum integer value (0xFFFFFFFF) and it is ignored by the bitcoin network. If the transaction has a nonzero locktime, at least one of its inputs must have a sequence number below 0xFFFFFFFF in order to enable locktime.(((range="endofrange", startref="ix_ch05-asciidoc5"))) +The sequence number is used to override a transaction prior to the expiration of the transaction locktime, which is a feature that is currently disabled in bitcoin. Most transactions set this value to the maximum integer value (0xFFFFFFFF) and it is ignored by the bitcoin network. If the transaction has a nonzero locktime, at least one of its inputs must have a sequence number below 0xFFFFFFFF in order to enable locktime.(((range="endofrange", startref="ix_ch06-asciidoc5"))) ==== [[tx_fees]] ==== Transaction Fees -((("fees, transaction", id="ix_ch05-asciidoc6", range="startofrange")))Most transactions include transaction fees, which compensate the bitcoin miners for securing the network. Mining and the fees and rewards collected by miners are discussed in more detail in <>. This section examines how transaction fees are included in a typical transaction. Most wallets calculate and include transaction fees automatically. However, if you are constructing transactions programmatically, or using a command-line interface, you must manually account for and include these fees. +((("fees, transaction", id="ix_ch06-asciidoc6", range="startofrange")))Most transactions include transaction fees, which compensate the bitcoin miners for securing the network. Mining and the fees and rewards collected by miners are discussed in more detail in <>. This section examines how transaction fees are included in a typical transaction. Most wallets calculate and include transaction fees automatically. However, if you are constructing transactions programmatically, or using a command-line interface, you must manually account for and include these fees. Transaction fees serve as an incentive to include (mine) a transaction into the next block and also as a disincentive against "spam" transactions or any kind of abuse of the system, by imposing a small cost on every transaction. Transaction fees are collected by the miner who mines the block that records the transaction on the blockchain. @@ -206,11 +206,11 @@ Transaction fees serve as an incentive to include (mine) a transaction into the Over time, the way transaction fees are calculated and the effect they have on transaction prioritization has been evolving. At first, transaction fees were fixed and constant across the network. Gradually, the fee structure has been relaxed so that it may be influenced by market forces, based on network capacity and transaction volume. The current minimum transaction fee is fixed at 0.0001 bitcoin or a tenth of a milli-bitcoin per kilobyte, recently decreased from one milli-bitcoin. Most transactions are less than one kilobyte; however, those with multiple inputs or outputs can be larger. In future revisions of the bitcoin protocol, it is expected that wallet applications will use statistical analysis to calculate the most appropriate fee to attach to a transaction based on the average fees of recent transactions. -The current algorithm used by miners to prioritize transactions for inclusion in a block based on their fees is examined in detail in <>.(((range="endofrange", startref="ix_ch05-asciidoc6"))) +The current algorithm used by miners to prioritize transactions for inclusion in a block based on their fees is examined in detail in <>.(((range="endofrange", startref="ix_ch06-asciidoc6"))) ==== Adding Fees to Transactions -((("fees, transaction","adding", id="ix_ch05-asciidoc7", range="startofrange")))((("transactions","fees", id="ix_ch05-asciidoc8", range="startofrange")))The data structure of transactions does not have a field for fees. Instead, fees are implied as the difference between the sum of inputs and the sum of outputs. Any excess amount that remains after all outputs have been deducted from all inputs is the fee that is collected by the miners. +((("fees, transaction","adding", id="ix_ch06-asciidoc7", range="startofrange")))((("transactions","fees", id="ix_ch06-asciidoc8", range="startofrange")))The data structure of transactions does not have a field for fees. Instead, fees are implied as the difference between the sum of inputs and the sum of outputs. Any excess amount that remains after all outputs have been deducted from all inputs is the fee that is collected by the miners. [[tx_fee_equation]] @@ -234,7 +234,7 @@ Now let's look at a different scenario. Eugenia, our children's charity director As Eugenia's wallet application tries to construct a single larger payment transaction, it must source from the available UTXO set, which is composed of many smaller amounts. That means that the resulting transaction will source from more than a hundred small-value UTXO as inputs and only one output, paying the book publisher. A transaction with that many inputs will be larger than one kilobyte, perhaps 2 to 3 kilobytes in size. As a result, it will require a higher fee than the minimal network fee of 0.0001 bitcoin. -Eugenia's wallet application will calculate the appropriate fee by measuring the size of the transaction and multiplying that by the per-kilobyte fee. Many wallets will overpay fees for larger transactions to ensure the transaction is processed promptly. The higher fee is not because Eugenia is spending more money, but because her transaction is more complex and larger in size—the fee is independent of the transaction's bitcoin value.(((range="endofrange", startref="ix_ch05-asciidoc8")))(((range="endofrange", startref="ix_ch05-asciidoc7"))) +Eugenia's wallet application will calculate the appropriate fee by measuring the size of the transaction and multiplying that by the per-kilobyte fee. Many wallets will overpay fees for larger transactions to ensure the transaction is processed promptly. The higher fee is not because Eugenia is spending more money, but because her transaction is more complex and larger in size—the fee is independent of the transaction's bitcoin value.(((range="endofrange", startref="ix_ch06-asciidoc8")))(((range="endofrange", startref="ix_ch06-asciidoc7"))) [[tx_chains]] === Transaction Chaining and Orphan Transactions @@ -248,7 +248,7 @@ There is a limit to the number of orphan transactions stored in memory, to preve [[tx_script]] === Transaction Scripts and Script Language -((("scripts", id="ix_ch05-asciidoc9", range="startofrange")))((("transactions","script language for", id="ix_ch05-asciidoc10", range="startofrange")))((("transactions","validation", id="ix_ch05-asciidoc11", range="startofrange")))((("validation (transaction)", id="ix_ch05-asciidoc12", range="startofrange")))Bitcoin clients validate transactions by executing a script, written in a Forth-like scripting language. Both the locking script (encumbrance) placed on a UTXO and the unlocking script that usually contains a signature are written in this scripting language. When a transaction is validated, the unlocking script in each input is executed alongside the corresponding locking script to see if it satisfies the spending condition. +((("scripts", id="ix_ch06-asciidoc9", range="startofrange")))((("transactions","script language for", id="ix_ch06-asciidoc10", range="startofrange")))((("transactions","validation", id="ix_ch06-asciidoc11", range="startofrange")))((("validation (transaction)", id="ix_ch06-asciidoc12", range="startofrange")))Bitcoin clients validate transactions by executing a script, written in a Forth-like scripting language. Both the locking script (encumbrance) placed on a UTXO and the unlocking script that usually contains a signature are written in this scripting language. When a transaction is validated, the unlocking script in each input is executed alongside the corresponding locking script to see if it satisfies the spending condition. Today, most transactions processed through the bitcoin network have the form "Alice pays Bob" and are based on the same script called a Pay-to-Public-Key-Hash script. However, the use of scripts to lock outputs and unlock inputs means that through use of the programming language, transactions can contain an infinite number of conditions. Bitcoin transactions are not limited to the "Alice pays Bob" form and pattern. @@ -283,7 +283,7 @@ image::images/msbt_0501.png["scriptSig_and_scriptPubKey"] [[tx_script_language]] ==== Scripting Language -((("Script language", id="ix_ch05-asciidoc13", range="startofrange")))((("scripts","language for", id="ix_ch05-asciidoc14", range="startofrange")))The bitcoin transaction script language, called _Script_, is a Forth-like reverse-polish notation stack-based execution language. If that sounds like gibberish, you probably haven't studied 1960's programming languages. Script is a very simple language that was designed to be limited in scope and executable on a range of hardware, perhaps as simple as an embedded device, such as a handheld calculator. It requires minimal processing and cannot do many of the fancy things modern programming languages can do. In the case of programmable money, that is a deliberate security feature. +((("Script language", id="ix_ch06-asciidoc13", range="startofrange")))((("scripts","language for", id="ix_ch06-asciidoc14", range="startofrange")))The bitcoin transaction script language, called _Script_, is a Forth-like reverse-polish notation stack-based execution language. If that sounds like gibberish, you probably haven't studied 1960's programming languages. Script is a very simple language that was designed to be limited in scope and executable on a range of hardware, perhaps as simple as an embedded device, such as a handheld calculator. It requires minimal processing and cannot do many of the fancy things modern programming languages can do. In the case of programmable money, that is a deliberate security feature. Bitcoin's scripting language is called a stack-based language because it uses a data structure called a((("stack, defined"))) _stack_. A stack is a very simple data structure, which can be visualized as a stack of cards. A stack allows two operations: push and pop. Push adds an item on top of the stack. Pop removes the top item from the stack. @@ -319,7 +319,7 @@ The validation software combines the locking and unlocking scripts and the resul 2 3 OP_ADD 5 OP_EQUAL ---- -As we saw in the step-by-step example in <>, when this script is executed, the result is +OP_TRUE+, making the transaction valid. Not only is this a valid transaction output locking script, but the resulting UTXO could be spent by anyone with the arithmetic skills to know that the number 2 satisfies the script. (((range="endofrange", startref="ix_ch05-asciidoc14")))(((range="endofrange", startref="ix_ch05-asciidoc13"))) +As we saw in the step-by-step example in <>, when this script is executed, the result is +OP_TRUE+, making the transaction valid. Not only is this a valid transaction output locking script, but the resulting UTXO could be spent by anyone with the arithmetic skills to know that the number 2 satisfies the script. (((range="endofrange", startref="ix_ch06-asciidoc14")))(((range="endofrange", startref="ix_ch06-asciidoc13"))) [[simplemath_script]] .Bitcoin's script validation doing simple math @@ -338,7 +338,7 @@ Transactions are valid if the top result on the stack is TRUE (noted as ++{ ==== Stateless Verification -((("stateless verification of transactions")))((("transactions","statelessness of")))The bitcoin transaction script language is stateless, in that there is no state prior to execution of the script, or state saved after execution of the script. Therefore, all the information needed to execute a script is contained within the script. A script will predictably execute the same way on any system. If your system verifies a script, you can be sure that every other system in the bitcoin network will also verify the script, meaning that a valid transaction is valid for everyone and everyone knows this. This predictability of outcomes is an essential benefit of the bitcoin system.(((range="endofrange", startref="ix_ch05-asciidoc12")))(((range="endofrange", startref="ix_ch05-asciidoc11")))(((range="endofrange", startref="ix_ch05-asciidoc10")))(((range="endofrange", startref="ix_ch05-asciidoc9"))) +((("stateless verification of transactions")))((("transactions","statelessness of")))The bitcoin transaction script language is stateless, in that there is no state prior to execution of the script, or state saved after execution of the script. Therefore, all the information needed to execute a script is contained within the script. A script will predictably execute the same way on any system. If your system verifies a script, you can be sure that every other system in the bitcoin network will also verify the script, meaning that a valid transaction is valid for everyone and everyone knows this. This predictability of outcomes is an essential benefit of the bitcoin system.(((range="endofrange", startref="ix_ch06-asciidoc12")))(((range="endofrange", startref="ix_ch06-asciidoc11")))(((range="endofrange", startref="ix_ch06-asciidoc10")))(((range="endofrange", startref="ix_ch06-asciidoc9"))) [[std_tx]] === Standard Transactions @@ -352,7 +352,7 @@ The five standard types of transaction scripts are pay-to-public-key-hash (P2PKH [[p2pkh]] ==== Pay-to-Public-Key-Hash (P2PKH) -((("pay-to-public-key-hash (P2PKH)", id="ix_ch05-asciidoc15", range="startofrange")))((("transactions","pay-to-public-key-hash", id="ix_ch05-asciidoc16", range="startofrange")))The vast majority of transactions processed on the bitcoin network are P2PKH transactions. These contain a locking script that encumbers the output with a public key hash, more commonly known as a bitcoin address. Transactions that pay a bitcoin address contain P2PKH scripts. An output locked by a P2PKH script can be unlocked (spent) by presenting a public key and a digital signature created by the corresponding private key. +((("pay-to-public-key-hash (P2PKH)", id="ix_ch06-asciidoc15", range="startofrange")))((("transactions","pay-to-public-key-hash", id="ix_ch06-asciidoc16", range="startofrange")))The vast majority of transactions processed on the bitcoin network are P2PKH transactions. These contain a locking script that encumbers the output with a public key hash, more commonly known as a bitcoin address. Transactions that pay a bitcoin address contain P2PKH scripts. An output locked by a P2PKH script can be unlocked (spent) by presenting a public key and a digital signature created by the corresponding private key. For example, let's look at Alice's payment to Bob's Cafe again. Alice made a payment of 0.015 bitcoin to the cafe's bitcoin address. That transaction output would have a locking script of the form: @@ -377,7 +377,7 @@ The two scripts together would form the following combined validation script: When executed, this combined script will evaluate to TRUE if, and only if, the unlocking script matches the conditions set by the locking script. In other words, the result will be TRUE if the unlocking script has a valid signature from the cafe's private key that corresponds to the public key hash set as an encumbrance. -Figures pass:[#P2PubKHash1] and pass:[#P2PubKHash2] show (in two parts) a step-by-step execution of the combined script, which will prove this is a valid transaction.(((range="endofrange", startref="ix_ch05-asciidoc16")))(((range="endofrange", startref="ix_ch05-asciidoc15"))) +Figures pass:[#P2PubKHash1] and pass:[#P2PubKHash2] show (in two parts) a step-by-step execution of the combined script, which will prove this is a valid transaction.(((range="endofrange", startref="ix_ch06-asciidoc16")))(((range="endofrange", startref="ix_ch06-asciidoc15"))) [[P2PubKHash1]] .Evaluating a script for a P2PKH transaction (Part 1 of 2) @@ -482,7 +482,7 @@ OP_RETURN was initially proposed with a limit of 80 bytes, but the limit was red [[p2sh]] ==== Pay-to-Script-Hash (P2SH) -((("multi-signature scripts","P2SH and", id="ix_ch05-asciidoc17", range="startofrange")))((("Pay-to-script-hash (P2SH)", id="ix_ch05-asciidoc18", range="startofrange")))((("transactions","Pay-to-script-hash", id="ix_ch05-asciidoc19", range="startofrange")))Pay-to-script-hash (P2SH) was introduced in 2012 as a powerful new type of transaction that greatly simplifies the use of complex transaction scripts. To explain the need for P2SH, let's look at a practical example. +((("multi-signature scripts","P2SH and", id="ix_ch06-asciidoc17", range="startofrange")))((("Pay-to-script-hash (P2SH)", id="ix_ch06-asciidoc18", range="startofrange")))((("transactions","Pay-to-script-hash", id="ix_ch06-asciidoc19", range="startofrange")))Pay-to-script-hash (P2SH) was introduced in 2012 as a powerful new type of transaction that greatly simplifies the use of complex transaction scripts. To explain the need for P2SH, let's look at a practical example. In <> we introduced Mohammed, an electronics importer based in Dubai. Mohammed's company uses bitcoin's multi-signature feature extensively for its corporate accounts. Multi-signature scripts are one of the most common uses of bitcoin's advanced scripting capabilities and are a very powerful feature. Mohammed's company uses a multi-signature script for all customer payments, known in accounting terms as "accounts receivable," or AR. With the multi-signature scheme, any payments made by customers are locked in such a way that they require at least two signatures to release, from Mohammed and one of his partners or from his attorney who has a backup key. A multi-signature scheme like that offers corporate governance controls and protects against theft, embezzlement, or loss. @@ -588,6 +588,6 @@ Note that because the redeem script is not presented to the network until you at [WARNING] ==== -((("Pay-to-Script-Hash (P2SH)","locking scripts")))P2SH locking scripts contain the hash of a redeem script, which gives no clues as to the content of the redeem script itself. The P2SH transaction will be considered valid and accepted even if the redeem script is invalid. You might accidentally lock bitcoin in such a way that it cannot later be spent.(((range="endofrange", startref="ix_ch05-asciidoc19")))(((range="endofrange", startref="ix_ch05-asciidoc18")))(((range="endofrange", startref="ix_ch05-asciidoc17")))(((range="endofrange", startref="ix_ch05-asciidoc0"))) +((("Pay-to-Script-Hash (P2SH)","locking scripts")))P2SH locking scripts contain the hash of a redeem script, which gives no clues as to the content of the redeem script itself. The P2SH transaction will be considered valid and accepted even if the redeem script is invalid. You might accidentally lock bitcoin in such a way that it cannot later be spent.(((range="endofrange", startref="ix_ch06-asciidoc19")))(((range="endofrange", startref="ix_ch06-asciidoc18")))(((range="endofrange", startref="ix_ch06-asciidoc17")))(((range="endofrange", startref="ix_ch06-asciidoc0"))) ==== From 0b7861dbb99acae4e0d05a9f7b597c6d437ccb21 Mon Sep 17 00:00:00 2001 From: Javier Rojas Garcia Date: Sun, 30 Oct 2016 09:47:50 +0100 Subject: [PATCH 03/24] Generalization of -taking the first N bits of its SHA256 hash- when creating a checksum of the random sequence --- ch05.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ch05.asciidoc b/ch05.asciidoc index 9186e5fd..a85a59a5 100644 --- a/ch05.asciidoc +++ b/ch05.asciidoc @@ -164,7 +164,7 @@ BIP-39 defines the creation of a mnemonic code and seed, which we describe here Mnemonic words are generated automatically by the wallet, using a standardized process defined in BIP-39. The wallet starts from a source of entropy, adds a checksum and then maps the entropy to a word list: 1. Create a random sequence (entropy) of 128 to 256 bits. -2. Create a checksum of the random sequence by taking the first four bits of its SHA256 hash. +2. Create a checksum of the random sequence by taking the first (entropy-length / 32) bits of its SHA256 hash. 3. Add the checksum to the end of the random sequence. 4. Divide the sequence into sections of 11 bits. 5. Map each 11-bit value to a word from the predefined dictionary of 2048 words. From 64af71257c90739b3271802e23e51cc67b837239 Mon Sep 17 00:00:00 2001 From: Will Binns Date: Sun, 30 Oct 2016 11:44:11 -0600 Subject: [PATCH 04/24] preface: Add GitHub contributor, Javier Rojas --- preface.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/preface.asciidoc b/preface.asciidoc index 38caa4d6..4fdca6ba 100644 --- a/preface.asciidoc +++ b/preface.asciidoc @@ -173,6 +173,7 @@ Many contributors offered comments, corrections, and additions to the early-rele * James Addison (jayaddison) * Jameson Lopp (jlopp) * Jason Bisterfeldt (jbisterfeldt) +* Javier Rojas (fjrojasgarcia) * JerJohn15 * Joe Bauers (joebauers) * joflynn From 6b6655853bab46173a9603b6918081cfdcccca67 Mon Sep 17 00:00:00 2001 From: "Andreas M. Antonopoulos" Date: Mon, 7 Nov 2016 14:33:16 -0300 Subject: [PATCH 05/24] segwit corrections from Johnson Lau's comments https://github.com/bitcoinbook/bitcoinbook/commit/cb0de0b41cafe13a88a8ed7be65a92d7a253670f#commitcomment-19683225 --- segwit.asciidoc | 115 ++++++++++++++++++++++++++---------------------- 1 file changed, 62 insertions(+), 53 deletions(-) diff --git a/segwit.asciidoc b/segwit.asciidoc index 8ed0ff9c..7745ce87 100644 --- a/segwit.asciidoc +++ b/segwit.asciidoc @@ -8,21 +8,21 @@ Will be merged later into chapter 6 or 7, as the book is reorganized [[segwit]] === Segregated Witness -Segregated Witness (segwit) is an upgrade to the bitcoin consensus rules and network protocol, scheduled for implementation in the second half of 2016. +Segregated Witness (segwit) is an upgrade to the bitcoin consensus rules and network protocol, scheduled for implementation in the second half of 2016. -In cryptography, the term "witness" is used to describe a solution to a cryptographic puzzle. In bitcoin terms, the witness is the unlocking script that satisfies a cryptographic condition placed on a UTXO via the locking script. +In cryptography, the term "witness" is used to describe a solution to a cryptographic puzzle. In bitcoin terms, the witness satisfies a cryptographic condition placed on a Unspent Transaction Output (UTXO). -In the context of bitcoin, a digital signature is _one type of witness_, but a witness is more broadly any script that can satisfy the conditions of a locking script and unlock a UTXO for spending. The terms “witness”, “unlocking script” and “scriptSig” all mean the same thing. +In the context of bitcoin, a digital signature is _one type of witness_, but a witness is more broadly any solution that can satisfy the conditions imposed on a UTXO and unlock that UTXO for spending. The term “witness” is a more general term for an “unlocking script” or “scriptSig”. -Before segwit’s introduction, every input in a transaction was followed by the witness data that unlocked it. The witness data was embedded in the transaction as part of each input, The term _segregated witness_ or _segwit_ for short, simply means separating the signature or unlocking script of a specific output. Think "separate scriptSig", or “separate signature” in the simplest form. +Before segwit’s introduction, every input in a transaction was followed by the witness data that unlocked it. The witness data was embedded in the transaction as part of each input, The term _segregated witness_ or _segwit_ for short, simply means separating the signature or unlocking script of a specific output. Think "separate scriptSig", or “separate signature” in the simplest form. -Segregated Witness therefore is an architectural change to bitcoin that aims to move the scriptSig (unlocking script) outside of the transaction data structure and into separate a _witness_ data structure that accompanies a transaction. Clients may request transaction data with or without the accompanying witness data. +Segregated Witness therefore is an architectural change to bitcoin that aims to move the witness data from the scriptSig (unlocking script) field of a transaction into separate a _witness_ data structure that accompanies a transaction. Clients may request transaction data with or without the accompanying witness data. In this section we will look at some of the benefits of segregated witness, describe the mechanism used to deploy and implement this architecture change and demonstrate the use of segregated witness in transactions and addresses. Segregated Witness is defined by the following Bitcoin Improvement Proposals (BIPs): -BIP141 :: The mail definition of Segregated Witness. https://github.com/bitcoin/bips/blob/master/bip-0141.mediawiki +BIP141 :: The main definition of Segregated Witness. https://github.com/bitcoin/bips/blob/master/bip-0141.mediawiki BIP143 :: Transaction Signature Verification for Version 0 Witness Program https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki @@ -34,18 +34,15 @@ BIP145 :: getblocktemplate Updates for Segregated Witness (for mining) https://github.com/bitcoin/bips/blob/master/bip-0145.mediawiki - - - ==== Why Segregated Witness? -Segregated witness is an architectural change that has several effects on the scalability, security, economic incentives and performance of bitcoin. +Segregated witness is an architectural change that has several effects on the scalability, security, economic incentives and performance of bitcoin. -Transaction malleability :: By moving the witness outside the transaction, the transaction hash used as an identifier no longer includes the witness data. Since the witness data is the only part of the transaction that can be modified by a third party (see <> and <>), removing it also removes the opportunity for transaction malleability attacks. With segregated witness, transaction hashes become immutable, which greatly improves the implementation of many other protocols that rely on advanced bitcoin transaction construction, such as payment channels, chained transactions and lightning networks. +Transaction malleability :: By moving the witness outside the transaction, the transaction hash used as an identifier no longer includes the witness data. Since the witness data is the only part of the transaction that can be modified by a third party (see <> and <>), removing it also removes the opportunity for transaction malleability attacks. With segregated witness, transaction hashes become immutable by anyone other than the creator of the transaction, which greatly improves the implementation of many other protocols that rely on advanced bitcoin transaction construction, such as payment channels, chained transactions and lightning networks. -Script Versioning :: With the introduction of segregated witness scripts, every locking script is preceded by a _script version_ number, similar to how transactions and blocks have version numbers. The addition of a script version number allows the scripting language to be upgraded in a backwards compatible way (ie. using soft-fork upgrades), to introduce new script operands, syntax or semantics. The ability to upgrade the scripting language in a non-disruptive way will greatly accelerate the rate of innovation in bitcoin. +Script Versioning :: With the introduction of segregated witness scripts, every locking script is preceded by a _script version_ number, similar to how transactions and blocks have version numbers. The addition of a script version number allows the scripting language to be upgraded in a backwards compatible way (ie. using soft-fork upgrades), to introduce new script operands, syntax or semantics. The ability to upgrade the scripting language in a non-disruptive way will greatly accelerate the rate of innovation in bitcoin. -Network and Storage Scaling :: The witness data is often a big contributor to the total size of a transaction. More complex witness scripts such as multi-sig or payment channels scripts are very large and represent the majority (more than 75%) of the data in a transaction. By moving the witness data outside the transaction, segregated witness improves bitcoin’s scalability. Nodes can prune the witness data after validating the signatures, or ignore it altogether when doing simplified payment verification. The witness data doesn’t need to be transmitted to all nodes and does not need to be stored on disk by all nodes. +Network and Storage Scaling :: The witness data is often a big contributor to the total size of a transaction. More complex scripts such as those used for multi-sig or payment channels are very large. In some cases these scripts account for the majority (more than 75%) of the data in a transaction. By moving the witness data outside the transaction, segregated witness improves bitcoin’s scalability. Nodes can prune the witness data after validating the signatures, or ignore it altogether when doing simplified payment verification. The witness data doesn’t need to be transmitted to all nodes and does not need to be stored on disk by all nodes. Signature Verification Optimization :: Segregated Witness upgrades the signature functions (OP_CHECKSIG, OP_CHECKMULTISIG etc), to reduce the algorithm's computational complexity. Before segwit, the algorithm used to produce a signature required a number of hash operations that was proportional to the size of the transaction. Data-hasing computations increased in O(n^2^) with respect to the number of signature operations, introducing a substantial computational burden on all nodes verifying the signature. With segwit, the algorithm is changed to reduce the complexity to O(n). @@ -53,26 +50,26 @@ Offline Signing Improvement :: Segregated Witness signatures incorporate the val ==== How Segregated Witness Works -At first glance, segregated witness appears to be a change to how transactions are constructed and therefore a transaction-level feature, but it is not. In fact, segregated witness is also a change to how UTXO are constructed and therefore is a per-output feature. +At first glance, segregated witness appears to be a change to how transactions are constructed and therefore a transaction-level feature, but it is not. In fact, segregated witness is also a change to how individual UTXO are spent and therefore is a per-output feature. -A transaction can spend segregated witness outputs or traditional (inline-witness) outputs or both. Therefore, it does not make much sense to refer to a transaction as a “segregated witness transaction”. Rather we should refer to specific transaction inputs as “segregated witness inputs. +A transaction can spend segregated witness outputs or traditional (inline-witness) outputs or both. Therefore, it does not make much sense to refer to a transaction as a “segregated witness transaction”. Rather we should refer to specific transaction inputs as “segregated witness inputs". When a transaction spends a UTXO, it must provide a witness. In a traditional UTXO, the locking script requires that witness data be provided _inline_ in the input part of the transaction that spends the UTXO. A segregated witness UTXO, however, specifies a locking script that can be satisfied with witness data outside of the input (segregated). ==== Soft-fork (backwards compatibility) -Segregated witness is a significant change to the way outputs and transactions are architected. Such a change would normally require a simultaneous change in every bitcoin node and wallet, to change the consensus rules -- what is known as a hard fork. Instead, segregated witness is introduced with a much less disruptive change, which is backwards compatible, known as a soft fork. This type of upgrade allows non-upgraded software to ignore the changes and continue to operate without any disruption. +Segregated witness is a significant change to the way outputs and transactions are architected. Such a change would normally require a simultaneous change in every bitcoin node and wallet, to change the consensus rules -- what is known as a hard fork. Instead, segregated witness is introduced with a much less disruptive change, which is backwards compatible, known as a soft fork. This type of upgrade allows non-upgraded software to ignore the changes and continue to operate without any disruption. Segregated witness outputs are constructed so that older systems that are not segwit-aware can still validate them. To an old wallet or node, a segregated witness output looks like an output that _anyone can spend_. Such outputs can be spent with an empty signature, therefore the fact that there is no signature inside the transaction (it is segregated), does not invalidate the transaction. Newer wallets & mining nodes however see the segregated witness output and expect to find a valid witness for it in the transaction’s witness data. ==== Segregated Witness Output and Transaction Examples -Let’s look at some of our example transactions and see how they would change with segregated witness. We’ll first look at how a Pay-to-Public-Key-Hash (P2PKH) payment is transformed with segregated witness program. Then, we’ll look at the segregated witness equivalent for Pay-to-Script-Hash (P2SH) scripts. Finally, we’ll look at how both of the above segregated witness programs can be embedded inside a P2SH script. +Let’s look at some of our example transactions and see how they would change with segregated witness. We’ll first look at how a Pay-to-Public-Key-Hash (P2PKH) payment is transformed with segregated witness program. Then, we’ll look at the segregated witness equivalent for Pay-to-Script-Hash (P2SH) scripts. Finally, we’ll look at how both of the above segregated witness programs can be embedded inside a P2SH script. [[p2wpkh]] ===== Pay-to-Witness-Public-Key-Hash (P2WPKH) -In <>, Alice created a transaction to pay Bob for a cup of coffee. That transaction created a Pay-to-Public-Key-Hash (P2PKH) output with a value of 0.015 BTC that was spendable by Bob. The output’s script looks like this: +In <>, Alice created a transaction to pay Bob for a cup of coffee. That transaction created a Pay-to-Public-Key-Hash (P2PKH) output with a value of 0.015 BTC that was spendable by Bob. The output’s script looks like this: .Example P2PKH output script ---- @@ -81,7 +78,7 @@ OP_DUP OP_HASH160 ab68025513c3dbd2f7b92a94e0581f5d50f654e7 OP_EQUALVERIFY OP_CHE With segregated witness, a Pay-to-Public-Key-Hash output, is created instead a Pay-to-Witness-Public-Key-Hash (P2WPKH), which looks like this: -.Example P2WPKH output script +.Example P2WPKH output script ---- 0 ab68025513c3dbd2f7b92a94e0581f5d50f654e7 ---- @@ -112,10 +109,21 @@ However, to spend the segregated witness output, the transaction has no signatur "scriptSig": “”, ] [...] -“witness”: “” +“witness”: “” [...] ---- +===== Wallet Construction of P2WPKH + +It is extremely important to note that P2WPKH should only be created by the payee (recipient) and not converted by the sender from a known public key, P2PKH script or address. The sender has no way of knowing if the recipient's wallet has the ability to construct segwit transactions and spend P2WPKH outputs. + +Additionally, P2WPKH outputs must be constructed from the hash of a _compressed_ public key. Uncompressed public keys are non-standard in segwit and may be explicitly disabled by a future soft fork. If the hash used in the P2WPKH came from an uncompressed public key, it may be unspendable and you may lose funds. P2WPKH outputs should be created by the payee's wallet by deriving a compressed public key from their private key. + +[WARNING] +==== +P2WPKH should be constructed by the payee (recipient), by converting a compressed public key to a P2WPKH hash. You should never transform a P2PKH script, bitcoin address or uncompressed public key to a P2WPKH witness script. +==== + [[p2wsh]] ===== Pay-to-Witness-Script-Hash (P2WSH) @@ -134,7 +142,7 @@ The P2SH script above references the hash of a _redeem script_ that defines a 2- “Vin” : [ "txid": "abcdef12345...", "vout": 0, - "scriptSig": “SigA SigB 2 PubA PubB PubC PubD PubE 5 CHECKMULTISIG”, + "scriptSig": “ <2 PubA PubB PubC PubD PubE 5 CHECKMULTISIG>”, ] ---- @@ -145,11 +153,12 @@ Now, let's look at how this entire example would be upgraded to segwit. If Moham 0 9592d601848d04b172905e0ddb0adde59f1590f1e553ffc81ddc4b0ed927dd73 ---- -Again, as with the example of P2WPKH, you can see that the segregated witness equivalent script is a lot simpler and omits the various script operands that you see in P2SH scripts. Instead, the segregated witness program consists of two values pushed to the stack: a witness version (0) and the 32-byte SHA256 hash of the redeem script. +Again, as with the example of P2WPKH, you can see that the segregated witness equivalent script is a lot simpler and omits the various script operands that you see in P2SH scripts. Instead, the segregated witness program consists of two values pushed to the stack: a witness version (0) and the 32-byte SHA256 hash of the redeem script. [TIP] ==== -While P2SH uses the 20-byte +RIPEMD160(SHA256(script))+ hash, the P2WSH witness program uses a 32-byte +SHA256(script)+ hash. This difference in the selection of the hashing algorithm is deliberate and used to differentiate between the two types of witness programs (P2WPKH and P2WSH) by the length of the hash. +While P2SH uses the 20-byte +RIPEMD160(SHA256(script))+ hash, the P2WSH witness program uses a 32-byte +SHA256(script)+ hash. This difference in the selection of the hashing algorithm is deliberate and used to differentiate between the two types of witness programs (P2WPKH and P2WSH) by the length of the hash, and to provide stronger security to P2WSH (128bits vs. 80bits of P2SH). + ==== Mohammed's company can spend outputs the Pay-to-Witness-Script-Hash output by presenting the correct redeem script and sufficient signatures to satisfy the redeem script. Both the redeem script and the signatures would be segregated _outside_ the spending transaction as part of the witness data. Within the transaction input, Mohammed's wallet would put an empty scriptSig: @@ -163,13 +172,13 @@ Mohammed's company can spend outputs the Pay-to-Witness-Script-Hash output by pr "scriptSig": “”, ] [...] -“witness”: “SigA SigB 2 PubA PubB PubC PubD PubE 5 CHECKMULTISIG” +“witness”: “ <2 PubA PubB PubC PubD PubE 5 CHECKMULTISIG>” [...] ---- ===== Differentiating between P2WPKH and P2WSH -In the previous two sections, we demonstrated two types of witness programs: <> and <>. Both types of witness programs consist of single byte version number followed by a longer hash. They look very similar, but are interpreted very differently: one is interpreted as a public key hash, which is satisfied by a signature and the other as a script hash, which is satisfied by a redeem script. The critical difference between them is the length of the hash: +In the previous two sections, we demonstrated two types of witness programs: <> and <>. Both types of witness programs consist of single byte version number followed by a longer hash. They look very similar, but are interpreted very differently: one is interpreted as a public key hash, which is satisfied by a signature and the other as a script hash, which is satisfied by a redeem script. The critical difference between them is the length of the hash: * The public key hash in P2WPKH is 20 bytes * The script hash in P2WSH is 32 bytes @@ -178,7 +187,7 @@ This is the one difference that allows a wallet to differentiate between the two ==== Upgrading to Segregated Witness -As we can see from the examples above, upgrading to segregated witness is a two-step process. First, wallets must create special segwit type outputs. Then, these outputs can be spent by wallets that know how to construct segregated witness transactions. In the examples above, Alice's wallet was segwit-aware and able to create special outputs with segregated witness scripts. Bob's wallet is also segwit-aware and able to spend those outputs. What may not be obvious from the example is that in practice, Alice's wallet needs to _know_ that Bob uses a segwit-aware wallet and can spend these outputs. Otherwise, if Bob's wallet is not upgraded and Alice tries to make segwit payments to Bob, Bob's wallet will not be able to detect these payments. +As we can see from the examples above, upgrading to segregated witness is a two-step process. First, wallets must create special segwit type outputs. Then, these outputs can be spent by wallets that know how to construct segregated witness transactions. In the examples above, Alice's wallet was segwit-aware and able to create special outputs with segregated witness scripts. Bob's wallet is also segwit-aware and able to spend those outputs. What may not be obvious from the example is that in practice, Alice's wallet needs to _know_ that Bob uses a segwit-aware wallet and can spend these outputs. Otherwise, if Bob's wallet is not upgraded and Alice tries to make segwit payments to Bob, Bob's wallet will not be able to detect these payments. [TIP] ==== @@ -191,19 +200,19 @@ Segregated witness will not be implemented simultaneously across the entire netw * Ability of a sender's wallet that is segwit-aware to recognize and distinguish between recipients that are segwit-aware and ones that are not, by their _addresses_. -===== Embedding Segregated Witness Inside P2SH +===== Embedding Segregated Witness Inside P2SH Let's assume, for example, that Alice's wallet is not upgraded to segwit, but Bob's wallet is upgraded and can handle segwit transactions. Alice and Bob can use "old" non-segwit transactions. But Bob would likely want to use segwit to reduce transaction fees, taking advantage of the discount that applies to witness data. - In this case Bob's wallet can construct a P2SH address that contains a segwit script inside it. Alice's wallet sees this as a "normal" P2SH address and can make payments to it without any knowledge of segwit. Bob's wallet can then spend this payment with a segwit transaction, taking full advantage of segwit and reducing transaction fees. + In this case Bob's wallet can construct a P2SH address that contains a segwit script inside it. Alice's wallet sees this as a "normal" P2SH address and can make payments to it without any knowledge of segwit. Bob's wallet can then spend this payment with a segwit transaction, taking full advantage of segwit and reducing transaction fees. Both forms of witness scripts, P2WPKH and P2WSH, can be embedded in a P2SH address. The first is noted as P2SH(P2WPKH) and the second is noted as P2SH(P2WSH). -===== Pay-to-Witness-Public-Key-Hash inside Pay-to-Script-Hash +===== Pay-to-Witness-Public-Key-Hash inside Pay-to-Script-Hash -The first form of witness script we will examine is P2SH(P2WPKH). This is a Pay-to-Witness-Public-Key-Hash witness program, embedded inside a Pay-to-Script-Hash script, so that it can be used by a wallet that is not aware of segwit. +The first form of witness script we will examine is P2SH(P2WPKH). This is a Pay-to-Witness-Public-Key-Hash witness program, embedded inside a Pay-to-Script-Hash script, so that it can be used by a wallet that is not aware of segwit. -Bob's wallet constructs a Pay-to-Witness-Public-Key-Hash (P2WPKH) witness program with Bob's public key. This witness program is then hashed and the resulting hash is encoded as a Pay-to-Script-Hash (P2SH) script. The P2SH script is converted to a bitcoin address, one which starts with a "3", as we saw in the <> section. +Bob's wallet constructs a Pay-to-Witness-Public-Key-Hash (P2WPKH) witness program with Bob's public key. This witness program is then hashed and the resulting hash is encoded as a Pay-to-Script-Hash (P2SH) script. The P2SH script is converted to a bitcoin address, one which starts with a "3", as we saw in the <> section. Bob's wallet starts with the P2WPKH witness program we saw earlier: @@ -212,7 +221,7 @@ Bob's wallet starts with the P2WPKH witness program we saw earlier: 0 ab68025513c3dbd2f7b92a94e0581f5d50f654e7 ---- -The P2WPKH witness program consists of the witness version and Bob's 20-byte public key hash. +The P2WPKH witness program consists of the witness version and Bob's 20-byte public key hash. Bob's wallet then hashes the above witness program, first with SHA256, then with RIPEMD160, producing another 20-byte hash: @@ -234,9 +243,9 @@ Finally, the P2SH script is converted to a P2SH bitcoin address: 3AzZFY4WJJZbVr2A6qBTbdkYRpMLbdg6gD ---- -Now, Bob can display this address for customers to pay for their coffee. Alice's wallet can make a payment to +3deadbeef+, just as it would to any other bitcoin address. Even though Alice's wallet has no support for segwit, the payment it creates can be spent by Bob with a segwit transaction. +Now, Bob can display this address for customers to pay for their coffee. Alice's wallet can make a payment to +3deadbeef+, just as it would to any other bitcoin address. Even though Alice's wallet has no support for segwit, the payment it creates can be spent by Bob with a segwit transaction. -===== Pay-to-Witness-Script-Hash inside Pay-to-Script-Hash +===== Pay-to-Witness-Script-Hash inside Pay-to-Script-Hash Similarly, a P2WSH witness program for a multisig script or other complicated script can be embedded inside a Pay-to-Script-Hash script and address, making it possible for any wallet to make payments that are segwit compatible. @@ -273,35 +282,35 @@ Now, Mohammed's clients can make payments to this address without any need to su ===== Segregated Witness Addresses -After segwit is deployed on the bitcoin network, it will take some time until wallets are upgraded. It is quite likely therefore that segwit will mostly be used embedded in P2SH, as we saw in the previous section, at least for several months. +After segwit is deployed on the bitcoin network, it will take some time until wallets are upgraded. It is quite likely therefore that segwit will mostly be used embedded in P2SH, as we saw in the previous section, at least for several months. -Eventually however, almost all wallets will be able to support segwit payments. At that time it will no longer be necessary to embed segwit in P2SH. It is therefore likely that a new form of bitcoin address will be created, one that indicates the recipient is segwit-aware and which directly encodes a witness program. There have been a number of proposals for a segregated witness address scheme, but none have been actively pursued at this time. +Eventually however, almost all wallets will be able to support segwit payments. At that time it will no longer be necessary to embed segwit in P2SH. It is therefore likely that a new form of bitcoin address will be created, one that indicates the recipient is segwit-aware and which directly encodes a witness program. There have been a number of proposals for a segregated witness address scheme, but none have been actively pursued at this time. [[segwit_txid]] ===== Transaction Identifiers -One of the greatest benefits of Segregated Witness is that it eliminates third-party transaction malleability. +One of the greatest benefits of Segregated Witness is that it eliminates third-party transaction malleability. Before segwit, transactions could have their signatures subtly modified by third parties, changing their transaction ID (hash) without changing any fundamental properties (inputs, outputs, amounts). This created opportunities for Denial-of-Service attacks as well as attacks against poorly written wallet software that assumed unconfirmed transaction-hashes were immutable. -With the introduction of Segregated Witness, transactions have two identifiers, +txid+ and +wtxid+. The traditional transaction ID +txid+ is the double-SHA256 hash of the serialized transaction, without the witness data. A transaction +wtxid+ is the double-SHA256 hash of the new serialization format of the transaction with witness data. +With the introduction of Segregated Witness, transactions have two identifiers, +txid+ and +wtxid+. The traditional transaction ID +txid+ is the double-SHA256 hash of the serialized transaction, without the witness data. A transaction +wtxid+ is the double-SHA256 hash of the new serialization format of the transaction with witness data. -The traditional +txid+ is calculated in exactly the same way as with a non-segwit transaction. However, since the segwit transaction has empty scriptSig's in every input, there is no part of the transaction that can be modified by a third party. Therefore, in a segwit transaction, the +txid+ is immutable even when the transaction is unconfirmed. +The traditional +txid+ is calculated in exactly the same way as with a non-segwit transaction. However, since the segwit transaction has empty scriptSig's in every input, there is no part of the transaction that can be modified by a third party. Therefore, in a segwit transaction, the +txid+ is immutable by a third party, even when the transaction is unconfirmed. -The +wtxid+ is like an "extended" ID, in that the hash also incorporates the witness data. If a transaction is transmitted without witness data, then the +wtxid+ and +txid+ are identical. Note than since the +wtxid+ includes witness data (signatures) and since witness data may be malleable, the +wtxid+ should be considered malleable until the transaction is confirmed. Only the +txid+ of a segwit transaction can be considered immutable and only if _all_ the inputs of the transaction are segwit inputs with empty scriptSig. +The +wtxid+ is like an "extended" ID, in that the hash also incorporates the witness data. If a transaction is transmitted without witness data, then the +wtxid+ and +txid+ are identical. Note than since the +wtxid+ includes witness data (signatures) and since witness data may be malleable, the +wtxid+ should be considered malleable until the transaction is confirmed. Only the +txid+ of a segwit transaction can be considered immutable by third parties and only if _all_ the inputs of the transaction are segwit inputs. [TIP] ==== Segregated Witness transactions have two IDs: +txid+ and +wtxid+. The +txid+ is the hash of the transaction without the witness data and the +wtxid+ is the hash inclusive of witness data. The +txid+ of a transaction where all inputs are segwit inputs, is not susceptible to third-party transaction malleability ==== -==== Segregated Witness' New Signing Algorithm +==== Segregated Witness' New Signing Algorithm Segregated Witness modifies the semantics of the four signature verification functions (OP_CHECKSIG, OP_CHECKSIGVERIFY, OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY), changing the way a transaction commitment hash is calculated. -Signatures in bitcoin transactions are applied on a _commitment hash_ which is calculated from the transaction data, locking specific parts of the data indicating the signer's commitment to those values. For example, in a simple SIGHASH_ALL type signature, the commitment hash includes all inputs and outputs. +Signatures in bitcoin transactions are applied on a _commitment hash_ which is calculated from the transaction data, locking specific parts of the data indicating the signer's commitment to those values. For example, in a simple SIGHASH_ALL type signature, the commitment hash includes all inputs and outputs. -Unfortunately, the way the commitment hash was calculated introduced the possibility that a node verifying the signature can be forced to perform a significant number of hash computations. Specifically, the hash operations increase in O(n^2^) with respect to the number of signature operations in the transaction. An attacker could therefore create a transaction with a very large number of signature operations, causing the entire bitcoin network to have to perform hundreds or thousands of hash operations to verify the transaction. +Unfortunately, the way the commitment hash was calculated introduced the possibility that a node verifying the signature can be forced to perform a significant number of hash computations. Specifically, the hash operations increase in O(n^2^) with respect to the number of signature operations in the transaction. An attacker could therefore create a transaction with a very large number of signature operations, causing the entire bitcoin network to have to perform hundreds or thousands of hash operations to verify the transaction. Segwit represented an opportunity to address this problem by changing the way the commitment hash is calculated. For segwit version 0 witness programs, signature verification occurs using an improved commitment hash algorithm as specified in Bitcoin Improvement Proposal 143 (BIP143). @@ -309,25 +318,25 @@ The new algorithm achieves two important goals. Firstly, the number of hash oper ==== Economic Incentives for Segregated Witness -Bitcoin mining nodes and full nodes incur costs for the resources used to support the bitcoin network and the blockchain. As the volume of bitcoin transactions increases, so does the cost of resources (CPU, network bandwidth, disk space, memory). Miners are compensated for these costs through fees that are proportional to the size (in bytes) of each transaction. Non-mining full nodes are not compensated, so they incur these costs because they have a need to run an authoritative fully-validating full-index node, perhaps because they use the node to operate a bitcoin business. +Bitcoin mining nodes and full nodes incur costs for the resources used to support the bitcoin network and the blockchain. As the volume of bitcoin transactions increases, so does the cost of resources (CPU, network bandwidth, disk space, memory). Miners are compensated for these costs through fees that are proportional to the size (in bytes) of each transaction. Non-mining full nodes are not compensated, so they incur these costs because they have a need to run an authoritative fully-validating full-index node, perhaps because they use the node to operate a bitcoin business. -Without transaction fees, the growth in bitcoin data would arguably increase dramatically. Fees are intended to align the needs of bitcoin users with the burden their transactions impose on the network, through a market-based price discovery mechanism. +Without transaction fees, the growth in bitcoin data would arguably increase dramatically. Fees are intended to align the needs of bitcoin users with the burden their transactions impose on the network, through a market-based price discovery mechanism. -The calculation of fees based on transaction size treats all the data in the transaction as equal in cost. But from the perspective of full nodes and miners, some parts of a transaction carry much higher costs. Every transaction added to the bitcoin network affects the consumption of of four resources on nodes: +The calculation of fees based on transaction size treats all the data in the transaction as equal in cost. But from the perspective of full nodes and miners, some parts of a transaction carry much higher costs. Every transaction added to the bitcoin network affects the consumption of four resources on nodes: -Disk Space :: Every transaction is stored in the blockchain, adding to the total size of the blockchain. The blockchain is stored on disk, but the storage can be optimized by “pruning” older transactions. +Disk Space :: Every transaction is stored in the blockchain, adding to the total size of the blockchain. The blockchain is stored on disk, but the storage can be optimized by “pruning” older transactions. CPU :: Every transaction must be validated, which requires CPU time. Bandwidth :: Every transaction is transmitted (through flood propagation) across the network at least once. Without any optimization in the block propagation protocol, transactions are transmitted again as part of a block, doubling the impact on network capacity -Memory :: Nodes that validate transactions keep the “UTXO set”, the list of all unspent transaction outputs, in memory. Because memory is at least one order of magnitude more expensive than disk, growth of the UTXO set contributes disproportionately to the cost of running a node. +Memory :: Nodes that validate transactions keep the UTXO index or the entire UTXO set in memory to speed up validation. Because memory is at least one order of magnitude more expensive than disk, growth of the UTXO set contributes disproportionately to the cost of running a node. -As you can see from the list above, not every part of a transaction has an equal impact on the cost of running a node or on the ability of bitcoin to scale to support more transactions. The most expensive part of a transaction are the newly created outputs, as they are added to the in-memory UTXO set. By comparison, signatures (aka witness data) add the least burden to the network and the cost of running a node, because witness data are only validated once and then never used again. Furthermore, immediately after receiving a new transaction and validating witness data, nodes can discard that witness data. If fees are calculated on transaction size, without discriminating between these two types of data, then the market incentives of fees are not aligned with the actual costs imposed by a transaction. In fact, the current fee structure actually encourages the opposite behavior, because witness data is the largest part of a transaction. +As you can see from the list above, not every part of a transaction has an equal impact on the cost of running a node or on the ability of bitcoin to scale to support more transactions. The most expensive part of a transaction are the newly created outputs, as they are added to the in-memory UTXO set. By comparison, signatures (aka witness data) add the least burden to the network and the cost of running a node, because witness data are only validated once and then never used again. Furthermore, immediately after receiving a new transaction and validating witness data, nodes can discard that witness data. If fees are calculated on transaction size, without discriminating between these two types of data, then the market incentives of fees are not aligned with the actual costs imposed by a transaction. In fact, the current fee structure actually encourages the opposite behavior, because witness data is the largest part of a transaction. -The incentives created by fees matter because they affect the behavior of wallets. All wallets must implement some strategy for assembling transactions that takes into considerations a number of factors, such as privacy (reducing address re-use), fragmentation (making lots of loose change) and fees. If the fees are overwhelmingly motivating wallets to use as few inputs as possible in transactions, this can lead to UTXO picking and change address strategies that inadvertently bloat the UTXO set. +The incentives created by fees matter because they affect the behavior of wallets. All wallets must implement some strategy for assembling transactions that takes into considerations a number of factors, such as privacy (reducing address re-use), fragmentation (making lots of loose change) and fees. If the fees are overwhelmingly motivating wallets to use as few inputs as possible in transactions, this can lead to UTXO picking and change address strategies that inadvertently bloat the UTXO set. -Transactions consume UTXO in their inputs and create new UTXO with their outputs. A transaction, therefore, that has more inputs than outputs will result in a decrease in the UTXO set, whereas a transaction that has more outputs than inputs will result in an increase in the UTXO set. Let’s consider the _difference_ between inputs and output and call that the “Net new UTXO”. That’s an important metric, as it tells us what impact a transaction will have on the most expensive network-wide resource, the in-memory UTXO set. A transaction with positive Net-new-UTXO, adds to that burden. A transaction with a negative Net-new-UTXO reduces the burden. We would therefore want to encourage transactions that are either negative Net-new-UTXO or neutral with zero Net-new-UTXO. +Transactions consume UTXO in their inputs and create new UTXO with their outputs. A transaction, therefore, that has more inputs than outputs will result in a decrease in the UTXO set, whereas a transaction that has more outputs than inputs will result in an increase in the UTXO set. Let’s consider the _difference_ between inputs and output and call that the “Net new UTXO”. That’s an important metric, as it tells us what impact a transaction will have on the most expensive network-wide resource, the in-memory UTXO set. A transaction with positive Net-new-UTXO, adds to that burden. A transaction with a negative Net-new-UTXO reduces the burden. We would therefore want to encourage transactions that are either negative Net-new-UTXO or neutral with zero Net-new-UTXO. Let’s look at an example of what incentives are created by the transaction fee calculation, with and without segregated witness. We will look at two different transactions. Transaction A is a 3-input, 2-output transaction, which has a Net-new-UTXO metric of -1, meaning it consumes one more UTXO than it creates, reducing the UTXO set by one. Transaction B is a 2-input, 3-output transaction, which has a Net-new-UTXO metric of 1, meaning it adds one UTXO to the UTXO set, imposing additional cost on the entire bitcoin network. Both transactions use multi-signature (2-of-3) scripts, to demonstrate how complex scripts increase the impact of segregated witness on fees. Let’s assume a transaction fee of 30 satoshi per byte and a 75% fee discount on witness data: @@ -342,6 +351,6 @@ Transaction B fee: 12,045 satoshi -Both transactions are less expensive when segregated witness is implemented. But comparing the costs between the two transactions, we see that before segregated witness, the fee is higher for the transaction that has a negative Net-new-UTXO. After segregated witness, the transaction fees align with the incentive to minimize new UTXO creation, by not inadvertently penalizing transactions with many inputs. +Both transactions are less expensive when segregated witness is implemented. But comparing the costs between the two transactions, we see that before segregated witness, the fee is higher for the transaction that has a negative Net-new-UTXO. After segregated witness, the transaction fees align with the incentive to minimize new UTXO creation, by not inadvertently penalizing transactions with many inputs. -Segregated witness therefore has two main effects on the fees paid by bitcoin users. Firstly, segwit reduces the overall cost of transactions by discounting witness data and increasing the capacity of the bitcoin blockchain. Secondly, segwit’s discount on witness data correcting a misalignment of incentives that may have inadvertently created more bloat in the UTXO set. +Segregated witness therefore has two main effects on the fees paid by bitcoin users. Firstly, segwit reduces the overall cost of transactions by discounting witness data and increasing the capacity of the bitcoin blockchain. Secondly, segwit’s discount on witness data correcting a misalignment of incentives that may have inadvertently created more bloat in the UTXO set. From 5072ce879fd977b9121867f86ff84d2a798c2083 Mon Sep 17 00:00:00 2001 From: Jonathan Cross Date: Tue, 8 Nov 2016 04:14:00 +0100 Subject: [PATCH 06/24] Fixing typo in ch05: menmonic => mnemonic --- ch05.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ch05.asciidoc b/ch05.asciidoc index a85a59a5..8eb96bd0 100644 --- a/ch05.asciidoc +++ b/ch05.asciidoc @@ -151,7 +151,7 @@ Let's now examine each of the important industry standards that are used by many [TIP] ==== -Mnemonic words are often confused with "brainwallets". They are not the same. The primary difference is that a brainwallet consists of words chosen by the user, whereas menmonic words are created randomly by the wallet and presented to the user. This important difference makes mnemonic words much more secure, because humans are very poor sources of randomness. +Mnemonic words are often confused with "brainwallets". They are not the same. The primary difference is that a brainwallet consists of words chosen by the user, whereas mnemonic words are created randomly by the wallet and presented to the user. This important difference makes mnemonic words much more secure, because humans are very poor sources of randomness. ==== Mnemonic codes are defined in((("BIP-39"))) Bitcoin Improvement Proposal 39 (see <>). Note that BIP-39 is one implementation of a mnemonic code standard. Specifically, there is a different standard, with a different set of words, used by the((("Electrum wallet")))((("mnemonic code words","Electrum wallet and"))) Electrum wallet and predating BIP-39. BIP-39 was proposed by the((("mnemonic code words","Trezor wallet and")))((("Trezor wallet"))) company behind the Trezor hardware wallet and is incompatible with Electrum's implementation. However, BIP-39 has now achieved broad industry support across dozens of interoperable implementations and should be considered the de-facto industry standard. @@ -199,7 +199,7 @@ The process described in steps 7 through 9 below continues from the process desc [start=7] 7. The first parameter to the PBKDF2 key-stretching function is the _mnemonic_ produced from step 6 in <>. 8. The second parameter to the PBKDF2 key-stretching function is a _salt_. The salt is composed of the string constant "+mnemonic+" concatenated with an optional user-supplied passphrase string. -9. PBKDF2 stretches the menmonic and salt parameters using 2048 rounds of hashing with the HMAC-SHA512 algorithm, producing a 512-bit value as its final output. That 512-bit value is the seed. +9. PBKDF2 stretches the mnemonic and salt parameters using 2048 rounds of hashing with the HMAC-SHA512 algorithm, producing a 512-bit value as its final output. That 512-bit value is the seed. .From mnemonic to seed image::images/Mnemonic_to_seed.png["From mnemonic to seed"] From 17127e61b03f612d75dff75962f3868c6bbd5ed1 Mon Sep 17 00:00:00 2001 From: Javier Rojas Garcia Date: Tue, 8 Nov 2016 14:23:52 +0100 Subject: [PATCH 07/24] Probably just a typo in segwit.asciidoc: Added plural to output in -the difference between inputs and output- --- segwit.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/segwit.asciidoc b/segwit.asciidoc index 7745ce87..8156440b 100644 --- a/segwit.asciidoc +++ b/segwit.asciidoc @@ -336,7 +336,7 @@ As you can see from the list above, not every part of a transaction has an equal The incentives created by fees matter because they affect the behavior of wallets. All wallets must implement some strategy for assembling transactions that takes into considerations a number of factors, such as privacy (reducing address re-use), fragmentation (making lots of loose change) and fees. If the fees are overwhelmingly motivating wallets to use as few inputs as possible in transactions, this can lead to UTXO picking and change address strategies that inadvertently bloat the UTXO set. -Transactions consume UTXO in their inputs and create new UTXO with their outputs. A transaction, therefore, that has more inputs than outputs will result in a decrease in the UTXO set, whereas a transaction that has more outputs than inputs will result in an increase in the UTXO set. Let’s consider the _difference_ between inputs and output and call that the “Net new UTXO”. That’s an important metric, as it tells us what impact a transaction will have on the most expensive network-wide resource, the in-memory UTXO set. A transaction with positive Net-new-UTXO, adds to that burden. A transaction with a negative Net-new-UTXO reduces the burden. We would therefore want to encourage transactions that are either negative Net-new-UTXO or neutral with zero Net-new-UTXO. +Transactions consume UTXO in their inputs and create new UTXO with their outputs. A transaction, therefore, that has more inputs than outputs will result in a decrease in the UTXO set, whereas a transaction that has more outputs than inputs will result in an increase in the UTXO set. Let’s consider the _difference_ between inputs and outputs and call that the “Net new UTXO”. That’s an important metric, as it tells us what impact a transaction will have on the most expensive network-wide resource, the in-memory UTXO set. A transaction with positive Net-new-UTXO, adds to that burden. A transaction with a negative Net-new-UTXO reduces the burden. We would therefore want to encourage transactions that are either negative Net-new-UTXO or neutral with zero Net-new-UTXO. Let’s look at an example of what incentives are created by the transaction fee calculation, with and without segregated witness. We will look at two different transactions. Transaction A is a 3-input, 2-output transaction, which has a Net-new-UTXO metric of -1, meaning it consumes one more UTXO than it creates, reducing the UTXO set by one. Transaction B is a 2-input, 3-output transaction, which has a Net-new-UTXO metric of 1, meaning it adds one UTXO to the UTXO set, imposing additional cost on the entire bitcoin network. Both transactions use multi-signature (2-of-3) scripts, to demonstrate how complex scripts increase the impact of segregated witness on fees. Let’s assume a transaction fee of 30 satoshi per byte and a 75% fee discount on witness data: From cf9c989c3fd23f05e9b664f939049a69476bd03a Mon Sep 17 00:00:00 2001 From: Will Binns Date: Tue, 8 Nov 2016 09:03:51 -0600 Subject: [PATCH 08/24] preface: Add Contributors, jl2012 & jonathancross --- preface.asciidoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/preface.asciidoc b/preface.asciidoc index 4fdca6ba..07e640c0 100644 --- a/preface.asciidoc +++ b/preface.asciidoc @@ -177,6 +177,8 @@ Many contributors offered comments, corrections, and additions to the early-rele * JerJohn15 * Joe Bauers (joebauers) * joflynn +* Johnson Lau (jl2012) +* Jonathan Cross (jonathancross) * Jorgeminator * Kai Bakker (kaibakker) * Mai-Hsuan Chia (mhchia) From e0c4f42d393e96cc0ae9a6cc6fd1dc02d18b673e Mon Sep 17 00:00:00 2001 From: Jonathan Cross Date: Fri, 11 Nov 2016 02:19:23 +0100 Subject: [PATCH 09/24] Fixing satoshi_whitepaper appendix id. --- appdx-bitcoinwhitepaper.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/appdx-bitcoinwhitepaper.asciidoc b/appdx-bitcoinwhitepaper.asciidoc index 8ffccaf8..0469e748 100644 --- a/appdx-bitcoinwhitepaper.asciidoc +++ b/appdx-bitcoinwhitepaper.asciidoc @@ -1,4 +1,4 @@ -[[appdxbitcoinimpproposals]] +[[satoshi_whitepaper]] [appendix] == Bitcoin - A Peer-to-Peer Electronic Cash System From 59f2017896b66d1d9045ad4518a1c6937fe7aa95 Mon Sep 17 00:00:00 2001 From: Jonathan Cross Date: Fri, 11 Nov 2016 02:46:55 +0100 Subject: [PATCH 10/24] Fixing book.asciidoc file includes to match actual file names. --- book.asciidoc | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/book.asciidoc b/book.asciidoc index 40a2820d..487a2e45 100644 --- a/book.asciidoc +++ b/book.asciidoc @@ -2,7 +2,7 @@ = Mastering Bitcoin -include::praise.asciidoc[] +include::praise.html[] include::preface.asciidoc[] @@ -18,15 +18,15 @@ include::ch04.asciidoc[] include::ch05.asciidoc[] -include::ch06.asciidoc[] +include::ch06-orig.asciidoc[] -include::ch07.asciidoc[] +include::ch07-orig.asciidoc[] -include::ch08.asciidoc[] +include::ch08-orig.asciidoc[] -include::ch09.asciidoc[] +include::ch09-orig.asciidoc[] -include::ch10.asciidoc[] +include::ch10-orig.asciidoc[] include::appdx-bitcoinwhitepaper.asciidoc[] @@ -38,6 +38,6 @@ include::appdx-pycoin.asciidoc[] include::appdx-bx.asciidoc[] -include::index.asciidoc[] +include::ix.html[] -include::colo.asciidoc[] \ No newline at end of file +include::colo.html[] From 09c6f6ab40124bfe1ed07a20f2fdd7328fe5f393 Mon Sep 17 00:00:00 2001 From: Jonathan Cross Date: Fri, 11 Nov 2016 03:56:40 +0100 Subject: [PATCH 11/24] ch05: Fixing list item content in 'mnemonic code' section. --- ch05.asciidoc | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/ch05.asciidoc b/ch05.asciidoc index 8eb96bd0..3aeb6fe1 100644 --- a/ch05.asciidoc +++ b/ch05.asciidoc @@ -169,12 +169,12 @@ Mnemonic words are generated automatically by the wallet, using a standardized p 4. Divide the sequence into sections of 11 bits. 5. Map each 11-bit value to a word from the predefined dictionary of 2048 words. 6. The mnemonic code is the sequence of words. - ++ .Generating entropy and encoding as mnemonic words image::images/Mnemonic_Words.png["Generating entropy and encoding as mnemonic words"] - ++ The table <>, shows the relationship between the size of entropy data and the length of mnemonic codes in words. - ++ [[table_4-5]] .Mnemonic codes: entropy and word length [options="header"] @@ -186,17 +186,16 @@ The table <>, shows the relationship between the size of entropy data | 224 | 7 | 231 | 21 | 256 | 8 | 264 | 24 |======= - ++ [[mnemonic_to_seed]] -===== From Mnemonic to Seed - -The mnemonic words represent entropy with a length of 128 to 256 bits. The entropy is then used to derive a longer (512-bit) seed through the use of the key-stretching function PBKDF2. The seed produced is then used to build a deterministic wallet and derive its keys. - +**From Mnemonic to Seed** ++ +The mnemonic words represent entropy with a length of 128 to 256 bits. The entropy is then used to derive a longer (512-bit) seed through the use of the key-stretching function PBKDF2. The seed produced is then used to build a deterministic wallet and derive its keys. ++ The key-stretching function takes two parameters: the mnemonic and a _salt_. The purpose of a salt in a key-stretching function is to make it difficult to build a lookup table enabling a brute force attack. In the BIP-39 standard, the salt has another purpose - it allows the introduction of a passphrase which serves as an additional security factor protecting the seed, as we will describe in more detail in <>. - ++ The process described in steps 7 through 9 below continues from the process described previously in <>. -[start=7] 7. The first parameter to the PBKDF2 key-stretching function is the _mnemonic_ produced from step 6 in <>. 8. The second parameter to the PBKDF2 key-stretching function is a _salt_. The salt is composed of the string constant "+mnemonic+" concatenated with an optional user-supplied passphrase string. 9. PBKDF2 stretches the mnemonic and salt parameters using 2048 rounds of hashing with the HMAC-SHA512 algorithm, producing a 512-bit value as its final output. That 512-bit value is the seed. From 0130a18afcd8ec75d8ab61835e19f641af22143d Mon Sep 17 00:00:00 2001 From: Javier Rojas Garcia Date: Wed, 16 Nov 2016 17:10:09 +0100 Subject: [PATCH 12/24] Just a typo in preface.asciidoc: s/to be revised for this editionn/to be revised for this edition --- preface.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/preface.asciidoc b/preface.asciidoc index 07e640c0..cb085778 100644 --- a/preface.asciidoc +++ b/preface.asciidoc @@ -13,7 +13,7 @@ This book is mostly intended for coders. If you can use a programming language, === About Early Release books from O'Reilly -This is an early release copy of __Mastering Bitcoin__'s second edition. The text, figures, and examples are a work in progress, and several chapters are yet to be revised for this editionn. We are releasing the book before it is finished because we hope that it is already useful in its current form and because we would love your feedback in order to create the best possible finished product. +This is an early release copy of __Mastering Bitcoin__'s second edition. The text, figures, and examples are a work in progress, and several chapters are yet to be revised for this edition. We are releasing the book before it is finished because we hope that it is already useful in its current form and because we would love your feedback in order to create the best possible finished product. If you find any errors or glaring omissions, if you find anything confusing, or if you have any ideas for improving the book, please email the author and editors at bookquestions@oreilly.com From 3c1d0d9cb77a6133b8b870eba3f0eded58ed27fe Mon Sep 17 00:00:00 2001 From: "Andreas M. Antonopoulos" Date: Thu, 17 Nov 2016 15:03:32 -0300 Subject: [PATCH 13/24] reorg of ch06 --- ch06.asciidoc | 348 ++++++++++++++++++++++++-------------------------- 1 file changed, 167 insertions(+), 181 deletions(-) diff --git a/ch06.asciidoc b/ch06.asciidoc index 6d99563a..299569ce 100644 --- a/ch06.asciidoc +++ b/ch06.asciidoc @@ -5,105 +5,119 @@ [[ch06_intro]] === Introduction -((("transactions", id="ix_ch06-asciidoc0", range="startofrange")))Transactions are the most important part of the bitcoin system. Everything else in bitcoin is designed to ensure that transactions can be created, propagated on the network, validated, and finally added to the global ledger of transactions (the blockchain). Transactions are data structures that encode the transfer of value between participants in the bitcoin system. Each transaction is a public entry in bitcoin's blockchain, the global double-entry bookkeeping ledger. +((("transactions", id="ix_ch06-asciidoc0", range="startofrange")))Transactions are the most important part of the bitcoin system. Everything else in bitcoin is designed to ensure that transactions can be created, propagated on the network, validated, and finally added to the global ledger of transactions (the blockchain). Transactions are data structures that encode the transfer of value between participants in the bitcoin system. Each transaction is a public entry in bitcoin's blockchain, the global double-entry bookkeeping ledger. -In this chapter we will examine all the various forms of transactions, what they contain, how to create them, how they are verified, and how they become part of the permanent record of all transactions. - -[[tx_lifecycle]] -=== Transaction Lifecycle - -((("transactions","lifecycle of", id="ix_ch06-asciidoc1", range="startofrange")))A transaction's lifecycle starts with the transaction's creation, also known as((("origination of transactions"))) _origination_. The transaction is then signed with one or more signatures indicating the authorization to spend the funds referenced by the transaction. The transaction is then broadcast on the bitcoin network, where each network node (participant) validates and propagates the transaction until it reaches (almost) every node in the network. Finally, the transaction is verified by a mining node and included in a block of transactions that is recorded on the blockchain. - -Once recorded on the blockchain and confirmed by sufficient subsequent blocks (confirmations), the transaction is a permanent part of the bitcoin ledger and is accepted as valid by all participants. The funds allocated to a new owner by the transaction can then be spent in a new transaction, extending the chain of ownership and beginning the lifecycle of a transaction again. - -[[tx_origination]] -==== Creating Transactions - -((("transactions","creating")))In some ways it helps to think of a transaction in the same way as a paper check. Like a check, a transaction is an instrument that expresses the intent to transfer money and is not visible to the financial system until it is submitted for execution. Like a check, the originator of the transaction does not have to be the one signing the transaction. - -Transactions can be created online or offline by anyone, even if the person creating the transaction is not an authorized signer on the account. For example, an accounts payable clerk might process payable checks for signature by the CEO. Similarly, an accounts payable clerk can create bitcoin transactions and then have the CEO apply digital signatures to make them valid. Whereas a check references a specific account as the source of the funds, a bitcoin transaction references a specific previous transaction as its source, rather than an account. - -Once a transaction has been created, it is signed by the owner (or owners) of the source funds. If it is properly formed and signed, the signed transaction is now valid and contains all the information needed to execute the transfer of funds. Finally, the valid transaction has to reach the bitcoin network so that it can be propagated until it reaches a miner for inclusion in the public ledger (the blockchain). - -[[tx_bcast]] -==== Broadcasting Transactions to the Bitcoin Network - -((("bitcoin network","broadcasting transactions to")))((("transactions","broadcasting to network")))First, a transaction needs to be delivered to the bitcoin network so that it can be propagated and included in the blockchain. In essence, a bitcoin transaction is just 300 to 400 bytes of data and has to reach any one of tens of thousands of bitcoin nodes. The senders do not need to trust the nodes they use to broadcast the transaction, as long as they use more than one to ensure that it propagates. The nodes don't need to trust the sender or establish the sender's "identity." Because the transaction is signed and contains no confidential information, private keys, or credentials, it can be publicly broadcast using any underlying network transport that is convenient. Unlike credit card transactions, for example, which contain sensitive information and can only be transmitted on encrypted networks, a bitcoin transaction can be sent over any network. As long as the transaction can reach a bitcoin node that will propagate it into the bitcoin network, it doesn't matter how it is transported to the first node. - -((("insecure networks, transmitting bitcoin over")))Bitcoin transactions can therefore be transmitted to the bitcoin network over insecure networks such as WiFi, Bluetooth, NFC, Chirp, barcodes, or by copying and pasting into a web form. In extreme cases, a bitcoin transaction could be transmitted over packet radio, satellite relay, or shortwave using burst transmission, spread spectrum, or frequency hopping to evade detection and jamming. A bitcoin transaction could even be encoded as smileys (emoticons) and posted in a public forum or sent as a text message or Skype chat message. Bitcoin has turned money into a data structure, making it virtually impossible to stop anyone from creating and executing a bitcoin transaction. - -[[tx_propagation]] -==== Propagating Transactions on the Bitcoin Network - -((("bitcoin network","propagating transactions on")))((("transactions","propagating")))Once a bitcoin transaction is sent to any node connected to the bitcoin network, the transaction will be validated by that node. If valid, that node will propagate it to the other nodes to which it is connected, and a success message will be returned synchronously to the originator. If the transaction is invalid, the node will reject it and synchronously return a rejection message to the originator. - -The bitcoin network is a peer-to-peer network, meaning that each bitcoin node is connected to a few other bitcoin nodes that it discovers during startup through the peer-to-peer protocol. The entire network forms a loosely connected mesh without a fixed topology or any structure, making all nodes equal peers. Messages, including transactions and blocks, are propagated from each node to all the peers to which it is connected, a process called "flooding." A new validated transaction injected into any node on the network will be sent to all of the nodes connected to it (neighbors), each of which will send the transaction to all its neighbors, and so on. In this way, within a few seconds a valid transaction will propagate in an exponentially expanding ripple across the network until all nodes in the network have received it. - -The bitcoin network is designed to propagate transactions and blocks to all nodes in an efficient and resilient manner that is resistant to attacks. To prevent spamming, denial-of-service attacks, or other nuisance attacks against the bitcoin system, every node independently validates every transaction before propagating it further. A malformed transaction will not get beyond one node. The rules by which transactions are validated are explained in more detail in <>.(((range="endofrange", startref="ix_ch06-asciidoc1"))) +In this chapter we will examine all the various forms of transactions, what they contain, how to create them, how they are verified, and how they become part of the permanent record of all transactions. [[tx_structure]] -=== Transaction Structure +=== Transactions in Detail -((("transactions","structure of")))A transaction is a((("data structure"))) _data structure_ that encodes a transfer of value from a source of funds, called an((("inputs, defined"))) _input_, to a destination, called an((("outputs, defined"))) _output_. Transaction inputs and outputs are not related to accounts or identities. Instead, you should think of them as bitcoin amounts—chunks of bitcoin—being locked with a specific secret that only the owner, or person who knows the secret, can unlock. A transaction contains a number of fields, as shown in <>. +In the second chapter, we looked at the transaction Alice used to pay for coffee at Bob's Coffee shop, using a block explorer: -[[tx_data_structure]] -.The structure of a transaction -[options="header"] -|======= -|Size| Field | Description -| 4 bytes | Version | Specifies which rules this transaction follows -| 1–9 bytes (VarInt) | Input Counter | How many inputs are included -| Variable | Inputs | One or more transaction inputs -| 1–9 bytes (VarInt) | Output Counter | How many outputs are included -| Variable | Outputs | One or more transaction outputs -| 4 bytes | Locktime | A Unix timestamp or block number -|======= +.Alice's transaction to Bob's Cafe +image::images/msbt_0208.png["Alice Coffee Transaction"] -.Transaction Locktime -**** -((("locktime")))((("transactions","locktime")))Locktime, also known as nLockTime from the variable name used in the reference client, defines the earliest time that a transaction is valid and can be relayed on the network or added to the blockchain. It is set to zero in most transactions to indicate immediate propagation and execution. If locktime is nonzero and below 500 million, it is interpreted as a block height, meaning the transaction is not valid and is not relayed or included in the blockchain prior to the specified block height. If it is above 500 million, it is interpreted as a Unix Epoch timestamp (seconds since Jan-1-1970) and the transaction is not valid prior to the specified time. Transactions with locktime specifying a future block or time must be held by the originating system and transmitted to the bitcoin network only after they become valid. The use of locktime is equivalent to postdating a paper check. -**** +The block explorer application shows a transaction from Alice's "address" to Bob's "address". This is a much simplified view of what is contained in a transaction. In fact, as we will see in this chapter, much of the information shown above is constructed by the block explorer and is not actually in the transaction. + +==== Transactions - Behind the Scenes + +Behind the scenes, an actual transaction looks very different from a transaction provided by a typical block explorer. In fact, most of the high-level constructs we see in the various bitcoin application user interfaces _do not actually exist_ in the bitcoin system. In bitcoin, there are no coins, no senders, no recipients, no balances, no accounts and no addresses. All those things are constructed at a higher level for the benefit of the user, to make things easier to understand. + +We can use Bitcoin Core's command-line interface (+getrawtransaction+ and +decoderawtransaction+) to retrieve Alice's "raw" transaction, decode it and see what it contains. The result looks like this: + +[source,json] +---- +{ + "version": 1, + "locktime": 0, + "vin": [ + { + "txid": "7957a35fe64f80d234d76d83a2a8f1a0d8149a41d81de548f0a65a8a999f6f18", + "vout": 0, + "scriptSig" : "3045022100884d142d86652a3f47ba4746ec719bbfbd040a570b1deccbb6498c75c4ae24cb02204b9f039ff08df09cbe9f6addac960298cad530a863ea8f53982c09db8f6e3813[ALL] 0484ecc0d46f1918b30928fa0e4ed99f16a0fb4fde0735e7ade8416ab9fe423cc5412336376789d172787ec3457eee41c04f4938de5cc17b4a10fa336a8d752adf", + "sequence": 4294967295 + } + ], + "vout": [ + { + "value": 0.01500000, + "scriptPubKey": "OP_DUP OP_HASH160 ab68025513c3dbd2f7b92a94e0581f5d50f654e7 OP_EQUALVERIFY OP_CHECKSIG" + }, + { + "value": 0.08450000, + "scriptPubKey": "OP_DUP OP_HASH160 7f9b1a7fb68d60c536c2fd8aeaa53a8f3cc025a8 OP_EQUALVERIFY OP_CHECKSIG", + } + ] +} +---- + +You may notice a few things about this transaction, mostly the things that are missing! Where is Alice's address? Where is Bob's address? Where is the 0.1 input "sent" by Alice? + +You may also notice a lot of strange and indecipherable fields and hexadecimal strings. Don't worry, we will explain each field shown here in detail in this chapter. [[tx_inputs_outputs]] === Transaction Outputs and Inputs -((("transactions","unspent transaction output (UTXO)")))((("unspent transaction output (UTXO)")))The fundamental building block of a bitcoin transaction is an _unspent transaction output_, or UTXO. UTXO are indivisible chunks of bitcoin currency locked to a specific owner, recorded on the blockchain, and recognized as currency units by the entire network. The bitcoin network tracks all available (unspent) UTXO currently numbering in the millions. Whenever a user receives bitcoin, that amount is recorded within the blockchain as a UTXO. Thus, a user's bitcoin might be scattered as UTXO amongst hundreds of transactions and hundreds of blocks. In effect, there is no such thing as a stored balance of a bitcoin address or account; there are only scattered UTXO, locked to specific owners. The concept of a user's bitcoin balance is a derived construct created by the wallet application. The wallet calculates the user's balance by scanning the blockchain and aggregating all UTXO belonging to that user. +((("transactions","unspent transaction output (UTXO)")))((("unspent transaction output (UTXO)")))The fundamental building block of a bitcoin transaction is a _transaction output_. Transaction outputs are indivisible chunks of bitcoin currency, recorded on the blockchain, and recognized as valid by the entire network. Bitcoin full nodes track all available and spendable outputs, known as _Unspent Transaction Outputs_ or _UTXO_. The collection of all UTXO is known as the UTXO Set and currently numbers in the millions of UTXO. -[TIP] -==== -((("accounts")))((("balances")))There are no accounts or balances in bitcoin; there are only _unspent transaction outputs_ (UTXO) scattered in the blockchain. -==== +When we say that a user's wallet has "received" bitcoin, what we mean is that the wallet has detected an unspent transaction output (UTXO) which can be spent with one of the keys controlled by that wallet. Thus, a user's bitcoin "balance" is the sum of all UTXO that user's wallet can spend and which may be scattered amongst hundreds of transactions and hundreds of blocks. The concept of a balance is a derived construct created by the wallet application. The wallet calculates the user's balance by scanning the blockchain and aggregating the value of any UTXO that the wallet can spend with the keys it controls. -A UTXO can have an arbitrary value denominated as a multiple of((("satoshis"))) satoshis. Just like dollars can be divided down to two decimal places as cents, bitcoins can be divided down to eight decimal places as satoshis. Although UTXO can be any arbitrary value, once created it is indivisible just like a coin that cannot be cut in half. If a UTXO is larger than the desired value of a transaction, it must still be consumed in its entirety and change must be generated in the transaction. ((("change, making")))In other words, if you have a 20 bitcoin UTXO and want to pay 1 bitcoin, your transaction must consume the entire 20 bitcoin UTXO and produce two outputs: one paying 1 bitcoin to your desired recipient and another paying 19 bitcoin in change back to your wallet. As a result, most bitcoin transactions will generate change. +A transaction output can have an arbitrary value denominated as a multiple of((("satoshis"))) satoshis. Just like dollars can be divided down to two decimal places as cents, bitcoins can be divided down to eight decimal places as satoshis. Although an output can have any arbitrary value, once created it is indivisible. This is an important characteristic of outputs that needs to be emphasized: outputs are *discreet* and *indivisible* units of value, denominated in satoshis. An unspent output can only be consumed in its entirety by a transaction. + +If an unspent transaction output is larger than the desired value of a transaction, it must still be consumed in its entirety and change must be generated in the transaction. ((("change, making")))In other words, if you have a UTXO worth 20 bitcoin and want to pay only 1 bitcoin, your transaction must consume the entire 20-bitcoin UTXO and produce two outputs: one paying 1 bitcoin to your desired recipient and another paying 19 bitcoin in change back to your wallet. As a result of the indivisibe nature of transaction outputs, most bitcoin transactions will have to generate change. Imagine a shopper buying a $1.50 beverage, reaching into her wallet and trying to find a combination of coins and bank notes to cover the $1.50 cost. The shopper will choose exact change if available (a dollar bill and two quarters), or a combination of smaller denominations (six quarters), or if necessary, a larger unit such as a five dollar bank note. If she hands too much money, say $5, to the shop owner, she will expect $3.50 change, which she will return to her wallet and have available for future transactions. -Similarly, a bitcoin transaction must be created from a user's UTXO in whatever denominations that user has available. Users cannot cut a UTXO in half any more than they can cut a dollar bill in half and use it as currency. The user's wallet application will typically select from the user's available UTXO various units to compose an amount greater than or equal to the desired transaction amount. +Similarly, a bitcoin transaction must be created from a user's UTXO in whatever denominations that user has available. Users cannot cut a UTXO in half any more than they can cut a dollar bill in half and use it as currency. The user's wallet application will typically select from the user's available UTXO to compose an amount greater than or equal to the desired transaction amount. -As with real life, the bitcoin application can use several strategies to satisfy the purchase amount: combining several smaller units, finding exact change, or using a single unit larger than the transaction value and making change. All of this complex assembly of spendable UTXO is done by the user's wallet automatically and is invisible to users. It is only relevant if you are programmatically constructing raw transactions from UTXO. +As with real life, the bitcoin application can use several strategies to satisfy the purchase amount: combining several smaller units, finding exact change, or using a single unit larger than the transaction value and making change. All of this complex assembly of spendable UTXO is done by the user's wallet automatically and is invisible to users. It is only relevant if you are programmatically constructing raw transactions from UTXO. -The UTXO consumed by a transaction are called transaction inputs, and the UTXO created by a transaction are called transaction outputs. This way, chunks of bitcoin value move forward from owner to owner in a chain of transactions consuming and creating UTXO. Transactions consume UTXO by unlocking it with the signature of the current owner and create UTXO by locking it to the bitcoin address of the new owner. +A transaction consumes previously-recorded unspent transaction outputs and creates new transaction outputs that can be consumed by a future transaction. This way, chunks of bitcoin value move forward from owner to owner in a chain of transactions consuming and creating UTXO. -The exception to the output and input chain is a special type of transaction called the _coinbase_ transaction, which is the first transaction in each block. This transaction is placed there by the "winning" miner and creates brand-new bitcoin payable to that miner as a reward for mining. This is how bitcoin's money supply is created during the mining process, as we will see in <>. +The exception to the output and input chain is a special type of transaction called the _coinbase_ transaction, which is the first transaction in each block. This transaction is placed there by the "winning" miner and creates brand-new bitcoin payable to that miner as a reward for mining. This special coinbase transaction does not consume UTXO, instead it has a special type of input called the "coinbase". This is how bitcoin's money supply is created during the mining process, as we will see in <>. [TIP] ==== -What comes first? Inputs or outputs, the chicken or the egg? Strictly speaking, outputs come first because coinbase transactions, which generate new bitcoin, have no inputs and create outputs from nothing. +What comes first? Inputs or outputs, the chicken or the egg? Strictly speaking, outputs come first because coinbase transactions, which generate new bitcoin, have no inputs and create outputs from nothing. ==== +Since outputs come first, we will examine the + [[tx_outs]] ==== Transaction Outputs -((("bitcoin ledger, outputs in", id="ix_ch06-asciidoc2", range="startofrange")))((("transactions","outputs", id="ix_ch06-asciidoc3", range="startofrange")))((("unspent transaction output (UTXO)", id="ix_ch06-asciidoc4", range="startofrange")))Every bitcoin transaction creates outputs, which are recorded on the bitcoin ledger. Almost all of these outputs, with one exception (see <>) create spendable chunks of bitcoin called _unspent transaction outputs_ or UTXO, which are then recognized by the whole network and available for the owner to spend in a future transaction. Sending someone bitcoin is creating an unspent transaction output (UTXO) registered to their address and available for them to spend. +((("bitcoin ledger, outputs in", id="ix_ch06-asciidoc2", range="startofrange")))((("transactions","outputs", id="ix_ch06-asciidoc3", range="startofrange")))((("unspent transaction output (UTXO)", id="ix_ch06-asciidoc4", range="startofrange")))Every bitcoin transaction creates outputs, which are recorded on the bitcoin ledger. Almost all of these outputs, with one exception (see <>) create spendable chunks of bitcoin called _unspent transaction outputs_ or UTXO, which are then recognized by the whole network and available for the owner to spend in a future transaction. Sending someone bitcoin is creating an unspent transaction output (UTXO) for them to spend. -UTXO are tracked by every full-node bitcoin client as a data set called the((("UTXO pool")))((("UTXO set"))) _UTXO set_ or _UTXO pool_, held in a database. New transactions consume (spend) one or more of these outputs from the UTXO set. +UTXO are tracked by every full-node bitcoin client as a data set called the((("UTXO pool")))((("UTXO set"))) _UTXO set_ or _UTXO pool_, held in a database. New transactions consume (spend) one or more of these outputs from the UTXO set. -Transaction outputs consist of two parts: +Transaction outputs consist of two parts: * An amount of bitcoin, denominated in _satoshis_, the smallest bitcoin unit -* A((("encumbrance")))((("locking scripts"))) _locking script_, also known as an "encumbrance" that "locks" this amount by specifying the conditions that must be met to spend the output +* A cryptographic puzzle that determines the conditions required to spend the output -The transaction scripting language, used in the locking script mentioned previously, is discussed in detail in <>. <> shows the structure of a transaction output. +The cryptographic puzzle, is also known as a ((("locking scripts"))) _locking script_, a _witness script_ or a +scriptPubKey+. + +The transaction scripting language, used in the locking script mentioned previously, is discussed in detail in <>. + +Now, let's look at Alice's transaction and see if we can identify the outputs. In the JSON encoding, the outputs are in an array (list) named +vout+: + +[source,json] +---- +"vout": [ + { + "value": 0.01500000, + "scriptPubKey": "OP_DUP OP_HASH160 ab68025513c3dbd2f7b92a94e0581f5d50f654e7 OP_EQUALVERIFY OP_CHECKSIG" + }, + { + "value": 0.08450000, + "scriptPubKey": "OP_DUP OP_HASH160 7f9b1a7fb68d60c536c2fd8aeaa53a8f3cc025a8 OP_EQUALVERIFY OP_CHECKSIG", + } +] +---- + +As you can see, the transaction contains two outputs. Each output is defined by a value and a cryptographic puzzle. In the encoding shown by Bitcoin Core above, the value is shown in bitcoin. The second part of each output is the cryptographic puzzle that sets the conditions for spending. Bitcoin Core shows this as +scriptPubKey+ and shows us a human-readable representation of the script (see <>). + +When transactions are transmitted over the network or exchanged between applications, they are _serialized_ and represented as a byte-stream, with a standardized variable-length encoding for each of the fields in the transaction. The serialization format of a transaction output is show in <>: [[tx_out_structure]] .The structure of a transaction output @@ -115,68 +129,18 @@ The transaction scripting language, used in the locking script mentioned previou | Variable | Locking-Script | A script defining the conditions needed to spend the output |======= -In <>, we use the blockchain.info API to find the unspent outputs (UTXO) of a specific address. +==== Locking and Unlocking UTXO - Cryptographic Puzzles and Witnesses -[[get_utxo]] -.A script that calls the blockchain.info API to find the UTXO related to an address -==== -[source, python] ----- -include::code/get-utxo.py[] ----- -==== -Running the script, we see a list of transaction IDs, a colon, the index number of the specific unspent transaction output (UTXO), and the value of that UTXO in satoshis. The locking script is not shown in the output in <>. - -[[get_utxo_run]] -.Running the get-utxo.py script -==== -[source,bash] ----- -$ python get-utxo.py -ebadfaa92f1fd29e2fe296eda702c48bd11ffd52313e986e99ddad9084062167:1 - 8000000 Satoshis -6596fd070679de96e405d52b51b8e1d644029108ec4cbfe451454486796a1ecf:0 - 16050000 Satoshis -74d788804e2aae10891d72753d1520da1206e6f4f20481cc1555b7f2cb44aca0:0 - 5000000 Satoshis -b2affea89ff82557c60d635a2a3137b8f88f12ecec85082f7d0a1f82ee203ac4:0 - 10000000 Satoshis -... ----- -==== - -===== Spending conditions (encumbrances) - -((("encumbrance")))((("locking scripts")))Transaction outputs associate a specific amount (in satoshis) to a specific _encumbrance_ or locking script that defines the condition that must be met to spend that amount. In most cases, the locking script will lock the output to a specific bitcoin address, thereby transferring ownership of that amount to the new owner. When Alice paid Bob's Cafe for a cup of coffee, her transaction created a 0.015 bitcoin output _encumbered_ or locked to the cafe's bitcoin address. That 0.015 bitcoin output was recorded on the blockchain and became part of the Unspent Transaction Output set, meaning it showed in Bob's wallet as part of the available balance. When Bob chooses to spend that amount, his transaction will release the encumbrance, unlocking the output by providing an unlocking script containing a signature from Bob's private key.(((range="endofrange", startref="ix_ch06-asciidoc4")))(((range="endofrange", startref="ix_ch06-asciidoc3")))(((range="endofrange", startref="ix_ch06-asciidoc2"))) [[tx_inputs]] ==== Transaction Inputs -((("transactions","inputs", id="ix_ch06-asciidoc5", range="startofrange")))In simple terms, transaction inputs are pointers to UTXO. They point to a specific UTXO by reference to the transaction hash and sequence number where the UTXO is recorded in the blockchain. To spend UTXO, a transaction input also includes unlocking scripts that satisfy the spending conditions set by the UTXO. The unlocking script is usually a signature proving ownership of the bitcoin address that is in the locking script. +((("transactions","inputs", id="ix_ch06-asciidoc5", range="startofrange")))In simple terms, transaction inputs are pointers to UTXO. They point to a specific UTXO by reference to the transaction hash and sequence number where the UTXO is recorded in the blockchain. To spend UTXO, a transaction input also includes unlocking scripts that satisfy the spending conditions set by the UTXO. The unlocking script is usually a signature proving ownership of the bitcoin address that is in the locking script. -When users make a payment, their wallet constructs a transaction by selecting from the available UTXO. For example, to make a 0.015 bitcoin payment, the wallet app may select a 0.01 UTXO and a 0.005 UTXO, using them both to add up to the desired payment amount. +When users make a payment, their wallet constructs a transaction by selecting from the available UTXO. For example, to make a 0.015 bitcoin payment, the wallet app may select a 0.01 UTXO and a 0.005 UTXO, using them both to add up to the desired payment amount. -In <>, we show the use of a "greedy" algorithm to select from available UTXO in order to make a specific payment amount. In the example, the available UTXO are provided as a constant array, but in reality, the available UTXO would be retrieved with an RPC call to Bitcoin Core, or to a third-party API as shown in <>. - -[[select_utxo]] -.A script for calculating how much total bitcoin will be issued -==== -[source, python] ----- -include::code/select-utxo.py[] ----- -==== - -If we run the _select-utxo.py_ script without a parameter, it will attempt to construct a set of UTXO (and change) for a payment of 55,000,000 satoshis (0.55 bitcoin). If you provide a target payment amount as a parameter, the script will select UTXO to make that target payment amount. In <>, we run the script trying to make a payment of 0.5 bitcoin or 50,000,000 satoshis. - -[[select_utxo_run]] -.Running the select-utxo.py script -==== ----- -$ python select-utxo.py 50000000 -For transaction amount 50000000 Satoshis (0.500000 bitcoin) use: -([<7dbc497969c7475e45d952c4a872e213fb15d45e5cd3473c386a71a1b0c136a1:0 with 25000000 Satoshis>, <7f42eda67921ee92eae5f79bd37c68c9cb859b899ce70dba68c48338857b7818:0 with 16100000 Satoshis>, <6596fd070679de96e405d52b51b8e1d644029108ec4cbfe451454486796a1ecf:0 with 16050000 Satoshis>], 'Change: 7150000 Satoshis') ----- -==== - -Once the UTXO is selected, the wallet then produces unlocking scripts containing signatures for each of the UTXO, thereby making them spendable by satisfying their locking script conditions. The wallet adds these UTXO references and unlocking scripts as inputs to the transaction. <> shows the structure of a transaction input. +Once the UTXO is selected, the wallet then produces unlocking scripts containing signatures for each of the UTXO, thereby making them spendable by satisfying their locking script conditions. The wallet adds these UTXO references and unlocking scripts as inputs to the transaction. <> shows the structure of a transaction input. [[tx_in_structure]] .The structure of a transaction input @@ -198,19 +162,19 @@ The sequence number is used to override a transaction prior to the expiration of [[tx_fees]] ==== Transaction Fees -((("fees, transaction", id="ix_ch06-asciidoc6", range="startofrange")))Most transactions include transaction fees, which compensate the bitcoin miners for securing the network. Mining and the fees and rewards collected by miners are discussed in more detail in <>. This section examines how transaction fees are included in a typical transaction. Most wallets calculate and include transaction fees automatically. However, if you are constructing transactions programmatically, or using a command-line interface, you must manually account for and include these fees. - -Transaction fees serve as an incentive to include (mine) a transaction into the next block and also as a disincentive against "spam" transactions or any kind of abuse of the system, by imposing a small cost on every transaction. Transaction fees are collected by the miner who mines the block that records the transaction on the blockchain. +((("fees, transaction", id="ix_ch06-asciidoc6", range="startofrange")))Most transactions include transaction fees, which compensate the bitcoin miners for securing the network. Mining and the fees and rewards collected by miners are discussed in more detail in <>. This section examines how transaction fees are included in a typical transaction. Most wallets calculate and include transaction fees automatically. However, if you are constructing transactions programmatically, or using a command-line interface, you must manually account for and include these fees. -((("fees, transaction","calculating")))Transaction fees are calculated based on the size of the transaction in kilobytes, not the value of the transaction in bitcoin. Overall, transaction fees are set based on market forces within the bitcoin network. Miners prioritize transactions based on many different criteria, including fees, and might even process transactions for free under certain circumstances. Transaction fees affect the processing priority, meaning that a transaction with sufficient fees is likely to be included in the next-most–mined block, whereas a transaction with insufficient or no fees might be delayed, processed on a best-effort basis after a few blocks, or not processed at all. Transaction fees are not mandatory, and transactions without fees might be processed eventually; however, including transaction fees encourages priority processing. +Transaction fees serve as an incentive to include (mine) a transaction into the next block and also as a disincentive against "spam" transactions or any kind of abuse of the system, by imposing a small cost on every transaction. Transaction fees are collected by the miner who mines the block that records the transaction on the blockchain. -Over time, the way transaction fees are calculated and the effect they have on transaction prioritization has been evolving. At first, transaction fees were fixed and constant across the network. Gradually, the fee structure has been relaxed so that it may be influenced by market forces, based on network capacity and transaction volume. The current minimum transaction fee is fixed at 0.0001 bitcoin or a tenth of a milli-bitcoin per kilobyte, recently decreased from one milli-bitcoin. Most transactions are less than one kilobyte; however, those with multiple inputs or outputs can be larger. In future revisions of the bitcoin protocol, it is expected that wallet applications will use statistical analysis to calculate the most appropriate fee to attach to a transaction based on the average fees of recent transactions. +((("fees, transaction","calculating")))Transaction fees are calculated based on the size of the transaction in kilobytes, not the value of the transaction in bitcoin. Overall, transaction fees are set based on market forces within the bitcoin network. Miners prioritize transactions based on many different criteria, including fees, and might even process transactions for free under certain circumstances. Transaction fees affect the processing priority, meaning that a transaction with sufficient fees is likely to be included in the next-most–mined block, whereas a transaction with insufficient or no fees might be delayed, processed on a best-effort basis after a few blocks, or not processed at all. Transaction fees are not mandatory, and transactions without fees might be processed eventually; however, including transaction fees encourages priority processing. + +Over time, the way transaction fees are calculated and the effect they have on transaction prioritization has been evolving. At first, transaction fees were fixed and constant across the network. Gradually, the fee structure has been relaxed so that it may be influenced by market forces, based on network capacity and transaction volume. The current minimum transaction fee is fixed at 0.0001 bitcoin or a tenth of a milli-bitcoin per kilobyte, recently decreased from one milli-bitcoin. Most transactions are less than one kilobyte; however, those with multiple inputs or outputs can be larger. In future revisions of the bitcoin protocol, it is expected that wallet applications will use statistical analysis to calculate the most appropriate fee to attach to a transaction based on the average fees of recent transactions. The current algorithm used by miners to prioritize transactions for inclusion in a block based on their fees is examined in detail in <>.(((range="endofrange", startref="ix_ch06-asciidoc6"))) - + ==== Adding Fees to Transactions -((("fees, transaction","adding", id="ix_ch06-asciidoc7", range="startofrange")))((("transactions","fees", id="ix_ch06-asciidoc8", range="startofrange")))The data structure of transactions does not have a field for fees. Instead, fees are implied as the difference between the sum of inputs and the sum of outputs. Any excess amount that remains after all outputs have been deducted from all inputs is the fee that is collected by the miners. +((("fees, transaction","adding", id="ix_ch06-asciidoc7", range="startofrange")))((("transactions","fees", id="ix_ch06-asciidoc8", range="startofrange")))The data structure of transactions does not have a field for fees. Instead, fees are implied as the difference between the sum of inputs and the sum of outputs. Any excess amount that remains after all outputs have been deducted from all inputs is the fee that is collected by the miners. [[tx_fee_equation]] @@ -221,38 +185,38 @@ Fees = Sum(Inputs) – Sum(Outputs) This is a somewhat confusing element of transactions and an important point to understand, because if you are constructing your own transactions you must ensure you do not inadvertently include a very large fee by underspending the inputs. That means that you must account for all inputs, if necessary by creating change, or you will end up giving the miners a very big tip! -For example, if you consume a 20-bitcoin UTXO to make a 1-bitcoin payment, you must include a 19-bitcoin change output back to your wallet. Otherwise, the 19-bitcoin "leftover" will be counted as a transaction fee and will be collected by the miner who mines your transaction in a block. Although you will receive priority processing and make a miner very happy, this is probably not what you intended. +For example, if you consume a 20-bitcoin UTXO to make a 1-bitcoin payment, you must include a 19-bitcoin change output back to your wallet. Otherwise, the 19-bitcoin "leftover" will be counted as a transaction fee and will be collected by the miner who mines your transaction in a block. Although you will receive priority processing and make a miner very happy, this is probably not what you intended. [WARNING] ==== If you forget to add a change output in a manually constructed transaction, you will be paying the change as a transaction fee. "Keep the change!" might not be what you intended. ==== -Let's see how this works in practice, by looking at Alice's coffee purchase again. Alice wants to spend 0.015 bitcoin to pay for coffee. To ensure this transaction is processed promptly, she will want to include a transaction fee, say 0.001. That will mean that the total cost of the transaction will be 0.016. Her wallet must therefore source a set of UTXO that adds up to 0.016 bitcoin or more and, if necessary, create change. Let's say her wallet has a 0.2-bitcoin UTXO available. It will therefore need to consume this UTXO, create one output to Bob's Cafe for 0.015, and a second output with 0.184 bitcoin in change back to her own wallet, leaving 0.001 bitcoin unallocated, as an implicit fee for the transaction. +Let's see how this works in practice, by looking at Alice's coffee purchase again. Alice wants to spend 0.015 bitcoin to pay for coffee. To ensure this transaction is processed promptly, she will want to include a transaction fee, say 0.001. That will mean that the total cost of the transaction will be 0.016. Her wallet must therefore source a set of UTXO that adds up to 0.016 bitcoin or more and, if necessary, create change. Let's say her wallet has a 0.2-bitcoin UTXO available. It will therefore need to consume this UTXO, create one output to Bob's Cafe for 0.015, and a second output with 0.184 bitcoin in change back to her own wallet, leaving 0.001 bitcoin unallocated, as an implicit fee for the transaction. -Now let's look at a different scenario. Eugenia, our children's charity director in the Philippines, has completed a fundraiser to purchase school books for the children. She received several thousand small donations from people all around the world, totaling 50 bitcoin, so her wallet is full of very small payments (UTXO). Now she wants to purchase hundreds of school books from a local publisher, paying in bitcoin. +Now let's look at a different scenario. Eugenia, our children's charity director in the Philippines, has completed a fundraiser to purchase school books for the children. She received several thousand small donations from people all around the world, totaling 50 bitcoin, so her wallet is full of very small payments (UTXO). Now she wants to purchase hundreds of school books from a local publisher, paying in bitcoin. -As Eugenia's wallet application tries to construct a single larger payment transaction, it must source from the available UTXO set, which is composed of many smaller amounts. That means that the resulting transaction will source from more than a hundred small-value UTXO as inputs and only one output, paying the book publisher. A transaction with that many inputs will be larger than one kilobyte, perhaps 2 to 3 kilobytes in size. As a result, it will require a higher fee than the minimal network fee of 0.0001 bitcoin. +As Eugenia's wallet application tries to construct a single larger payment transaction, it must source from the available UTXO set, which is composed of many smaller amounts. That means that the resulting transaction will source from more than a hundred small-value UTXO as inputs and only one output, paying the book publisher. A transaction with that many inputs will be larger than one kilobyte, perhaps 2 to 3 kilobytes in size. As a result, it will require a higher fee than the minimal network fee of 0.0001 bitcoin. -Eugenia's wallet application will calculate the appropriate fee by measuring the size of the transaction and multiplying that by the per-kilobyte fee. Many wallets will overpay fees for larger transactions to ensure the transaction is processed promptly. The higher fee is not because Eugenia is spending more money, but because her transaction is more complex and larger in size—the fee is independent of the transaction's bitcoin value.(((range="endofrange", startref="ix_ch06-asciidoc8")))(((range="endofrange", startref="ix_ch06-asciidoc7"))) +Eugenia's wallet application will calculate the appropriate fee by measuring the size of the transaction and multiplying that by the per-kilobyte fee. Many wallets will overpay fees for larger transactions to ensure the transaction is processed promptly. The higher fee is not because Eugenia is spending more money, but because her transaction is more complex and larger in size—the fee is independent of the transaction's bitcoin value.(((range="endofrange", startref="ix_ch06-asciidoc8")))(((range="endofrange", startref="ix_ch06-asciidoc7"))) [[tx_chains]] === Transaction Chaining and Orphan Transactions -((("chaining transactions")))((("orphan transactions")))((("transactions","chaining")))((("transactions","orphan")))As we have seen, transactions form a chain, whereby one transaction spends the outputs of the previous transaction (known as the parent) and creates outputs for a subsequent transaction (known as the child). Sometimes an entire chain of transactions depending on each other—say a parent, child, and grandchild transaction—are created at the same time, to fulfill a complex transactional workflow that requires valid children to be signed before the parent is signed. For example, this is a technique used in((("CoinJoin"))) CoinJoin transactions where multiple parties join transactions together to protect their privacy. +((("chaining transactions")))((("orphan transactions")))((("transactions","chaining")))((("transactions","orphan")))As we have seen, transactions form a chain, whereby one transaction spends the outputs of the previous transaction (known as the parent) and creates outputs for a subsequent transaction (known as the child). Sometimes an entire chain of transactions depending on each other—say a parent, child, and grandchild transaction—are created at the same time, to fulfill a complex transactional workflow that requires valid children to be signed before the parent is signed. For example, this is a technique used in((("CoinJoin"))) CoinJoin transactions where multiple parties join transactions together to protect their privacy. -When a chain of transactions is transmitted across the network, they don't always arrive in the same order. Sometimes, the child might arrive before the parent. In that case, the nodes that see a child first can see that it references a parent transaction that is not yet known. Rather than reject the child, they put it in a temporary pool to await the arrival of its parent and propagate it to every other node. The pool of transactions without parents is known as the((("orphan transaction pool"))) _orphan transaction pool_. Once the parent arrives, any orphans that reference the UTXO created by the parent are released from the pool, revalidated recursively, and then the entire chain of transactions can be included in the transaction pool, ready to be mined in a block. Transaction chains can be arbitrarily long, with any number of generations transmitted simultaneously. The mechanism of holding orphans in the orphan pool ensures that otherwise valid transactions will not be rejected just because their parent has been delayed and that eventually the chain they belong to is reconstructed in the correct order, regardless of the order of arrival. +When a chain of transactions is transmitted across the network, they don't always arrive in the same order. Sometimes, the child might arrive before the parent. In that case, the nodes that see a child first can see that it references a parent transaction that is not yet known. Rather than reject the child, they put it in a temporary pool to await the arrival of its parent and propagate it to every other node. The pool of transactions without parents is known as the((("orphan transaction pool"))) _orphan transaction pool_. Once the parent arrives, any orphans that reference the UTXO created by the parent are released from the pool, revalidated recursively, and then the entire chain of transactions can be included in the transaction pool, ready to be mined in a block. Transaction chains can be arbitrarily long, with any number of generations transmitted simultaneously. The mechanism of holding orphans in the orphan pool ensures that otherwise valid transactions will not be rejected just because their parent has been delayed and that eventually the chain they belong to is reconstructed in the correct order, regardless of the order of arrival. -There is a limit to the number of orphan transactions stored in memory, to prevent a denial-of-service attack against bitcoin nodes. The limit is defined as((("MAX_ORPHAN_TRANSACTIONS constant"))) +MAX_ORPHAN_TRANSACTIONS+ in the source code of the bitcoin reference client. If the number of orphan transactions in the pool exceeds +MAX_ORPHAN_TRANSACTIONS+, one or more randomly selected orphan transactions are evicted from the pool, until the pool size is back within limits. +There is a limit to the number of orphan transactions stored in memory, to prevent a denial-of-service attack against bitcoin nodes. The limit is defined as((("MAX_ORPHAN_TRANSACTIONS constant"))) +MAX_ORPHAN_TRANSACTIONS+ in the source code of the bitcoin reference client. If the number of orphan transactions in the pool exceeds +MAX_ORPHAN_TRANSACTIONS+, one or more randomly selected orphan transactions are evicted from the pool, until the pool size is back within limits. [[tx_script]] === Transaction Scripts and Script Language -((("scripts", id="ix_ch06-asciidoc9", range="startofrange")))((("transactions","script language for", id="ix_ch06-asciidoc10", range="startofrange")))((("transactions","validation", id="ix_ch06-asciidoc11", range="startofrange")))((("validation (transaction)", id="ix_ch06-asciidoc12", range="startofrange")))Bitcoin clients validate transactions by executing a script, written in a Forth-like scripting language. Both the locking script (encumbrance) placed on a UTXO and the unlocking script that usually contains a signature are written in this scripting language. When a transaction is validated, the unlocking script in each input is executed alongside the corresponding locking script to see if it satisfies the spending condition. +((("scripts", id="ix_ch06-asciidoc9", range="startofrange")))((("transactions","script language for", id="ix_ch06-asciidoc10", range="startofrange")))((("transactions","validation", id="ix_ch06-asciidoc11", range="startofrange")))((("validation (transaction)", id="ix_ch06-asciidoc12", range="startofrange")))Bitcoin clients validate transactions by executing a script, written in a Forth-like scripting language. Both the locking script (encumbrance) placed on a UTXO and the unlocking script that usually contains a signature are written in this scripting language. When a transaction is validated, the unlocking script in each input is executed alongside the corresponding locking script to see if it satisfies the spending condition. -Today, most transactions processed through the bitcoin network have the form "Alice pays Bob" and are based on the same script called a Pay-to-Public-Key-Hash script. However, the use of scripts to lock outputs and unlock inputs means that through use of the programming language, transactions can contain an infinite number of conditions. Bitcoin transactions are not limited to the "Alice pays Bob" form and pattern. +Today, most transactions processed through the bitcoin network have the form "Alice pays Bob" and are based on the same script called a Pay-to-Public-Key-Hash script. However, the use of scripts to lock outputs and unlock inputs means that through use of the programming language, transactions can contain an infinite number of conditions. Bitcoin transactions are not limited to the "Alice pays Bob" form and pattern. -This is only the tip of the iceberg of possibilities that can be expressed with this scripting language. In this section, we will demonstrate the components of the bitcoin transaction scripting language and show how it can be used to express complex conditions for spending and how those conditions can be satisfied by unlocking scripts. +This is only the tip of the iceberg of possibilities that can be expressed with this scripting language. In this section, we will demonstrate the components of the bitcoin transaction scripting language and show how it can be used to express complex conditions for spending and how those conditions can be satisfied by unlocking scripts. [TIP] ==== @@ -261,19 +225,19 @@ Bitcoin transaction validation is not based on a static pattern, but instead is ==== Script Construction (Lock + Unlock) -((("scripts","construction of")))((("validation (transaction)","script construction for")))Bitcoin's transaction validation engine relies on two types of scripts to validate transactions: a locking script and an unlocking script. +((("scripts","construction of")))((("validation (transaction)","script construction for")))Bitcoin's transaction validation engine relies on two types of scripts to validate transactions: a locking script and an unlocking script. -((("locking scripts","transaction validation and")))((("validation (transaction)","locking scripts")))A locking script is an encumbrance placed on an output, and it specifies the conditions that must be met to spend the output in the future. Historically, the locking script was called a _scriptPubKey_, because it usually contained a public key or bitcoin address. In this book we refer to it as a "locking script" to acknowledge the much broader range of possibilities of this scripting technology. In most bitcoin applications, what we refer to as a locking script will appear in the source code as +scriptPubKey+. +((("locking scripts","transaction validation and")))((("validation (transaction)","locking scripts")))A locking script is an encumbrance placed on an output, and it specifies the conditions that must be met to spend the output in the future. Historically, the locking script was called a _scriptPubKey_, because it usually contained a public key or bitcoin address. In this book we refer to it as a "locking script" to acknowledge the much broader range of possibilities of this scripting technology. In most bitcoin applications, what we refer to as a locking script will appear in the source code as +scriptPubKey+. ((("unlocking scripts","transaction validation and")))An unlocking script is a script that "solves," or satisfies, the conditions placed on an output by a locking script and allows the output to be spent. Unlocking scripts are part of every transaction input, and most of the time they contain a digital signature produced by the user's wallet from his or her private key. Historically, the unlocking script is called _scriptSig_, because it usually contained a digital signature. In most bitcoin applications, the source code refers to the unlocking script as +scriptSig+. In this book, we refer to it as an "unlocking script" to acknowledge the much broader range of locking script requirements, because not all unlocking scripts must contain signatures. -Every bitcoin client will validate transactions by executing the locking and unlocking scripts together. For each input in the transaction, the validation software will first retrieve the UTXO referenced by the input. That UTXO contains a locking script defining the conditions required to spend it. The validation software will then take the unlocking script contained in the input that is attempting to spend this UTXO and execute the two scripts. +Every bitcoin client will validate transactions by executing the locking and unlocking scripts together. For each input in the transaction, the validation software will first retrieve the UTXO referenced by the input. That UTXO contains a locking script defining the conditions required to spend it. The validation software will then take the unlocking script contained in the input that is attempting to spend this UTXO and execute the two scripts. In the original bitcoin client, the unlocking and locking scripts were concatenated and executed in sequence. For security reasons, this was changed in 2010, because of a vulnerability that allowed a malformed unlocking script to push data onto the stack and corrupt the locking script. In the current implementation, the scripts are executed separately with the stack transferred between the two executions, as described next. First, the unlocking script is executed, using the stack execution engine. If the unlocking script executed without errors (e.g., it has no "dangling" operators left over), the main stack (not the alternate stack) is copied and the locking script is executed. If the result of executing the locking script with the stack data copied from the unlocking script is "TRUE," the unlocking script has succeeded in resolving the conditions imposed by the locking script and, therefore, the input is a valid authorization to spend the UTXO. If any result other than "TRUE" remains after execution of the combined script, the input is invalid because it has failed to satisfy the spending conditions placed on the UTXO. Note that the UTXO is permanently recorded in the blockchain, and therefore is invariable and is unaffected by failed attempts to spend it by reference in a new transaction. Only a valid transaction that correctly satisfies the conditions of the UTXO results in the UTXO being marked as "spent" and removed from the set of available (unspent) UTXO. -<> is an example of the unlocking and locking scripts for the most common type of bitcoin transaction (a payment to a public key hash), showing the combined script resulting from the concatenation of the unlocking and locking scripts prior to script validation. +<> is an example of the unlocking and locking scripts for the most common type of bitcoin transaction (a payment to a public key hash), showing the combined script resulting from the concatenation of the unlocking and locking scripts prior to script validation. [[scriptSig_and_scriptPubKey]] .Combining scriptSig and scriptPubKey to evaluate a transaction script @@ -283,15 +247,15 @@ image::images/msbt_0501.png["scriptSig_and_scriptPubKey"] [[tx_script_language]] ==== Scripting Language -((("Script language", id="ix_ch06-asciidoc13", range="startofrange")))((("scripts","language for", id="ix_ch06-asciidoc14", range="startofrange")))The bitcoin transaction script language, called _Script_, is a Forth-like reverse-polish notation stack-based execution language. If that sounds like gibberish, you probably haven't studied 1960's programming languages. Script is a very simple language that was designed to be limited in scope and executable on a range of hardware, perhaps as simple as an embedded device, such as a handheld calculator. It requires minimal processing and cannot do many of the fancy things modern programming languages can do. In the case of programmable money, that is a deliberate security feature. +((("Script language", id="ix_ch06-asciidoc13", range="startofrange")))((("scripts","language for", id="ix_ch06-asciidoc14", range="startofrange")))The bitcoin transaction script language, called _Script_, is a Forth-like reverse-polish notation stack-based execution language. If that sounds like gibberish, you probably haven't studied 1960's programming languages. Script is a very simple language that was designed to be limited in scope and executable on a range of hardware, perhaps as simple as an embedded device, such as a handheld calculator. It requires minimal processing and cannot do many of the fancy things modern programming languages can do. In the case of programmable money, that is a deliberate security feature. -Bitcoin's scripting language is called a stack-based language because it uses a data structure called a((("stack, defined"))) _stack_. A stack is a very simple data structure, which can be visualized as a stack of cards. A stack allows two operations: push and pop. Push adds an item on top of the stack. Pop removes the top item from the stack. +Bitcoin's scripting language is called a stack-based language because it uses a data structure called a((("stack, defined"))) _stack_. A stack is a very simple data structure, which can be visualized as a stack of cards. A stack allows two operations: push and pop. Push adds an item on top of the stack. Pop removes the top item from the stack. -The scripting language executes the script by processing each item from left to right. Numbers (data constants) are pushed onto the stack. Operators push or pop one or more parameters from the stack, act on them, and might push a result onto the stack. For example, +OP_ADD+ will pop two items from the stack, add them, and push the resulting sum onto the stack. +The scripting language executes the script by processing each item from left to right. Numbers (data constants) are pushed onto the stack. Operators push or pop one or more parameters from the stack, act on them, and might push a result onto the stack. For example, +OP_ADD+ will pop two items from the stack, add them, and push the resulting sum onto the stack. -Conditional operators evaluate a condition, producing a boolean result of TRUE or FALSE. For example, +OP_EQUAL+ pops two items from the stack and pushes TRUE (TRUE is represented by the number 1) if they are equal or FALSE (represented by zero) if they are not equal. Bitcoin transaction scripts usually contain a conditional operator, so that they can produce the TRUE result that signifies a valid transaction. +Conditional operators evaluate a condition, producing a boolean result of TRUE or FALSE. For example, +OP_EQUAL+ pops two items from the stack and pushes TRUE (TRUE is represented by the number 1) if they are equal or FALSE (represented by zero) if they are not equal. Bitcoin transaction scripts usually contain a conditional operator, so that they can produce the TRUE result that signifies a valid transaction. -In <>, the script +2 3 OP_ADD 5 OP_EQUAL+ demonstrates the arithmetic addition operator +OP_ADD+, adding two numbers and putting the result on the stack, followed by the conditional operator +OP_EQUAL+, which checks that the resulting sum is equal to +5+. For brevity, the +OP_+ prefix is omitted in the step-by-step example. +In <>, the script +2 3 OP_ADD 5 OP_EQUAL+ demonstrates the arithmetic addition operator +OP_ADD+, adding two numbers and putting the result on the stack, followed by the conditional operator +OP_EQUAL+, which checks that the resulting sum is equal to +5+. For brevity, the +OP_+ prefix is omitted in the step-by-step example. The following is a slightly more complex script, which calculates ++2 + 7 – 3 + 1++. Notice that when the script contains several operators in a row, the stack allows the results of one operator to be acted upon by the next operator: @@ -331,10 +295,32 @@ image::images/msbt_0502.png["TxScriptSimpleMathExample"] Transactions are valid if the top result on the stack is TRUE (noted as ++{0x01}++), any other non-zero value or if the stack is empty after script execution. Transactions are invalid if the top value on the stack is FALSE (a zero-length empty value, noted as ++{}++) or if script execution is halted explicitly by an operator, such as OP_VERIFY, OP_RETURN, or a conditional terminator such as OP_ENDIF. See <> for details. ==== +==== Transaction Data Structure + +((("transactions","structure of")))A transaction is a((("data structure"))) _data structure_ that encodes a transfer of value from a source of funds, called an((("inputs, defined"))) _input_, to a destination, called an((("outputs, defined"))) _output_. Transaction inputs and outputs are not related to accounts or identities. Instead, you should think of them as bitcoin amounts—chunks of bitcoin—being locked with a specific secret that only the owner, or person who knows the secret, can unlock. A transaction contains a number of fields, as shown in <>. + +[[tx_data_structure]] +.The structure of a transaction +[options="header"] +|======= +|Size| Field | Description +| 4 bytes | Version | Specifies which rules this transaction follows +| 1–9 bytes (VarInt) | Input Counter | How many inputs are included +| Variable | Inputs | One or more transaction inputs +| 1–9 bytes (VarInt) | Output Counter | How many outputs are included +| Variable | Outputs | One or more transaction outputs +| 4 bytes | Locktime | A Unix timestamp or block number +|======= + +.Transaction Locktime +**** +((("locktime")))((("transactions","locktime")))Locktime, also known as nLockTime from the variable name used in the reference client, defines the earliest time that a transaction is valid and can be relayed on the network or added to the blockchain. It is set to zero in most transactions to indicate immediate propagation and execution. If locktime is nonzero and below 500 million, it is interpreted as a block height, meaning the transaction is not valid and is not relayed or included in the blockchain prior to the specified block height. If it is above 500 million, it is interpreted as a Unix Epoch timestamp (seconds since Jan-1-1970) and the transaction is not valid prior to the specified time. Transactions with locktime specifying a future block or time must be held by the originating system and transmitted to the bitcoin network only after they become valid. The use of locktime is equivalent to postdating a paper check. +**** + ==== Turing Incompleteness -((("Script language","flow-control/loops in")))((("Script language","statelessness of")))((("Turing Complete")))The bitcoin transaction script language contains many operators, but is deliberately limited in one important way—there are no loops or complex flow control capabilities other than conditional flow control. This ensures that the language is not _Turing Complete_, meaning that scripts have limited complexity and predictable execution times. Script is not a general-purpose language. These limitations ensure that the language cannot be used to create an infinite loop or other form of "logic bomb" that could be embedded in a transaction in a way that causes a((("denial-of-service attack","Script language and"))) denial-of-service attack against the bitcoin network. Remember, every transaction is validated by every full node on the bitcoin network. A limited language prevents the transaction validation mechanism from being used as a vulnerability. +((("Script language","flow-control/loops in")))((("Script language","statelessness of")))((("Turing Complete")))The bitcoin transaction script language contains many operators, but is deliberately limited in one important way—there are no loops or complex flow control capabilities other than conditional flow control. This ensures that the language is not _Turing Complete_, meaning that scripts have limited complexity and predictable execution times. Script is not a general-purpose language. These limitations ensure that the language cannot be used to create an infinite loop or other form of "logic bomb" that could be embedded in a transaction in a way that causes a((("denial-of-service attack","Script language and"))) denial-of-service attack against the bitcoin network. Remember, every transaction is validated by every full node on the bitcoin network. A limited language prevents the transaction validation mechanism from being used as a vulnerability. ==== Stateless Verification @@ -343,16 +329,16 @@ Transactions are valid if the top result on the stack is TRUE (noted as ++{ [[std_tx]] === Standard Transactions -In the first few years of bitcoin's development, the developers introduced some limitations in the types of scripts that could be processed by the reference client. These limitations are encoded in a function called +isStandard()+, which defines five types of "standard" transactions. These limitations are temporary and might be lifted by the time you read this. Until then, the five standard types of transaction scripts are the only ones that will be accepted by the reference client and most miners who run the reference client. Although it is possible to create a nonstandard transaction containing a script that is not one of the standard types, you must find a miner who does not follow these limitations to mine that transaction into a block. +In the first few years of bitcoin's development, the developers introduced some limitations in the types of scripts that could be processed by the reference client. These limitations are encoded in a function called +isStandard()+, which defines five types of "standard" transactions. These limitations are temporary and might be lifted by the time you read this. Until then, the five standard types of transaction scripts are the only ones that will be accepted by the reference client and most miners who run the reference client. Although it is possible to create a nonstandard transaction containing a script that is not one of the standard types, you must find a miner who does not follow these limitations to mine that transaction into a block. -Check the source code of the Bitcoin Core client (the reference implementation) to see what is currently allowed as a valid transaction script. +Check the source code of the Bitcoin Core client (the reference implementation) to see what is currently allowed as a valid transaction script. The five standard types of transaction scripts are pay-to-public-key-hash (P2PKH), public-key, multi-signature (limited to 15 keys), pay-to-script-hash (P2SH), and data output (OP_RETURN), which are described in more detail in the following sections. [[p2pkh]] ==== Pay-to-Public-Key-Hash (P2PKH) -((("pay-to-public-key-hash (P2PKH)", id="ix_ch06-asciidoc15", range="startofrange")))((("transactions","pay-to-public-key-hash", id="ix_ch06-asciidoc16", range="startofrange")))The vast majority of transactions processed on the bitcoin network are P2PKH transactions. These contain a locking script that encumbers the output with a public key hash, more commonly known as a bitcoin address. Transactions that pay a bitcoin address contain P2PKH scripts. An output locked by a P2PKH script can be unlocked (spent) by presenting a public key and a digital signature created by the corresponding private key. +((("pay-to-public-key-hash (P2PKH)", id="ix_ch06-asciidoc15", range="startofrange")))((("transactions","pay-to-public-key-hash", id="ix_ch06-asciidoc16", range="startofrange")))The vast majority of transactions processed on the bitcoin network are P2PKH transactions. These contain a locking script that encumbers the output with a public key hash, more commonly known as a bitcoin address. Transactions that pay a bitcoin address contain P2PKH scripts. An output locked by a P2PKH script can be unlocked (spent) by presenting a public key and a digital signature created by the corresponding private key. For example, let's look at Alice's payment to Bob's Cafe again. Alice made a payment of 0.015 bitcoin to the cafe's bitcoin address. That transaction output would have a locking script of the form: @@ -360,7 +346,7 @@ For example, let's look at Alice's payment to Bob's Cafe again. Alice made a pay OP_DUP OP_HASH160 OP_EQUAL OP_CHECKSIG ---- -The +Cafe Public Key Hash+ is equivalent to the bitcoin address of the cafe, without the Base58Check encoding. Most applications would show the _public key hash_ in hexadecimal encoding and not the familiar bitcoin address Base58Check format that begins with a "1". +The +Cafe Public Key Hash+ is equivalent to the bitcoin address of the cafe, without the Base58Check encoding. Most applications would show the _public key hash_ in hexadecimal encoding and not the familiar bitcoin address Base58Check format that begins with a "1". The preceding locking script can be satisfied with an unlocking script of the form: @@ -371,11 +357,11 @@ The preceding locking script can be satisfied with an unlocking script of the fo The two scripts together would form the following combined validation script: ---- - OP_DUP OP_HASH160 + OP_DUP OP_HASH160 OP_EQUAL OP_CHECKSIG ---- -When executed, this combined script will evaluate to TRUE if, and only if, the unlocking script matches the conditions set by the locking script. In other words, the result will be TRUE if the unlocking script has a valid signature from the cafe's private key that corresponds to the public key hash set as an encumbrance. +When executed, this combined script will evaluate to TRUE if, and only if, the unlocking script matches the conditions set by the locking script. In other words, the result will be TRUE if the unlocking script has a valid signature from the cafe's private key that corresponds to the public key hash set as an encumbrance. Figures pass:[#P2PubKHash1] and pass:[#P2PubKHash2] show (in two parts) a step-by-step execution of the combined script, which will prove this is a valid transaction.(((range="endofrange", startref="ix_ch06-asciidoc16")))(((range="endofrange", startref="ix_ch06-asciidoc15"))) @@ -387,10 +373,10 @@ image::images/msbt_0503.png["Tx_Script_P2PubKeyHash_1"] .Evaluating a script for a P2PKH transaction (Part 2 of 2) image::images/msbt_0504.png["Tx_Script_P2PubKeyHash_2"] -[[p2pk]] +[[p2pk]] ==== Pay-to-Public-Key -((("pay-to-public-key")))Pay-to-public-key is a simpler form of a bitcoin payment than pay-to-public-key-hash. With this script form, the public key itself is stored in the locking script, rather than a public-key-hash as with P2PKH earlier, which is much shorter. Pay-to-public-key-hash was invented by Satoshi to make bitcoin addresses shorter, for ease of use. Pay-to-public-key is now most often seen in coinbase transactions, generated by older mining software that has not been updated to use P2PKH. +((("pay-to-public-key")))Pay-to-public-key is a simpler form of a bitcoin payment than pay-to-public-key-hash. With this script form, the public key itself is stored in the locking script, rather than a public-key-hash as with P2PKH earlier, which is much shorter. Pay-to-public-key-hash was invented by Satoshi to make bitcoin addresses shorter, for ease of use. Pay-to-public-key is now most often seen in coinbase transactions, generated by older mining software that has not been updated to use P2PKH. A pay-to-public-key locking script looks like this: @@ -415,7 +401,7 @@ This script is a simple invocation of the +CHECKSIG+ operator, which validates t [[multisig]] ==== Multi-Signature -((("multi-signature scripts")))((("transactions","multi-signature scripts")))Multi-signature scripts set a condition where N public keys are recorded in the script and at least M of those must provide signatures to release the encumbrance. This is also known as an M-of-N scheme, where N is the total number of keys and M is the threshold of signatures required for validation. For example, a 2-of-3 multi-signature is one where three public keys are listed as potential signers and at least two of those must be used to create signatures for a valid transaction to spend the funds. ((("multi-signature scripts","limits on")))At this time, standard multi-signature scripts are limited to at most 15 listed public keys, meaning you can do anything from a 1-of-1 to a 15-of-15 multi-signature or any combination within that range. The limitation to 15 listed keys might be lifted by the time this book is published, so check the((("isStandard() function"))) +isStandard()+ function to see what is currently accepted by the network. +((("multi-signature scripts")))((("transactions","multi-signature scripts")))Multi-signature scripts set a condition where N public keys are recorded in the script and at least M of those must provide signatures to release the encumbrance. This is also known as an M-of-N scheme, where N is the total number of keys and M is the threshold of signatures required for validation. For example, a 2-of-3 multi-signature is one where three public keys are listed as potential signers and at least two of those must be used to create signatures for a valid transaction to spend the funds. ((("multi-signature scripts","limits on")))At this time, standard multi-signature scripts are limited to at most 15 listed public keys, meaning you can do anything from a 1-of-1 to a 15-of-15 multi-signature or any combination within that range. The limitation to 15 listed keys might be lifted by the time this book is published, so check the((("isStandard() function"))) +isStandard()+ function to see what is currently accepted by the network. The general form of a locking script setting an M-of-N multi-signature condition is: @@ -424,7 +410,7 @@ M ... N OP_CHECKMULTISIG ---- where N is the total number of listed public keys and M is the threshold of required signatures to spend the output. - + A locking script setting a 2-of-3 multi-signature condition looks like this: ---- @@ -436,10 +422,10 @@ The preceding locking script can be satisfied with an unlocking script containin ---- OP_0 ---- -or any combination of two signatures from the private keys corresponding to the three listed public keys. +or any combination of two signatures from the private keys corresponding to the three listed public keys. [NOTE] -==== +==== ((("CHECKMULTISIG implementation")))The prefix +OP_0+ is required because of a bug in the original implementation of +CHECKMULTISIG+ where one item too many is popped off the stack. It is ignored by +CHECKMULTISIG+ and is simply a placeholder. ==== @@ -449,7 +435,7 @@ The two scripts together would form the combined validation script: OP_0 2 3 OP_CHECKMULTISIG ---- -When executed, this combined script will evaluate to TRUE if, and only if, the unlocking script matches the conditions set by the locking script. In this case, the condition is whether the unlocking script has a valid signature from the two private keys that correspond to two of the three public keys set as an encumbrance. +When executed, this combined script will evaluate to TRUE if, and only if, the unlocking script matches the conditions set by the locking script. In this case, the condition is whether the unlocking script has a valid signature from the two private keys that correspond to two of the three public keys set as an encumbrance. [[op_return]] ==== Data Output (OP_RETURN) @@ -458,7 +444,7 @@ When executed, this combined script will evaluate to TRUE if, and only if, the u ((("blockchains","storing unrelated information in")))The use of bitcoin's blockchain to store data unrelated to bitcoin payments is a controversial subject. Many developers consider such use abusive and want to discourage it. Others view it as a demonstration of the powerful capabilities of blockchain technology and want to encourage such experimentation. Those who object to the inclusion of non-payment data argue that it causes "blockchain bloat," burdening those running full bitcoin nodes with carrying the cost of disk storage for data that the blockchain was not intended to carry. Moreover, such transactions create UTXO that cannot be spent, using the destination bitcoin address as a free-form 20-byte field. Because the address is used for data, it doesn't correspond to a private key and the resulting UTXO can _never_ be spent; it's a fake payment. These transactions that can never be spent are therefore never removed from the UTXO set and cause the size of the UTXO database to forever increase, or "bloat." -In version 0.9 of the Bitcoin Core client, a compromise was reached with the introduction of the +OP_RETURN+ operator. +OP_RETURN+ allows developers to add 80 bytes of nonpayment data to a transaction output. However, unlike the use of "fake" UTXO, the +OP_RETURN+ operator creates an explicitly _provably unspendable_ output, which does not need to be stored in the UTXO set. +OP_RETURN+ outputs are recorded on the blockchain, so they consume disk space and contribute to the increase in the blockchain's size, but they are not stored in the UTXO set and therefore do not bloat the UTXO memory pool and burden full nodes with the cost of more expensive RAM. +In version 0.9 of the Bitcoin Core client, a compromise was reached with the introduction of the +OP_RETURN+ operator. +OP_RETURN+ allows developers to add 80 bytes of nonpayment data to a transaction output. However, unlike the use of "fake" UTXO, the +OP_RETURN+ operator creates an explicitly _provably unspendable_ output, which does not need to be stored in the UTXO set. +OP_RETURN+ outputs are recorded on the blockchain, so they consume disk space and contribute to the increase in the blockchain's size, but they are not stored in the UTXO set and therefore do not bloat the UTXO memory pool and burden full nodes with the cost of more expensive RAM. +OP_RETURN+ scripts look like this: @@ -468,9 +454,9 @@ OP_RETURN The data portion is limited to 80 bytes and most often represents a hash, such as the output from the SHA256 algorithm (32 bytes). Many applications put a prefix in front of the data to help identify the application. For example, the http://proofofexistence.com[Proof of Existence] digital notarization service uses the 8-byte prefix +DOCPROOF+, which is ASCII encoded as +44 4f 43 50 52 4f 4f 46+ in hexadecimal. -Keep in mind that there is no "unlocking script" that corresponds to +OP_RETURN+ that could possibly be used to "spend" an +OP_RETURN+ output. The whole point of +OP_RETURN+ is that you can't spend the money locked in that output, and therefore it does not need to be held in the UTXO set as potentially spendable—+OP_RETURN+ is _provably un-spendable_. +OP_RETURN+ is usually an output with a zero bitcoin amount, because any bitcoin assigned to such an output is effectively lost forever. If an +OP_RETURN+ is encountered by the script validation software, it results immediately in halting the execution of the validation script and marking the transaction as invalid. Thus, if you accidentally reference an +OP_RETURN+ output as an input in a transaction, that transaction is invalid. +Keep in mind that there is no "unlocking script" that corresponds to +OP_RETURN+ that could possibly be used to "spend" an +OP_RETURN+ output. The whole point of +OP_RETURN+ is that you can't spend the money locked in that output, and therefore it does not need to be held in the UTXO set as potentially spendable—+OP_RETURN+ is _provably un-spendable_. +OP_RETURN+ is usually an output with a zero bitcoin amount, because any bitcoin assigned to such an output is effectively lost forever. If an +OP_RETURN+ is encountered by the script validation software, it results immediately in halting the execution of the validation script and marking the transaction as invalid. Thus, if you accidentally reference an +OP_RETURN+ output as an input in a transaction, that transaction is invalid. -A standard transaction (one that conforms to the +isStandard()+ checks) can have only one +OP_RETURN+ output. However, a single +OP_RETURN+ output can be combined in a transaction with outputs of any other type. +A standard transaction (one that conforms to the +isStandard()+ checks) can have only one +OP_RETURN+ output. However, a single +OP_RETURN+ output can be combined in a transaction with outputs of any other type. Two new command-line options have been added in Bitcoin Core as of version 0.10. The option +datacarrier+ controls relay and mining of OP_RETURN transactions, with the default set to "1" to allow them. The option +datacarriersize+ takes a numeric argument specifying the maximum size in bytes of the OP_RETURN data, 40 bytes by default. @@ -484,7 +470,7 @@ OP_RETURN was initially proposed with a limit of 80 bytes, but the limit was red ((("multi-signature scripts","P2SH and", id="ix_ch06-asciidoc17", range="startofrange")))((("Pay-to-script-hash (P2SH)", id="ix_ch06-asciidoc18", range="startofrange")))((("transactions","Pay-to-script-hash", id="ix_ch06-asciidoc19", range="startofrange")))Pay-to-script-hash (P2SH) was introduced in 2012 as a powerful new type of transaction that greatly simplifies the use of complex transaction scripts. To explain the need for P2SH, let's look at a practical example. -In <> we introduced Mohammed, an electronics importer based in Dubai. Mohammed's company uses bitcoin's multi-signature feature extensively for its corporate accounts. Multi-signature scripts are one of the most common uses of bitcoin's advanced scripting capabilities and are a very powerful feature. Mohammed's company uses a multi-signature script for all customer payments, known in accounting terms as "accounts receivable," or AR. With the multi-signature scheme, any payments made by customers are locked in such a way that they require at least two signatures to release, from Mohammed and one of his partners or from his attorney who has a backup key. A multi-signature scheme like that offers corporate governance controls and protects against theft, embezzlement, or loss. +In <> we introduced Mohammed, an electronics importer based in Dubai. Mohammed's company uses bitcoin's multi-signature feature extensively for its corporate accounts. Multi-signature scripts are one of the most common uses of bitcoin's advanced scripting capabilities and are a very powerful feature. Mohammed's company uses a multi-signature script for all customer payments, known in accounting terms as "accounts receivable," or AR. With the multi-signature scheme, any payments made by customers are locked in such a way that they require at least two signatures to release, from Mohammed and one of his partners or from his attorney who has a backup key. A multi-signature scheme like that offers corporate governance controls and protects against theft, embezzlement, or loss. The resulting script is quite long and looks like this: @@ -492,10 +478,10 @@ The resulting script is quite long and looks like this: 2 5 OP_CHECKMULTISIG ---- - -Although multi-signature scripts are a powerful feature, they are cumbersome to use. Given the preceding script, Mohammed would have to communicate this script to every customer prior to payment. Each customer would have to use special bitcoin wallet software with the ability to create custom transaction scripts, and each customer would have to understand how to create a transaction using custom scripts. Furthermore, the resulting transaction would be about five times larger than a simple payment transaction, because this script contains very long public keys. The burden of that extra-large transaction would be borne by the customer in the form of fees. Finally, a large transaction script like this would be carried in the UTXO set in RAM in every full node, until it was spent. All of these issues make using complex output scripts difficult in practice. -Pay-to-script-hash (P2SH) was developed to resolve these practical difficulties and to make the use of complex scripts as easy as a payment to a bitcoin address. With P2SH payments, the complex locking script is replaced with its digital fingerprint, a cryptographic hash. When a transaction attempting to spend the UTXO is presented later, it must contain the script that matches the hash, in addition to the unlocking script. In simple terms, P2SH means "pay to a script matching this hash, a script that will be presented later when this output is spent." +Although multi-signature scripts are a powerful feature, they are cumbersome to use. Given the preceding script, Mohammed would have to communicate this script to every customer prior to payment. Each customer would have to use special bitcoin wallet software with the ability to create custom transaction scripts, and each customer would have to understand how to create a transaction using custom scripts. Furthermore, the resulting transaction would be about five times larger than a simple payment transaction, because this script contains very long public keys. The burden of that extra-large transaction would be borne by the customer in the form of fees. Finally, a large transaction script like this would be carried in the UTXO set in RAM in every full node, until it was spent. All of these issues make using complex output scripts difficult in practice. + +Pay-to-script-hash (P2SH) was developed to resolve these practical difficulties and to make the use of complex scripts as easy as a payment to a bitcoin address. With P2SH payments, the complex locking script is replaced with its digital fingerprint, a cryptographic hash. When a transaction attempting to spend the UTXO is presented later, it must contain the script that matches the hash, in addition to the unlocking script. In simple terms, P2SH means "pay to a script matching this hash, a script that will be presented later when this output is spent." In P2SH transactions, the locking script that is replaced by a hash is referred to as the((("redeem script"))) _redeem script_ because it is presented to the system at redemption time rather than as a locking script. <> shows the script without P2SH and <> shows the same script encoded with P2SH. @@ -503,7 +489,7 @@ In P2SH transactions, the locking script that is replaced by a hash is referred .Complex script without P2SH |======= | Locking Script | 2 PubKey1 PubKey2 PubKey3 PubKey4 PubKey5 5 OP_CHECKMULTISIG -| Unlocking Script | Sig1 Sig2 +| Unlocking Script | Sig1 Sig2 |======= [[with_p2sh]] @@ -511,12 +497,12 @@ In P2SH transactions, the locking script that is replaced by a hash is referred |======= | Redeem Script | 2 PubKey1 PubKey2 PubKey3 PubKey4 PubKey5 5 OP_CHECKMULTISIG | Locking Script | OP_HASH160 <20-byte hash of redeem script> OP_EQUAL -| Unlocking Script | Sig1 Sig2 redeem script +| Unlocking Script | Sig1 Sig2 redeem script |======= -As you can see from the tables, with P2SH the complex script that details the conditions for spending the output (redeem script) is not presented in the locking script. Instead, only a hash of it is in the locking script and the redeem script itself is presented later, as part of the unlocking script when the output is spent. This shifts the burden in fees and complexity from the sender to the recipient (spender) of the transaction. +As you can see from the tables, with P2SH the complex script that details the conditions for spending the output (redeem script) is not presented in the locking script. Instead, only a hash of it is in the locking script and the redeem script itself is presented later, as part of the unlocking script when the output is spent. This shifts the burden in fees and complexity from the sender to the recipient (spender) of the transaction. -Let's look at Mohammed's company, the complex multi-signature script, and the resulting P2SH scripts. +Let's look at Mohammed's company, the complex multi-signature script, and the resulting P2SH scripts. First, the multi-signature script that Mohammed's company uses for all incoming payments from customers: @@ -527,7 +513,7 @@ First, the multi-signature script that Mohammed's company uses for all incoming If the placeholders are replaced by actual public keys (shown here as 520-bit numbers starting with 04) you can see that this script becomes very long: ---- -2 +2 04C16B8698A9ABF84250A7C3EA7EEDEF9897D1C8C6ADF47F06CF73370D74DCCA01CDCA79DCC5C395D7EEC6984D83F1F50C900A24DD47F569FD4193AF5DE762C58704A2192968D8655D6A935BEAF2CA23E3FB87A3495E7AF308EDF08DAC3C1FCBFC2C75B4B0F4D0B1B70CD2423657738C0C2B1D5CE65C97D78D0E34224858008E8B49047E63248B75DB7379BE9CDA8CE5751D16485F431E46117B9D0C1837C9D5737812F393DA7D4420D7E1A9162F0279CFC10F1E8E8F3020DECDBC3C0DD389D99779650421D65CBD7149B255382ED7F78E946580657EE6FDA162A187543A9D85BAAA93A4AB3A8F044DADA618D087227440645ABE8A35DA8C5B73997AD343BE5C2AFD94A5043752580AFA1ECED3C68D446BCAB69AC0BA7DF50D56231BE0AABF1FDEEC78A6A45E394BA29A1EDF518C022DD618DA774D207D137AAB59E0B000EB7ED238F4D800 5 OP_CHECKMULTISIG ---- @@ -561,11 +547,11 @@ If the redeem script hash matches, the unlocking script is executed on its own, ===== Pay-to-script-hash addresses -((("addresses, bitcoin","Pay-to-Script-Hash (P2SH)")))((("Pay-to-script-hash (P2SH)","addresses")))Another important part of the P2SH feature is the ability to encode a script hash as an address, as defined in BIP-13. P2SH addresses are Base58Check encodings of the 20-byte hash of a script, just like bitcoin addresses are Base58Check encodings of the 20-byte hash of a public key. P2SH addresses use the version prefix "5", which results in Base58Check-encoded addresses that start with a "3". For example, Mohammed's complex script, hashed and Base58Check-encoded as a P2SH address becomes +39RF6JqABiHdYHkfChV6USGMe6Nsr66Gzw+. Now, Mohammed can give this "address" to his customers and they can use almost any bitcoin wallet to make a simple payment, as if it were a bitcoin address. The 3 prefix gives them a hint that this is a special type of address, one corresponding to a script instead of a public key, but otherwise it works in exactly the same way as a payment to a bitcoin address. +((("addresses, bitcoin","Pay-to-Script-Hash (P2SH)")))((("Pay-to-script-hash (P2SH)","addresses")))Another important part of the P2SH feature is the ability to encode a script hash as an address, as defined in BIP-13. P2SH addresses are Base58Check encodings of the 20-byte hash of a script, just like bitcoin addresses are Base58Check encodings of the 20-byte hash of a public key. P2SH addresses use the version prefix "5", which results in Base58Check-encoded addresses that start with a "3". For example, Mohammed's complex script, hashed and Base58Check-encoded as a P2SH address becomes +39RF6JqABiHdYHkfChV6USGMe6Nsr66Gzw+. Now, Mohammed can give this "address" to his customers and they can use almost any bitcoin wallet to make a simple payment, as if it were a bitcoin address. The 3 prefix gives them a hint that this is a special type of address, one corresponding to a script instead of a public key, but otherwise it works in exactly the same way as a payment to a bitcoin address. -P2SH addresses hide all of the complexity, so that the person making a payment does not see the script. +P2SH addresses hide all of the complexity, so that the person making a payment does not see the script. -===== Benefits of pay-to-script-hash +===== Benefits of pay-to-script-hash ((("Pay-to-script-hash (P2SH)","benefits of")))The pay-to-script-hash feature offers the following benefits compared to the direct use of complex scripts in locking outputs: @@ -580,14 +566,14 @@ P2SH addresses hide all of the complexity, so that the person making a payment d ((("pay-to-script-hash (P2SH)","isStandard validation")))((("pay-to-script-hash (P2SH)","redeem script for")))Prior to version 0.9.2 of the Bitcoin Core client, pay-to-script-hash was limited to the standard types of bitcoin transaction scripts, by the +isStandard()+ function. That means that the redeem script presented in the spending transaction could only be one of the standard types: P2PK, P2PKH, or multi-sig nature, excluding +OP_RETURN+ and P2SH itself. -As of version 0.9.2 of the Bitcoin Core client, P2SH transactions can contain any valid script, making the P2SH standard much more flexible and allowing for experimentation with many novel and complex types of transactions. +As of version 0.9.2 of the Bitcoin Core client, P2SH transactions can contain any valid script, making the P2SH standard much more flexible and allowing for experimentation with many novel and complex types of transactions. Note that you are not able to put a P2SH inside a P2SH redeem script, because the P2SH specification is not recursive. You are also still not able to use +OP_RETURN+ in a redeem script because +OP_RETURN+ cannot be redeemed by definition. -Note that because the redeem script is not presented to the network until you attempt to spend a P2SH output, if you lock an output with the hash of an invalid transaction it will be processed regardless. However, you will not be able to spend it because the spending transaction, which includes the redeem script, will not be accepted because it is an invalid script. This creates a risk, because you can lock bitcoin in a P2SH that cannot be spent later. The network will accept the P2SH encumbrance even if it corresponds to an invalid redeem script, because the script hash gives no indication of the script it represents. [WARNING] ==== -((("Pay-to-Script-Hash (P2SH)","locking scripts")))P2SH locking scripts contain the hash of a redeem script, which gives no clues as to the content of the redeem script itself. The P2SH transaction will be considered valid and accepted even if the redeem script is invalid. You might accidentally lock bitcoin in such a way that it cannot later be spent.(((range="endofrange", startref="ix_ch06-asciidoc19")))(((range="endofrange", startref="ix_ch06-asciidoc18")))(((range="endofrange", startref="ix_ch06-asciidoc17")))(((range="endofrange", startref="ix_ch06-asciidoc0"))) +((("Pay-to-Script-Hash (P2SH)","locking scripts")))P2SH locking scripts contain the hash of a redeem script, which gives no clues as to the content of the redeem script itself. The P2SH transaction will be considered valid and accepted even if the redeem script is invalid. You might accidentally lock bitcoin in such a way that it cannot later be spent.(((range="endofrange", startref="ix_ch06-asciidoc19")))(((range="endofrange", startref="ix_ch06-asciidoc18")))(((range="endofrange", startref="ix_ch06-asciidoc17")))(((range="endofrange", startref="ix_ch06-asciidoc0"))) ==== +Note that because the redeem script is not presented to the network until you attempt to spend a P2SH output, if you lock an output with the hash of an invalid transaction it will be processed regardless. However, you will not be able to spend it because the spending transaction, which includes the redeem script, will not be accepted because it is an invalid script. This creates a risk, because you can lock bitcoin in a P2SH that cannot be spent later. The network will accept the P2SH encumbrance even if it corresponds to an invalid redeem script, because the script hash gives no indication of the script it represents. From c5f1a3cd899b5ea9f07d46a47c09037a379cedb5 Mon Sep 17 00:00:00 2001 From: "Andreas M. Antonopoulos" Date: Sat, 26 Nov 2016 11:12:58 -0300 Subject: [PATCH 14/24] rewriteoutputs and inputs, reorg flow --- ch06.asciidoc | 161 +++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 140 insertions(+), 21 deletions(-) diff --git a/ch06.asciidoc b/ch06.asciidoc index 299569ce..e74512ef 100644 --- a/ch06.asciidoc +++ b/ch06.asciidoc @@ -25,6 +25,8 @@ Behind the scenes, an actual transaction looks very different from a transaction We can use Bitcoin Core's command-line interface (+getrawtransaction+ and +decoderawtransaction+) to retrieve Alice's "raw" transaction, decode it and see what it contains. The result looks like this: +[[alice_tx]] +.Alice's transaction decoded [source,json] ---- { @@ -58,15 +60,15 @@ You may also notice a lot of strange and indecipherable fields and hexadecimal s [[tx_inputs_outputs]] === Transaction Outputs and Inputs -((("transactions","unspent transaction output (UTXO)")))((("unspent transaction output (UTXO)")))The fundamental building block of a bitcoin transaction is a _transaction output_. Transaction outputs are indivisible chunks of bitcoin currency, recorded on the blockchain, and recognized as valid by the entire network. Bitcoin full nodes track all available and spendable outputs, known as _Unspent Transaction Outputs_ or _UTXO_. The collection of all UTXO is known as the UTXO Set and currently numbers in the millions of UTXO. +((("transactions","unspent transaction output (UTXO)")))((("unspent transaction output (UTXO)")))The fundamental building block of a bitcoin transaction is a _transaction output_. Transaction outputs are indivisible chunks of bitcoin currency, recorded on the blockchain, and recognized as valid by the entire network. Bitcoin full nodes track all available and spendable outputs, known as _Unspent Transaction Outputs_ or _UTXO_. The collection of all UTXO is known as the _UTXO set_ and currently numbers in the millions of UTXO. The UTXO set grows as new UTXO is created and shrinks when UTXO is consumed. Every transaction represents a change (state transition) in the UTXO set. When we say that a user's wallet has "received" bitcoin, what we mean is that the wallet has detected an unspent transaction output (UTXO) which can be spent with one of the keys controlled by that wallet. Thus, a user's bitcoin "balance" is the sum of all UTXO that user's wallet can spend and which may be scattered amongst hundreds of transactions and hundreds of blocks. The concept of a balance is a derived construct created by the wallet application. The wallet calculates the user's balance by scanning the blockchain and aggregating the value of any UTXO that the wallet can spend with the keys it controls. A transaction output can have an arbitrary value denominated as a multiple of((("satoshis"))) satoshis. Just like dollars can be divided down to two decimal places as cents, bitcoins can be divided down to eight decimal places as satoshis. Although an output can have any arbitrary value, once created it is indivisible. This is an important characteristic of outputs that needs to be emphasized: outputs are *discreet* and *indivisible* units of value, denominated in satoshis. An unspent output can only be consumed in its entirety by a transaction. -If an unspent transaction output is larger than the desired value of a transaction, it must still be consumed in its entirety and change must be generated in the transaction. ((("change, making")))In other words, if you have a UTXO worth 20 bitcoin and want to pay only 1 bitcoin, your transaction must consume the entire 20-bitcoin UTXO and produce two outputs: one paying 1 bitcoin to your desired recipient and another paying 19 bitcoin in change back to your wallet. As a result of the indivisibe nature of transaction outputs, most bitcoin transactions will have to generate change. +If an unspent transaction output is larger than the desired value of a transaction, it must still be consumed in its entirety and change must be generated in the transaction. ((("change, making")))In other words, if you have a UTXO worth 20 bitcoin and want to pay only 1 bitcoin, your transaction must consume the entire 20-bitcoin UTXO and produce two outputs: one paying 1 bitcoin to your desired recipient and another paying 19 bitcoin in change back to your wallet. As a result of the indivisible nature of transaction outputs, most bitcoin transactions will have to generate change. -Imagine a shopper buying a $1.50 beverage, reaching into her wallet and trying to find a combination of coins and bank notes to cover the $1.50 cost. The shopper will choose exact change if available (a dollar bill and two quarters), or a combination of smaller denominations (six quarters), or if necessary, a larger unit such as a five dollar bank note. If she hands too much money, say $5, to the shop owner, she will expect $3.50 change, which she will return to her wallet and have available for future transactions. +Imagine a shopper buying a $1.50 beverage, reaching into her wallet and trying to find a combination of coins and bank notes to cover the $1.50 cost. The shopper will choose exact change if available (for example, a dollar bill and two quarters), or a combination of smaller denominations (six quarters), or if necessary, a larger unit such as a five dollar bank note. If she hands too much money, say $5, to the shop owner, she will expect $3.50 change, which she will return to her wallet and have available for future transactions. Similarly, a bitcoin transaction must be created from a user's UTXO in whatever denominations that user has available. Users cannot cut a UTXO in half any more than they can cut a dollar bill in half and use it as currency. The user's wallet application will typically select from the user's available UTXO to compose an amount greater than or equal to the desired transaction amount. @@ -81,14 +83,12 @@ The exception to the output and input chain is a special type of transaction cal What comes first? Inputs or outputs, the chicken or the egg? Strictly speaking, outputs come first because coinbase transactions, which generate new bitcoin, have no inputs and create outputs from nothing. ==== -Since outputs come first, we will examine the - [[tx_outs]] ==== Transaction Outputs -((("bitcoin ledger, outputs in", id="ix_ch06-asciidoc2", range="startofrange")))((("transactions","outputs", id="ix_ch06-asciidoc3", range="startofrange")))((("unspent transaction output (UTXO)", id="ix_ch06-asciidoc4", range="startofrange")))Every bitcoin transaction creates outputs, which are recorded on the bitcoin ledger. Almost all of these outputs, with one exception (see <>) create spendable chunks of bitcoin called _unspent transaction outputs_ or UTXO, which are then recognized by the whole network and available for the owner to spend in a future transaction. Sending someone bitcoin is creating an unspent transaction output (UTXO) for them to spend. +((("bitcoin ledger, outputs in", id="ix_ch06-asciidoc2", range="startofrange")))((("transactions","outputs", id="ix_ch06-asciidoc3", range="startofrange")))((("unspent transaction output (UTXO)", id="ix_ch06-asciidoc4", range="startofrange")))Every bitcoin transaction creates outputs, which are recorded on the bitcoin ledger. Almost all of these outputs, with one exception (see <>) create spendable chunks of bitcoin called UTXO, which are then recognized by the whole network and available for the owner to spend in a future transaction. -UTXO are tracked by every full-node bitcoin client as a data set called the((("UTXO pool")))((("UTXO set"))) _UTXO set_ or _UTXO pool_, held in a database. New transactions consume (spend) one or more of these outputs from the UTXO set. +UTXO are tracked by every full-node bitcoin client in the UTXO set. New transactions consume (spend) one or more of these outputs from the UTXO set. Transaction outputs consist of two parts: @@ -99,14 +99,15 @@ The cryptographic puzzle, is also known as a ((("locking scripts"))) _locking sc The transaction scripting language, used in the locking script mentioned previously, is discussed in detail in <>. -Now, let's look at Alice's transaction and see if we can identify the outputs. In the JSON encoding, the outputs are in an array (list) named +vout+: +Now, let's look at Alice's transaction (shown previously in <>) and see if we can identify the outputs. In the JSON encoding, the outputs are in an array (list) named +vout+: [source,json] ---- "vout": [ { "value": 0.01500000, - "scriptPubKey": "OP_DUP OP_HASH160 ab68025513c3dbd2f7b92a94e0581f5d50f654e7 OP_EQUALVERIFY OP_CHECKSIG" + "scriptPubKey": "OP_DUP OP_HASH160 ab68025513c3dbd2f7b92a94e0581f5d50f654e7 OP_EQUALVERIFY + OP_CHECKSIG" }, { "value": 0.08450000, @@ -115,35 +116,103 @@ Now, let's look at Alice's transaction and see if we can identify the outputs. I ] ---- -As you can see, the transaction contains two outputs. Each output is defined by a value and a cryptographic puzzle. In the encoding shown by Bitcoin Core above, the value is shown in bitcoin. The second part of each output is the cryptographic puzzle that sets the conditions for spending. Bitcoin Core shows this as +scriptPubKey+ and shows us a human-readable representation of the script (see <>). +As you can see, the transaction contains two outputs. Each output is defined by a value and a cryptographic puzzle. In the encoding shown by Bitcoin Core above, the value is shown in bitcoin. The second part of each output is the cryptographic puzzle that sets the conditions for spending. Bitcoin Core shows this as +scriptPubKey+ and shows us a human-readable representation of the script. -When transactions are transmitted over the network or exchanged between applications, they are _serialized_ and represented as a byte-stream, with a standardized variable-length encoding for each of the fields in the transaction. The serialization format of a transaction output is show in <>: +The topic of locking and unlocking UTXO will be discussed later, in <>. The scripting language that is used for the script in +scriptPubKey+ is discussed in <>. Before we delve into those topics, we need to understand the overall structure of transaction inputs and outputs. + +When transactions are transmitted over the network or exchanged between applications, they are _serialized_. (((serialization)))Serialization is the process of converting the internal representation of a data structure into a format that can be transmitted one byte at a time, also known as a byte-stream. Serialization is most commonly used for encoding data structures for transmission over a network or for storage in a file. The serialization format of a transaction output is shown in <>: [[tx_out_structure]] -.The structure of a transaction output +.Transaction output serialization [options="header"] |======= |Size| Field | Description -| 8 bytes | Amount | Bitcoin value in satoshis (10^-8^ bitcoin) +| 8 bytes (little-endian) | Amount | Bitcoin value in satoshis (10^-8^ bitcoin) | 1-9 bytes (VarInt) | Locking-Script Size | Locking-Script length in bytes, to follow | Variable | Locking-Script | A script defining the conditions needed to spend the output |======= -==== Locking and Unlocking UTXO - Cryptographic Puzzles and Witnesses +The process of converting from the byte-stream representation of a transaction to whatever data structure (e.g. a transaction object) is used to store transactions internally in your program, is called _de-serialization_ or _transaction parsing_. (((de-serialization)))Most bitcoin libraries have functions for transaction serialization and de-serialization. +See if you can manually decode Alice's transaction from the serialized hexadecimal form, finding some of the elements we saw above. The section containing the two outputs is highlighted to help you: +==== ++0100000001186f9f998a5aa6f048e51dd8419a14d8a0f1a8a2836dd73+ ++4d2804fe65fa35779000000008b483045022100884d142d86652a3f47+ ++ba4746ec719bbfbd040a570b1deccbb6498c75c4ae24cb02204b9f039+ ++ff08df09cbe9f6addac960298cad530a863ea8f53982c09db8f6e3813+ ++01410484ecc0d46f1918b30928fa0e4ed99f16a0fb4fde0735e7ade84+ ++16ab9fe423cc5412336376789d172787ec3457eee41c04f4938de5cc1+ ++7b4a10fa336a8d752adfffffffff02+*+60e31600000000001976a914ab6+* +*+8025513c3dbd2f7b92a94e0581f5d50f654e788acd0ef800000000000+* +*+1976a9147f9b1a7fb68d60c536c2fd8aeaa53a8f3cc025a888ac+* ++00000000+ +==== + +Here are some hints: + +* There are two outputs in the highlighted section, each serialized as shown in the table <> +* The value of 0.15 bitcoin is 1,500,000 satoshis. That's +16 e3 60+ in hexadecimal. +* In the serialized transaction, the value +16 e3 60+ is encoded in little-endian (least-significant-byte-first) byte order, so it looks like +60 e3 16+ +* The +scriptPubKey+ length is 25 bytes, which is +19+ in hexadecimal [[tx_inputs]] ==== Transaction Inputs -((("transactions","inputs", id="ix_ch06-asciidoc5", range="startofrange")))In simple terms, transaction inputs are pointers to UTXO. They point to a specific UTXO by reference to the transaction hash and sequence number where the UTXO is recorded in the blockchain. To spend UTXO, a transaction input also includes unlocking scripts that satisfy the spending conditions set by the UTXO. The unlocking script is usually a signature proving ownership of the bitcoin address that is in the locking script. +((("transactions","inputs", id="ix_ch06-asciidoc5", range="startofrange")))In simple terms, transaction inputs are pointers to UTXO. They point to a specific UTXO by reference to the transaction hash and sequence number where the UTXO is recorded in the blockchain. To spend UTXO, a transaction input also includes an unlocking script, also known as a _witness_, that satisfies the spending conditions set by the UTXO locking script. Most often, the unlocking script is a digital signature and public key proving ownership of the bitcoin. However, not all unlocking scripts contain signatures. -When users make a payment, their wallet constructs a transaction by selecting from the available UTXO. For example, to make a 0.015 bitcoin payment, the wallet app may select a 0.01 UTXO and a 0.005 UTXO, using them both to add up to the desired payment amount. +Let's look back at our example in <>. The transaction inputs are an array (list) called +vin+: -Once the UTXO is selected, the wallet then produces unlocking scripts containing signatures for each of the UTXO, thereby making them spendable by satisfying their locking script conditions. The wallet adds these UTXO references and unlocking scripts as inputs to the transaction. <> shows the structure of a transaction input. +[[vin]] +.The transaction inputs in Alice's transaction +[source,json] +---- +"vin": [ + { + "txid": "7957a35fe64f80d234d76d83a2a8f1a0d8149a41d81de548f0a65a8a999f6f18", + "vout": 0, + "scriptSig" : "3045022100884d142d86652a3f47ba4746ec719bbfbd040a570b1deccbb6498c75c4ae24cb02204b9f039ff08df09cbe9f6addac960298cad530a863ea8f53982c09db8f6e3813[ALL] 0484ecc0d46f1918b30928fa0e4ed99f16a0fb4fde0735e7ade8416ab9fe423cc5412336376789d172787ec3457eee41c04f4938de5cc17b4a10fa336a8d752adf", + "sequence": 4294967295 + } +] +---- + +As you can see, there is only one input in the list. It contains four elements: + +* A transaction ID, referencing the transaction which contains the UTXO being spent +* An output index (+vout+), identifying which UTXO from that transaction is referenced (first one is zero) +* A scriptSig, which satisfies the conditions placed on the UTXO, unlocking it for spending +* A sequence number (to be discussed later) + +The transaction ID and output index, together uniquely identify a previously created UTXO, by reference (transaction ID) to the transaction that contains it and an index number, which starts at zero. In Alice's transaction, the input points to transaction ID +7957a35fe64f80d234d76d83a2a8f1a0d8149a41d81de548f0a65a8a999f6f18+ and output index +0+ (ie. the first UTXO created by that transaction). + +At this point you may have noticed that we don't know anything about this UTXO, other than a reference to the transaction containing it. We don't know it's value (amount in satoshi), and we don't know the locking script that sets the conditions for spending it. To find this information, we must retrieve the transaction from the blockchain and look at the specific UTXO. + +We can use the same sequence of commands with Bitcoin Core as we used when retrieving Alice's transaction (+getrawtransaction+ and +decoderawtransaction+). With that we can get the outputs and take a look: + +[[alice_input_tx]] +.Alice's UTXO from the previous transaction, used as an input +[source,json] +---- +"vout": [ + { + "value": 0.10000000, + "scriptPubKey": "OP_DUP OP_HASH160 7f9b1a7fb68d60c536c2fd8aeaa53a8f3cc025a8 OP_EQUALVERIFY OP_CHECKSIG" + } + ] +---- + +When we retrieve the previous transaction we find it only has one output (vout index +0+). We see that it has a value of 0.1 BTC and that it has a locking script (+scriptPubKey+) which contains "OP_DUP OP_HASH160...". This UTXO of 0.1 BTC is the input that is spent (indivisibly and entirely) by Alice's transaction. + +[TIP] +==== +To fully understand Alice's transaction we had to retrieve the previous transaction(s) referenced as inputs. A function that retrieves previous transactions and unspent transaction outputs is very common and exists in almost every bitcoin library and API. +==== + +When transactions are serialized for transmission on the network, their inputs are encoded into a byte-stream as follows: [[tx_in_structure]] -.The structure of a transaction input +.Transaction input serialization [options="header"] |======= |Size| Field | Description @@ -151,14 +220,47 @@ Once the UTXO is selected, the wallet then produces unlocking scripts containing | 4 bytes | Output Index | The index number of the UTXO to be spent; first one is 0 | 1-9 bytes (VarInt) | Unlocking-Script Size | Unlocking-Script length in bytes, to follow | Variable | Unlocking-Script | A script that fulfills the conditions of the UTXO locking script. -| 4 bytes | Sequence Number | Currently disabled Tx-replacement feature, set to 0xFFFFFFFF +| 4 bytes | Sequence Number | Used for locktime or disabled (0xFFFFFFFF) |======= -[NOTE] +As with the outputs, let's see if we can find the inputs from Alice's transaction in the serialized format. First, the inputs decoded: + +[source,json] +---- +"vin": [ + { + "txid": "7957a35fe64f80d234d76d83a2a8f1a0d8149a41d81de548f0a65a8a999f6f18", + "vout": 0, + "scriptSig" : "3045022100884d142d86652a3f47ba4746ec719bbfbd040a570b1deccbb6498c75c4ae24cb02204b9f039ff08df09cbe9f6addac960298cad530a863ea8f53982c09db8f6e3813[ALL] 0484ecc0d46f1918b30928fa0e4ed99f16a0fb4fde0735e7ade8416ab9fe423cc5412336376789d172787ec3457eee41c04f4938de5cc17b4a10fa336a8d752adf", + "sequence": 4294967295 + } +], +---- + +Now, let's see if we can identify these fields in the serialized hex encoding: + ==== -The sequence number is used to override a transaction prior to the expiration of the transaction locktime, which is a feature that is currently disabled in bitcoin. Most transactions set this value to the maximum integer value (0xFFFFFFFF) and it is ignored by the bitcoin network. If the transaction has a nonzero locktime, at least one of its inputs must have a sequence number below 0xFFFFFFFF in order to enable locktime.(((range="endofrange", startref="ix_ch06-asciidoc5"))) + ++0100000001+*+186f9f998a5aa6f048e51dd8419a14d8a0f1a8a2836dd73+* +*+4d2804fe65fa35779000000008b483045022100884d142d86652a3f47+* +*+ba4746ec719bbfbd040a570b1deccbb6498c75c4ae24cb02204b9f039+* +*+ff08df09cbe9f6addac960298cad530a863ea8f53982c09db8f6e3813+* +*+01410484ecc0d46f1918b30928fa0e4ed99f16a0fb4fde0735e7ade84+* +*+16ab9fe423cc5412336376789d172787ec3457eee41c04f4938de5cc1+* +*+7b4a10fa336a8d752adfffffffff+*+0260e31600000000001976a914ab6+ ++8025513c3dbd2f7b92a94e0581f5d50f654e788acd0ef800000000000+ ++1976a9147f9b1a7fb68d60c536c2fd8aeaa53a8f3cc025a888ac00000+ ++000+ + ==== +Hints: + +* The transaction ID is serialized in reversed byte order, so it starts with (hex) +18+ and ends with +79+ +* The output index is a 4-byte group of zeroes, easy to identify +* The length of the scriptSig is 139 bytes, or +8b+ in hex. +* The sequence number is set to +FFFFFFFF+, again easy to identify + [[tx_fees]] ==== Transaction Fees @@ -174,6 +276,11 @@ The current algorithm used by miners to prioritize transactions for inclusion in ==== Adding Fees to Transactions +//// + +Fees market - bitcoin fees - confirmation time and competition +//// + ((("fees, transaction","adding", id="ix_ch06-asciidoc7", range="startofrange")))((("transactions","fees", id="ix_ch06-asciidoc8", range="startofrange")))The data structure of transactions does not have a field for fees. Instead, fees are implied as the difference between the sum of inputs and the sum of outputs. Any excess amount that remains after all outputs have been deducted from all inputs is the fee that is collected by the miners. @@ -200,15 +307,27 @@ As Eugenia's wallet application tries to construct a single larger payment trans Eugenia's wallet application will calculate the appropriate fee by measuring the size of the transaction and multiplying that by the per-kilobyte fee. Many wallets will overpay fees for larger transactions to ensure the transaction is processed promptly. The higher fee is not because Eugenia is spending more money, but because her transaction is more complex and larger in size—the fee is independent of the transaction's bitcoin value.(((range="endofrange", startref="ix_ch06-asciidoc8")))(((range="endofrange", startref="ix_ch06-asciidoc7"))) + + + + [[tx_chains]] === Transaction Chaining and Orphan Transactions +//// +CPFP +//// + ((("chaining transactions")))((("orphan transactions")))((("transactions","chaining")))((("transactions","orphan")))As we have seen, transactions form a chain, whereby one transaction spends the outputs of the previous transaction (known as the parent) and creates outputs for a subsequent transaction (known as the child). Sometimes an entire chain of transactions depending on each other—say a parent, child, and grandchild transaction—are created at the same time, to fulfill a complex transactional workflow that requires valid children to be signed before the parent is signed. For example, this is a technique used in((("CoinJoin"))) CoinJoin transactions where multiple parties join transactions together to protect their privacy. When a chain of transactions is transmitted across the network, they don't always arrive in the same order. Sometimes, the child might arrive before the parent. In that case, the nodes that see a child first can see that it references a parent transaction that is not yet known. Rather than reject the child, they put it in a temporary pool to await the arrival of its parent and propagate it to every other node. The pool of transactions without parents is known as the((("orphan transaction pool"))) _orphan transaction pool_. Once the parent arrives, any orphans that reference the UTXO created by the parent are released from the pool, revalidated recursively, and then the entire chain of transactions can be included in the transaction pool, ready to be mined in a block. Transaction chains can be arbitrarily long, with any number of generations transmitted simultaneously. The mechanism of holding orphans in the orphan pool ensures that otherwise valid transactions will not be rejected just because their parent has been delayed and that eventually the chain they belong to is reconstructed in the correct order, regardless of the order of arrival. There is a limit to the number of orphan transactions stored in memory, to prevent a denial-of-service attack against bitcoin nodes. The limit is defined as((("MAX_ORPHAN_TRANSACTIONS constant"))) +MAX_ORPHAN_TRANSACTIONS+ in the source code of the bitcoin reference client. If the number of orphan transactions in the pool exceeds +MAX_ORPHAN_TRANSACTIONS+, one or more randomly selected orphan transactions are evicted from the pool, until the pool size is back within limits. +[[tx_lock_unlock]] +==== Locking and Unlocking UTXO - Cryptographic Puzzles and Witnesses + + [[tx_script]] === Transaction Scripts and Script Language From 5ed2d570fa176f9bdab4bfa2f2b05f16e919fd84 Mon Sep 17 00:00:00 2001 From: "Andreas M. Antonopoulos" Date: Sat, 26 Nov 2016 15:11:01 -0300 Subject: [PATCH 15/24] edits and cleanup (inputs/outputs) --- ch06.asciidoc | 47 +++++++++++++++++++++++++++++++++-------------- 1 file changed, 33 insertions(+), 14 deletions(-) diff --git a/ch06.asciidoc b/ch06.asciidoc index e74512ef..83801d1f 100644 --- a/ch06.asciidoc +++ b/ch06.asciidoc @@ -7,7 +7,7 @@ ((("transactions", id="ix_ch06-asciidoc0", range="startofrange")))Transactions are the most important part of the bitcoin system. Everything else in bitcoin is designed to ensure that transactions can be created, propagated on the network, validated, and finally added to the global ledger of transactions (the blockchain). Transactions are data structures that encode the transfer of value between participants in the bitcoin system. Each transaction is a public entry in bitcoin's blockchain, the global double-entry bookkeeping ledger. -In this chapter we will examine all the various forms of transactions, what they contain, how to create them, how they are verified, and how they become part of the permanent record of all transactions. +In this chapter we will examine all the various forms of transactions, what they contain, how to create them, how they are verified, and how they become part of the permanent record of all transactions. When we use the term "wallet" in this chapter, we are referring to the software that constructs transactions, not just the database of keys. [[tx_structure]] === Transactions in Detail @@ -21,7 +21,7 @@ The block explorer application shows a transaction from Alice's "address" to Bob ==== Transactions - Behind the Scenes -Behind the scenes, an actual transaction looks very different from a transaction provided by a typical block explorer. In fact, most of the high-level constructs we see in the various bitcoin application user interfaces _do not actually exist_ in the bitcoin system. In bitcoin, there are no coins, no senders, no recipients, no balances, no accounts and no addresses. All those things are constructed at a higher level for the benefit of the user, to make things easier to understand. +Behind the scenes, an actual transaction looks very different from a transaction provided by a typical block explorer. In fact, most of the high-level constructs we see in the various bitcoin application user interfaces _do not actually exist_ in the bitcoin system. We can use Bitcoin Core's command-line interface (+getrawtransaction+ and +decoderawtransaction+) to retrieve Alice's "raw" transaction, decode it and see what it contains. The result looks like this: @@ -53,7 +53,7 @@ We can use Bitcoin Core's command-line interface (+getrawtransaction+ and +decod } ---- -You may notice a few things about this transaction, mostly the things that are missing! Where is Alice's address? Where is Bob's address? Where is the 0.1 input "sent" by Alice? +You may notice a few things about this transaction, mostly the things that are missing! Where is Alice's address? Where is Bob's address? Where is the 0.1 input "sent" by Alice? In bitcoin, there are no coins, no senders, no recipients, no balances, no accounts and no addresses. All those things are constructed at a higher level for the benefit of the user, to make things easier to understand. You may also notice a lot of strange and indecipherable fields and hexadecimal strings. Don't worry, we will explain each field shown here in detail in this chapter. @@ -62,7 +62,7 @@ You may also notice a lot of strange and indecipherable fields and hexadecimal s ((("transactions","unspent transaction output (UTXO)")))((("unspent transaction output (UTXO)")))The fundamental building block of a bitcoin transaction is a _transaction output_. Transaction outputs are indivisible chunks of bitcoin currency, recorded on the blockchain, and recognized as valid by the entire network. Bitcoin full nodes track all available and spendable outputs, known as _Unspent Transaction Outputs_ or _UTXO_. The collection of all UTXO is known as the _UTXO set_ and currently numbers in the millions of UTXO. The UTXO set grows as new UTXO is created and shrinks when UTXO is consumed. Every transaction represents a change (state transition) in the UTXO set. -When we say that a user's wallet has "received" bitcoin, what we mean is that the wallet has detected an unspent transaction output (UTXO) which can be spent with one of the keys controlled by that wallet. Thus, a user's bitcoin "balance" is the sum of all UTXO that user's wallet can spend and which may be scattered amongst hundreds of transactions and hundreds of blocks. The concept of a balance is a derived construct created by the wallet application. The wallet calculates the user's balance by scanning the blockchain and aggregating the value of any UTXO that the wallet can spend with the keys it controls. +When we say that a user's wallet has "received" bitcoin, what we mean is that the wallet has detected an unspent transaction output (UTXO) which can be spent with one of the keys controlled by that wallet. Thus, a user's bitcoin "balance" is the sum of all UTXO that user's wallet can spend and which may be scattered amongst hundreds of transactions and hundreds of blocks. The concept of a balance is created by the wallet application. The wallet calculates the user's balance by scanning the blockchain and aggregating the value of any UTXO that the wallet can spend with the keys it controls. Today, all wallets maintain a database or use a database service to store a quick reference set of all the UTXO they can spend with the keys they control. A transaction output can have an arbitrary value denominated as a multiple of((("satoshis"))) satoshis. Just like dollars can be divided down to two decimal places as cents, bitcoins can be divided down to eight decimal places as satoshis. Although an output can have any arbitrary value, once created it is indivisible. This is an important characteristic of outputs that needs to be emphasized: outputs are *discreet* and *indivisible* units of value, denominated in satoshis. An unspent output can only be consumed in its entirety by a transaction. @@ -118,7 +118,9 @@ Now, let's look at Alice's transaction (shown previously in <>) and se As you can see, the transaction contains two outputs. Each output is defined by a value and a cryptographic puzzle. In the encoding shown by Bitcoin Core above, the value is shown in bitcoin. The second part of each output is the cryptographic puzzle that sets the conditions for spending. Bitcoin Core shows this as +scriptPubKey+ and shows us a human-readable representation of the script. -The topic of locking and unlocking UTXO will be discussed later, in <>. The scripting language that is used for the script in +scriptPubKey+ is discussed in <>. Before we delve into those topics, we need to understand the overall structure of transaction inputs and outputs. +The topic of locking and unlocking UTXO will be discussed later, in <>. The scripting language that is used for the script in +scriptPubKey+ is discussed in <>. But before we delve into those topics, we need to understand the overall structure of transaction inputs and outputs. + +===== Transaction Serialization - Outputs When transactions are transmitted over the network or exchanged between applications, they are _serialized_. (((serialization)))Serialization is the process of converting the internal representation of a data structure into a format that can be transmitted one byte at a time, also known as a byte-stream. Serialization is most commonly used for encoding data structures for transmission over a network or for storage in a file. The serialization format of a transaction output is shown in <>: @@ -132,6 +134,11 @@ When transactions are transmitted over the network or exchanged between applicat | Variable | Locking-Script | A script defining the conditions needed to spend the output |======= +//// +You need a transition sentence explaining that people don't use serialized data internally in their programs - +However, most programs do not store data in the serialized format and need to.... +//// + The process of converting from the byte-stream representation of a transaction to whatever data structure (e.g. a transaction object) is used to store transactions internally in your program, is called _de-serialization_ or _transaction parsing_. (((de-serialization)))Most bitcoin libraries have functions for transaction serialization and de-serialization. See if you can manually decode Alice's transaction from the serialized hexadecimal form, finding some of the elements we saw above. The section containing the two outputs is highlighted to help you: @@ -159,9 +166,13 @@ Here are some hints: [[tx_inputs]] ==== Transaction Inputs -((("transactions","inputs", id="ix_ch06-asciidoc5", range="startofrange")))In simple terms, transaction inputs are pointers to UTXO. They point to a specific UTXO by reference to the transaction hash and sequence number where the UTXO is recorded in the blockchain. To spend UTXO, a transaction input also includes an unlocking script, also known as a _witness_, that satisfies the spending conditions set by the UTXO locking script. Most often, the unlocking script is a digital signature and public key proving ownership of the bitcoin. However, not all unlocking scripts contain signatures. +((("transactions","inputs", id="ix_ch06-asciidoc5", range="startofrange")))Transaction inputs identify (by reference) which UTXO will be consumed and provide proof of ownership through an unlocking script. -Let's look back at our example in <>. The transaction inputs are an array (list) called +vin+: +To build a transaction, a wallet selects from the UTXO it controls, UTXO with enough value to make the requested payment. Sometimes one UTXO is enough, other times more than one is needed. For each UTXO that will be consumed to make this payment, the wallet creates one input pointing to the UTXO and unlocks it with an unlocking script. + +Let's look at the components of an input in greater detail. The first part of an input is a pointer to an UTXO by reference to the transaction hash and sequence number where the UTXO is recorded in the blockchain. The second part is an unlocking script, which the wallet constructs in order to satisfy the spending conditions set in the UTXO. Most often, the unlocking script is a digital signature and public key proving ownership of the bitcoin. However, not all unlocking scripts contain signatures. The third part is a sequence number which will be discussed later. + +Consider our example in <>. The transaction inputs are an array (list) called +vin+: [[vin]] .The transaction inputs in Alice's transaction @@ -177,21 +188,25 @@ Let's look back at our example in <>. The transaction inputs are an ar ] ---- -As you can see, there is only one input in the list. It contains four elements: +As you can see, there is only one input in the list (because one UTXO contained sufficient value to make this payment). The input contains four elements: * A transaction ID, referencing the transaction which contains the UTXO being spent * An output index (+vout+), identifying which UTXO from that transaction is referenced (first one is zero) * A scriptSig, which satisfies the conditions placed on the UTXO, unlocking it for spending * A sequence number (to be discussed later) -The transaction ID and output index, together uniquely identify a previously created UTXO, by reference (transaction ID) to the transaction that contains it and an index number, which starts at zero. In Alice's transaction, the input points to transaction ID +7957a35fe64f80d234d76d83a2a8f1a0d8149a41d81de548f0a65a8a999f6f18+ and output index +0+ (ie. the first UTXO created by that transaction). +In Alice's transaction, the input points to transaction ID +7957a35fe64f80d234d76d83a2a8f1a0d8149a41d81de548f0a65a8a999f6f18+ and output index +0+ (i.e. the first UTXO created by that transaction). The unlocking script is constructed by Alice's wallet by first retrieving the referenced UTXO, examining its locking script and then using that to build the necessary unlocking script to satisfy it. -At this point you may have noticed that we don't know anything about this UTXO, other than a reference to the transaction containing it. We don't know it's value (amount in satoshi), and we don't know the locking script that sets the conditions for spending it. To find this information, we must retrieve the transaction from the blockchain and look at the specific UTXO. +Looking just at the input you may have noticed that we don't know anything about this UTXO, other than a reference to the transaction containing it. We don't know it's value (amount in satoshi), and we don't know the locking script that sets the conditions for spending it. To find this information, we must retrieve the referenced UTXO by retrieving the underlying transaction. Notice that because the value of the input is not explicitly stated, we must also use the referenced UTXO in order to calculate fees that will be paid in this transaction (see <>). -We can use the same sequence of commands with Bitcoin Core as we used when retrieving Alice's transaction (+getrawtransaction+ and +decoderawtransaction+). With that we can get the outputs and take a look: +It's not just Alice's wallet that needs to retrieve UTXO referenced in the inputs. Once this transaction is broadcast to the network, every validating node will also need to retrieve the UTXO referenced in the transaction inputs in order to validate the transaction. + +Transactions on their own seem incomplete because they lack context. They reference UTXO in their inputs but without retrieving that UTXO we cannot know the value of the inputs or their locking conditions. When writing bitcoin software, anytime you decode a transaction with the intent of validating it or counting the fees or checking the unlocking script, your code will first have to retrieve the referenced UTXO from the blockchain in order to build the context implied but not present in the UTXO references of the inputs. For example, to calculate the amount paid in fees, you must know the sum of the values of inputs and outputs. But without retrieving the UTXO referenced in the inputs, you do not know their value. So a seemingly simple operation like counting fees in a single transaction in fact involves multiple steps and data from multiple transactions. + +We can use the same sequence of commands with Bitcoin Core as we used when retrieving Alice's transaction (+getrawtransaction+ and +decoderawtransaction+). With that we can get the UTXO referenced in the input above and take a look: [[alice_input_tx]] -.Alice's UTXO from the previous transaction, used as an input +.Alice's UTXO from the previous transaction, referenced in the input [source,json] ---- "vout": [ @@ -202,13 +217,15 @@ We can use the same sequence of commands with Bitcoin Core as we used when retri ] ---- -When we retrieve the previous transaction we find it only has one output (vout index +0+). We see that it has a value of 0.1 BTC and that it has a locking script (+scriptPubKey+) which contains "OP_DUP OP_HASH160...". This UTXO of 0.1 BTC is the input that is spent (indivisibly and entirely) by Alice's transaction. +We see that this UTXO has a value of 0.1 BTC and that it has a locking script (+scriptPubKey+) which contains "OP_DUP OP_HASH160...". [TIP] ==== To fully understand Alice's transaction we had to retrieve the previous transaction(s) referenced as inputs. A function that retrieves previous transactions and unspent transaction outputs is very common and exists in almost every bitcoin library and API. ==== +===== Transaction Serialization - Inputs + When transactions are serialized for transmission on the network, their inputs are encoded into a byte-stream as follows: [[tx_in_structure]] @@ -270,7 +287,9 @@ Transaction fees serve as an incentive to include (mine) a transaction into the ((("fees, transaction","calculating")))Transaction fees are calculated based on the size of the transaction in kilobytes, not the value of the transaction in bitcoin. Overall, transaction fees are set based on market forces within the bitcoin network. Miners prioritize transactions based on many different criteria, including fees, and might even process transactions for free under certain circumstances. Transaction fees affect the processing priority, meaning that a transaction with sufficient fees is likely to be included in the next-most–mined block, whereas a transaction with insufficient or no fees might be delayed, processed on a best-effort basis after a few blocks, or not processed at all. Transaction fees are not mandatory, and transactions without fees might be processed eventually; however, including transaction fees encourages priority processing. -Over time, the way transaction fees are calculated and the effect they have on transaction prioritization has been evolving. At first, transaction fees were fixed and constant across the network. Gradually, the fee structure has been relaxed so that it may be influenced by market forces, based on network capacity and transaction volume. The current minimum transaction fee is fixed at 0.0001 bitcoin or a tenth of a milli-bitcoin per kilobyte, recently decreased from one milli-bitcoin. Most transactions are less than one kilobyte; however, those with multiple inputs or outputs can be larger. In future revisions of the bitcoin protocol, it is expected that wallet applications will use statistical analysis to calculate the most appropriate fee to attach to a transaction based on the average fees of recent transactions. +Over time, the way transaction fees are calculated and the effect they have on transaction prioritization has been evolving. At first, transaction fees were fixed and constant across the network. Gradually, the fee structure has been relaxed so that it may be influenced by market forces, based on network capacity and transaction volume. + +The current minimum transaction fee is fixed at 0.0001 bitcoin or a tenth of a milli-bitcoin per kilobyte, recently decreased from one milli-bitcoin. Most transactions are less than one kilobyte; however, those with multiple inputs or outputs can be larger. In future revisions of the bitcoin protocol, it is expected that wallet applications will use statistical analysis to calculate the most appropriate fee to attach to a transaction based on the average fees of recent transactions. The current algorithm used by miners to prioritize transactions for inclusion in a block based on their fees is examined in detail in <>.(((range="endofrange", startref="ix_ch06-asciidoc6"))) From b67216f82210539e28fa5aeb777a31898417f43c Mon Sep 17 00:00:00 2001 From: Will Binns Date: Thu, 8 Dec 2016 21:53:19 -0600 Subject: [PATCH 16/24] preface: Add contributor, venzen --- preface.asciidoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/preface.asciidoc b/preface.asciidoc index cb085778..bf8d7a3a 100644 --- a/preface.asciidoc +++ b/preface.asciidoc @@ -197,5 +197,6 @@ Many contributors offered comments, corrections, and additions to the early-rele * Stephan Oeste (Emzy) * takaya-imai * Thiago Arrais (thiagoarrais) -* Will Binns (wbinns) +* venzen +* Will Binns (wbnns) * Wojciech Langiewicz (wlk) From 5e9f9e6e72dccebac91dfb5196b2c8ad42319a77 Mon Sep 17 00:00:00 2001 From: Will Binns Date: Thu, 8 Dec 2016 22:16:33 -0600 Subject: [PATCH 17/24] Revert "Merge pull request #208 from jonathancross/book-includes" This reverts commit 52dadba9571edd7a3caf004f24d8daff513fea32. book.asciidoc is being used for the O'Reilly early-release program and should only contain the completed chapters from the in-progress second edition of the book. Please do not modify, thanks! --- book.asciidoc | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/book.asciidoc b/book.asciidoc index 487a2e45..40a2820d 100644 --- a/book.asciidoc +++ b/book.asciidoc @@ -2,7 +2,7 @@ = Mastering Bitcoin -include::praise.html[] +include::praise.asciidoc[] include::preface.asciidoc[] @@ -18,15 +18,15 @@ include::ch04.asciidoc[] include::ch05.asciidoc[] -include::ch06-orig.asciidoc[] +include::ch06.asciidoc[] -include::ch07-orig.asciidoc[] +include::ch07.asciidoc[] -include::ch08-orig.asciidoc[] +include::ch08.asciidoc[] -include::ch09-orig.asciidoc[] +include::ch09.asciidoc[] -include::ch10-orig.asciidoc[] +include::ch10.asciidoc[] include::appdx-bitcoinwhitepaper.asciidoc[] @@ -38,6 +38,6 @@ include::appdx-pycoin.asciidoc[] include::appdx-bx.asciidoc[] -include::ix.html[] +include::index.asciidoc[] -include::colo.html[] +include::colo.asciidoc[] \ No newline at end of file From 54de3ac14dee65217049d2cf46c9b9a8e4854ff5 Mon Sep 17 00:00:00 2001 From: "Andreas M. Antonopoulos" Date: Mon, 12 Dec 2016 15:00:27 +0200 Subject: [PATCH 18/24] transaction fees --- .debris/2016-11-26/ch06.asciidoc | 698 +++++++++++++++++++++++++++++++ .debris/tmp/lock | 0 ch06.asciidoc | 70 ++-- code/p2wpkh.js | 8 + images/bitcoinfees21co.png | Bin 0 -> 1519953 bytes scratch.asciidoc | 93 ++++ 6 files changed, 834 insertions(+), 35 deletions(-) create mode 100644 .debris/2016-11-26/ch06.asciidoc create mode 100644 .debris/tmp/lock create mode 100644 code/p2wpkh.js create mode 100644 images/bitcoinfees21co.png create mode 100644 scratch.asciidoc diff --git a/.debris/2016-11-26/ch06.asciidoc b/.debris/2016-11-26/ch06.asciidoc new file mode 100644 index 00000000..e74512ef --- /dev/null +++ b/.debris/2016-11-26/ch06.asciidoc @@ -0,0 +1,698 @@ +[[ch06]] +[[transactions]] +== Transactions + +[[ch06_intro]] +=== Introduction + +((("transactions", id="ix_ch06-asciidoc0", range="startofrange")))Transactions are the most important part of the bitcoin system. Everything else in bitcoin is designed to ensure that transactions can be created, propagated on the network, validated, and finally added to the global ledger of transactions (the blockchain). Transactions are data structures that encode the transfer of value between participants in the bitcoin system. Each transaction is a public entry in bitcoin's blockchain, the global double-entry bookkeeping ledger. + +In this chapter we will examine all the various forms of transactions, what they contain, how to create them, how they are verified, and how they become part of the permanent record of all transactions. + +[[tx_structure]] +=== Transactions in Detail + +In the second chapter, we looked at the transaction Alice used to pay for coffee at Bob's Coffee shop, using a block explorer: + +.Alice's transaction to Bob's Cafe +image::images/msbt_0208.png["Alice Coffee Transaction"] + +The block explorer application shows a transaction from Alice's "address" to Bob's "address". This is a much simplified view of what is contained in a transaction. In fact, as we will see in this chapter, much of the information shown above is constructed by the block explorer and is not actually in the transaction. + +==== Transactions - Behind the Scenes + +Behind the scenes, an actual transaction looks very different from a transaction provided by a typical block explorer. In fact, most of the high-level constructs we see in the various bitcoin application user interfaces _do not actually exist_ in the bitcoin system. In bitcoin, there are no coins, no senders, no recipients, no balances, no accounts and no addresses. All those things are constructed at a higher level for the benefit of the user, to make things easier to understand. + +We can use Bitcoin Core's command-line interface (+getrawtransaction+ and +decoderawtransaction+) to retrieve Alice's "raw" transaction, decode it and see what it contains. The result looks like this: + +[[alice_tx]] +.Alice's transaction decoded +[source,json] +---- +{ + "version": 1, + "locktime": 0, + "vin": [ + { + "txid": "7957a35fe64f80d234d76d83a2a8f1a0d8149a41d81de548f0a65a8a999f6f18", + "vout": 0, + "scriptSig" : "3045022100884d142d86652a3f47ba4746ec719bbfbd040a570b1deccbb6498c75c4ae24cb02204b9f039ff08df09cbe9f6addac960298cad530a863ea8f53982c09db8f6e3813[ALL] 0484ecc0d46f1918b30928fa0e4ed99f16a0fb4fde0735e7ade8416ab9fe423cc5412336376789d172787ec3457eee41c04f4938de5cc17b4a10fa336a8d752adf", + "sequence": 4294967295 + } + ], + "vout": [ + { + "value": 0.01500000, + "scriptPubKey": "OP_DUP OP_HASH160 ab68025513c3dbd2f7b92a94e0581f5d50f654e7 OP_EQUALVERIFY OP_CHECKSIG" + }, + { + "value": 0.08450000, + "scriptPubKey": "OP_DUP OP_HASH160 7f9b1a7fb68d60c536c2fd8aeaa53a8f3cc025a8 OP_EQUALVERIFY OP_CHECKSIG", + } + ] +} +---- + +You may notice a few things about this transaction, mostly the things that are missing! Where is Alice's address? Where is Bob's address? Where is the 0.1 input "sent" by Alice? + +You may also notice a lot of strange and indecipherable fields and hexadecimal strings. Don't worry, we will explain each field shown here in detail in this chapter. + +[[tx_inputs_outputs]] +=== Transaction Outputs and Inputs + +((("transactions","unspent transaction output (UTXO)")))((("unspent transaction output (UTXO)")))The fundamental building block of a bitcoin transaction is a _transaction output_. Transaction outputs are indivisible chunks of bitcoin currency, recorded on the blockchain, and recognized as valid by the entire network. Bitcoin full nodes track all available and spendable outputs, known as _Unspent Transaction Outputs_ or _UTXO_. The collection of all UTXO is known as the _UTXO set_ and currently numbers in the millions of UTXO. The UTXO set grows as new UTXO is created and shrinks when UTXO is consumed. Every transaction represents a change (state transition) in the UTXO set. + +When we say that a user's wallet has "received" bitcoin, what we mean is that the wallet has detected an unspent transaction output (UTXO) which can be spent with one of the keys controlled by that wallet. Thus, a user's bitcoin "balance" is the sum of all UTXO that user's wallet can spend and which may be scattered amongst hundreds of transactions and hundreds of blocks. The concept of a balance is a derived construct created by the wallet application. The wallet calculates the user's balance by scanning the blockchain and aggregating the value of any UTXO that the wallet can spend with the keys it controls. + +A transaction output can have an arbitrary value denominated as a multiple of((("satoshis"))) satoshis. Just like dollars can be divided down to two decimal places as cents, bitcoins can be divided down to eight decimal places as satoshis. Although an output can have any arbitrary value, once created it is indivisible. This is an important characteristic of outputs that needs to be emphasized: outputs are *discreet* and *indivisible* units of value, denominated in satoshis. An unspent output can only be consumed in its entirety by a transaction. + +If an unspent transaction output is larger than the desired value of a transaction, it must still be consumed in its entirety and change must be generated in the transaction. ((("change, making")))In other words, if you have a UTXO worth 20 bitcoin and want to pay only 1 bitcoin, your transaction must consume the entire 20-bitcoin UTXO and produce two outputs: one paying 1 bitcoin to your desired recipient and another paying 19 bitcoin in change back to your wallet. As a result of the indivisible nature of transaction outputs, most bitcoin transactions will have to generate change. + +Imagine a shopper buying a $1.50 beverage, reaching into her wallet and trying to find a combination of coins and bank notes to cover the $1.50 cost. The shopper will choose exact change if available (for example, a dollar bill and two quarters), or a combination of smaller denominations (six quarters), or if necessary, a larger unit such as a five dollar bank note. If she hands too much money, say $5, to the shop owner, she will expect $3.50 change, which she will return to her wallet and have available for future transactions. + +Similarly, a bitcoin transaction must be created from a user's UTXO in whatever denominations that user has available. Users cannot cut a UTXO in half any more than they can cut a dollar bill in half and use it as currency. The user's wallet application will typically select from the user's available UTXO to compose an amount greater than or equal to the desired transaction amount. + +As with real life, the bitcoin application can use several strategies to satisfy the purchase amount: combining several smaller units, finding exact change, or using a single unit larger than the transaction value and making change. All of this complex assembly of spendable UTXO is done by the user's wallet automatically and is invisible to users. It is only relevant if you are programmatically constructing raw transactions from UTXO. + +A transaction consumes previously-recorded unspent transaction outputs and creates new transaction outputs that can be consumed by a future transaction. This way, chunks of bitcoin value move forward from owner to owner in a chain of transactions consuming and creating UTXO. + +The exception to the output and input chain is a special type of transaction called the _coinbase_ transaction, which is the first transaction in each block. This transaction is placed there by the "winning" miner and creates brand-new bitcoin payable to that miner as a reward for mining. This special coinbase transaction does not consume UTXO, instead it has a special type of input called the "coinbase". This is how bitcoin's money supply is created during the mining process, as we will see in <>. + +[TIP] +==== +What comes first? Inputs or outputs, the chicken or the egg? Strictly speaking, outputs come first because coinbase transactions, which generate new bitcoin, have no inputs and create outputs from nothing. +==== + +[[tx_outs]] +==== Transaction Outputs + +((("bitcoin ledger, outputs in", id="ix_ch06-asciidoc2", range="startofrange")))((("transactions","outputs", id="ix_ch06-asciidoc3", range="startofrange")))((("unspent transaction output (UTXO)", id="ix_ch06-asciidoc4", range="startofrange")))Every bitcoin transaction creates outputs, which are recorded on the bitcoin ledger. Almost all of these outputs, with one exception (see <>) create spendable chunks of bitcoin called UTXO, which are then recognized by the whole network and available for the owner to spend in a future transaction. + +UTXO are tracked by every full-node bitcoin client in the UTXO set. New transactions consume (spend) one or more of these outputs from the UTXO set. + +Transaction outputs consist of two parts: + +* An amount of bitcoin, denominated in _satoshis_, the smallest bitcoin unit +* A cryptographic puzzle that determines the conditions required to spend the output + +The cryptographic puzzle, is also known as a ((("locking scripts"))) _locking script_, a _witness script_ or a +scriptPubKey+. + +The transaction scripting language, used in the locking script mentioned previously, is discussed in detail in <>. + +Now, let's look at Alice's transaction (shown previously in <>) and see if we can identify the outputs. In the JSON encoding, the outputs are in an array (list) named +vout+: + +[source,json] +---- +"vout": [ + { + "value": 0.01500000, + "scriptPubKey": "OP_DUP OP_HASH160 ab68025513c3dbd2f7b92a94e0581f5d50f654e7 OP_EQUALVERIFY + OP_CHECKSIG" + }, + { + "value": 0.08450000, + "scriptPubKey": "OP_DUP OP_HASH160 7f9b1a7fb68d60c536c2fd8aeaa53a8f3cc025a8 OP_EQUALVERIFY OP_CHECKSIG", + } +] +---- + +As you can see, the transaction contains two outputs. Each output is defined by a value and a cryptographic puzzle. In the encoding shown by Bitcoin Core above, the value is shown in bitcoin. The second part of each output is the cryptographic puzzle that sets the conditions for spending. Bitcoin Core shows this as +scriptPubKey+ and shows us a human-readable representation of the script. + +The topic of locking and unlocking UTXO will be discussed later, in <>. The scripting language that is used for the script in +scriptPubKey+ is discussed in <>. Before we delve into those topics, we need to understand the overall structure of transaction inputs and outputs. + +When transactions are transmitted over the network or exchanged between applications, they are _serialized_. (((serialization)))Serialization is the process of converting the internal representation of a data structure into a format that can be transmitted one byte at a time, also known as a byte-stream. Serialization is most commonly used for encoding data structures for transmission over a network or for storage in a file. The serialization format of a transaction output is shown in <>: + +[[tx_out_structure]] +.Transaction output serialization +[options="header"] +|======= +|Size| Field | Description +| 8 bytes (little-endian) | Amount | Bitcoin value in satoshis (10^-8^ bitcoin) +| 1-9 bytes (VarInt) | Locking-Script Size | Locking-Script length in bytes, to follow +| Variable | Locking-Script | A script defining the conditions needed to spend the output +|======= + +The process of converting from the byte-stream representation of a transaction to whatever data structure (e.g. a transaction object) is used to store transactions internally in your program, is called _de-serialization_ or _transaction parsing_. (((de-serialization)))Most bitcoin libraries have functions for transaction serialization and de-serialization. + +See if you can manually decode Alice's transaction from the serialized hexadecimal form, finding some of the elements we saw above. The section containing the two outputs is highlighted to help you: + +==== ++0100000001186f9f998a5aa6f048e51dd8419a14d8a0f1a8a2836dd73+ ++4d2804fe65fa35779000000008b483045022100884d142d86652a3f47+ ++ba4746ec719bbfbd040a570b1deccbb6498c75c4ae24cb02204b9f039+ ++ff08df09cbe9f6addac960298cad530a863ea8f53982c09db8f6e3813+ ++01410484ecc0d46f1918b30928fa0e4ed99f16a0fb4fde0735e7ade84+ ++16ab9fe423cc5412336376789d172787ec3457eee41c04f4938de5cc1+ ++7b4a10fa336a8d752adfffffffff02+*+60e31600000000001976a914ab6+* +*+8025513c3dbd2f7b92a94e0581f5d50f654e788acd0ef800000000000+* +*+1976a9147f9b1a7fb68d60c536c2fd8aeaa53a8f3cc025a888ac+* ++00000000+ +==== + +Here are some hints: + +* There are two outputs in the highlighted section, each serialized as shown in the table <> +* The value of 0.15 bitcoin is 1,500,000 satoshis. That's +16 e3 60+ in hexadecimal. +* In the serialized transaction, the value +16 e3 60+ is encoded in little-endian (least-significant-byte-first) byte order, so it looks like +60 e3 16+ +* The +scriptPubKey+ length is 25 bytes, which is +19+ in hexadecimal + +[[tx_inputs]] +==== Transaction Inputs + +((("transactions","inputs", id="ix_ch06-asciidoc5", range="startofrange")))In simple terms, transaction inputs are pointers to UTXO. They point to a specific UTXO by reference to the transaction hash and sequence number where the UTXO is recorded in the blockchain. To spend UTXO, a transaction input also includes an unlocking script, also known as a _witness_, that satisfies the spending conditions set by the UTXO locking script. Most often, the unlocking script is a digital signature and public key proving ownership of the bitcoin. However, not all unlocking scripts contain signatures. + +Let's look back at our example in <>. The transaction inputs are an array (list) called +vin+: + +[[vin]] +.The transaction inputs in Alice's transaction +[source,json] +---- +"vin": [ + { + "txid": "7957a35fe64f80d234d76d83a2a8f1a0d8149a41d81de548f0a65a8a999f6f18", + "vout": 0, + "scriptSig" : "3045022100884d142d86652a3f47ba4746ec719bbfbd040a570b1deccbb6498c75c4ae24cb02204b9f039ff08df09cbe9f6addac960298cad530a863ea8f53982c09db8f6e3813[ALL] 0484ecc0d46f1918b30928fa0e4ed99f16a0fb4fde0735e7ade8416ab9fe423cc5412336376789d172787ec3457eee41c04f4938de5cc17b4a10fa336a8d752adf", + "sequence": 4294967295 + } +] +---- + +As you can see, there is only one input in the list. It contains four elements: + +* A transaction ID, referencing the transaction which contains the UTXO being spent +* An output index (+vout+), identifying which UTXO from that transaction is referenced (first one is zero) +* A scriptSig, which satisfies the conditions placed on the UTXO, unlocking it for spending +* A sequence number (to be discussed later) + +The transaction ID and output index, together uniquely identify a previously created UTXO, by reference (transaction ID) to the transaction that contains it and an index number, which starts at zero. In Alice's transaction, the input points to transaction ID +7957a35fe64f80d234d76d83a2a8f1a0d8149a41d81de548f0a65a8a999f6f18+ and output index +0+ (ie. the first UTXO created by that transaction). + +At this point you may have noticed that we don't know anything about this UTXO, other than a reference to the transaction containing it. We don't know it's value (amount in satoshi), and we don't know the locking script that sets the conditions for spending it. To find this information, we must retrieve the transaction from the blockchain and look at the specific UTXO. + +We can use the same sequence of commands with Bitcoin Core as we used when retrieving Alice's transaction (+getrawtransaction+ and +decoderawtransaction+). With that we can get the outputs and take a look: + +[[alice_input_tx]] +.Alice's UTXO from the previous transaction, used as an input +[source,json] +---- +"vout": [ + { + "value": 0.10000000, + "scriptPubKey": "OP_DUP OP_HASH160 7f9b1a7fb68d60c536c2fd8aeaa53a8f3cc025a8 OP_EQUALVERIFY OP_CHECKSIG" + } + ] +---- + +When we retrieve the previous transaction we find it only has one output (vout index +0+). We see that it has a value of 0.1 BTC and that it has a locking script (+scriptPubKey+) which contains "OP_DUP OP_HASH160...". This UTXO of 0.1 BTC is the input that is spent (indivisibly and entirely) by Alice's transaction. + +[TIP] +==== +To fully understand Alice's transaction we had to retrieve the previous transaction(s) referenced as inputs. A function that retrieves previous transactions and unspent transaction outputs is very common and exists in almost every bitcoin library and API. +==== + +When transactions are serialized for transmission on the network, their inputs are encoded into a byte-stream as follows: + +[[tx_in_structure]] +.Transaction input serialization +[options="header"] +|======= +|Size| Field | Description +| 32 bytes | Transaction Hash | Pointer to the transaction containing the UTXO to be spent +| 4 bytes | Output Index | The index number of the UTXO to be spent; first one is 0 +| 1-9 bytes (VarInt) | Unlocking-Script Size | Unlocking-Script length in bytes, to follow +| Variable | Unlocking-Script | A script that fulfills the conditions of the UTXO locking script. +| 4 bytes | Sequence Number | Used for locktime or disabled (0xFFFFFFFF) +|======= + +As with the outputs, let's see if we can find the inputs from Alice's transaction in the serialized format. First, the inputs decoded: + +[source,json] +---- +"vin": [ + { + "txid": "7957a35fe64f80d234d76d83a2a8f1a0d8149a41d81de548f0a65a8a999f6f18", + "vout": 0, + "scriptSig" : "3045022100884d142d86652a3f47ba4746ec719bbfbd040a570b1deccbb6498c75c4ae24cb02204b9f039ff08df09cbe9f6addac960298cad530a863ea8f53982c09db8f6e3813[ALL] 0484ecc0d46f1918b30928fa0e4ed99f16a0fb4fde0735e7ade8416ab9fe423cc5412336376789d172787ec3457eee41c04f4938de5cc17b4a10fa336a8d752adf", + "sequence": 4294967295 + } +], +---- + +Now, let's see if we can identify these fields in the serialized hex encoding: + +==== + ++0100000001+*+186f9f998a5aa6f048e51dd8419a14d8a0f1a8a2836dd73+* +*+4d2804fe65fa35779000000008b483045022100884d142d86652a3f47+* +*+ba4746ec719bbfbd040a570b1deccbb6498c75c4ae24cb02204b9f039+* +*+ff08df09cbe9f6addac960298cad530a863ea8f53982c09db8f6e3813+* +*+01410484ecc0d46f1918b30928fa0e4ed99f16a0fb4fde0735e7ade84+* +*+16ab9fe423cc5412336376789d172787ec3457eee41c04f4938de5cc1+* +*+7b4a10fa336a8d752adfffffffff+*+0260e31600000000001976a914ab6+ ++8025513c3dbd2f7b92a94e0581f5d50f654e788acd0ef800000000000+ ++1976a9147f9b1a7fb68d60c536c2fd8aeaa53a8f3cc025a888ac00000+ ++000+ + +==== + +Hints: + +* The transaction ID is serialized in reversed byte order, so it starts with (hex) +18+ and ends with +79+ +* The output index is a 4-byte group of zeroes, easy to identify +* The length of the scriptSig is 139 bytes, or +8b+ in hex. +* The sequence number is set to +FFFFFFFF+, again easy to identify + +[[tx_fees]] +==== Transaction Fees + +((("fees, transaction", id="ix_ch06-asciidoc6", range="startofrange")))Most transactions include transaction fees, which compensate the bitcoin miners for securing the network. Mining and the fees and rewards collected by miners are discussed in more detail in <>. This section examines how transaction fees are included in a typical transaction. Most wallets calculate and include transaction fees automatically. However, if you are constructing transactions programmatically, or using a command-line interface, you must manually account for and include these fees. + +Transaction fees serve as an incentive to include (mine) a transaction into the next block and also as a disincentive against "spam" transactions or any kind of abuse of the system, by imposing a small cost on every transaction. Transaction fees are collected by the miner who mines the block that records the transaction on the blockchain. + +((("fees, transaction","calculating")))Transaction fees are calculated based on the size of the transaction in kilobytes, not the value of the transaction in bitcoin. Overall, transaction fees are set based on market forces within the bitcoin network. Miners prioritize transactions based on many different criteria, including fees, and might even process transactions for free under certain circumstances. Transaction fees affect the processing priority, meaning that a transaction with sufficient fees is likely to be included in the next-most–mined block, whereas a transaction with insufficient or no fees might be delayed, processed on a best-effort basis after a few blocks, or not processed at all. Transaction fees are not mandatory, and transactions without fees might be processed eventually; however, including transaction fees encourages priority processing. + +Over time, the way transaction fees are calculated and the effect they have on transaction prioritization has been evolving. At first, transaction fees were fixed and constant across the network. Gradually, the fee structure has been relaxed so that it may be influenced by market forces, based on network capacity and transaction volume. The current minimum transaction fee is fixed at 0.0001 bitcoin or a tenth of a milli-bitcoin per kilobyte, recently decreased from one milli-bitcoin. Most transactions are less than one kilobyte; however, those with multiple inputs or outputs can be larger. In future revisions of the bitcoin protocol, it is expected that wallet applications will use statistical analysis to calculate the most appropriate fee to attach to a transaction based on the average fees of recent transactions. + +The current algorithm used by miners to prioritize transactions for inclusion in a block based on their fees is examined in detail in <>.(((range="endofrange", startref="ix_ch06-asciidoc6"))) + +==== Adding Fees to Transactions + +//// + +Fees market - bitcoin fees - confirmation time and competition +//// + +((("fees, transaction","adding", id="ix_ch06-asciidoc7", range="startofrange")))((("transactions","fees", id="ix_ch06-asciidoc8", range="startofrange")))The data structure of transactions does not have a field for fees. Instead, fees are implied as the difference between the sum of inputs and the sum of outputs. Any excess amount that remains after all outputs have been deducted from all inputs is the fee that is collected by the miners. + + +[[tx_fee_equation]] +.Transaction fees are implied, as the excess of inputs minus outputs: +---- +Fees = Sum(Inputs) – Sum(Outputs) +---- + +This is a somewhat confusing element of transactions and an important point to understand, because if you are constructing your own transactions you must ensure you do not inadvertently include a very large fee by underspending the inputs. That means that you must account for all inputs, if necessary by creating change, or you will end up giving the miners a very big tip! + +For example, if you consume a 20-bitcoin UTXO to make a 1-bitcoin payment, you must include a 19-bitcoin change output back to your wallet. Otherwise, the 19-bitcoin "leftover" will be counted as a transaction fee and will be collected by the miner who mines your transaction in a block. Although you will receive priority processing and make a miner very happy, this is probably not what you intended. + +[WARNING] +==== +If you forget to add a change output in a manually constructed transaction, you will be paying the change as a transaction fee. "Keep the change!" might not be what you intended. +==== + +Let's see how this works in practice, by looking at Alice's coffee purchase again. Alice wants to spend 0.015 bitcoin to pay for coffee. To ensure this transaction is processed promptly, she will want to include a transaction fee, say 0.001. That will mean that the total cost of the transaction will be 0.016. Her wallet must therefore source a set of UTXO that adds up to 0.016 bitcoin or more and, if necessary, create change. Let's say her wallet has a 0.2-bitcoin UTXO available. It will therefore need to consume this UTXO, create one output to Bob's Cafe for 0.015, and a second output with 0.184 bitcoin in change back to her own wallet, leaving 0.001 bitcoin unallocated, as an implicit fee for the transaction. + +Now let's look at a different scenario. Eugenia, our children's charity director in the Philippines, has completed a fundraiser to purchase school books for the children. She received several thousand small donations from people all around the world, totaling 50 bitcoin, so her wallet is full of very small payments (UTXO). Now she wants to purchase hundreds of school books from a local publisher, paying in bitcoin. + +As Eugenia's wallet application tries to construct a single larger payment transaction, it must source from the available UTXO set, which is composed of many smaller amounts. That means that the resulting transaction will source from more than a hundred small-value UTXO as inputs and only one output, paying the book publisher. A transaction with that many inputs will be larger than one kilobyte, perhaps 2 to 3 kilobytes in size. As a result, it will require a higher fee than the minimal network fee of 0.0001 bitcoin. + +Eugenia's wallet application will calculate the appropriate fee by measuring the size of the transaction and multiplying that by the per-kilobyte fee. Many wallets will overpay fees for larger transactions to ensure the transaction is processed promptly. The higher fee is not because Eugenia is spending more money, but because her transaction is more complex and larger in size—the fee is independent of the transaction's bitcoin value.(((range="endofrange", startref="ix_ch06-asciidoc8")))(((range="endofrange", startref="ix_ch06-asciidoc7"))) + + + + + +[[tx_chains]] +=== Transaction Chaining and Orphan Transactions + +//// +CPFP +//// + +((("chaining transactions")))((("orphan transactions")))((("transactions","chaining")))((("transactions","orphan")))As we have seen, transactions form a chain, whereby one transaction spends the outputs of the previous transaction (known as the parent) and creates outputs for a subsequent transaction (known as the child). Sometimes an entire chain of transactions depending on each other—say a parent, child, and grandchild transaction—are created at the same time, to fulfill a complex transactional workflow that requires valid children to be signed before the parent is signed. For example, this is a technique used in((("CoinJoin"))) CoinJoin transactions where multiple parties join transactions together to protect their privacy. + +When a chain of transactions is transmitted across the network, they don't always arrive in the same order. Sometimes, the child might arrive before the parent. In that case, the nodes that see a child first can see that it references a parent transaction that is not yet known. Rather than reject the child, they put it in a temporary pool to await the arrival of its parent and propagate it to every other node. The pool of transactions without parents is known as the((("orphan transaction pool"))) _orphan transaction pool_. Once the parent arrives, any orphans that reference the UTXO created by the parent are released from the pool, revalidated recursively, and then the entire chain of transactions can be included in the transaction pool, ready to be mined in a block. Transaction chains can be arbitrarily long, with any number of generations transmitted simultaneously. The mechanism of holding orphans in the orphan pool ensures that otherwise valid transactions will not be rejected just because their parent has been delayed and that eventually the chain they belong to is reconstructed in the correct order, regardless of the order of arrival. + +There is a limit to the number of orphan transactions stored in memory, to prevent a denial-of-service attack against bitcoin nodes. The limit is defined as((("MAX_ORPHAN_TRANSACTIONS constant"))) +MAX_ORPHAN_TRANSACTIONS+ in the source code of the bitcoin reference client. If the number of orphan transactions in the pool exceeds +MAX_ORPHAN_TRANSACTIONS+, one or more randomly selected orphan transactions are evicted from the pool, until the pool size is back within limits. + +[[tx_lock_unlock]] +==== Locking and Unlocking UTXO - Cryptographic Puzzles and Witnesses + + +[[tx_script]] +=== Transaction Scripts and Script Language + +((("scripts", id="ix_ch06-asciidoc9", range="startofrange")))((("transactions","script language for", id="ix_ch06-asciidoc10", range="startofrange")))((("transactions","validation", id="ix_ch06-asciidoc11", range="startofrange")))((("validation (transaction)", id="ix_ch06-asciidoc12", range="startofrange")))Bitcoin clients validate transactions by executing a script, written in a Forth-like scripting language. Both the locking script (encumbrance) placed on a UTXO and the unlocking script that usually contains a signature are written in this scripting language. When a transaction is validated, the unlocking script in each input is executed alongside the corresponding locking script to see if it satisfies the spending condition. + +Today, most transactions processed through the bitcoin network have the form "Alice pays Bob" and are based on the same script called a Pay-to-Public-Key-Hash script. However, the use of scripts to lock outputs and unlock inputs means that through use of the programming language, transactions can contain an infinite number of conditions. Bitcoin transactions are not limited to the "Alice pays Bob" form and pattern. + +This is only the tip of the iceberg of possibilities that can be expressed with this scripting language. In this section, we will demonstrate the components of the bitcoin transaction scripting language and show how it can be used to express complex conditions for spending and how those conditions can be satisfied by unlocking scripts. + +[TIP] +==== +Bitcoin transaction validation is not based on a static pattern, but instead is achieved through the execution of a scripting language. This language allows for a nearly infinite variety of conditions to be expressed. This is how bitcoin gets the power of "programmable money." +==== + +==== Script Construction (Lock + Unlock) + +((("scripts","construction of")))((("validation (transaction)","script construction for")))Bitcoin's transaction validation engine relies on two types of scripts to validate transactions: a locking script and an unlocking script. + +((("locking scripts","transaction validation and")))((("validation (transaction)","locking scripts")))A locking script is an encumbrance placed on an output, and it specifies the conditions that must be met to spend the output in the future. Historically, the locking script was called a _scriptPubKey_, because it usually contained a public key or bitcoin address. In this book we refer to it as a "locking script" to acknowledge the much broader range of possibilities of this scripting technology. In most bitcoin applications, what we refer to as a locking script will appear in the source code as +scriptPubKey+. + +((("unlocking scripts","transaction validation and")))An unlocking script is a script that "solves," or satisfies, the conditions placed on an output by a locking script and allows the output to be spent. Unlocking scripts are part of every transaction input, and most of the time they contain a digital signature produced by the user's wallet from his or her private key. Historically, the unlocking script is called _scriptSig_, because it usually contained a digital signature. In most bitcoin applications, the source code refers to the unlocking script as +scriptSig+. In this book, we refer to it as an "unlocking script" to acknowledge the much broader range of locking script requirements, because not all unlocking scripts must contain signatures. + +Every bitcoin client will validate transactions by executing the locking and unlocking scripts together. For each input in the transaction, the validation software will first retrieve the UTXO referenced by the input. That UTXO contains a locking script defining the conditions required to spend it. The validation software will then take the unlocking script contained in the input that is attempting to spend this UTXO and execute the two scripts. + +In the original bitcoin client, the unlocking and locking scripts were concatenated and executed in sequence. For security reasons, this was changed in 2010, because of a vulnerability that allowed a malformed unlocking script to push data onto the stack and corrupt the locking script. In the current implementation, the scripts are executed separately with the stack transferred between the two executions, as described next. + +First, the unlocking script is executed, using the stack execution engine. If the unlocking script executed without errors (e.g., it has no "dangling" operators left over), the main stack (not the alternate stack) is copied and the locking script is executed. If the result of executing the locking script with the stack data copied from the unlocking script is "TRUE," the unlocking script has succeeded in resolving the conditions imposed by the locking script and, therefore, the input is a valid authorization to spend the UTXO. If any result other than "TRUE" remains after execution of the combined script, the input is invalid because it has failed to satisfy the spending conditions placed on the UTXO. Note that the UTXO is permanently recorded in the blockchain, and therefore is invariable and is unaffected by failed attempts to spend it by reference in a new transaction. Only a valid transaction that correctly satisfies the conditions of the UTXO results in the UTXO being marked as "spent" and removed from the set of available (unspent) UTXO. + +<> is an example of the unlocking and locking scripts for the most common type of bitcoin transaction (a payment to a public key hash), showing the combined script resulting from the concatenation of the unlocking and locking scripts prior to script validation. + +[[scriptSig_and_scriptPubKey]] +.Combining scriptSig and scriptPubKey to evaluate a transaction script +image::images/msbt_0501.png["scriptSig_and_scriptPubKey"] + + +[[tx_script_language]] +==== Scripting Language + +((("Script language", id="ix_ch06-asciidoc13", range="startofrange")))((("scripts","language for", id="ix_ch06-asciidoc14", range="startofrange")))The bitcoin transaction script language, called _Script_, is a Forth-like reverse-polish notation stack-based execution language. If that sounds like gibberish, you probably haven't studied 1960's programming languages. Script is a very simple language that was designed to be limited in scope and executable on a range of hardware, perhaps as simple as an embedded device, such as a handheld calculator. It requires minimal processing and cannot do many of the fancy things modern programming languages can do. In the case of programmable money, that is a deliberate security feature. + +Bitcoin's scripting language is called a stack-based language because it uses a data structure called a((("stack, defined"))) _stack_. A stack is a very simple data structure, which can be visualized as a stack of cards. A stack allows two operations: push and pop. Push adds an item on top of the stack. Pop removes the top item from the stack. + +The scripting language executes the script by processing each item from left to right. Numbers (data constants) are pushed onto the stack. Operators push or pop one or more parameters from the stack, act on them, and might push a result onto the stack. For example, +OP_ADD+ will pop two items from the stack, add them, and push the resulting sum onto the stack. + +Conditional operators evaluate a condition, producing a boolean result of TRUE or FALSE. For example, +OP_EQUAL+ pops two items from the stack and pushes TRUE (TRUE is represented by the number 1) if they are equal or FALSE (represented by zero) if they are not equal. Bitcoin transaction scripts usually contain a conditional operator, so that they can produce the TRUE result that signifies a valid transaction. + +In <>, the script +2 3 OP_ADD 5 OP_EQUAL+ demonstrates the arithmetic addition operator +OP_ADD+, adding two numbers and putting the result on the stack, followed by the conditional operator +OP_EQUAL+, which checks that the resulting sum is equal to +5+. For brevity, the +OP_+ prefix is omitted in the step-by-step example. + + +The following is a slightly more complex script, which calculates ++2 + 7 – 3 + 1++. Notice that when the script contains several operators in a row, the stack allows the results of one operator to be acted upon by the next operator: + +---- +2 7 OP_ADD 3 OP_SUB 1 OP_ADD 7 OP_EQUAL +---- +Try validating the preceding script yourself using pencil and paper. When the script execution ends, you should be left with the value TRUE on the stack. + +Although most locking scripts refer to a bitcoin address or public key, thereby requiring proof of ownership to spend the funds, the script does not have to be that complex. Any combination of locking and unlocking scripts that results in a TRUE value is valid. The simple arithmetic we used as an example of the scripting language is also a valid locking script that can be used to lock a transaction output. + +Use part of the arithmetic example script as the locking script: + +---- +3 OP_ADD 5 OP_EQUAL +---- + +which can be satisfied by a transaction containing an input with the unlocking script: +---- +2 +---- + +The validation software combines the locking and unlocking scripts and the resulting script is: +---- +2 3 OP_ADD 5 OP_EQUAL +---- + +As we saw in the step-by-step example in <>, when this script is executed, the result is +OP_TRUE+, making the transaction valid. Not only is this a valid transaction output locking script, but the resulting UTXO could be spent by anyone with the arithmetic skills to know that the number 2 satisfies the script. (((range="endofrange", startref="ix_ch06-asciidoc14")))(((range="endofrange", startref="ix_ch06-asciidoc13"))) + +[[simplemath_script]] +.Bitcoin's script validation doing simple math +image::images/msbt_0502.png["TxScriptSimpleMathExample"] + + +[TIP] +==== +Transactions are valid if the top result on the stack is TRUE (noted as ++{0x01}++), any other non-zero value or if the stack is empty after script execution. Transactions are invalid if the top value on the stack is FALSE (a zero-length empty value, noted as ++{}++) or if script execution is halted explicitly by an operator, such as OP_VERIFY, OP_RETURN, or a conditional terminator such as OP_ENDIF. See <> for details. +==== + +==== Transaction Data Structure + +((("transactions","structure of")))A transaction is a((("data structure"))) _data structure_ that encodes a transfer of value from a source of funds, called an((("inputs, defined"))) _input_, to a destination, called an((("outputs, defined"))) _output_. Transaction inputs and outputs are not related to accounts or identities. Instead, you should think of them as bitcoin amounts—chunks of bitcoin—being locked with a specific secret that only the owner, or person who knows the secret, can unlock. A transaction contains a number of fields, as shown in <>. + +[[tx_data_structure]] +.The structure of a transaction +[options="header"] +|======= +|Size| Field | Description +| 4 bytes | Version | Specifies which rules this transaction follows +| 1–9 bytes (VarInt) | Input Counter | How many inputs are included +| Variable | Inputs | One or more transaction inputs +| 1–9 bytes (VarInt) | Output Counter | How many outputs are included +| Variable | Outputs | One or more transaction outputs +| 4 bytes | Locktime | A Unix timestamp or block number +|======= + +.Transaction Locktime +**** +((("locktime")))((("transactions","locktime")))Locktime, also known as nLockTime from the variable name used in the reference client, defines the earliest time that a transaction is valid and can be relayed on the network or added to the blockchain. It is set to zero in most transactions to indicate immediate propagation and execution. If locktime is nonzero and below 500 million, it is interpreted as a block height, meaning the transaction is not valid and is not relayed or included in the blockchain prior to the specified block height. If it is above 500 million, it is interpreted as a Unix Epoch timestamp (seconds since Jan-1-1970) and the transaction is not valid prior to the specified time. Transactions with locktime specifying a future block or time must be held by the originating system and transmitted to the bitcoin network only after they become valid. The use of locktime is equivalent to postdating a paper check. +**** + + +==== Turing Incompleteness + +((("Script language","flow-control/loops in")))((("Script language","statelessness of")))((("Turing Complete")))The bitcoin transaction script language contains many operators, but is deliberately limited in one important way—there are no loops or complex flow control capabilities other than conditional flow control. This ensures that the language is not _Turing Complete_, meaning that scripts have limited complexity and predictable execution times. Script is not a general-purpose language. These limitations ensure that the language cannot be used to create an infinite loop or other form of "logic bomb" that could be embedded in a transaction in a way that causes a((("denial-of-service attack","Script language and"))) denial-of-service attack against the bitcoin network. Remember, every transaction is validated by every full node on the bitcoin network. A limited language prevents the transaction validation mechanism from being used as a vulnerability. + +==== Stateless Verification + +((("stateless verification of transactions")))((("transactions","statelessness of")))The bitcoin transaction script language is stateless, in that there is no state prior to execution of the script, or state saved after execution of the script. Therefore, all the information needed to execute a script is contained within the script. A script will predictably execute the same way on any system. If your system verifies a script, you can be sure that every other system in the bitcoin network will also verify the script, meaning that a valid transaction is valid for everyone and everyone knows this. This predictability of outcomes is an essential benefit of the bitcoin system.(((range="endofrange", startref="ix_ch06-asciidoc12")))(((range="endofrange", startref="ix_ch06-asciidoc11")))(((range="endofrange", startref="ix_ch06-asciidoc10")))(((range="endofrange", startref="ix_ch06-asciidoc9"))) + +[[std_tx]] +=== Standard Transactions + +In the first few years of bitcoin's development, the developers introduced some limitations in the types of scripts that could be processed by the reference client. These limitations are encoded in a function called +isStandard()+, which defines five types of "standard" transactions. These limitations are temporary and might be lifted by the time you read this. Until then, the five standard types of transaction scripts are the only ones that will be accepted by the reference client and most miners who run the reference client. Although it is possible to create a nonstandard transaction containing a script that is not one of the standard types, you must find a miner who does not follow these limitations to mine that transaction into a block. + +Check the source code of the Bitcoin Core client (the reference implementation) to see what is currently allowed as a valid transaction script. + +The five standard types of transaction scripts are pay-to-public-key-hash (P2PKH), public-key, multi-signature (limited to 15 keys), pay-to-script-hash (P2SH), and data output (OP_RETURN), which are described in more detail in the following sections. + +[[p2pkh]] +==== Pay-to-Public-Key-Hash (P2PKH) + +((("pay-to-public-key-hash (P2PKH)", id="ix_ch06-asciidoc15", range="startofrange")))((("transactions","pay-to-public-key-hash", id="ix_ch06-asciidoc16", range="startofrange")))The vast majority of transactions processed on the bitcoin network are P2PKH transactions. These contain a locking script that encumbers the output with a public key hash, more commonly known as a bitcoin address. Transactions that pay a bitcoin address contain P2PKH scripts. An output locked by a P2PKH script can be unlocked (spent) by presenting a public key and a digital signature created by the corresponding private key. + +For example, let's look at Alice's payment to Bob's Cafe again. Alice made a payment of 0.015 bitcoin to the cafe's bitcoin address. That transaction output would have a locking script of the form: + +---- +OP_DUP OP_HASH160 OP_EQUAL OP_CHECKSIG +---- + +The +Cafe Public Key Hash+ is equivalent to the bitcoin address of the cafe, without the Base58Check encoding. Most applications would show the _public key hash_ in hexadecimal encoding and not the familiar bitcoin address Base58Check format that begins with a "1". + +The preceding locking script can be satisfied with an unlocking script of the form: + +---- + +---- + +The two scripts together would form the following combined validation script: + +---- + OP_DUP OP_HASH160 + OP_EQUAL OP_CHECKSIG +---- + +When executed, this combined script will evaluate to TRUE if, and only if, the unlocking script matches the conditions set by the locking script. In other words, the result will be TRUE if the unlocking script has a valid signature from the cafe's private key that corresponds to the public key hash set as an encumbrance. + +Figures pass:[#P2PubKHash1] and pass:[#P2PubKHash2] show (in two parts) a step-by-step execution of the combined script, which will prove this is a valid transaction.(((range="endofrange", startref="ix_ch06-asciidoc16")))(((range="endofrange", startref="ix_ch06-asciidoc15"))) + +[[P2PubKHash1]] +.Evaluating a script for a P2PKH transaction (Part 1 of 2) +image::images/msbt_0503.png["Tx_Script_P2PubKeyHash_1"] + +[[P2PubKHash2]] +.Evaluating a script for a P2PKH transaction (Part 2 of 2) +image::images/msbt_0504.png["Tx_Script_P2PubKeyHash_2"] + +[[p2pk]] +==== Pay-to-Public-Key + +((("pay-to-public-key")))Pay-to-public-key is a simpler form of a bitcoin payment than pay-to-public-key-hash. With this script form, the public key itself is stored in the locking script, rather than a public-key-hash as with P2PKH earlier, which is much shorter. Pay-to-public-key-hash was invented by Satoshi to make bitcoin addresses shorter, for ease of use. Pay-to-public-key is now most often seen in coinbase transactions, generated by older mining software that has not been updated to use P2PKH. + +A pay-to-public-key locking script looks like this: + +---- + OP_CHECKSIG +---- + +The corresponding unlocking script that must be presented to unlock this type of output is a simple signature, like this: + +---- + +---- + +The combined script, which is validated by the transaction validation software, is: + +---- + OP_CHECKSIG +---- + +This script is a simple invocation of the +CHECKSIG+ operator, which validates the signature as belonging to the correct key and returns TRUE on the stack. + +[[multisig]] +==== Multi-Signature + +((("multi-signature scripts")))((("transactions","multi-signature scripts")))Multi-signature scripts set a condition where N public keys are recorded in the script and at least M of those must provide signatures to release the encumbrance. This is also known as an M-of-N scheme, where N is the total number of keys and M is the threshold of signatures required for validation. For example, a 2-of-3 multi-signature is one where three public keys are listed as potential signers and at least two of those must be used to create signatures for a valid transaction to spend the funds. ((("multi-signature scripts","limits on")))At this time, standard multi-signature scripts are limited to at most 15 listed public keys, meaning you can do anything from a 1-of-1 to a 15-of-15 multi-signature or any combination within that range. The limitation to 15 listed keys might be lifted by the time this book is published, so check the((("isStandard() function"))) +isStandard()+ function to see what is currently accepted by the network. + +The general form of a locking script setting an M-of-N multi-signature condition is: + +---- +M ... N OP_CHECKMULTISIG +---- + +where N is the total number of listed public keys and M is the threshold of required signatures to spend the output. + +A locking script setting a 2-of-3 multi-signature condition looks like this: + +---- +2 3 OP_CHECKMULTISIG +---- + +The preceding locking script can be satisfied with an unlocking script containing pairs of signatures and public keys: + +---- +OP_0 +---- +or any combination of two signatures from the private keys corresponding to the three listed public keys. + +[NOTE] +==== +((("CHECKMULTISIG implementation")))The prefix +OP_0+ is required because of a bug in the original implementation of +CHECKMULTISIG+ where one item too many is popped off the stack. It is ignored by +CHECKMULTISIG+ and is simply a placeholder. +==== + +The two scripts together would form the combined validation script: + +---- +OP_0 2 3 OP_CHECKMULTISIG +---- + +When executed, this combined script will evaluate to TRUE if, and only if, the unlocking script matches the conditions set by the locking script. In this case, the condition is whether the unlocking script has a valid signature from the two private keys that correspond to two of the three public keys set as an encumbrance. + +[[op_return]] +==== Data Output (OP_RETURN) + +((("ledger, storing unrelated information in")))((("OP_RETURN operator")))((("transactions","storing unrelated information in")))Bitcoin's distributed and timestamped ledger, the blockchain, has potential uses far beyond payments. Many developers have tried to use the transaction scripting language to take advantage of the security and resilience of the system for applications such as((("digital notary services")))((("smart contracts")))((("stock certificates"))) digital notary services, stock certificates, and smart contracts. Early attempts to use bitcoin's script language for these purposes involved creating transaction outputs that recorded data on the blockchain; for example, to record a digital fingerprint of a file in such a way that anyone could establish proof-of-existence of that file on a specific date by reference to that transaction. + +((("blockchains","storing unrelated information in")))The use of bitcoin's blockchain to store data unrelated to bitcoin payments is a controversial subject. Many developers consider such use abusive and want to discourage it. Others view it as a demonstration of the powerful capabilities of blockchain technology and want to encourage such experimentation. Those who object to the inclusion of non-payment data argue that it causes "blockchain bloat," burdening those running full bitcoin nodes with carrying the cost of disk storage for data that the blockchain was not intended to carry. Moreover, such transactions create UTXO that cannot be spent, using the destination bitcoin address as a free-form 20-byte field. Because the address is used for data, it doesn't correspond to a private key and the resulting UTXO can _never_ be spent; it's a fake payment. These transactions that can never be spent are therefore never removed from the UTXO set and cause the size of the UTXO database to forever increase, or "bloat." + +In version 0.9 of the Bitcoin Core client, a compromise was reached with the introduction of the +OP_RETURN+ operator. +OP_RETURN+ allows developers to add 80 bytes of nonpayment data to a transaction output. However, unlike the use of "fake" UTXO, the +OP_RETURN+ operator creates an explicitly _provably unspendable_ output, which does not need to be stored in the UTXO set. +OP_RETURN+ outputs are recorded on the blockchain, so they consume disk space and contribute to the increase in the blockchain's size, but they are not stored in the UTXO set and therefore do not bloat the UTXO memory pool and burden full nodes with the cost of more expensive RAM. + ++OP_RETURN+ scripts look like this: + +---- +OP_RETURN +---- + +The data portion is limited to 80 bytes and most often represents a hash, such as the output from the SHA256 algorithm (32 bytes). Many applications put a prefix in front of the data to help identify the application. For example, the http://proofofexistence.com[Proof of Existence] digital notarization service uses the 8-byte prefix +DOCPROOF+, which is ASCII encoded as +44 4f 43 50 52 4f 4f 46+ in hexadecimal. + +Keep in mind that there is no "unlocking script" that corresponds to +OP_RETURN+ that could possibly be used to "spend" an +OP_RETURN+ output. The whole point of +OP_RETURN+ is that you can't spend the money locked in that output, and therefore it does not need to be held in the UTXO set as potentially spendable—+OP_RETURN+ is _provably un-spendable_. +OP_RETURN+ is usually an output with a zero bitcoin amount, because any bitcoin assigned to such an output is effectively lost forever. If an +OP_RETURN+ is encountered by the script validation software, it results immediately in halting the execution of the validation script and marking the transaction as invalid. Thus, if you accidentally reference an +OP_RETURN+ output as an input in a transaction, that transaction is invalid. + +A standard transaction (one that conforms to the +isStandard()+ checks) can have only one +OP_RETURN+ output. However, a single +OP_RETURN+ output can be combined in a transaction with outputs of any other type. + +Two new command-line options have been added in Bitcoin Core as of version 0.10. The option +datacarrier+ controls relay and mining of OP_RETURN transactions, with the default set to "1" to allow them. The option +datacarriersize+ takes a numeric argument specifying the maximum size in bytes of the OP_RETURN data, 40 bytes by default. + +[NOTE] +==== +OP_RETURN was initially proposed with a limit of 80 bytes, but the limit was reduced to 40 bytes when the feature was released. In February 2015, in version 0.10 of Bitcoin Core, the limit was raised back to 80 bytes. Nodes may choose not to relay or mine OP_RETURN, or only relay and mine OP_RETURN containing less than 80 bytes of data. +==== + +[[p2sh]] +==== Pay-to-Script-Hash (P2SH) + +((("multi-signature scripts","P2SH and", id="ix_ch06-asciidoc17", range="startofrange")))((("Pay-to-script-hash (P2SH)", id="ix_ch06-asciidoc18", range="startofrange")))((("transactions","Pay-to-script-hash", id="ix_ch06-asciidoc19", range="startofrange")))Pay-to-script-hash (P2SH) was introduced in 2012 as a powerful new type of transaction that greatly simplifies the use of complex transaction scripts. To explain the need for P2SH, let's look at a practical example. + +In <> we introduced Mohammed, an electronics importer based in Dubai. Mohammed's company uses bitcoin's multi-signature feature extensively for its corporate accounts. Multi-signature scripts are one of the most common uses of bitcoin's advanced scripting capabilities and are a very powerful feature. Mohammed's company uses a multi-signature script for all customer payments, known in accounting terms as "accounts receivable," or AR. With the multi-signature scheme, any payments made by customers are locked in such a way that they require at least two signatures to release, from Mohammed and one of his partners or from his attorney who has a backup key. A multi-signature scheme like that offers corporate governance controls and protects against theft, embezzlement, or loss. + +The resulting script is quite long and looks like this: + +---- +2 5 OP_CHECKMULTISIG +---- + + +Although multi-signature scripts are a powerful feature, they are cumbersome to use. Given the preceding script, Mohammed would have to communicate this script to every customer prior to payment. Each customer would have to use special bitcoin wallet software with the ability to create custom transaction scripts, and each customer would have to understand how to create a transaction using custom scripts. Furthermore, the resulting transaction would be about five times larger than a simple payment transaction, because this script contains very long public keys. The burden of that extra-large transaction would be borne by the customer in the form of fees. Finally, a large transaction script like this would be carried in the UTXO set in RAM in every full node, until it was spent. All of these issues make using complex output scripts difficult in practice. + +Pay-to-script-hash (P2SH) was developed to resolve these practical difficulties and to make the use of complex scripts as easy as a payment to a bitcoin address. With P2SH payments, the complex locking script is replaced with its digital fingerprint, a cryptographic hash. When a transaction attempting to spend the UTXO is presented later, it must contain the script that matches the hash, in addition to the unlocking script. In simple terms, P2SH means "pay to a script matching this hash, a script that will be presented later when this output is spent." + +In P2SH transactions, the locking script that is replaced by a hash is referred to as the((("redeem script"))) _redeem script_ because it is presented to the system at redemption time rather than as a locking script. <> shows the script without P2SH and <> shows the same script encoded with P2SH. + +[[without_p2sh]] +.Complex script without P2SH +|======= +| Locking Script | 2 PubKey1 PubKey2 PubKey3 PubKey4 PubKey5 5 OP_CHECKMULTISIG +| Unlocking Script | Sig1 Sig2 +|======= + +[[with_p2sh]] +.Complex script as P2SH +|======= +| Redeem Script | 2 PubKey1 PubKey2 PubKey3 PubKey4 PubKey5 5 OP_CHECKMULTISIG +| Locking Script | OP_HASH160 <20-byte hash of redeem script> OP_EQUAL +| Unlocking Script | Sig1 Sig2 redeem script +|======= + +As you can see from the tables, with P2SH the complex script that details the conditions for spending the output (redeem script) is not presented in the locking script. Instead, only a hash of it is in the locking script and the redeem script itself is presented later, as part of the unlocking script when the output is spent. This shifts the burden in fees and complexity from the sender to the recipient (spender) of the transaction. + +Let's look at Mohammed's company, the complex multi-signature script, and the resulting P2SH scripts. + +First, the multi-signature script that Mohammed's company uses for all incoming payments from customers: + +---- +2 5 OP_CHECKMULTISIG +---- + +If the placeholders are replaced by actual public keys (shown here as 520-bit numbers starting with 04) you can see that this script becomes very long: + +---- +2 +04C16B8698A9ABF84250A7C3EA7EEDEF9897D1C8C6ADF47F06CF73370D74DCCA01CDCA79DCC5C395D7EEC6984D83F1F50C900A24DD47F569FD4193AF5DE762C58704A2192968D8655D6A935BEAF2CA23E3FB87A3495E7AF308EDF08DAC3C1FCBFC2C75B4B0F4D0B1B70CD2423657738C0C2B1D5CE65C97D78D0E34224858008E8B49047E63248B75DB7379BE9CDA8CE5751D16485F431E46117B9D0C1837C9D5737812F393DA7D4420D7E1A9162F0279CFC10F1E8E8F3020DECDBC3C0DD389D99779650421D65CBD7149B255382ED7F78E946580657EE6FDA162A187543A9D85BAAA93A4AB3A8F044DADA618D087227440645ABE8A35DA8C5B73997AD343BE5C2AFD94A5043752580AFA1ECED3C68D446BCAB69AC0BA7DF50D56231BE0AABF1FDEEC78A6A45E394BA29A1EDF518C022DD618DA774D207D137AAB59E0B000EB7ED238F4D800 5 OP_CHECKMULTISIG +---- + +This entire script can instead be represented by a 20-byte cryptographic hash, by first applying the SHA256 hashing algorithm and then applying the RIPEMD160 algorithm on the result. The 20-byte hash of the preceding script is: + +---- +54c557e07dde5bb6cb791c7a540e0a4796f5e97e +---- + +A P2SH transaction locks the output to this hash instead of the longer script, using the locking script: + +---- +OP_HASH160 54c557e07dde5bb6cb791c7a540e0a4796f5e97e OP_EQUAL +---- +which, as you can see, is much shorter. Instead of "pay to this 5-key multi-signature script," the P2SH equivalent transaction is "pay to a script with this hash." A customer making a payment to Mohammed's company need only include this much shorter locking script in his payment. When Mohammed wants to spend this UTXO, they must present the original redeem script (the one whose hash locked the UTXO) and the signatures necessary to unlock it, like this: + +---- + <2 PK1 PK2 PK3 PK4 PK5 5 OP_CHECKMULTISIG> +---- + +The two scripts are combined in two stages. First, the redeem script is checked against the locking script to make sure the hash matches: + +---- +<2 PK1 PK2 PK3 PK4 PK5 5 OP_CHECKMULTISIG> OP_HASH160 OP_EQUAL +---- +If the redeem script hash matches, the unlocking script is executed on its own, to unlock the redeem script: + +---- + 2 PK1 PK2 PK3 PK4 PK5 5 OP_CHECKMULTISIG +---- + +===== Pay-to-script-hash addresses + +((("addresses, bitcoin","Pay-to-Script-Hash (P2SH)")))((("Pay-to-script-hash (P2SH)","addresses")))Another important part of the P2SH feature is the ability to encode a script hash as an address, as defined in BIP-13. P2SH addresses are Base58Check encodings of the 20-byte hash of a script, just like bitcoin addresses are Base58Check encodings of the 20-byte hash of a public key. P2SH addresses use the version prefix "5", which results in Base58Check-encoded addresses that start with a "3". For example, Mohammed's complex script, hashed and Base58Check-encoded as a P2SH address becomes +39RF6JqABiHdYHkfChV6USGMe6Nsr66Gzw+. Now, Mohammed can give this "address" to his customers and they can use almost any bitcoin wallet to make a simple payment, as if it were a bitcoin address. The 3 prefix gives them a hint that this is a special type of address, one corresponding to a script instead of a public key, but otherwise it works in exactly the same way as a payment to a bitcoin address. + +P2SH addresses hide all of the complexity, so that the person making a payment does not see the script. + +===== Benefits of pay-to-script-hash + +((("Pay-to-script-hash (P2SH)","benefits of")))The pay-to-script-hash feature offers the following benefits compared to the direct use of complex scripts in locking outputs: + +* Complex scripts are replaced by shorter fingerprints in the transaction output, making the transaction smaller. +* Scripts can be coded as an address, so the sender and the sender's wallet don't need complex engineering to implement P2SH. +* P2SH shifts the burden of constructing the script to the recipient, not the sender. +* P2SH shifts the burden in data storage for the long script from the output (which is in the UTXO set) to the input (stored on the blockchain). +* P2SH shifts the burden in data storage for the long script from the present time (payment) to a future time (when it is spent). +* P2SH shifts the transaction fee cost of a long script from the sender to the recipient, who has to include the long redeem script to spend it. + +===== Redeem script and isStandard validation + +((("pay-to-script-hash (P2SH)","isStandard validation")))((("pay-to-script-hash (P2SH)","redeem script for")))Prior to version 0.9.2 of the Bitcoin Core client, pay-to-script-hash was limited to the standard types of bitcoin transaction scripts, by the +isStandard()+ function. That means that the redeem script presented in the spending transaction could only be one of the standard types: P2PK, P2PKH, or multi-sig nature, excluding +OP_RETURN+ and P2SH itself. + +As of version 0.9.2 of the Bitcoin Core client, P2SH transactions can contain any valid script, making the P2SH standard much more flexible and allowing for experimentation with many novel and complex types of transactions. + +Note that you are not able to put a P2SH inside a P2SH redeem script, because the P2SH specification is not recursive. You are also still not able to use +OP_RETURN+ in a redeem script because +OP_RETURN+ cannot be redeemed by definition. + + +[WARNING] +==== +((("Pay-to-Script-Hash (P2SH)","locking scripts")))P2SH locking scripts contain the hash of a redeem script, which gives no clues as to the content of the redeem script itself. The P2SH transaction will be considered valid and accepted even if the redeem script is invalid. You might accidentally lock bitcoin in such a way that it cannot later be spent.(((range="endofrange", startref="ix_ch06-asciidoc19")))(((range="endofrange", startref="ix_ch06-asciidoc18")))(((range="endofrange", startref="ix_ch06-asciidoc17")))(((range="endofrange", startref="ix_ch06-asciidoc0"))) +==== + +Note that because the redeem script is not presented to the network until you attempt to spend a P2SH output, if you lock an output with the hash of an invalid transaction it will be processed regardless. However, you will not be able to spend it because the spending transaction, which includes the redeem script, will not be accepted because it is an invalid script. This creates a risk, because you can lock bitcoin in a P2SH that cannot be spent later. The network will accept the P2SH encumbrance even if it corresponds to an invalid redeem script, because the script hash gives no indication of the script it represents. diff --git a/.debris/tmp/lock b/.debris/tmp/lock new file mode 100644 index 00000000..e69de29b diff --git a/ch06.asciidoc b/ch06.asciidoc index 83801d1f..abb3ac11 100644 --- a/ch06.asciidoc +++ b/ch06.asciidoc @@ -281,28 +281,50 @@ Hints: [[tx_fees]] ==== Transaction Fees -((("fees, transaction", id="ix_ch06-asciidoc6", range="startofrange")))Most transactions include transaction fees, which compensate the bitcoin miners for securing the network. Mining and the fees and rewards collected by miners are discussed in more detail in <>. This section examines how transaction fees are included in a typical transaction. Most wallets calculate and include transaction fees automatically. However, if you are constructing transactions programmatically, or using a command-line interface, you must manually account for and include these fees. +((("fees, transaction", id="ix_ch06-asciidoc6", range="startofrange")))Most transactions include transaction fees, which compensate the bitcoin miners for securing the network. Fees also serve as a security mechanism themselves, by making it economically infeasible for attackers to flood the network with transactions. Mining and the fees and rewards collected by miners are discussed in more detail in <>. -Transaction fees serve as an incentive to include (mine) a transaction into the next block and also as a disincentive against "spam" transactions or any kind of abuse of the system, by imposing a small cost on every transaction. Transaction fees are collected by the miner who mines the block that records the transaction on the blockchain. +This section examines how transaction fees are included in a typical transaction. Most wallets calculate and include transaction fees automatically. However, if you are constructing transactions programmatically, or using a command-line interface, you must manually account for and include these fees. -((("fees, transaction","calculating")))Transaction fees are calculated based on the size of the transaction in kilobytes, not the value of the transaction in bitcoin. Overall, transaction fees are set based on market forces within the bitcoin network. Miners prioritize transactions based on many different criteria, including fees, and might even process transactions for free under certain circumstances. Transaction fees affect the processing priority, meaning that a transaction with sufficient fees is likely to be included in the next-most–mined block, whereas a transaction with insufficient or no fees might be delayed, processed on a best-effort basis after a few blocks, or not processed at all. Transaction fees are not mandatory, and transactions without fees might be processed eventually; however, including transaction fees encourages priority processing. +Transaction fees serve as an incentive to include (mine) a transaction into the next block and also as a disincentive against abuse of the system, by imposing a small cost on every transaction. Transaction fees are collected by the miner who mines the block that records the transaction on the blockchain. -Over time, the way transaction fees are calculated and the effect they have on transaction prioritization has been evolving. At first, transaction fees were fixed and constant across the network. Gradually, the fee structure has been relaxed so that it may be influenced by market forces, based on network capacity and transaction volume. +((("fees, transaction","calculating")))Transaction fees are calculated based on the size of the transaction in kilobytes, not the value of the transaction in bitcoin. Overall, transaction fees are set based on market forces within the bitcoin network. Miners prioritize transactions based on many different criteria, including fees, and might even process transactions for free under certain circumstances. Transaction fees affect the processing priority, meaning that a transaction with sufficient fees is likely to be included in the next block mined, whereas a transaction with insufficient or no fees might be delayed, processed on a best-effort basis after a few blocks, or not processed at all. Transaction fees are not mandatory, and transactions without fees might be processed eventually; however, including transaction fees encourages priority processing. -The current minimum transaction fee is fixed at 0.0001 bitcoin or a tenth of a milli-bitcoin per kilobyte, recently decreased from one milli-bitcoin. Most transactions are less than one kilobyte; however, those with multiple inputs or outputs can be larger. In future revisions of the bitcoin protocol, it is expected that wallet applications will use statistical analysis to calculate the most appropriate fee to attach to a transaction based on the average fees of recent transactions. +Over time, the way transaction fees are calculated and the effect they have on transaction prioritization has been evolving. At first, transaction fees were fixed and constant across the network. Gradually, the fee structure has been relaxed so that it may be influenced by market forces, based on network capacity and transaction volume. Since at least the beginning of 2016, capacity limits in bitcoin (see <>) have created competition between transactions, resulting in higher fees and effectively making free transactions a thing of the past. Zero fee or very low fee transactions rarely get mined and sometimes will not even be propagated across the network. -The current algorithm used by miners to prioritize transactions for inclusion in a block based on their fees is examined in detail in <>.(((range="endofrange", startref="ix_ch06-asciidoc6"))) +In Bitcoin Core, fee relay policies are set by the +minrelaytxfee+ option. The current default +minrelaytxfee+ is 0.00001 bitcoin or a hundredth of a milli-bitcoin per kilobyte. Therefore by default, transactions with a fee less than 0.0001 bitcoin are treated as free and are only relayed if there is space in the mempool, otherwise they are dropped. Bitcoin nodes can override the default fee relay policy by adjusting the value of +minrelaytxfee+. + +Any bitcoin service that creates transactions, including wallets, exchanges, retail applications, etc. *must* implement dynamic fees. Dynamic fees can be implemented through a third party fee estimation service or with a built-in fee estimation algorithm. If you're unsure, begin with a third party service and as you gain experience design and implement your own algorithm if you wish to remove the third party dependency. + +Fee estimation algorithms calculate the appropriate fee, based on capacity and the fees offered by "competing" transactions. These algorithms range from simplistic (average or median fee in the last block) to sophisticated (statistical analysis). They estimate the necessary fee (in satoshis per byte) that will give a transaction a high probability of being selected and included within a certain number of blocks. Most services offer users the option of choosing high, medium, or low priority fees. High priority means users pay higher fees but the transaction is likely to be included in the next block. Medium and low priority means users pay lower transaction fees but the transactions may take much longer to confirm. + +Many wallet applications use third-party services for fee calculations. One popular service is http://bitcoinfees.21.co/[http://bitcoinfees.21.co], which provides an API and a visual chart showing the fee in satoshi/byte for different priorities. + +[TIP] +==== +Static fees are no longer viable on the bitcoin network. Wallets that set static fees will produce a poor user experience as transactions will often get "stuck" and remain unconfirmed. Users who don't understand bitcoin transactions and fees, are dismayed by "stuck" transactions because they think they've lost their money. +==== + +[[bitcoinfees21co]] +.Fee Estimation Service bitcoinfees.21.co +image::images/bitcoinfees21co.png [Fee Estimation Service bitcoinfees.21.co] + +The chart in <> shows the real-time estimate of fees in 10 satoshi/byte increments and the expected confirmation time (in minutes and number of blocks) for transactions with fees in each range. For each fee range (eg. 61-70 satoshi/byte), two horizontal bars show the number of unconfirmed transactions (1405) and total number of transactions in the past 24 hours (102975), with fees in that range. Based on the graph, the recommended high-priority fee at this time was 80 satoshi/byte, a fee likely to result in the transaction being mined in the very next block (zero block delay). For perspective, the median transaction size is 226 bytes, so the recommended fee for a transaction size would be 18,080 satoshis (0.00018080 BTC). + +The fee estimation data can be retrieved via a simple HTTP REST API, at https://bitcoinfees.21.co/api/v1/fees/recommended[https://bitcoinfees.21.co/api/v1/fees/recommended]. For example, on the command-line using the +curl+ command: + +.Using the fee estimation API +---- +$ curl https://bitcoinfees.21.co/api/v1/fees/recommended + +{"fastestFee":80,"halfHourFee":80,"hourFee":60} +---- + +The API returns a JSON object with the current fee estimate for fastest confirmation (fastestFee), confirmation within 3 blocks (halfHourFee) and 6 blocks (hourFee), in satoshi per byte. ==== Adding Fees to Transactions -//// - -Fees market - bitcoin fees - confirmation time and competition -//// - ((("fees, transaction","adding", id="ix_ch06-asciidoc7", range="startofrange")))((("transactions","fees", id="ix_ch06-asciidoc8", range="startofrange")))The data structure of transactions does not have a field for fees. Instead, fees are implied as the difference between the sum of inputs and the sum of outputs. Any excess amount that remains after all outputs have been deducted from all inputs is the fee that is collected by the miners. - [[tx_fee_equation]] .Transaction fees are implied, as the excess of inputs minus outputs: ---- @@ -322,31 +344,10 @@ Let's see how this works in practice, by looking at Alice's coffee purchase agai Now let's look at a different scenario. Eugenia, our children's charity director in the Philippines, has completed a fundraiser to purchase school books for the children. She received several thousand small donations from people all around the world, totaling 50 bitcoin, so her wallet is full of very small payments (UTXO). Now she wants to purchase hundreds of school books from a local publisher, paying in bitcoin. -As Eugenia's wallet application tries to construct a single larger payment transaction, it must source from the available UTXO set, which is composed of many smaller amounts. That means that the resulting transaction will source from more than a hundred small-value UTXO as inputs and only one output, paying the book publisher. A transaction with that many inputs will be larger than one kilobyte, perhaps 2 to 3 kilobytes in size. As a result, it will require a higher fee than the minimal network fee of 0.0001 bitcoin. +As Eugenia's wallet application tries to construct a single larger payment transaction, it must source from the available UTXO set, which is composed of many smaller amounts. That means that the resulting transaction will source from more than a hundred small-value UTXO as inputs and only one output, paying the book publisher. A transaction with that many inputs will be larger than one kilobyte, perhaps a kilobyte or several kilobytes in size. As a result, it will require a much higher fee than the median sized transaction. Eugenia's wallet application will calculate the appropriate fee by measuring the size of the transaction and multiplying that by the per-kilobyte fee. Many wallets will overpay fees for larger transactions to ensure the transaction is processed promptly. The higher fee is not because Eugenia is spending more money, but because her transaction is more complex and larger in size—the fee is independent of the transaction's bitcoin value.(((range="endofrange", startref="ix_ch06-asciidoc8")))(((range="endofrange", startref="ix_ch06-asciidoc7"))) - - - - -[[tx_chains]] -=== Transaction Chaining and Orphan Transactions - -//// -CPFP -//// - -((("chaining transactions")))((("orphan transactions")))((("transactions","chaining")))((("transactions","orphan")))As we have seen, transactions form a chain, whereby one transaction spends the outputs of the previous transaction (known as the parent) and creates outputs for a subsequent transaction (known as the child). Sometimes an entire chain of transactions depending on each other—say a parent, child, and grandchild transaction—are created at the same time, to fulfill a complex transactional workflow that requires valid children to be signed before the parent is signed. For example, this is a technique used in((("CoinJoin"))) CoinJoin transactions where multiple parties join transactions together to protect their privacy. - -When a chain of transactions is transmitted across the network, they don't always arrive in the same order. Sometimes, the child might arrive before the parent. In that case, the nodes that see a child first can see that it references a parent transaction that is not yet known. Rather than reject the child, they put it in a temporary pool to await the arrival of its parent and propagate it to every other node. The pool of transactions without parents is known as the((("orphan transaction pool"))) _orphan transaction pool_. Once the parent arrives, any orphans that reference the UTXO created by the parent are released from the pool, revalidated recursively, and then the entire chain of transactions can be included in the transaction pool, ready to be mined in a block. Transaction chains can be arbitrarily long, with any number of generations transmitted simultaneously. The mechanism of holding orphans in the orphan pool ensures that otherwise valid transactions will not be rejected just because their parent has been delayed and that eventually the chain they belong to is reconstructed in the correct order, regardless of the order of arrival. - -There is a limit to the number of orphan transactions stored in memory, to prevent a denial-of-service attack against bitcoin nodes. The limit is defined as((("MAX_ORPHAN_TRANSACTIONS constant"))) +MAX_ORPHAN_TRANSACTIONS+ in the source code of the bitcoin reference client. If the number of orphan transactions in the pool exceeds +MAX_ORPHAN_TRANSACTIONS+, one or more randomly selected orphan transactions are evicted from the pool, until the pool size is back within limits. - -[[tx_lock_unlock]] -==== Locking and Unlocking UTXO - Cryptographic Puzzles and Witnesses - - [[tx_script]] === Transaction Scripts and Script Language @@ -395,7 +396,6 @@ Conditional operators evaluate a condition, producing a boolean result of TRUE o In <>, the script +2 3 OP_ADD 5 OP_EQUAL+ demonstrates the arithmetic addition operator +OP_ADD+, adding two numbers and putting the result on the stack, followed by the conditional operator +OP_EQUAL+, which checks that the resulting sum is equal to +5+. For brevity, the +OP_+ prefix is omitted in the step-by-step example. - The following is a slightly more complex script, which calculates ++2 + 7 – 3 + 1++. Notice that when the script contains several operators in a row, the stack allows the results of one operator to be acted upon by the next operator: ---- diff --git a/code/p2wpkh.js b/code/p2wpkh.js new file mode 100644 index 00000000..31ec1ca8 --- /dev/null +++ b/code/p2wpkh.js @@ -0,0 +1,8 @@ +var btc = require('bitcore-lib') +var oldAddress = btc.Address.fromString("1Ek9S3QNnutPV7GhtzR8Lr8yKPhxnUP8iw") // here's the old address +var oldHash = oldAddress.hashBuffer +var segwitP2PKH = Buffer.concat([new Buffer("0014","hex"), oldHash]) // 0x00 + 0x14 (pushdata 20 bytes) + old pubkeyhash +var p2shHash = btc.crypto.Hash.sha256ripemd160(segwitP2PKH) +var p2shAddress = btc.Address.fromScriptHash(p2shHash) +var newAddress = p2shAddress.toString() +// 36ghjA1KSAB1jDYD2RdiexEcY7r6XjmDQk diff --git a/images/bitcoinfees21co.png b/images/bitcoinfees21co.png new file mode 100644 index 0000000000000000000000000000000000000000..3f0a581e04c35b96d833b08d324ac1b8e063a042 GIT binary patch literal 1519953 zcmeF43tSUN{=nCSge5T{5{Z!z8bL4>!3cr~f+&?zt&i5LZS|^cuP^Uf`|$p?w%1)Q71qA%fhY#7E zoyTv!vpe(KncvQAShV174l9U-VHoG0jJxi~FuDN4Xm8>)f00e*l5a<;FP@#H- z3jzZHAOHk_01yBIK!79wDiquYKmZ8zl)&2aul>(q3((Uz5Do|c0U&T25CC=RHmGDM zA`k!qKmZ5;0U*%V1VDxAYod@I5C8%|00;m9AaENH02S&ssAMQ25C8%|00;nqTSMU8 z@+~872U`G8r*6&t1-SwNAOHk_01yBILz)1nP(!-eg_F zT!8=(00KY&2mpa0O#oD=AzghS{NN>^=LYY-9c%#xZw-KCKmZ5;fq^3c>eRrohMa%^ z5C8%|00;nqVM72^s9{r;P!J#h1b_e#00KZ@;0S;UHE^sUCm;X>fB+Bx0^SLX{yy>= z*aCRxGq|s0u6y7O(5VJ@9f5Q}00;m9AOHk_z@Q`mD%7B?77z*u00AHX1b_e#7~BMW z2Df;0zd!=00AH{mbU0R(`+&>^6!eBrqtH`aC)nEUjb4}W@>f7c7()2{@E!K7Zh zBJ;lq4qeJWdH%WGPuHxMj-jyCpDLLCT)v{MUl|U3;`-w!r$>KB8~fdqkFTh9>_-Q8 zzI~-%#UPIVGHUF1wEOFbe$A#o5+^P_JOQ!#UsivL-hBKoPe1*_7Zv9ID8WFaX;OUk zo5x;X_?L562O_r~=V89|<@2vEd~9RZG8ig#a6>~k&o zlKjz4mz+8hKGI*p_s7PvU2}Qoa~}F{xcs+$G~#(>ZSuhl=kezc-TUDrx~+sri3wfP z;=g3prHuktww+7ghv&v^Z&VdDVw0ChpHIYjSlF5;TgS{Akeodf!uaW3Kdl{~a_Q5t zw@LyJLN(XkGx-Fu<-Vi$Ffp9_;Im;uj3?_oYqf^Ny{nkVN*Ty`MEX{c(xVU&!|rx}K%B?duOdH0Az` zft`VAmH+L}<~5WLiE9^{k^G$JUz_}>03A$tC-&AA zr{U7}atyP-2;Dj{I_9h|IiKBzCD=XLi=LahsAGV>K5JI1uVH>-G0QFCQPMl7n9;|} z?Z#S_(tu&y;7K7kdK#D^JXfRV7Jk4Fubue?z2*q*`HqfWu{64WWw=~cfH;5y0>7F7 zWBzk_gT)qr>gKT4W^GNK@p@uT+=e) z+4OU-;kMk@YzfX@qtq@;JN01Io%gErsqx=Ts#>{OSI_0F*f8VIzULlZqbg`*OnY+r z&u@+8k%Aku-Y!`Co$hp_)qlKj&4&0_68%WQDk~maS^8bM)jv}7=j9eMU`Iz3|1$Po z4XN7g&SCB5@2^SHFD8rc6yV&ue%Wsqytt#W0tp<*Tk%@_mIp`S-ik(1(ifjw`Np|j zCFVAac1Mip&vr@{#jcYp->yAYXT^N+naihaeJeyl3S&|Id}`(Tngi#p7?*W7@_%it z{_US8ZYC%2jy?V(Ek<^6C-+5?7!vQU4BQ)SO!4vFiR)XZZAe*h{N&o*t<4mxt&6xQ z9WNr0+1s6MKuQ?l{=UEnPG9n7ItpN}`|qYd?AP;R=Kgtwn5^*Tk{2HPq=r9zRZPv6 zLsygk^wRVG=fC`Ne^!MaO$oBaQNLSxU)oso*fj3^&zX$)HNV~z9eJmk|(0BqQRlP<&L3VMxBTUI$L?9WL1DI!mYM4d4sH5x(HR|T z7;(|0Da%*PNg(s>y+~yCq`O-3*|Lw3_J(2EpFB_y_3p+c6U^#8+xP4&)S@>ZByIAd zxxbqwCdb2&wA;VllBYHL@TR0srwTyEBi-e5T|g0s|MKppYM&`Dz5HerdDqq--1yWt zmw8D~eencEn~DejfIwdoaCL2F?XgXN`C6&`dV7&aVr?@FUY! zthm3+SXHa~@K@WiPS&BP&xaq8w)BbnC$Xxxy}IFqfq&n+^%>;*jrq(cFMNEuecXz7 zUvbXi=ued$>re*6##jHdv4anJa(aJ_c8SdKlGNpLKX@=g@BjTOGF@}^7yq~6OO|Nta(-$XnoE-LQ-SBc1wlH%2LcHy~_V+I+Rb+_3b2D~nAS<|Qed_xy&4nPkt- zcyL|phfBC_<81aQ+t$?Lvm_5C`r*EGG?CSIqI5$;;F?D`zJ`|VE05l@*}U*s$uwVc z!54+=&LG9eB7ft5b2m5Y6DNJWB|3x9zPdDTTLV&{F0WlGNBYx*CDL~mV%y)=B4Il@ ze0;=*Pf~+0kzt=~iIm};1<>v|hEi6I5Bt|g(uJ6Q`wKZ#j$Vp}Qb#nFmVS4h`^-Ao zzt)L_@Z0R;rE}`0GECt%)%m`{KmIJB%neQG9aN<5dS5Mm_y%#M9%6 z1Do?^eQe+@j9wE%N_xj5(f|6RO-Ce8N#~U|hFGEN1@E2QEg1jKvwVNV>V-mk1$h#Q zO3v}GxlW5-2*g5)g~QY9FT)2ZBbe^gKMQb#ukP9O_1+47aO(V3bH`)qvQ2+G zL_QOk4}%P+-Ld@~Z`Pdo6L7P(Y}1$Lkp0`$vL9aiUQstT?sv=QFP}EDrf~0{zN|5! z7VN(}Hs#fs!;)7npFXa&?!c#C?;*{J%w^j@e=oc4O30M^=S~T3R_*=x^X->L&R#lw z9J+{&oc-{94@o;rcwQ~}@x@P1oM|3Cd+wb3<40=FoOtIidnuEz-ikzKU~?nGX8$gp zRFD{<(^syTE5PV9Sy6YZ3ETthg`ITz=q#Eyu`5(9M}EzCt}<9X9#CrAwysb;<)De_7Pb5T{K= zZMyDwIThNhKB+|g)wr}s*Kkt1wvue}>~7@vqld|!?)opQew^s=wEZ^KYdef8bi8^C z&lo;v4C9(SGY3mdo6N_q)#Ys2u;~ONasE_vqCBwe1X*@3n!qg-`$k#!=fF&R^^co2 z9U;2`%5kSIeKg{97P>dMvzOh6#-7YVZTVl16lGN}TW0v_BpQ91x@1Yp1O^syP5xTu z>8$eRNMQ}KHo^FjiPL9_Su>}`RT~(5_dzIo%8sAY?|mjL|E=n^Ak_Uh{BFswC1m-!{k&f##j>Gn*K^GmQYeVdpD7P-h_?UZ}^VDeEA=~6_LTkQhhJ&dc1Mt zF5^Rqs$FQ%013QdvJA&kF>;W`m51%fU+~Z@_R23>@$sTZ7a_YSsuRO7rvUoOsYiBV zyhwq}-y$nl?f!zuE+;U@z+~5=NenFt)MJk4KltE;1b=MNtjj9Q4|VUjK(b}02oK~Z zgfj`T_S41Mf}gJt%NbeksV-pH%#V_`+~bEm7|460O4ZncO$u2Ud1^z6Su!i^(OFE4 zaJ4+zEN`@fF`E)Ge$v*r#tE?y?C4LwFE{KyZ&@VpERs74vzD}q68CcQAD_MY@h3vi z<8iHS>Eq)te4KRbNVB-&m-7bnY{F zqPkgeC8Q4IGwq2bE6}LYG`#MGy-IsBc#KC-Q7JJ#sscq(jd>iYilJn=Q5obg9ylN{ z00jKUg>tcagRa`p>X&sKwFD7MmZiy9SR|wT^q0!Rr!UV;bAPwur>%T0g&_s2B(^ViJ zv4Apgrc0M6ezP2%Tk^jkU$P~$Mo|-LNZa7uf$1-t*J&}E3gw;@{f{ANcvOPjbJwij z*ptQF#-LC-T^vm|i`!vT)OHz`G%ucDjKc!=xtU4GZvgjXLy2b@_Oox=#n@Db{>y*72kg`Yg5l*vr`96&1vTy%eR-q#t zgRSi*#}OJ_nP9WuXN?+#VH&d;sjOpSri}akP|cx#Ej#2R5KE@aNL)ONd_>q-sE* zR9(elY!6f~M50pg@b601C8XstLc(pgJag=L5q3(cQ#Z8USwr4syh&rJ+*#rYT#U3Z zBb^se{*w7IctK(1;ac;!))Mr{31-A~Y%*-o;Xe@QCj#W-ipGx(^{630gHvC={H!x0 zU4_o}^W|$j(qW>C;!+o>_l})B=zjDSl{tAC;6& zsm2z)OBJvX)I1~Z>zp99Op8Pf6V%5w|F|kaii!2|nbgX-E6`i|so3 z-VEw77tWliJD6Ii~=IPaiAXSWdfpT@teN(tdGt?!R4{fn(N^%EFN^>giwD zd9Q4@a{I1J*(db7|E=G>yWxl28IsL8k7p8N7RrvS9?L5~Ield#iT@^%c2_8b$VSO6 zkVlbbqOm}SYt@nir{j7#AjM#iHd4r4IYtI zu76`w-u=7y$ibpqMNNhJ{DE)IA1Qm_i&dk(d4KN_q$4kX98J>IeEs>RGh};CYEgac zdMwiFXr%V_#*q)HSAo5PVoXTClUI1Epg^14sxo7|j2WZ?3=Rkk2!Up0HTlGH#e5%1 z!|{n&vhu!h&OVCe?9xbS(4^I-A5XXQr>|I(7Rpe5@z=~cyO5)&rj5(oUX!ELnv3d@ z1~ogvnFJMrHzjH&cIlWsv|!Dvvr|W+6Fgz%J@5SM;M!Am!_~=i(TMs`agMPO(tN@3 z+J|KCstF9@0y(?=0g;h`R8W*rYb!UDbV8Q7)r|SESo~1Z``R^znDiENNpA+S?{B@V zuD;Bjy6pF>-}>mYw^xiqT6pe zSGpO3avNK66Php_C`YHGo_;V`7LM!ByVsjrF!w{ks3HWxdu-nR>5rXLI1_B^WDZZi8QPvja!c8a z-ZRl_!8qqTfiwRe9bCOssX+ll;_i+b8|-gx=%7D&PQlcCsp68)w53blerwJ5A1$5c zhnW>+b?|WNVcZN-esDlw00@}1hqv#oN6$xOMg+@0 zScqN%+M6*nWrrLe^>i4^&!H!f(x8t}>d^hqjZBLR74tEz`A4QjU|3C7R!$wM zK~Z+rq`$-QrEjJ=UpDDHW}Ey}CF<9x0J_mrGa@p#D^Gs8g_{xCUi3pwP5Zc|Z@)4#^4`gQAD>o!wdE^=%%?o-NV#Fm zed}INxt#eo^o;`ghA$<;uU&moizF3BaNTc73>!Oj+p0<#wPe(VpAX*ibC=SLpSJCR zzMDN}rmh}8Axl}2nK!nCmk?-Cm9$(yLn7nD-pN2S4_@D(@ktTS$5g#kQuXi)^ryv! z&o(z!_y#^do+*rsToIVJJ?q4MFGnmCw`_mE1;bd+Jd4(ya_gkK6sa#gaKV}f@$bH9 zdGVP7;z7LN3&nS6HLRcR{V-CpD7b24o$BEin54ivs1CSm#=cB6Y}0(aeC_AN)5}F2 zujA5S>_FX>jhoMF+f*CWsNT$qUFWlAp@zbD2yF{Q^PyD}R!vG5ck(Wu`TfWCIBfxdNS_n1ng61%`*qcI(?YqhFS1tssM3J7KW8%ykdE zF|fl@NcB!!x#qsfW6b48GBb0u{K@yNL2GTG`)|^dtCvmdZ&FkDX|_fIhT;M0WhAsR>=CggWNNec|hr^$R)r-O86XYxObWPkx&55SktG z58kqG`tzx{{NIX~)@!umh3j|T^^Rk8&yFed(-~d%>Z~80#lcV z=@>rxovqOegRzR;%5_H>Yc|*bBa@^K4v&$pnNGtDx{aG_736fAo5M%1c~>$m(0Xih z@rKI4tv}3oJ`#O9sN8V8Q#e-?#P;Vcl9|M%S6?W8e2p^OKXA?0GoKMNQ{S4pB9d00 zrFb#ZykhIDZ_1h5Oo^VOY}^^6Gv_7BF;Z@O; zsBSAUX1(}b;+71QpT~gCw|O4P;MTV^2C}Y9UmP3xMfQs`IzBk=8r{; zjMb}_Mfzc=gUg{NTUe2^sbzWmBGIg$Cn-3gpKhK1bcm-*7V=+v}i1 z4fDDlzQwzI_>I>x>$xd^TE9%}QHQb>{i=L_!AC#WpuLGNT&0f*5u_$Zy|6?EdlTQ1 z8)NvWP`3mhWC{d;z%3?lxpe!!vQxh(YT8HM{im0HAJ$FZbBiT~?16w60<9H?_nwfS zJb?@xDO(q6P|HhL@E%MANOOhZ<)*x{Wdqm(46izc(g1-T5ingYJCLm~V!SE8S^5O% zQaxe@fd(6a*1F?IP9UqO;OUR9B+XpF4HW_~A~jTM3giR=KmZ5;0U!Vb1`&aQHZ31S zMF&xU01yBIKmZ5;0U&U*1o~xCue!RrsHn(d8K{r;Z?^EA;?Zcd`1p9V*heRSI0XVg zV3-qlCH7zF(?I(k0mHnkP&^<21p0$Ozo=9B`T2_$E$R<(`#a5DyLN#()!&dIeINh? zfB+Bx0>gknzo<~{?d?{pW7o4G1qn%hV|j_%LM1mg8dn#pc=6<7hIVJtDNBkK+E!F@ z8Y?I=AvTOlx9E%a9jZ1n7`8hton-PyPF>2&Ra+RK3m>LfVmBmM+lufmVcNfv)=A}}*1zNOuhg9Kn5(JpO zD!))c2DMn|Xk+OF#KDfps60p|$ZJ7ZJjibgMwL!2oH;+9-1rYAqbuHbgbXdSty!V(EvjwJc#IZ@SB1FStP!$)IUu;3*(eOZNTwDa-Rv(@Vn5B-I zmt+&eUIy~Vq&b{b6*(^@K;w~sy|{>vr|2E460>y1B_WCr9luDps={^GSakBkc`EV_ zLj^Hg_~?ERnpH))rCO7fh6lx_#FIs&oTVXeUzsE$&33n0v^o0}VHxDzLugA2<<<78 z7e~d(LfCYZCOfN2Ixj_N?9-Am}hP$RNJZ+ws5ZWhejUmaq%bmJrF*IU)AySU?bY74vG@;7Rt7gZi zFG9M7#aLUEon6GvNI<)K(fucr2QbJq9rziQiafMP4|zo2eufL zC<#qaY6#iG8`LVomrhh_2~h~uNz$3Vbd6jkO>-zkD3C>0THGK^&X6LNh3stQDua;R z<^}bdRV@r(tV&}HqXaQl<>uE0Cd^Gi9imC6$j!}D&PhvIfYvM|`%;y3UXraZHR^5h zqQr8G4dE&CQ+ae-gdD}}baIzt25u-XZ4lda9V#@TE>>WXbLNqKw^5aod$v)WAf&Vu zTVl5Vp5%93r_&j2?$ z=gZO;$jB3uwlKR&6v#Ab^UDco+9Cp`6C7So@YnV(Qc#Wizyfml zhZ1%+bm$#AC+|2tE!C}CaAe#0ci0r9bHN7i{O#W~plWs60`!ZSInt#%xR&ZNwco_V zWaMT{9b>FkHJLkHCr`{R>I)Z*UHv-;L<$e3tU3LCMN{J?Ea$2BgTlhX18xqTdJNlb zU08I=!hE?_UsaNiMt*cvXEkV(ddeAVm3l#peFTWk4vCTR8p^dD7KZLN8;Nu&h@pFWFDQA?A?h9ONHditGT(h^o*LoXjY6fPIf0pQ*p7mwW(AU zJ&}LqY^l1HhB{%+xadhiK01Y5c?He2S$+6YSs3#=W^Jx2E@*Bgtp4FsCkd^!1#;7* z_`pW_*-J>Bu+sd)WD|wXJse%k#*G_y<;oT3IXXoul=IYfaHA0^IzJ*dyrtM06(87C zD5u5B9Me4(VX2KCLiAJNvHgMZ1o1UCnbgGLcj*J|BLLHylB1{m8jMe36 zOe%z$L&Gq3h)h(Suh7qlwl6qH=TD4eWgptB;s*u>Nx~!|9;GCa8Wb-wNQg$T@fy^+o%$DbUIBVbv|$pJ>xbMqr7YO>|Ek`y$aMLD)4TBOR` zw}%rb6oyE`!~*-Yr2Vq%r;GfqONd`!7_E|gFXQX08gWUuRbd|;a}VS=zF}aKPOYQ! z!fCB)BQwB8g^G(*E4E49Vx)O5pd$~jzg-D<4eF^XdyLC1Rg?Ct3XhykjdId)oYV&` zdWC`z%BVSBM@Vzi@x418FG*G_FANQp>dc%-x2nf^e0n9))4dK!Inu(6T9tt*eYm$bf*+0-KT>c^#PxuP zsp3%#uWW(SmrC5%Y@l!TjYky-`}6d^L&w;a#5U+?vY{?K(>dLc_&LbGn^%u{4(*-lHH@%r+W-LOeBs zV`-_8wpfS$m3Y$4o)|9CF$ejVIk8FrCQ{ONiss zTh+FhuK%5tXxEjVA9W$%HL8cI#Cwd(nX0K#sSl8%o6zAbdSzZ-Q%F*>L!-A{U<4#O zCO|2>C}(h_`8tl#a3Ia0WjXy^2W=OR@7sf}o7>E6u`Ds1d?V<+z^?S*2nY;u0*)q{ zEC!P&OHB#6iANX@k}!@}=?S5#B_KS2CZ|U2O^uZeOvywpolTeE3T2aL9m?@YqU`B- zNJ5&7oEq%pXmr;D-szI-bl4QcRis;S)L$x8$Kf1YFfm~?p}&0jazkyYsx~MlCX|KK z3<`NMMnlR}JJ0G+KP+hKiaDC=gW}^n96dA6hssa`^%fJM8C41xo=Ok}^r z#A(*{cAFg&jV0g`%97JfWGLZCTF302U?mcXTrNka=)hwTkDkux$She|T!Ln>w0SxL zsbbnfdK76tjsnoxLY&a(O%lh8gQ=y##FntoHJ7QADNF@TML9Mrl933vvpf&M?-rrhq9@nDM5g6ZL++}QNrSnj^?Zd^~P#N!# zT!ki*D2Jq=GjYBs4E;q^9XzOLvIuN;R<`SI|2xU=b_JPS1%`3tN>ybmOCn=nmG*0- znYG9<&2zUxY`jJ)-ovSj8(Q{n3 zbg8lb2-kR%u_`a`q97?*YMW^FmO1H9XY&~?npTUDX>VfDZERsnaJrR-nN0{KV+o!llgTCq zvqwQD9_3QoQR!CALV)(-q4#l@b;7SE?q+hsjWW zBrCtxZaqb`v{-N!gS5pF&zx_IJ%9Ec*hQ6rD-LICOXN1wEmK2jPJVf#*_C9MBRXFi zVm(`=)Ki97$T+=7#Rv~~>%p0VC@Ed3plq2?_nVbnN=^Ku!AFDMOm`?SUD72z+~w~S z0L|BNn##4fQ%~)5y~AnG0y6_A3JmgMm4Rw|2yI!3mJ@+YrEXNf4q16RaVOyEI_2l7 zD)qg?h0?LKYFZgCV=;pwzmgr7*aL+M#YMB5;pj8d@&>9VErzP%a%)H=pHAn6aE+DK zRIMRnG=-ikvDr`A%Yt;@NT#x+3f*|UtY3Qq@B;*fD}kGOBG5~?gr=_4^FkdD8X9cY zv0^f8E%kzVF+60_Ks~0t;f8F@QIjT>+>}AduqjAyi2drY{W2_NQ%an&5tqtNUlv3~ zj%6W*&15vT`}q4<(Hxy0)5qH0+Su4?^+hqr3A*c~qJ&e7bG?q}Blt7u9c`abu#oWEN{1^c-X=oI`YnnD6 z7XkMW?$KqFnO&>0ftM05=mjp6IAJs~g?4*5OkZ8q)MC!hBF8L|rJ5`)$-9VT5OzdT zB2iefpQ?Itv5RCGSv_<~LcAV{p+sMJP)lHtRNU$pnMB1zD6{1nQBp7Km&_C#5EwQD z(1e)7QiE(lBuQzq-nDpk5^P}@htU{{+Ggsd*W6g8=SIXkM*eY8IJdk?YZ8Sx8aoF- zSCfK#$VMp%NA?c+S$i0$TSGPujwa0!-s|tMDTvn+4#BKR{^U6!tkYYq1DVBzh zwl-8K)K{+~3l93o5NQ~$IbG>{rz{A^S}&YZGVYWGG|A7IBO*s$QlM`hP^b}pW2I92 zT1jpq^z3l&-o4K}^GwgeLMR{r1b_e#00KauTLPaoo*Lz_1?V>5P`}tO>eQAkTkgI0 z-l2%*r=NaWxpL)DlpJIR0zd!=00AHX1O}48KuqclWO;sNUN@Z7`<3ZKbRYl(fB+Bx z0zhDR5a<^b3T^T`M0F7)`S7S$COQ8baC*;3!O z%K~&cSw&4&jNFl&#$eDfhA=TBN`E+8ADa=6KFBp{s_d*%R_Z*mh&G1`m8FidZ^%o6 zJE)DCN2cP5fU)Xew$26!#U?j)u9D76;Z$YqKTR;~>k%*lCMG3CpcMtsLRzdqaXfFGv|HalXCNLTf{39Vq7{FG}K|md|TTp2{oRS0+qPqxuE3;-UOdK0YnM zRFqTQY9%`uTZhM+n3jm=?=H}j-3{f?(h(_XGM0WwwUhm#LQx&OLlr=a@&M@+}D&HpKz;sag40Y_zek zxKrPs98hwgQ(j2FxZz#Zvj7%DBgPjZ`8u#i?@H|65!5_&(R~-wXmU{ieOL9(jb@XLsI8S zxkT0B!)1*Us)VSiQVE>gO&h#(bUPwtxU=F*19-n3t-abXUUZYQM9vTbA&Z% zi?YixS?YXpdvrouoSk=^nf~cl!EZZk0a7IleQ9>FJ~U-+D%t^*3X;!CPjW0CXlf|V zt;A(WmqPJXJ!y3vS$qAxL7^Co7PJnih|v`;=S8P4h^BO_LOeNL zN_EYqTFf^n+41gblh9B)wA##mQKt|Jr&{3D3iueh!_r(zI|^iJz-R#p_Dw!ehjl1V z-XL@iA)o-xt4QfMRN5GpBAiI>KT>5Rl_O)7T+5TqL5t-t5O>l8jLI%~*{bK){Si$3D)oYxB-^4@baqILOqErxC7kPK_Bv;@1$ZE{8tq_0 zs#D}TT3&stXVu~`YyRKrfqFtbE4z0wPo@PHLHzy8|$>^nLHO2^X z%bBW5LKGKiTh@}vmnP4V(7RJMEjmRl4JmH6b^}F-4OQh;>cXSY&Q8L}fJS+xA)Qj& zsQfzb5iYSy(ecNl{2haIIHOkomc#~Wi_ymC)Fv}t3fm!;^MuZiNlT@ZyZGX4oNgw~ z_vj{VX*qqOly|nl8O+;(Hv&>`5nTRkp$IS65f%%b-1>;h7^8EgY3Z&Ya0CQ^z>p)r z5l7-`xjMo&An#3ltI0xVxowB;3}@0R8n{szq%MUVntq58>?=_j#eqsS7Lgobi-HSd zXQ!K(I7YqLT8wA}t0go!**56VvzFGGq1S`%3xW$ct<*Z8OblsIn2<+D?Ug$^e*Z9y&KB^QL@TvOt0!VkKQz3smHW`@# zZn_of0NEy83%Pk0FTm}M7ByV9bj^)r*~P74F%gb#rpGO5oOCQL+6EJ+>xiZ^faAc_sM2BlaL48rl()61 zC~HqKxgjq$CT@;x5QHs>6;DY4HYHp+PC&W{;VV0IE4JJ(B(Q!^FSB`WjiNr>U#+w+$IV4wy z#n@A$bHh>=hz$)FFRE+Hvd>mV%}EVo8#O9|A05bK(!&L&l8XjuxR<jY>{kaA36Z2F=|omQh!SLJ7w3zO%>ci6|pnNJt_omV;^c-r{fV_`c-?09Ze<>glK z;!;JpMPDj6N)lpmy0&8w^2}{)nX-%O8sbJiR0CQ|!%#J1oY0sg%0Pe}k}ywXY|v;f zsuj8AiqNz)&+`E{N*t~O0U$6a2ynw>frpAK4Jlph0%)8t+q6EKhRMy%*UU*l_8m8H zju`}G)at>ZH(&Y$2~8v>DwC2rfrNYT!82DRQIau_oa4O$aV$hE)h*pqhq!FgPZ3XPla9U7~# zp_R@<yCy*T z5Ssj4B|9cnhIBiNzE*40o3r;R(D+=dS)a>GPVMe)@kWELrz5jTM}AfURRz^DI2u!A z#hzWu7uXn@Oco}SEeMG~f1#yWxmEheZdGeXvhWK8fWY7+Kn=(rmTSDfqSCn{F{4t` zV(Fw#(OH3PQzbImaO~P{(KiryAP47g=q*|!Ca`y27Nb^&1)@Dv>HgtS(GeK?@ZmgV zKpNFr^`h0i5x(vULgz^WjAd1o7P=$}r!{&^s$;K2XVB4%qa&b&u+TW(`fcB!#Ey1R z*idUHGuJ)vMt|v44&A_klKgdaE>1rSfmB{fYeHt@hl=QYw{cEqAnE`Ql<-Vt=wmTT zjbd^*IF7Nr>Hwbd>X_b5p3%7xkz&187$0U)6gG+DB@QJ6&1Z?Eyz*kXCJlXO+m+3NM(JtRw=7c#J(bRKg(&S{7Ym5@--o)%MnXocXZNbr# zY$!jH-7+!VwmU63LW~O;q*;}C=6svUnMH>_Xj2)Y!@}8$61g@tmi*?fp)@DIF)Xbc zor=zvhFG(Ul!8QZ${rb~7pWNGq}jP$r^1+mC@KB0LPzI^qi@#ovdVcWwjmdjL2srz z8VZll-R1Wf0D0OsKDU2sh>XP#qRBmuu4`evC4l@1RbiPWic+G`ncdhC9g!ay)=H_Z zmb;1VjR4LNcfQWD!xEx3hx1DXY0)fguUguUxpzJ5rXWnd zB+!_v!lN?S^iHL4rQ_C;(>WqOA+OX)WT*&6b$J6lWTLC9bVc!Wgua6sTJ2yr8@>8>}&Z57l$Jn8au2%-w$JC;ub0nBaYhZHhqcC;}(5Pe*QBr(x zR}mVZWpIKblSvKAa+4|)hKR^`Sw-a%S!*Lh;xtod3Z()$TGPO(LZN_>QCw94X>7xd zOo%KhJh(?ribQ9NWCo#ky1| zR3}ImuF97;1jdIY$aML+`^w2TG&(MbOz56@R~f(u2mpb>M}Qj|El}ik`bfpvQklIE z&Fv$HKFA@Tb&C!|R+oEsQT-buASNv(BrY|&xF~zC9Q7FJt9EHp0ySgDi%yNR=I8I< zMK-o9VPr}IdMmeoIE|8HOX6cS2lM2@IkCNKX>Ul*V?n4`biPD@>jTJ7sl2LC?mZDx z7?U8$M`k&M)k@<8MJI=QofUF1K{-)ahFCk~wkYr) z2mk>f00f2{f!9w;avin+Lr!=Qc-Ru?7j;Fs*K2SA2mk>f00e-*ttJ2}RPSn_qWDTY&z*dmslO00e*l5C8%|fFzK)?twRkr%na+3j}}w z5C8%|00;nqekA}ZRKMbd#DM@100KY&2mpcMNdQ!+;aRUxDj)y^dQKoQ*|ZC60ea30 zLIMFG(1ie~Q(ce@F%N&g)bArUo5#iYI|L_v#=qMleYa8ir|$zKr2mM3C1Y2s@7!#T z{7^ma!6ghwQ1Un6Ny&%i@pC4)`@t~~00KY&2mk>f&^-ZAp}OZY$glePE&g9{tp1vT za0)s?^s;E-9r}%<6)y*?O79r++m~^lJ9v-%lhgEC)eDTX@4b6H;U8n8o%+@t+=t%4 zF;{eFI&c64fB+Bx0zd!=bVC4CsBYj4flKYBf2i5`cVnwd)Dis2K88YLeH(_gwUriH zxRV(SqV1PIT>O5AsU5qn$!xC2nE^ao1fS^l$8a+nD)p}Ta0CQ^01yBIKmZ8bfPmk> z{5#kJfI4*pV1xT|o4K;Ey}g5s*1Fw*7n?%UWD?ivTMKqvZ9&0&8PP9~ z3Q!p;wPYN>biv{YE#JOtGIvM;PJjRq00KY&2mpZ_5`Z;0Z-{891!&r#-T$EE`OBls z7!50^-}s$fK?-;-^sNv4Fn#O6#g{c`yvm=o;C*)GAF5OYYp4|wpQpnb9+S>UT6#c2TC%9VWkNBLkzjsZX*v zsHAP}s_%5Adf(Vdcyzii|H0t5TJHSt@*R_fz6(!=|27@&hGBL$^ha_26ZP0SSQnr_ z$U>Sx00<0a0x+pJlxxp}>}~Be7qDqdMshL@EtpUE5+-(`sl|^q>jTc13pG0rTKs16 zqJ@^?^TeL0@;$cr{v)3}BUIgW{!oR7^uP-U00AHX1b_e#@I(MqC{I*|il0yX*w^y{ z_>{PhUyghnYyEd{P4VwE;a>?~ZwW$67_?V3|9e@>l?zw5zRLLRR}(%$AL!}ZPQO)m z==AlWQbv#y2mk>f00cY|Fw5&d`OW3Z3m9j)5dVEA*L$C1E>2T! z&A~WJ0_HB~C*SQMovtb0jE_l^z594$$C$LBnTwJHbdyd|RHV4rg1%&81%|~Y$b@*u za2Q6GWp=`edmXj_gQr}bCHx7CPLTgB$5Upp4{=dJ6f^L5AGf9{V@^S|HusN`27 zgy=v32mk>f00cS_Fer15oUZTkR%oov&n{5At@qa{S}#tmhGrDnC-(I*$f1g(IETjC{@zuKvEEv)H?fCOM zPotpi*-__SScV3M`pwb#(J5&Tmmp@KkG%aSM)K(U5?V~CSxr>3T-hNHD}nkqHM zZp5(M`m%H*-OXIOom41YS;bZU^af(|Pu!>3mswT5JfX=Y1~&AAw=k;?)gJcaL7MoPk}qc4%3B9p*dZ{n2-hL8*=i ze_Qy-Q+N+GvR_$3V^#j?CX6*99t}8IS{e-~IhK$|&M9()WSNZG7E3o-463qpBWI5< z^}HH;oaA5)*w%9CD#qcDbjat+89Ned(_M9(!!Ho%I|9jDzj@eU3($9|LP|gY2n}BTHc>$YC%h!=_Wvn8?pcP=3hUlN(HB@g!gG{cbDcsLpsyojq=R{;KhnZUXJz z`j>95!X+R81b_e#00LbJSPY81<0{HxiWVSCjqkd*1b?P4sU_h)0Z46XzTSQdHk7yM zmGXKk#)+IL?9QzHxjg1KmZ5; z0U!VbejNd`p{d1g+C)RzQCAfTb9@FjAj3_b3S-eJs*#fCA1>kAFEhxQ#5R+e+6=>D zHKFM|8jjP=4THWcp2~Mqez%bdh4G`JMs6;yxQt0C9ZFYRtQ(seWz(l_3LZoP0zd!= z00AKIs|nEg@rxda|JUOGmUOiRAZ?EZnX~AswP+5HBXO>8K<5a#SaoBo)?ks~SgTe~ znxBg}OsZTi=?7t1T*Cd@quWWH@{M?SF@MdY3Sjg~EI%JoVYz zEw6sCY{5E=IX3p;_ug9^)VDYxH6Q>4fB+Bx0?6)KUsYL6F6u5@_%db`)fA9UDl~IpxTRF~VhKGDMeR;G%OECD- z<*Sw~2%+Y;FPCoIwD*V_d5(X0<&wo=eklE}al6SBE&%}`00e*l5C8%LPvACM>|h|_ znyP+yc}t}r%(=1xdL>cs*mTsG{?vcBzVXpK;@eG!s!5gp%AQSo>!vOLYU>;SSmcwt z>)aKz7;M+L11b8z=aufCe7LJEz`)A^IRXJ700e*l5V%PKpibQ+xbCAd{o`JJYw3az zAJ<0}m(QItOBT-vWMYiq8R^r^=Z;)5W0#7uTJL-!T|5$FjG3|Qqt!8^&{T8RxZP(4 zSAhT!00KY&2mpZrCvaQYMGYX`(c)mtT-Q0nc87-#8@pO_x&11p)-%SQ`SKs@%k-GP z1WoE?pqW0;aUD_N7YG0WAOHk_01y}i1Yi_upekYXol_WfJAY|3Vdnah++0IDTJY1{ zN*J}3S7t2V{>jUKo^|!h_kX5l`UXlQ$Oi}j0U$6m3A`1;SqHWNL$mINtJI)Q4OGoC z#LHLBVjui`>F+;yuY@;^kFyy*4D`pJk`aZr`D296NSR=+Iph4WW1!@Me1HHD00KY& z2mpbbA&|N5fj3}g?`Fu|T%3_%iLbtsNXBigT)*~Q%vc7qIgoAE8_AV8ZZ1iP1q6Tq z5C8%|00`U~0x%RcP~6Rzwy%Bv?*QT9y%Io((HOHK_d ze3Jh_$piTS0U!VbfB+Bx0>6R)EE?52cs*M*%3QJK-Iohp`$e+j$)%%=C41I=SyXck zV~gWftzM8oX-lTsgov7yX2O8`csdPlCJ_*m~EKxiNU1b_e#7$O8B9~&Zqf|!GY z0N6zhj(PwofB+Bx0zd!=0D&Pz092?URb3z~5C8)GM8N;-g3kxQ7NDP`hh%{O5V*wz zK%Kh96#&@-0U!VbfB+Bx0z;BO=DG*o06l6*Rvicp1b_e#00KY&2;5o%U|)V~`9tnN z;Fb{Z=RRL24#!=28$Pdo>vPW9lYxAPU+aO|Ki}JO%^y$wXYkyGzAVCA^ZCWkS6^)* z12Cfh5&Y0oEG~vTwOjvSXmZ4YUmySkfWYlQ;NbhuhIX(80CnnisCFnL5a>jp*|3pQ zZuj$N{q|&#`8%TBe-x%_dT-JtRhu*P2+14bg%esn2|i!L<306D@I%MWf3c@M;7QSM zQ;7eJSDnQ;kNm`+F}Y>W>FdroZ~z2=01&u62*9M??NQHAN+95czzEUHLE)$C_vc(^ z;B*FIF?R^(BT4tE-*maM9&4{?-oL{V{*<2|8jgAj*Zifi^uqP_3x=&xHK0FrU<~!dl3Z5}}gd>9O;QBS~ zb;cbGuD@@%&|;V-d_^t&urd7k_eXLZ;ouht00AIyI}rdC>UOGaC@T=?NMM9$)#%`Y z#)1lJ8cs``J#h8lZz^6GUA415#WDI9O00`U`1VEj-Evgv`2?RV5@Wm6B&?-MS zUZXBv%h7)E8*RyHYkRY);I+#-2{&ALUGrAm?uwC5)=A&`o_FnFn;FgewOvR5D>oT5 zZCLy1=A#F!!3&t6LwVv0en0>S3~vI^@(u6$h0*~5?*x3LoI82Mo&u{ah~EU31Sig& zrcQD6c4cix7n-kS|K@x)8Dd2Em*LT;+YE%YPLBoiNH5Z%&;6QhNAMpA00AIyTM>X! zsN1T#p|C)}jey?-HecIXPuRRhaMOiP{S*{)#|X@q8S{DoUty@!ju`WQ|yk7eGwf45Q;>>o*>!YceKL1%WX*CB3QrQ9r1b_e#@I>IriVvAiTL4c1hJ_!D zNDYf>ghBv;n;^itgN_mHt@fo2uGfEF_wBUcht5xY9K#IqE8qTBSKoFW+tFCMFlg=7 zu^7>I`c?JrLeiQF&GhY=5d8bgfedm%sk(pfv5#rpgbWY`2mk>fFk}ggxPE=;t@C1P zP#iyA)`&;V&5*Lap>Ml*;Qc?o_JeBXXGh|g#Y!}A631p+_-2mpa0P9Sn~$JIXitvDu~vZ(0n#TJwujTI<~ij#$~>0NWP>UL{C z|J@Z$GbZ_7`p1Q~5LWGXm;UpYW)=B$$cTV+|Aqe;8!H)z*(Hmiswlrq-He3x4G5Jb z#D;k2fQf7QFJ0WdgJ@~PeD1(w-wt}{K|fcwNf^JKr26Fo=CdT^?_Y6{zgf}r@88vz z6k0J~AIVd~$3F0Pt^nK>$KdlB2<&}YYKuW}c>nQQ8p+C(-*v12;~X{*@$ z^lQh0p53}9YtPoFM(+LN)7w-X0>B9n00KY&2mpb8CP38YXP-v;ldpe(Kg-(MSY41^ zZs?MysrYy2|NI+Le{y$bxpw1k^(qx3=Klg_Eb(bNsNZ^Tz1BTMKOI|i^6V0%Kd}M= z1AN<>sta;UyUJ{-d`b16FNhZO0dEQeyFe8DR`spJ@)DU^*1e@c`jg8Mtvm0%g!HF? zbe2TeuKKv{lTEe{U0gv1_tB73p)fN|oREh;cO{dHi`Db%Rz44jshmYS9p=U1ty-vlv`w&Y}!1vAjz| z=SM_fnB@ldOHk@kq)D}0?2wMGtl}zv{shNbft-j~zOGo=f=zHt`E>{lCqMuQ00AHX z1p1x;QU(u{Z zYE8Vq>&w{=Vf*sL*hJ1ivI2PIR-8DG$H1D~bb2$!bDxXE*^iu=_=r8*>xO31X2|aj zTglpf`Q7FE$)i_4)%HmyX49$+1q2#^3b-3*p>VwaXYX9Vn!3`xzXWy&fj}TZf?Nzb zf!HxxVHB#^fm$xrik(tDmCk6b)*jo6JwpAIPHoYn^t9k<@xmEvtMs(ggT<*(Tg6eZ zpamHyiZc=!C2}$05(wnNPBy`B?LfGR7nDnYcTFF%_sY7w>$mdE{`;vf-9jhX95di?V3V@^jsI!v8PrbcY8ov8(DwyPb|DbxrJGC<1I0DJ-gAOHk_ z01$X|0(!-j3nlo?-Ymgy`FKNHzck?D3n6mZ^fi_EN9E^Yqd&pN{`Cy*@COtbD2*PQ zXK8CR)6$ZGjiV?M=MAiRI^?NUhtuyM7xuC+dK`+>nv6?CP?58{uEsRXjy9=LXgL^P zl)#*1kIzx5GqmDi;ft}6#)pJ5$bbGmugf@c0DC+Dm6I-qIrLDRYCKkj-;rE+0~?BX~{l$oEjejZu3^{mT?x^j9J^fb~77s^$%(H3mc zf&~I&^tqwpW9k0)@axWPBLC+81lC6Krmx>3*{=&0KWTvqyN5CkF2;wPvUK(f38B5C zw10Gf{R75{GJ2p?(ryowPIbGFhiV+mCJX@x00AHX1jYgZEIrN?-KH#@d=@U8HQDIq z=^$HMR50w0clJdq;EP+YNM@La;+3=Lm!sggCFMIt&IA` zn3GTjJxNjq1F1J41F6wyux4f2GW+{Gb&ZW!%c~XmSH@_RH8$EIYaWm7y)u&f%ASNQ zLCjNZMRvkL+02cRf>ECWFaQVu0U!VbCJ+IQwB#o3xFN{uqP*(PfipdP=T7gtbf+u+ zSWzLr(`r01pzfgj==n)bVZ6Xqwl?YNy3Mz~l-k+XsdFU=x!5iA8CDk*ZK5StBw$rn zG!&i9l`>oF@DtWSDC`qljtePU{x6Q!bT*_WBeIgNhOfh1)?_@fuk!{6Qx#Ul1*)jd zL!(HozfWs!c5TuUrHw>Qd)K0!Xus8%Nn=ey85#;sc11uTRB`^t3M_=hVM|1PBcX0* zyb-a-bTY+zFNI?vWjubGxsp9s$5)qFWu6`>M6Z;;CFlJ_LTp7CK-Jk!@6bmq} z1_pxx0zd!=Jb-|KRCNaE>RK8aOl1isg{GTsjGv^gU`O+{F3%Hc%U0%RW0~R*e87Fv zq1#7ys!Be=@#&MCp5`px?ak(Ao8%t7>e>zu9+HwV9>!MbRZ1BGeZszf00hP# zfwAV18hHpfX9j=;^^mkISd=pmqG@eN~*1R+( zE@C<=OFIysTr?+P{-)1%ZtAMlkh%S<%3!?xmb!WDt8cZzpC0s`Ec-eBP|j8V6~6QV zACQ0m5C8%|00>NI0>i$RI-%)~#^4zabK`bIMR;2E95vE-?Odb#%fYVLd*tXF9KotM zRYf6|aMijM;nT4@%ErfEXsfO1y&I%CKQqfAWEFN+QSz)ptB5FHcLFgypWd|t^wVfe zD)b2ifIuGtui1F-fLMS&NZ@9)34ljxv}a(*`{#MMBdVrXv-*~rW|lM7L&jw1=Fpxe zBN-y$!p=>K+J?gHYe@8>TetqAs=xYP9T+pi5m(U4Dk&x>C-u$38YSZRFOS*~=m?8? zz39Rv5C8%|00>M_0wAF#z{FD&McAP(g=EDbtn^xZ$Qw?SnXWLd`_tEan zCD|ps;7?tR6||(LP5vwK+Q*-Hpc_AK`RJ=t(>F!9P5@{yL?8eJfB+Bx0{0~Vi+cCP zGd{i~2!c`@4@kq~X~+7B!RnOGgwMM7P8{6)pMlNEJ2NF+CyuBJPs+VQg|rI_C&G%b z;w=sJzyix|`oc(8WnR_Tdi!?gFyJo`00KY&2mpa0CIAv@h=C4kbK$JrIAFZ<9RZKl z5yL^?sFl@sswGN!wT0>C$y8TeIa_8tE0=H-2haCvsl3`~Y`&%PY$IEp>Hg&XSup{@5LkBBSh-V@2@peNPXj%3>j}>x4N1D7h?m{Q?~C&ZbyW@Abi7%o#z?9NGA;i+UzG{q^-}lnwux)luQ_ z>YTCp%K)o^01yBIKwxMIz`2`)<2feI-5lJIpfnHw0^^jxhL2pZ1Nw1d0mdm97#0v1 zdIGSrH}p)QMIZnKfB+Bx0zhEg695S{?xz?A2n2ut5C8%|00;~{0gzBb&lFk&0zd!= z00AHX1japq@hG7_KNj&l!~%@_pDqj#2mk>f00e-5xe$PzdV`w@KR>_0Re;h!00;m9 zAOHk_z<4A8JM{)PtL=xM9bAQnE^W2uZx3A-3IYKj00e*l5C8(BOaQ!4gPQfFqR2`gc{4U2etzNAOHk_01yBIqeH-1ko#75EC9%<(U}D3 z6$k(UAOHk_01z0{1VBQW?etMM(~_3GnJ%GvS=e&r!`I(`Cr4$>qH6Nf-+A->WozPB zf0SLO?NtmefdCKy0zd!=0D<8qkRHE$JLst4ru>NQ>t#8~`RzoX+Ny%opROa*4og|i z?$m~bF>xmjMz3T2nwVOl?o$|UfB+Bx0zd!=0D)m701|2#;XX#w&8H5PxhsrOMt;tH%^QM%-1*vB=p|34+K&Y{+j$Zal za*4-=9UctSOC`Am$3-af00e-*&=YuL(q{ZX z6QJjw4Ss3pTQ{2);l+A`n~HzDJzSdQxBHAziK^JW>8rvvD*_AM_I5hUM)1c)>aTxj zB&_HxsvT!pO%8f(|7xtRx{|&s^Q~mGEg@psa9L;S2|j@U5C8%|00;m9BLVP8nb{A4 z5XK$Y*=1AXrFV8pHzcm`A<**3&OE9tWzQF)H$M$#qsB|`esnE-Yt$l###3o!g#UWb zPi8ikU=9!f0zd!=jAsHMp~md&^2F=>%XYuJBN;K><~f{s}mp=V9d=6 z7z_l=jsSk96%>@!>5%obXO{SJEeABPLvccWaBXvK3le-Mie1)Os6+mLvaffxNF{d= zn&cGfux!7ppI{`mj2T*Q6cvX2Kadn@GvIZ3O3(9@fE4kA*-oOzg<&a z{x_SRXcJO%bfz@_7P4C5`N=nIoKKZE{qNekl1m-P+DfpVzh;jEcR&(mnmH2KA8qJ* zMQQe#Vg=D}iVUsgXMem{WkIvQXKKuf-MCNcx9xD|sqg->+B!S_jeQaw7E_XaZ@hPY z%G)?Q^YD7Rtk^e>NblJOd;tW201yBIKwuaM7!+5|W}Tc&St!uhjn0KZ1uC5Ffo26fW zPO3Nz;nM`VMHc>1dbF^^RIH-lyJT$!(g z>Y$j@7lsFkIQ_H|W#JJJzGxP=Uv_WSI)%dSske8>go&r{1b&g5pXVxyud0yldTN%! zZ}YaLID3jXa$Ah|t#31EX$1)g00AHX1c1Ou5uj8}6o2;bLuRw@(<4b$lv@RTH|@<; zeV)^8m)r2Wz-<0)%Aa<-zWfDWh}T*qZFS1~G&D3{85HH!_;Km%zi3g=qD8)V>zztk zp)~YuoFof=zGLOW`s3e)o6i1b)9cvsj*9bLJItx_hQpswE-P%hgNdlijm20|g}QG& z=@pyLcSEQyxw(ey+ooCHbq~ettYq><(-AV%_cP3r>+OxR@B4eP_IWiask@$DCR5qD zx>_SenMBQ9>SOxNvc3JVw7RZBKJ;=QBp?6;fB+Bx0wY0yDOeaTutb_0cXf8|qi=8k z%U$OJFl{3*;LSrFm6?5N*!Z)Y5ZP3y{AalpSJEQK5@()+d#|&a`;;EK8%>i6%OaK& zhkl_3lY<={EjopgLY&^qkxbh^U47zDU7g-(ZNbZq$YyG%9Mt8nZLFKki&?KbkluBM zPirBG9Z*hTOcpN3v2k}nwYS=^oO17aX-8K>X8d8ka%za6HRdKH6nn2vo6pusWNO6b z+L;=*X1m%UodQQu4Khy3)Bt<}0U!VbfB+D91OmNv$33eLxb8xTTsD18CH_(Qx!CAd z@UeeAgFF1OLEg9H2iXw5|z;dTUo?3M{{SIOaty{lNvRa!z4O~ImsRi!8$`L9@g+HLX!=T`8hr$ltKRU_jz^3wO5u;*pgZH zom6zvjJP+FWTAWi5+%SK%exBY-Riz=-<@JE%(g%z@k<0MgLe$x7RWZl-YE+gu>=~>IuNH1I{SJ6gW zutf_N2#k@;hKi4+``;tm9c&{1=KciML-MAt-y+$s3l=|VfeP<2{IQvx9>0A1_|Q?7 z&VC^wl=0_h!R!i1R~7GlV`B#Q?ZbzoI+yN@t|yhW+x4VV-R|R>8k>^{Rs#Vb00e-* zcp%V0wzjBn;1f=Iyi7K5>X7bL)*=k0QW&bPlQd7=l=Rf)PiJ=;}_M_)o zGHEB2&Oke)u=B}aeDfHS$uN-07FFkqTn(gAUQz#iv+}^_6q?6*J;QA_A9vYNxudQ^ zH%XvVW^Ptex9Al-bh+v1#~n|JXq(%Ni++ggpq)_2k~?PnP}th>A)&B`k#+<2B%S2Q z8ykNReDK}wu%4wlu2^ihuUOKE1jal?ak0WRNZj*%Pj$E&IRfJImrf243ovp9Ku1Z=XX5UMEJ-D@pF2Qud@lYyllafUCOj6NAM@n%y zggs};a#2qs9rENVT1!36+j_FwQ+B7V4%>W3`jt}JT~eYhOtuI}W7;5n(`iy0ZOxKv zrC2BWu-y7Q*t;v3=Y{#oDFdm&^437==|5VHhC)~oGc65zlB5h>*&2-o>sLCv4_%$) zVC+8C^T}`fp~l9px6@hkcx>;Lk=$4IBxDI+h`ai2x21<#aU`W?cUR=y%umxi8zDGytia%CV$nUfoPYkF#C_j3Bl2aHjaFwl1 zy1H)jtuLi^_I2u92|_M*3w?&w9YxcyWYSAD$^lq`w`oHW_#qD_|A|5eZ{Z=L>Mo#H20T)032mk>f00c&W04cAi zxY@Z9hI>=pzC{ZXj;ODMB6S5jny;CndfT#<`Po>SI0PSX-*o8q(VeQ2Pnzg+H=pJ# z-tQ_L0nd#kN4#*ZzM%A0L!H*b+F9rq;N9;`M=YV*Ta5;{U24M*XH#lN(Wc9OpG?-W zAEvauA}`EV<8wEK@4Bv8Keo2doA)v1{b-xP?XorR-^Yqx@#R!qepW)-ua#}cmM>bh zVMVwn-lfo1b}TJ9TUw9oynI7q*ZI2BI~Up{C({$Z|5trG(`&)fZR=*aXs^8c*0Jl| z-Ar5l&HJ;uHx_nh!vzok0zhDb5?Fp|9zMF}u5$q?hIhbGC%q-=2Y4S1_$8NUkTS|UU09^xmJhTu4h+Hejy})M`>BAH@h~kvMPh}AQoVFCk$E#0zd!=00AH{cmg1& z2G8taYfv@$-)u=$MQn{)L?2LPWlOYERC`x#N=*?2gU+<_UNQ&2F$r%RjSRG_ENRrc z&fBzM@j_1&JB%uOud69@nS zAOHk_fSC{g2{k+u(NdC_rd}HJ2Re|vD-mA7Ui!jw1^5swZFR;mxm&Q%5wU%P`L!qW z%J9h{EftxCq?bPr-N=sr=y+ZuUddBQPG(CSgmZctF*OFCKmZ5;frlY5>1pm+hy{2U zQcwm6JQe{sJ8E$F9`fv{=KTGyej)GGG=IY?r@|=wqVj5~_mK zwB+0x4Ptr+y%@K8h9gpyq@{nBBUQE|TMzNt4S!hF<fF!}_>p@a(f z(=PlrA9zQ==>NFD0w4ecfB+Bx0uzJ4IFwTpW8z?xKmZ5;0U!VbfWT-H00}jk^r3Gc z00e*l5C8%|V2lzlovJ-X%^z{I{rvn!yie#52mpcMCUEsXeiII{0K-ig+6MyTm;h|o z8{Fi!AAWXl6&|m&)tbLOUIS1Y2mk>f00e*l5EvE$;E@^}R!Q;s!Bu#?(!X8vc=e$+ z5C8%|00;m9ATT@xATDZnxI(Ky00;m9AOHk_z&Ivgx2xH|Cl&zY)Ht4M7#a`&0zd!= z00AH{Tm(Qu4HsEx7YG0WAOHk_01z0*1VBQKI(q={BYU z@CgKlgun|&_O$fG0t`u$&e1PaWKF829kHw! zeY$MdXxj+~W}iG+(JAeWO`#rGY1sw7@@Zh7FX09V00AHX1b_e#7%~Fs@yoY^jv6wY z!`hIhk<`o1ZP}Do*@`C5436FKv=0mGD6%&D%hwOd>k(&Wa71jBkdRd?3D>KK_U|rJ zA_oCp*$c;OeUN|v5C8%|00@i@fh{aX*+hs1fLQa<`F#zxSHe^1FP^hu#|J0&zqVAH z6Mv{ejjS9+;z0k!A0OCxY)7zdep+I_iqeuAc|~*Js?-BpJ_uGHO8V($cW~8UyM*#U z00;m9AOHk_z`Y58gt|8ybNa@`KjPih^L!i-VtIr|%^+@+)lxRTQ7hgI^>QQ-!&SU0 z*iKR?M}!r@of9r*BScIKeA$ZCb> zC*QC;-45DP#nHDKuUu+xN62P2%YT>KOJVdAoi4n#uH;e&vbGYe=dao0z#U?%hqXDg zUDVUp7UW)5u%GyS*y6C?i`fljc|~$PMqy|zKl|gwDvPdZ84!+6vhR)evKT9qzRNuI z-QLyg+=S?)G94CBbpH7%Zy(M)m3er*T~_QHN2CKb0GU7l2mk>f00f4KfI)HPY}R>N zKlMwC%l|EZz*qo%@!EfV@Di=1`X*gYWL0K5Ma{Mm%tlR_P5aljX#18JmOF!@G`9q6 zDVCG7leMntW?|ly*1J0DP^4DIiDf0_eZL`9N1v6KTr#-4?i8|-g)VDzpRdl7BSdO5 zo|j=QH-VEQR0ZZA-;dcvHlY+hV+LeVZY< z>-TKtGX~}X0U!VbfWVk0K&hH2{_Nj}%*LCl@0m!dqTDLzyJ>H(>hqkYN*l9(M(An& z`+uJnn?L>a{rs2L_dTBZo-IDs7Y0RnHGW(=`!8A)v}lnpj=oh%E0pv@xp%r#m)$Pd z<@x7t`o4}#s+D3PIMwk_2V9r!af_ITtLUytI;hKy#kUX&b>Di@D>k3+hEQE{a}C+M zK{LNL*W))W?Y#q@?q+8om6U}ohe>-hx!&H`FQx4MZh#AGL0FWaE5A{aedHIt_i8^L zQe;ci+@(II-z?kPkEaIhtu!v1Hx?X=ThiX`_XSSO>~3}%ZWq3I)lmK5U53` zz>&Hf(@LYUY0D?R5I(^~+S3hvdJ@Hya_?WF zrr;$#93{o(cE63zn(bIEo^1UcU!(zuQien6@wf zFu5tPKKI$1xj4s~5p>eikKa)vrH5eSFo`b3oMexqyXp+B*h4ZRVP15nkDJV0LK!qw zMY%-^?%bezh2GHw4Dz49&#UX8FIhfeOJ>>AS8Trz(!P=1zMh?$wDDEO;k5O1W}ig= zAO@M@G+PH*1D!a$bFft=TKP<7v2?&#fQbeI#tQ_101%)F=;Z~urOM8S+O+u#yzK|p zT*fu8b`ED#zKhGP`u%}TwR`KYY+(oRN04IATAoIF;X=8JHrj$MTChMcVBk4Ys*b)? zU(rJNCh=x7+j2H5bC=w5xhn7)L6e84E3=kU24#6}?mrBIg&|K)zVEuPrL$j12xa`` zSune2(3&Uk!T*W98D-(|2d}P=!5%1;wA%xvQ{C?4p&A~*&?*oB0zd!=0D%V+=pb8L zRCvJ-Cp}&*yGOFYtAVJ)X@#SZZ;ANafZ0tMm)oWCjsSk2@Tq&$e&lRRChd#T8EC&0 zb~+jGiO=|g$-p5uEvnAQb_3a?tort&Eo>;n3wfdZm!s`jsKcdP{n6ewywh-#h_<<{ z#pqfiJ7`}NvgD2#cNDhPd?l2j^?F`zx#bffLHE+)z2?Z$mi7jAC7opN8?jd-5C3Ip z=W3lbGM;mQxMH#0zG6uu5*YIp#l;HOATg}ynYh6x5C8%|00@j40j3~yx!^&)TX6lE zR)}gkPquEcu_vh-T6S2taE4Vs(MBM!)0tf&BAOHl$0D(<{ss7_87C>Kr z{h!q;1Ac`UCa-HKFD_;>*aES4-(#e7#UCpw{tr_hos60oW(8j8;5N|~*7*nQ?86!r}?$2N4-q}JtMzC+!j zH^R3UHf3y9S&7)85gdVaoAl?~2j0{Qnfl_-@ra07q1J?m>+jQ=n_ZiYV@c%} z?KF}rl#fl#T+iSnrP*0U{f^3Tn!jujzo|PU$~1PCIBbc?7#d~D!M{mqR?>$Df4C~c zPDs0{zhD31hf(zVdV8J0$#A95;M_QWkY1@}Yu@ka<>9U%Q0n10K`9^r1c1QAAkcc{ zDJp`qm@*_g6m&j>M@wU@^Sj}Rag7MhOaj_;WIdKM&}uv z%fgKD>eA+;ugD9HXK)ImUDxck@AowC+m^ZAnX7~{H%=yd9#=xOR2)jlJS9<5R(3Ok zUyO|sI-=%`ZF|0wn>w%&{pV+|h>7OBLurRf==E`qXyK-HPviH#AZ=wv%5me%VC-gw zM8rnTa5PndPapsUfB+Bx0zhDd37GAo-UxFTneJ41Dd~B<7x%}^aBM8uy)!+#cXq`ROS)g#Y0U!VbfB+D{VQBzi1PNHVg)WVYn&CnqhU<()y!Lt-j=IAV%F2<| z`*aYhxk^oV3f<{EwzsdHrm6uiNOGpu+5OoR3*i4;?7Dfl0E0Ip+_k-?u`_ya1cw4$ z0RbQY1b_e#00Jfg;E^(s7>Q4tX}+_J{ZP&2d6|v8g(4iRCD&-xc_~TX-c%xc_k~d_ zHuyVE7JH!7U$1Jte2Io%3rR134?ARI=kMEPqqZim(av{z_i3UdVLJ2y1b_e#00KY& z2=pcZ5~??i5xH(DdFP$KRwCxim9H&z#RtLKiG790KV+$|U2{p+pHsfd^4t_Des06` z1MzRg6R4f?cZzy%qsS#BS&W2mk>f00e*l5a=NQ5~_#A2wge& zetOtfExYnX(wFh9=v{%XksDTYcJ1OD^0MomtQ#u-lCM%47w$he-fOv9AG;TFn0nFBQ=sU)LfE( z<)(3mtDWnNNPlK!pf00e+QF9NWr*9*pQUlPtMW1g!|PJ3ky-dM+UoA+F7s52rsvFmCQQa)bR zhHz+k*oLTZ9)Y4(M5Y}7k2in977@G|o1*79Qu40~mGy03y>g+;O51s_9ogUoa%#9I z4cZ3+KmZ5;0U$6SfpL1|=70J9@S9IFdy3jTd00KY&2mk>fFir`8 zgc_$43&R2eKmZ5;0U!VbhLZqDsNtjwZ3BVvM<8?S+b{Hr1sHz=gb@J&AOHjgPXOf9 z;F&=UAOHk_01yBIKw!cXfY9=>@DtEpdH1bj*Sjs9w)~s-XW4b#He_y3{(^}5=KUEs zM}6bx z{$14NWM;Hj5j z_%S6w&pjLb(n$6@l6}FV-bm7Z)V{Q8J;AoUyLQW!l#^DGOZbeguk04CUa=|A8Q(gJ z=Xepyn_BAbN{|BtfB+Bx0zd!=JU#)CP>;`W*jvz3YE4UJ%JyB$*1R9JE&Wtgr!ZiFl^d9fhqRoCExY#$~)VNzTPemN0;KmkVpyjfD3%TlBE{EM>UzZkQ^2NYBv zHgE$3fB+Bx0zhEs2&Bg^-wrxz=y(oaORn=aZRl!U{6eTt&X2#!s_W8Zfg6^(6G+{+ zUxs+~cZb{R%5oBtzqEV*tw`6tU&Gx95m>Z*TKag81sEZe&JB89--5&C3v`1w*ni=Tjh-_TM3zzbWPF1NQ zUD>8u@CgKf01yBIKmZ5~83B+`Lxytr8q(j$jz46zVaJMvJW_HpTjC&GJ8SWZ!x5c5 zs!RT|{^ZjK@rehGmp)6)DPg_2$(OCKDmx`(dhwXUXBD&z1b_e#00KZ@A`<`!H3nwi z&iBRG!1T|y?MQ4#wjSaQF(K0ijC$hDi(MyAO#OJ-UWBYTb6$vAHGRNxV_?W&A`k!q zKw!cVn0b1s2gCx5)oGt}=gu87wVjlgUMiK=sqo%3g6$&m4G>N4+S#wKFTZ%Ptbr+B z94;E*9Dv^Axt;N9M1pMPH<>X$);M2x`*c#=p5s>)2yy*ZZrc?T)V;sdnVu;AOHk_z}O|AsVXigl{V=*5aHk<4wyUL-g1D!bSO^953X&lZ9#(X zM6t`di|GIPaqZ#vv~7rptndyN3{Z18vJ9;^iVDiATkw;~+G*O80e+qXK7gt6rvLq; ztmHDXTH*Q0H|)-5rnXdZ^sUA#m)hGAvYE~D-{tmF82v=23$Lv!xzvHItpw}&YxX#B zhr{&YYSU~_JZLS?&AUPI=Y}j^y!aV0TUnM@P^-rj46Ws7f4o>_(KRji=hB!JzxQfS z5uIe;8}FT;^7i4(Q<;a?+hxVRaYWklEnEQsAOHk_01y}f0c&St!uhjn0KZ1E(aIyTsLPGT zw-5?--+Iz3HlOc?P+f9!jqyqUC?<|VoxW2u3I^PxOG{f%Z*R9wC!t;`{bx1F;u~)* zx!&IVhY6TgUEH(hYS4#o`*rV5Q6+^2j@_iS%JuA-R!AwwEn0-ER69D`VZ(VYY6 z9S8t{Q6WGn6ZmA2-x5*1tS0o5I z*!cNav=)-s0p%3NWZ^bBHtsICOxu`}Q|29JZm2KFI$w?Fi0$DYV3(AkRf**koiP@Yc}plu?vu}i z2(`-E>sJcT7BIpCx?daDm#snm^Y?jm9dstkCv3?q>#~C%=6Y}bZay2`Z_SSWK@2j* zX|@isMpy9@hj%_&MW_V?fB+Bx0^^Fnz#>R5FUTuZc0S0a&0pX>V6eG)aOhdf(?~B| zC|A)&Td+k776=9mHb*#?>!tdN7Q#1)H=Eg(vsszDVg%*y-6?I-zy0Tr&LvtLLEW&Gt?Fl}{`10QBhiAf9V>s>N>omA3puai!7yN_4u zF(^V+AOHk_01y~S0=Cxtuf{_x0KuevO_aVkHiEM3Ab%vbi?^-PzNzMcH zWyz#{Q91+dm%@)^gPwM(F_{blsccbcjWrBpkIL%XgtoAu5HI9~@?Va&XQ2+4a`i`h z+s>p@n?$s*Y-=%|7eIE%33wnWZi5 z4eU%h$q(7L)Ux=9-^H7yE^L&bLciY1LmVANTP;$nqskhrhrGSz@jAOHk_ z01yBI!$E*y&t;(|Z4=%)#kD1sO;~{tTqj%Rad^9v_bl&)1)@qnkCmt>k#r`xphCxAK2{Z z7cf@|#hlDRmn$xnapwuS1X*8Rdb`76wzE#sA)xX3>?Gq#(ep@`np0P5L`^uh#EJ4guY(;j$LD|fWkpfde_yht#00;m9ATR<1 zI6|RA#pRaEXV1#*$+`wCMg*d}1AleJA1f;4cUlW+!BKZme)Rk#r!ZdVY%)7p-9)xm zN^y33@y^;h2Ma;8OMqbDrNW^ajwM$lU{zN%6rIhLGF$7gx6DB(?DTQ;>Y}42wJ!hi z9qJYxPt#u5l(AW5C1Qt0a0J$E(w}c1cvCB6>We?eBO+#nS`#9!zfWs!c5TuUrHw?5 z6_i`F6Teq;W`AkEM{XK4Ri#B`(grPNZNYM${vQB_NKf3pSp`1 zgX0Bcgm;YuI5xpDp=olwixyx+fvhr5TksE6YOrGNks00I+$09jjnq1brjrnSS= zSquCGw!J+8Gyt-7Kd<^)-_Ty0*9GzGl^@Ji_B&Nc_=9LuSpNowoT8ysiq8qXg^%2{ zuy&sAXM862>x3#;aQ*8`eKUQW{(RNdzOdoz%}w~oP5fQwk()4Xr1W^$JvzkIv->L@dT)X$6|(NXFfKPMl`E0mMShX2g!s7?Nkcx}8U z|F4N@WtDAK9G|CRqeI0ksw8Q5{8jo#*O}fx-$r-G0&t)D?}WwE2)b7M7iE(-#_jU$ zzZKS04?cka5C8%|00;nq;U!?MD|^E`>QQZ-s!U1B(?_j87U--gNq;Bhc%EqOLT%3O z)P_Y{<39By^HL5brh4t)AoPv-;6#_DlqBuIXK0Q))=$R{#^3Pp=33E#c#wbq5C8%| z00;nqQ6ezBtErM^eJVKfB+Bx0zd!=0D(~>01|4%(G$)A{zANr zhxc|$axPY~gaN$1r>hZm1f{I)+%{?~R*?1!u_UBZHaU8_+Vw3y;sbyVfdCK~D+Erz zWQT)x1?ahFgI^jeHiMl&U`!GKIW;=drY}o`45|Y2P zd;hIS*WkD)Wn%K4(}*)OaE6yvwWG=HRFhNGEPin&tm2K%L_x1W00;m9AOHjgCIAv@ zU@pU$+ftcVhGqtOIU*Yu@xrCNqEl6>NLRLd@QP1^>2CE^nQs-kx^-!$=8_V%Pt-l$ zfHRC%LeoG12mk>f00e-*{RoWDg}gie&pmHU!~#$anW^btmC)z?>#NF6$(UX|CThI& zZfxq=Mha1~Q)y*{|5MXCJyKeEVT;{NSCf0{e$xuy0RbQY1b_e#00JXN06bD7$GWR0 z-n`g#^2F4Sm+i$b;^EABA!^lhtdPX({L6N~yCWGf-R3f00e*l z5HLRi<8x8Z{5XR}KmZ7sIRTHDq94aZEP$DF1oMEv#3TT6YGTeij2Z|40U!VbfB+D9 zECL{*9t$5-1_D3;2mk>f00br`0gzA=bKYUpKmZ5;0U!VbfWYGsu-JWYr70F5J%0Ii z*seD?o_>CQgR20gfdCKy0zd!=0D^{G0gM0wKmZ5;0U!Vb#ufpPP-APpz*-;x1b_e#00Kb3 zEC_&vGK*;dBY*%900KY&2#iw#Kl~RnYTU;HK$!VB{q;WNu(Xw_$;Y!KO3H>87`19s zpd$kz^^J?khjI$#B*7J}ie3@niC>*e-OTxG^0BhYHe|~euZsRdxGT(oI z=susPezMOS_pt!?89#gl1b_e#m@ovuBQ;^B`tE@eyoJ--^G{x@qma6)D5H$jQ|*X1 zV-8W1k>8+4R9#74UTeEiVByM?-+4hjmXE9E&>S%00AHX z1cr`)JO64a!~zT*&k<}XJ%0IiSlJsv;AYnqRdy)p&9q82!rrDcU&-8;V%0>+Qnw|2 zQli3}`6MT^ukxPq=ONVi>lZ1<&*GqSMAejBsw8+`4rVtPFbD_$0U!VbfWSx+fR(+$ z(H?IrdyOTZBxU8x+X;KY(hX6oMR-FVYA(r)KU74Y59Kj8Iwm53R!gdqwDgo5X?;7w zCBxUPSckz!WbI7ugOp zd5u}GhR0v+^^NP>-(|fjKuCA{bW+@&<5v|3as5_q+Z7XpT`Yr1<4r;hX6#TF2mk>f z00f4W04cvxP+ZZV?LZc6m*36}5OL{!(*2WCmHn3NOghzuCOJho{^<)>A*X+lk-XPb z6&I9Bn{*wBaPSZZ%$;uE^{nn?gtk<1^sUA#m)h}eaGTjI|6Oh`h0#N!%A5XoZC%Nw z4rFa5SkGUx$AR0cmf2sL{X!mDTU^@E(ZkWuT7LG&i&Ylv`$aeFRVp;~?ZcU;OzH4S z0d7Jk+4shK=cmwLWFB5`mlgZQ5ou4$a5YK<1b=zu8HfcKCHT-S5C8(^NkAjLkSA%- zS~@s8vyrN_OETx_WF9HFI&s=3U4;)2q$M} zmZ7D(B)3>$=x+n5I{K`<-hoWfB+Bx0zhD55YW_?Hz8y#3|bTv6td8RKpnTsBgBKO^)s|NXyDi_M?@`hNb)>j&~$^{X~qw+7|S>o|;-J$n&tbbzx3(p8r?^w&^Q zt+WN9sg8d-;JR#&Tf{tUjqaMHgSy;Ud<&sa_pK+rV)OZK2-PJw*YqFpaG5?7?V7cO zGAPQ5<(wz|ru6!KSaQ9+`OF6l9ebqoimVS`4VyoIeo*Abq}?fA;qsI zZWJI%MpAt28r|W{7=}!Z*xc?DBdyu4c1WjCBQ(g^s0a5CC4c}B00KZ@7zrd4?!hY& z0`%Oo!7mMCH>1|HK~Lde7J^}6T!FD5Xg`91G@bU>WmZRPIsMLwx}DObTX*QZPa4l` z^xV3KJxYqI(?EjJxoX5Pt{xd$DXal|){zim+P?h52pANlxkYlLk|OwXpLQ^=d9`ymoAO;;Zq@G(Y^vQ`e`O0hfIn0n4z8Vn zm$mfrg1k~?=R~8Zw>=zP3>v!xBW!|-Sk1KFx=x?hg(HSKHpdr;tQ~Qr^9K5qY&?1=W_#QH)ULI zm&!W=_ydcXVKB6JleB?&zn#8w=}~W7g0!?JCXuZzc)J&!^h!!w*;0rX@XHHqT zr2D`FQ+DU4r7i6NG^NJez5B}iVm8k241rQeqL5Mo+XESY(zUefnjkadVwbD9-d{}P19_HOGnCpd^N+{duL5tl?0d?4od9H|h zG9+M%ttD3IBuNW zZEcNKMsi=-laM8dd5W#bPBBT`mEid^w(D0R|j2WC8&o00br)0b4hb zb7^5iMef;FPDeung$NIkbFW=iMjnJeFVIJon|(WBQ7gYiQ-OE7&Ew1xj2bJBQ0P!` zx#jZNvvPZ~t^pyIK*a6)ct$LLj=;K2`t$7rZ)$~1eevg5P7$+0tqBp=-={SIQB{TBap(yW9J_x(U0 zv&nGvi;VdoCTI#>zUTN&oQ;p)+&F)b4yk2p-Z%AYcApRzWp+~n1_1#e00ag@Kwp2Q zps1n_AHPYkr-%arrgQqK5o2TWmhaZq z@DpIqNB^WPZ1{R}6Fz6h^zQ*=^tNY2Lpf^SU1k z63U#2jTH%{zHu=z>8I=B*N$xP>ikEHzOf`F`KNQ$q%BtvwvK+^i@q#1YR|vAw|;o7 z-27>%qw)25>51R}tG=D-wP5MCb+hpHQ`}nep`1cFNpMB0qE|$C-si9`bDAx%1qc8E zAOHk_z_1Z8(?z{u8}Ec@SbyXAmK4>@>2}w9hTD89`KL<%*N*LQ)s&>alal3|u)>QX z8PlSUyg#G+{0CfIU6!>whrJ=)8Cb!~&T06oGN$fUk-M~E-FXg;0RX5sVa(UX-6!pzANu-*Rv}pzYr3@BM{4L-TQB?n@*s{Yrj&0 z$UwYCPq+t$`cv1=$+~@6=86F90s=q)2mk>fFw6wNEj7%5N2Ph5hdZKbdUdUDscB|8 zyLU+{J2!{+JQ=BJB=xd$TQ;RtwxY>1gJU;5?L(-`WXMsL^ImLOrIzXCzc_aF47}Kf z5WS#nOjfo?UD?=IMYi)mo z^GYWMWf&z800KY&2uvUX<5EIBf6Czk!~)#&S4Md0^`ynHKAtk z;ReeShV$e{Ps;FmTyx2}JW3ehiE6Xcwj^J?iCt4#*{Sa<2$9&GVEYF1Yft8t;iG6< zDl!X6FMl3`lBI4-`lJLO>fa_gnSGV_l>Z=4+Ilz>p%f4R0zd!=0D-YY01k~B+-!}7 zL!&53%EwzSVNX(5vYlrB;17zn z2#5t34>Jj400N^z0OZu*u#W{fHMkK$X&?XufB+Bx0zlvq2*9G=BS3>HKmZ5;0U!Vb zfWSm201|4V{{mqAKmZ5;0U!VbfWRXV`0knSrkP>^Ku$dZK&S!)fB+Bx0zd!=OmqSu zp(gq-0LBjlfB+Bx0zd!=JOTkYFKTem{QUd|R{=@`0U!VbfB+Bx0^^YY?9LnHtlqL8 zWQD%Pr?&RJhdUrJ1_|u=!sU`F7GMmT4<-WvAOHl0oLp(8^2s*8y!XA0%*$cF#S>ZlF=j;Jg(YR|tYlbK#C zH-8$63qk?{KmZ5;0U!VbMw0+YsL`UY%1cSlCv-k)JNT9!h;k4PXT>f@#3KNjE-;XpMY00e-*xFP_H zdZRU+R&Jq7X`4PL85EGYPe%g`!&85zC4(T4qAO zKmZ5;0U!VbfWSZmz#}yfm66D^ndUpo*bmiQo|oCkTPR{90tEziE!gR+%B~Y0(L6#^ zNa|(hwronPY(IFo-aWlFm*ii$sip7j zTxUf3Gb;<_daR#hm*SI(yf(bqt)J9Y)i+yA)hI+EE09kn9PkMQfB+Bx0zhEY2!Mnd zCG=E#+4p}<{Jv6+``6Z-Dp7Mp90qF0O35LjURx)!F_}fxW~XgQzIYR#cA%A=`o4k? ziQPd%ndrbL5C8%|00;nq(INl~d4nTAgbR7t;q+PZnS43DDbHieh9xj0Z5C8%|U`!E6k6*ss zY&Df$o_iv%p%+iWF=2+g?R_U+N@T@$pI7*VXtyfv47g zxcgN)2yy*ZZrc?T#Oqz@!Pi5msUF-JlmG%i00;nqi9~>uUnwZA zXwY^b3%1K|=LU$l_dM>Vy}b0>8P}Q-;{P>r#S8Z=HUjiCRmBCR(k5L8A{;!#0duF@ z8=utudRE`qTKMz-)T>&MMa zs>Lz01E6V z1qlcM0U!Vb#t;F|6LWtU-?0Fi+VUoZtc5{~f`UR8dJw4Nb~zmfGC*oQQjk~3^jyXq z;JXpcGAM6eS0Tiny@)nCz}W)ns>>Vt>nXCX@P9PO!8N?}`4ze0E5G#({?rSfgxFsC z&+E4k3Y#BwYSD^<-{A$K=1(OJ1CMw_NA=L1nX8;KP+9{b<;7=DW*p1NIC=Kc4Q1z? zSaQ9+`49NjsIKQq+1@B)BrK5q^tp?|f&x4&ZlfFYKN3{hKpJ#XdUVzt;{p@YlEuMylvauVj+JDt$Cz7kpA3KD$u5eVSpkNotip1+ z-pzBs_&J08=kN3C@Q)86mQUCco(|8J-^Pt$0_<^Ohi!iQ+w7!_>zh~ipOkwpIQK8u zbAR;LKlj`W{_5zO_Xl5T_aftRxM@`AilW#>bA+I)Y~Kx-(2k!#jmB~(8Gge}_|HE8jVXg~>N>FgI0LhE~+Emt~lvbxBGadjG5;BN4R29==hEWFmL`~9S{HlKwv}&STdMcn;7&RSbA8Z z4vPK3Ar8*Ah$et~)QzerWN!CHhXlR8`g z*&xzj^hGi4X}{E1Nuz=MVc6gupQW|-Vn0FWVFr{+sk30-dv~6tZExyKA3s-pc9{(M z3Fy95QmLLhlg;3Y#diCOC5=d6)KiM$VufpvxKmp_j7?Am2mk>f00e-*FcGk1^V#Tj zi&CyN@EHbWE&ZAcdp9`=Nop(?pl)~FQPa`1k8S{+*REm?d=22!a`HS6B7 zx0Wm9bqM)z9YI3%fP2&{g4v?z&ZUJ76}e|yIUNlR6e2uC^kc7AV)8MEB{g>8GQ|CV8 z$EOukL&3?e2q=Uq&i`0}=Sv*6MAT1yPl-%Sz8#;iF(OruxHDhe^_REtVFy^>uK&v} zRotFeBI5BuoPH}46C|)Ox%4B@%#*G6)ALmqilt51XlsY5vlfUs{nZo>&6)Z?q0cf4E*`0`k|4%xx8MCw zfHxlx%yIrHf8EO^*G|ju@tbb{Z*KU%ckcu<^I>3z<{c;gnAG}&nYUD= zCZ`>5nfu=fi>DbEzHg@P`Hx(+sSD21_~><>c*(xGAnmJ!T(senP2pV&q^g3nw3IV7 zN@O*8=2Nj7LVbwp&tear>vgJ{?Y!5HZ16Jw|8Fo27CwOh5C8%|00{IaV6Gmi{&vFs z$P&#PR!37Wi0zd!=0D-#+47^YA?sAYbu?P^n zm$$yTDbSI2KXs*cjkcX|=y%#F(>rSYCs8wct17~E?xqdT1@H(&xcd8ZG*!yphe|Z( zXJ$EstP2?et7z0Wh`-kZCe^Ev6{=Q+Q7 z!b~~au`uD3qUyw+zwWN7CEVc1If?Q9F2rtx4ztItGTTMmz&0e7%9pl_| z#et*Elh7pz0Klo>Ucaf@o>5+s-$`t*mNZ#evZBhn+JyGG9O?9|!S)0x-@0SG_<0uV5L0fbPd-$o`< zLc5Uog)c|>GJ}0APr>3yhmyRS&O>%xOWBmWd)KC`g0*X&)aIt^-fYVIrp7ml>A=DQ z0SG_<0uV5J0fbOy--H8If!mc=D{e9~%xV`E-SdR<+Ba_(?%%VsA$;T8PX=m!P*cA& zl%0~ePV+-rlpX}HrX-MJKgS=r0H)L;C<_G4O90`Nd9|1EN=rAN+PNqBXazInfvURj z(0N6`eIB`ME0)|g~#L-E7~`)0s#m>00Izz zKpzPpgz6*6KD>-|V8HydBbv@Ow~p<0RV$D8#s_fKZF_CqC++)_^|lkAZEtj0H6?am zNKMeC7Ou52>xaFws+a%^3j`nl0SG_<0{td{LA`#X?fr#i(u-jyP9N>wdt^OE5IL_g zZ=bwXdui*jK994jf7&NglRJ`qzg=g$2aL6{&_eH>&5P$##ATZzpcYkl) zj9h>LXYZ36BAn_I#y-7>`lht%`kn5Vv~?8xk59{c`PXaO-m&Jp*vsmh8nl}Y%{4MR zS3b*{Yi&Cve$!Tvs=W8=NB-T* z#kN+W?9Z~{+7N&M1Rwx`!6=~r1|E!cH=jDQ!hDDGT_4YVHk2@3O-#SiloxYEU#+fh z;kr6HlX_+>&)LDlN!S%wO|Jk@~KFW(INr%;y7%l0pCi5P(2e z0fbXsJxp^;b?n^dkF^!e<*nKC!}9;dOm<+)yRMiL`U1CVyWHh(!CtbeV+A%ISrJne z`RVh1ulMi_ecPoaE1&7a!U6#ZKmY;|fIwdhAcX2`(La7YmsPX>&o(FRbzJ|?-La&& z;9p~Z>md?SN-sS3-&u#EUfD*J#npMw71k)}x)*Z24uvdKjJF}GTSp7Nep_lDT~dEs z4Of5w1Rwwb2n?veV|VY~9nc#Za5HtISaj)^>$jA|%614}7$zLf(VeZTExvfMu#PQw zIy$IrSC`A)NR6Gd^?H|G4pDoLZxYxlZyevUcI%NMDIq*zT++rhQ(U_o_Rx)kJM_Il z4?T1+9l$&cIGC!7xssy*E61Uu#)k#*SUsuVzW(=% z-zC+mh~vbvKmRX&PlpWPK6$w)w?KSLd52KW-h#04eops3-qc!r?abePzH*Mq?IoM6L?*NDA|pyDS6j!68lh|lcK&RuPQtG zqLX-vpG-Ry;!yXI&$UHeHbFewd+uP$JJOODtTWj-N>%mW3TwYTKr4x{BgD;UtgFfmExwwl#=1{JG#i zZyRPy>MsOkiAw6Pi`9=4?Tpc3fsxz1Og0#KAgrmDS}nUFvv%~T$;~=-qv?*7y_>%< zY_tdSL9*rr1TYVw$sSm%jyG?7{oX$E!oC>I0G_n4q?s2J$iz?D#W6t0lZu$eM+ns> zf)@xt00Iy&mVmmchM5)6itAyo2|t`X>`6rfvrFxxc}BZq2?|_zmf2DNL&q*7uF*0n z^9&O;gr|w~SdPrMbX|)~CMO=9N91hAj-7W_S4g$Ipt?%TJYw$hINzES+}1n*Rs7#H zezxQ~Gs@@lVYpU~Zs%be*-@GFA7(aXd+^54lSp4|bI_k<>*(n~l+tGXw&}lac=|Nc^TsE$rbj+&`lUq)Apijg zK%jR5Y8B1=euXv5N*hjCQJN7wwc_3s7L$rLbOoeXx&5T)9=iO0 zyI%#{gdBSDT`)iZ0uV5Ffn$3&m|PXq(t@*>YP69QWKqC3M>W9_;^~f6QHa0l=pxm18=@({46gN-uPycrPdQowR z=U9^p6CXfqsv(p$i((pvqS}gX&EZg_P7{uI%e2$IZ|x?WF+&r-GaaJr_6PVRIR^`Q zQAzqSJ8chClbGp&(v0wFdZ=!6>7ml@#2*Mi00IzzfDr_&S#0KOPp!Jc^vqb3JGAB> z`4pRZl&VqI)TH}bRV$eISFMoCnWQ{xHm7S6o=#mU7Kv5E{>)5tpkHhQ;$nHvZ%xVMuL*aQo=DkM z9lS!9KBYebuMmI$1Rwwb;|Oqu2e}pG)s>z-)yTb5S4R`dJ4o}j*LA6>{ApWtqvCdr znAtDC^4_IJu9e5?v43K+wvDlH{r#Owe{T5s)TtUL#Z6{PFMEDa_i;x~n6I0ywC2m~ zy<*-F(pZzn^shON40Cp=VarQu>tD=DJ>+6jT&wv#v#0(v)|}GJO*VugZ2rUuMee0b z$1|C^yc~y(i5TypiJWBBb=(x1~&b31-d?>ikeZ+o!0hT1t4l&N)%Gfy@4} zv1#qr=jS97mZvao^XAxL#`wtLo)CZl1Rwx`?gDI|i4n5gOQkoNP=xu~8ylwm+Ut5$ zD-%L}P^Qo7y(8KGyM%dcFIr%%5Q=aDo}AcpK_tG#6x!DL@zIk6nkkC9E`0yFXX%rx z|9dS@$~-H@8sjPWd+7fPA|xnm;X&)~-@aaRyq4Hfu1o$Dxy_6w-DK)$%F~#4Z35HS znu{E2(`X2k!Y~0F*Qrb5S4}4SlXe_o{x3|kIE;&nUlr-?LT*)JU;Ex&NY)cfd zagBNVrKys#n{-FUAZOg1#L(uQNy+D1JQlybIB{OZ>Z9zxtc>KIKd|IzB`f5a50}oL zTKM^C=g6c5u6bKNc;za4>dIw_OUhpPr1<;?@1JjTVh8`_a#ZN*m5}G~2*~Z1s-=#Vyy`-76O0th$mIqA;wChlyydx5VY7QI~ z)07Q|YL)9B$muu&YY>0{1T0s;QhTHg4v`?ycG9^}npd@e%lvnlGwbiJ#^qU2-ek(o9qS?#_g?jn+9tEEuOcu_wQgxwsw2 zo*TM!WsHvtX{pXTd_+4S*y)B?g#ZK~U~vNIg|fINMTH>nPyrho7t*St^@DD-f>1W? z4*^l$;}aA7%l3cEBsSF-m)3iR#{{y8jqBvu!e2M8POS@$Ul`|YhW|W!V_Qf%aseLt>A?XIfItrdX83=3J=6lbAOHbF1X>mK z#D-`Go~CG9P53&L!C zCkr^m8AZC@soUZ&J`w9mAir=jefG-eAcq4LokkH2DIJc500bal9s+5}3)boXkJLO$ zj8Z}X0(~N&sH|?~`f;fX%}l2f$J3M3QdoPNnW83QeZt7f{kwKtZr0yMaph#{D- zD`vq+RsN+C-Eg42Td-?$A(K6&T_|V&zpPxGFoDaA`wgEEImcC!UECgo-KPlH4FL#1 zz^nyacI0_=h(+A{-n>3)UfpvNHtx{Ke>7L zE6X(2$+WeCXh0Zb~2e#B7`!mDG)*#=7pmn009V? zj{rg_^Jy!SC@BW@OrjZ32nav`0uX=z1k6hSA(VNw7fK5OqYM1zw;8D z0SK6Y0KzE~Xap1i0uX=z1Rwwba}z)aWo|8o@4uZN3400Izz00bb=O9Avq z83uPF&8R)=>QR(T@0f;P zHt#I;O?dOz-Zv9G%hJ!+5z>^sGcDWo>Cbj;IQ;$$>U`SHVw%upJGW%3W-mLucf-D= zZuz^9WH*>zT~HzjKmY;|fPfhaAcQi*MkA!YFsIV*>F0tR32_Wt`pU-HZiLtjkBV6v zKXNEVSe_%Nxwh6;D+qCjSh8@{WH%NeE`o8sllulw(*Z6J0UO?UFMW z%k2H*Tq*4){y+c%5P$##An=C-5JLSSK4YCMZ&B2i%R=5=xyrdYd*|mVyM1@9^mkxN z(~!S<^?%9;J2>v87|*uSsS5YUZ~dLN@tD76VW3GyP)`TWK8aiaV||!#UkE?|0ucDa z0vOc$!-U4T07cnw1>vDg_Y&n2I(sBl{#&hXu+BMT+ujZT-W210Vo&nUmxv`yz8uL+w} z<%L<*Y+qNlQ45ZnLjVF0=o5kA8=pCZT!22I#6|i<;IX@R@Ak=s2FXP{zcgk5TD|Cw z-kH96{y)j7g;lq0xPjq`E15KNqN@IJ`;L?6nQ5X3d-#MIiAyJppvcX6X#AF&OEkHRJFwyFBaCZ z1y4r@aeA!3^2YHk$)A2Ls%FN$cmYw%)+faVG7|$3&HlApj}%Fn-NLw}jcca3_IUn% zcbZHHb>9-=4G2I00uZod0d?`0c`t6P$g3l^UcA4(AO7*Ip1%kO%0ON&$}JGzQr;ny zv$r5@yq}ZxJ-1dDAN?s|WBIwtJH(a>jUM^&2P4CnNu!CW)#aXoKX`{R`&1rOGPd`V zPj@UcBSzR;4e{nO@sql-_|&%-%dH$A^vId`;EH!nI4ny&^V3fkGLnJ|QpB{js&&0gJ5k$+YsRd+9s>|#!2g7{n|D|8BPj4hpa?3Y<@Rmuo4 zwYqdK_d~Z$HH0G8Y)<<^>VB=T_8;%34YX-1@381;qj?Vqp_DgruCoNOQGBN3$#z(H zY&fs^%9SRfys|%2DttXDMlj5Em>@Q3O~Cbo=_O2PWlqcWwSW2%xd7(WVkj#FAOL~> z5l|QWv-~wrLJk{(fwSYcvy>4l)lhEpANQIv}c<-ADH6c>w_) z4@s4_4VW(^h3O~6Ov5T~h|+VK0-}VjL|RzV%nR2J?rE;>7$D?HMViLP0s#m>00Iy& z2LXBRugugo_A`U+n9_1bafcFeT_iJF2t~`JOrHcbgs1shW;trUo$ttG@~)EBV^=(N z=E&5KCo-c-w+nKlVnUpS9(=Zm)un5pA8jiwdBHl9pMz5^D=w^a96j6p-oe)U*V1+7 z=FOrPRz4et* z4@qE3O2#Z4yY~Yxu0mp3b?F74sfSRix?jb#N7%3jcRs0WemI(aQ~UUuec;U5qnp!L ztUbqH|L=Vx8U#9^t6|I%ICvyZv=(T(^_J zvAr8QZDADxW-L&B{KZYk1u)|VG^?WbJhr8($;~d1>As*xOq>*;9ads{dn}ql3i4$? zr~UHUDBgFA&8nh37S_bWDOFu@4e^N3{I>3c7Hc=*j2X1HwXE12BHq8Rh_@soMmvZ% zY~r$I!t}MNSCZB+Jy1>J_8ur@(~T}YR1dlV-h%)HAOHaf7+rvE7sx#2R;iY0b9@y_ zm8OTsiEW(jDCX7_Ta&a*t90p5D!Jy>+KGBh(b&+W%bQWjG<{Z@g)JO&@ZcEIQ2xxA zoMY70i;2f=*NTAx5QGy_2%B&IoR!{)*L6UZgFB;E0wBleNCEe zCE*DK4pLExr0ra(NF?0wcLb z3!zv}JbNaDx+T@5XDMX2n4i+1ctbdBe$;}tWzGbi;!xaSE6>AmXLMi9y0}9nQ<_*^ zdeP*j9YV=#Wp~&^96R?xsZ|O&vnZIDSFK%>D|FFsN9Aq#QBU!%@Bj3;HosgV+P6!@ z62=H@Z3E(Bc|}`OGD~hqZWN}b?5YlaA(r299@ZcL0SG_<0wyhBJ$A7#^N8E=gzsm) z_pkeh{x)w+AO|o{KHH^JV_6d%?`vK~DND-Rtzv z7M;=O0w~4Dx4gIY>mn%=|2i;pa3&?i3%bt1$@0|9!MS3hfgMtFUqqHtS9VL>LXMOr zwkqlb0ZS23i;w;kw@$2?gYyZu)$fO=L~0)0Gv1=85?v5!=isz;eth&KA)nJNoMMWm z%02MoYoAo*RWj?;m}uXW55`5iGwY^S7XuYdI-D}FE(3A61%y!C;2Eoyj1O_OBQ4e0 zhtsy7mC!aGGndYf3-NTJ=$pkkJ9nPE%=~f;^Y5I%8Hp>O^ex`M?33Ty9$>ZeidnjF zafl0xuFpT5w)tcw8TZn@mA>tLhLwl6ul`n|9|a$X7U_?BAcX100Iyg zGy_VE`-IoPGGn&NDS~(ppuRUq(B4Ia|xiH9b#x(pGZ2GP|&u7RygnCT z5Hq0a5P(2$1kfYZ8#OaN=XT}!v)ba@I0Q#d^ld3SRIRMNed)AzAIE!SOenkT8_iET z(>3BN#3rC~Rh>P3spk5~#k)eiTxdz&(Id=&Aj{Q;Ws^*afQ`EcdJxU2s-RbG~FUz2(CQVH!9w{mgf(u!BM7Gr?#;cb8;AOHafK)}oe zFsNtd4cM#V%YWRn;IA83@2&_=cxkb>HjHkq{NjywpH2KCokae>m4cq<9-&(aEy+6Z zyR4PSin22$+;Kis)rJ40e34TmZKWH<=|_JjJ_29kJ}1&E5S#=72tWV=5HM80ij2*# zN<=Pzp>CFNJjHur=9DMgnFy*?QTAhYRs(mOAJ2DE_*89BMN7q}PgD}0Ag`W!D(Qxb zTADr7zVmz5+!0R%^E&TorI9dY37-_y0Rj+!00bT)fF7xb09o4Glv{NC{KX-z%oMns z!0}UE6;;*ETtQ^Q(n!sZh18M_6T$y>g|2bY^Gj7G}?}c;>(lzI6r;c)Z z;x8-bNBcRlTIzC{Nu$oz&`wV*PM8xD#GFgtEX>)lQ=e^Rn5$_WjY*?St36N}2tWV= zCMkdr%CKfJ{}9Ts`VP*c5kftv-Bb2`za6;%4-&$A5P-lS6u`*dAZ&D083GW100bZa zfj=sM5bBQ#;(Q1|00Izz00ai1079ri*yyM-1Rwwb2tZ)q1m->e>u^iY1wc48aGxjK z2?7v+00bZa0gDmnJl&7QRH`2#0uX=z1O}}DLa0I8^r$!lAOHafKmY>07eENrdpn#70SG_<0ubn1 zf&V^NU4vYJzBL_?t09~k5N6y20uX=z1Rwwb%Mw7E`9QX3Q*LVN&XbigV&fhho|q67 zXis0;zxB1V&H6%cW0F@c^=VE|+IoQbCy8#c3;KWCpBGU2O}s(?0uX=z1R!7v0%^$$ z)*+4>xR$6tpSC&ACGn$|!ki@;f8Vv~u;8CdT;&bKH}3UqQ7#?jpcVDBE}%m2)S-ek z2tWV=5P*P531BpD;F^Q-9KR}IR+uYAD9_MPuDo2PBCYb4R?3;(wGd1QW#eK$c;Y8X z!#`#t7oh8B09z1%00balP6FtW8o1VS@EaY`cDJUY{ARCE4+l*+rKmcw=dZhKY6&+u za!z8rzl&yPbN0?H2d~M9lUGFi!h}#4*1#1LcY*)}AOHafK;Yp5=#hH3QC}Z%yCn6% z0Xkx3Br}j_;}Rs89QyQ!pKmz)ekA97>gMxJgg6L7{3B++l)87_XG`3Qb|1*B?&~7p zdJupB1Rwwb2>dYt{1S{|ex6?%9CTJMy3^?%O}V@G?5rNQcFmK4_MLWXR_V&aJ64y^ zNnPXLsn4nD)Vi&iQLk^C?AYySY(fA65E#4y@vHwf1GxZ$xBX49<^~4`CRhjaDbnr2 z{d;ycgl~MiJ(jv%d9~su-Btq?O*DZNU0-swPX7d7D@_w>@T5zbPg|m-5P$##ATY=U z5JC;y2cWs|$mU}I^(!ZMwTDD>^QoPCl8;s}0h6k_@X&chK%@t&p>+4(_k2;vjPB9( z`DfB4uG9R`9W`*xggZe10uX=z1Rg~IgL;pm)N#xo7}TTlx4fTR)Nv`oi})-h%3bo~ z_8lkB*C>b$H#lm3(gI%xLf_2GOxb_A>^5Oi%V#cG_;N_6sSr9{0ILvy00bZa0SFjN zz=T66MO8s=!PUAJCaZ{Y96Dm`gwY;tlLDw}i!WX*tYZtFjt=7VEO+DVmgFtzqG}a! zc>Jjqo8F5J)OO@3ZyevUcI%NMDIq*zT++rhQ(SvK|9*S_KnQieOB%HQ`-tbiK`wwn zWH=ZC5P*Qi3aE>}%zJTTMP41T_2T{Q{qT=x-RDbjfCS{_qTB-UE#)0TIeQDj#``&0 z-*abm@zI|WHkO~OyhCiM(CCpLe=su4nK{bT>T*xPAH2h42leDvFI>E;_L~y3V8Q&D zFprj!3%TVAjdx@5sc$cqTRFB5jP+1K@xB#_=_GdZS6NwKy*IIX%kuXwGDBoUS@P-f zcg_uab#F#i#@=NPnTgByiF-I3yC47o2tWV=rYWE(x;$%jMP8%*%xIoRrF8pC=eCs^ zv!sp1*?HG)DXAfDZuaViiu|)8sk(c4WEXQH6U65#S)o&SV{GZXW53LLi}^thVrq5i zUhao(n`#K9me(~AM?XG~>4dUodyL@Q-)X$1(6kF}+p6?gIR~d-{yHF#kOonWSYcvy=>?#vhEUdAz8lqaRb0z_Fw}}#u~=d2G0c(a z9JJ;I1n39%?pI%xN<~=h+1R#@fjpI1bVDgEENSM2>qhsOQyl|@JgG?2_*ftS0SH*G zz>B-fbC3&QiR~-T{grvR+kR%S9aB5*DDF@~u8U+w3#VwAl>*y&A=UqRz@9YhxWtBJ1?%Q{TG)bG4P1ViBk>{X4$JWu)fheW= zSq1dF@d^P5KmY;|Fiio4>UslHGHb4_rhIH$7Skm~8Wqd{nQ<1iLNi+r#nOE}vnb80 zx{>bIC8aBy?C5bT&y0|_q(KYEp4sNbHMP3*LeOM?1V&Mwn=NJuo{I5zrxdln=4NMK z;6^{`)0Sx7t)}XlAC6|<)Xs8gA2@UNXu*ojuU=0~oHL0zju#&H=U|eq{kU~IP1SAt z5jH1ez4Hi1bva~i*1KJ{2kXYMy&DE=)lqKr6F{l9&JYrj_?pe|I($*mB%Q35H)gS6rj; z;rAFwS-S~m%%HVRX2sS#tKcYj;UC9eP&P3MR*tqeQezJ~dh(n!T~AG7rt3-fh@P_P zMwhNB3usYP0Rj+!00b;qfNdAZJlR&MmTB{P6-t$+6UvFL>5wwYLa{Z8%Ct(?_oR|* zUag&|#}thX%ong`QOPu&Rhoq@9CPsC7}8Mw%$S^G>kG0Lg_~Agbfq-tZ_iPrL6_*i zgFE*Jc3!{tj@BF}u5NMC#9Z9@WyAEj08J%lk6)A!TPBtwL?SwI-9a$Xlkfxr2dSt; z(sn7SNF?Lzn=j<#-V@!yu{2m);~KFp_JuaEj%` zV}9U_z9rS9XDMX2T9{!z-VhF(AGM%unKOZ>I23o-%JXpC8QoZrE(TG_lqOb}UNoSo z_DHeahuQyJT6ooOVgQe&kd_wK(9QxkraMZlQYdJ(TEWD>YK2_RWU*PZIhqiv^P;@6 zFFA!&f3oS%p4BIkQ;Hs6_Fk|pu?>ie#>V{1OIj9c*6IyBJGN^m|h?5s(D77rkU&S?_BzG!_TKq)i^0`)-kE?{2*Sp zuVhZxJQv%u(l6t`7Kb~L-=%p>ciJf5Fn4RdY1PH>W;fwEIOSEMO9f)>9Gq76ZhpeB zu}t!Rr!**iW$gtsX9qdyx7uEB9N)Ayx+H$pWU@bL$B`NxkHfgQ_*IeKF64G);mOTAFO}&|*S*=# ze-T3UGcYdy2L)30S7hjO0si2na5@AaFz5tKI!9{IwMN$pQ{It@@!lo7w>lFL z#wA4fGGnk#g0*i)amyvm`pi8hZVFzo@HzXOH(ySU-%`kld~zJqKWF0_^Y%+IRQ1h{ z!w6^GoW#)P-AT!FR~^W6osl@t;{g+yb}b9GAOHafKmY;|=puj+stbo{ZO|1NsYec6 zmeH-vMdwTF?cKOc$V1nqZ`rjYuhSGEc3#mT@?=#lMbYnZ6(N(mu$-koaW z;N@u}%WHe?R4%EL+k3lHq-p@i^*R*>s}O(y1Rwwb^A@oB`=0&BkqclpjcDUO;hCh# z&4+ehuI;JJ6vd_NJ%Z^U-dy$mUw2mo#4n8V?kP&Pv2h`-Dq0^s(F#J@Fw^p5fdB*` z009UK%QdbJ0t$Xc*o2wshKtU=%?HLnW%`CWS#h3)=FeW*_jgVxE^PF zZ&lP28p)Omv8HiR1(9_=d2zS?8FrMPlN%nF?v;bBAU__4EH zYtNMSI5Ie36~v9qR^YnL{0ig(m~Hc+;1Ga7-wR;wD8oz#a_%ViDJ%cE#H~~L>UJmX zIPJ46HK9}Txa7w-k}|K@Kk=89^P~M7SuJ(B%-m5-nz={#XDLs6b(~zcKk4%$HEjLd zQBBwKPj23Qc_4GlF?Uo)YhVom5P$##%wGT@lwoZ+kRg;|B{TV>5ki@K6QO_*fB*y_ zV2D6k@`803*)v28$3g%C5P$##AYhn4{k!?ESbQ!3!YRW(6gV0J5P$##AOHafFaijn z@G*b@1Rwwb2tWV=1`8mBGMEe}KmY;|fB*y_00I3hjF5OV0ijU%Xb0jb2$0zS@%_-^ za{AiO)|ekX_?yLG>}upa^tfB*y_009dVK#!DR4SFL@cHa{g z-S-{50Rad=00IzzfQ1PlFUrCi6xD$M1Rwwb^A#wX#@>fq0CQ|Vgj43&YA7=VAOHaf zKmYD|Q0CZbC^G~g009U<00Kr9KnT@84bV`!e?#)z z#BZ`AA+hvRX{b||bs00Izz00hiL03lRAG!*6f+}kg&n(RV#T-zaH$--5W-B^UU2*&wR zvTH3&R~0)Te%VLyBV9TU!x{u2009U<00L$rke0k)9pb2dXe`QYglnf5in#;j78dHS zjhAkhoVi$L?;oZ)z;1+(V?W#;mxKTWAYkDFzOM#8j$8l>Z)7v89tM>LuEA7=`{TF% zPTP3QU$Zc<^@ZZ2U4tc9^3~q8yH@&M-mxdW`q9q8 zQ4oLt1Rwwb2$-Y*LZ|_0mWHzI^JUs+^z4QTB4S)6x#dj*a%0>C0uX=z1Rwx`ei1+j z)i12wFG|;C>`yz8uL+w}<%L<*Y+qM)_hTMqd+Gm7eHpm`k0OO*AOHafKmY;*C-B(a zyLSifZsva{&oA#AfL1TMqpM$Y{ueKNBG%6wMF=na2)?wn2@X;&Lt{vN0g8&2|009U_5 z;4u>eXcu`^L2hp8EpF)CX+HXW_fRTJ(vuTYPN?Gkov|j+w(V`r&g4%{TxljO&+xeS zHmwk9pNUi6IKE}=)+0qyCa@94C2d?Y#lVo|Q9`JDN{Ag0fB*y_0D(RdP#1rh_u|Hi zygFj*#rxa);UCZHn4z$bZeh@6#n&azAw2=;4&SrlQ5xPdLiMiOu2qj2+Lnswu8fFy+2Ov;88Xrvz~yG%bKq zr4lBk?oEp75>7RV_MIS6YuC&Sbafpjd?6{0$LzR4lvnm=N`0d>JY%dZnMbLaH$_D;{)#wDa_ds@BbOVcQeT6XOUll|*B zX4vwxj3}98~ zh?Ua9l4f3bpnk?n#{eNuD$+DQ76?E90uX?JIS9yee`T_6?PmttF{R~>;tnO`x=3cU z5Q>&bnSKar2v76m6wA?rdATE#$-7Egk6rQ9nIls_p2#HU+%CwGiV1NRdhppMR+p}Y zexxmzbcpwdQKS;n=n;rW=YhDwshr<1D)G zYl@}o24PW}S9K%Zts6>LHrdhRR-PFlZ%Km|jy4l)tXDzqpjhz^H@nYV$ zNAd`q_<=VrZozqfk5|JdFQy*?KwLI45~fB*#gSD@!U8C6Ygc7aU$^t%0siIW1f ziRWx@k3~~RLB8zgv|nBu#rtk?|CVeZu5R>jis=S)A3bH>Xq7@i*ld=(IO`glbKfY5 zJ#5m98M^)|%KpAbISg|oB27nQ+xQ*R8O3sRGlLnTw1SY3M4m}$ui))~Jm zik1~$Dj}E|&NF)|5>Cns7(yiIiQ{ z!7F0DBm!5 zYrbjKrBjg~an%Io;3V?$A1~xzZ=i{lt(%`PZ0vB&ke#ah#IZbGN|e4T&g17s@w;?J zDNDA@dHx_Xp=QUzoB!{OwSl%uaeDGv-5i{cKlSQ+@5KwWqkJ86aI!o#b8xPhXkf3@ z+!y;k1FEC&_pBi~>K+p8fB*y_Ft`QO;-f#strKhJ;C#Yu_50x|k(x*MjJGJNL>ENb zIXG>dA0ItQ$mewL_+Y-$a}WIZ+9y?cl}s_IG10y$AB>B3XVy)vE(R)^LI`DGk&Sw| z(LyM?VteAQ)65Ua=oij}m-Z$2vLwH3-;sH`LP7DKh)Y-)>&N_;RG+;&b$7mIJenI6 zv1;j)ftr5T>WrPK2QJHqoofj5J2X+AT|!a)HSr1o2tWV=5P-lV3K)M-?-2_+*bk$; zS8d<0s!gFTW8HzWNDmgN&)AV!8M^r2?|aD4r==YIZR(m3az1V6Rsa9DJ!%Bil)Yug zro;aKT;f`JIQ0-6v2E7`_lEpU>rxK{tz7E!p!rM(yEf_%0SG_<0uXqZfHJOnwmuiY z__^i}D=psdE>M3yBhz`t;vhRxeJQJD<{QR~xAufcjFK?!N{Jk{6l4C%K zgS@;>MN3ZSw}#Fe$LwUe3gSXq^Uh0pG227;a$p+*5P$##ATWpp5JH(-GY!ZlPORSrn3@Ot+2Apk&{91cvBy0nDJdC?W(P0D*oN zz@T2g6Zho}8p=*dT&HOs$I~nJ;#zyp;moLZx~t4DlRJC4+q+H+wYhxsawW~oRC@VPA$#&< zqs@7%D>?o`00Izz00hik0E2qw)PkypdO0QFw2#P9-b+_TZr<_vf-hPrUeMx|Ge$6@ zb@2;hcOH4|6~Lfg|N7$U5P$##AOHafSfl_# zD2r@XR0;wRfB*y_0D*oMNK0O@4sldJBjfUeSKw2J4WC$aF2LYzTGSi@5P(280fbZC zK(Gk`2tWV=5P$##9xi~#^&W22`3Rv<*m)D{5P$##AOHaf3{C+&qGwpU3-1nj@Cl;F zZaw$_ybA#cKmY;|=vknpC}BEs0eZGE@xADgGOU4aq{$v~!lH+~kGCNJ0SG_<0uZnO z0pvwlKqI0G5P$##AOHaf47313sDT#8{U87V2tWV=5U>CNgisdHh!#+V?@xcj{6aFH z%$gqgtOZmDRe%5lAOL~EC4g{haJ4sT3jqi~00IzzK%WR8gz6K<`&^`Sby+*NKl|dlbN{-1)0sMzZZ}<@yMO!K7q@3g^oQXU0uX=z1Rwwb(-uGo)o<<7 z^4q2j-`4tga60ZlUpsu@U`xcdT^kO+J5GM)Oi>H-UVYY&5PRl5 zc0l~HkK#wVv>%2Q2tWV=5P$##OkM!pApO=vl-mebqH5@L{g&!7n$114|K+?&8R3R5 zh)#hR&Vl!@6I6lqKoOi76*kasSR(6KLChl=8;$Es5_O z5kK{hGh2lE-I|?iw;m~y62cS4C2d?Y#lXPj(Zi|sf?x##5P$##Akb$5>f$f+Uffub zS4V8Ucz=68{Nq`j<|*v6yFB`Z79YQ&K3&O_xIqARMJFcNFKKfI_#`1HO zcZe+&8a?vk4@QPLGjE$(T{=qqNNW%2UwNc!JnBJm@rA6jrD{igJfk~LRdea=&$1yQ zGoFr_ImugHdf~!Vx#k^}wBW=^k(7GyN8`rvHP0?jSMqsX3(<6OQ+)iVQcuq=yOkxM zE`R6TuvhnHWM%AK=8&1Ve4n_>0oZ^51Rwwb2$-^fqUiFh)fIV-_A{e-9+lGVFP+;~ zYRvLB7H8*OyQQRtxVhP@8!Gb8ilpl9<&j;?iA)fmt7L^v;f=AS^N#&8>n&#DA7W~C z>0a)KZVzAxrBe!kzvBIK3opl$zznzkA17OLK8#Xq1k>B(NluB z9rIS+TN|ZHB}_`)n-tYOgi`UB?fdGz*kPSdQC``fDHXn+6eAesI!q9ov?k#C!SoVk z=R>d#0SG_<0uV4=0d>JY%dZnMbLaH$_D;{)#wDa_ds@B1SOr$gu3c#&#Bt2DX;Y@m z2y?R{%8KH;ZZVWvEK&!ByRAx}m2+_V<*x$*326}3h!rMQmtGhSU5S zDDF@~u8U+w3#VwAl$}JHZs^zRz0%(rVz zZgzo8+Zkd%V&bF#ZL&Gr+hfrbQjjnEIqjF%M)AH|-1!XiTsL|MMX@O&S9J6`(F(N{ zyHl@JS6240Ni$|>VqPZdwKp(+()KzviJ4v}-4l7rrW;*)rMlh;TM&T2pcB{|JGM}t z3oz&^j|!We0NXB*dBCkwEz_p=DwHZsUz8JD(=TO|Me}t|2(8j}L8;`LS8FHgF-2oT zlP+aOCDVO>Gif`*F$WKhAr0lvjLA8+z94H+xM|g;7l1tnlfAf5FHd2TqMWRnsx(Pa znnf+ElHK8WINmomipAl!Eu8xvqr23-e|Z9dgH%)^X?sU15=lLU0t06|xc9Qy0|5v? z00Iyg7y#4xI-mVnpjrxveZeFM4}|B zYE5oilT<2^u!yazt0PfLBuxClnfWt27T)}SXRLKhkDarXc^tH3Vd-Yx?3i+s<*Au+bHzjhJE7*jXw0;y zj{4kZ4S7-bfx&JFKmY=kBA^x@{V8spSTp736K<>D4^N3S?$3!Sszet=+9@|}ogW`P zNyzX1NInCv%02MoYoAo*RWj?;m}uXW55`5iGwY^S7ehZIX~_$&Zu{VjJ{Mr!z{OOC zmee$lH>a42uFp+9kaCtJe6&jcGc&gf52x-pA+9A3z9BObmxg#TJ;V*A`*&s>FK4=C z*}jwKB*yzQ|G;U!dU40@GkG-%iWjta<-$2WB!A1MNpl_5P$## zAOHc&6Bx*mJvzZP|0m)pxi}MSCfmi!(Q$cTCv4AQ zn?zAr-Rc$MrI||0-Ye9#wX#}4B)?sz`LUDTScLML92H9ccDh>shy`<4bA`2972M02egmb*>Fg6nWTO5c5Z48HG77Dc_;(RU=_F=G~fnhceL00bZa0SMer03p=Ehrwac#;(O&wcGHzoZR;;Bm`ug}kK4vhCeMwA)0K8g$h z2tdGy0u6PwO!5ey%$gqgtPzXRkGDpTR6pXH*rh4oNMBXn>D&e;NUBIbTr)h<--Y7( z+BatxGUIp5M6`8GwB+K)Wzp69leT=6&&=(1yX2b_MXuqYx@oprYVsN!g4;qX6RRAG z0|5v?00IygSON4%4XpQo-A(f2>NhgWw6`mIsP;OfrM{kKyJJL8 zr-8o^fB*y_Ft`OU<)&fnZ%$Kg8dftL4FL#100IzzfB^y+$TI*7heE(mftvN|ZI+!2 zV5kU=hX4d1V2J_x%sOzkfq6fLXU73J(DYKwwY{Aer7^5P$## zAOHaf3~B*{P=mVpQF#bJ00L$z@R<7(2ayY4rj2Kb#YUQWzqKk|pPPChv$h)5P$##AOHafn4|y(_4=t<*a7j&KI+<~L^re&dmC2Q8*)QuB`%%dMG=~x$Yb5T$k%FcOaFHcasl)jc!dB2AOHafn1BGnsex+*%Ev#n#beIA z34v5a#+E(FyFGWU^lyuv=<19eN6JDMCiqYTS0LO80uX=z1Rwx`-U?t)ueWlBpEopg z&KpZ61UeI9?;RaKlDb-0rOPvKDcika&uP#3AIAGWtUt=|yW$K8KmY;|fB*#gK>#6C zKcL>{lFj86*BbQi(S#;8njR;*djH?kNi=syaWUvs)OKv~kT8?Tnc1 z1$pSoqlQoqy$}w700bZa0SNR$KwbQ0-isS6^6H4K7w>QHhkrba(~GP0-6`^NQEq|w zmhujvoV^8MMqPaLr-Y5==PK_ITPieqv zhaN5$U&uOJs&>?eIc+B>s(#Em`K!X-zUu{4(t;BwMN;a)AB`Kw*F3vCUCHNlIa!j) zT4~Qrc*!TTrbj-TxZ+c>Fllc_)>r>nVtXQa`KKjHCYUPuboo2yhP}${&e*%mAv1CL zK5>_8U;_dWfB*y_V9ElDqRX>ZSL8L?&y41IR7$tMbZ%RzG0WRnoSk>=mXaFc=4P*M zsK`GnlB&CxM|LqMGC_Q1MX8T1%PYL2aXbJ$ON+nE6-J2BEC7e=9r4He*Zdx-_FwB)N zjD7vjJgKOti72n^&y)&ZPl{o74->>DtqHh(FkKT`VSxYyAOHafn1g`2;GgB!37NTb z`geP$=WOE=(zHFT-e{9It7X@&G!f!BX4BTx=5xVF5P+|2B_$?Ov>~_P(yf{+p`=! z*rcvSCX*8n=G(q~u^zkPsWU5do3{&cq+&vxg&usie4k0xrM)`yzC2QL zHYG(Aux!OdM`crWGjZg#Ps?QM=;=U|QYLc>3j`nl0YbJvF?5bhnU z9c!*OQ-*EJV!EVAqk1&s7sgC;OADV8fdq?k7 z_gw#>J0@hk^MGUKX1)7>ca8YgvAr9Ncz4_y0uX=z1T0ga=RO%#O>TC9O#A4%{fLQ^ z0xZn61`m{|zL9yV#l3{A|-M7{P8j-Q%DpDbUI&U>7LG0Hr?pbLuLMri5frv0uX?JMGLU)G(Uw=sg`Lw1r$n^rvJ%_ zt?7$0%0jWVb4jao-A*dG=GEGXdQ8#S(4cu zaMP+wF93TEAbWA40Xl`n;kGTDZW-!b3ZN|6w|vFd{Pkab(iT5y-sK4d4pLExr0qzl zNF?pv!Hr0Rad=00IygKmqpH5GH78IbNihXs{+x*PqE^TiYC<#rWB%xNv)L?b-EOsl33Szp7P*`z z)@%-2H}=|5=_ZLpNmSLEJhvvPR3c#!TUS?B$*#mtoBq7xRUwf`+M*|Bw_`wDEbsZP zDVh8=;f~T1DZ8qJSH$u=u7x!SKmY;|fPhI0SdU%o8~Cp)#}mGv6=_$T#q|1cSIu)V zUXi)}{?4U8H~f6+RE?A3W*w6O&kyP}Go-d)oUnN=wr8bZ#(ymicOt(_^O$e!QNCgB z)_l{di{Xj`H~pqsD*ER1wJym?wvSJpJ%L@C^=)C7$Mmd*M$CJ1NY#mBdF?+#r>&Ut z__^3G-#*AA!_gOO#<7F={H%Pn&~%JOf;}V zYVM0Bn)%eJu05lt|4}d&XN7RiX(Us@_ll(=Y`--(2Lv;V;(KpX$rlejjyG=MAL5mX>M*C2z!u|1Ef7g#^6W_Sk zw+Sx2yf(Y4Q_BQvu3&TTxt$KdDg+<^0SG|AG6l>mwcIirVL)p|S03J#eAPREXVdXS zY;{iZ{)&*5Z*CLVl%(!@XJ<}u%9C7L!5R_2@7iM>sifz*zx-p)@wql%gn!8|t7)43f7 zVhsWifB*y_V4(u&ma@=>y??b_d_0+C{4Vc1`%epP+fi9qCijW(qKI6gP*tCPb5&|t zBXJLoOiXw(us!Ok&fb01chypDN@GvwcDXn@O^dv_ldRhh>D{BdDs5P5Y5g+c{Q(W4`>vkH`?q#5iv zX@%xG?MB)jh;0E~$P{-~=m;60g%w9L5js02DMzVIv~AVJ6>x(z=meNbh=9q+;0!P? zhuCMB;bnxCxdJnHX1@0ixOeXJ%zd8EL&smw{oUsxoU+n^W!x>Afd2Q*x$>1;#LIdf zVVoSe@{Pzv+7;3qr-X^;aIRI}(j}gE)D>1bg$4FZN9nI}e_h5GM+FE#00IzzfTal_ zgtD{|8=LmFmgOg(;Jlg=8Rn&*Xj0VQyiWfILbuU0DPpfXp}tm8>naSOp;hlTxNh$m z{DuGoAOHafSgim;D61V>1|4gw$dD+WO?W=2KQPkVIwRSfb@4i#dFp5?I&qaVTS$|o z==O7UGx3_zKL<5LT?SW1Q3yZ)0uX?Jg$f|G+(HNLVVkXK%H8^5fo`eNeW|Mmp$k7H zc9c}zYpzO4`B?w0o-ygKhl$1Ovhz1bouczkj|M!Q6zSXZq@Jd=ML9vx{~p8E%Ax8q zT+Q@hJH!5ZKFhLRvhrL2_74JD2muH{VC)631}8IPt5}1RS(i~70uX=z1Rwx`!2-Cc zH`oN9KmY;|fB*y_0D)ly5JC+Dgwqg!00bZa0n-UI1^=}Wxd5i~9<3`OoEj}jd=CU5 z009U<00K57fDp=t1{+<400bZa0SG`~v;^>^9y3XiNW`oHN<#nw5P$##AYhFGcsh^S zsEWELGOAEM?k=P9He9&DV+no1pH;sjz=lT`U55Y!AYkPJ`N?axV_J&YAUEdAm{nNI ztT;+T00Izz00bal5duh#vWQ_qBOw3*2tWV=5MY-8LMV2P2U-IG2tWV=MhNV9b59&{ z0gQk`5fcd@oH7wKE&~AwKmY;|fPgg#AcV4}(L`S$009U<00Iy&kpNQ5O$1Gdyi_8| z{;EMn>?h3&PK;UM=SURS{+)HOxU5-8#(O>$DUJ_xZ@sYpm5&<+v`G+?9v_BR{SFYp zE(9O|0SG{V4FU+EOf(9u7xFX8+!NC`1i7{pzI`C|GvP;KWp-w^)ydc+syf zUeYvu{trb+++$8AZXGTM0SH*3z+>B9%0e!H6%H)A#3ljU)HCI1$V(3%NWCUZN_cX5 zZ{)-kMjp#aIuPgkZPuaVP5Q>D>r0A>FbvaCrW_nx3jz>;00bbwL;xWa6Ri=I?X1i_ zl-(A*Ys-`L89nXRcBA;hjaKd6_{qYMX9X>#^>XbI(KKAR!4=M#)N_Cz5P$##AOHaf zuuuRYl!*pKQCW~tJ#$CgBJbY$C!)Din46zhp$(hV^_4|U4!#11p4KRDTvNEs7SNP) zY!H9|1Rwwb2(VMYn)9MOayq-%mu5EBln$E`v|dj z3wTca@{FEPOQX2aVejs0&BMgb|1i)h2tWV=5P$#!f&An(+sAcxcQdGB#-ggm)0v6e z3hI{ZKbtAy=^G-iIi8lh?@XUi0;eA_I^@(p{cGaJ6_=WH|fnjs@?w%9mO3SdVFZVTjxI< zQ^n%WVzyM9;2ndsr+*wuEk z;#|3u-Vid}WEV?9W9rT~a08d}{dtmF4ybq_T%sfrNJM85X&TxU-Qa;HNkYbTyA16pFYAa=>w zSltJmmrJB|gt&@4eH_{kv#KuxT5RmDg@jPUc1K?R{?0S}i2W-JUqd%+JrsZd1Rwwb z2v~}MQvFjKZL6JIPj;{ak4vYaZr@YV8)S6H3|p5{`vNl#SC)&55Z>@Aynh(ozcnVqSTxOVQgwo%CbjNN zV(4$^4%h32{l}6XP-)QDEGpVI=(7iXu&U^94>~>e=T7FlHTD<56(9fs2tdFl1%}QH zQa6_tUzYVeS>-tW@h4{WB%3=-@m#xhz-Eg#ID>?VPpR+0;#s*%J+ zzpskeCy5menG)4IUOZuJPGJ;1Qk2Ark3>kamS~gEd4m5Rfc4hIZwNpD0uX=z8w4E2 z`_Tv78oFfkRvJyyR;jf!JT4CAnU12D<~V2<>d~lmnNaF>?Qc65&N$`0Ho5L`F11WM zXQka7ME*yP_>;E!=lx4g?zmjEHke&~(Y2D%PYa)sYCN78eSjM)$%^n9J`{2m2(&>K z&zZ~R^7*<0Mp!5e0SG_<0uV5#fWv}cbIA7{r>i{sg7$ZU>F3_!B2MOj@zVr;n-q({*2p&ylr~RYyYU;?lZFEVWFLU6tqg(uQ`gh%%zBTmf zGiSP9z0!8&>#v(#l(+BDtaqQ;{QGjECImg_&O0YPD*mD_*oFKkEu;UG&-D$OWaq=K zzA*Q*j3qZ4B@rw4&__D^H!fXyb8BOCSaMbWXWBhc#@YSBwF#lo=k*Cty3^A}Yvs*V z>&=|!WZ2!|kB}ENyb($;7kKSwmrt!E7l3)^Q3C?(5$LKr@y)vJb=u`OAM@Cl5}X#Q zeQM8qoAOrqf69B7-{iSYoBxE!XTp8q6m6QiH1E=;eYeUQ=sw3k%r|X!K$!OBv25!L zLq*F7rx42xTKIHhSVmE@(JBQfdmVfsfJ<)soy_E&TrH2X>Of)is_=-!*GxOOok z^Hi;H!{HcT{rmlfs7sgpxSE?KDQH``H|@96`(7A0hWz+y2tWV=5P$$%1cpwsXG`nQ zj?oloEy_G}Tr=g-0XK46FXU&GxyPh$KY1YP*^ZLb&$Lf6s;?Dn&b~Tn#=!O8hp0%f&c^{009UXEr1ZpXex^@=rBthl`ft$@CG`^Yhip$c#wcY zI9`E)Zte9l8bWbh7bc~MS5CDbFt0R3UBVIkZp)wI7rPHAX7NVo00bZa0SJtZz+w_W zSIPDv;mbo;kIfa#`mFW#!sJ02z`uVz~(e#eu(~1UR9y+4)oMcLkXsM z6OH!nb^kU*UBdC0E+A^{N^sa9009U<00Oorke|F}JEo;FFklDyD10p#0*tyBz7PTsfPke6;HI9Xj@+oUTTxk%Q9W}< z9Ac?a;l!6f00IzzfDH*?(I{qvZNZC1wOrcx#^*QsyXzT~9yKX9#b6ave#i%Dq3s9X z*?dXaS8&3j4Tsm<*?fQ9*B94+{K~$%-nS$X!VkvMQGICGfdB*`00FBPKnTTbh%GpT zV%AZVh5!U000A=yOzwVz-X20OfEnmVc1hgS8<`(!LjVF0fB*y_V3Ps}p=@&4(P;=k z00Izz00c%RfDmeAey9xr2tWV=5P*P93Lu2C$zf+ literal 0 HcmV?d00001 diff --git a/scratch.asciidoc b/scratch.asciidoc new file mode 100644 index 00000000..7bdc3005 --- /dev/null +++ b/scratch.asciidoc @@ -0,0 +1,93 @@ + +==== Outputs - The fundamental unit of bitcoin + +If we accept that bitcoin transactions don't actually contain "senders" and "recipients", that concepts such as accounts, balances and addresses are not part of the low-level transaction structure, then what are transactions actually... transacting? + +The answer is that the fundamental building block "transacted" in bitcoin is an _output_. An output is a discreet and indivisible unit of value. Bitcoin transactions consume previously created outputs and create new outputs. The set of all outputs in the bitcoin system that are spendable and have not yet been spent is called the _Unspent Transaction Output Set_ or UTXO Set. In a sense, the bitcoin system is a system for keeping track of the ownership and state of unspent transaction outputs (UTXO), across a decentralized network. + +[TIP] +==== +_Outputs_ are the fundamental building blocks of bitcoin. They are indivisible units of value, consumed and created by transactions. +==== + +Each bitcoin transaction is therefore an _atomic state change_ applied to the UTXO Set. Transactions are _atomic_ meaning they happen in their entirety or not at all. + +.Bitcoin is not "transmitted" +**** +To make things easier for bitcoin users to understand, we say that someone is "sending" bitcoin. But in practice, bitcoin is not transmitted. Instead, a transaction simultaneously consumes outputs (perhaps those controlled by one user's wallet), while creating outputs (which may be controlled by a different user's wallet). As such, there is no time in which bitcoin is "in transit" between users or accounts. A transaction either happens, instantaneously changing the state of outputs, or it doesn't. +**** + +==== Balances, Accounts and Outputstcoin ccooiinn sssystem yysstteemm iiss tthis t + +Balances and accounts are abstractions created by wallets. A wallet counts all the unspent outputs that are controlled by the keys it contains. That sum of outputs is the "wallet balance". But nowhere in the bitcoin system is there any concept of balance, account, wallet or user. + + +[TIP] +==== +((("accounts")))((("balances")))There are no accounts or balances in bitcoin; there are only _unspent transaction outputs_ (UTXO) scattered in the blockchain. +==== + + + +In <>, we use the blockchain.info API to find the unspent outputs (UTXO) of a specific address. + +[[get_utxo]] +.A script that calls the blockchain.info API to find the UTXO related to an address +==== +[source, python] +---- +include::code/get-utxo.py[] +---- +==== + +Running the script, we see a list of transaction IDs, a colon, the index number of the specific unspent transaction output (UTXO), and the value of that UTXO in satoshis. The locking script is not shown in the output in <>. + +[[get_utxo_run]] +.Running the get-utxo.py script +==== +[source,bash] +---- +$ python get-utxo.py +ebadfaa92f1fd29e2fe296eda702c48bd11ffd52313e986e99ddad9084062167:1 - 8000000 Satoshis +6596fd070679de96e405d52b51b8e1d644029108ec4cbfe451454486796a1ecf:0 - 16050000 Satoshis +74d788804e2aae10891d72753d1520da1206e6f4f20481cc1555b7f2cb44aca0:0 - 5000000 Satoshis +b2affea89ff82557c60d635a2a3137b8f88f12ecec85082f7d0a1f82ee203ac4:0 - 10000000 Satoshis +... +---- +==== + + + +===== Spending conditions (encumbrances) + +((("encumbrance")))((("locking scripts")))Transaction outputs associate a specific amount (in satoshis) to a specific _encumbrance_ or locking script that defines the condition that must be met to spend that amount. In most cases, the locking script will lock the output to a specific bitcoin address, thereby transferring ownership of that amount to the new owner. When Alice paid Bob's Cafe for a cup of coffee, her transaction created a 0.015 bitcoin output _encumbered_ or locked to the cafe's bitcoin address. That 0.015 bitcoin output was recorded on the blockchain and became part of the Unspent Transaction Output set, meaning it showed in Bob's wallet as part of the available balance. When Bob chooses to spend that amount, his transaction will release the encumbrance, unlocking the output by providing an unlocking script containing a signature from Bob's private key.(((range="endofrange", startref="ix_ch06-asciidoc4")))(((range="endofrange", startref="ix_ch06-asciidoc3")))(((range="endofrange", startref="ix_ch06-asciidoc2"))) + + + +In <>, we show the use of a "greedy" algorithm to select from available UTXO in order to make a specific payment amount. In the example, the available UTXO are provided as a constant array, but in reality, the available UTXO would be retrieved with an RPC call to Bitcoin Core, or to a third-party API as shown in <>. + +[[select_utxo]] +==== +[source, python] +---- +include::code/select-utxo.py[] +---- +==== + +If we run the _select-utxo.py_ script without a parameter, it will attempt to construct a set of UTXO (and change) for a payment of 55,000,000 satoshis (0.55 bitcoin). If you provide a target payment amount as a parameter, the script will select UTXO to make that target payment amount. In <>, we run the script trying to make a payment of 0.5 bitcoin or 50,000,000 satoshis. + +[[select_utxo_run]] +.Running the select-utxo.py script +==== +---- +$ python select-utxo.py 50000000 +For transaction amount 50000000 Satoshis (0.500000 bitcoin) use: +([<7dbc497969c7475e45d952c4a872e213fb15d45e5cd3473c386a71a1b0c136a1:0 with 25000000 Satoshis>, <7f42eda67921ee92eae5f79bd37c68c9cb859b899ce70dba68c48338857b7818:0 with 16100000 Satoshis>, <6596fd070679de96e405d52b51b8e1d644029108ec4cbfe451454486796a1ecf:0 with 16050000 Satoshis>], 'Change: 7150000 Satoshis') +---- +==== + + +[NOTE] +==== +The sequence number is used to override a transaction prior to the expiration of the transaction locktime, which is a feature that is currently disabled in bitcoin. Most transactions set this value to the maximum integer value (0xFFFFFFFF) and it is ignored by the bitcoin network. If the transaction has a nonzero locktime, at least one of its inputs must have a sequence number below 0xFFFFFFFF in order to enable locktime.(((range="endofrange", startref="ix_ch06-asciidoc5"))) +==== From 2de323d6c12afa8ab7062012b4f82aa2690613e1 Mon Sep 17 00:00:00 2001 From: "Andreas M. Antonopoulos" Date: Mon, 12 Dec 2016 15:15:42 +0200 Subject: [PATCH 19/24] ch06 fixup --- ch06.asciidoc | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/ch06.asciidoc b/ch06.asciidoc index abb3ac11..08488a7e 100644 --- a/ch06.asciidoc +++ b/ch06.asciidoc @@ -134,12 +134,9 @@ When transactions are transmitted over the network or exchanged between applicat | Variable | Locking-Script | A script defining the conditions needed to spend the output |======= -//// -You need a transition sentence explaining that people don't use serialized data internally in their programs - -However, most programs do not store data in the serialized format and need to.... -//// +Most bitcoin libraries and frameworks do not store transactions internally as byte-streams, as that would require complex parsing every time you needed to access a single field. For convenience and readability, bitcoin libraries store transactions internally in data structures (usually object-oriented structures). -The process of converting from the byte-stream representation of a transaction to whatever data structure (e.g. a transaction object) is used to store transactions internally in your program, is called _de-serialization_ or _transaction parsing_. (((de-serialization)))Most bitcoin libraries have functions for transaction serialization and de-serialization. +The process of converting from the byte-stream representation of a transaction to a library's internal representation data structure is called (((de-serialization)))_de-serialization_ or _transaction parsing_. The process of converting back to a byte-stream for transmission over the network, for hashing or for storage on disk is called (((serialization)))_serialization_. Most bitcoin libraries have built-in functions for transaction serialization and de-serialization. See if you can manually decode Alice's transaction from the serialized hexadecimal form, finding some of the elements we saw above. The section containing the two outputs is highlighted to help you: From f4ae9ae7ce851e76e1b6605bb883e3e34b657d92 Mon Sep 17 00:00:00 2001 From: "Andreas M. Antonopoulos" Date: Mon, 12 Dec 2016 18:47:36 +0200 Subject: [PATCH 20/24] move advanced transaction stuff to next chapter --- ch06.asciidoc | 237 +------------------------------------------------- 1 file changed, 1 insertion(+), 236 deletions(-) diff --git a/ch06.asciidoc b/ch06.asciidoc index 08488a7e..9cba48c9 100644 --- a/ch06.asciidoc +++ b/ch06.asciidoc @@ -134,7 +134,7 @@ When transactions are transmitted over the network or exchanged between applicat | Variable | Locking-Script | A script defining the conditions needed to spend the output |======= -Most bitcoin libraries and frameworks do not store transactions internally as byte-streams, as that would require complex parsing every time you needed to access a single field. For convenience and readability, bitcoin libraries store transactions internally in data structures (usually object-oriented structures). +Most bitcoin libraries and frameworks do not store transactions internally as byte-streams, as that would require complex parsing every time you needed to access a single field. For convenience and readability, bitcoin libraries store transactions internally in data structures (usually object-oriented structures). The process of converting from the byte-stream representation of a transaction to a library's internal representation data structure is called (((de-serialization)))_de-serialization_ or _transaction parsing_. The process of converting back to a byte-stream for transmission over the network, for hashing or for storage on disk is called (((serialization)))_serialization_. Most bitcoin libraries have built-in functions for transaction serialization and de-serialization. @@ -430,28 +430,6 @@ image::images/msbt_0502.png["TxScriptSimpleMathExample"] Transactions are valid if the top result on the stack is TRUE (noted as ++{0x01}++), any other non-zero value or if the stack is empty after script execution. Transactions are invalid if the top value on the stack is FALSE (a zero-length empty value, noted as ++{}++) or if script execution is halted explicitly by an operator, such as OP_VERIFY, OP_RETURN, or a conditional terminator such as OP_ENDIF. See <> for details. ==== -==== Transaction Data Structure - -((("transactions","structure of")))A transaction is a((("data structure"))) _data structure_ that encodes a transfer of value from a source of funds, called an((("inputs, defined"))) _input_, to a destination, called an((("outputs, defined"))) _output_. Transaction inputs and outputs are not related to accounts or identities. Instead, you should think of them as bitcoin amounts—chunks of bitcoin—being locked with a specific secret that only the owner, or person who knows the secret, can unlock. A transaction contains a number of fields, as shown in <>. - -[[tx_data_structure]] -.The structure of a transaction -[options="header"] -|======= -|Size| Field | Description -| 4 bytes | Version | Specifies which rules this transaction follows -| 1–9 bytes (VarInt) | Input Counter | How many inputs are included -| Variable | Inputs | One or more transaction inputs -| 1–9 bytes (VarInt) | Output Counter | How many outputs are included -| Variable | Outputs | One or more transaction outputs -| 4 bytes | Locktime | A Unix timestamp or block number -|======= - -.Transaction Locktime -**** -((("locktime")))((("transactions","locktime")))Locktime, also known as nLockTime from the variable name used in the reference client, defines the earliest time that a transaction is valid and can be relayed on the network or added to the blockchain. It is set to zero in most transactions to indicate immediate propagation and execution. If locktime is nonzero and below 500 million, it is interpreted as a block height, meaning the transaction is not valid and is not relayed or included in the blockchain prior to the specified block height. If it is above 500 million, it is interpreted as a Unix Epoch timestamp (seconds since Jan-1-1970) and the transaction is not valid prior to the specified time. Transactions with locktime specifying a future block or time must be held by the originating system and transmitted to the bitcoin network only after they become valid. The use of locktime is equivalent to postdating a paper check. -**** - ==== Turing Incompleteness @@ -461,14 +439,6 @@ Transactions are valid if the top result on the stack is TRUE (noted as ++{ ((("stateless verification of transactions")))((("transactions","statelessness of")))The bitcoin transaction script language is stateless, in that there is no state prior to execution of the script, or state saved after execution of the script. Therefore, all the information needed to execute a script is contained within the script. A script will predictably execute the same way on any system. If your system verifies a script, you can be sure that every other system in the bitcoin network will also verify the script, meaning that a valid transaction is valid for everyone and everyone knows this. This predictability of outcomes is an essential benefit of the bitcoin system.(((range="endofrange", startref="ix_ch06-asciidoc12")))(((range="endofrange", startref="ix_ch06-asciidoc11")))(((range="endofrange", startref="ix_ch06-asciidoc10")))(((range="endofrange", startref="ix_ch06-asciidoc9"))) -[[std_tx]] -=== Standard Transactions - -In the first few years of bitcoin's development, the developers introduced some limitations in the types of scripts that could be processed by the reference client. These limitations are encoded in a function called +isStandard()+, which defines five types of "standard" transactions. These limitations are temporary and might be lifted by the time you read this. Until then, the five standard types of transaction scripts are the only ones that will be accepted by the reference client and most miners who run the reference client. Although it is possible to create a nonstandard transaction containing a script that is not one of the standard types, you must find a miner who does not follow these limitations to mine that transaction into a block. - -Check the source code of the Bitcoin Core client (the reference implementation) to see what is currently allowed as a valid transaction script. - -The five standard types of transaction scripts are pay-to-public-key-hash (P2PKH), public-key, multi-signature (limited to 15 keys), pay-to-script-hash (P2SH), and data output (OP_RETURN), which are described in more detail in the following sections. [[p2pkh]] ==== Pay-to-Public-Key-Hash (P2PKH) @@ -507,208 +477,3 @@ image::images/msbt_0503.png["Tx_Script_P2PubKeyHash_1"] [[P2PubKHash2]] .Evaluating a script for a P2PKH transaction (Part 2 of 2) image::images/msbt_0504.png["Tx_Script_P2PubKeyHash_2"] - -[[p2pk]] -==== Pay-to-Public-Key - -((("pay-to-public-key")))Pay-to-public-key is a simpler form of a bitcoin payment than pay-to-public-key-hash. With this script form, the public key itself is stored in the locking script, rather than a public-key-hash as with P2PKH earlier, which is much shorter. Pay-to-public-key-hash was invented by Satoshi to make bitcoin addresses shorter, for ease of use. Pay-to-public-key is now most often seen in coinbase transactions, generated by older mining software that has not been updated to use P2PKH. - -A pay-to-public-key locking script looks like this: - ----- - OP_CHECKSIG ----- - -The corresponding unlocking script that must be presented to unlock this type of output is a simple signature, like this: - ----- - ----- - -The combined script, which is validated by the transaction validation software, is: - ----- - OP_CHECKSIG ----- - -This script is a simple invocation of the +CHECKSIG+ operator, which validates the signature as belonging to the correct key and returns TRUE on the stack. - -[[multisig]] -==== Multi-Signature - -((("multi-signature scripts")))((("transactions","multi-signature scripts")))Multi-signature scripts set a condition where N public keys are recorded in the script and at least M of those must provide signatures to release the encumbrance. This is also known as an M-of-N scheme, where N is the total number of keys and M is the threshold of signatures required for validation. For example, a 2-of-3 multi-signature is one where three public keys are listed as potential signers and at least two of those must be used to create signatures for a valid transaction to spend the funds. ((("multi-signature scripts","limits on")))At this time, standard multi-signature scripts are limited to at most 15 listed public keys, meaning you can do anything from a 1-of-1 to a 15-of-15 multi-signature or any combination within that range. The limitation to 15 listed keys might be lifted by the time this book is published, so check the((("isStandard() function"))) +isStandard()+ function to see what is currently accepted by the network. - -The general form of a locking script setting an M-of-N multi-signature condition is: - ----- -M ... N OP_CHECKMULTISIG ----- - -where N is the total number of listed public keys and M is the threshold of required signatures to spend the output. - -A locking script setting a 2-of-3 multi-signature condition looks like this: - ----- -2 3 OP_CHECKMULTISIG ----- - -The preceding locking script can be satisfied with an unlocking script containing pairs of signatures and public keys: - ----- -OP_0 ----- -or any combination of two signatures from the private keys corresponding to the three listed public keys. - -[NOTE] -==== -((("CHECKMULTISIG implementation")))The prefix +OP_0+ is required because of a bug in the original implementation of +CHECKMULTISIG+ where one item too many is popped off the stack. It is ignored by +CHECKMULTISIG+ and is simply a placeholder. -==== - -The two scripts together would form the combined validation script: - ----- -OP_0 2 3 OP_CHECKMULTISIG ----- - -When executed, this combined script will evaluate to TRUE if, and only if, the unlocking script matches the conditions set by the locking script. In this case, the condition is whether the unlocking script has a valid signature from the two private keys that correspond to two of the three public keys set as an encumbrance. - -[[op_return]] -==== Data Output (OP_RETURN) - -((("ledger, storing unrelated information in")))((("OP_RETURN operator")))((("transactions","storing unrelated information in")))Bitcoin's distributed and timestamped ledger, the blockchain, has potential uses far beyond payments. Many developers have tried to use the transaction scripting language to take advantage of the security and resilience of the system for applications such as((("digital notary services")))((("smart contracts")))((("stock certificates"))) digital notary services, stock certificates, and smart contracts. Early attempts to use bitcoin's script language for these purposes involved creating transaction outputs that recorded data on the blockchain; for example, to record a digital fingerprint of a file in such a way that anyone could establish proof-of-existence of that file on a specific date by reference to that transaction. - -((("blockchains","storing unrelated information in")))The use of bitcoin's blockchain to store data unrelated to bitcoin payments is a controversial subject. Many developers consider such use abusive and want to discourage it. Others view it as a demonstration of the powerful capabilities of blockchain technology and want to encourage such experimentation. Those who object to the inclusion of non-payment data argue that it causes "blockchain bloat," burdening those running full bitcoin nodes with carrying the cost of disk storage for data that the blockchain was not intended to carry. Moreover, such transactions create UTXO that cannot be spent, using the destination bitcoin address as a free-form 20-byte field. Because the address is used for data, it doesn't correspond to a private key and the resulting UTXO can _never_ be spent; it's a fake payment. These transactions that can never be spent are therefore never removed from the UTXO set and cause the size of the UTXO database to forever increase, or "bloat." - -In version 0.9 of the Bitcoin Core client, a compromise was reached with the introduction of the +OP_RETURN+ operator. +OP_RETURN+ allows developers to add 80 bytes of nonpayment data to a transaction output. However, unlike the use of "fake" UTXO, the +OP_RETURN+ operator creates an explicitly _provably unspendable_ output, which does not need to be stored in the UTXO set. +OP_RETURN+ outputs are recorded on the blockchain, so they consume disk space and contribute to the increase in the blockchain's size, but they are not stored in the UTXO set and therefore do not bloat the UTXO memory pool and burden full nodes with the cost of more expensive RAM. - -+OP_RETURN+ scripts look like this: - ----- -OP_RETURN ----- - -The data portion is limited to 80 bytes and most often represents a hash, such as the output from the SHA256 algorithm (32 bytes). Many applications put a prefix in front of the data to help identify the application. For example, the http://proofofexistence.com[Proof of Existence] digital notarization service uses the 8-byte prefix +DOCPROOF+, which is ASCII encoded as +44 4f 43 50 52 4f 4f 46+ in hexadecimal. - -Keep in mind that there is no "unlocking script" that corresponds to +OP_RETURN+ that could possibly be used to "spend" an +OP_RETURN+ output. The whole point of +OP_RETURN+ is that you can't spend the money locked in that output, and therefore it does not need to be held in the UTXO set as potentially spendable—+OP_RETURN+ is _provably un-spendable_. +OP_RETURN+ is usually an output with a zero bitcoin amount, because any bitcoin assigned to such an output is effectively lost forever. If an +OP_RETURN+ is encountered by the script validation software, it results immediately in halting the execution of the validation script and marking the transaction as invalid. Thus, if you accidentally reference an +OP_RETURN+ output as an input in a transaction, that transaction is invalid. - -A standard transaction (one that conforms to the +isStandard()+ checks) can have only one +OP_RETURN+ output. However, a single +OP_RETURN+ output can be combined in a transaction with outputs of any other type. - -Two new command-line options have been added in Bitcoin Core as of version 0.10. The option +datacarrier+ controls relay and mining of OP_RETURN transactions, with the default set to "1" to allow them. The option +datacarriersize+ takes a numeric argument specifying the maximum size in bytes of the OP_RETURN data, 40 bytes by default. - -[NOTE] -==== -OP_RETURN was initially proposed with a limit of 80 bytes, but the limit was reduced to 40 bytes when the feature was released. In February 2015, in version 0.10 of Bitcoin Core, the limit was raised back to 80 bytes. Nodes may choose not to relay or mine OP_RETURN, or only relay and mine OP_RETURN containing less than 80 bytes of data. -==== - -[[p2sh]] -==== Pay-to-Script-Hash (P2SH) - -((("multi-signature scripts","P2SH and", id="ix_ch06-asciidoc17", range="startofrange")))((("Pay-to-script-hash (P2SH)", id="ix_ch06-asciidoc18", range="startofrange")))((("transactions","Pay-to-script-hash", id="ix_ch06-asciidoc19", range="startofrange")))Pay-to-script-hash (P2SH) was introduced in 2012 as a powerful new type of transaction that greatly simplifies the use of complex transaction scripts. To explain the need for P2SH, let's look at a practical example. - -In <> we introduced Mohammed, an electronics importer based in Dubai. Mohammed's company uses bitcoin's multi-signature feature extensively for its corporate accounts. Multi-signature scripts are one of the most common uses of bitcoin's advanced scripting capabilities and are a very powerful feature. Mohammed's company uses a multi-signature script for all customer payments, known in accounting terms as "accounts receivable," or AR. With the multi-signature scheme, any payments made by customers are locked in such a way that they require at least two signatures to release, from Mohammed and one of his partners or from his attorney who has a backup key. A multi-signature scheme like that offers corporate governance controls and protects against theft, embezzlement, or loss. - -The resulting script is quite long and looks like this: - ----- -2 5 OP_CHECKMULTISIG ----- - - -Although multi-signature scripts are a powerful feature, they are cumbersome to use. Given the preceding script, Mohammed would have to communicate this script to every customer prior to payment. Each customer would have to use special bitcoin wallet software with the ability to create custom transaction scripts, and each customer would have to understand how to create a transaction using custom scripts. Furthermore, the resulting transaction would be about five times larger than a simple payment transaction, because this script contains very long public keys. The burden of that extra-large transaction would be borne by the customer in the form of fees. Finally, a large transaction script like this would be carried in the UTXO set in RAM in every full node, until it was spent. All of these issues make using complex output scripts difficult in practice. - -Pay-to-script-hash (P2SH) was developed to resolve these practical difficulties and to make the use of complex scripts as easy as a payment to a bitcoin address. With P2SH payments, the complex locking script is replaced with its digital fingerprint, a cryptographic hash. When a transaction attempting to spend the UTXO is presented later, it must contain the script that matches the hash, in addition to the unlocking script. In simple terms, P2SH means "pay to a script matching this hash, a script that will be presented later when this output is spent." - -In P2SH transactions, the locking script that is replaced by a hash is referred to as the((("redeem script"))) _redeem script_ because it is presented to the system at redemption time rather than as a locking script. <> shows the script without P2SH and <> shows the same script encoded with P2SH. - -[[without_p2sh]] -.Complex script without P2SH -|======= -| Locking Script | 2 PubKey1 PubKey2 PubKey3 PubKey4 PubKey5 5 OP_CHECKMULTISIG -| Unlocking Script | Sig1 Sig2 -|======= - -[[with_p2sh]] -.Complex script as P2SH -|======= -| Redeem Script | 2 PubKey1 PubKey2 PubKey3 PubKey4 PubKey5 5 OP_CHECKMULTISIG -| Locking Script | OP_HASH160 <20-byte hash of redeem script> OP_EQUAL -| Unlocking Script | Sig1 Sig2 redeem script -|======= - -As you can see from the tables, with P2SH the complex script that details the conditions for spending the output (redeem script) is not presented in the locking script. Instead, only a hash of it is in the locking script and the redeem script itself is presented later, as part of the unlocking script when the output is spent. This shifts the burden in fees and complexity from the sender to the recipient (spender) of the transaction. - -Let's look at Mohammed's company, the complex multi-signature script, and the resulting P2SH scripts. - -First, the multi-signature script that Mohammed's company uses for all incoming payments from customers: - ----- -2 5 OP_CHECKMULTISIG ----- - -If the placeholders are replaced by actual public keys (shown here as 520-bit numbers starting with 04) you can see that this script becomes very long: - ----- -2 -04C16B8698A9ABF84250A7C3EA7EEDEF9897D1C8C6ADF47F06CF73370D74DCCA01CDCA79DCC5C395D7EEC6984D83F1F50C900A24DD47F569FD4193AF5DE762C58704A2192968D8655D6A935BEAF2CA23E3FB87A3495E7AF308EDF08DAC3C1FCBFC2C75B4B0F4D0B1B70CD2423657738C0C2B1D5CE65C97D78D0E34224858008E8B49047E63248B75DB7379BE9CDA8CE5751D16485F431E46117B9D0C1837C9D5737812F393DA7D4420D7E1A9162F0279CFC10F1E8E8F3020DECDBC3C0DD389D99779650421D65CBD7149B255382ED7F78E946580657EE6FDA162A187543A9D85BAAA93A4AB3A8F044DADA618D087227440645ABE8A35DA8C5B73997AD343BE5C2AFD94A5043752580AFA1ECED3C68D446BCAB69AC0BA7DF50D56231BE0AABF1FDEEC78A6A45E394BA29A1EDF518C022DD618DA774D207D137AAB59E0B000EB7ED238F4D800 5 OP_CHECKMULTISIG ----- - -This entire script can instead be represented by a 20-byte cryptographic hash, by first applying the SHA256 hashing algorithm and then applying the RIPEMD160 algorithm on the result. The 20-byte hash of the preceding script is: - ----- -54c557e07dde5bb6cb791c7a540e0a4796f5e97e ----- - -A P2SH transaction locks the output to this hash instead of the longer script, using the locking script: - ----- -OP_HASH160 54c557e07dde5bb6cb791c7a540e0a4796f5e97e OP_EQUAL ----- -which, as you can see, is much shorter. Instead of "pay to this 5-key multi-signature script," the P2SH equivalent transaction is "pay to a script with this hash." A customer making a payment to Mohammed's company need only include this much shorter locking script in his payment. When Mohammed wants to spend this UTXO, they must present the original redeem script (the one whose hash locked the UTXO) and the signatures necessary to unlock it, like this: - ----- - <2 PK1 PK2 PK3 PK4 PK5 5 OP_CHECKMULTISIG> ----- - -The two scripts are combined in two stages. First, the redeem script is checked against the locking script to make sure the hash matches: - ----- -<2 PK1 PK2 PK3 PK4 PK5 5 OP_CHECKMULTISIG> OP_HASH160 OP_EQUAL ----- -If the redeem script hash matches, the unlocking script is executed on its own, to unlock the redeem script: - ----- - 2 PK1 PK2 PK3 PK4 PK5 5 OP_CHECKMULTISIG ----- - -===== Pay-to-script-hash addresses - -((("addresses, bitcoin","Pay-to-Script-Hash (P2SH)")))((("Pay-to-script-hash (P2SH)","addresses")))Another important part of the P2SH feature is the ability to encode a script hash as an address, as defined in BIP-13. P2SH addresses are Base58Check encodings of the 20-byte hash of a script, just like bitcoin addresses are Base58Check encodings of the 20-byte hash of a public key. P2SH addresses use the version prefix "5", which results in Base58Check-encoded addresses that start with a "3". For example, Mohammed's complex script, hashed and Base58Check-encoded as a P2SH address becomes +39RF6JqABiHdYHkfChV6USGMe6Nsr66Gzw+. Now, Mohammed can give this "address" to his customers and they can use almost any bitcoin wallet to make a simple payment, as if it were a bitcoin address. The 3 prefix gives them a hint that this is a special type of address, one corresponding to a script instead of a public key, but otherwise it works in exactly the same way as a payment to a bitcoin address. - -P2SH addresses hide all of the complexity, so that the person making a payment does not see the script. - -===== Benefits of pay-to-script-hash - -((("Pay-to-script-hash (P2SH)","benefits of")))The pay-to-script-hash feature offers the following benefits compared to the direct use of complex scripts in locking outputs: - -* Complex scripts are replaced by shorter fingerprints in the transaction output, making the transaction smaller. -* Scripts can be coded as an address, so the sender and the sender's wallet don't need complex engineering to implement P2SH. -* P2SH shifts the burden of constructing the script to the recipient, not the sender. -* P2SH shifts the burden in data storage for the long script from the output (which is in the UTXO set) to the input (stored on the blockchain). -* P2SH shifts the burden in data storage for the long script from the present time (payment) to a future time (when it is spent). -* P2SH shifts the transaction fee cost of a long script from the sender to the recipient, who has to include the long redeem script to spend it. - -===== Redeem script and isStandard validation - -((("pay-to-script-hash (P2SH)","isStandard validation")))((("pay-to-script-hash (P2SH)","redeem script for")))Prior to version 0.9.2 of the Bitcoin Core client, pay-to-script-hash was limited to the standard types of bitcoin transaction scripts, by the +isStandard()+ function. That means that the redeem script presented in the spending transaction could only be one of the standard types: P2PK, P2PKH, or multi-sig nature, excluding +OP_RETURN+ and P2SH itself. - -As of version 0.9.2 of the Bitcoin Core client, P2SH transactions can contain any valid script, making the P2SH standard much more flexible and allowing for experimentation with many novel and complex types of transactions. - -Note that you are not able to put a P2SH inside a P2SH redeem script, because the P2SH specification is not recursive. You are also still not able to use +OP_RETURN+ in a redeem script because +OP_RETURN+ cannot be redeemed by definition. - - -[WARNING] -==== -((("Pay-to-Script-Hash (P2SH)","locking scripts")))P2SH locking scripts contain the hash of a redeem script, which gives no clues as to the content of the redeem script itself. The P2SH transaction will be considered valid and accepted even if the redeem script is invalid. You might accidentally lock bitcoin in such a way that it cannot later be spent.(((range="endofrange", startref="ix_ch06-asciidoc19")))(((range="endofrange", startref="ix_ch06-asciidoc18")))(((range="endofrange", startref="ix_ch06-asciidoc17")))(((range="endofrange", startref="ix_ch06-asciidoc0"))) -==== - -Note that because the redeem script is not presented to the network until you attempt to spend a P2SH output, if you lock an output with the hash of an invalid transaction it will be processed regardless. However, you will not be able to spend it because the spending transaction, which includes the redeem script, will not be accepted because it is an invalid script. This creates a risk, because you can lock bitcoin in a P2SH that cannot be spent later. The network will accept the P2SH encumbrance even if it corresponds to an invalid redeem script, because the script hash gives no indication of the script it represents. From a71ed6a4a6592bdd40545224c02f0c4d74e0adfd Mon Sep 17 00:00:00 2001 From: "Andreas M. Antonopoulos" Date: Wed, 14 Dec 2016 18:23:52 +0200 Subject: [PATCH 21/24] Signatures, SIGHASH and ECDSA Math --- ch06.asciidoc | 204 +++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 195 insertions(+), 9 deletions(-) diff --git a/ch06.asciidoc b/ch06.asciidoc index 9cba48c9..3e66453e 100644 --- a/ch06.asciidoc +++ b/ch06.asciidoc @@ -350,9 +350,9 @@ Eugenia's wallet application will calculate the appropriate fee by measuring the ((("scripts", id="ix_ch06-asciidoc9", range="startofrange")))((("transactions","script language for", id="ix_ch06-asciidoc10", range="startofrange")))((("transactions","validation", id="ix_ch06-asciidoc11", range="startofrange")))((("validation (transaction)", id="ix_ch06-asciidoc12", range="startofrange")))Bitcoin clients validate transactions by executing a script, written in a Forth-like scripting language. Both the locking script (encumbrance) placed on a UTXO and the unlocking script that usually contains a signature are written in this scripting language. When a transaction is validated, the unlocking script in each input is executed alongside the corresponding locking script to see if it satisfies the spending condition. -Today, most transactions processed through the bitcoin network have the form "Alice pays Bob" and are based on the same script called a Pay-to-Public-Key-Hash script. However, the use of scripts to lock outputs and unlock inputs means that through use of the programming language, transactions can contain an infinite number of conditions. Bitcoin transactions are not limited to the "Alice pays Bob" form and pattern. +Today, most transactions processed through the bitcoin network have the form "Payment to Bob's bitcoin address" and are based on a script called a Pay-to-Public-Key-Hash script. However, the use of scripts to lock outputs and unlock inputs means that through use of the programming language, transactions can contain an infinite number of conditions. Bitcoin transactions are not limited to the "Payment to Bob's bitcoin address" script. -This is only the tip of the iceberg of possibilities that can be expressed with this scripting language. In this section, we will demonstrate the components of the bitcoin transaction scripting language and show how it can be used to express complex conditions for spending and how those conditions can be satisfied by unlocking scripts. +The Pay-to-Public-Key-Hash script is only the tip of the iceberg of possibilities that can be expressed with this scripting language. In this section, we will demonstrate the components of the bitcoin transaction scripting language and show how it can be used to express complex conditions for spending and how those conditions can be satisfied by unlocking scripts. [TIP] ==== @@ -363,15 +363,15 @@ Bitcoin transaction validation is not based on a static pattern, but instead is ((("scripts","construction of")))((("validation (transaction)","script construction for")))Bitcoin's transaction validation engine relies on two types of scripts to validate transactions: a locking script and an unlocking script. -((("locking scripts","transaction validation and")))((("validation (transaction)","locking scripts")))A locking script is an encumbrance placed on an output, and it specifies the conditions that must be met to spend the output in the future. Historically, the locking script was called a _scriptPubKey_, because it usually contained a public key or bitcoin address. In this book we refer to it as a "locking script" to acknowledge the much broader range of possibilities of this scripting technology. In most bitcoin applications, what we refer to as a locking script will appear in the source code as +scriptPubKey+. +((("locking scripts","transaction validation and")))((("validation (transaction)","locking scripts")))A locking script is an spending condition placed on an output: it specifies the conditions that must be met to spend the output in the future. Historically, the locking script was called a _scriptPubKey_, because it usually contained a public key or bitcoin address (public key hash). In this book we refer to it as a "locking script" to acknowledge the much broader range of possibilities of this scripting technology. In most bitcoin applications, what we refer to as a locking script will appear in the source code as +scriptPubKey+. You will also see the locking script referred to as a _witness script_ (see <>) or more generally as a _cryptographic puzzle_. These terms all mean the same thing, at different levels of abstraction. -((("unlocking scripts","transaction validation and")))An unlocking script is a script that "solves," or satisfies, the conditions placed on an output by a locking script and allows the output to be spent. Unlocking scripts are part of every transaction input, and most of the time they contain a digital signature produced by the user's wallet from his or her private key. Historically, the unlocking script is called _scriptSig_, because it usually contained a digital signature. In most bitcoin applications, the source code refers to the unlocking script as +scriptSig+. In this book, we refer to it as an "unlocking script" to acknowledge the much broader range of locking script requirements, because not all unlocking scripts must contain signatures. +((("unlocking scripts","transaction validation and")))An unlocking script is a script that "solves," or satisfies, the conditions placed on an output by a locking script and allows the output to be spent. Unlocking scripts are part of every transaction input. Most of the time they contain a digital signature produced by the user's wallet from his or her private key. Historically, the unlocking script is called _scriptSig_, because it usually contained a digital signature. In most bitcoin applications, the source code refers to the unlocking script as +scriptSig+. You will also see the unlocking script referred to as a _witness_ (see <>). In this book, we refer to it as an "unlocking script" to acknowledge the much broader range of locking script requirements, because not all unlocking scripts must contain signatures. -Every bitcoin client will validate transactions by executing the locking and unlocking scripts together. For each input in the transaction, the validation software will first retrieve the UTXO referenced by the input. That UTXO contains a locking script defining the conditions required to spend it. The validation software will then take the unlocking script contained in the input that is attempting to spend this UTXO and execute the two scripts. +Every bitcoin validating node will validate transactions by executing the locking and unlocking scripts together. For each input in the transaction, the validation software will first retrieve the UTXO referenced by the input. That UTXO contains a locking script defining the conditions required to spend it. The validation software will then take the unlocking script contained in the input that is attempting to spend this UTXO and execute the two scripts. In the original bitcoin client, the unlocking and locking scripts were concatenated and executed in sequence. For security reasons, this was changed in 2010, because of a vulnerability that allowed a malformed unlocking script to push data onto the stack and corrupt the locking script. In the current implementation, the scripts are executed separately with the stack transferred between the two executions, as described next. -First, the unlocking script is executed, using the stack execution engine. If the unlocking script executed without errors (e.g., it has no "dangling" operators left over), the main stack (not the alternate stack) is copied and the locking script is executed. If the result of executing the locking script with the stack data copied from the unlocking script is "TRUE," the unlocking script has succeeded in resolving the conditions imposed by the locking script and, therefore, the input is a valid authorization to spend the UTXO. If any result other than "TRUE" remains after execution of the combined script, the input is invalid because it has failed to satisfy the spending conditions placed on the UTXO. Note that the UTXO is permanently recorded in the blockchain, and therefore is invariable and is unaffected by failed attempts to spend it by reference in a new transaction. Only a valid transaction that correctly satisfies the conditions of the UTXO results in the UTXO being marked as "spent" and removed from the set of available (unspent) UTXO. +First, the unlocking script is executed, using the stack execution engine. If the unlocking script executed without errors (e.g., it has no "dangling" operators left over), the main stack (not the alternate stack) is copied and the locking script is executed. If the result of executing the locking script with the stack data copied from the unlocking script is "TRUE," the unlocking script has succeeded in resolving the conditions imposed by the locking script and, therefore, the input is a valid authorization to spend the UTXO. If any result other than "TRUE" remains after execution of the combined script, the input is invalid because it has failed to satisfy the spending conditions placed on the UTXO. Note that the UTXO is permanently recorded in the blockchain, and therefore is invariable and is unaffected by failed attempts to spend it by reference in a new transaction. Only a valid transaction that correctly satisfies the conditions of the output results in the output being considered as "spent" and removed from the set of unspent transaction outputs (UTXO set). <> is an example of the unlocking and locking scripts for the most common type of bitcoin transaction (a payment to a public key hash), showing the combined script resulting from the concatenation of the unlocking and locking scripts prior to script validation. @@ -385,7 +385,7 @@ image::images/msbt_0501.png["scriptSig_and_scriptPubKey"] ((("Script language", id="ix_ch06-asciidoc13", range="startofrange")))((("scripts","language for", id="ix_ch06-asciidoc14", range="startofrange")))The bitcoin transaction script language, called _Script_, is a Forth-like reverse-polish notation stack-based execution language. If that sounds like gibberish, you probably haven't studied 1960's programming languages. Script is a very simple language that was designed to be limited in scope and executable on a range of hardware, perhaps as simple as an embedded device, such as a handheld calculator. It requires minimal processing and cannot do many of the fancy things modern programming languages can do. In the case of programmable money, that is a deliberate security feature. -Bitcoin's scripting language is called a stack-based language because it uses a data structure called a((("stack, defined"))) _stack_. A stack is a very simple data structure, which can be visualized as a stack of cards. A stack allows two operations: push and pop. Push adds an item on top of the stack. Pop removes the top item from the stack. +Bitcoin's scripting language is called a stack-based language because it uses a data structure called a((("stack, defined"))) _stack_. A stack is a very simple data structure, which can be visualized as a stack of cards. A stack allows two operations: push and pop. Push adds an item on top of the stack. Pop removes the top item from the stack. Operations on a stack can only act on the top-most item on the stack. A stack data structure is also called a Last-In-First-Out, or "LIFO" queue. The scripting language executes the script by processing each item from left to right. Numbers (data constants) are pushed onto the stack. Operators push or pop one or more parameters from the stack, act on them, and might push a result onto the stack. For example, +OP_ADD+ will pop two items from the stack, add them, and push the resulting sum onto the stack. @@ -400,7 +400,7 @@ The following is a slightly more complex script, which calculates ++2 + 7 – 3 ---- Try validating the preceding script yourself using pencil and paper. When the script execution ends, you should be left with the value TRUE on the stack. -Although most locking scripts refer to a bitcoin address or public key, thereby requiring proof of ownership to spend the funds, the script does not have to be that complex. Any combination of locking and unlocking scripts that results in a TRUE value is valid. The simple arithmetic we used as an example of the scripting language is also a valid locking script that can be used to lock a transaction output. +Although most locking scripts refer to a public key hash (essentially, a bitcoin address), thereby requiring proof of ownership to spend the funds, the script does not have to be that complex. Any combination of locking and unlocking scripts that results in a TRUE value is valid. The simple arithmetic we used as an example of the scripting language is also a valid locking script that can be used to lock a transaction output. Use part of the arithmetic example script as the locking script: @@ -443,7 +443,7 @@ Transactions are valid if the top result on the stack is TRUE (noted as ++{ [[p2pkh]] ==== Pay-to-Public-Key-Hash (P2PKH) -((("pay-to-public-key-hash (P2PKH)", id="ix_ch06-asciidoc15", range="startofrange")))((("transactions","pay-to-public-key-hash", id="ix_ch06-asciidoc16", range="startofrange")))The vast majority of transactions processed on the bitcoin network are P2PKH transactions. These contain a locking script that encumbers the output with a public key hash, more commonly known as a bitcoin address. Transactions that pay a bitcoin address contain P2PKH scripts. An output locked by a P2PKH script can be unlocked (spent) by presenting a public key and a digital signature created by the corresponding private key. +((("pay-to-public-key-hash (P2PKH)", id="ix_ch06-asciidoc15", range="startofrange")))((("transactions","pay-to-public-key-hash", id="ix_ch06-asciidoc16", range="startofrange")))The vast majority of transactions processed on the bitcoin network spend outputs locked with a Pay-to-Public-Key-Hash or "P2PKH" script. These outputs contain a locking script that locks the output to a public key hash, more commonly known as a bitcoin address. An output locked by a P2PKH script can be unlocked (spent) by presenting a public key and a digital signature created by the corresponding private key (see >). For example, let's look at Alice's payment to Bob's Cafe again. Alice made a payment of 0.015 bitcoin to the cafe's bitcoin address. That transaction output would have a locking script of the form: @@ -477,3 +477,189 @@ image::images/msbt_0503.png["Tx_Script_P2PubKeyHash_1"] [[P2PubKHash2]] .Evaluating a script for a P2PKH transaction (Part 2 of 2) image::images/msbt_0504.png["Tx_Script_P2PubKeyHash_2"] + +[[digital_sigs]] +=== Digital Signatures (ECDSA) + +So far, we have not delved into any detail about "digital signatures". In this section we look at how digital signatures work and how they can present proof of ownership of a private key without revealing that private key. + +The digital signature algorithm used in bitcoin is the _Elliptic Curve Digital Signature Algorithm_, or _ECDSA_. ECDSA is the algorithm used for digital signatures based on elliptic curve private/public key pairs, as described in <>. + +A digital signature serves three purposes in bitcoin (see <>). First, the signature proves that the owner of the private key, who is by implication the owner of the funds, has *authorized* the spending of those funds. Secondly, the proof of authorization is *undeniable* (non-repudiation). Thirdly, the signature proves that the transaction (or specific parts of the transaction) have not and *can not be modified* by anyone other than the owner of the private key. + +Note that each transaction input is signed independently. This is critical, as neither the signatures, nor the inputs have to belong or be applied by the same "owners". In fact, a specific transaction scheme called "CoinJoin" uses this fact to create multi-party transactions for privacy. + +[NOTE] +==== +Each transaction input and any signature it may contain is _completely_ independent of any other input or signature. Multiple parties can collaborate to construct transactions and sign only one input each. +==== + +[[digital_signature_definition]] +.Wikipedia's Definition of a "Digital Signature" +**** +A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message or documents. A valid digital signature gives a recipient reason to believe that the message was created by a known sender (authentication), that the sender cannot deny having sent the message (non-repudiation), and that the message was not altered in transit (integrity). + +_Source: https://en.wikipedia.org/wiki/Digital_signature_ +**** + +==== How Digital Signatures Work + +A digital signature is a _mathematical scheme_, that consists of two parts. The first part is an algorithm for creating a signature, using a private key (the signing key), from a message (the transaction). The second part is an algorithm that allows anyone to verify the signature, given also the message and a public key. + +===== Creating a Digital Signature + +In bitcoin's implementation of the ECDSA algorithm, the "message" being signed is the transaction, or more accurately a hash of a specific subset of the data in the transaction (see <>). The signing key is the user's private key. The result is the signature: + +latexmath:[\(Sig = F_sig(F_hash(m), dA\)] + +where: + +* dA is the signing private key +* m is the transaction (or parts of it) +* F~hash~ is the hashing function +* F~sig~ is the signing algorithm +* Sig is the resulting signature + +More details on the mathematics of ECDSA can be found in <> + +The function F~sig~ produces a signature +Sig+ that is composed of two values, commonly referred to as +R+ and +S+. + +---- +Sig = (R, S) +---- + +Now that the two values +R+ and +S+ have been calculated, they are serialized into a byte-stream using an international standard encoding scheme called the _Distinguished Encoding Rules_ or _DER_. + +===== Serialization of Signatures (DER) + +Let's look at the transaction Alice created again. In the transaction input there is an unlocking script that contains the following _DER_ encoded signature from Alice's wallet: + +---- +3045022100884d142d86652a3f47ba4746ec719bbfbd040a570b1deccbb6498c75c4ae24cb02204b9f039ff08df09cbe9f6addac960298cad530a863ea8f53982c09db8f6e381301 +---- + +That signature is a serialized byte-stream of the +R+ and +S+ values produced by Alice's wallet to prove she owns the private key authorized to spend that output. The serialization format consists of nine elements as follows: + +[[decoded_alice_sig]] +.Alice's DER-encoded signature - decoded +==== +* 0x30 - indicating the start of a DER sequence +* 0x45 - the length of the sequence (69 bytes) + * 0x02 - an integer value follows + * 0x21 - the length of the integer (33 bytes) + * R: 00884d142d86652a3f47ba4746ec719bbfbd040a570b1deccbb6498c75c4ae24cb + * 0x02 - another integer follows + * 0x20 - the length of the integer (32 bytes) + * S: 4b9f039ff08df09cbe9f6addac960298cad530a863ea8f53982c09db8f6e3813 +* A suffix (0x01) indicating the type of hash used (SIGHASH_ALL) +==== + +See if you can decode Alice's serialized (DER-encoded) signature using the guide above. The important numbers are +R+ and +S+, the rest of the data is part of the DER encoding scheme. + +==== Verifying the Signature + +To verify the signature, one must have the signature (+R+ and +S+), the serialized transaction and the public key (that corresponds to the private key used to create the signature). Essentially, verification of a signature means "Only the owner of the private key that generated this public key could have produced this signature on this transaction". + +The signature verification algorithm takes the message (transaction or parts of it), the signer's public key and the signature (+R+ and +S+ values) and returns TRUE if the signature is valid for this transaction and public key. + +==== Signature Hash Types (SIGHASH) + +Digital signatures are applied to messages, which in the case of bitcoin, are the transactions themselves. The signature implies a _commitment_ by the signer to specific transaction data. In the simplest form, the signature applies to the entire transaction, thereby committing all the inputs, outputs and other transaction fields. But, a signature can commit to only a subset of the data in a transaction, which is useful for a number of scenarios as we will see below. + +Bitcoin signatures have a way of indicating which part of a transaction's data is included in the data signed by the transaction, through the use of a SIGHASH flag. The SIGHASH flag is a single byte that is appended to the signature. + +Remember, each input may contain a signature in its unlocking script. As a result, a transaction that contains several inputs may have signatures with different SIGHASH flags that commit different parts of the transaction in each of the inputs. Note also that bitcoin transactions may contain inputs from different "owners", who may sign only one input in a partially constructed (and invalid) transaction, collaborating with others to gather all the necessary signatures to make a valid transaction. Many of the SIGHASH flag types only make sense if you think of multiple participants collaborating outside the bitcoin network and updating a partially signed transaction. + +There are three SIGHASH flags: ALL, NONE and SINGLE + +|======================= +|SIGHASH flag| Value | Description +| ALL | 0x01 | Signature applies to all inputs and outputs +| NONE | 0x02 | Signature applies to all inputs, none of the outputs +| SINGLE | 0x03 | Signature applies to all inputs but only the one output with the same index number as the signed input +|======================= + +In addition, there is a modifier flag SIGHASH_ANYONECANPAY, which can be combined with each of the above flags. When ANYONECANPAY is set, only one input is signed, leaving the rest (and their sequence numbers) open for modification. The ANYONECANPAY has the value +0x80+ and is applied by bitwise OR, resulting in the combined flags: + +|======================= +|SIGHASH flag| Value | Description +| SIGHASH_ALL\|ANYONECANPAY | 0x81 | Signature applies to one inputs and all outputs +| NONE\|ANYONECANPAY | 0x82 | Signature applies to one inputs, none of the outputs +| SINGLE\|ANYONECANPAY | 0x83 | Signature applies to one input & the output with the same index number +|======================= + +The way SIGHASH flags are applied during signing and verification, is that a copy of the transaction is made and certain fields within are truncated (set to zero length and emptied). The resulting transaction is serialized. The SIGHASH flag is added to the end of the serialized transaction and the result is hashed. The hash itself is the "message" that is signed. Depending on which SIGHASH flag is used, different parts of the transaction are truncated. This the resulting hash depends on different subsets of the data in the transaction. By including the SIGHASH as the last step before hashing, the signature commits the SIGHASH type as well, so it can't be changed (eg. by a miner). + +[NOTE] +==== +All SIGHASH types sign the transaction nLocktime field. In addition, the SIGHASH type itself is appended to the transaction before it is signed, so that it can't be modified one signed. +==== + +In the example of Alice's transaction (see <>), we saw that the last part of the DER-encoded signature was +01+, which is the SIGHASH_ALL flag. This locks the transaction data,so Alice's signature is committing the state of all inputs and outputs. This is the most common signature form. + +Let's look at some of the other SIGHASH types and how they can be used in practice: + +ALL|ANYONECANPAY :: This construction can be used to make a "crowdfunding"-style transaction. Someone attempting to raise funds can construct a transaction with a single output. The single output pays the "goal" amount to the fundraiser. Such a transaction, is obviously not valid, as it has no inputs. However, others can now amend it by adding an input of their own, as a donation. They sign their own input with ALL|ANYONECANPAY. Unless enough inputs are gathered to reach the value of the output, the transaction is invalid. Each donation is a "pledge", which cannot be collected by the fundraiser until the entire goal amount is raised. + +NONE :: This construction can be used to create a "bearer-check" of a specific amount. It commits to the input, but allows the output locking script to be changed. Anyone can write their own bitcoin address into the output locking script and redeem the transaction. However, the output value itself is locked by the signature. + +NONE|ANYONECANPAY :: This constuction can be used to build a "dust collector". User's who have tiny UTXO in their wallets can't spend these without the cost in fees exceeding the value of the dust. With this type of signature, the dust UTXO can be donated, for anyone to aggregate and spend whenever they want. + +There are some proposals to modify or expand the SIGHASH system. One such proposal is _Bitmask Sighash Modes_ by Blockstream's Glenn Willen, as part of the Elements project. This aims to create a flexible replacement for SIGHASH types that allows "arbitrary, miner-rewritable bitmasks of inputs and outputs" that can express "more complex contractual pre-commitment schemes, such as signed offers with change in a distributed asset exchange." + +[[ecdsa_math]] +==== ECDSA Math + +As mentioned previously, signatures are created by a mathematical function F~sig~, that produces a signature composes of two values +R+ and +S+. In this section we look at the function F~sig~ in more detail. + +The signature algorithm first generates an _ephemeral_ (temporary) private public key pair. This temporary key pair is used in the calculation of the +R+ and +S+ values, after a transformation involving the signing private key and the transaction hash. + +The temporary key pair is based on a random number +k+, which is used as the temporary private key. From +k+, we generate the corresponding temporary public key +P+ (calculated as +P = k*G+, in the same way bitcoin public keys are derived <>). The +R+ value of the digital signature is then the x-coordinate of the ephemeral public key +P+. + +From there, the algorithm calculates the +S+ value of the signature, such that: + +latexmath:[\(S = k^-1 (Hash(m) + dA * R) mod p\)] + +where: + +* k is the ephemeral private key +* R is the x-coordinate of the ephemeral public key +* dA is the signing private key +* m is the transaction data +* p is the prime order of the elliptic curve + +Verification is the inverse of the signature generation function, using the +R+, +S+ values and the public key to calculate a value +P+, which is a point on the elliptic curve (the ephemeral public key used in signature creation): + +latexmath:[\(P = S^-1 * Hash(m) * G + S^-1 * R * Qa\)] + +where: + +* R and S are the signature values +* Qa is Alice's public key +* m is the transaction data that was signed +* G is the elliptic curve generator point + +If the x-coordinate of the calculated point +P+ is equal to +R+, then the verifier can conclude that the signature is valid. + +Note that in verifying the signature, the private key is neither known nor revealed. + +[TIP] +==== +The math of ECDSA is complex and difficult to understand. There are a number of great guides online which might help. Search for "ECDSA explained" or try this one: + +http://www.instructables.com/id/Understanding-how-ECDSA-protects-your-data/?ALLSTEPS + +==== The Importance of Randomness in Signatures + +As we saw in <>, the signature generation algorithm uses a random key +k+, as the basis for an ephemeral private/public key pair. The value of +k+ is not important, *as long as it is random*. Specifically, if the same value +k+ is used to produce two signatures on different messages (transactions), then the signing private key can be calculated by anyone. Re-use of the same value for +k+ in a signature algorithm leads to exposure of the private key! + +[WARNING] +==== +If the same value +k+ is used in the signing algorithm on two different transactions, the private key can be calculated and is exposed! +==== + +This is not just a theoretical possibility. We have seen this issue lead to exposure of private keys in a few different implementations of transaction signing algorithms in bitcoin. People have lost funds to attackes because of inadvertent re-use of a +k+ value. The most common reason for re-use of a +k+ value is an improperly initialized random-number generator. + +To avoid this vulnerability, the industry best practice is to not generate +k+ with a random-number generator seeded with entropy, but instead to use a deterministic-random process seeded with the transaction data itself. That ensures that each transaction produces a different +k+. The industry-standard algorithm for deterministic initialization of +k+ is defined in https://tools.ietf.org/html/rfc6979[RFC 6979] published by the Internet Engineering Task Force. + +If you are implementing an algorithm to sign transactions in bitcoin, you *must* use RFC6979 or a similarly deterministic-random algorithm to ensure you generate a different +k+ for each transaction. From 81e79e3fdb1e88beda3d752c6031fd35d89d5dfa Mon Sep 17 00:00:00 2001 From: "Andreas M. Antonopoulos" Date: Thu, 15 Dec 2016 09:52:47 +0200 Subject: [PATCH 22/24] ch06 edits round 1 --- ch06.asciidoc | 35 ++++++++++++++++++++++------------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/ch06.asciidoc b/ch06.asciidoc index 3e66453e..89dd0778 100644 --- a/ch06.asciidoc +++ b/ch06.asciidoc @@ -348,17 +348,28 @@ Eugenia's wallet application will calculate the appropriate fee by measuring the [[tx_script]] === Transaction Scripts and Script Language -((("scripts", id="ix_ch06-asciidoc9", range="startofrange")))((("transactions","script language for", id="ix_ch06-asciidoc10", range="startofrange")))((("transactions","validation", id="ix_ch06-asciidoc11", range="startofrange")))((("validation (transaction)", id="ix_ch06-asciidoc12", range="startofrange")))Bitcoin clients validate transactions by executing a script, written in a Forth-like scripting language. Both the locking script (encumbrance) placed on a UTXO and the unlocking script that usually contains a signature are written in this scripting language. When a transaction is validated, the unlocking script in each input is executed alongside the corresponding locking script to see if it satisfies the spending condition. +((("scripts", id="ix_ch06-asciidoc9", range="startofrange")))((("transactions","script language for", id="ix_ch06-asciidoc10", range="startofrange")))((("transactions","validation", id="ix_ch06-asciidoc11", range="startofrange")))((("validation (transaction)", id="ix_ch06-asciidoc12", range="startofrange")))Bitcoin clients validate transactions by executing a script, written in a Forth-like scripting language, often referred to simply as _Script_. Both the locking script placed on a UTXO and the unlocking script are written in this scripting language. When a transaction is validated, the unlocking script in each input is executed alongside the corresponding locking script to see if it satisfies the spending condition. Today, most transactions processed through the bitcoin network have the form "Payment to Bob's bitcoin address" and are based on a script called a Pay-to-Public-Key-Hash script. However, the use of scripts to lock outputs and unlock inputs means that through use of the programming language, transactions can contain an infinite number of conditions. Bitcoin transactions are not limited to the "Payment to Bob's bitcoin address" script. -The Pay-to-Public-Key-Hash script is only the tip of the iceberg of possibilities that can be expressed with this scripting language. In this section, we will demonstrate the components of the bitcoin transaction scripting language and show how it can be used to express complex conditions for spending and how those conditions can be satisfied by unlocking scripts. +In this section, we will demonstrate the components of the bitcoin transaction scripting language and show how it can be used to express complex conditions for spending and how those conditions can be satisfied by unlocking scripts. [TIP] ==== Bitcoin transaction validation is not based on a static pattern, but instead is achieved through the execution of a scripting language. This language allows for a nearly infinite variety of conditions to be expressed. This is how bitcoin gets the power of "programmable money." ==== + +==== Turing Incompleteness + +((("Script language","flow-control/loops in")))((("Script language","statelessness of")))((("Turing Complete")))The bitcoin transaction script language contains many operators, but is deliberately limited in one important way—there are no loops or complex flow control capabilities other than conditional flow control. This ensures that the language is not _Turing Complete_, meaning that scripts have limited complexity and predictable execution times. Script is not a general-purpose language. These limitations ensure that the language cannot be used to create an infinite loop or other form of "logic bomb" that could be embedded in a transaction in a way that causes a((("denial-of-service attack","Script language and"))) denial-of-service attack against the bitcoin network. Remember, every transaction is validated by every full node on the bitcoin network. A limited language prevents the transaction validation mechanism from being used as a vulnerability. + +==== Stateless Verification + +((("stateless verification of transactions")))((("transactions","statelessness of")))The bitcoin transaction script language is stateless, in that there is no state prior to execution of the script, or state saved after execution of the script. Therefore, all the information needed to execute a script is contained within the script. A script will predictably execute the same way on any system. If your system verifies a script, you can be sure that every other system in the bitcoin network will also verify the script, meaning that a valid transaction is valid for everyone and everyone knows this. This predictability of outcomes is an essential benefit of the bitcoin system.(((range="endofrange", startref="ix_ch06-asciidoc12")))(((range="endofrange", startref="ix_ch06-asciidoc11")))(((range="endofrange", startref="ix_ch06-asciidoc10")))(((range="endofrange", startref="ix_ch06-asciidoc9"))) + + + ==== Script Construction (Lock + Unlock) ((("scripts","construction of")))((("validation (transaction)","script construction for")))Bitcoin's transaction validation engine relies on two types of scripts to validate transactions: a locking script and an unlocking script. @@ -369,9 +380,7 @@ Bitcoin transaction validation is not based on a static pattern, but instead is Every bitcoin validating node will validate transactions by executing the locking and unlocking scripts together. For each input in the transaction, the validation software will first retrieve the UTXO referenced by the input. That UTXO contains a locking script defining the conditions required to spend it. The validation software will then take the unlocking script contained in the input that is attempting to spend this UTXO and execute the two scripts. -In the original bitcoin client, the unlocking and locking scripts were concatenated and executed in sequence. For security reasons, this was changed in 2010, because of a vulnerability that allowed a malformed unlocking script to push data onto the stack and corrupt the locking script. In the current implementation, the scripts are executed separately with the stack transferred between the two executions, as described next. - -First, the unlocking script is executed, using the stack execution engine. If the unlocking script executed without errors (e.g., it has no "dangling" operators left over), the main stack (not the alternate stack) is copied and the locking script is executed. If the result of executing the locking script with the stack data copied from the unlocking script is "TRUE," the unlocking script has succeeded in resolving the conditions imposed by the locking script and, therefore, the input is a valid authorization to spend the UTXO. If any result other than "TRUE" remains after execution of the combined script, the input is invalid because it has failed to satisfy the spending conditions placed on the UTXO. Note that the UTXO is permanently recorded in the blockchain, and therefore is invariable and is unaffected by failed attempts to spend it by reference in a new transaction. Only a valid transaction that correctly satisfies the conditions of the output results in the output being considered as "spent" and removed from the set of unspent transaction outputs (UTXO set). +Note that the UTXO is permanently recorded in the blockchain, and therefore is invariable and is unaffected by failed attempts to spend it by reference in a new transaction. Only a valid transaction that correctly satisfies the conditions of the output results in the output being considered as "spent" and removed from the set of unspent transaction outputs (UTXO set). <> is an example of the unlocking and locking scripts for the most common type of bitcoin transaction (a payment to a public key hash), showing the combined script resulting from the concatenation of the unlocking and locking scripts prior to script validation. @@ -379,11 +388,12 @@ First, the unlocking script is executed, using the stack execution engine. If th .Combining scriptSig and scriptPubKey to evaluate a transaction script image::images/msbt_0501.png["scriptSig_and_scriptPubKey"] - [[tx_script_language]] ==== Scripting Language -((("Script language", id="ix_ch06-asciidoc13", range="startofrange")))((("scripts","language for", id="ix_ch06-asciidoc14", range="startofrange")))The bitcoin transaction script language, called _Script_, is a Forth-like reverse-polish notation stack-based execution language. If that sounds like gibberish, you probably haven't studied 1960's programming languages. Script is a very simple language that was designed to be limited in scope and executable on a range of hardware, perhaps as simple as an embedded device, such as a handheld calculator. It requires minimal processing and cannot do many of the fancy things modern programming languages can do. In the case of programmable money, that is a deliberate security feature. +((("Script language", id="ix_ch06-asciidoc13", range="startofrange")))((("scripts","language for", id="ix_ch06-asciidoc14", range="startofrange")))The bitcoin transaction script language, called Script, is a Forth-like reverse-polish notation stack-based execution language. If that sounds like gibberish, you probably haven't studied 1960's programming languages. Script is a very simple language that was designed to be limited in scope and executable on a range of hardware, perhaps as simple as an embedded device, such as a handheld calculator. It requires minimal processing and cannot do many of the fancy things modern programming languages can do. In the case of programmable money, that is a deliberate security feature. + +===== The Script Execution Stack Bitcoin's scripting language is called a stack-based language because it uses a data structure called a((("stack, defined"))) _stack_. A stack is a very simple data structure, which can be visualized as a stack of cards. A stack allows two operations: push and pop. Push adds an item on top of the stack. Pop removes the top item from the stack. Operations on a stack can only act on the top-most item on the stack. A stack data structure is also called a Last-In-First-Out, or "LIFO" queue. @@ -391,6 +401,8 @@ The scripting language executes the script by processing each item from left to Conditional operators evaluate a condition, producing a boolean result of TRUE or FALSE. For example, +OP_EQUAL+ pops two items from the stack and pushes TRUE (TRUE is represented by the number 1) if they are equal or FALSE (represented by zero) if they are not equal. Bitcoin transaction scripts usually contain a conditional operator, so that they can produce the TRUE result that signifies a valid transaction. +===== A Simple Script + In <>, the script +2 3 OP_ADD 5 OP_EQUAL+ demonstrates the arithmetic addition operator +OP_ADD+, adding two numbers and putting the result on the stack, followed by the conditional operator +OP_EQUAL+, which checks that the resulting sum is equal to +5+. For brevity, the +OP_+ prefix is omitted in the step-by-step example. The following is a slightly more complex script, which calculates ++2 + 7 – 3 + 1++. Notice that when the script contains several operators in a row, the stack allows the results of one operator to be acted upon by the next operator: @@ -430,14 +442,11 @@ image::images/msbt_0502.png["TxScriptSimpleMathExample"] Transactions are valid if the top result on the stack is TRUE (noted as ++{0x01}++), any other non-zero value or if the stack is empty after script execution. Transactions are invalid if the top value on the stack is FALSE (a zero-length empty value, noted as ++{}++) or if script execution is halted explicitly by an operator, such as OP_VERIFY, OP_RETURN, or a conditional terminator such as OP_ENDIF. See <> for details. ==== +===== Separate Execution of Unlocking and Locking Scripts -==== Turing Incompleteness +In the original bitcoin client, the unlocking and locking scripts were concatenated and executed in sequence. For security reasons, this was changed in 2010, because of a vulnerability that allowed a malformed unlocking script to push data onto the stack an corrupt the locking script. In the current implementation, the scripts are executed separately with the stack transferred between the two executions, as described next. -((("Script language","flow-control/loops in")))((("Script language","statelessness of")))((("Turing Complete")))The bitcoin transaction script language contains many operators, but is deliberately limited in one important way—there are no loops or complex flow control capabilities other than conditional flow control. This ensures that the language is not _Turing Complete_, meaning that scripts have limited complexity and predictable execution times. Script is not a general-purpose language. These limitations ensure that the language cannot be used to create an infinite loop or other form of "logic bomb" that could be embedded in a transaction in a way that causes a((("denial-of-service attack","Script language and"))) denial-of-service attack against the bitcoin network. Remember, every transaction is validated by every full node on the bitcoin network. A limited language prevents the transaction validation mechanism from being used as a vulnerability. - -==== Stateless Verification - -((("stateless verification of transactions")))((("transactions","statelessness of")))The bitcoin transaction script language is stateless, in that there is no state prior to execution of the script, or state saved after execution of the script. Therefore, all the information needed to execute a script is contained within the script. A script will predictably execute the same way on any system. If your system verifies a script, you can be sure that every other system in the bitcoin network will also verify the script, meaning that a valid transaction is valid for everyone and everyone knows this. This predictability of outcomes is an essential benefit of the bitcoin system.(((range="endofrange", startref="ix_ch06-asciidoc12")))(((range="endofrange", startref="ix_ch06-asciidoc11")))(((range="endofrange", startref="ix_ch06-asciidoc10")))(((range="endofrange", startref="ix_ch06-asciidoc9"))) +First, the unlocking script is executed, using the stack execution engine. If the unlocking script executed without errors (e.g., it has no "dangling" operators left over), the main stack (not the alternate stack) is copied and the locking script is executed. If the result of executing the locking script with the stack data copied from the unlocking script is "TRUE," the unlocking script has succeeded in resolving the conditions imposed by the locking script and, therefore, the input is a valid authorization to spend the UTXO. If any result other than "TRUE" remains after execution of the combined script, the input is invalid because it has failed to satisfy the spending conditions placed on the UTXO. [[p2pkh]] From 1192c97c8ebdbd530eabb4d90db1998e885c6c29 Mon Sep 17 00:00:00 2001 From: "Andreas M. Antonopoulos" Date: Thu, 15 Dec 2016 12:16:30 +0200 Subject: [PATCH 23/24] ch06 edits 2 --- ch06.asciidoc | 72 +++++++++++++++++++++++++++------------------------ 1 file changed, 38 insertions(+), 34 deletions(-) diff --git a/ch06.asciidoc b/ch06.asciidoc index 89dd0778..1273aaf3 100644 --- a/ch06.asciidoc +++ b/ch06.asciidoc @@ -325,7 +325,7 @@ The API returns a JSON object with the current fee estimate for fastest confirma [[tx_fee_equation]] .Transaction fees are implied, as the excess of inputs minus outputs: ---- -Fees = Sum(Inputs) – Sum(Outputs) +Fees = Sum(Inputs) -- Sum(Outputs) ---- This is a somewhat confusing element of transactions and an important point to understand, because if you are constructing your own transactions you must ensure you do not inadvertently include a very large fee by underspending the inputs. That means that you must account for all inputs, if necessary by creating change, or you will end up giving the miners a very big tip! @@ -343,16 +343,18 @@ Now let's look at a different scenario. Eugenia, our children's charity director As Eugenia's wallet application tries to construct a single larger payment transaction, it must source from the available UTXO set, which is composed of many smaller amounts. That means that the resulting transaction will source from more than a hundred small-value UTXO as inputs and only one output, paying the book publisher. A transaction with that many inputs will be larger than one kilobyte, perhaps a kilobyte or several kilobytes in size. As a result, it will require a much higher fee than the median sized transaction. -Eugenia's wallet application will calculate the appropriate fee by measuring the size of the transaction and multiplying that by the per-kilobyte fee. Many wallets will overpay fees for larger transactions to ensure the transaction is processed promptly. The higher fee is not because Eugenia is spending more money, but because her transaction is more complex and larger in size—the fee is independent of the transaction's bitcoin value.(((range="endofrange", startref="ix_ch06-asciidoc8")))(((range="endofrange", startref="ix_ch06-asciidoc7"))) +Eugenia's wallet application will calculate the appropriate fee by measuring the size of the transaction and multiplying that by the per-kilobyte fee. Many wallets will overpay fees for larger transactions to ensure the transaction is processed promptly. The higher fee is not because Eugenia is spending more money, but because her transaction is more complex and larger in size--the fee is independent of the transaction's bitcoin value.(((range="endofrange", startref="ix_ch06-asciidoc8")))(((range="endofrange", startref="ix_ch06-asciidoc7"))) [[tx_script]] === Transaction Scripts and Script Language -((("scripts", id="ix_ch06-asciidoc9", range="startofrange")))((("transactions","script language for", id="ix_ch06-asciidoc10", range="startofrange")))((("transactions","validation", id="ix_ch06-asciidoc11", range="startofrange")))((("validation (transaction)", id="ix_ch06-asciidoc12", range="startofrange")))Bitcoin clients validate transactions by executing a script, written in a Forth-like scripting language, often referred to simply as _Script_. Both the locking script placed on a UTXO and the unlocking script are written in this scripting language. When a transaction is validated, the unlocking script in each input is executed alongside the corresponding locking script to see if it satisfies the spending condition. +((("scripts", id="ix_ch06-asciidoc9", range="startofrange")))((("transactions","script language for", id="ix_ch06-asciidoc10", range="startofrange")))((("transactions","validation", id="ix_ch06-asciidoc11", range="startofrange")))((("validation (transaction)", id="ix_ch06-asciidoc12", range="startofrange")))((("Script language", id="ix_ch06-asciidoc13", range="startofrange")))((("scripts","language for", id="ix_ch06-asciidoc14", range="startofrange")))The bitcoin transaction script language, called _Script_, is a Forth-like reverse-polish notation stack-based execution language. If that sounds like gibberish, you probably haven't studied 1960's programming languages, but that's ok - we will explain it all in this chapter. Both the locking script placed on a UTXO and the unlocking script are written in this scripting language. When a transaction is validated, the unlocking script in each input is executed alongside the corresponding locking script to see if it satisfies the spending condition. -Today, most transactions processed through the bitcoin network have the form "Payment to Bob's bitcoin address" and are based on a script called a Pay-to-Public-Key-Hash script. However, the use of scripts to lock outputs and unlock inputs means that through use of the programming language, transactions can contain an infinite number of conditions. Bitcoin transactions are not limited to the "Payment to Bob's bitcoin address" script. +Script is a very simple language that was designed to be limited in scope and executable on a range of hardware, perhaps as simple as an embedded device. It requires minimal processing and cannot do many of the fancy things modern programming languages can do. For its use in validating programmable money, this is a deliberate security feature. -In this section, we will demonstrate the components of the bitcoin transaction scripting language and show how it can be used to express complex conditions for spending and how those conditions can be satisfied by unlocking scripts. +Today, most transactions processed through the bitcoin network have the form "Payment to Bob's bitcoin address" and are based on a script called a Pay-to-Public-Key-Hash script. However, bitcoin transactions are not limited to the "Payment to Bob's bitcoin address" script. In fact, locking scripts can be written to express a vast variety of complex conditions. In order to understand these more complex scripts, we must first understand the basics of transaction scripts and script language. + +In this section, we will demonstrate the basic components of the bitcoin transaction scripting language and show how it can be used to express simple conditions for spending and how those conditions can be satisfied by unlocking scripts. [TIP] ==== @@ -362,25 +364,24 @@ Bitcoin transaction validation is not based on a static pattern, but instead is ==== Turing Incompleteness -((("Script language","flow-control/loops in")))((("Script language","statelessness of")))((("Turing Complete")))The bitcoin transaction script language contains many operators, but is deliberately limited in one important way—there are no loops or complex flow control capabilities other than conditional flow control. This ensures that the language is not _Turing Complete_, meaning that scripts have limited complexity and predictable execution times. Script is not a general-purpose language. These limitations ensure that the language cannot be used to create an infinite loop or other form of "logic bomb" that could be embedded in a transaction in a way that causes a((("denial-of-service attack","Script language and"))) denial-of-service attack against the bitcoin network. Remember, every transaction is validated by every full node on the bitcoin network. A limited language prevents the transaction validation mechanism from being used as a vulnerability. +((("Script language","flow-control/loops in")))((("Script language","statelessness of")))((("Turing Complete")))The bitcoin transaction script language contains many operators, but is deliberately limited in one important way--there are no loops or complex flow control capabilities other than conditional flow control. This ensures that the language is not _Turing Complete_, meaning that scripts have limited complexity and predictable execution times. Script is not a general-purpose language. These limitations ensure that the language cannot be used to create an infinite loop or other form of "logic bomb" that could be embedded in a transaction in a way that causes a((("denial-of-service attack","Script language and"))) denial-of-service attack against the bitcoin network. Remember, every transaction is validated by every full node on the bitcoin network. A limited language prevents the transaction validation mechanism from being used as a vulnerability. ==== Stateless Verification ((("stateless verification of transactions")))((("transactions","statelessness of")))The bitcoin transaction script language is stateless, in that there is no state prior to execution of the script, or state saved after execution of the script. Therefore, all the information needed to execute a script is contained within the script. A script will predictably execute the same way on any system. If your system verifies a script, you can be sure that every other system in the bitcoin network will also verify the script, meaning that a valid transaction is valid for everyone and everyone knows this. This predictability of outcomes is an essential benefit of the bitcoin system.(((range="endofrange", startref="ix_ch06-asciidoc12")))(((range="endofrange", startref="ix_ch06-asciidoc11")))(((range="endofrange", startref="ix_ch06-asciidoc10")))(((range="endofrange", startref="ix_ch06-asciidoc9"))) - ==== Script Construction (Lock + Unlock) ((("scripts","construction of")))((("validation (transaction)","script construction for")))Bitcoin's transaction validation engine relies on two types of scripts to validate transactions: a locking script and an unlocking script. -((("locking scripts","transaction validation and")))((("validation (transaction)","locking scripts")))A locking script is an spending condition placed on an output: it specifies the conditions that must be met to spend the output in the future. Historically, the locking script was called a _scriptPubKey_, because it usually contained a public key or bitcoin address (public key hash). In this book we refer to it as a "locking script" to acknowledge the much broader range of possibilities of this scripting technology. In most bitcoin applications, what we refer to as a locking script will appear in the source code as +scriptPubKey+. You will also see the locking script referred to as a _witness script_ (see <>) or more generally as a _cryptographic puzzle_. These terms all mean the same thing, at different levels of abstraction. +((("locking scripts","transaction validation and")))((("validation (transaction)","locking scripts")))A locking script is a spending condition placed on an output: it specifies the conditions that must be met to spend the output in the future. Historically, the locking script was called a _scriptPubKey_, because it usually contained a public key or bitcoin address (public key hash). In this book we refer to it as a "locking script" to acknowledge the much broader range of possibilities of this scripting technology. In most bitcoin applications, what we refer to as a locking script will appear in the source code as +scriptPubKey+. You will also see the locking script referred to as a _witness script_ (see <>) or more generally as a _cryptographic puzzle_. These terms all mean the same thing, at different levels of abstraction. ((("unlocking scripts","transaction validation and")))An unlocking script is a script that "solves," or satisfies, the conditions placed on an output by a locking script and allows the output to be spent. Unlocking scripts are part of every transaction input. Most of the time they contain a digital signature produced by the user's wallet from his or her private key. Historically, the unlocking script is called _scriptSig_, because it usually contained a digital signature. In most bitcoin applications, the source code refers to the unlocking script as +scriptSig+. You will also see the unlocking script referred to as a _witness_ (see <>). In this book, we refer to it as an "unlocking script" to acknowledge the much broader range of locking script requirements, because not all unlocking scripts must contain signatures. -Every bitcoin validating node will validate transactions by executing the locking and unlocking scripts together. For each input in the transaction, the validation software will first retrieve the UTXO referenced by the input. That UTXO contains a locking script defining the conditions required to spend it. The validation software will then take the unlocking script contained in the input that is attempting to spend this UTXO and execute the two scripts. +Every bitcoin validating node will validate transactions by executing the locking and unlocking scripts together. Each input contains an unlocking script and refers to a previously existing UTXO. The validation software will copy the unlocking script, retrieve the UTXO referenced by the input and copy the locking script from that UTXO. The unlocking and locking script are then executed in sequence. The input is valid if the unlocking script satisfies the locking script conditions (see <>). All the inputs are validated independently, as part of the overall validation of the transaction. -Note that the UTXO is permanently recorded in the blockchain, and therefore is invariable and is unaffected by failed attempts to spend it by reference in a new transaction. Only a valid transaction that correctly satisfies the conditions of the output results in the output being considered as "spent" and removed from the set of unspent transaction outputs (UTXO set). +Note that the UTXO is permanently recorded in the blockchain, and therefore is invariable and is unaffected by failed attempts to spend it by reference in a new transaction. Only a valid transaction that correctly satisfies the conditions of the output results in the output being considered as "spent" and removed from the set of unspent transaction outputs (UTXO set)((("UTXO Set", "removing outputs")))((("UTXO", "spending"))). <> is an example of the unlocking and locking scripts for the most common type of bitcoin transaction (a payment to a public key hash), showing the combined script resulting from the concatenation of the unlocking and locking scripts prior to script validation. @@ -388,11 +389,6 @@ Note that the UTXO is permanently recorded in the blockchain, and therefore is i .Combining scriptSig and scriptPubKey to evaluate a transaction script image::images/msbt_0501.png["scriptSig_and_scriptPubKey"] -[[tx_script_language]] -==== Scripting Language - -((("Script language", id="ix_ch06-asciidoc13", range="startofrange")))((("scripts","language for", id="ix_ch06-asciidoc14", range="startofrange")))The bitcoin transaction script language, called Script, is a Forth-like reverse-polish notation stack-based execution language. If that sounds like gibberish, you probably haven't studied 1960's programming languages. Script is a very simple language that was designed to be limited in scope and executable on a range of hardware, perhaps as simple as an embedded device, such as a handheld calculator. It requires minimal processing and cannot do many of the fancy things modern programming languages can do. In the case of programmable money, that is a deliberate security feature. - ===== The Script Execution Stack Bitcoin's scripting language is called a stack-based language because it uses a data structure called a((("stack, defined"))) _stack_. A stack is a very simple data structure, which can be visualized as a stack of cards. A stack allows two operations: push and pop. Push adds an item on top of the stack. Pop removes the top item from the stack. Operations on a stack can only act on the top-most item on the stack. A stack data structure is also called a Last-In-First-Out, or "LIFO" queue. @@ -403,14 +399,9 @@ Conditional operators evaluate a condition, producing a boolean result of TRUE o ===== A Simple Script -In <>, the script +2 3 OP_ADD 5 OP_EQUAL+ demonstrates the arithmetic addition operator +OP_ADD+, adding two numbers and putting the result on the stack, followed by the conditional operator +OP_EQUAL+, which checks that the resulting sum is equal to +5+. For brevity, the +OP_+ prefix is omitted in the step-by-step example. +Now let's apply what we've learned about scripts and stacks to some simple examples. -The following is a slightly more complex script, which calculates ++2 + 7 – 3 + 1++. Notice that when the script contains several operators in a row, the stack allows the results of one operator to be acted upon by the next operator: - ----- -2 7 OP_ADD 3 OP_SUB 1 OP_ADD 7 OP_EQUAL ----- -Try validating the preceding script yourself using pencil and paper. When the script execution ends, you should be left with the value TRUE on the stack. +In <>, the script +2 3 OP_ADD 5 OP_EQUAL+ demonstrates the arithmetic addition operator +OP_ADD+, adding two numbers and putting the result on the stack, followed by the conditional operator +OP_EQUAL+, which checks that the resulting sum is equal to +5+. For brevity, the +OP_+ prefix is omitted in the step-by-step example. For more details on the available script operators and functions, see <>. Although most locking scripts refer to a public key hash (essentially, a bitcoin address), thereby requiring proof of ownership to spend the funds, the script does not have to be that complex. Any combination of locking and unlocking scripts that results in a TRUE value is valid. The simple arithmetic we used as an example of the scripting language is also a valid locking script that can be used to lock a transaction output. @@ -442,6 +433,14 @@ image::images/msbt_0502.png["TxScriptSimpleMathExample"] Transactions are valid if the top result on the stack is TRUE (noted as ++{0x01}++), any other non-zero value or if the stack is empty after script execution. Transactions are invalid if the top value on the stack is FALSE (a zero-length empty value, noted as ++{}++) or if script execution is halted explicitly by an operator, such as OP_VERIFY, OP_RETURN, or a conditional terminator such as OP_ENDIF. See <> for details. ==== +The following is a slightly more complex script, which calculates ++2 + 7 -- 3 + 1++. Notice that when the script contains several operators in a row, the stack allows the results of one operator to be acted upon by the next operator: + +---- +2 7 OP_ADD 3 OP_SUB 1 OP_ADD 7 OP_EQUAL +---- +Try validating the preceding script yourself using pencil and paper. When the script execution ends, you should be left with the value TRUE on the stack. + +[[script_exec]] ===== Separate Execution of Unlocking and Locking Scripts In the original bitcoin client, the unlocking and locking scripts were concatenated and executed in sequence. For security reasons, this was changed in 2010, because of a vulnerability that allowed a malformed unlocking script to push data onto the stack an corrupt the locking script. In the current implementation, the scripts are executed separately with the stack transferred between the two executions, as described next. @@ -492,11 +491,11 @@ image::images/msbt_0504.png["Tx_Script_P2PubKeyHash_2"] So far, we have not delved into any detail about "digital signatures". In this section we look at how digital signatures work and how they can present proof of ownership of a private key without revealing that private key. -The digital signature algorithm used in bitcoin is the _Elliptic Curve Digital Signature Algorithm_, or _ECDSA_. ECDSA is the algorithm used for digital signatures based on elliptic curve private/public key pairs, as described in <>. +The digital signature algorithm used in bitcoin is the _Elliptic Curve Digital Signature Algorithm_, or _ECDSA_. ECDSA is the algorithm used for digital signatures based on elliptic curve private/public key pairs, as described in <>. ECDSA is used by the script functions OP_CHECKSIG, OP_CHECKSIGVERIFY, OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY. Any time you see those in a locking script, the unlocking script must contain an ECDSA signature. -A digital signature serves three purposes in bitcoin (see <>). First, the signature proves that the owner of the private key, who is by implication the owner of the funds, has *authorized* the spending of those funds. Secondly, the proof of authorization is *undeniable* (non-repudiation). Thirdly, the signature proves that the transaction (or specific parts of the transaction) have not and *can not be modified* by anyone other than the owner of the private key. +A digital signature serves three purposes in bitcoin (see <>). First, the signature proves that the owner of the private key, who is by implication the owner of the funds, has *authorized* the spending of those funds. Secondly, the proof of authorization is *undeniable* (non-repudiation). Thirdly, the signature proves that the transaction (or specific parts of the transaction) have not and *can not be modified* by anyone after it has been been signed. -Note that each transaction input is signed independently. This is critical, as neither the signatures, nor the inputs have to belong or be applied by the same "owners". In fact, a specific transaction scheme called "CoinJoin" uses this fact to create multi-party transactions for privacy. +Note that each transaction input is signed independently. This is critical, as neither the signatures, nor the inputs have to belong to or be applied by the same "owners". In fact, a specific transaction scheme called "CoinJoin" uses this fact to create multi-party transactions for privacy. [NOTE] ==== @@ -569,13 +568,13 @@ See if you can decode Alice's serialized (DER-encoded) signature using the guide To verify the signature, one must have the signature (+R+ and +S+), the serialized transaction and the public key (that corresponds to the private key used to create the signature). Essentially, verification of a signature means "Only the owner of the private key that generated this public key could have produced this signature on this transaction". -The signature verification algorithm takes the message (transaction or parts of it), the signer's public key and the signature (+R+ and +S+ values) and returns TRUE if the signature is valid for this transaction and public key. +The signature verification algorithm takes the message (a hash of the transaction or parts of it), the signer's public key and the signature (+R+ and +S+ values) and returns TRUE if the signature is valid for this message and public key. ==== Signature Hash Types (SIGHASH) Digital signatures are applied to messages, which in the case of bitcoin, are the transactions themselves. The signature implies a _commitment_ by the signer to specific transaction data. In the simplest form, the signature applies to the entire transaction, thereby committing all the inputs, outputs and other transaction fields. But, a signature can commit to only a subset of the data in a transaction, which is useful for a number of scenarios as we will see below. -Bitcoin signatures have a way of indicating which part of a transaction's data is included in the data signed by the transaction, through the use of a SIGHASH flag. The SIGHASH flag is a single byte that is appended to the signature. +Bitcoin signatures have a way of indicating which part of a transaction's data is included in the hash signed by the private key, through the use of a SIGHASH flag. The SIGHASH flag is a single byte that is appended to the signature. Every signature has a SIGHASH flag and the flag can be different from to input to input. A transaction with three signed inputs may have three signatures with different SIGHASH flags, each signature signing (committing) different parts of the transaction. Remember, each input may contain a signature in its unlocking script. As a result, a transaction that contains several inputs may have signatures with different SIGHASH flags that commit different parts of the transaction in each of the inputs. Note also that bitcoin transactions may contain inputs from different "owners", who may sign only one input in a partially constructed (and invalid) transaction, collaborating with others to gather all the necessary signatures to make a valid transaction. Many of the SIGHASH flag types only make sense if you think of multiple participants collaborating outside the bitcoin network and updating a partially signed transaction. @@ -592,7 +591,7 @@ In addition, there is a modifier flag SIGHASH_ANYONECANPAY, which can be combine |======================= |SIGHASH flag| Value | Description -| SIGHASH_ALL\|ANYONECANPAY | 0x81 | Signature applies to one inputs and all outputs +| ALL\|ANYONECANPAY | 0x81 | Signature applies to one inputs and all outputs | NONE\|ANYONECANPAY | 0x82 | Signature applies to one inputs, none of the outputs | SINGLE\|ANYONECANPAY | 0x83 | Signature applies to one input & the output with the same index number |======================= @@ -601,21 +600,26 @@ The way SIGHASH flags are applied during signing and verification, is that a cop [NOTE] ==== -All SIGHASH types sign the transaction nLocktime field. In addition, the SIGHASH type itself is appended to the transaction before it is signed, so that it can't be modified one signed. +All SIGHASH types sign the transaction nLocktime field (see <>). In addition, the SIGHASH type itself is appended to the transaction before it is signed, so that it can't be modified once signed. ==== -In the example of Alice's transaction (see <>), we saw that the last part of the DER-encoded signature was +01+, which is the SIGHASH_ALL flag. This locks the transaction data,so Alice's signature is committing the state of all inputs and outputs. This is the most common signature form. +In the example of Alice's transaction (see <>), we saw that the last part of the DER-encoded signature was +01+, which is the SIGHASH_ALL flag. This locks the transaction data, so Alice's signature is committing the state of all inputs and outputs. This is the most common signature form. Let's look at some of the other SIGHASH types and how they can be used in practice: ALL|ANYONECANPAY :: This construction can be used to make a "crowdfunding"-style transaction. Someone attempting to raise funds can construct a transaction with a single output. The single output pays the "goal" amount to the fundraiser. Such a transaction, is obviously not valid, as it has no inputs. However, others can now amend it by adding an input of their own, as a donation. They sign their own input with ALL|ANYONECANPAY. Unless enough inputs are gathered to reach the value of the output, the transaction is invalid. Each donation is a "pledge", which cannot be collected by the fundraiser until the entire goal amount is raised. -NONE :: This construction can be used to create a "bearer-check" of a specific amount. It commits to the input, but allows the output locking script to be changed. Anyone can write their own bitcoin address into the output locking script and redeem the transaction. However, the output value itself is locked by the signature. +NONE :: This construction can be used to create a "bearer-check" or "blank check" of a specific amount. It commits to the input, but allows the output locking script to be changed. Anyone can write their own bitcoin address into the output locking script and redeem the transaction. However, the output value itself is locked by the signature. -NONE|ANYONECANPAY :: This constuction can be used to build a "dust collector". User's who have tiny UTXO in their wallets can't spend these without the cost in fees exceeding the value of the dust. With this type of signature, the dust UTXO can be donated, for anyone to aggregate and spend whenever they want. +NONE|ANYONECANPAY :: This construction can be used to build a "dust collector". User's who have tiny UTXO in their wallets can't spend these without the cost in fees exceeding the value of the dust. With this type of signature, the dust UTXO can be donated, for anyone to aggregate and spend whenever they want. There are some proposals to modify or expand the SIGHASH system. One such proposal is _Bitmask Sighash Modes_ by Blockstream's Glenn Willen, as part of the Elements project. This aims to create a flexible replacement for SIGHASH types that allows "arbitrary, miner-rewritable bitmasks of inputs and outputs" that can express "more complex contractual pre-commitment schemes, such as signed offers with change in a distributed asset exchange." +[NOTE] +==== +You will not see SIGHASH flags presented as an option in a user's wallet application. With few exceptions, wallets construct P2PKH scripts and sign with SIGHASH_ALL flags. To use a different SIGHASH flag, you would have to write software to construct and sign transactions. More importantly, SIGHASH flags can be used by special purpose bitcoin applications that enable novel uses. +==== + [[ecdsa_math]] ==== ECDSA Math @@ -664,10 +668,10 @@ As we saw in <>, the signature generation algorithm uses a random ke [WARNING] ==== -If the same value +k+ is used in the signing algorithm on two different transactions, the private key can be calculated and is exposed! +If the same value +k+ is used in the signing algorithm on two different transactions, the private key can be calculated and exposed to the world! ==== -This is not just a theoretical possibility. We have seen this issue lead to exposure of private keys in a few different implementations of transaction signing algorithms in bitcoin. People have lost funds to attackes because of inadvertent re-use of a +k+ value. The most common reason for re-use of a +k+ value is an improperly initialized random-number generator. +This is not just a theoretical possibility. We have seen this issue lead to exposure of private keys in a few different implementations of transaction signing algorithms in bitcoin. People have had funds stolen because of inadvertent re-use of a +k+ value. The most common reason for re-use of a +k+ value is an improperly initialized random-number generator. To avoid this vulnerability, the industry best practice is to not generate +k+ with a random-number generator seeded with entropy, but instead to use a deterministic-random process seeded with the transaction data itself. That ensures that each transaction produces a different +k+. The industry-standard algorithm for deterministic initialization of +k+ is defined in https://tools.ietf.org/html/rfc6979[RFC 6979] published by the Internet Engineering Task Force. From 6c2b6de9938f96a1ee5acd2a0dca0dbc7ead9167 Mon Sep 17 00:00:00 2001 From: "Andreas M. Antonopoulos" Date: Thu, 15 Dec 2016 15:19:20 +0200 Subject: [PATCH 24/24] ch06 final edits --- ch06.asciidoc | 39 +++++++++++++++++++++++++++++++++++++++ images/bobs_address.png | Bin 0 -> 652069 bytes 2 files changed, 39 insertions(+) create mode 100644 images/bobs_address.png diff --git a/ch06.asciidoc b/ch06.asciidoc index 1273aaf3..7635e98a 100644 --- a/ch06.asciidoc +++ b/ch06.asciidoc @@ -661,6 +661,7 @@ Note that in verifying the signature, the private key is neither known nor revea The math of ECDSA is complex and difficult to understand. There are a number of great guides online which might help. Search for "ECDSA explained" or try this one: http://www.instructables.com/id/Understanding-how-ECDSA-protects-your-data/?ALLSTEPS +==== ==== The Importance of Randomness in Signatures @@ -676,3 +677,41 @@ This is not just a theoretical possibility. We have seen this issue lead to expo To avoid this vulnerability, the industry best practice is to not generate +k+ with a random-number generator seeded with entropy, but instead to use a deterministic-random process seeded with the transaction data itself. That ensures that each transaction produces a different +k+. The industry-standard algorithm for deterministic initialization of +k+ is defined in https://tools.ietf.org/html/rfc6979[RFC 6979] published by the Internet Engineering Task Force. If you are implementing an algorithm to sign transactions in bitcoin, you *must* use RFC6979 or a similarly deterministic-random algorithm to ensure you generate a different +k+ for each transaction. + +=== Bitcoin Addresses, Balances and other abstractions + +We began this chapter with the discovery that transactions look very different "behind the scenes" than how they are presented in wallets, blockchain explorers and other user-facing applications. Many of the simplistic and familiar concepts from the earlier chapters, such as bitcoin addresses and balances seem to be absent from the transaction structure. We saw that transactions don't contain bitcoin addresses, per se, but instead operate through scripts that lock and unlock discreet values of bitcoin. Balances are not present anywhere in this system and yet every wallet application prominently displays the balance of the user's wallet. + +Now that we have explored what is actually included in a bitcoin transaction, we can examine how the higher-level abstractions are derived from the seemingly primitive components of the transaction. + +Let's look again at how Alice's transaction was presented on a popular block explorer: + +.Alice's transaction to Bob's Cafe +image::images/msbt_0208.png["Alice Coffee Transaction"] + +On the left side of the transaction, the blockchain explorer shows Alice's bitcoin address as the "sender". In fact, this information is not in the transaction itself. When the blockchain explorer retrieved the transaction it also retrieved the previous transaction referenced in the input and extracted the first output from that older transaction. Within that output is a locking script that locks the UTXO to Alice's public key hash (a P2PKH script). The blockchain explorer extracted the public key hash and encoded it using Base58Check encoding to produce and display the bitcoin address that represents that public key. + +Similarly, on the right side, the blockchain explorer shows the two outputs, the first to Bob's bitcoin address and the second to Alice's bitcoin address (as change). Once again, to create these bitcoin addresses, the blockchain explorer extracted the locking script from each output, recognized it as a P2PKH script, and extracted the public-key-hash from within. Finally, the blockchain explorer re-encoded that public-key-hash with Base58Check to produce and display the bitcoin addresses. + +If you were to click on Bob's bitcoin address, the blockchain explorer would show you this view: + +.The balance of Bob's bitcoin address +image::images/bobs_address.png["The balance of Bob's bitcoin address"] + +The blockchain explorer displays the balance of Bob's bitcoin address. But nowhere in the bitcoin system is there a concept of a "balance". Rather, the values displayed here are constructed by the blockchain explorer as follows: + +To construct the "Total Received" amount, the blockchain explorer first will decode the Base58Check encoding of the bitcoin address, to retrieve the 160-bit hash of Bob's public key that is encoded within the address. Then, the blockchain explorer will search through the database of transactions, looking for outputs with Pay-to-Public-Key-Hash locking scripts that contain Bob's public-key-hash. By summing up the value of all the outputs, the blockchain explorer can produce the total value received. + +Constructing the current balance (displayed as "Final Balance") requires a bit more work. The blockchain explorer keeps a separate database of the outputs that are currently unspent, the UTXO set. To maintain this database, the blockchain explorer must monitor the bitcoin network, add newly created UTXO and remove spent UTXO, in real time, as they appear in unconfirmed transactions. This is a complicated process which depends on keeping track of transactions as they propagate, as well as maintaining consensus with the bitcoin network to ensure that the correct chain is followed. Sometimes, the blockchain explorer goes out of sync and its perspective of the UTXO set is incomplete or incorrect. + +From the UTXO set, the blockchain explorer sums up the value of all unspent outputs referencing Bob's public-key-hash and produces the "Final Balance" number shown to the user. + +In order to produce this one image, with these two "balances", the blockchain explorer has to index and search through dozens, hundreds or even hundreds of thousands of transactions. + +In summary, the information presented to users through wallet applications, blockchain explorers and other bitcoin user interfaces is often composed of higher-level abstractions that are derived by searching many different transactions, inspecting their content, and manipulating the data contained within them. By presenting this simplistic view of bitcoin transactions that resemble bank checks from one sender to one recipient, these applications have to abstract a lot of underlying detail. They mostly focus on the common types of transactions: Pay-to-Public-Key-Hash with SIGHASH_ALL signatures on every input. Thus, while bitcoin applications can present more than 80% of all transactions in an easy-to-read manner, they are sometimes stumped by transactions that deviate from the norm. Transactions that contain more complex locking scripts, or different SIGHASH flags, or many inputs and outputs demonstrate the simplicity and weakness of these abstractions. + +Every day, hundreds of transactions which do not contain Pay-to-Public-Key-Hash outputs are confirmed on the blockchain. The blockchain explorers often present these with red warning messages saying they cannot decode an address. The link below contains the most recent "strange transactions" that were not fully decoded: + +https://blockchain.info/strange-transactions + +As we will see in the next chapter, these are not necessarily strange transactions. They are transactions which contain more complex locking scripts than the common Pay-to-Public-Key-Hash. We will learn how to decode and understand more complex scripts and the applications they support, next. diff --git a/images/bobs_address.png b/images/bobs_address.png new file mode 100644 index 0000000000000000000000000000000000000000..c13467e8dcde8bcadded623b13c3f8f21a994ae5 GIT binary patch literal 652069 zcmeF43tUuX`uJaDW`F^lDTd2Ta!D>SEVqQ8GNp)(OIYd8pVo@5ZpOAN{n8d~Q!9U; z^s{DayGkoKl{oHKVA1`te<=g7x7 zbIyBtp6~n4d!F;0=Y7xaC5s<%XA9Vb5ch>i3zib%coO#I&Qsw3%|9hW8QhQn59fpj!VA2n^820^H@Qj!r$ahDXN>QzHQ+fCP{L z5yE#T4d!qi9r2_OL^fCP}hgd?Ea z^Aao=fUy7*uHk+efzcZNWjJFkNB{{S0VIF~kN^@u0(S}lw1DrFmOwd>01`j~NB{{S z0VIF~ei;I20sk_bu@)qN1dsp{Kmxagz?H(+pTbyx+kze|ohSs*8lEUEg>oVRB!C2v z01`j~NB{|p4*|4*$A=@9f&`EN5gGq~kpL1v0!RP} zAOR#W2??MDJP8{eRYn3x;I1YR<+&~%V*&2!CPw9u01_Bi0%#47D^4s72_OL^fCP{L z5lQJ^?0uN>{a_aDtK+i#+XCbC;d$`0}MRlOLMW&F|^AUSBXue0LcWR0jzl0VIF~kN^@u z0%IpIb_;kUGHBHbc?0}a6r4C3^Yqqr3j~&r<6UF7{_9^u71LdP^kA+;O9(SEGD+lV znQy2p<9(dF;Prnk81F)dFHcsIZw$jQByP?x=~%FEQr!g%j|o#C0VIF~kN^@u0!U!A z1b*>|2vxTtm=m{d^J1$BZkp~6X?0OY`5wfg5y_jn>0qH#2>OD{YmfB-RZhB{Plrb|L zP}Uda=NFYr8ssW{1#DiBFjl;1QGD=F0kp;}Qn|{wZUWEGUl=78Cy54S8fuLQP5u7o zwv`(42d#T&yU113QI(&ST~OVipbj%Rev$FZRxgbmbs&ePA-}{JX3Y^TT}m=uE1w8& zyo1#CHduFURaVBqe2D_0x8q((Ums>}AZ2|?ettofq=A-+l8PS`87p4ANaXKotMqPZ zNkLvw3ACp|t#42!hv)Af6(>#-$6CeG7;|f6z)XG#QM6GD3$cMj= zXznZ>^@d)v@ebIsTIwVbMTj&74!7Qbqhx1W@WjW)#z5LyX$jzY|FKX zA)5ElS$7jA|*pQE8pgT6dN7 z)ZRV0hUQfntWd~cvwgH`xdgN*Eht#NX~W`RD^--`2Y2in6bhnMDH^H^;O|7xqD`BU z!z{CO*Jtf;$XY@Ch6IoR5}?P0cc9-@FK=GXFM8jD;*?wT!PqLr5)++%4En=>`%?#-5t zs60cS?&@5V|C|#m_GhvD#j!^JthPE|VmroKc51h!JxmCj=jX@gfRKuF83(J4Hnv$X zdQVe-Y=@;iOn|eWA5C7KzwhWk`_h!#TKA*brrRA;3Zg98XW2d+KVeKb`Sk53^NP7O~X5Bpae3n0_&0 z5xD+U3O2o#MR)nZOq1Eoj#>A{Mx)FfC3|1apqoxxeehsajM2v}Eif;Q;kSI}_QfVo zdUyS)9oq~|*Kp$F`gjA(j`CBce#J}LwsW<~#SEVAeJ>xdq^)!fdH?a1>Bw@cTB6UR$5;Y(LM$g|O< zthE?YH2Z}NnGH|;A_VO8a66|!v=O%csFb)BWsXXK+m%?S`1W{q4QtMd zHWRQh#EwZKRcXe{r9+p%K5o?V^+_eh z1&r0O)I@g}W&U(mXBC(o(fs9G*TTCnP9PM0wj zz}k+0s0uS05Nn+|_JA9;dgJnP(`|(nWo3DRQC>JMOj&DM(T?RAo3deU^|m4GVGDOK z#H47gtX;YWWy!}Tr#1;%onkbF;iRW1W%a3wO!~e=TLHFx6n#>ol$x4~6C9<7pqJJ) zIBES_b%Bh{6L@-Z1je9ijk3X%gXte>8FS1MEJ#_a$d|&B)t;W7ydW!i^@R@ke^+D8 z73yTaw6dkoH^{y@JY*?&VrT*^L10Lalb6fTDaPfDuD$U1r|N{K9`&WhJgZ9kT1vna zb_*2E3iJ>-v7CMpdB#I2D=o&Oz`Lys>qfuJw6kjcanjVP%<&seeF zp$4OjYPlL>A}mgu6Asw3TrZdxZz_`IA1~tN=j#o=!7B*EL@^6DJa~_-EpLG+iGSjl z$vElp1v>geMHLDwuGCqIjfP zuS`RUR3oD2OtRS!&Y}<8P!;UWhhB5ktH60gaX6`(p(dscCbM+64 z8n9l4LISU#Gj5z<|3SY47BAA17%gC;Xz1uBqp;TbA}b@Dipce3l4e7dTFuCUf;A8o zU~+5nM3z>%zZgtl!{Qm#3c?GME$nlxLT--vg@9^f+^tDpe}5*CoAoywSIaug$2k7_ zTLohtu-JK#0y7cw@qv3hQJA&G4PnTV4s$9+?u)<8HGj3<)5>Hj5(W7o@;QcGYV^n} zN>A)7Jwag%3K9xqq9Vg02j4vLL?T|UaX}GPb#6vARKw)?34_8SVm*$Ys76&(*YE>nDybULhiphjn3HP3H>E)m`a< z({B9m2V*SG($6}b<~%NJDJ+&=^LqHHCE#Axbv0FdTTv(N?17Xl4nHI&VOEg4{%5J{ zYA8EbQP--X`wojUEhJ{H;iR2YUsz2KnqDGKjHsR#(}#5}Ff>;~ygyNAMWxizkj1Q}H~iyo2u$k9n(>d0#MuVFb27 z$N?SdBgsA}fpbrZl~xfE!`Eoph>k-ylUZw>tl-$EjUI_lEeg;-Q=k!CbBp@TZ)S7p z=BC_Jc~=4+Up0%$W&PJu+!~k?4YT3E-`aS|ZL^yly>;O}D9kLL! zT!eI0o;Y6C6ZrTlvA}dSpgee=)H&)yR&>gSGU%fEZpd=u2SkhJgwgj6hDXYx70Zo3 z5uNhUVEe20Q&wU$FfiK1dFFnE6)U zrD2!}oRu(V2Hi_ctsf#A*u5!Dhwcn^AehR8@T6fBvCGG##aLT`kl{xjTR(Y&0DX#! zCB>C6Y*E7|J!(EUD~QX0{`X;a%{4ey_sPLJ!e5xO(C`eZPgeQuxk@QD%({4l%n}<| zLrQCE9Dm`1b7%X~h6DUUj(t++@$lom5{Rqn_h0zbBlLqNgA9;W|AT+{@jz*b{#Oha z1mS}T51M|Sqbr;!E)|zlG|6eL99=x7Ma-HTt(OIO*;bj-fc_Y3G}(txZpjMyZfW%5$?$7}g6`RUdnGpKJQ&cx%7l$R$|x zm;brf7z;qAm8^kf9n1&WeD+}HER#)5Co`Id-R89q%=w1ibG4kC zM<-*lElL|YqvaWmG_S}Mk;@JeDC_IHP3N@&u;2}94_rZ5-EB@s*xbR-|7p*usc1u) z8Y_xS9&;cQCVNCWa0LUcZ;htgg0@Kon>%W`QbVZQ8CKZpO^c+jh)?Zhi4uSR(@dO7r0>CrF%}vfK~^u0L)6f8CX;#vTaE z4&*wyga^1Z)?K)$j4%iHc3sHJtLk*|pY?Ermy`O+#fmd6Fupn(%7g(o_l)EkCqy(i z#KW7cz3FjmRa;XeuRbPFmBr6^b zf=ipCEa$75et!6z*}m?Meaa?DMa@?^{q8H~dXu3~F>bcZL8C&~g-<^z>2&j-HSa+W zCvc=xl+>Kb>Hlx29+Hky7kkX@L$j-nUJPaBnKJL_gk@s5m^YrwD=x_^;jfs>3w-49 z{(?_SI=w`X&*8J(*@U{^pf~rBN0z!@JaeW-<3DdPjrb>CAz!(d! z>y)(Ue*|DGU&{OVtlW_wK99PNLzgcpE6!H-uUKL3IuX7xO+Ymcy@$>iYfg zGc2jf`?zP}ZxX2AiJnx=IW4D0TsdD*DTqn@O(L6g z))nNHfsTUZ(WblR0g_LuuY=lc{IzGXxPoBO;*F6(2Tbv|+Ul%aY20ed2!hd7Y&26x zm+MYX4eJG)=ll_MY36G~###@%g783HZ;sf=a#>Cl99S>)of$OOI%LHv5y$M!cMVQ{ z{jHdy?Cd;P`gpJjt&rsJd-0;x+&PwD;nwu9lH8B;i>ez2-?OM13Nl}=YItR5iq%?c zR`pwc>1(ZQ(hx6EAT>I8ga^9R)zn>3#LU&tRRUjeWhZeFCW@nJGe+RcBPU=6oWTOt zU8#^(`Ruy70H_Mz$Qs-rKqp9IXCr*}|#hs+ABXqCuXdkD{+>&1n8 z4@VZ)i$^z~$pR)$T%HFP8qLw&!-GCYUkdd?jig3P#k-n@Y$hwMoxr#ytupyF;tlQD z2ez;yU+8s3($v`(#)d2EH94$H17@-lp}g-z)5Tl3LaaAQr*V}npVaA64$Y=!7A7(W8dBw*tO<4?Kt|yPyo3&E@{lN$A6&@AU+NY25x}pVoa_7ehb(pa%UOb-=>MX@iz7YQTR~3RZ;J z-~ompu$aaV%Oo|OF$vyebcMq&of;kHCCt``=lKQ%@I5N!E(BEQx2rM?av()NBTPIu zh_-kI;W5)H@}y1eebI2|kK4fBcMFNQLdYrmobgo?s*Ck%a`P52xNG75#%Lqa?p@2E zU>j<%T&dO7j5%z^=xQyNyd_NTAg8X4QpfcWwK|$nz+nrvUO|}cYN5W`7!7Svh_b^* z$t*Ut8k*5FtW{{Kr>_>7h*~|^sI)vk;fPTnbyH<)KjDW502V?Rys!vPO<7~r6_NgFv8Iz+Q(#(v`G((Zny*`#K4Jlk zn3m3d;v(R?8H)qQpMWK4G=8N%9r+<%#vdJAQLceK4c4|!ryq^M8u4|hlC(fIJeIq= zBWb;G{-W1|Ap$B6fx(+G+wcmMp-*+)beWb?!oHL5+(o{Y$6UMtN@o}Kn9;C}To*gu z2K&(LBhnWOvwHL~1t1o~iHafDsQYxp5LRLocBG#psnJq#d(C83CtDE6Atg=i>S!(- zTm1Afb}-uS(ssHQ$aBrE{PeA*S?V#$FjPOZ-^0z-TkJsxGqpZ}F~+4#qLg*% zEG=M*)by^M&S1Y02S9+rhEl{1pMla?e;-vVjAY~)NCx_?m~F z!6nlPrWu|9!WTC$Zx(56hsS~*eWNR!!SOT zZt*`&c>@M@*7bV8WGvIKdxMR2tF1X}>ZhTQO7C6x}i zL4kR97DUY1MzF^Tf{0&Zq_avox>#$ve3oZ$6#T_gUtsyRW9H?Ac~H>+kD>2~==hm^On`R%UuytWm;I zmb-a;BQQ+CkOBh>Y&ta+yXE3e4OWJY!FC(ai7ayK)Ks{HM)JuKYnL(PRjR?73rG+P z^9m%zpGu1%9*plB7!nTixu_A$X~&sO`X?zG_;G7I-|b`7}AVF z7c&xb`ShNBXv3*P7vadVl8QQJl9x^}n*T;rqlMyj+G1d}E_`1XB7vBQ8SHCKGL2iH zz(dgGR@?-)KHjX(MkR3*@=aaK(Z#ak&7Neh(keVur7l9n5ft*Fy(}+D;Bf?R19WAPg#V2t`KG)vb#hP5|pxfV{(wJVQwc zk5Qn%x_g*@MwB3W>kp#th)rwQ(cQ^H0P|4NLlxCi_Tj-YYi&p$Jevxc}rBe|WRLeCwt06T%o|?4vOKxDan=K*s+-+~!T4Y#Lf8e=o zhDl_WiwCm=Fd^`qF~6dqNVeF*0js%a5o&CyldB+xPb5YYxS^oDBYuHdZRKeE)0V}; zzH3l?5Rn*GVADzpBv$PMvCjwd*B;!*R6{W zQ}5u!BR_JBinSxasA?RlElge}Lq!a3fPhsa0~45grS%%i+t-cZ=IhO>0vB<(JIq~Y z4d+}MLg0ax@es-E9R?FPkR`3V(9{(sRD%KRIE@OZq&B@pV517NsbH_*QJfnJt^WBCFrtF-k z#JRrKmkkK9G8@?T^6Cq*N}(sfFj!rqDV*UxL%cjt)ZW?%7lW1-Nr_Za>HqMuM}n+{ zGYO76BP1~17O+|=tCw0^8ZbdhC2uIt%RXl@+leW(6C`Sq-73};;$=Hx<4yLNAbznh zJJYc487z^N@uerc0hx*mfVV{KKVh`$2s3iA;pMrm!evRk3ge0b@)NuFdu}$oXhWl{ z%HEe@w2mQ&H6~eXX-}CXx^+7pCFWN~z^tqx*3f{3%Pf|1(=Q%OJ40QCVj)vvTn0{& zyZ2y_;jO{l(l0ai8CPByC_lB9+p%ND^~@R$Wn>8quPTNYRb*sXEIm9h=WyS-F^giD z`-}!C-98%(Z>UyQ9ou{CoWViNjM)?uOBJS;9NUv=FmbEZegebWJM{IyJDCei%fK=H z^=n{gr5~FbtyCfKH@+r>&Z6mnmyej9IS7Jy!wnU>c4~15mj9fDFv~mUK3UmURq`rW zEiH`AqE7U5f#=P*fy>YwX~Lo$zM3w|e{1+%>AGk)oiVlbC-{$HDDCNIdkHM(yI3cJ zH8Om|;BPiKM!wDYq^9ir72zX>rTAmdSO3@Nb4USUP-leU$%_y?`?Z{(Q6Zl+Rh`bLvsKx5;w7->WSZ&ifxxH^L zkORWwxLyKV_Pw34(6Ues^)%1)1f_>sDwRtGB-}*dr{B`dv4{m=u)PB!;14dGErlQF z)lm~kW{sozmRd}f{ZS3SBY>hV&Db{NtS(c2rf}8T0c*^f&ROozYj_#g`O-=<)7Bh? zRU9~rw!aRZTyFf@RYflzGFUw7>O(L8@ff^B8G?Mx_6gX+DdzVzz={GJmsh=Pe2tu< zG~>n6Ob9e)sx1S9A)IyYhP9)3hEfx>v z#;g|eUN$Ya1}_hOt^nQ;P1Gti*o169KW(%5Zp36I63_VLxa>V9M>xEt_>Z|%Ha$g7 z5Km=(F~#U&SX^UM)<#wv4Qi@=o<70j^O$P6+#GZaZw5?>(uX#4<5r13-ll)Y38a4U z>0>-TpXUQ>r^wBgIZ()cDhk5IZ1TXp!Uc%9w(@RR=CNC^wY%Fg8yN=L%@%8{ z1J(?)(*VX)mY<`n(Oz3v7EA9tdB7~W;<~y^%6>Okn*xqGc?WR%FVxjtQxUHiQ{ecZ zjJ6Mes4k>NCb^>X)>|Xsvi~qo>ON=HvM}2@hCa&RMufOYsxFk3X*8?=gE0&}fQn6p zDmrz>d67D0U5kde1Wp4#EyIbrvRmB$LEJO-{&}0$u-(M=FpjcCs7`8Xbo=sK;}};N z%ta5=!_5gT_B67(PMyFo6P1qqb@Yd^V$f!(>Cl}a#BL)FDs-p=_W0PyV=3Ec1Q_ke zV_7w|5(`TrZERA`Hq4Nt#^5Xc5a&xp-j8O}KfP(JyQqvYz00w$<=f&WZuqP)?~&eZ z_B1tKo5jJVL8| zG-U3wv_3oJuZ*`DJOV_#xTiO-wRre$CkrcRk(gIuGVNd)GiutFX&o@n1)H{$jNOMS zj5DIZ1UBwcrSjli$!pDSWH`d|U%Y)MJ7e!5!wPP6iI!OiJ1A-0hSdhk%#LW|drBkC zFEThup3w%H3{OyyjZqrow38*K5B*Bq8h@9 ze0u8!^X(8TIA!a)?j0GW1`@CsvQc7F9ZbKZ4VxF6Lbe5qH*Zqx*kg=<(W>OlR;@|p zSb@(ZA`V}HL(fS1kO!dJIJTeYoNgH9wG~sNIh!74;!#i_^1w)~ux&`Tu`P6Y%6s*nGr);b$tLtkU4C(-T{SMeYFqmri-QPV6j2YE0q4sFmq?_JT-e6XgrI|G9~atNlv2k+S9Gbr_7*+$q3qaJyz zs%8itjPZh%dUH<`5iDleuY{%2sNaNGNKX@UWW#ve*-}|^DUj>oJIyNVz%LBJtXce~ z;+juC?Vm+;eRU@+S|`2cA&MEr@6?ghojyZiB7E6>S1y!LKXVZ*Y7SM6u5cDh(=L@X zebO^4Jb=q~?CWZgl*x$;J$-c;l?SRd;5)r+__e|79uG)%_kR7QEMO*w#}@>J#l(x_ zqek&Q3Rdvy?VFefj}}zu-weTI^Y}p`^NS%^{tGsy$6hST%|BNzkt!&cC&V1D(G^Nya#uV|nhr%X0KC^CLga#ED1y2N}Vtfl8DnoL<(pKN=2Q1;P} zVR)WTG6qau=!e;aQf}*JQ2^+}T zQ?&j~VNy|kK}nTFDp!~s#vqY@P*_}iQhe-y-ouSb`RhC4l7hUV3WzF}n;rsC4H_hj ziC-udS-w?yC_(irM0i95+UPO#BjZL%-G$DWx!$uECH5D5E2%o$3jQuHp(rt;?vpcD z42~y;w`kG4{=%}lva?e9)fowi+_LPm>V9e+2wOijc7S+UVga3g-wRGAH zbDehgMpvVqX0lO>-el}?1V4_xKfndw18z0?VWOP*2Wlgu?L+LK#AT%9Tv=TSJU*a% zTw=m35z}92hJ3=rN0tp}iB!C2NIRRZ) zyS)7h6^`EH7QT=QD8}vf6A(Go!290=$ifBlpSbIB9D+!0NILLdPofCMHh0knoEYs;hFNB{{S0VIF~kN^^xtOU>k zo~$j8dLscOfCP{L5W>7F01`j~NB{{SfyqVyE#S%4;;1hYKmter2_OL^fCMHx0knW8dk?rR`hU%+ zF2-1Z+kze|MFL0w2_OL^fCQ`wpfzmG1HT~wB!C2v01`j~NB{}k?F7&QzS~XwKmter35=b<^y$;bUWm;SaGbY^ z1rH(tBrtXYw{GAXRyKzlH*O4@$W8){Mq}r!@zmL8UOa-a07e@4i3E@U61cSlSS;2p zs$gVe{w=B;i$wxR;BF>x>jti2sbN^eu!t}L51N zkN^@u0!RP}AOR#WQ3&|#kiUXv@I+}XloJUc0VIF~?oa~H2OMd`Sb#gUaZoHIFgyXq z@JVhig;w$1$s;F=Yub9K{4O3dWEz1RSur zJhb)AX992IP_J(O`s+r&`SSzW+U5`b{OT9#2R8rX`Ow=a&;UUA6$v1LJA=TjvVfa& zcJ2S7(`Cl5SIqHat834k{HE~0-NbZ4|YN`VBB01_Ar0e0wPE1pnk36Y=w z=$jTYb=ISaer&>I2l8&~D6jhN$on6uo|p+1Fq1d`nf0NBhnJnPv@_;K0(UEcTVw&N z6}6p&Or5jx$wX@GnKLsm;yVSC&tVd6?ce`*_xJ2yZ~rS8!-hNb@Qwd?fe-G4j}+m* zdy@It$?rRL9^t=xeu?(v+b3&a|AF6cd43L$sL%i9xdWGdSNzWJ>kqzZ(@mZ6#Iq|o zU%!2%jM`uE!V6SY+UBp{d+%gf3wWMgd}pnE_L(_+ruM?${&#N;@7GW8&wup&y-&`$ zda_s@zW&V@X0i!Uo&QVPfy*9`?)>YM{JXV{Q7O|byl zM)_yowDj<2KlT_kz!Jr0FFg$d`xEokIbW#eZ-4zs_IF3#{@|O-KNG_6dEm)so=K!U zwMYK^Y9V>(_m8P_sL|iWH{qEVo|?&l@%h5Z_l|sB(+T4_!(+z$r=DFI0Y}x1pS}HF zPEDH*t})XSo_hAFnLMZo#{MJk<$TiuCBxVcCC?!z!2t|k$wx0gUA$uFvx@ij8~wpr z`S}mv8Rex;D8t3~fyY)p^H?a`bcy+W;Q0>XSxJB{7Z2n9iLVo^Y*RHoeI8%I~S?xD_&g_|iFpv$oQ62c+2|3Gtaf2Tft1fg2J)0!U!&1dM~Z-;=*zIftkE`tJw6xy(#hzjfoI{I>6p z|NUgMaXA0^o1EH+r(Q^X$fKvF@V%3bT5y+q@b>8%GV}MFw{A|I&u;wUy$@>DL|uF2 zZy(ht0#|I_{QFtj%Z2;jJFkM_yY{_Z?|&ob{5o}g>Z5#l+55ZRYverk{0d*tVCqAu zTc4jzS;>Y?TYF^Jfx=77*}q%AG4)YD`S)=7D5ftDRDzbAubGL@Z=|jzHOG%og)55R z{^vJx{*v`uw{HAhpsMVHBlN|@SR8&L0VFW-3EU!oFyTM;f18;foIG>B?2F4~UjQfS z-v8NWDer;3&1e3T^CNhQ`95D9Z{y5{eZETJ`^Eb$3b~pXV!Eczd@^ySpO*N2wEwb8 z#FE6Bfm#yy(WOg@W)+#uOMGGb943d)=MYZB)WSkVtwNh|85&pee#jjUSsGuuPyQJLvC$LI9%wr07O z7=~QmB~Q%<7cW0C=Nsy{n)nedn8zx4ZL?x_=wtu)?n>J4LHw3%+5Q-l=f`JjN$8QX z@8z{B?M&5Y-}MleSu3BM9m<>?$_uPjF*!^Qk5BobnS8%MK1T}<4*jOBJ#+qNNc_}O z^WjP|lczZU@<*4?Tu{xKO`ms}38e%wwM!y$c0=I`?HmpzhfZGG*vy|9`plb$s6uf= z0!ZMlB59B;xk08Xso?Zoby2;b?+bg*C*}bWAo_2i%pGsZ2dq6Q4}zS z!auzWm^w@yVNwa%9DPbQsG)_8ekk@q@nz~U7rj}iHq24JNM&9v_0;OHElBYGe8(KL7eZ4!!lp*7Yl9c|f299fdJeYCMhv zkif(vVBs(wN8y=lZDZN@m&+OzwR0lC6Cl6vbs=%OIxY`g@$8aNj^03JbC^uMk*ifJn$Mrl zfhabjmN&}D?8FF{n(xbwoSgY&sN%D?Kf1(xVB?%Q@SG4XDV^UHe-}E(yfhj!@Uhub zYrZLa??~v%+3d!gGo6Gn&j_>|kj%xn%sSivgZ6Ce;nH&bp0UIpu6G6F%8R2LE4?u%o zk-!KD?Do$54r2jE01A^>5MTx_Svkvt(RO<8t`8a`o_#*SgLHoJ_Q}hGM`$_|Z~jv& zXYrbk@7?k0tGhpFseKKFT9Ph0AqxR*^vMeKmter3EW`>CTm#49o7se4iZ2DNMMWvZr#&G z42u|J(_nTafCPpjaO(!Hp=vZ8zeUsJOy%Pa5-t+-#k0ai3E@U5|DDu-n_>a(U@DVHG_-~%QDdX3NB{{S0VIF~kN^@u0zd#QVC)7+ z00|%gB!C2v01`j~lZyaaz>}-JQClQ{1dsp{Kmry7JZdlh2V(&&fZ*~T4QFkPO1dsp{Kmter2~0);XaP^gR!5zY01`j~NPu{~ zTJRml0$@i#0!RR7$YCEq0!RP}AOR$R1dsp{m}CUdA3Vt#9MwevNB{{S0VIF~kieuT zfEMti?*a$_2_S*VN1!L@z1J`nVDhy)YK#PsfNcUkJLIpRNo<=99z_C300|%gB!C2v z01~)c37`dhx3()Z*V50B#s;+LyZhEtG>ep#O38qHS_2m~gZ>#A# z-+coV^q%UP95-#(18&X(wCzLsQZwpmAB`#uVKkLqxc{uil-J*jv*po%RBw}prZc13(dK{hpX94Pl~4Nw=<})C z6W*2kEdEti2vd2vWzFXupZt7-IIR?IdYBW-okH3glY z|9r#A)g?7CFg?V{aH_L4^u6{=@MWs^56@2XX>STW+$l9>qjngZ*F>cL@E=PBp^!E6 zrl&_ZLmTzBcch+{WnIzr5y#oV`~!= zFgZc-DeF>VJqcX1|G1}GYm)MIwUxf$wFUc>EEw~+H z*+}L5MbmY*CLRAdG?>k?8uI%NfB2tN)ztLGVTFFq&bq$J`nJ^1>XLL}h5uzVm+VN{ z+qLEB<$S;CrIaa5lyyHO6<^=AIx5xsMrpyNgb#m={)2C*o$TXx%4w>1?X%MYpuk>r z*6F$x+42OadQ2USne<5DnnU%;rBe&z*v_Q)z^Nabgn>CBOmeMbNp>e!9NO~$yZ1++ z`a|md;aU271ES3@?T&lctF64Pbl&thy#T8A-DQ$9_lS8TPlTtZBKK!*OY08 z8#cB8`rd2m!kQmbPf7|O73M@Z5f4FWst?yxzOHM_XG&AuH@jn!SzGz<%L%71 z$N7b=(JOefC5}B`Z?iP+c&ATnK;dF;s2gefv2)kymgqx$rB6?T8wPr_)mUS%7)$tN z2r${&qKp&bH&)-Q_ktCi@{fO|P{PWx{`6w`qPIq2J&(VN8hL(JKHHzNfVpv7(_@$; zw&cfOmOG@x?yAf^Csd1Gd1rAjQ}*S)moqYj>03oiwVLo(rQ`j<9nwnUFNWlmw2s0r zZ(OHJc9=rk`~zlw@agzhbNfmhlVLKv*cxemzB+beyjYOGJHLLZ(MiyKF>7B&egom~ z1W~ajSDmu_;O@*K1(U<`kBw66Z!GCs@GvnKZpq`f?o8%2WMyO)G^hz-@*Us}<){s`O9kn`Il>Qqk;&S}Cu!J8j29&bX zyn0Ko>e^H{LgVhwiW}sdw$llm*-N5bIoZ8!;DNJMezJ4#;ZyZ#m;1S{jJOB5O~pSg zdHPq$&2@1F>RvsQ{u_O?cQ(M;eb-XYxTB5f_Y0RaU*2-fBY%b7@9UiU$o&ZsU=|bS z`*>?O?FUr-;JBr7t2)!Ky6%ebYO1YGzpTp&p$;l#Kb5+AR0dP-Tc42owt4&~y{<3y zzl<(ny3*17#|Vv>wx#$#hkwxQ@?a#*3rH2xQn^h{zTfe1yQY_zIyY6Svl}}pF1XO~ zVrW52p)e>xC5torgLS2!H|6`?mnLh;fu!JKKhW5_IP$RH6tMCW-fC9P`&DI}GXeko zyLC;EglG9_4u96PtzOg1AY97d@1Nv0KyYSsgh%vOKUVf?@;|?r<`q(#0K)X9zx|&L zZvH>5=5fjO(od?B89}v=FtP@r%baS^4$zO(}kP2nC~ zSy$y%O|KXKKt%6>^6pxdhWJj)|8E|+T4{ItPnCTjjAL|!ZFanFtd zg_^wjCuz#|wc6bVA8@xcFLQscL`7-Bi%h07+pZdP&fK3x38^LQAo1D_$zV!P^o=W8 zy)G!8ZajfV?0@WNgNlgQ-QC2MYcCIP)FN+s}BFu>h#3_ zVtg`wYc$a`oGM|9#r`aTD2ZF1E9s`I(bS*F$nRdX^PPXZ`Pa2U4b{|`LP&Sj!OS9V zO8UG1cyoI)r>cQINSJJvR$i`M^v1h?P4-t8?b}npOy2qKyYIfWU938``(V9>C`%8V zki~C@WADDRa~Zq3prKn+pLMW=vo@VNmcBu#EGn1X8vSmzR5!Qif%eMv+WKzgy&g-f zjZ|khCoXNywMm*%Ti7}4qMM!#N$XcaoP&AO^`swfIB>6D;bZrL31Z&*jpjAO(TAa{ zR2jdTQ<(Rhy?sm5W-9+YQ<)aFOW-&o{64U#z+UOQs_KmmDttP;a`in;XMafVv{#6^ zIQ<^@fXlnN(>=k@XS4h^$>r2$mn=%D&@|Og=lh|?DFF|Jwt*P%m+H5~$#HptcK}_Q zv-f>j^Bi{_mn5CNzGbPe!Kdryo*cn3XsuFZsaQz@eQ3w^+VT!%uuq(`(~?-{((^yH znS?W8A&y+ejW!wBsbkr$Q`sFI2*Wuk;$GU-eO>uuNBR#WA;MK}@C_(EKS)Tdr?2Xt*| z;RigF$^Wn2te~MjZDpmRb}A>?18$j|+kWVcQT)*u3(!p^zSfn~?=(ZDtc2ShU2l#I z1ZFF3wFv2KOFrAXWJP4#x?dgeQXRf}!Np2h!~T8F z_3|v}CzQKg8Su!j+R~!ip5{AWxV)xLOI3Q+5$=nu$hb{S^&_Phy6J`(y5S6Z;l~|L zfXQE!nnbeq7j#$)D$Cw|upw*%H7viiRjfL(?ul1}x zc(4L4PMZ2-yN{{FTi-eSueUaYNe=EUAPY9E4Px>ZZGUsK$nevok{#WB0+PK&X|f?o zdT@6(b%C)_HPJ|p9+U)cpi&-wBSj!Bs-}L$6MS>^7sW#e1idLG1v0iUh7bNHg;v{< zzvoYXShHr$AO5`e)J6T(euC?Y;+qNFxPIgMb=^;Iehz;Q{Tim0@^jox+by+*yQ_00 zo(totm@d!QBtb*2ekf2#s#JWjh;|%!#w`-k<_kn&HE4sxk<^gG@{eB}WTwm(&J|Mk z)7_GS26p_i80vS(@{C_3)K;I9YM2~PrlKUj=%TEf|{v>+1;)L2!1)Mc)%; zF7rnI>H1xr{mO1_uil$WothFI?%I1i(btay`FM6b^7i#Y=gXNZW9rT^@-X1X!DTGbZ4`}=#2{aAay-vPa+(_ETy&zZ?} z>~FJdj$T#TXI%-8O{3dapNtVLbXNWVX6tpJ6dLOtt@;VfR`6#xaXjJ}>cjQ@adW`d zhs2D8SdW1A&cbW@j3$|@A2_Q`n&ShvB3!?FLRD8Qdm;PPHZSiqPEQV4tCV5wlI%s5 zKe!dzWIs1e<*vC8+G9%S1A-*8$J`-0oHp5=okE=)q9f?Wb!LS!uGd2O&7Gyr+*CiB z28WyGM+$4yy?uRc#4*5mK$A`3avVvYmNE{8Xe_-x`2WNp!1Q0bHeQ{b@uj5=+)-Yx z;E9uHFCt42pX9HuE|rhY1P1MSBE26HE)1*Rc*o#!_6&>RXgk1dOKnU}Y&;!|!QusR zp_{91UIIK9Zht2ot`CrbD-`iaM~8}N^!<)S{<~A z_8${guvpAflvmN34yqbF)t+p1RY6e|TzR)Px?U ze^gxT+~wQhrsAzl@v7`S`%0)EG;Vhd0f!sJ;l>R|XD9fBohjF~PH&WW?)bvzFZqHU zpa0MM|DNcYnkohva&f!)tuZA-qlohcsa@d>lz{uijpCcw}+dVPB&V{atB?erPjFWD0== z)26Aeb;;3MirRC~Wm?y{a&RX1?eC8te^C_Xz zd29R}(_PKA8q=CSP4Ts+Bcus@21YeW>3!K9!rjl$}2xINcQY z$&||fwlMw;Dd0}7udUxP+SDA>T|sl9UqGcFG=sTqxV|2tpDQb`xmL;?lH#UvYuj?# zwM5eABXsv6eQmur&VF`*`IMt=IhG#&a{&klX@Yh+N!SAR8iNJ5WC_;MOzNpScV$$V`30s1utJ4^CCo|#jZ09 z;~F(ssIH#IC+18xhiE%S?IvWhP0!plveFX=^Qt;vW)_pE6k48<43op8uMu#$&>ymO z3D9&@XCM5yN~YFQx#e0mz_p$%ceiAld-w31azZq`9W2)f>&+d z!23A&=#E2jEkAN;%G$+Yw#EUg@+ZU>h#lFt`-D1v({>0sp(OScrK}g}MP~&kt%}Qi ztw7o>0ywzcB?KIAI83>IeF}@dT=m0t{SWiv1TLM9*ROZ~?EK!@l8LUT(e}9oddQ0M zWs#fS*&Jo~J!mfOP0OU_#xZ$JQm-_OGFr6?1|+DS$!2O5R3tDplBrd2e&D@03_I{_ zYUkjI!U9q9dQmdbD66t}@7s4G43?JQhAm8iKhiBN%G{BW5tP3D4!;qf5)jJamUm=z zdTpW2DQ7pP4_LsiQ)rXU0dBy0d#QyZsI9M0X||Lc0{oo0&W!Yx_a(i1d5Kr3(F$ZH zB+RHypwmN8>GzCe4+f!3nf_WTYSw6r^!8TvIs||>4(e)eT~g4O_GH)+%V>?hUM2XE zp_}M*P5p#x^yE1^F?`&NokvI6F(wO`u2TOWBOt^lmGhtUA2eIMod=aaK&f7%QrDZl zZ(JjD&wAPr3qhB4z3JaSq;_)iVIGz0M%>ZM>GvC~YGt!DDZ49faag*^5li}V&UZ&A zh8I3S|85lxpZN9KPzhh7K|&{Wrkw zw@}B%u7$a8akjTBOQMa7xHkZ7L=SG-Y?p1Puh#0g(4f}a_1f>RRJn2vLyOZcYVd|0 zsMj><>U|_s!d?i8K2;NaIk5CG+JtTSxmM?%&S5(HIvl9)BJER>9)cf>&d1r|k;KS+ zI_TL{ey_nq*B_X|_4Y^$mc`XvQ~uYzNq$q-)OT^OI3y)F1#sBPv#L_pzJPFdF0tJr z(D#Ura@JDv>$J6f#(rq3%+?O=;_WkZ9@^e@c6EfP=;V9*ca?Xg-^bD4t58{cuN{z) zI5C7t^krE#oONT_ssxYSu>`=Ox;8Q`<6y;dy@)I}pG_`;?MmqD0gU^E88ik{Nt(So z^P*_m&aIR!Mop!wvV&sKYjDF+?q%9r>J; zots6btF%&D-@)+@=ITLcfg;m*J2DYeLK%l8z|c)`xK11yR11SY7`E%=`rp3pnsTFm z?Mx0h^7nI20ZW`hsawW7~%o4-~ zk%oeb4v+-$<~0wN$W!28HJ%MF{I(x)zVE&R!Tm2CZ%n^T8=zoz)U~cT^^=n0>ch}KAMYsa1u?aS zr9WL7EG~FDm)_gT-TRVAgdJkP?5(B*VG7BX+hJ0AGHt? zpj4^SPq!AjdTbHEG%RK6NrjI%c#CN<2LbRG@Gy*_GWw1-ABHP0dzD zFP>px3KP=Vk>1W)6KwXlI(v8|k)L6n9JzLNNk+|C5TO z+TLqj2QFxQ1a5=O*1@U`I-=`4T+pL!$rus{{8s%v&5@`4~(lVeT&@&pZ!=$w2&lH32MtVDy2kLb`0+s0PKc{#_`GabTR>@?O$s>C#R6am+$)hR)egV|EOA>% zWqCVZ+OLlc;0pYCHq2@3^b_J6gii0xW~OXkZ#I9aCOx%h+m3Ad>I+a#R1mmC4|Q8G zA=E@6li#{0=?#Zp?{;|j4TlH!JAg~b;ks@LlL3DYH^4tc9LSA(oTtDa&1%A1zymJP zHzx7^>8 zxh%e9|EqsI299PXOa@L_A43g$cgl9Xvfw`tlpBGh4tZ+_?O%1Vg6XSU-{gf=EDb>dF<%Xzpi`c!@N>d-X5 z`*!&?u6e7XojA<6-z#S+HGd!6z|rE+e8;9O|L?-HR28taEiZpHwNh1+r1eO5ztiXc z;eJjR$zUcg{najzY$_+EAZW zKVVdfxU!PMxlxXAP1NOorKsv7+m2Rl)0gY)p0&oOF#AexY{)i)bv`9@&h%~dwaEqd z7T$m5M4yhFtj;tF;T;%61j=M|NPu~At37r-bT#?Is@<@Z^1YmGD`-1= zIz*2&t~p-)62;0pOH8eULEUSNYIEadE$v@ej|2@Q7bE&nN$S{RNHFk65Ap)~kDI#>nTF*yCRrlgFvUfp%Vao_UDeNY!I zGZhoOLSM2YW1i42pH_!>-5c6%%+7F4a?(88$2-8GMll~7tpK+fg2TY%Xl1%HGdkES zd1`m%Fw)YeIi6XI)oY*^^}%FEM#7xH1N4e@-09OxpKMJlXbL^wPubG2y0g%?R18xm zuUD22-B=->pcHNsivU-&c6C8orbKV}36^eNtIXK<+#kSFg_RXnZC*vKCEP8|J$R74 zDK5<5JRG5hEdOQ8g}XD;{s5N&wuCUl+DXC_V4)P3AL8Zk4xE@Bp@uNI8vLr?T_`#cWyRZIba#L&8spG z?07Dl(nKIyyBX3Eo6#MD_@$!i%oo>WQYkt9qO}{W*25nx>;yQXX~-{vr?nZ+{WilO zEmOGZt*uchn^t9J?)zgdT#?!QnB|++#*V?oKLI%0{UR#W%6-c=5U0!6!7X-un)aQq z9IoG(qW1w`r|n$_2RG&vM~D@6fPmo%zfq3u39keyFa&{)#6QQIV*!RpG_u3W3m1J# z@2&lVPr%61k13VuwIJ3jW{jy!%sg5GHd}#u%}QN{V3+xCA8$F=@nyfB{~@>gzISi~=`4OWN*kifVRfcTO0N@}4qc!u13C99XU zWUOxkq(y_koZu<>XXR8#3vNgN2_OL^aEB4lI$U#L5eFxtae%l=h=U-GOa}bH4){-D ziBMO@6gS2c*trWfw1Dq|Mnn~mz<3jI85JE6z zii0a_3fpOl;}i%fxT!ksq)fLeF!(m=$UXCa(s7CfxQ$xeX;pJ0!v24I=K>d1nLhqA zH|98l%y5$dm6-%#)Ic;9`mZVeOr#8Uw!|e9B?HAmqg6Lrb+fXf1q+1|!wN6CC}k|9 zi%kzHxcy90IdB5+O=Y7s|p7TO_ zJu0DahrD$TkE$_frxya9qrjASjVtJn(Z>aGVLmAS91;)!0zd!=3@ic$tc`iwz{Ly< zYKL|QGnj08HA33U!vpJn0%?E%5C8%|00;m9ATZzwAhTA> zB2YL4y`yBH6;=&su>q5zi1wM-NGmqez+@pac<>v+rj8BxfdK)501yBIKmZ5;0U!Vb z`iX#ngK7Bi1W#K0L!kOT+-0U!VbfB+Bx0*{A4%&Na>bp}0JCIVT(Y@Lpy(=l{<>eD#N zK4v2$SgU5~s4u6P3)+){+&QVH9!Ce00AHX1b_e#7_G_ zvOkF6-~)aTYET9U00AHX1b_e#00IMmz=xBLzxfcc00W>013&~=F>L@00*C+vfB+Bx z0zd!=00AKI2nm1%{0Lz~Q$PR+00AHX1b_e#00IMm09e2SU=TnAAOHk_01yBIK;V7} z%(i<)2eAP6OAYc{AOO~|1t@R|2mk>f00e*l5C8%|U?>w1ZK>M;X7ErRVdxtW00KY& z2mk>f00e+QPXb^8_hbTRfB+Bx0zd!=3{(Q~k(nPuEWkh=9gu5q5_s5!gDWa324}}X zY9IgvfWVL;o!EmwtKb#8Grx~00KauzX@1b zS@lyBpy&GuEK~~wfI$B#u6weDh=_Y4f($?a2mk>fFdzuT{q&9&VgUxkP=F9XU`P=F zYj{WvCv*k~00AHX1b_e#00KbZo&>-Gz9%Bc00e*l5C8%|00;m9ATXo|fCW6Hh7&pi z1c1O0C9o{^fA&Evzz`i==oSzF0*{#hSi_Hb0HApw00e*l5C8%|00;nqM@#@L;71G` zngaqr00;m9AOHk_01$Z01i%7*%mV<;0|6j#4+8HoPkjrq0QZ0dmw^Bf00KbZfeC;$ z{J`j-AP@ioKmZ5;0U!VbfWY7+Alg#50nFgRId&j55C8%|00;m9AOHk_z=IM13;03F zK{+7MuLO$!a&RTY0`x0ls2m6Y0U!VbfB;1RtYNqhfB+Bx0zd!=00AHX1cny@uz-ix zctdZ201yBIKmZ5;0U!VbzygMQV89VbpBWPmu>b>ZSU?~k00e*l5C8&0lK{K_y49Hb z&iWHG<3C>DU}{5||M!?o>3a!_T}@~1wbjVCzqy0AHX*`|(|cA;golV($ul-S7A%4B= zdR9;pK1$N9MY1L7NX-XT8j{8Ko#?XnS%C<{$eT^;j@-y<)}xpfvDk6fd59)+M-;S_s4*^YM5Mp#R!=KTt6ca+b+)dfCC-*tJl5OY zws3M3^}M9GrijdL$h93?|FTeMEQF-Wt&J~N*JBK^qs^A*$1Jk5{A5MmXo}9gaj-$F z#+WnQoRXh+nB4WIBP*}E9%UbUZLGMg7Xlq(Vr0@+SF&b$9`od2N@DGix>N8Oi4#`Q*sfVw+65_xOhm-WHRq^tRs?u}7QOA=y=vZ{GU zn(J-tk1cVTtnGQDTJD0W&3ls}uT+f6?lF!Fth-2Vst&e~fq+7HXqV3-D*w+%@ zpV{MfSC*cTJI|q2arXk~SW~`h-B#7AZJkOSovYrx?%lj*v)m&@Qx+_XSRmz@oqM2N zOU>O!MXJIN-pus<_~U?%>FquW55}xy+4<-tc?ZkXxX>_wUb>#U=b0UmKbvReuPb@|Lr<)D z&yUd?FaBJQ3B1Q|*(F5W@Tvwo(Olfc6zc(s4R3bC2iH&qYY0ZyQ+F*3k~wJ2WQ;kdX$=c#V&MzhN*`L3-Q zD%qwl=QwNR`{VX!mU=~aVe;Ku4{Ji+r%slmQrk1#J`QmV>zHCachlDMOPUM-Zg z5)nV#NU9t8p>tbmR$ZanxJ%FQaP6I>eODId^UnJ76eU#=HN1@1#?R)qWgWR3c7#{* zq7bXB4$9ZA51F{ynNe0!`OML3-!blsSb8PK?QWBimQEt`_t%P9XIVia=E+WrQg<@9 z>VsCtW2;6@W>ak~IdXHx5(i07fLhgtAL@!d#nnqj3R{(H_f;>+=a>4A=$Y|8&yYz! zT+4PGTM{CasBf=LuMEkzE_s$mHW0a(-OnpVBQ5!wx2Z~P%i7&FnD+=AyJI?KzSS2V zzZ!kZ{@5y!FI$zAQ4w;SS2Ew4w8)KbUeL6UhTw;qlVaCPO9aB3O-s_NBSv|Ahir5@ zkvDEcoYiqLmMOQTEqQz04^8Ts?l-(~vQ80{QJEz2SU*ZfXc@DfpK#36yew&P=<%DV z)NM~UTwrc2w6-2paOhFi7yo2%a+6#N9@%}?>M4%a(rsW_LaeN;Md>D~rmEFsW%ayK zEq0;3$-a=m-N!Y*WfHM-98G6n``8I^yw;|ELrH-Q$~U((MtmMSwO89zCC|(_A)D#z zaG!pMaZ#Ud@-^0~QOYy7Zr!@WdE46F+vyt=j@z=26EwX0l%;QV54~Ju{RazwDqHc& zjn$*EvhyL&e7|nS>y**inVOPy8uhraPRm{;Sq5^Xlqa z;7OOgzreY1$N9oe7ne$YxRkeG(;Ujh%aJaA|9z?hn$p}-j_+F9@5^zUBa>$CKT$1P z?D`l~Ann$TuhEhiCbSbI1dRMAWO=xOo3={#JijIXiU z@|sYB22CK`6;A)8wVJ|ahOawv8DbclJ8KMkLtPt*F|$k5ll>&KDT~c2c&6=!eT}C` z;Vho*mgn)M&Xh&v>0vkdcwKR;ei2tkUp=kdWzSYGIn%1-vOUKLJ=;ZKdQTs-*Nw))<|D0{ z+R#Q^Yn*rFj#_so=qvS>&~Z!KZy9}YUQM>h`RB1LjP_b7D-{cKZ=Gt^q$2l^TkK7W^bj0&+whP|wW^P5kXN<>NKi75jSQe>h%w^eRPoxGE zcXr(9+_>&H^=dn;O2=^OHb$0*o`-X75|)TOZ&qhrGPF0;N-RlNlwgL9-^xz~Jh57( z$9d*fHJwXK?m1e$u3RJJTg~v`6ULI3ZUaja-kJSdZCJU!9;@=+XP5oFm8BciV4(}f zR{BP!y)V?pY#hzb!tTH%fb{zA9U145UProKx*#GVz_o7I-%~2?VB6RIea_lVi+SgJ z%msbv392k0!1+j~yb+s<-YPaywG`G-Gm7)n#jBRlhBoyoa98H}x@L?s))$?mw7*K8 zv18YXaw?;Pmnvx(sj{O3JlC1aRxPHc zAZoVSzW=OFQCXrC8t(+%E`Ul5< zpIWT-_0-jqTwj4{(l8YlM+WYlX#LpY zw66xb#P=y**H^>$S@^-TtIqG*RVY}NkeZshZH-s?KX;sH#E|25x7=;bwlBW;BK6~C z&ei#)^n<0QxwO<_@yB1Je)--URo?D=Gc$~CU*P82)jURus!?8t39$U_@4WeXC= z_MfMG#mc%mjX-MhMev+m1tB^(Swvao@;NMx4BD)EVmL<}!Ej zrPrUV|C4n|es$7KJ=uJ_ifdJWregZeUq^i*UwHa9Wu~z4U}x;)udUQRsmiU<`%dBs zk!_@6dD@w*93EeSAwyX&93@=p-u}}hs&19>_`xW2LET2`+LC^dyKXPF`Qp-&vvjo< zPa;h)iYMx>YgnG{w(|wl%|o`{PCau+D7Hl*8N`+9kh9pPSDtKs%QJ~jgdMr1VB_;A z38`oeOi$F^Osd3YP2}O2?)yG{YMbUe1Q!~Dgtn~l+z*jxMs?fOioKUu}x zv~1Fi)#JCYnj?-Q9f?tNOmD<+E(=$ykp*v=8`-@2XtUE?&l_u=tPbM;oL{rYB)UoK zGX;Dm*-SkTP_YnauBF;JCwp)@bR$t&6O^xuTsX1%^+`WJ&5X~kK1yPWn;L>|EpCU* zkT|ld>eM8rt5@rb&s2DQ@r%v&i_aWxEJk%&9D39gpEtRiubMC17dpzDg(okQ?sI1o zYJ;MtcHYikY(D$N>z~&S-lQJz6=gNiHF(B~Nta$5w_4X+VuWDnHn1e2#>3xjuNzZ5 zQBtzRMciuXMzz=l)Nr54Pv2&Ce+xM4aZp+rp zvtfI#NqB#;tHy%GI-hI z8C;^6G84^`_2kLOy6q(?ep?r>U7dhp2~biiNnKge0Wa5o*w}nJeaV@^E){8uXEOItTC~?hD#}y$v`${?A?Y;>MwVSVRc{v=Vl;o-^9d(= zFP(4Sq2_xpJ=m@o^aj0Ndu!WK^pBxy<7hfx3J~nnqYbTA zi`h%5%6L=PZc9KuFlyIrsw?|^wG#P&9eAqJ6Zxf_sZv+3Woy0AMNJ*X86jO@jNNsX zIb;BY#Ma?ralm8L@x-lewR z`x4XB-}8o+iBnwgS?+AItj%bLak)0D-K@}Ap|gDmkI1dlt>)_LRjs*pjj;lk0 z##67cxFZ5Qbe`T$OUGKFSMVVjRbf2O>@k*3PU-;G1A|tz_N($_6($hbXU|1mUfs!( zR!l4jpdLs#^PiVq(lUg`LdqM{zpgJq5w{b^WTOhTE!hgpH^7F{R_qaBQ}7M>?UnZ= z5Qg0@v$5IdNOepkaSY-$m$c`lH^_^5q%w&wI^|7q>ydOP&otC~JP~YW9r{kOr*$hH zJQa`5Yp%jZ2TNEZF20y*PXRi^BF(g97jA4}#)^>`P6;D)w(({)m#FlZkct=95M^lWfLvE(;S!V=^RHkrwk1Nb&65ig}9twnB*A$b+43eAVD zdW^*|sZS;sNvlJKK5K@XjbM!9rb*PRfDeAC4m!du2_9)_=zH|L#|fcmn-%YK+i-L?v3#YmL)W6Ms4Xvb+g}sgU5t(tL$Oz*_qKAjcK8l6m-ioy;r$yvl8vujy6bHWi1bI)9>^H**thHFF$h zE|6yI%CFWeZm-e7caC#L?)k=m00)&kSB_p8x?y$u&#PP)FQ7ZXlLpLj_-(&_lZaUc4k;Na64RhR%N zXIwBVY@#S+X5@S!id2r6_kDy?-M%J$sWAvYv%AJQfLDS8wv3j1wn6 zI1m(+DK1%vVuj6NO*` z{ntj_!ZPTX491MHwg+GKp}7s#|0pZ0ACvv_8#i@+HlQqwdpFnEno@pZcV<4adyz@1 zQfM`Q*w$3tWQqkqYSV4;rZu^lhxfeoBUZoON5(61!vrrz+KLOI=CIdufCB@Z4cpLfKnxUgyS9Eh8@Q;*inI?VWaJ`?Fy0hiG( z0H4*NWw9OvNSzLScE&YUg|M(0oz^f4IR2p~*Vg6KpKPg!k)ElwIiZ{txr7cKFC_U%8Q--+Ntbq_I8>(Elx64ZEFyB^;i$u~H zP%fH-UfpUy#xbgP#e8vlK7nBUOnz$atum5vu;WReQ|8fJh# zXiM6w4bJE=Acc#z$`%L_ z->~T+-W5M1NrY}6?s99dz;o({s|%(dtWvDD7ok(c_4u#@soZCdWlyI2`uRtUlpjhRkW7k6b$-Y8!<>lsKc-^1 zRHa+r+(BnS;aUqKycQt+Sf0BhZu@SxZL2zp-p>xlLF&LpO00{{#RRU-93_fA_C=O3 zS}vllS}AaIHdD&?)562#)!z9ayY`gZ6Q@J0h3M7r=}XhAOx3A1$frxi$7=No^irPB zz-@3brm9EAY{x*Motw(+W~+pW=#wvW9uM{&5q+e&3>!6zr^~ph!<^|rh33{uj2lha zqv%Wgig_iRgjd9i=okj7u~t=KGkdbL6>V}+Cn)R3;z{aa&!jo|YcnRXNAbrvJ|g&O zd(Tp2QH`3xV-PBn3tHP&*31y|)LECbGbWt!C|)6XD`mJ?BTtB`M#&|#FLTsi{^Gcej!q*_OE z*;H9JZ$+@j3c3!W@~StAE}(wz7Pt{**Fs7e$*&*}0~0OEu<*+ox)6rj*(WctPo@s^ z#Yf9yMO;qD~snlS%IGi>HF!BW;*Yw&F`&S2-ZBafPidRa#rx^468r z>BP=lp|-8KPAeWuKm5=&lgMX$%hJ$mgf`%8g>U70S*u8Re6Wai;Pm_-Z0m+ zz3BgY^#l1xmU*q)u`Ay<7Og))wZa}7lF)T63Qe_ur=i|1(kexxtZURb2n0N~{qyf9 zbp0G!Q*LTc;1%GuKl6OGLn$(VHz5O9!$T!JBeunQnM(-KNyYRgWw3O((6)4Sauki{2rG1m-ZgadW0rMOV(GUAsf2cx9N^jlBdW*T%Wr*hEY;OkO1iA7uL zHkjOY-7fX>p$4fCjkH4a5*C`-z*JQYA?cM#*C>@v)ZN%v zZkXlGLm{|5Pj>vy>9#ul)0JJQ4LjOYMok2|!ryKdv$)i6_N;AtvaT1pJ(1nJ4NTdw<##X}zA50gUHHQDw`j53vPwwY*+$Gp-&|etI@DB& z`qFy)gX67YZ+jHUY?+%{OR}syDOa+tu(aW4oq=-JW8|0ryg2Wy3JoHHxvq>6Hk~gV zHM(?-7m6RI{;hBgU~!X{P1q+vha)E&;HzIUTE`r++6 zPM|0{=b2u->cc0hDJ@@~8Ta??g^fJv95-eD;r0(rs!t#v40X9PAv@Src_Q<0xgcN; zH6@@*rt-=&>8S!aWzO&4z6(uE=<7S@J1B61YEM;~djh@095xA`JSEbpYD?;MY9cB= zyCsVqLNAp@6#up-tBKMey{D>EwS;(_DX18gZ%PW;6O>d%%?ZTy)Qy+OSySkbtf@;` zWo+{RW3u?zGhPP{Qi`kPg65qq6Pdm~G0!~c_LrtQ1#jan_>3F4jqAUYiyTJ`y_U&gqkjwo z6|Kj>47NBE{iD0~kY@1FrOzWHO@cl5?3{&77EZ8w+j|8 zo3cG+Yn~cD?k;idQjg?9%x6=Q#MT zSzEn**E_GKXxTR7X0BR0hx)8Sx@@g%$BqwP-*ZQ6GxiS=YZp8gW0=iDuecW;EpyFd ziyehq=GqtkP#=)R{ZWE(ZEZY%t(bnatxCs{Y1J%F&=m15 zYCSGtYOpH$_~lV2spngPt#DtEoe1Ui7Vo-I9sO15B^|>wj8M5_sN(Mq+FWOwu_mxYrU*7jvu+3H)y!q=QWyN21={k&}S zilDJ&N9vwQszpyP0vrCO;4$-&DDGo2rd*5O{cE(2A#xP#3bGaPnR|oP5yvZ>@~PjE zhsbu{^R^<4DGC@J{KIvR?FtcpM2I)v={!|GiV?6xz-iYsGA!e_R5sgFY#V0V`ZLmu z=qW;>FHw{WE|_{{V_&k&1qFqfB?EEOfOmX1XuQB;2DocB?30%?Ye_r7-sdR=CYxspw^U*1fT&RwCzHDh{p^tTt+VFqMaqcwu*7+vdxV8@7~6{Ak-F;v5R*VWW2 z%(i=j?;v!7lL#GihKEb`Tx%4YXKCmugMP+^_6a^9sT4(lQ>&$QHj5j_%R8wCt+Ol^ z3HB`%QB%UiF$q_y!glk~70zH0=yO4Qti{`aV@X1jLz!yG;*Dyl3!PGR+3ST2 z%42C9yA*|kfkwbtwl+e!WBZ%0Q@Y&2Yw_B})XMM9zP=8}zKVJC{9iU%(Eo=wE$Txz z9A+*HIQ;JJ{c>r9)Oo?$h{hc|*1fKxml;CKIZz7SZQ0t89XsM)|L%@aFI`2=6DW_{;@HKzcEr7zNv&W+t#l!y zUTw}?wX}5W_BSFqHV!Cqcq}`=Gs=!GHkAK!TK!#MS;Y4qAGDG}yG03qrk5k9Y7h z*~uR5R|#c3iO+WGv`X;FPj3nSKGHirOwAI{^4^>Av;@^MdCqsqtr3w)T(owuKoGS4 zrM*kh3c;5WGSpSrL8nwxLrxP;U6KXweQABf(RqTO&`c$sF(ElSkk+`SJoMH)NZ854 zH7w)Lt0i4BbUP3&dZ|Qkdfk?s=^Kp;2fK#tdhNqSL*g?zLPdP`(pwm}LeIon^kXz% z{)eGAFpW-OJ#G6k7}gvn3k44|Pz3RyPn4(oVLH*)X7oxvOdU`b2mk>f00bVEfRz>X z_Od?`==uJj3Uva3fkps%f=s(K9el&sW%i|NXIss9z=r$ zq5=UR00e*l5C8%|pkD|evsS}wHCn)0Ci>Wj!8GXGBO)+8iXLDx8GI`y6D?-MM9~EO zBEzGs6fEFJNgLV%0zd!=00AHX1c1PRBw)bWn70k+FA^}Q9ohxVV6v&jwI~lTT9Sjw z;90RyOfZ`<6r8|d0aJqt2?ziIAOHk_01)VJ0_3W{o*D$P0R4?&5Y&%MTrG=0f1iuq zQ8F+lGJ-iBi)5pHCN|QF%``As$Rr;81~FK}gW#qF5rF^@00KY&2mk>f(60mx=nuW} z8&JG26D^H4qHzRc7fijfnnZ z3pE1)AOHj&9fAJ))Ed@^cyyx(EdhbYN8qn-Zr17ydbC0WvV7S(9Y?2Q==5|j1hR?Q z$nZt$wd$x9Inkd|MysWLn3(+V!uFryx~FX51HLCB$N&U@01yBIK;R(>#FafwKrFyR zLWJUvj6mqJ;78WhKxhd3!2@9wKn5TH1c1Q966im-3iyK`c5I+L5C8(b5a>U})k}k& zr;UFKuk#r8fB+Bx0zd!=00AHX1c1O0Cm`BVw*k!HAwI~^Jsf00e*l5EwE9zycmJLkS%L0zd!=00AHX1b_e# z=o103fcu0AG64Y~00i!jfNPf3S%?L=KW2~{2mk>f@K^|dHT+nxL!&?d2mk>f00e*l z5C8&?jljb$99&aV^VnpEhJgSO00Kb3L}1*wai-nhc?){}cLoa80RbRjBG7+|%hW=z z+lO5&xYvr|0uTTK!D1i%7*D11;D2mk>f00e*l5C8%|V9*f&3wY2C83;U(3A{96+D8xzFpx(GWCH>~ z00;m9Akd8fSi{|bz#$L-0zd!=00AHX1c1O0Cjb`k5FcRZ9uNQmKmZ5;0U!VbfIxQw zqAhhBzzptA1&;5Zz}9!)vV&NF`{xEFfB+Bx0zd!=0D;F(0IcE1KL#KH5C8%|00;m9 zAOHk_z@sDp7Vx8_4Q&AdAOHk_01yBIKmZ6lega?tKin9!{a?*_hy{2!hEN&^00AHX z1b_e#00NJX09eD1k3F;u1b_e#00KY&2mk>f@Hhy71^hUuLz_SV2mk>f00e*l5C8&? zkHCXlz+SIrd;_rnk8k9lWgq|qfB+Bx0zd!=0D*@m@Zi?)!?z7J00AHX1b_e#00KY& z2mpacPk`M|O}1VBI%e~6W%t@0g5tM@x^zEl>A0=f?w>vG!dbNVK=3Qp$;7?{wF$=S^ja>kT<<+fXMtgoRnT|OE*QZ{LTKR0R)54IQI7|c{*Oru@iwgZIU9QH3 z_JOgow3sp7f1xCi6Pq5otugRKY`Q-+DUk)=NuK_--dy6@f4-CFULcE`^DkY;Y0r;W z%46{~ziqD;cAP^y{I@U0#7VKDw9Kg3UkmFo!DP?4w1rVVY>cdll6?w`uc2_<`4sAd1bgn; zISU7UXUsZa$&fO;{J^_bUjjk@R378PDkd_oxN)cpcFuKcCGa>AIX>W1`s$5^M{YOql7 zfljgggT0E_obKB3e(K`dILTLykr<1#+)l~5EIWihm?@88cO%mWp*W$hJ{3yk)8_0i z3FVJh{Bh*Nbgd694x}u~Tbut^mEt87bD5A11`Q30Y zSRm--m;HdFKwMMAUJ!*&z=sj@fi(UPB#V3Wm+w7oX2MdHIB!gRiqp%zai5Ji|2Z)s zn6j!{YtMZBZt|yxCic;(a-Z!$_TC7Pip{bdc~m$NGX|5Nlli5`_{C5LXlH6n3`|Rx zN__-G$2r_@p~7IYmq3vamX_6OfBiM^h9A`!JTPRvIYqg8s%P@?oJR| z!R(hR^PcR|SZ66}Pw>ZA6q)Ww-;j#RMA>dxlths!_0QaBpe||)q7wY&G9pjfp^y~m z`+Qz*4BW9$o+pvuq&zb(DtxzJH~v`S&Jo8_y0JU zJJelv^E;^fwf;CJ&h1U!d#Xx>>gI{(E{_hKjBd=f+EZUArT@24gJB%OgrJoxpBvw) zOxvpdot$*&B62NjFoE}rtD~Rm)fLbm0zaxc^_3T^!;jxAA~BN9k@-E5=4Xv-Z^!JS z{lWZNpKqGOXX1I6$x3A#IZBlI;wUozlI*fhS@Em1`iY`H3OatBl)&1SlnVygi}vCC z2HCmRm<6-}r)`NzxuTe6k5}B5w`wXee&V8Wp~&G%-cHP_jH}j=7$&s0OMFoxGg;)# z6_d55oTzN#fLJ;vq7%pVs!j**vDYV-$_71u(KHWjHc zQp=EzcS&F1D0zTe%z9+_G=9vH+X}4{Do#{f3qRVFr^awLJJ45>GTq$k+>;wmo@Y*m zFF$)V{C{sNFeb+5$IgEu#uW*qEh@Mgntz+XInuGV(msx{MNnEY?eLY@%UT>~`};an zo@|i4>J=lPPIg7~a1PyG#txC`PFqFU!wR9GIdLVQX_9=g$9gIbiEzA_j++F7MLQBd)XtZ;{`=aQ_Q(G zS+G~4hp{6ZsmIuyMLOv}tJC}@#b~cf_qHZRO9Rn;qE*GE%5&yEnOJ+J^ZuN98{NR& zrNVB9CzoR{dZ$sZJM;zrDv@Ds@+l2|S*`V0h4dTy%$J>tj{dF~`#8{$?e`!+6l|gW z!ErFr^2F_KkaB%c}FY5V+T2d(+Nph6m8*2eKv>Y$x><({Um17 z4(^{A6(em7&-?|=Bt4Q=o|2g&e6~PljYeKUU_y~u(QdhkD=|?DS>{41t}RNxLioQB zMSXpm#zm6Q zQ2WhkjRcwuyGhk?NLI$iR7pO2BR$H2K8H(Xfth)tOhxZK>L@$tb{bCpG=1q(%;_2> zdHvYpw66wT7w#@_e|rbJw%+j5XUS(AmdB@}6d%et{@KoRt;kD!=##InOnfU5o&0>` zT;+k!_FnFMJ5Cg&9H^c39#!JYk6z-H9KV7}4824WQHKdpfETfDs^Z0w1t%-h%%e%z zY)p42oh3>Sn^+X_gkNoKY_;CUe_Wg$!*}i^c{lSHJ;~PINN3wdIkBZv97R_Z1)Um6 zms5eqEuL5qIWYxqj?GsgD^~u$6|qX&yqKxPx`~_FH^YxBJF?rjie%XBxT|Q6LP?!j z)aK*kD5|cCxn`Xn?W2g9S~M3gxTsWg4hNZXw1J#CK@sCa#EcKu5$W~x!((TLzU?6& zaA7MxN=RAHEe)ZEnsEOKM2t`6%Z`eZa@U(X-r*t75qIcn z4(eW$BK#yNd)ZqN?Ug=(%xR{d_3t5?Wl)OJil}QmM58i#yzE;2N%Uq7y|B9*qI)#c z`{kZv*9&dkogDt?oL46nMY;LcUXLn8@9fCLgOxdU;>s8wMYLOBZM7^P&Ff5ztuMRW z=Ks7j?^Uk?Uwz8)`byj`E!alDwatl=cACGa{EeFh*vP1HUF>+=#X-hzORqNG9^C}* zG78kxU_q*GMW{pERg&(*7K|Mye^o54y~~|up)8ylm;^W+O=C%w_sWg$eZ1|xAkFc; zr)rVc>fQ1gVoJ?vskP;CP%* zXnsMLinK*>Kj!(pu-WL}rCQXsSBfK3RxOt!Cs7NjB+|o^CBiMZC{Y$Gr>7umzfd24 zx&dTl=OKeVa11&k6eLlU=P!-J@huX+@6w7)wY68;WkV{iq@=a@gi9q|PIn%>A&&gX zEEa&2%k%2(qe6|QaCqJIos8%Kj?mZ6nITk1A+ zf3E7+9=2XNUB!EP`2_lLOZZgK1kOKBRkew)oNIKL8%Xd5^sicA7iFhFHm!eq1T4d6iY=`)SdvjJq6ujSrgW|sF`G%ZjQfx0 zkQdvKf@=Rgv-vR-SbpaS#RNx@@>YrxkD0*5lw4u!?UW0IaDt80L!9Y>WYWsp!7)VE zn7s5xrk$hzXkOHd?D>4&2^8*7bUL zk&2ves?j1hlT({={+??l$GL^mfgz&tqR``)Qfjq6t<7>9VLBaLEgC11@s&lU`g-45 z1f?yyND9Y}rF|A$*&pmYFVotc+Y?dm75DW@&#~iJpxuP3<3>%OZxuFQ=E6+7e1{xI zrrorPStO)>cx>x%KYVlk%}Re1tj~0EwKsbFMfO}=-KNlD^zG4ICbCtBZak{Ed1AAr zTr5Xvz)(&1PCcaZV%?)qzhJyan{fGo2wX{C@k(-MN%yzDe9yh}ki(lWcLJ@=1THQd zRW0?lV&dx0KX0?5PFguXHBpdLi+(vKrQcbyeXs67%qs`l_XSVA`nIt$$LHSra;_Dh za@7haJnev`Hy}Skhjr51)t9p8z zi3r6n$kGBst>rmJYZ=27^4K(XOo2PCY}itnyD%{?uE0Ic4@C>-rB`7>5=kQTU-qOZ z)ITavh`iO|{s&~DHwt1pMxMxwN{hw(ayBDfrWN{0Lxqx<%|1Rjk+*qYVBmKWc_<1V zHc!fbeLI5DeuC@!RAy+`%jQ|pKG{NW@!=8>%rIaKgMo!p^Do+A>NVW>GdAiLmO;m4 zFnnF@epoua8=t{-_(&~a7165UIq)crMJ2wFqp4Dro!ljn^-ZzI>nS@1C3Ty+(|kn7OdlURNm_lT z(mwEFW2KWQ&>F+7UGx4_8+We8|37Nd&L(!Q1cgPIYUGB8cwi^%5`XyZPpz!kPr9Vc zcck9Q8&liml=UB;M!_!}hi5j#M~ye#2lUmBz+kfen%`c+-)|IcR$_!wr*3WZPoyk6 zIvH?R)OiyN>>k{RR)g|JxhSE%FsZ}*S`Cyvhr*bRg0a~mR)_rU*(`1>fijS4gV2f9 zJ~Qxf;~3$idm`#|rxK^$joEpH3ITFonfTtU?#i~~gAGau+Wl<;*kkN0(ME+>Op$4n zQ4z9LPmm~(P92kaKDNDM28_=`QyNM**YsM*)Jl7nt{a@s!AUi`Ig!h|GikMQH43Ha z7>mv;7WR5bMRpFNh3x3m-7#7&17{x(0Ske_gqb89j_LmAU>xI1gx1T)_Z~QYu>q+A zOw*{u+|9E0*zE`mMv=ki4t)CV-x}ZhC{&C!lpOl{`{G)a234=D)9@yn7i{b8Y7b#F zDy4?wZc;~9d}LF%HKJIHx&!MY4;cm5s5AmGGTbp!F7uX#!9I>+5J(gW*PcjZh6?){ zYk#J*&^<1#{eHov)8bS^t#Gbh*~QOGtBPU@)?73(_)WJ}CHNiHxewLc)dCBDJDYLHUMo-+^otpUBJ zrJV#w8zIvG?RF?oE0?E3S3ez!wGqXKKKbmk0}~UM54q4_;$nrYh?(;0Bsx-;kR?|> z=wRsO7jDR(aJyx6_@P>~%FyKM^d`sHE~c%idaY{nq3S#jkAlVMi+{a5?^mCzrc1`H zlVg-!L(0WwqEzcYTSzMfro>}R3i?M`pXGsBm44Arbe6%b!{?6=pO2AEH)H;JHT2xb zBBLdXa#)QI`zSG#n*TT)VXrd@?&O>@;iiAqjVOAV3Za0*wGkGq8Y}H=19j@Q@#tRM zm_h-|$$h!+QWmDwASF)Ob6QQM`YsN2Q>&IiF>o#ez2hT|Uh`IxXt!T`A{y^+ z`l$*1{+j4bTLBzi7xS0Rk#co%C91+?m6Bu;$&d(oH!*wCMs9bVt`fbkqURGrt;e}6 zG*<~(+|B4C%r5UO^?9bw-E)hNvh~BN6EAB5y-cPI@`cnkX0~!;Tsau(Kc=Vtqmo{s zv&6H9RJ4F}QMwqZ)Aulm?}m{s1pf_E0%#$je;jCh@uT?XsQBK?DQ|q(*teeWU8V)i zbvT|=+!)IH?bFZBi2wQ#?WiSAz4ONR=2bMDy4zLroak#50jJaJ(ni!aVh(6l;<$z; ze%#{;wM)t2aq#)Cs{b>K1;8aDk)l#g%%n|Ptvs(qD0S$f$$G~^7M;t%B$>vL2P#`j zQ2`}gF)RK^CT=lCrwNbIOVt0<~bNF+WTvXX4m+s@85I`?pEzwnvtW z(p2qz_np1JQ6;Q|VzIDuE`B5uKdMGZQbV$>qWtpv&ePU*iRdfMBV|#g=-Wl=5kh|Hn(R=M&_^7F zp0bc5T&F28LauGfX@8s3F$%_NdPv1)A?v@gi5^+BR9dy6T_)stQfr8NV(b(S_68jR zjS{(F9b5!R&m*0meNm-B9@oC~0{KL8j@R+TV)WXO`lwCpLTMnPIQ!pqm`0;Po|g7> z_p7E{^cF=tcw-l{3mQ=A*5a@K_P3oSD#yvQ9O|-iF4OmN>u*_~CjC^~rO@y?zm3cLU#9h*1?~;v)vabRYD=BS6)TG49 zN&jictfdm!n2AhVvtVPg2>EsQrB@=I(~`IO#~jJDC@Gt)L{SjCVscuj67r(hG}13h zBEra=sPuH7g?XLkFLk{jcAtM}0j;51^5TBV6S;?XzM`bs?3zez2v23wqo{?Yv!^cHaMzIf?k%lt1^x_C}?8x&X{oet1-cZxzT?fa?W7HLWGtzE2{KM zBqRckzu(xz@#QZcy5zHX^j!ymbdZd>V_OC}|DEMbgd$Ni*5{A;lV<&q<&g@b2%rca?4 z?Xb3uo7NEi&tLNd9MLFinH{5m>X6y}Ip4BW;r_OnN9EEYj)>2fJ;BaFE@9Nrc%k%M zwR1A@?=TB@nvoRzKgbF2z5o28__NR6cwHb6hy%lxKU4LOo$r3_u(~6zvupp%VuGoa zgO~huIW=(vhWefRdVOTJK;SYhbor91e|)p$Gx2+Y#-c8kuLgCk*m%UBw(_mo_m$ZxzCD@ro6zxZ?9}jPNwE64O%^7*79fvs4XdjxmgkGjh ztH}8&D&5at<{&D{@tIOcdjK$O&W9*~+jqyC1=M0_T0&0ZA~T;1E=kOp9~GW%`;Hpp zawp6Db5f)zAC(C7Q5)`W=6uC{X2!|V!=)d-tY(R4`=n>il%Q-r&t|5ygokfsppQrd zf78MsdBtDHJRK#a5y@hcr^h~Tp zKSuNAe;9fL)93@%)AlZdVa;K(P^>Tm1q=`RL^-wxeJ7v;{YrrPI~5i9pS;ZMp?+;| z&{nRj_epJt=^l9SXuH!yEtM7*JyC{C+<}t@rc?um4@fdF3H)o3LyTE0z`zs|qyhr{ zLjZY#KYHoa^H;yoGcZrjSJ;97{llvZ@BH##)Ee)}Dd+a=+VfT2g)4O^Xn2mq=F9*5 zpJLN<{UgXDsYx#2A=T znF$EH-3a_L^Qlb`3(yS;90Gx1MZkcyF>f2Vn1Mm<(C%OclT9y8K-<1-CWB|iLh-?D z2C|$7eFAHE&<`PW00;m9AOHk_01yBI4@m%-wOST|!XfA#B?B$rX+TSynhZs>&%{Pr zv6%)Y3z@-#-v~B!>>;s1aUcK$fB+Bx0zd!=0D(bEz`((@{00>7%S6kejc6Q!*-@(r zSs9n7HEag2Usqnf_qZpzSWb`0?PC9wY|>KmZ8*t_1eBFy#;n@Vg>~ z%76e67<>d`R{c$@Gw9I@5y%Q=>vSBQj)7LPq=F%keauEiuvX2|QR{o7zoLv*PK*EI z%fZ)4bBRS;>NbE=*qjLL0|6ia1b_e#00KZ@I1&hpcxhO58x{^8R>KXQ1p+_-2mk>f z00e*l5I}LykbnRX814ifFkA_MH9TBL9{LRgfB+Bx0zd!= z0D<9304(6)I`YtOAOHk_01yBIKmZ5~R{~%G57&{0ej5q=9d|*0`&fcK_w1a7zyt^Y z0U!VbfB+B}egwc89)4pEJq7|m00;m9AOHk_!0;vj7Vz*Mf9O3B00KY&2mk>f00f2~ z0kD9F-Ry7@l`L^cn~N0U!VbfB+Bx0$m7* zw$yDHo+fb@3~&GhfB+Bx0zd!=00AH{tO$SwJgkNrItv7V01yBIKmZ5;f#F3UB1e4k zuCV}M4G*sy0(uJsfB+Bx0zd!=00AHX7BJicKmZ5;0U!VbfB+Bx0>g^{Sir+;yrH*1 z00;m9AOHk_z_1~3uqGq^uCV~ahQwVv3fAyl@xVnO00e*l5C8%|00;nqAx8i#;2}4p z&>f00e*l5O|CPzyf}Z@S$lS00e*l5C8%|00;nq$3Orq;Ku+Rngjws z00;m9AkcpV(*Ad>Kg0s`A77|>$PoZ*c*qSYbO;Cl0U!VbfB+Bx0zlxd1Q=FNs4Kt> zzAGcR2n2ut5C8%|00;m9ATZvk1b_e#7?uQ1{pI><3={Z0_w1a7!x8{= z8VCS^2PD9Lz;aLw2mk>f00f2&ftHq*=H}+Mwl=+9KWsYvcsh#XxUH@2h!G>YH4j73 o4ambB_6GT3>V&d`j(}a$i;LfQXXFQz;Lptqe)iD+gunm)0c-z^9smFU literal 0 HcmV?d00001