mirror of
https://github.com/bitcoinbook/bitcoinbook
synced 2024-12-23 15:18:11 +00:00
4877 lines
191 KiB
Plaintext
4877 lines
191 KiB
Plaintext
++++
|
||
<?hard-pagebreak?>
|
||
++++
|
||
|
||
= Appendix: Selected Bitcoin Improvement Proposals (BIPs)
|
||
|
||
== Introduction
|
||
|
||
A Bitcoin Improvement Proposal, or "BIP" is a design document that, through a process of comment, review and community consensus can become an influential standard for the improvement of the bitcoin system. This appendix contains a number of selected BIPs that are important in the history and future of bitcoin. The original BIPs can be found on github at https://github.com/bitcoin/bips, which is considered the authoritative source for BIPs. They are included here as a handy reference.
|
||
|
||
++++
|
||
<?hard-pagebreak?>
|
||
++++
|
||
|
||
= BIP 1: BIP Purpose and Guidelines
|
||
|
||
-----------------------------------
|
||
BIP: 1
|
||
Title: BIP Purpose and Guidelines
|
||
Status: Accepted
|
||
Type: Standards Track
|
||
Created: 2011-08-19
|
||
-----------------------------------
|
||
|
||
[[what-is-a-bip]]
|
||
What is a BIP?
|
||
~~~~~~~~~~~~~~
|
||
|
||
BIP stands for Bitcoin Improvement Proposal. A BIP is a design document
|
||
providing information to the Bitcoin community, or describing a new
|
||
feature for Bitcoin or its processes or environment. The BIP should
|
||
provide a concise technical specification of the feature and a rationale
|
||
for the feature.
|
||
|
||
We intend BIPs to be the primary mechanisms for proposing new features,
|
||
for collecting community input on an issue, and for documenting the
|
||
design decisions that have gone into Bitcoin. The BIP author is
|
||
responsible for building consensus within the community and documenting
|
||
dissenting opinions.
|
||
|
||
Because the BIPs are maintained as text files in a versioned repository,
|
||
their revision history is the historical record of the feature proposal
|
||
.
|
||
|
||
[[bip-types]]
|
||
BIP Types
|
||
~~~~~~~~~
|
||
|
||
There are three kinds of BIP:
|
||
|
||
* A Standards Track BIP describes any change that affects most or all
|
||
Bitcoin implementations, such as a change to the network protocol, a
|
||
change in block or transaction validity rules, or any change or addition
|
||
that affects the interoperability of applications using Bitcoin.
|
||
* An Informational BIP describes a Bitcoin design issue, or provides
|
||
general guidelines or information to the Bitcoin community, but does not
|
||
propose a new feature. Informational BIPs do not necessarily represent a
|
||
Bitcoin community consensus or recommendation, so users and implementors
|
||
are free to ignore Informational BIPs or follow their advice.
|
||
* A Process BIP describes a process surrounding Bitcoin, or proposes a
|
||
change to (or an event in) a process. Process BIPs are like Standards
|
||
Track BIPs but apply to areas other than the Bitcoin protocol itself.
|
||
They may propose an implementation, but not to Bitcoin's codebase; they
|
||
often require community consensus; unlike Informational BIPs, they are
|
||
more than recommendations, and users are typically not free to ignore
|
||
them. Examples include procedures, guidelines, changes to the
|
||
decision-making process, and changes to the tools or environment used in
|
||
Bitcoin development. Any meta-BIP is also considered a Process BIP.
|
||
|
||
[[bip-work-flow]]
|
||
BIP Work Flow
|
||
~~~~~~~~~~~~~
|
||
|
||
The BIP editors assign BIP numbers and change their status. Please send
|
||
all BIP-related email to the BIP editor, which is listed under
|
||
link:#BIP_Editors[BIP Editors] below. Also see
|
||
link:#BIP_Editor_Responsibilities__Workflow[BIP Editor Responsibilities
|
||
& Workflow].
|
||
|
||
The BIP process begins with a new idea for Bitcoin. It is highly
|
||
recommended that a single BIP contain a single key proposal or new idea.
|
||
Small enhancements or patches often don't need a BIP and can be injected
|
||
into the Bitcoin development work flow with a patch submission to the
|
||
Bitcoin issue tracker. The more focused the BIP, the more successful it
|
||
tends to be. The BIP editor reserves the right to reject BIP proposals
|
||
if they appear too unfocused or too broad. If in doubt, split your BIP
|
||
into several well-focused ones.
|
||
|
||
Each BIP must have a champion -- someone who writes the BIP using the
|
||
style and format described below, shepherds the discussions in the
|
||
appropriate forums, and attempts to build community consensus around the
|
||
idea. The BIP champion (a.k.a. Author) should first attempt to ascertain
|
||
whether the idea is BIP-able. Posting to the
|
||
http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development[bitcoin-development@lists.sourceforge.net]
|
||
mailing list (and maybe the
|
||
https://bitcointalk.org/index.php?board=6.0[Development&Technical
|
||
Discussion] forum) is the best way to go about this.
|
||
|
||
Vetting an idea publicly before going as far as writing a BIP is meant
|
||
to save the potential author time. Many ideas have been brought forward
|
||
for changing Bitcoin that have been rejected for various reasons. Asking
|
||
the Bitcoin community first if an idea is original helps prevent too
|
||
much time being spent on something that is guaranteed to be rejected
|
||
based on prior discussions (searching the internet does not always do
|
||
the trick). It also helps to make sure the idea is applicable to the
|
||
entire community and not just the author. Just because an idea sounds
|
||
good to the author does not mean it will work for most people in most
|
||
areas where Bitcoin is used.
|
||
|
||
Once the champion has asked the Bitcoin community as to whether an idea
|
||
has any chance of acceptance, a draft BIP should be presented to
|
||
http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development[bitcoin-development@lists.sourceforge.net].
|
||
This gives the author a chance to flesh out the draft BIP to make
|
||
properly formatted, of high quality, and to address initial concerns
|
||
about the proposal.
|
||
|
||
Following a discussion, the proposal should be sent to the Bitcoin-dev
|
||
list and the BIP editor with the draft BIP. This draft must be written
|
||
in BIP style as described below, else it will be sent back without
|
||
further regard until proper formatting rules are followed.
|
||
|
||
If the BIP editor approves, he will assign the BIP a number, label it as
|
||
Standards Track, Informational, or Process, give it status "Draft", and
|
||
add it to the git repository. The BIP editor will not unreasonably deny
|
||
a BIP. Reasons for denying BIP status include duplication of effort,
|
||
being technically unsound, not providing proper motivation or addressing
|
||
backwards compatibility, or not in keeping with the Bitcoin philosophy.
|
||
|
||
The BIP author may update the Draft as necessary in the git repository.
|
||
Updates to drafts may also be submitted by the author as pull requests.
|
||
|
||
Standards Track BIPs consist of two parts, a design document and a
|
||
reference implementation. The BIP should be reviewed and accepted before
|
||
a reference implementation is begun, unless a reference implementation
|
||
will aid people in studying the BIP. Standards Track BIPs must include
|
||
an implementation -- in the form of code, a patch, or a URL to same --
|
||
before it can be considered Final.
|
||
|
||
BIP authors are responsible for collecting community feedback on a BIP
|
||
before submitting it for review. However, wherever possible, long
|
||
open-ended discussions on public mailing lists should be avoided.
|
||
Strategies to keep the discussions efficient include: setting up a
|
||
separate SIG mailing list for the topic, having the BIP author accept
|
||
private comments in the early design phases, setting up a wiki page or
|
||
git repository, etc. BIP authors should use their discretion here.
|
||
|
||
For a BIP to be accepted it must meet certain minimum criteria. It must
|
||
be a clear and complete description of the proposed enhancement. The
|
||
enhancement must represent a net improvement. The proposed
|
||
implementation, if applicable, must be solid and must not complicate the
|
||
protocol unduly.
|
||
|
||
Once a BIP has been accepted, the reference implementation must be
|
||
completed. When the reference implementation is complete and accepted by
|
||
the community, the status will be changed to "Final".
|
||
|
||
A BIP can also be assigned status "Deferred". The BIP author or editor
|
||
can assign the BIP this status when no progress is being made on the
|
||
BIP. Once a BIP is deferred, the BIP editor can re-assign it to draft
|
||
status.
|
||
|
||
A BIP can also be "Rejected". Perhaps after all is said and done it was
|
||
not a good idea. It is still important to have a record of this fact.
|
||
|
||
BIPs can also be superseded by a different BIP, rendering the original
|
||
obsolete. This is intended for Informational BIPs, where version 2 of an
|
||
API can replace version 1.
|
||
|
||
The possible paths of the status of BIPs are as follows:
|
||
|
||
Some Informational and Process BIPs may also have a status of "Active"
|
||
if they are never meant to be completed. E.g. BIP 1 (this BIP).
|
||
|
||
[[what-belongs-in-a-successful-bip]]
|
||
What belongs in a successful BIP?
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
Each BIP should have the following parts:
|
||
|
||
* Preamble -- RFC 822 style headers containing meta-data about the BIP,
|
||
including the BIP number, a short descriptive title (limited to a
|
||
maximum of 44 characters), the names, and optionally the contact info
|
||
for each author, etc.
|
||
|
||
* Abstract -- a short (~200 word) description of the technical issue
|
||
being addressed.
|
||
|
||
* Copyright/public domain -- Each BIP must either be explicitly labelled
|
||
as placed in the public domain (see this BIP as an example) or licensed
|
||
under the Open Publication License.
|
||
|
||
* Specification -- The technical specification should describe the
|
||
syntax and semantics of any new feature. The specification should be
|
||
detailed enough to allow competing, interoperable implementations for
|
||
any of the current Bitcoin platforms (Satoshi, BitcoinJ, bitcoin-js,
|
||
libbitcoin).
|
||
|
||
* Motivation -- The motivation is critical for BIPs that want to change
|
||
the Bitcoin protocol. It should clearly explain why the existing
|
||
protocol specification is inadequate to address the problem that the BIP
|
||
solves. BIP submissions without sufficient motivation may be rejected
|
||
outright.
|
||
|
||
* Rationale -- The rationale fleshes out the specification by describing
|
||
what motivated the design and why particular design decisions were made.
|
||
It should describe alternate designs that were considered and related
|
||
work, e.g. how the feature is supported in other languages.
|
||
|
||
* The rationale should provide evidence of consensus within the
|
||
community and discuss important objections or concerns raised during
|
||
discussion.
|
||
|
||
* Backwards Compatibility -- All BIPs that introduce backwards
|
||
incompatibilities must include a section describing these
|
||
incompatibilities and their severity. The BIP must explain how the
|
||
author proposes to deal with these incompatibilities. BIP submissions
|
||
without a sufficient backwards compatibility treatise may be rejected
|
||
outright.
|
||
|
||
* Reference Implementation -- The reference implementation must be
|
||
completed before any BIP is given status "Final", but it need not be
|
||
completed before the BIP is accepted. It is better to finish the
|
||
specification and rationale first and reach consensus on it before
|
||
writing code.
|
||
|
||
* The final implementation must include test code and documentation
|
||
appropriate for the Bitcoin protocol.
|
||
|
||
[[bip-formats-and-templates]]
|
||
BIP Formats and Templates
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
BIPs should be written in mediawiki or markdown format. Image files
|
||
should be included in a subdirectory for that BIP.
|
||
|
||
[[bip-header-preamble]]
|
||
BIP Header Preamble
|
||
~~~~~~~~~~~~~~~~~~~
|
||
|
||
Each BIP must begin with an RFC 822 style header preamble. The headers
|
||
must appear in the following order. Headers marked with "*" are optional
|
||
and are described below. All other headers are required.
|
||
|
||
-------------------------------------------------------------------
|
||
BIP: <BIP number>
|
||
Title: <BIP title>
|
||
Author: <list of authors' real names and optionally, email addrs>
|
||
* Discussions-To: <email address>
|
||
Status: <Draft | Active | Accepted | Deferred | Rejected |
|
||
Withdrawn | Final | Superseded>
|
||
Type: <Standards Track | Informational | Process>
|
||
Created: <date created on, in ISO 8601 (yyyy-mm-dd) format>
|
||
* Post-History: <dates of postings to bitcoin mailing list>
|
||
* Replaces: <BIP number>
|
||
* Superseded-By: <BIP number>
|
||
* Resolution: <url>
|
||
-------------------------------------------------------------------
|
||
|
||
The Author header lists the names, and optionally the email addresses of
|
||
all the authors/owners of the BIP. The format of the Author header value
|
||
must be
|
||
|
||
` Random J. User `
|
||
|
||
if the email address is included, and just
|
||
|
||
` Random J. User`
|
||
|
||
if the address is not given.
|
||
|
||
If there are multiple authors, each should be on a separate line
|
||
following RFC 2822 continuation line conventions.
|
||
|
||
Note: The Resolution header is required for Standards Track BIPs only.
|
||
It contains a URL that should point to an email message or other web
|
||
resource where the pronouncement about the BIP is made.
|
||
|
||
While a BIP is in private discussions (usually during the initial Draft
|
||
phase), a Discussions-To header will indicate the mailing list or URL
|
||
where the BIP is being discussed. No Discussions-To header is necessary
|
||
if the BIP is being discussed privately with the author, or on the
|
||
bitcoin email mailing lists.
|
||
|
||
The Type header specifies the type of BIP: Standards Track,
|
||
Informational, or Process.
|
||
|
||
The Created header records the date that the BIP was assigned a number,
|
||
while Post-History is used to record the dates of when new versions of
|
||
the BIP are posted to bitcoin mailing lists. Both headers should be in
|
||
yyyy-mm-dd format, e.g. 2001-08-14.
|
||
|
||
BIPs may have a Requires header, indicating the BIP numbers that this
|
||
BIP depends on.
|
||
|
||
BIPs may also have a Superseded-By header indicating that a BIP has been
|
||
rendered obsolete by a later document; the value is the number of the
|
||
BIP that replaces the current document. The newer BIP must have a
|
||
Replaces header containing the number of the BIP that it rendered
|
||
obsolete. Auxiliary Files
|
||
|
||
BIPs may include auxiliary files such as diagrams. Such files must be
|
||
named BIP-XXXX-Y.ext, where "XXXX" is the BIP number, "Y" is a serial
|
||
number (starting at 1), and "ext" is replaced by the actual file
|
||
extension (e.g. "png").
|
||
|
||
[[transferring-bip-ownership]]
|
||
Transferring BIP Ownership
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
It occasionally becomes necessary to transfer ownership of BIPs to a new
|
||
champion. In general, we'd like to retain the original author as a
|
||
co-author of the transferred BIP, but that's really up to the original
|
||
author. A good reason to transfer ownership is because the original
|
||
author no longer has the time or interest in updating it or following
|
||
through with the BIP process, or has fallen off the face of the 'net
|
||
(i.e. is unreachable or not responding to email). A bad reason to
|
||
transfer ownership is because you don't agree with the direction of the
|
||
BIP. We try to build consensus around a BIP, but if that's not possible,
|
||
you can always submit a competing BIP.
|
||
|
||
If you are interested in assuming ownership of a BIP, send a message
|
||
asking to take over, addressed to both the original author and the BIP
|
||
editor. If the original author doesn't respond to email in a timely
|
||
manner, the BIP editor will make a unilateral decision (it's not like
|
||
such decisions can't be reversed :).
|
||
|
||
[[bip-editors]]
|
||
BIP Editors
|
||
~~~~~~~~~~~
|
||
|
||
The current BIP editor is Gregory Maxwell who can be contacted at
|
||
gmaxwell@gmail.com.
|
||
|
||
[[bip-editor-responsibilities-workflow]]
|
||
BIP Editor Responsibilities & Workflow
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
A BIP editor must subscribe to the Bitcoin development mailing list. All
|
||
BIP-related correspondence should be sent (or CC'd) to
|
||
gmaxwell@gmail.com.
|
||
|
||
For each new BIP that comes in an editor does the following:
|
||
|
||
* Read the BIP to check if it is ready: sound and complete. The ideas
|
||
must make technical sense, even if they don't seem likely to be
|
||
accepted.
|
||
* The title should accurately describe the content.
|
||
* Edit the BIP for language (spelling, grammar, sentence structure,
|
||
etc.), markup (for reST BIPs), code style (examples should match BIP 8 &
|
||
7).
|
||
|
||
If the BIP isn't ready, the editor will send it back to the author for
|
||
revision, with specific instructions.
|
||
|
||
Once the BIP is ready for the repository, the BIP editor will:
|
||
|
||
* Assign a BIP number (almost always just the next available number, but
|
||
sometimes it's a special/joke number, like 666 or 3141).
|
||
|
||
* Add the BIP to the https://github.com/bitcoin/bips[bitcoin/bips]
|
||
repository on GitHub.
|
||
|
||
* List the BIP in README.mediawiki
|
||
|
||
* Send email back to the BIP author with next steps (post to bitcoin
|
||
mailing list).
|
||
|
||
Many BIPs are written and maintained by developers with write access to
|
||
the Bitcoin codebase. The BIP editors monitor BIP changes, and correct
|
||
any structure, grammar, spelling, or markup mistakes we see.
|
||
|
||
The editors don't pass judgement on BIPs. We merely do the
|
||
administrative & editorial part. Except for times like this, there's
|
||
relatively low volume.
|
||
|
||
[[history]]
|
||
History
|
||
~~~~~~~
|
||
|
||
This document was derived heavily from Python's PEP-0001. In many places
|
||
text was simply copied and modified. Although the PEP-0001 text was
|
||
written by Barry Warsaw, Jeremy Hylton, and David Goodger, they are not
|
||
responsible for its use in the Bitcoin Improvement Process, and should
|
||
not be bothered with technical questions specific to Bitcoin or the BIP
|
||
process. Please direct all comments to the BIP editors or the Bitcoin
|
||
development mailing list.
|
||
|
||
++++
|
||
<?hard-pagebreak?>
|
||
++++
|
||
|
||
= BIP 11: M-of-N Standard Transactions
|
||
|
||
--------------------------------------------------
|
||
BIP: 11
|
||
Title: M-of-N Standard Transactions
|
||
Author: Gavin Andresen <gavinandresen@gmail.com>
|
||
Status: Accepted
|
||
Type: Standards Track
|
||
Created: 2011-10-18
|
||
Post-History: 2011-10-02
|
||
--------------------------------------------------
|
||
|
||
[[abstract]]
|
||
Abstract
|
||
~~~~~~~~
|
||
|
||
This BIP proposes M-of-N-signatures required transactions as a new
|
||
'standard' transaction type.
|
||
|
||
[[motivation]]
|
||
Motivation
|
||
~~~~~~~~~~
|
||
|
||
Enable secured wallets, escrow transactions, and other use cases where
|
||
redeeming funds requires more than a single signature.
|
||
|
||
A couple of motivating use cases:
|
||
|
||
* A wallet secured by a "wallet protection service" (WPS). 2-of-2
|
||
signatures required transactions will be used, with one signature coming
|
||
from the (possibly compromised) computer with the wallet and the second
|
||
signature coming from the WPS. When sending protected bitcoins, the
|
||
user's bitcoin client will contact the WPS with the proposed transaction
|
||
and it can then contact the user for confirmation that they initiated
|
||
the transaction and that the transaction details are correct. Details
|
||
for how clients and WPS's communicate are outside the scope of this BIP.
|
||
Side note: customers should insist that their wallet protection service
|
||
provide them with copies of the private key(s) used to secure their
|
||
wallets that they can safely store off-line, so that their coins can be
|
||
spent even if the WPS goes out of business.
|
||
|
||
* Three-party escrow (buyer, seller and trusted dispute agent). 2-of-3
|
||
signatures required transactions will be used. The buyer and seller and
|
||
agent will each provide a public key, and the buyer will then send coins
|
||
into a 2-of-3 CHECKMULTISIG transaction and send the seller and the
|
||
agent the transaction id. The seller will fulfill their obligation and
|
||
then ask the buyer to co-sign a transaction ( already signed by seller )
|
||
that sends the tied-up coins to him (seller). +
|
||
If the buyer and seller cannot agree, then the agent can, with the
|
||
cooperation of either buyer or seller, decide what happens to the
|
||
tied-up coins. Details of how buyer, seller, and agent communicate to
|
||
gather signatures or public keys are outside the scope of this BIP.
|
||
|
||
[[specification]]
|
||
Specification
|
||
~~~~~~~~~~~~~
|
||
|
||
A new standard transaction type (scriptPubKey) that is relayed by
|
||
clients and included in mined blocks:
|
||
|
||
` m {pubkey}...{pubkey} n OP_CHECKMULTISIG`
|
||
|
||
But only for n less than or equal to 3.
|
||
|
||
OP_CHECKMULTISIG transactions are redeemed using a standard scriptSig:
|
||
|
||
` OP_0 ...signatures...`
|
||
|
||
(OP_0 is required because of a bug in OP_CHECKMULTISIG; it pops one too
|
||
many items off the execution stack, so a dummy value must be placed on
|
||
the stack).
|
||
|
||
The current Satoshi bitcoin client does not relay or mine transactions
|
||
with scriptSigs larger than 200 bytes; to accomodate 3-signature
|
||
transactions, this will be increased to 500 bytes.
|
||
|
||
[[rationale]]
|
||
Rationale
|
||
~~~~~~~~~
|
||
|
||
OP_CHECKMULTISIG is already an enabled opcode, and is the most
|
||
straightforward way to support several important use cases.
|
||
|
||
One argument against using OP_CHECKMULTISIG is that old clients and
|
||
miners count it as "20 sigops" for purposes of computing how many
|
||
signature operations are in a block, and there is a hard limit of 20,000
|
||
sigops per block-- meaning a maximum of 1,000 multisig transactions per
|
||
block. Creating multisig transactions using multiple OP_CHECKSIG
|
||
operations allows more of them per block.
|
||
|
||
The counter-argument is that these new multi-signature transactions will
|
||
be used in combination with OP_EVAL (see the OP_EVAL BIP), and *will* be
|
||
counted accurately. And in any case, as transaction volume rises the
|
||
hard-coded maximum block size will have to be addressed, and the rules
|
||
for counting number-of-signature-operations-in-a-block can be addressed
|
||
at that time.
|
||
|
||
A weaker argument is OP_CHECKMULTISIG should not be used because it pops
|
||
one too many items off the stack during validation. Adding an extra OP_0
|
||
placeholder to the scriptSig adds only 1 byte to the transaction, and
|
||
any alternative that avoids OP_CHECKMULTISIG adds at least several bytes
|
||
of opcodes.
|
||
|
||
[[implementation]]
|
||
Implementation
|
||
~~~~~~~~~~~~~~
|
||
|
||
OP_CHECKMULTISIG is already supported by old clients and miners as a
|
||
non-standard transaction type.
|
||
|
||
https://github.com/gavinandresen/bitcoin-git/tree/op_eval
|
||
|
||
[[post-history]]
|
||
Post History
|
||
~~~~~~~~~~~~
|
||
|
||
* https://bitcointalk.org/index.php?topic=46538[OP_EVAL proposal]
|
||
|
||
--------------------------------------------------
|
||
BIP: 13
|
||
Title: Address Format for pay-to-script-hash
|
||
Author: Gavin Andresen <gavinandresen@gmail.com>
|
||
Status: Final
|
||
Type: Standards Track
|
||
Created: 2011-10-18
|
||
--------------------------------------------------
|
||
|
||
[[abstract]]
|
||
Abstract
|
||
~~~~~~~~
|
||
|
||
This BIP describes a new type of Bitcoin address to support arbitrarily
|
||
complex transactions. Complexity in this context is defined as what
|
||
information is needed by the recipient to respend the received coins, in
|
||
contrast to needing a single ECDSA private key as in current
|
||
implementations of Bitcoin.
|
||
|
||
In essence, an address encoded under this proposal represents the
|
||
encoded hash of a script, rather than the encoded hash of an ECDSA
|
||
public key.
|
||
|
||
[[motivation]]
|
||
Motivation
|
||
~~~~~~~~~~
|
||
|
||
Enable "end-to-end" secure wallets and payments to fund escrow
|
||
transactions or other complex transactions. Enable third-party wallet
|
||
security services.
|
||
|
||
[[specification]]
|
||
Specification
|
||
~~~~~~~~~~~~~
|
||
|
||
The new bitcoin address type is constructed in the same manner as
|
||
existing bitcoin addresses (see link:Base58Check encoding[Base58Check
|
||
encoding]):
|
||
|
||
` base58-encode: [one-byte version][20-byte hash][4-byte checksum]`
|
||
|
||
Version byte is 5 for a main-network address, 196 for a testnet address.
|
||
The 20-byte hash is the hash of the script that will be used to redeem
|
||
the coins. And the 4-byte checksum is the first four bytes of the double
|
||
SHA256 hash of the version and hash.
|
||
|
||
[[rationale]]
|
||
Rationale
|
||
~~~~~~~~~
|
||
|
||
One criticism is that bitcoin addresses should be deprecated in favor of
|
||
a more user-friendly mechanism for payments, and that this will just
|
||
encourage continued use of a poorly designed mechanism.
|
||
|
||
Another criticism is that bitcoin addresses are inherently insecure
|
||
because there is no identity information tied to them; if you only have
|
||
a bitcoin address, how can you be certain that you're paying who or what
|
||
you think you're paying?
|
||
|
||
Furthermore, truncating SHA256 is not an optimal checksum; there are
|
||
much better error-detecting algorithms. If we are introducing a new form
|
||
of Bitcoin address, then perhaps a better algorithm should be used.
|
||
|
||
This is one piece of the simplest path to a more secure bitcoin
|
||
infrastructure. It is not intended to solve all of bitcoin's usability
|
||
or security issues, but to be an incremental improvement over what
|
||
exists today. A future BIP or BIPs should propose more user-friendly
|
||
mechanisms for making payments, or for verifying that you're sending a
|
||
payment to the Free Software Foundation and not Joe Random Hacker.
|
||
|
||
Assuming that typing in bitcoin addresses manually will become
|
||
increasingly rare in the future, and given that the existing checksum
|
||
method for bitcoin addresses seems to work "well enough" in practice and
|
||
has already been implemented multiple times, the Author believes no
|
||
change to the checksum algorithm is necessary.
|
||
|
||
The leading version bytes are chosen so that, after base58 encoding, the
|
||
leading character is consistent: for the main network, byte 5 becomes
|
||
the character '3'. For the testnet, byte 196 is encoded into '2'.
|
||
|
||
[[backwards-compatibility]]
|
||
Backwards Compatibility
|
||
~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
This proposal is not backwards compatible, but it fails gracefully-- if
|
||
an older implementation is given one of these new bitcoin addresses, it
|
||
will report the address as invalid and will refuse to create a
|
||
transaction.
|
||
|
||
[[reference-implementation]]
|
||
Reference Implementation
|
||
~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
See base58.cpp1/base58.h at https://github.com/bitcoin/bitcoin/src
|
||
|
||
[[see-also]]
|
||
See Also
|
||
~~~~~~~~
|
||
|
||
* link:bip-0012.mediawiki[BIP 12: OP_EVAL, the original P2SH design]
|
||
* link:bip-0016.mediawiki[BIP 16: Pay to Script Hash (aka "/P2SH/")]
|
||
* link:bip-0017.mediawiki[BIP 17: OP_CHECKHASHVERIFY, another P2SH
|
||
design]
|
||
|
||
------------------------------------------------------------
|
||
BIP: 14
|
||
Title: BIP Protocol Version and User Agent
|
||
Author: Amir Taaki <genjix@riseup.net>
|
||
Patrick Strateman <bitcoin-bips@covertinferno.org>
|
||
Status: Accepted
|
||
Type: Standards Track
|
||
Created: 2011-11-10
|
||
Post-History: 2011-11-02
|
||
------------------------------------------------------------
|
||
|
||
In this document, bitcoin will be used to refer to the protocol while
|
||
Satoshi will refer to the current client in order to prevent confusion.
|
||
|
||
[[past-situation]]
|
||
Past Situation
|
||
~~~~~~~~~~~~~~
|
||
|
||
Bitcoin as a protocol began life with the Satoshi client. Now that the
|
||
community is diversifying, a number of alternative clients with their
|
||
own codebases written in a variety of languages (Java, Python,
|
||
Javascript, C++) are rapidly developing their own feature-sets.
|
||
|
||
Embedded in the protocol is a version number. Primarily this version
|
||
number is in the "version" and "getblocks" messages, but is also in the
|
||
"block" message to indicate the software version that created that
|
||
block. Currently this version number is the same version number as that
|
||
of the client. This document is a proposal to separate the protocol
|
||
version from the client version, together with a proposed method to do
|
||
so.
|
||
|
||
[[rationale]]
|
||
Rationale
|
||
~~~~~~~~~
|
||
|
||
With non-separated version numbers, every release of the Satoshi client
|
||
will increase its internal version number. Primarily this holds every
|
||
other client hostage to a game of catch-up with Satoshi version number
|
||
schemes. This plays against the decentralised nature of bitcoin, by
|
||
forcing every software release to remain in step with the release
|
||
schedule of one group of bitcoin developers.
|
||
|
||
Version bumping can also introduce incompatibilities and fracture the
|
||
network. In order that the health of the network is maintained, the
|
||
development of the protocol as a shared common collaborative process
|
||
requires being split off from the implementation of that protocol.
|
||
Neutral third entities to guide the protocol with representatives from
|
||
all groups, present the chance for bitcoin to grow in a positive manner
|
||
with minimal risks.
|
||
|
||
By using a protocol version, we set all implementations on the network
|
||
to a common standard. Everybody is able to agree within their confines
|
||
what is protocol and what is implementation-dependent. A user agent
|
||
string is offered as a 'vanity-plate' for clients to distinguish
|
||
themselves in the network.
|
||
|
||
Separation of the network protocol from the implemention, and forming
|
||
development of said protocol by means of a mutual consensus among
|
||
participants, has the democratic disadvantage when agreement is hard to
|
||
reach on contentious issues. To mitigate this issue, strong
|
||
communication channels and fast release schedules are needed, and are
|
||
outside the scope of this document (concerning a process-BIP type).
|
||
|
||
User agents provide extra tracking information that is useful for
|
||
keeping tabs on network data such as client implementations used or
|
||
common architectures/operating-systems. In the rare case they may even
|
||
provide an emergency method of shunning faulty clients that threaten
|
||
network health- although this is strongly unrecommended and extremely
|
||
bad form. The user agent does not provide a method for clients to work
|
||
around and behave differently to different implementations, as this will
|
||
lead to protocol fracturing.
|
||
|
||
In short:
|
||
|
||
* Protocol version: way to distinguish between nodes and behave
|
||
different accordingly.
|
||
* User agent: simple informational tool. Protocol should not be modified
|
||
depending on user agent.
|
||
|
||
[[browser-user-agents]]
|
||
Browser User-Agents
|
||
~~~~~~~~~~~~~~~~~~~
|
||
|
||
http://tools.ietf.org/html/rfc1945[RFC 1945] vaguely specifies a user
|
||
agent to be a string of the product with optional comments.
|
||
|
||
` Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.6) Gecko/20100127 Gentoo Shiretoko/3.5.6`
|
||
|
||
User agents are most often parsed by computers more than humans. The
|
||
space delimited format, does not provide an easy, fast or efficient way
|
||
for parsing. The data contains no structure indicating hierarchy in this
|
||
placement.
|
||
|
||
The most immediate pieces of information there are the browser product,
|
||
rendering engine and the build (Gentoo Shiretoko) together with version
|
||
number. Various other pieces of information as included as comments such
|
||
as desktop environment, platform, language and revision number of the
|
||
build.
|
||
|
||
[[proposal]]
|
||
Proposal
|
||
~~~~~~~~
|
||
|
||
The version field in "version" and "getblocks" packets will become the
|
||
protocol version number. The version number in the "blocks" reflects the
|
||
protocol version from when that block was created.
|
||
|
||
The currently unused sub_version_num field in "version" packets will
|
||
become the new user-agent string.
|
||
|
||
Bitcoin user agents are a modified browser user agent with more
|
||
structure to aid parsers and provide some coherence. In bitcoin, the
|
||
software usually works like a stack starting from the core code-base up
|
||
to the end graphical interface. Therefore the user agent strings codify
|
||
this relationship.
|
||
|
||
Basic format:
|
||
|
||
` /Name:Version/Name:Version/.../`
|
||
|
||
Example:
|
||
|
||
` /Satoshi:5.64/bitcoin-qt:0.4/` +
|
||
` /Satoshi:5.12/Spesmilo:0.8/`
|
||
|
||
Here bitcoin-qt and Spesmilo may use protocol version 5.0, however the
|
||
internal codebase they use are different versions of the same software.
|
||
The version numbers are not defined to any strict format, although this
|
||
guide recommends:
|
||
|
||
* Version numbers in the form of Major.Minor.Revision (2.6.41)
|
||
* Repository builds using a date in the format of YYYYMMDD (20110128)
|
||
|
||
For git repository builds, implementations are free to use the git
|
||
commitish. However the issue lies in that it is not immediately obvious
|
||
without the repository which version precedes another. For this reason,
|
||
we lightly recommend dates in the format specified above, although this
|
||
is by no means a requirement.
|
||
|
||
Optional -r1, -r2, ... can be appended to user agent version numbers.
|
||
This is another light recommendation, but not a requirement.
|
||
Implementations are free to specify version numbers in whatever format
|
||
needed insofar as it does not include (, ), : or / to interfere with the
|
||
user agent syntax.
|
||
|
||
An optional comments field after the version number is also allowed.
|
||
Comments should be delimited by brackets (...). The contents of comments
|
||
is entirely implementation defined although this BIP recommends the use
|
||
of semi-colons ; as a delimiter between pieces of information.
|
||
|
||
Example:
|
||
|
||
` /BitcoinJ:0.2(iPad; U; CPU OS 3_2_1)/AndroidBuild:0.8/`
|
||
|
||
Reserved symbols are therefore: / : ( )
|
||
|
||
They should not be misused beyond what is specified in this section.
|
||
|
||
* / separates the code-stack
|
||
* ::
|
||
specifies the implementation version of the particular stack
|
||
* ( and ) delimits a comment which optionally separates data using ;
|
||
|
||
[[timeline]]
|
||
Timeline
|
||
~~~~~~~~
|
||
|
||
When this document was published, the bitcoin protocol and Satoshi
|
||
client versions were currently at 0.5 and undergoing changes. In order
|
||
to minimise disruption and allow the undergoing changes to be completed,
|
||
the next protocol version at 0.6 became peeled from the client version
|
||
(also at 0.6). As of that time (January 2012), protocol and
|
||
implementation version numbers are distinct from each other.
|
||
--------------------------------------------------
|
||
--------------------------------------------------
|
||
BIP: 16
|
||
Title: Pay to Script Hash
|
||
Author: Gavin Andresen <gavinandresen@gmail.com>
|
||
Status: Final
|
||
Type: Standards Track
|
||
Created: 2012-01-03
|
||
--------------------------------------------------
|
||
|
||
[[abstract]]
|
||
Abstract
|
||
~~~~~~~~
|
||
|
||
This BIP describes a new "standard" transaction type for the Bitcoin
|
||
scripting system, and defines additional validation rules that apply
|
||
only to the new transactions.
|
||
|
||
[[motivation]]
|
||
Motivation
|
||
~~~~~~~~~~
|
||
|
||
The purpose of pay-to-script-hash is to move the responsibility for
|
||
supplying the conditions to redeem a transaction from the sender of the
|
||
funds to the redeemer.
|
||
|
||
The benefit is allowing a sender to fund any arbitrary transaction, no
|
||
matter how complicated, using a fixed-length 20-byte hash that is short
|
||
enough to scan from a QR code or easily copied and pasted.
|
||
|
||
[[specification]]
|
||
Specification
|
||
~~~~~~~~~~~~~
|
||
|
||
A new standard transaction type that is relayed and included in mined
|
||
blocks is defined:
|
||
|
||
` OP_HASH160 [20-byte-hash-value] OP_EQUAL`
|
||
|
||
[20-byte-hash-value] shall be the push-20-bytes-onto-the-stack opcode
|
||
(0x14) followed by exactly 20 bytes.
|
||
|
||
This new transaction type is redeemed by a standard scriptSig:
|
||
|
||
` ...signatures... {serialized script}`
|
||
|
||
Transactions that redeem these pay-to-script outpoints are only
|
||
considered standard if the _serialized script_ - also referred to as the
|
||
_redeemScript_ - is, itself, one of the other standard transaction
|
||
types.
|
||
|
||
The rules for validating these outpoints when relaying transactions or
|
||
considering them for inclusion in a new block are as follows:
|
||
|
||
1. Validation fails if there are any operations other than "push data"
|
||
operations in the scriptSig.
|
||
2. Normal validation is done: an initial stack is created from the
|
||
signatures and \{serialized script}, and the hash of the script is
|
||
computed and validation fails immediately if it does not match the hash
|
||
in the outpoint.
|
||
3. \{serialized script} is popped off the initial stack, and the
|
||
transaction is validated again using the popped stack and the
|
||
deserialized script as the scriptPubKey.
|
||
|
||
These new rules should only be applied when validating transactions in
|
||
blocks with timestamps >= 1333238400 (Apr 1 2012)
|
||
footnote:[https://github.com/bitcoin/bitcoin/commit/8f188ece3c82c4cf5d52a3363e7643c23169c0ff[Remove
|
||
-bip16 and -paytoscripthashtime command-line arguments]]. There are
|
||
transaction earlier than 13333238400 in the block chain that fail these
|
||
new validation rules.
|
||
footnote:[http://blockexplorer.com/tx/6a26d2ecb67f27d1fa5524763b49029d7106e91e3cc05743073461a719776192[Transaction
|
||
6a26d2ecb67f27d1fa5524763b49029d7106e91e3cc05743073461a719776192]].
|
||
Older transactions must be validated under the old rules. (see the
|
||
Backwards Compatibility section for details).
|
||
|
||
For example, the scriptPubKey and corresponding scriptSig for a
|
||
one-signature-required transaction is:
|
||
|
||
` scriptSig: [signature] {[pubkey] OP_CHECKSIG}` +
|
||
` scriptPubKey: OP_HASH160 [20-byte-hash of {[pubkey] OP_CHECKSIG} ] OP_EQUAL`
|
||
|
||
Signature operations in the \{serialized script} shall contribute to the
|
||
maximum number allowed per block (20,000) as follows:
|
||
|
||
1. OP_CHECKSIG and OP_CHECKSIGVERIFY count as 1 signature operation,
|
||
whether or not they are evaluated.
|
||
2. OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY immediately preceded by
|
||
OP_1 through OP_16 are counted as 1 to 16 signature operation, whether
|
||
or not they are evaluated.
|
||
3. All other OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY are counted as
|
||
20 signature operations.
|
||
|
||
Examples:
|
||
|
||
+3 signature operations:
|
||
|
||
` {2 [pubkey1] [pubkey2] [pubkey3] 3 OP_CHECKMULTISIG}`
|
||
|
||
+22 signature operations
|
||
|
||
` {OP_CHECKSIG OP_IF OP_CHECKSIGVERIFY OP_ELSE OP_CHECKMULTISIGVERIFY OP_ENDIF}`
|
||
|
||
[[rationale]]
|
||
Rationale
|
||
~~~~~~~~~
|
||
|
||
This BIP replaces BIP 12, which proposed a new Script opcode ("OP_EVAL")
|
||
to accomplish everything in this BIP and more.
|
||
|
||
The Motivation for this BIP (and BIP 13, the pay-to-script-hash address
|
||
type) is somewhat controversial; several people feel that it is
|
||
unnecessary, and complex/multisignature transaction types should be
|
||
supported by simply giving the sender the complete \{serialized script}.
|
||
The author believes that this BIP will minimize the changes needed to
|
||
all of the supporting infrastructure that has already been created to
|
||
send funds to a base58-encoded-20-byte bitcoin addresses, allowing
|
||
merchants and exchanges and other software to start supporting
|
||
multisignature transactions sooner.
|
||
|
||
Recognizing one 'special' form of scriptPubKey and performing extra
|
||
validation when it is detected is ugly. However, the consensus is that
|
||
the alternatives are either uglier, are more complex to implement,
|
||
and/or expand the power of the expression language in dangerous ways.
|
||
|
||
The signature operation counting rules are intended to be easy and quick
|
||
to implement by statically scanning the \{serialized script}. Bitcoin
|
||
imposes a maximum-number-of-signature-operations per block to prevent
|
||
denial-of-service attacks on miners. If there was no limit, a rogue
|
||
miner might broadcast a block that required hundreds of thousands of
|
||
ECDSA signature operations to validate, and it might be able to get a
|
||
head start computing the next block while the rest of the network worked
|
||
to validate the current one.
|
||
|
||
There is a 1-confirmation attack on old implementations, but it is
|
||
expensive and difficult in practice. The attack is:
|
||
|
||
1. Attacker creates a pay-to-script-hash transaction that is valid as
|
||
seen by old software, but invalid for new implementation, and sends
|
||
themselves some coins using it.
|
||
2. Attacker also creates a standard transaction that spends the
|
||
pay-to-script transaction, and pays the victim who is running old
|
||
software.
|
||
3. Attacker mines a block that contains both transactions.
|
||
|
||
If the victim accepts the 1-confirmation payment, then the attacker wins
|
||
because both transactions will be invalidated when the rest of the
|
||
network overwrites the attacker's invalid block.
|
||
|
||
The attack is expensive because it requires the attacker create a block
|
||
that they know will be invalidated by the rest of the network. It is
|
||
difficult because creating blocks is difficult and users should not
|
||
accept 1-confirmation transactions for higher-value transactions.
|
||
|
||
[[backwards-compatibility]]
|
||
Backwards Compatibility
|
||
~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
These transactions are non-standard to old implementations, which will
|
||
(typically) not relay them or include them in blocks.
|
||
|
||
Old implementations will validate that the serialize script's hash
|
||
value matches when they validate blocks created by software that fully
|
||
support this BIP, but will do no other validation.
|
||
|
||
Avoiding a block-chain split by malicious pay-to-script transactions
|
||
requires careful handling of one case:
|
||
|
||
* A pay-to-script-hash transaction that is invalid for new
|
||
clients/miners but valid for old clients/miners.
|
||
|
||
To gracefully upgrade and ensure no long-lasting block-chain split
|
||
occurs, more than 50% of miners must support full validation of the new
|
||
transaction type and must switch from the old validation rules to the
|
||
new rules at the same time.
|
||
|
||
To judge whether or not more than 50% of hashing power supports this
|
||
BIP, miners are asked to upgrade their software and put the string
|
||
"/P2SH/" in the input of the coinbase transaction for blocks that they
|
||
create.
|
||
|
||
On February 1, 2012, the block-chain will be examined to determine the
|
||
number of blocks supporting pay-to-script-hash for the previous 7 days.
|
||
If 550 or more contain "/P2SH/" in their coinbase, then all blocks with
|
||
timestamps after 15 Feb 2012, 00:00:00 GMT shall have their
|
||
pay-to-script-hash transactions fully validated. Approximately 1,000
|
||
blocks are created in a week; 550 should, therefore, be approximately
|
||
55% of the network supporting the new feature.
|
||
|
||
If a majority of hashing power does not support the new validation
|
||
rules, then rollout will be postponed (or rejected if it becomes clear
|
||
that a majority will never be achieved).
|
||
|
||
[[byte-limitation-on-serialized-script-size]]
|
||
520-byte limitation on serialized script size
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
As a consequence of the requirement for backwards compatiblity the
|
||
serialized script is itself subject to the same rules as any other
|
||
PUSHDATA operation, including the rule that no data greater than 520
|
||
bytes may be pushed to the stack. Thus is it not possible to spend a
|
||
P2SH output if the redemption script it refers to is >520 bytes in
|
||
length. For instance while the OP_CHECKMULTISIG opcode can itself accept
|
||
up to 20 pubkeys, with 33-byte compressed pubkeys it is only possible to
|
||
spend a P2SH output requiring a maximum of 15 pubkeys to redeem: 3 bytes
|
||
+ 15 pubkeys * 34 bytes/pubkey = 513 bytes.
|
||
|
||
[[reference-implementation]]
|
||
Reference Implementation
|
||
~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
https://gist.github.com/gavinandresen/3966071
|
||
|
||
[[see-also]]
|
||
See Also
|
||
~~~~~~~~
|
||
|
||
* https://bitcointalk.org/index.php?topic=46538
|
||
* The link:bip-0013.mediawiki[Address format for Pay to Script Hash BIP]
|
||
* M-of-N Multisignature Transactions link:bip-0011.mediawiki[BIP 11]
|
||
* link:bip-0016/qa.mediawiki[Quality Assurance test checklist]
|
||
|
||
[[references]]
|
||
References
|
||
~~~~~~~~~~
|
||
|
||
---------------------------------------------------
|
||
BIP: 21
|
||
Title: URI Scheme
|
||
Author: Nils Schneider <nils.schneider@gmail.com>
|
||
Matt Corallo <bip21@bluematt.me>
|
||
Status: Accepted
|
||
Type: Standards Track
|
||
Created: 2012-01-29
|
||
---------------------------------------------------
|
||
|
||
This BIP is a modification of an earlier link:bip-0020.mediawiki[BIP
|
||
0020] by Luke Dashjr. BIP 0020 was based off an earlier document by Nils
|
||
Schneider. The alternative payment amounts in BIP 0020 have been
|
||
removed.
|
||
|
||
[[abstract]]
|
||
Abstract
|
||
~~~~~~~~
|
||
|
||
This BIP proposes a URI scheme for making Bitcoin payments.
|
||
|
||
[[motivation]]
|
||
Motivation
|
||
~~~~~~~~~~
|
||
|
||
The purpose of this URI scheme is to enable users to easily make
|
||
payments by simply clicking links on webpages or scanning QR Codes.
|
||
|
||
[[specification]]
|
||
Specification
|
||
~~~~~~~~~~~~~
|
||
|
||
[[general-rules-for-handling-important]]
|
||
General rules for handling (important!)
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
Bitcoin clients MUST NOT act on URIs without getting the user's
|
||
authorization. They SHOULD require the user to manually approve each
|
||
payment individually, though in some cases they MAY allow the user to
|
||
automatically make this decision.
|
||
|
||
[[operating-system-integration]]
|
||
Operating system integration
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
Graphical bitcoin clients SHOULD register themselves as the handler for
|
||
the "bitcoin:" URI scheme by default, if no other handler is already
|
||
registered. If there is already a registered handler, they MAY prompt
|
||
the user to change it once when they first run the client.
|
||
|
||
[[general-format]]
|
||
General Format
|
||
^^^^^^^^^^^^^^
|
||
|
||
Bitcoin URIs follow the general format for URIs as set forth in RFC
|
||
3986. The path component consists of a bitcoin address, and the query
|
||
component provides additional payment options.
|
||
|
||
Elements of the query component may contain characters outside the valid
|
||
range. These must first be encoded according to UTF-8, and then each
|
||
octet of the corresponding UTF-8 sequence must be percent-encoded as
|
||
described in RFC 3986.
|
||
|
||
[[abnf-grammar]]
|
||
ABNF grammar
|
||
^^^^^^^^^^^^
|
||
|
||
(See also link:#Simpler_syntax[a simpler representation of syntax])
|
||
|
||
`bitcoinurn = "bitcoin:" bitcoinaddress [ "?" bitcoinparams ]` +
|
||
`bitcoinaddress = *base58` +
|
||
`bitcoinparams = bitcoinparam [ "&" bitcoinparams ]` +
|
||
`bitcoinparam = [ amountparam / labelparam / messageparam / otherparam / reqparam ]` +
|
||
`amountparam = "amount=" *digit [ "." *digit ]` +
|
||
`labelparam = "label=" *qchar` +
|
||
`messageparam = "message=" *qchar` +
|
||
`otherparam = qchar *qchar [ "=" *qchar ]` +
|
||
`reqparam = "req-" qchar *qchar [ "=" *qchar ]`
|
||
|
||
Here, "qchar" corresponds to valid characters of an RFC 3986 URI query
|
||
component, excluding the "=" and "&" characters, which this BIP takes as
|
||
separators.
|
||
|
||
The scheme component ("bitcoin:") is case-insensitive, and
|
||
implementations must accept any combination of uppercase and lowercase
|
||
letters. The rest of the URI is case-sensitive, including the query
|
||
parameter keys.
|
||
|
||
[[query-keys]]
|
||
Query Keys
|
||
^^^^^^^^^^
|
||
|
||
* label: Label for that address (e.g. name of receiver)
|
||
* address: bitcoin address
|
||
* message: message that describes the transaction to the user
|
||
(link:#Examples[see examples below])
|
||
* size: amount of base bitcoin units (link:#Transfer_amount/size[see
|
||
below])
|
||
* (others): optional, for future extensions
|
||
|
||
[[transfer-amountsize]]
|
||
Transfer amount/size
|
||
++++++++++++++++++++
|
||
|
||
If an amount is provided, it MUST be specified in decimal BTC. All
|
||
amounts MUST contain no commas and use a period (.) as the separating
|
||
character to separate whole numbers and decimal fractions. I.e.
|
||
amount=50.00 or amount=50 is treated as 50 BTC, and amount=50,000.00 is
|
||
invalid.
|
||
|
||
Bitcoin clients MAY display the amount in any format that is not
|
||
intended to deceive the user. They SHOULD choose a format that is
|
||
foremost least confusing, and only after that most reasonable given the
|
||
amount requested. For example, so long as the majority of users work in
|
||
BTC units, values should always be displayed in BTC by default, even if
|
||
mBTC or TBC would otherwise be a more logical interpretation of the
|
||
amount.
|
||
|
||
[[rationale]]
|
||
Rationale
|
||
~~~~~~~~~
|
||
|
||
[[payment-identifiers-not-person-identifiers]]
|
||
Payment identifiers, not person identifiers
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
Current best practices are that a unique address should be used for
|
||
every transaction. Therefore, a URI scheme should not represent an
|
||
exchange of personal information, but a one-time payment.
|
||
|
||
[[accessibility-uri-scheme-name]]
|
||
Accessibility (URI scheme name)
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
Should someone from the outside happen to see such a URI, the URI scheme
|
||
name already gives a description. A quick search should then do the rest
|
||
to help them find the resources needed to make their payment. Other
|
||
proposed names sound much more cryptic; the chance that someone googles
|
||
that out of curiosity are much slimmer. Also, very likely, what he will
|
||
find are mostly technical specifications - not the best introduction to
|
||
bitcoin.
|
||
|
||
[[forward-compatibility]]
|
||
Forward compatibility
|
||
~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
Variables which are prefixed with a req- are considered required. If a
|
||
client does not implement any variables which are prefixed with req-, it
|
||
MUST consider the entire URI invalid. Any other variables which are not
|
||
implemented, but which are not prefixed with a req-, can be safely
|
||
ignored.
|
||
|
||
[[backward-compatibility]]
|
||
Backward compatibility
|
||
~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
As this BIP is written, several clients already implement a bitcoin: URI
|
||
scheme similar to this one, however usually without the additional
|
||
"req-" prefix requirement. Thus, it is recommended that additional
|
||
variables prefixed with req- not be used in a mission-critical way until
|
||
a grace period of 6 months from the finalization of this BIP has passed
|
||
in order to allow client developers to release new versions, and users
|
||
of old clients to upgrade.
|
||
|
||
[[appendix]]
|
||
Appendix
|
||
~~~~~~~~
|
||
|
||
[[simpler-syntax]]
|
||
Simpler syntax
|
||
^^^^^^^^^^^^^^
|
||
|
||
This section is non-normative and does not cover all possible syntax.
|
||
Please see the BNF grammar above for the normative syntax.
|
||
|
||
[foo] means optional, <bar> are placeholders
|
||
|
||
`bitcoin:<address>[?amount=<amount>][?label=<label>][?message=<message>]`
|
||
|
||
[[examples]]
|
||
Examples
|
||
^^^^^^^^
|
||
|
||
Just the address:
|
||
|
||
bitcoin:175tWpb8K1S7NmH4Zx6rewF9WQrcZv245W[`bitcoin:175tWpb8K1S7NmH4Zx6rewF9WQrcZv245W`]
|
||
|
||
Address with name:
|
||
|
||
bitcoin:175tWpb8K1S7NmH4Zx6rewF9WQrcZv245W?label=Luke-Jr[`bitcoin:175tWpb8K1S7NmH4Zx6rewF9WQrcZv245W?label=Luke-Jr`]
|
||
|
||
Request 20.30 BTC to "Luke-Jr":
|
||
|
||
bitcoin:175tWpb8K1S7NmH4Zx6rewF9WQrcZv245W?amount=20.3&label=Luke-Jr[`bitcoin:175tWpb8K1S7NmH4Zx6rewF9WQrcZv245W?amount=20.3&label=Luke-Jr`]
|
||
|
||
Request 50 BTC with message:
|
||
|
||
bitcoin:175tWpb8K1S7NmH4Zx6rewF9WQrcZv245W?amount=50&label=Luke-Jr&message=Donation%20for%20project%20xyz[`bitcoin:175tWpb8K1S7NmH4Zx6rewF9WQrcZv245W?amount=50&label=Luke-Jr&message=Donation%20for%20project%20xyz`]
|
||
|
||
Some future version that has variables which are (currently) not
|
||
understood and required and thus invalid:
|
||
|
||
bitcoin:175tWpb8K1S7NmH4Zx6rewF9WQrcZv245W?req-somethingyoudontunderstand=50&req-somethingelseyoudontget=999[`bitcoin:175tWpb8K1S7NmH4Zx6rewF9WQrcZv245W?req-somethingyoudontunderstand=50&req-somethingelseyoudontget=999`]
|
||
|
||
Some future version that has variables which are (currently) not
|
||
understood but not required and thus valid:
|
||
|
||
bitcoin:175tWpb8K1S7NmH4Zx6rewF9WQrcZv245W?somethingyoudontunderstand=50&somethingelseyoudontget=999[`bitcoin:175tWpb8K1S7NmH4Zx6rewF9WQrcZv245W?somethingyoudontunderstand=50&somethingelseyoudontget=999`]
|
||
|
||
Characters must be URI encoded properly.
|
||
|
||
[[reference-implementations]]
|
||
Reference Implementations
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
[[bitcoin-clients]]
|
||
Bitcoin clients
|
||
^^^^^^^^^^^^^^^
|
||
|
||
* Bitcoin-Qt supports the old version of Bitcoin URIs (ie without the
|
||
req- prefix), with Windows and KDE integration as of commit
|
||
70f55355e29c8e45b607e782c5d76609d23cc858.
|
||
|
||
---------------------------------------------
|
||
BIP: 22
|
||
Title: getblocktemplate - Fundamentals
|
||
Author: Luke Dashjr <luke+bip22@dashjr.org>
|
||
Status: Accepted
|
||
Type: Standards Track
|
||
Created: 2012-02-28
|
||
---------------------------------------------
|
||
|
||
[[abstract]]
|
||
Abstract
|
||
~~~~~~~~
|
||
|
||
This BIP describes a new JSON-RPC method for "smart" Bitcoin miners and
|
||
proxies. Instead of sending a simple block header for hashing, the
|
||
entire block structure is sent, and left to the miner to (optionally)
|
||
customize and assemble.
|
||
|
||
[[specification]]
|
||
Specification
|
||
~~~~~~~~~~~~~
|
||
|
||
[[block-template-request]]
|
||
Block Template Request
|
||
^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
A JSON-RPC method is defined, called "getblocktemplate". It accepts
|
||
exactly one argument, which MUST be an Object of request parameters. If
|
||
the request parameters include a "mode" key, that is used to explicitly
|
||
select between the default "template" request or a
|
||
link:bip-0023.mediawiki#Block_Proposal["proposal"].
|
||
|
||
Block template creation can be influenced by various parameters:
|
||
|
||
[cols="",options="header",]
|
||
|=======================================================================
|
||
|colspan=4|template request
|
||
|Key |Required |Type |Description
|
||
|capabilities a| |Array of Strings |SHOULD contain a list of the
|
||
following, to indicate client-side support:
|
||
#Optional:_Long_Polling["longpoll"], "coinbasetxn", "coinbasevalue",
|
||
link:bip-0023.mediawiki#Block_Proposal["proposal"],
|
||
link:bip-0023.mediawiki#Logical_Services["serverlist"], "workid", and
|
||
any of the link:bip-0023.mediawiki#Mutations[mutations]
|
||
|
||
|mode a| |String |MUST be "template" or omitted
|
||
|=======================================================================
|
||
|
||
getblocktemplate MUST return a JSON Object containing the following
|
||
keys:
|
||
|
||
[cols="",options="header",]
|
||
|=======================================================================
|
||
|colspan=4| template
|
||
|Key |Required |Type |Description
|
||
|
||
|bits a| |String |the compressed difficulty in hexadecimal
|
||
|
||
|curtime a| |Number |the current time as seen by the server (recommended
|
||
for block time) - note this is not necessarily the system clock, and
|
||
must fall within the mintime/maxtime rules
|
||
|
||
|height a| |Number |the height of the block we are looking for
|
||
|
||
|previousblockhash a| |String |the hash of the previous block, in
|
||
big-endian hexadecimal
|
||
|
||
|sigoplimit a| |Number |number of sigops allowed in blocks
|
||
|
||
|sizelimit a| |Number |number of bytes allowed in blocks
|
||
|
||
|transactions a| |Array of Objects |Objects containing
|
||
link:#Transactions_Object_Format[information for Bitcoin transactions]
|
||
(excluding coinbase)
|
||
|
||
|version a| |Number |always 1 or 2 (at least for bitcoin) - clients MUST
|
||
understand the implications of the version they use (eg, comply with
|
||
link:bip-0034.mediawiki[BIP 0034] for version 2)
|
||
|
||
|coinbaseaux a| |Object |data that SHOULD be included in the coinbase's
|
||
scriptSig content. Only the values (hexadecimal byte-for-byte) in this
|
||
Object should be included, not the keys. This does not include the block
|
||
height, which is required to be included in the scriptSig by
|
||
link:bip-0034.mediawiki[BIP 0034]. It is advisable to encode values
|
||
inside "PUSH" opcodes, so as to not inadvertantly expend SIGOPs (which
|
||
are counted toward limits, despite not being executed).
|
||
|
||
|coinbasetxn a| |Object |link:#Transactions_Object_Format[information
|
||
for coinbase transaction]
|
||
|
||
|coinbasevalue a| |Number |total funds available for the coinbase (in
|
||
Satoshis)
|
||
|
||
|workid a| |String |if provided, this value must be returned with
|
||
results (see link:#Block_Submission[Block Submission])
|
||
|=======================================================================
|
||
|
||
[[transactions-object-format]]
|
||
Transactions Object Format
|
||
++++++++++++++++++++++++++
|
||
|
||
The Objects listed in the response's "transactions" key contains these
|
||
keys:
|
||
|
||
[cols="",options="header",]
|
||
|=======================================================================
|
||
|colspan=3|template "transactions" element
|
||
|Key |Type |Description
|
||
|
||
|data |String |transaction data encoded in hexadecimal (byte-for-byte)
|
||
|
||
|depends |Array of Numbers |other transactions before this one (by
|
||
1-based index in "transactions" list) that must be present in the final
|
||
block if this one is; if key is not present, dependencies are unknown
|
||
and clients MUST NOT assume there aren't any
|
||
|
||
|fee |Number |difference in value between transaction inputs and outputs
|
||
(in Satoshis); for coinbase transactions, this is a negative Number of
|
||
the total collected block fees (ie, not including the block subsidy); if
|
||
key is not present, fee is unknown and clients MUST NOT assume there
|
||
isn't one
|
||
|
||
|hash |String |hash/id encoded in little-endian hexadecimal
|
||
|
||
|required |Boolean |if provided and true, this transaction must be in
|
||
the final block
|
||
|
||
|sigops |Number |total number of SigOps, as counted for purposes of
|
||
block limits; if key is not present, sigop count is unknown and clients
|
||
MUST NOT assume there aren't any
|
||
|=======================================================================
|
||
|
||
Only the "data" key is required, but servers should provide the others
|
||
if they are known.
|
||
|
||
[[block-submission]]
|
||
Block Submission
|
||
^^^^^^^^^^^^^^^^
|
||
|
||
A JSON-RPC method is defined, called "submitblock", to submit potential
|
||
blocks (or shares). It accepts two arguments: the first is always a
|
||
String of the hex-encoded block data to submit; the second is an Object
|
||
of parameters, and is optional if parameters are not needed.
|
||
|
||
[cols="",options="header",]
|
||
|=======================================================================
|
||
|colspan=3|submitblock parameters (2nd argument)
|
||
|Key |Type |Description
|
||
|
||
|workid |String |if the server provided a workid, it MUST be included
|
||
with submissions
|
||
|=======================================================================
|
||
|
||
This method MUST return either null (when a share is accepted), a String
|
||
describing briefly the reason the share was rejected, or an Object of
|
||
these with a key for each merged-mining chain the share was submitted
|
||
to.
|
||
|
||
[[optional-long-polling]]
|
||
Optional: Long Polling
|
||
^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
[cols="",options="header",]
|
||
|=======================================================================
|
||
|template request
|
||
|Key |Type |Description
|
||
|
||
|capabilities |Array of Strings |miners which support long polling
|
||
SHOULD provide a list including the String "longpoll"
|
||
|
||
|longpollid |String |"longpollid" of job to monitor for expiration;
|
||
required and valid only for long poll requests
|
||
|=======================================================================
|
||
|
||
[cols="",options="header",]
|
||
|=======================================================================
|
||
|template
|
||
|Key |Type |Description
|
||
|
||
|longpollid |String |identifier for long poll request; MUST be omitted
|
||
if the server does not support long polling
|
||
|
||
|longpolluri |String |if provided, an alternate URI to use for long poll
|
||
requests
|
||
|
||
|submitold |Boolean |only relevant for long poll responses: indicates if
|
||
work received prior to this response remains potentially valid (default)
|
||
and should have its shares submitted; if false, the miner may wish to
|
||
discard its share queue
|
||
|=======================================================================
|
||
|
||
If the server supports long polling, it MUST include a "longpollid" key
|
||
in block templates, and it MUST be unique for each event: any given
|
||
"longpollid" should check for only one condition and not be reused. For
|
||
example, a server which has a long poll wakeup only for new blocks might
|
||
use the previous block hash. However, clients should not assume the
|
||
"longpollid" has any specific meaning. It MAY supply the "longpolluri"
|
||
key with a relative or absolute URI, which MAY specify a completely
|
||
different resource than the original connection, including port number.
|
||
If "longpolluri" is provided by the server, clients MUST only attempt to
|
||
use that URI for longpoll requests.
|
||
|
||
Clients MAY start a longpoll request with a standard JSON-RPC request
|
||
(in the case of HTTP transport, POST with data) and same authorization,
|
||
setting the "longpollid" parameter in the request to the value provided
|
||
by the server.
|
||
|
||
This request SHOULD NOT be processed nor answered by the server until it
|
||
wishes to replace the current block data as identified by the
|
||
"longpollid". Clients SHOULD make this request with a very long request
|
||
timeout and MUST accept servers sending a partial response in advance
|
||
(such as HTTP headers with "chunked" Transfer-Encoding), and only
|
||
delaying the completion of the final JSON response until processing.
|
||
|
||
Upon receiving a completed response:
|
||
|
||
* Only if "submitold" is provided and false, the client MAY discard the
|
||
results of past operations and MUST begin working on the new work
|
||
immediately.
|
||
* The client SHOULD begin working on the new work received as soon as
|
||
possible, if not immediately.
|
||
* The client SHOULD make a new request to the same long polling URI.
|
||
|
||
If a client receives an incomplete or invalid response, it SHOULD retry
|
||
the request with an exponential backoff. Clients MAY implement this
|
||
backoff with limitations (such as maximum backoff time) or any algorithm
|
||
as deemed suitable. It is, however, forbidden to simply retry
|
||
immediately with no delay after more than one failure. In the case of a
|
||
"Forbidden" response (for example, HTTP 403), a client SHOULD NOT
|
||
attempt to retry without user intervention.
|
||
|
||
[[optional-template-tweaking]]
|
||
Optional: Template Tweaking
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
[cols="",options="header",]
|
||
|=======================================================================
|
||
|template request
|
||
|Key |Type |Description
|
||
|
||
|sigoplimit |Number or Boolean |maximum number of sigops to include in
|
||
template
|
||
|
||
|sizelimit |Number or Boolean |maximum number of bytes to use for the
|
||
entire block
|
||
|
||
|maxversion |Number |highest block version number supported
|
||
|=======================================================================
|
||
|
||
For "sigoplimit" and "sizelimit", negative values and zero are offset
|
||
from the server-determined block maximum. If a Boolean is provided and
|
||
true, the default limit is used; if false, the server is instructed not
|
||
to use any limits on returned template. Servers SHOULD respect these
|
||
desired maximums, but are NOT required to: clients SHOULD check that the
|
||
returned template satisfies their requirements appropriately.
|
||
|
||
[[appendix-example-rejection-reasons]]
|
||
Appendix: Example Rejection Reasons
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
Possible reasons a share may be rejected include, but are not limited
|
||
to:
|
||
|
||
[cols="",options="header",]
|
||
|=======================================================================
|
||
|colspan=2| share rejection reasons
|
||
|Reason |Description
|
||
|
||
|bad-cb-flag |the server detected a feature-signifying flag that it does
|
||
not allow
|
||
|
||
|bad-cb-length |the coinbase was too long (bitcoin limit is 100 bytes)
|
||
|
||
|bad-cb-prefix |the server only allows appending to the coinbase, but it
|
||
was modified beyond that
|
||
|
||
|bad-diffbits |"bits" were changed
|
||
|
||
|bad-prevblk |the previous-block is not the one the server intends to
|
||
build on
|
||
|
||
|bad-txnmrklroot |the block header's merkle root did not match the
|
||
transaction merkle tree
|
||
|
||
|bad-txns |the server didn't like something about the transactions in
|
||
the block
|
||
|
||
|bad-version |the version was wrong
|
||
|
||
|duplicate |the server already processed this block data
|
||
|
||
|high-hash |the block header did not hash to a value lower than the
|
||
specified target
|
||
|
||
|rejected |a generic rejection without details
|
||
|
||
|stale-prevblk |the previous-block is no longer the one the server
|
||
intends to build on
|
||
|
||
|stale-work |the work this block was based on is no longer accepted
|
||
|
||
|time-invalid |the time was not acceptable
|
||
|
||
|time-too-new |the time was too far in the future
|
||
|
||
|time-too-old |the time was too far in the past
|
||
|
||
|unknown-user |the user submitting the block was not recognized
|
||
|
||
|unknown-work |the template or workid could not be identified
|
||
|=======================================================================
|
||
|
||
[[motivation]]
|
||
Motivation
|
||
~~~~~~~~~~
|
||
|
||
bitcoind's JSON-RPC server can no longer support the load of generating
|
||
the work required to productively mine Bitcoin, and external software
|
||
specializing in work generation has become necessary. At the same time,
|
||
new independent node implementations are maturing to the point where
|
||
they will also be able to support miners.
|
||
|
||
A common standard for communicating block construction details is
|
||
necessary to ensure compatibility between the full nodes and work
|
||
generation software.
|
||
|
||
[[rationale]]
|
||
Rationale
|
||
~~~~~~~~~
|
||
|
||
Why not just deal with transactions as hashes (txids)?
|
||
|
||
* Servers might not have access to the transaction database, or miners
|
||
may wish to include transactions not broadcast to the network as a
|
||
whole.
|
||
* Miners may opt not to do full transaction verification, and may not
|
||
have access to the transaction database on their end.
|
||
|
||
What is the purpose of "workid"?
|
||
|
||
* If servers allow all mutations, it may be hard to identify which job
|
||
it is based on. While it may be possible to verify the submission by its
|
||
content, it is much easier to compare it to the job issued. It is very
|
||
easy for the miner to keep track of this. Therefore, using a "workid" is
|
||
a very cheap solution to enable more mutations.
|
||
|
||
Why should "sigops" be provided for transactions?
|
||
|
||
* Due to the link:bip-0016.mediawiki[BIP 0016] changes regarding rules
|
||
on block sigops, it is impossible to count sigops from the transactions
|
||
themselves (the sigops in the scriptCheck must also be included in the
|
||
count).
|
||
|
||
[[reference-implementation]]
|
||
Reference Implementation
|
||
~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
* https://gitorious.org/bitcoin/eloipool[Eloipool (server)]
|
||
* http://gitorious.org/bitcoin/libblkmaker[libblkmaker (client)]
|
||
* https://github.com/bitcoin/bitcoin/pull/936/files[bitcoind (minimal
|
||
server)]
|
||
|
||
[[see-also]]
|
||
See Also
|
||
~~~~~~~~
|
||
|
||
* link:bip-0023.mediawiki[BIP 23: getblocktemplate - Pooled Mining]
|
||
|
||
---------------------------------------------
|
||
BIP: 23
|
||
Title: getblocktemplate - Pooled Mining
|
||
Author: Luke Dashjr <luke+bip22@dashjr.org>
|
||
Status: Accepted
|
||
Type: Standards Track
|
||
Created: 2012-02-28
|
||
---------------------------------------------
|
||
|
||
[[abstract]]
|
||
Abstract
|
||
~~~~~~~~
|
||
|
||
This BIP describes extensions to the getblocktemplate JSON-RPC call to
|
||
enhance pooled mining.
|
||
|
||
[[specification]]
|
||
Specification
|
||
~~~~~~~~~~~~~
|
||
|
||
Note that all sections of this specification are optional extensions on
|
||
top of link:BIP 0022[BIP 22].
|
||
|
||
[[summary-support-levels]]
|
||
Summary Support Levels
|
||
^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
Something can be said to have BIP 23 Level 1 support if it implements at
|
||
least:
|
||
|
||
* http://www.ietf.org/rfc/rfc1945.txt[RFC 1945]
|
||
* http://json-rpc.org/wiki/specification[JSON-RPC 1.0]
|
||
* link:bip-0022.mediawiki[BIP 22 (non-optional sections)]
|
||
* bip-0022.mediawiki#Optional:_Long_Polling[BIP 22 Long Polling]
|
||
* link:#Basic_Pool_Extensions[BIP 23 Basic Pool Extensions]
|
||
* link:#Mutations[BIP 23 Mutation "coinbase/append"]
|
||
* link:#Submission_Abbreviation[BIP 23 Submission Abbreviation
|
||
"submit/coinbase"]
|
||
* link:#Mutations[BIP 23 Mutation "time/increment"] (only required for
|
||
servers)
|
||
|
||
It can be said to have BIP 23 Level 2 support if it also implements:
|
||
|
||
* link:#Mutations[BIP 23 Mutation "transactions/add"]
|
||
* link:#Block_Proposals[BIP 23 Block Proposals]
|
||
|
||
[[basic-pool-extensions]]
|
||
Basic Pool Extensions
|
||
^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
[cols="",options="header",]
|
||
|==================================================================
|
||
|template request
|
||
|Key |Type |Description
|
||
|target |String |desired target for block template (may be ignored)
|
||
|==================================================================
|
||
|
||
[cols="",options="header",]
|
||
|=======================================================================
|
||
|template
|
||
|Key |Type |Description
|
||
|
||
|expires |Number |how many seconds (beginning from when the server sent
|
||
the response) this work is valid for, at most
|
||
|
||
|target |String |the number which valid results must be less than, in
|
||
big-endian hexadecimal
|
||
|=======================================================================
|
||
|
||
[[block-proposal]]
|
||
Block Proposal
|
||
^^^^^^^^^^^^^^
|
||
|
||
Servers may indicate support for proposing blocks by including a
|
||
capability string in their original template:
|
||
|
||
[cols="",options="header",]
|
||
|=======================================================================
|
||
|template
|
||
|Key |Type |Description
|
||
|
||
|capabilities |Array of Strings |MAY contain "proposal" to indicate
|
||
support for block proposal
|
||
|
||
|reject-reason |String |Reason the proposal was invalid as-is (only
|
||
applicable in response to proposals)
|
||
|=======================================================================
|
||
|
||
If supported, a miner MAY propose a block to the server for general
|
||
validation at any point before the job expires. This is accomplished by
|
||
calling getblocktemplate with two keys:
|
||
|
||
[cols="",options="header",]
|
||
|=======================================================================
|
||
|colspan=3| getblocktemplate parameters
|
||
|Key |Type |Description
|
||
|
||
|data |String |MUST be hex-encoded block data
|
||
|
||
|mode |String |MUST be "proposal"
|
||
|
||
|workid |String |if the server provided a workid, it MUST be included
|
||
with proposals
|
||
|=======================================================================
|
||
|
||
The block data MUST be validated and checked against the server's usual
|
||
acceptance rules (excluding the check for a valid proof-of-work). If it
|
||
is found to be in violation of any of these rules, the server MUST
|
||
return one of the following:
|
||
|
||
* Null if it is acceptable as-is, with the same workid (if any) as
|
||
provided. Note that this SHOULD NOT invalidate the old template's claim
|
||
to the same workid.
|
||
* A String giving the reason for the rejection (see
|
||
link:bip-0022.mediawiki#appendix-example-rejection-reasons[example
|
||
rejection reasons]).
|
||
* A "delta" block template (with changes needed); in this case, any
|
||
missing keys are assumed to default to those in the proposed block or,
|
||
if not applicable, the original block template it was based on. This
|
||
template MAY also include a "reject-reason" key with a String of the
|
||
reason for rejection.
|
||
|
||
It is RECOMMENDED that servers which merely need to track the proposed
|
||
block for later share/* submissions, return a simple Object of the form:
|
||
|
||
`{"workid":"new workid"}`
|
||
|
||
Clients SHOULD assume their proposed block will remain valid if the only
|
||
changes they make are to the portion of the coinbase scriptSig they
|
||
themselves provided (if any) and the time header. Servers SHOULD NOT
|
||
break this assumption without good cause.
|
||
|
||
[[mutations]]
|
||
Mutations
|
||
^^^^^^^^^
|
||
|
||
[cols="",options="header",]
|
||
|=======================================================================
|
||
|template request
|
||
|Key |Type |Description
|
||
|
||
|nonces |Number |size of nonce range the miner needs; if not provided,
|
||
the server SHOULD assume the client requires 2^32^
|
||
|=======================================================================
|
||
|
||
[cols="",options="header",]
|
||
|=======================================================================
|
||
|colspan=3| template
|
||
|Key |Type |Description
|
||
|
||
|maxtime |Number |the maximum time allowed
|
||
|
||
|maxtimeoff |Number |the maximum time allowed (as a moving offset from
|
||
"curtime" - every second, the actual maxtime is incremented by 1; for
|
||
example, "maxtimeoff":0 means "time" may be incremented by 1 every
|
||
second)
|
||
|
||
|mintime |Number |the minimum time allowed
|
||
|
||
|mintimeoff |Number |the minimum time allowed (as a moving offset from
|
||
"curtime")
|
||
|
||
|mutable |Array of Strings |different manipulations that the server
|
||
explicitly allows to be made
|
||
|
||
|noncerange |String |two 32-bit integers, concatenated in big-endian
|
||
hexadecimal, which represent the valid ranges of nonces the miner may
|
||
scan
|
||
|=======================================================================
|
||
|
||
If the block template contains a "mutable" key, it is a list of these to
|
||
signify modifications the miner is allowed to make:
|
||
|
||
[cols="",options="header",]
|
||
|=======================================================================
|
||
|colspan=2| mutations
|
||
|Value |Significance
|
||
|
||
|coinbase/append |append the provided coinbase scriptSig
|
||
|
||
|coinbase |provide their own coinbase; if one is provided, it may be
|
||
replaced or modified (implied if "coinbasetxn" omitted)
|
||
|
||
|generation |add or remove outputs from the coinbase/generation
|
||
transaction (implied if "coinbasetxn" omitted)
|
||
|
||
|time/increment |change the time header to a value after "time" (implied
|
||
if "maxtime" or "maxtimeoff" are provided)
|
||
|
||
|time/decrement |change the time header to a value before "time"
|
||
(implied if "mintime" is provided)
|
||
|
||
|time |modify the time header of the block
|
||
|
||
|transactions/add (or "transactions") |add other valid transactions to
|
||
the block (implied if "transactions" omitted from result)
|
||
|
||
|prevblock |use the work with other previous-blocks; this implicitly
|
||
allows removing transactions that are no longer valid (but clients
|
||
SHOULD attempt to propose removal of any required transactions); it also
|
||
implies adjusting "height" as necessary
|
||
|
||
|version/force |encode the provide block version, even if the miner
|
||
doesn't understand it
|
||
|
||
|version/reduce |use an older block version than the one provided (for
|
||
example, if the client does not support the version provided)
|
||
|=======================================================================
|
||
|
||
[[submission-abbreviation]]
|
||
Submission Abbreviation
|
||
^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
[cols="",options="header",]
|
||
|=======================================================================
|
||
|colspan=3| template
|
||
|Key |Type |Description
|
||
|
||
|fulltarget |String |the number which full results should be less than,
|
||
in big-endian hexadecimal (see "share/*" mutations)
|
||
|
||
|mutable |Array of Strings |different manipulations that the server
|
||
explicitly allows to be made, including abbreviations
|
||
|=======================================================================
|
||
|
||
If the block template contains a "mutable" key, it is a list of these to
|
||
signify modifications the miner is allowed to make:
|
||
|
||
[cols="",options="header",]
|
||
|=======================================================================
|
||
|colspan=2| abbreviation mutations
|
||
|Value |Significance
|
||
|
||
|submit/hash |each transaction being sent in a request, that the client
|
||
is certain the server knows about, may be replaced by its hash in
|
||
little-endian hexadecimal, prepended by a ":" character
|
||
|
||
|submit/coinbase |if the "transactions" provided by the server are used
|
||
as-is with no changes, submissions may omit transactions after the
|
||
coinbase (transaction count varint remains included with the full number
|
||
of transactions)
|
||
|
||
|submit/truncate |if the "coinbasetxn" and "transactions" provided by
|
||
the server are used as-is with no changes, submissions may contain only
|
||
the block header; if only the scriptSig of "coinbasetxn" is modified,
|
||
the params Object MUST contain a "coinbasesig" key with the content, or
|
||
a "coinbaseadd" with appended data (if only appending)
|
||
|
||
|share/coinbase |same as "submit/coinbase", but only if the block hash
|
||
is greater than "fulltarget"
|
||
|
||
|share/merkle |if the block hash is greater than "fulltarget", the
|
||
non-coinbase transactions may be replaced with a merkle chain connecting
|
||
it to the root
|
||
|
||
|share/truncate |same as "submit/truncate", but only if the block hash
|
||
is greater than "fulltarget"
|
||
|=======================================================================
|
||
|
||
[[format-of-data-for-merkle-only-shares]]
|
||
Format of Data for Merkle-Only Shares
|
||
+++++++++++++++++++++++++++++++++++++
|
||
|
||
The format used for submitting shares with the "share/merkle" mutation
|
||
shall be the 80-byte block header, the total number of transactions
|
||
encoded in Bitcoin variable length number format, the coinbase
|
||
transaction, and then finally the little-endian SHA256 hashes of each
|
||
link in the merkle chain connecting it to the merkle root.
|
||
|
||
[[logical-services]]
|
||
Logical Services
|
||
^^^^^^^^^^^^^^^^
|
||
|
||
[cols="",options="header",]
|
||
|=======================================================================
|
||
|template request
|
||
|Key |Type |Description
|
||
|
||
|capabilities |Array of Strings |miners which support this SHOULD
|
||
provide a list including the String "serverlist"
|
||
|=======================================================================
|
||
|
||
[cols="",options="header",]
|
||
|=======================================================================
|
||
|colspan=3| template
|
||
|Key |Type |Description
|
||
|
||
|serverlist |Array of Objects |list of servers in this single logical
|
||
service
|
||
|=======================================================================
|
||
|
||
If the "serverlist" parameter is provided, clients MAY choose to
|
||
intelligently treat the server as part of a larger single logical
|
||
service.
|
||
|
||
Each host Object in the Array is comprised of the following fields:
|
||
|
||
[cols="",options="header",]
|
||
|=======================================================================
|
||
|colspan=3| serverlist element
|
||
|Key |Type |Description
|
||
|
||
|uri |String |URI of the individual server; if authentication
|
||
information is omitted, the same authentication used for this request
|
||
MUST be assumed
|
||
|
||
|avoid |Number |number of seconds to avoid using this server
|
||
|
||
|priority |Number |an integer priority of this host (default: 0)
|
||
|
||
|sticky |Number |number of seconds to stick to this server when used
|
||
|
||
|update |Boolean |whether this server may update the serverlist
|
||
(default: true)
|
||
|
||
|weight |Number |a relative weight for hosts with the same priority
|
||
(default: 1)
|
||
|=======================================================================
|
||
|
||
When choosing which actual server to get the next job from, URIs MUST be
|
||
tried in order of their "priority" key, lowest Number first. Where the
|
||
priority of URIs is the same, they should be chosen from in random
|
||
order, weighed by their "weight" key. Work proposals and submissions
|
||
MUST be made to the same server that issued the job. Clients MAY attempt
|
||
to submit to other servers if, and only if, the original server cannot
|
||
be reached. If cross-server share submissions are desired, services
|
||
SHOULD instead use the equivalent domain name system (DNS) features
|
||
(RFCs http://tools.ietf.org/html/rfc1794[1794] and
|
||
http://tools.ietf.org/html/rfc2782[2782]).
|
||
|
||
Updates to the Logical Service server list may only be made by the
|
||
original server, or servers listed with the "update" key missing or
|
||
true. Clients MAY choose to advertise serverlist capability to servers
|
||
with a false "update" key, but if so, MUST treat the server list
|
||
provided as a subset of the current one, only considered in the context
|
||
of this server. At least one server with "update" privilege MUST be
|
||
attempted at least once daily.
|
||
|
||
If the "sticky" key is provided, then when that server is used, it
|
||
should be used consistently for at least that many seconds, if possible.
|
||
|
||
A permanent change in server URI MAY be indicated with a simple
|
||
"serverlist" parameter:
|
||
|
||
`"serverlist":[{"uri": "`http://newserver[`http://newserver`]`"}]`
|
||
|
||
A temporary delegation to another server for 5 minutes MAY be indicated
|
||
likewise:
|
||
|
||
`"serverlist":[{"uri": "", avoid: 300}, {"uri": "`http://newserver[`http://newserver`]`", "update": false}]`
|
||
|
||
[[motivation]]
|
||
Motivation
|
||
~~~~~~~~~~
|
||
|
||
There is reasonable concerns about mining currently being too
|
||
centralized on pools, and the amount of control these pools hold. By
|
||
exposing the details of the block proposals to the miners, they are
|
||
enabled to audit and possibly modify the block before hashing it.
|
||
|
||
To encourage widespread adoption, this BIP should be a complete superset
|
||
of the existing centralized getwork protocol, so pools are not required
|
||
to make substantial changes to adopt it.
|
||
|
||
[[rationale]]
|
||
Rationale
|
||
~~~~~~~~~
|
||
|
||
Why allow servers to restrict the complete coinbase and nonce range?
|
||
|
||
* This is necessary to provide a complete superset of JSON-RPC getwork
|
||
functionality, so that pools may opt to enable auditing without
|
||
significantly changing or increasing the complexity of their share
|
||
validation or mining policies.
|
||
* Since noncerange is optional (both for getwork and this BIP), neither
|
||
clients nor servers are required to support it.
|
||
|
||
Why specify "time/*" mutations at all?
|
||
|
||
* In most cases, these are implied by the
|
||
mintime/mintimecur/maxtime/maxtimecur keys, but there may be cases that
|
||
there are no applicable minimums/maximums.
|
||
|
||
What is the purpose of the "prevblock" mutation?
|
||
|
||
* There are often cases where a miner has processed a new block before
|
||
the server. If the server allows "prevblock" mutation, the miner may
|
||
begin mining on the new block immediately, without waiting for a new
|
||
template.
|
||
|
||
Why must both "mintime"/"maxtime" and "mintimeoff"/"maxtimeoff" keys be
|
||
defined?
|
||
|
||
* In some cases, the limits may be unrelated to the current time (such
|
||
as the Bitcoin network itself; the minimum is always a fixed median
|
||
time)
|
||
* In other cases, the limits may be bounded by other rules (many pools
|
||
limit the time header to within 5 minutes of when the share is submitted
|
||
to them).
|
||
|
||
Is "target" really needed?
|
||
|
||
* Some pools work with lower targets, and should not be expected to
|
||
waste bandwidth ignoring shares that don't meet it.
|
||
* Required to be a proper superset of getwork.
|
||
* As mining hashrates grow, some miners may need the ability to request
|
||
a lower target from their pools to be able to manage their bandwidth
|
||
use.
|
||
|
||
What is the purpose of the "hash" transaction list format?
|
||
|
||
* Non-mining tools may wish to simply get a list of memory pool
|
||
transactions.
|
||
* Humans may wish to view their current memory pool.
|
||
|
||
[[reference-implementation]]
|
||
Reference Implementation
|
||
~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
* http://gitorious.org/bitcoin/libblkmaker[libblkmaker]
|
||
* https://gitorious.org/bitcoin/eloipool[Eloipool]
|
||
* https://github.com/bitcoin/bitcoin/pull/936/files[bitcoind]
|
||
|
||
[[see-also]]
|
||
See Also
|
||
~~~~~~~~
|
||
|
||
* link:bip-0022.mediawiki[BIP 22: getblocktemplate - Fundamentals]
|
||
|
||
-------------------------------------------------
|
||
BIP: 30
|
||
Title: Duplicate transactions
|
||
Author: Pieter Wuille <pieter.wuille@gmail.com>
|
||
Status: Final
|
||
Type: Standards Track
|
||
Created: 2012-02-22
|
||
-------------------------------------------------
|
||
|
||
[[abstract]]
|
||
Abstract
|
||
~~~~~~~~
|
||
|
||
This document gives a specification for dealing with duplicate
|
||
transactions in the block chain, in an attempt to solve certain problems
|
||
the reference implementations has with them.
|
||
|
||
[[motivation]]
|
||
Motivation
|
||
~~~~~~~~~~
|
||
|
||
So far, the Bitcoin reference implementation always assumed duplicate
|
||
transactions (transactions with the same identifier) didn't exist. This
|
||
is not true; in particular coinbases are easy to duplicate, and by
|
||
building on duplicate coinbases, duplicate normal transactions are
|
||
possible as well. Recently, an attack that exploits the reference
|
||
implementation's dealing with duplicate transactions was described and
|
||
demonstrated. It allows reverting fully-confirmed transactions to a
|
||
single confirmation, making them vulnerable to become unspendable
|
||
entirely. Another attack is possible that allows forking the block chain
|
||
for a subset of the network.
|
||
|
||
[[specification]]
|
||
Specification
|
||
~~~~~~~~~~~~~
|
||
|
||
To counter this problem, the following network rule is introduced:
|
||
|
||
* Blocks are not allowed to contain a transaction whose identifier
|
||
matches that of an earlier, not-fully-spent transaction in the same
|
||
chain.
|
||
|
||
This rule initially applied to all blocks whose timestamp is after March
|
||
15, 2012, 00:00 UTC (testnet: February 20, 2012 00:00 UTC). It was later
|
||
extended by Commit
|
||
https://github.com/bitcoin/bitcoin/commit/ab91bf39b7c11e9c86bb2043c24f0f377f1cf514[Apply
|
||
BIP30 checks to all blocks except the two historic violations.] to apply
|
||
to all blocks except the two historic blocks at heights 91842 and 91880
|
||
on the main chain that had to be grandfathered in.
|
||
|
||
[[rationale]]
|
||
Rationale
|
||
~~~~~~~~~
|
||
|
||
Whatever solution is used, the following law must be obeyed to guarantee
|
||
sane behaviour: the set of usable transactions outputs must not be
|
||
modified by adding blocks to the chain and removing them again. This
|
||
happens during a reorganisation, and the current Bitcoin reference
|
||
implementation does not obey this law in case the temporarily added
|
||
blocks contain a duplicate transaction.
|
||
|
||
There are several potential solutions to this problem:
|
||
|
||
1. Guarantee that all coinbases are unique, making duplicate
|
||
transactions very hard to create.
|
||
2. Remember previous remaining outputs of a given transaction
|
||
identifier, in case a new transaction with the same identifier is added.
|
||
3. Only allow duplicate transactions in case the previous instance of
|
||
the transaction had no spendable outputs left. Removing a block from the
|
||
chain can then safely reset the removed transaction's outputs to
|
||
nothing.
|
||
|
||
The first option is probably the most complete one, as it also
|
||
guarantees transaction identifiers are unique. However, implementing it
|
||
requires several changes that need to be accepted throughout the
|
||
network. Furthermore, it does not prevent duplicate transactions based
|
||
on earlier duplicate coinbases. The second option is impossible to
|
||
implement in a forward-compatible way, as it potentially renders
|
||
currently-invalid blocks valid. In this document we choose for the third
|
||
option, because it only requires a trivial change.
|
||
|
||
Fully-spent transactions are allowed to be duplicated in order not to
|
||
hinder pruning at some point in the future. Not allowing any transaction
|
||
to be duplicated would require evidence to be kept for each transaction
|
||
ever made.
|
||
|
||
[[backward-compatibility]]
|
||
Backward compatibility
|
||
~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
The addition of this rule only makes some previously-valid blocks
|
||
invalid. This implies that if the rule is implemented by a supermajority
|
||
of miners, it is not possible to fork the block chain in a permanent way
|
||
between nodes with and without the new rule.
|
||
|
||
[[implementation]]
|
||
Implementation
|
||
~~~~~~~~~~~~~~
|
||
|
||
A patch for the reference client can be found on
|
||
https://github.com/sipa/bitcoin/tree/nooverwritetx
|
||
|
||
This BIP was implemented in Commit
|
||
https://github.com/bitcoin/bitcoin/commit/a206b0ea12eb4606b93323268fc81a4f1f952531[Do
|
||
not allow overwriting unspent transactions (BIP 30)] There have been
|
||
additional commits to refine the implementation of this BIP.
|
||
|
||
[[acknowledgements]]
|
||
Acknowledgements
|
||
~~~~~~~~~~~~~~~~
|
||
|
||
Thanks to Russell O'Connor for finding and demonstrating this problem,
|
||
and helping test the patch.
|
||
RECENT CHANGES:
|
||
|
||
* (16 Apr 2013) Added private derivation for i ≥ 0x80000000 (less risk
|
||
of parent private key leakage)
|
||
* (30 Apr 2013) Switched from multiplication by I~L~ to addition of I~L~
|
||
(faster, easier implementation)
|
||
* (25 May 2013) Added test vectors
|
||
* (15 Jan 2014) Rename keys with index ≥ 0x8000000 to hardened keys, and
|
||
add explicit conversion functions.
|
||
|
||
-------------------------------------------
|
||
BIP: 32
|
||
Title: Hierarchical Deterministic Wallets
|
||
Author: Pieter Wuille
|
||
Status: Accepted
|
||
Type: Informational
|
||
Created: 2012-02-11
|
||
-------------------------------------------
|
||
|
||
[[abstract]]
|
||
Abstract
|
||
~~~~~~~~
|
||
|
||
This document describes hierarchical determinstic wallets (or "HD
|
||
Wallets"): wallets which can be shared partially or entirely with
|
||
different systems, each with or without the ability to spend coins.
|
||
|
||
The specification is intended to set a standard for deterministic
|
||
wallets that can be interchanged between different clients. Although the
|
||
wallets described here have many features, not all are required by
|
||
supporting clients.
|
||
|
||
The specification consists of two parts. In a first part, a system for
|
||
deriving a tree of keypairs from a single seed is presented. The second
|
||
part demonstrates how to build a wallet structure on top of such a tree.
|
||
|
||
[[motivation]]
|
||
Motivation
|
||
~~~~~~~~~~
|
||
|
||
The Bitcoin reference client uses randomly generated keys. In order to
|
||
avoid the necessity for a backup after every transaction, (by default)
|
||
100 keys are cached in a pool of reserve keys. Still, these wallets are
|
||
not intended to be shared and used on several systems simultaneously.
|
||
They support hiding their private keys by using the wallet encrypt
|
||
feature and not sharing the password, but such "neutered" wallets lose
|
||
the power to generate public keys as well.
|
||
|
||
Deterministic wallets do not require such frequent backups, and elliptic
|
||
curve mathematics permit schemes where one can calculate the public keys
|
||
without revealing the private keys. This permits for example a webshop
|
||
business to let its webserver generate fresh addresses (public key
|
||
hashes) for each order or for each customer, without giving the
|
||
webserver access to the corresponding private keys (which are required
|
||
for spending the received funds).
|
||
|
||
However, deterministic wallets typically consist of a single "chain" of
|
||
keypairs. The fact that there is only one chain means that sharing a
|
||
wallet happens on an all-or-nothing basis. However, in some cases one
|
||
only wants some (public) keys to be shared and recoverable. In the
|
||
example of a webshop, the webserver does not need access to all public
|
||
keys of the merchant's wallet; only to those addresses which are used to
|
||
receive customer's payments, and not for example the change addresses
|
||
that are generated when the merchant spends money. Hierarchical
|
||
deterministic wallets allow such selective sharing by supporting
|
||
multiple keypair chains, derived from a single root.
|
||
|
||
[[specification-key-derivation]]
|
||
Specification: Key derivation
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
[[conventions]]
|
||
Conventions
|
||
^^^^^^^^^^^
|
||
|
||
In the rest of this text we will assume the public key cryptography used
|
||
in Bitcoin, namely elliptic curve cryptography using the field and curve
|
||
parameters defined by secp256k1
|
||
(http://www.secg.org/index.php?action=secg,docs_secg). Variables below
|
||
are either:
|
||
|
||
* Integers modulo the order of the curve (referred to as n).
|
||
* Coordinates of points on the curve.
|
||
* Byte sequences.
|
||
|
||
Addition (+) of two coordinate pair is defined as application of the EC
|
||
group operation. Concatenation (||) is the operation of appending one
|
||
byte sequence onto another.
|
||
|
||
As standard conversion functions, we assume:
|
||
|
||
* point(p): returns the coordinate pair resulting from EC point
|
||
multiplication (repeated application of the EC group operation) of the
|
||
secp256k1 base point with the integer p.
|
||
* ser~32~(i): serialize a 32-bit unsigned integer i as a 4-byte
|
||
sequence, most significant byte first.
|
||
* ser~256~(p): serializes the integer p as a 32-byte sequence, most
|
||
significant byte first.
|
||
* ser~P~(P): serializes the coordinate pair P = (x,y) as a byte sequence
|
||
using SEC1's compressed form: (0x02 or 0x03) || ser~256~(x), where the
|
||
header byte depends on the parity of the omitted y coordinate.
|
||
* parse~256~(p): interprets a 32-byte sequence as a 256-bit number, most
|
||
significant byte first.
|
||
|
||
[[extended-keys]]
|
||
Extended keys
|
||
^^^^^^^^^^^^^
|
||
|
||
In what follows, we will define a function that derives a number of
|
||
child keys from a parent key. In order to prevent these from depending
|
||
solely on the key itself, we extend both private and public keys first
|
||
with an extra 256 bits of entropy. This extension, called the chain
|
||
code, is identical for corresponding private and public keys, and
|
||
consists of 32 bytes.
|
||
|
||
We represent an extended private key as (k, c), with k the normal
|
||
private key, and c the chain code. An extended public key is represented
|
||
as (K, c), with K = point(k) and c the chain code.
|
||
|
||
Each extended key has 2^31^ normal child keys, and 2^31^ hardened child
|
||
keys. Each of these child keys has an index. The normal child keys use
|
||
indices 0 through 2^31^-1. The hardened child keys use indices 2^31^
|
||
through 2^32^-1. To ease notation for hardened key indices, a number
|
||
i~H~ represents i+2^31^.
|
||
|
||
[[child-key-derivation-ckd-functions]]
|
||
Child key derivation (CKD) functions
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
Given a parent extended key and an index i, it is possible to compute
|
||
the corresponding child extended key. The algorithm to do so depends on
|
||
whether the child is a hardened key or not (or, equivalently, whether i
|
||
≥ 2^31^), and whether we're talking about private or public keys.
|
||
|
||
[[private-parent-key-private-child-key]]
|
||
Private parent key → private child key
|
||
++++++++++++++++++++++++++++++++++++++
|
||
|
||
The function CKDpriv((k~par~, c~par~), i) → (k~i~, c~i~) computes a
|
||
child extended private key from the parent extended private key:
|
||
|
||
* Check whether i ≥ 2^31^ (whether the child is a hardened key).
|
||
** If so (hardened child): let I = HMAC-SHA512(Key = c~par~, Data = 0x00
|
||
|| ser~256~(k~par~) || ser~32~(i)). (Note: The 0x00 pads the private key
|
||
to make it 33 bytes long.)
|
||
** If not (normal child): let I = HMAC-SHA512(Key = c~par~, Data =
|
||
ser~P~(point(k~par~)) || ser~32~(i)).
|
||
* Split I into two 32-byte sequences, I~L~ and I~R~.
|
||
* The returned child key k~i~ is parse~256~(I~L~) + k~par~ (mod n).
|
||
* The returned chain code c~i~ is I~R~.
|
||
* In case parse~256~(I~L~) ≥ n or k~i~ = 0, the resulting key is
|
||
invalid, and one should proceed with the next value for i. (Note: this
|
||
has probability lower than 1 in 2^127^.)
|
||
|
||
The HMAC-SHA512 function is specified in
|
||
http://tools.ietf.org/html/rfc4231[RFC 4231].
|
||
|
||
[[public-parent-key-public-child-key]]
|
||
Public parent key → public child key
|
||
++++++++++++++++++++++++++++++++++++
|
||
|
||
The function CKDpub((K~par~, c~par~), i) → (K~i~, c~i~) computes a child
|
||
extended public key from the parent extended public key. It is only
|
||
defined for non-hardened child keys.
|
||
|
||
* Check whether i ≥ 2^31^ (whether the child is a hardened key).
|
||
** If so (hardened child): return failure
|
||
** If not (normal child): let I = HMAC-SHA512(Key = c~par~, Data =
|
||
ser~P~(K~par~) || ser~32~(i)).
|
||
* Split I into two 32-byte sequences, I~L~ and I~R~.
|
||
* The returned child key K~i~ is point(parse~256~(I~L~)) + K~par~.
|
||
* The returned chain code c~i~ is I~R~.
|
||
* In case parse~256~(I~L~) ≥ n or K~i~ is the point at infinity, the
|
||
resulting key is invalid, and one should proceed with the next value for
|
||
i.
|
||
|
||
[[private-parent-key-public-child-key]]
|
||
Private parent key → public child key
|
||
+++++++++++++++++++++++++++++++++++++
|
||
|
||
The function N((k, c)) → (K, c) computes the extended public key
|
||
corresponding to an extended private key (the "neutered" version, as it
|
||
removes the ability to sign transactions).
|
||
|
||
* The returned key K is point(k).
|
||
* The returned chain code c is just the passed chain code.
|
||
|
||
To compute the public child key of a parent private key:
|
||
|
||
* N(CKDpriv((k~par~, c~par~), i)) (works always).
|
||
* CKDpub(N(k~par~, c~par~), i) (works only for non-hardened child keys).
|
||
|
||
The fact that they are equivalent is what makes non-hardened keys useful
|
||
(one can derive child public keys of a given parent key without knowing
|
||
any private key), and also what distinguishes them from hardened keys.
|
||
The reason for not always using non-hardened keys (which are more
|
||
useful) is security; see further for more information.
|
||
|
||
[[public-parent-key-private-child-key]]
|
||
Public parent key → private child key
|
||
+++++++++++++++++++++++++++++++++++++
|
||
|
||
This is not possible.
|
||
|
||
[[the-key-tree]]
|
||
The key tree
|
||
^^^^^^^^^^^^
|
||
|
||
The next step is cascading several CKD constructions to build a tree. We
|
||
start with one root, the master extended key m. By evaluating
|
||
CKDpriv(m,i) for several values of i, we get a number of level-1 derived
|
||
nodes. As each of these is again an extended key, CKDpriv can be applied
|
||
to those as well.
|
||
|
||
To shorten notation, we will write CKDpriv(CKDpriv(CKDpriv(m,3~H~),2),5)
|
||
as m/3~H~/2/5. Equivalently for public keys, we write
|
||
CKDpub(CKDpub(CKDpub(M,3),2,5) as M/3/2/5. This results in the following
|
||
identities:
|
||
|
||
* N(m/a/b/c) = N(m/a/b)/c = N(m/a)/b/c = N(m)/a/b/c = M/a/b/c.
|
||
* N(m/a~H~/b/c) = N(m/a~H~/b)/c = N(m/a~H~)/b/c.
|
||
|
||
However, N(m/a~H~) cannot be rewritten as N(m)/a~H~, as the latter is
|
||
not possible.
|
||
|
||
Each leaf node in the tree corresponds to an actual key, while the
|
||
internal nodes correspond to the collections of keys that descend from
|
||
them. The chain codes of the leaf nodes are ignored, and only their
|
||
embedded private or public key is relevant. Because of this
|
||
construction, knowing an extended private key allows reconstruction of
|
||
all descendant private keys and public keys, and knowing an extended
|
||
public keys allows reconstruction of all descendant non-hardened public
|
||
keys.
|
||
|
||
[[key-identifiers]]
|
||
Key identifiers
|
||
^^^^^^^^^^^^^^^
|
||
|
||
Extended keys can be identified by the Hash160 (RIPEMD160 after SHA256)
|
||
of the serialized public key, ignoring the chain code. This corresponds
|
||
exactly to the data used in traditional Bitcoin addresses. It is not
|
||
advised to represent this data in base58 format though, as it may be
|
||
interpreted as an address that way (and wallet software is not required
|
||
to accept payment to the chain key itself).
|
||
|
||
The first 32 bits of the identifier are called the key fingerprint.
|
||
|
||
[[serialization-format]]
|
||
Serialization format
|
||
^^^^^^^^^^^^^^^^^^^^
|
||
|
||
Extended public and private keys are serialized as follows:
|
||
|
||
* 4 byte: version bytes (mainnet: 0x0488B21E public, 0x0488ADE4 private;
|
||
testnet: 0x043587CF public, 0x04358394 private)
|
||
* 1 byte: depth: 0x00 for master nodes, 0x01 for level-1 derived keys,
|
||
....
|
||
* 4 bytes: the fingerprint of the parent's key (0x00000000 if master
|
||
key)
|
||
* 4 bytes: child number. This is ser~32~(i) for i in x~i~ = x~par~/i,
|
||
with x~i~ the key being serialized. (0x00000000 if master key)
|
||
* 32 bytes: the chain code
|
||
* 33 bytes: the public key or private key data (ser~P~(K) for public
|
||
keys, 0x00 || ser~256~(k) for private keys)
|
||
|
||
This 78 byte structure can be encoded like other Bitcoin data in Base58,
|
||
by first adding 32 checksum bits (derived from the double SHA-256
|
||
checksum), and then converting to the Base58 representation. This
|
||
results in a Base58-encoded string of up to 112 characters. Because of
|
||
the choice of the version bytes, the Base58 representation will start
|
||
with "xprv" or "xpub" on mainnet, "tprv" or "tpub" on testnet.
|
||
|
||
Note that the fingerprint of the parent only serves as a fast way to
|
||
detect parent and child nodes in software, and software must be willing
|
||
to deal with collisions. Internally, the full 160-bit identifier could
|
||
be used.
|
||
|
||
When importing a serialized extended public key, implementations must
|
||
verify whether the X coordinate in the public key data corresponds to a
|
||
point on the curve. If not, the extended public key is invalid.
|
||
|
||
[[master-key-generation]]
|
||
Master key generation
|
||
^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
The total number of possible extended keypairs is almost 2^512^, but the
|
||
produced keys are only 256 bits long, and offer about half of that in
|
||
terms of security. Therefore, master keys are not generated directly,
|
||
but instead from a potentially short seed value.
|
||
|
||
* Generate a seed byte sequence S of a chosen length (between 128 and
|
||
512 bits; 256 bits is advised) from a (P)RNG.
|
||
* Calculate I = HMAC-SHA512(Key = "Bitcoin seed", Data = S)
|
||
* Split I into two 32-byte sequences, I~L~ and I~R~.
|
||
* Use parse~256~(I~L~) as master secret key, and I~R~ as master chain
|
||
code.
|
||
|
||
In case I~L~ is 0 or ≥n, the master key is invalid.
|
||
|
||
[[specification-wallet-structure]]
|
||
Specification: Wallet structure
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
The previous sections specified key trees and their nodes. The next step
|
||
is imposing a wallet structure on this tree. The layout defined in this
|
||
section is a default only, though clients are encouraged to mimick it
|
||
for compatibility, even if not all features are supported.
|
||
|
||
[[the-default-wallet-layout]]
|
||
The default wallet layout
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
An HDW is organized as several 'accounts'. Accounts are numbered, the
|
||
default account ("") being number 0. Clients are not required to support
|
||
more than one account - if not, they only use the default account.
|
||
|
||
Each account is composed of two keypair chains: an internal and an
|
||
external one. The external keychain is used to generate new public
|
||
addresses, while the internal keychain is used for all other operations
|
||
(change addresses, generation addresses, ..., anything that doesn't need
|
||
to be communicated). Clients that do not support separate keychains for
|
||
these should use the external one for everything.
|
||
|
||
* m/i~H~/0/k corresponds to the k'th keypair of the external chain of
|
||
account number i of the HDW derived from master m.
|
||
* m/i~H~/1/k corresponds to the k'th keypair of the internal chain of
|
||
account number i of the HDW derived from master m.
|
||
|
||
[[use-cases]]
|
||
Use cases
|
||
^^^^^^^^^
|
||
|
||
[[full-wallet-sharing-m]]
|
||
Full wallet sharing: m
|
||
++++++++++++++++++++++
|
||
|
||
In cases where two systems need to access a single shared wallet, and
|
||
both need to be able to perform spendings, one needs to share the master
|
||
private extended key. Nodes can keep a pool of N look-ahead keys cached
|
||
for external chains, to watch for incoming payments. The look-ahead for
|
||
internal chains can be very small, as no gaps are to be expected here.
|
||
An extra look-ahead could be active for the first unused account's
|
||
chains - triggering the creation of a new account when used. Note that
|
||
the name of the account will still need to be entered manually and
|
||
cannot be synchronized via the block chain.
|
||
|
||
[[audits-nm]]
|
||
Audits: N(m/*)
|
||
++++++++++++++
|
||
|
||
In case an auditor needs full access to the list of incoming and
|
||
outgoing payments, one can share all account public extended keys. This
|
||
will allow the auditor to see all transactions from and to the wallet,
|
||
in all accounts, but not a single secret key.
|
||
|
||
[[per-office-balances-mih]]
|
||
Per-office balances: m/i~H~
|
||
+++++++++++++++++++++++++++
|
||
|
||
When a business has several independent offices, they can all use
|
||
wallets derived from a single master. This will allow the headquarters
|
||
to maintain a super-wallet that sees all incoming and outgoing
|
||
transactions of all offices, and even permit moving money between the
|
||
offices.
|
||
|
||
[[recurrent-business-to-business-transactions-nmih0]]
|
||
Recurrent business-to-business transactions: N(m/i~H~/0)
|
||
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||
|
||
In case two business partners often transfer money, one can use the
|
||
extended public key for the external chain of a specific account (M/i
|
||
h/0) as a sort of "super address", allowing frequent transactions that
|
||
cannot (easily) be associated, but without needing to request a new
|
||
address for each payment. Such a mechanism could also be used by mining
|
||
pool operators as variable payout address.
|
||
|
||
[[unsecure-money-receiver-nmih0]]
|
||
Unsecure money receiver: N(m/i~H~/0)
|
||
++++++++++++++++++++++++++++++++++++
|
||
|
||
When an unsecure webserver is used to run an e-commerce site, it needs
|
||
to know public addresses that are used to receive payments. The
|
||
webserver only needs to know the public extended key of the external
|
||
chain of a single account. This means someone illegally obtaining access
|
||
to the webserver can at most see all incoming payments, but will not
|
||
(trivially) be able to distinguish outgoing transactions, nor see
|
||
payments received by other webservers if there are several ones.
|
||
|
||
[[compatibility]]
|
||
Compatibility
|
||
~~~~~~~~~~~~~
|
||
|
||
To comply with this standard, a client must at least be able to import
|
||
an extended public or private key, to give access to its direct
|
||
descendants as wallet keys. The wallet structure
|
||
(master/account/chain/subchain) presented in the second part of the
|
||
specification is advisory only, but is suggested as a minimal structure
|
||
for easy compatibility - even when no separate accounts or distinction
|
||
between internal and external chains is made. However, implementations
|
||
may deviate from it for specific needs; more complex applications may
|
||
call for a more complex tree structure.
|
||
|
||
[[security]]
|
||
Security
|
||
~~~~~~~~
|
||
|
||
In addition to the expectations from the EC public-key cryptography
|
||
itself:
|
||
|
||
* Given a public key K, an attacker cannot find the corresponding
|
||
private key more efficiently than by solving the EC discrete logarithm
|
||
problem (assumed to require 2^128^ group operations).
|
||
|
||
the intended security properties of this standard are:
|
||
|
||
* Given a child extended private key (k~i~,c~i~) and the integer i, an
|
||
attacker cannot find the parent private key k~par~ more efficiently than
|
||
a 2^256^ brute force of HMAC-SHA512.
|
||
* Given any number (2 ≤ N ≤ 2^32^-1) of (index, extended private key)
|
||
tuples (i~j~,(k~i~j~~,c~i~j~~)), with distinct i~j~'s, determining
|
||
whether they are derived from a common parent extended private key
|
||
(i.e., whether there exists a (k~par~,c~par~) such that for each j in
|
||
(0..N-1) CKDpriv((k~par~,c~par~),i~j~)=(k~i~j~~,c~i~j~~)), cannot be
|
||
done more efficiently than a 2^256^ brute force of HMAC-SHA512.
|
||
|
||
Note however that the following properties does not exist:
|
||
|
||
* Given a parent extended public key (K~par~,c~par~) and a child public
|
||
key (K~i~), it is hard to find i.
|
||
* Given a parent extended public key (K~par~,c~par~) and a non-hardened
|
||
child private key (k~i~), it is hard to find k~par~.
|
||
|
||
[[implications]]
|
||
Implications
|
||
^^^^^^^^^^^^
|
||
|
||
Private and public keys must be kept safe as usual. Leaking a private
|
||
key means access to coins - leaking a public key can mean loss of
|
||
privacy.
|
||
|
||
Somewhat more care must be taken regarding extended keys, as these
|
||
correspond to an entire (sub)tree of keys.
|
||
|
||
One weakness that may not be immediately obvious, is that knowledge of
|
||
the extended public key + any non-hardened private key descending from
|
||
it is equivalent to knowing the extended private key (and thus every
|
||
private and public key descending from it). This means that extended
|
||
public keys must be treated more carefully than regular public keys. It
|
||
is also the reason for the existence of hardened keys, and why they are
|
||
used for the account level in the tree. This way, a leak of
|
||
account-specific (or below) private key never risks compromising the
|
||
master or other accounts.
|
||
|
||
[[test-vectors]]
|
||
Test Vectors
|
||
~~~~~~~~~~~~
|
||
|
||
[[test-vector-1]]
|
||
Test vector 1
|
||
^^^^^^^^^^^^^
|
||
|
||
Master (hex): 000102030405060708090a0b0c0d0e0f
|
||
|
||
* Chain m
|
||
** ext pub:
|
||
xpub661MyMwAqRbcFtXgS5sYJABqqG9YLmC4Q1Rdap9gSE8NqtwybGhePY2gZ29ESFjqJoCu1Rupje8YtGqsefD265TMg7usUDFdp6W1EGMcet8
|
||
** ext prv:
|
||
xprv9s21ZrQH143K3QTDL4LXw2F7HEK3wJUD2nW2nRk4stbPy6cq3jPPqjiChkVvvNKmPGJxWUtg6LnF5kejMRNNU3TGtRBeJgk33yuGBxrMPHi
|
||
* Chain m/0~H~
|
||
** ext pub:
|
||
xpub68Gmy5EdvgibQVfPdqkBBCHxA5htiqg55crXYuXoQRKfDBFA1WEjWgP6LHhwBZeNK1VTsfTFUHCdrfp1bgwQ9xv5ski8PX9rL2dZXvgGDnw
|
||
** ext prv:
|
||
xprv9uHRZZhk6KAJC1avXpDAp4MDc3sQKNxDiPvvkX8Br5ngLNv1TxvUxt4cV1rGL5hj6KCesnDYUhd7oWgT11eZG7XnxHrnYeSvkzY7d2bhkJ7
|
||
* Chain m/0~H~/1
|
||
** ext pub:
|
||
xpub6ASuArnXKPbfEwhqN6e3mwBcDTgzisQN1wXN9BJcM47sSikHjJf3UFHKkNAWbWMiGj7Wf5uMash7SyYq527Hqck2AxYysAA7xmALppuCkwQ
|
||
** ext prv:
|
||
xprv9wTYmMFdV23N2TdNG573QoEsfRrWKQgWeibmLntzniatZvR9BmLnvSxqu53Kw1UmYPxLgboyZQaXwTCg8MSY3H2EU4pWcQDnRnrVA1xe8fs
|
||
* Chain m/0~H~/1/2~H~
|
||
** ext pub:
|
||
xpub6D4BDPcP2GT577Vvch3R8wDkScZWzQzMMUm3PWbmWvVJrZwQY4VUNgqFJPMM3No2dFDFGTsxxpG5uJh7n7epu4trkrX7x7DogT5Uv6fcLW5
|
||
** ext prv:
|
||
xprv9z4pot5VBttmtdRTWfWQmoH1taj2axGVzFqSb8C9xaxKymcFzXBDptWmT7FwuEzG3ryjH4ktypQSAewRiNMjANTtpgP4mLTj34bhnZX7UiM
|
||
* Chain m/0~H~/1/2~H~/2
|
||
** ext pub:
|
||
xpub6FHa3pjLCk84BayeJxFW2SP4XRrFd1JYnxeLeU8EqN3vDfZmbqBqaGJAyiLjTAwm6ZLRQUMv1ZACTj37sR62cfN7fe5JnJ7dh8zL4fiyLHV
|
||
** ext prv:
|
||
xprvA2JDeKCSNNZky6uBCviVfJSKyQ1mDYahRjijr5idH2WwLsEd4Hsb2Tyh8RfQMuPh7f7RtyzTtdrbdqqsunu5Mm3wDvUAKRHSC34sJ7in334
|
||
* Chain m/0~H~/1/2~H~/2/1000000000
|
||
** ext pub:
|
||
xpub6H1LXWLaKsWFhvm6RVpEL9P4KfRZSW7abD2ttkWP3SSQvnyA8FSVqNTEcYFgJS2UaFcxupHiYkro49S8yGasTvXEYBVPamhGW6cFJodrTHy
|
||
** ext prv:
|
||
xprvA41z7zogVVwxVSgdKUHDy1SKmdb533PjDz7J6N6mV6uS3ze1ai8FHa8kmHScGpWmj4WggLyQjgPie1rFSruoUihUZREPSL39UNdE3BBDu76
|
||
|
||
[[test-vector-2]]
|
||
Test vector 2
|
||
^^^^^^^^^^^^^
|
||
|
||
Master (hex):
|
||
fffcf9f6f3f0edeae7e4e1dedbd8d5d2cfccc9c6c3c0bdbab7b4b1aeaba8a5a29f9c999693908d8a8784817e7b7875726f6c696663605d5a5754514e4b484542
|
||
|
||
* Chain m
|
||
** ext pub:
|
||
xpub661MyMwAqRbcFW31YEwpkMuc5THy2PSt5bDMsktWQcFF8syAmRUapSCGu8ED9W6oDMSgv6Zz8idoc4a6mr8BDzTJY47LJhkJ8UB7WEGuduB
|
||
** ext prv:
|
||
xprv9s21ZrQH143K31xYSDQpPDxsXRTUcvj2iNHm5NUtrGiGG5e2DtALGdso3pGz6ssrdK4PFmM8NSpSBHNqPqm55Qn3LqFtT2emdEXVYsCzC2U
|
||
* Chain m/0
|
||
** ext pub:
|
||
xpub69H7F5d8KSRgmmdJg2KhpAK8SR3DjMwAdkxj3ZuxV27CprR9LgpeyGmXUbC6wb7ERfvrnKZjXoUmmDznezpbZb7ap6r1D3tgFxHmwMkQTPH
|
||
** ext prv:
|
||
xprv9vHkqa6EV4sPZHYqZznhT2NPtPCjKuDKGY38FBWLvgaDx45zo9WQRUT3dKYnjwih2yJD9mkrocEZXo1ex8G81dwSM1fwqWpWkeS3v86pgKt
|
||
* Chain m/0/2147483647~H~
|
||
** ext pub:
|
||
xpub6ASAVgeehLbnwdqV6UKMHVzgqAG8Gr6riv3Fxxpj8ksbH9ebxaEyBLZ85ySDhKiLDBrQSARLq1uNRts8RuJiHjaDMBU4Zn9h8LZNnBC5y4a
|
||
** ext prv:
|
||
xprv9wSp6B7kry3Vj9m1zSnLvN3xH8RdsPP1Mh7fAaR7aRLcQMKTR2vidYEeEg2mUCTAwCd6vnxVrcjfy2kRgVsFawNzmjuHc2YmYRmagcEPdU9
|
||
* Chain m/0/2147483647~H~/1
|
||
** ext pub:
|
||
xpub6DF8uhdarytz3FWdA8TvFSvvAh8dP3283MY7p2V4SeE2wyWmG5mg5EwVvmdMVCQcoNJxGoWaU9DCWh89LojfZ537wTfunKau47EL2dhHKon
|
||
** ext prv:
|
||
xprv9zFnWC6h2cLgpmSA46vutJzBcfJ8yaJGg8cX1e5StJh45BBciYTRXSd25UEPVuesF9yog62tGAQtHjXajPPdbRCHuWS6T8XA2ECKADdw4Ef
|
||
* Chain m/0/2147483647~H~/1/2147483646~H~
|
||
** ext pub:
|
||
xpub6ERApfZwUNrhLCkDtcHTcxd75RbzS1ed54G1LkBUHQVHQKqhMkhgbmJbZRkrgZw4koxb5JaHWkY4ALHY2grBGRjaDMzQLcgJvLJuZZvRcEL
|
||
** ext prv:
|
||
xprvA1RpRA33e1JQ7ifknakTFpgNXPmW2YvmhqLQYMmrj4xJXXWYpDPS3xz7iAxn8L39njGVyuoseXzU6rcxFLJ8HFsTjSyQbLYnMpCqE2VbFWc
|
||
* Chain m/0/2147483647~H~/1/2147483646~H~/2
|
||
** ext pub:
|
||
xpub6FnCn6nSzZAw5Tw7cgR9bi15UV96gLZhjDstkXXxvCLsUXBGXPdSnLFbdpq8p9HmGsApME5hQTZ3emM2rnY5agb9rXpVGyy3bdW6EEgAtqt
|
||
** ext prv:
|
||
xprvA2nrNbFZABcdryreWet9Ea4LvTJcGsqrMzxHx98MMrotbir7yrKCEXw7nadnHM8Dq38EGfSh6dqA9QWTyefMLEcBYJUuekgW4BYPJcr9E7j
|
||
|
||
[[implementations]]
|
||
Implementations
|
||
~~~~~~~~~~~~~~~
|
||
|
||
Two Python implementations exist:
|
||
|
||
PyCoin (https://github.com/richardkiss/pycoin) is a suite of utilities
|
||
for dealing with Bitcoin that includes BIP0032 wallet features.
|
||
BIP32Utils (https://github.com/jmcorgan/bip32utils) is a library and
|
||
command line interface specifically focused on BIP0032 wallets and
|
||
scripting.
|
||
|
||
A Java implementation is available at
|
||
https://github.com/bitsofproof/supernode/blob/1.1/api/src/main/java/com/bitsofproof/supernode/api/ExtendedKey.java
|
||
|
||
A C++ implementation is available at
|
||
https://github.com/CodeShark/CoinClasses/tree/master/tests/hdwallets
|
||
|
||
An Objective-C implementation is available at
|
||
https://github.com/oleganza/CoreBitcoin/blob/master/CoreBitcoin/BTCKeychain.h
|
||
|
||
A Ruby implementation is available at https://github.com/wink/money-tree
|
||
|
||
A Go implementation is available at
|
||
https://github.com/WeMeetAgain/go-hdwallet
|
||
|
||
A JavaScript implementation is available at
|
||
https://github.com/sarchar/brainwallet.github.com/tree/bip32
|
||
|
||
A PHP implemetation is available at
|
||
https://github.com/Bit-Wasp/bitcoin-lib-php
|
||
|
||
A C# implementation is available at
|
||
https://github.com/NicolasDorier/NBitcoin (ExtKey, ExtPubKey)
|
||
|
||
[[acknowledgements]]
|
||
Acknowledgements
|
||
~~~~~~~~~~~~~~~~
|
||
|
||
* Gregory Maxwell for the original idea of type-2 deterministic wallets,
|
||
and many discussions about it.
|
||
* Alan Reiner for the implementation of this scheme in Armory, and the
|
||
suggestions that followed from that.
|
||
* Mike Caldwell for the version bytes to obtain human-recognizable
|
||
Base58 strings.
|
||
|
||
--------------------------------------------------
|
||
BIP: 34
|
||
Title: Block v2, Height in Coinbase
|
||
Author: Gavin Andresen <gavinandresen@gmail.com>
|
||
Status: Accepted
|
||
Type: Standards Track
|
||
Created: 2012-07-06
|
||
--------------------------------------------------
|
||
|
||
[[abstract]]
|
||
Abstract
|
||
~~~~~~~~
|
||
|
||
Bitcoin blocks and transactions are versioned binary structures. Both
|
||
currently use version 1. This BIP introduces an upgrade path for
|
||
versioned transactions and blocks. A unique value is added to newly
|
||
produced coinbase transactions, and blocks are updated to version 2.
|
||
|
||
[[motivation]]
|
||
Motivation
|
||
~~~~~~~~~~
|
||
|
||
1. Clarify and exercise the mechanism whereby the bitcoin network
|
||
collectively consents to upgrade transaction or block binary structures,
|
||
rules and behaviors.
|
||
2. Enforce block and transaction uniqueness, and assist unconnected
|
||
block validation.
|
||
|
||
[[specification]]
|
||
Specification
|
||
~~~~~~~~~~~~~
|
||
|
||
1. Treat transactions with a version greater than 1 as non-standard
|
||
(official Satoshi client will not mine or relay them).
|
||
2. Add height as the first item in the coinbase transaction's
|
||
scriptSig, and increase block version to 2. The format of the height is
|
||
"serialized CScript" -- first byte is number of bytes in the number
|
||
(will be 0x03 on main net for the next 300 or so years), following bytes
|
||
are little-endian representation of the number. Height is the height of
|
||
the mined block in the block chain, where the genesis block is height
|
||
zero (0).
|
||
3. 75% rule: If 750 of the last 1,000 blocks are version 2 or greater,
|
||
reject invalid version 2 blocks. (testnet3: 51 of last 100)
|
||
4. 95% rule ("Point of no return"): If 950 of the last 1,000 blocks are
|
||
version 2 or greater, reject all version 1 blocks. (testnet3: 75 of last
|
||
100)
|
||
|
||
[[backward-compatibility]]
|
||
Backward compatibility
|
||
~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
All older clients are compatible with this change. Users and merchants
|
||
should not be impacted. Miners are strongly recommended to upgrade to
|
||
version 2 blocks. Once 95% of the miners have upgraded to version 2, the
|
||
remainder will be orphaned if they fail to upgrade.
|
||
|
||
[[implementation]]
|
||
Implementation
|
||
~~~~~~~~~~~~~~
|
||
|
||
https://github.com/bitcoin/bitcoin/pull/1526
|
||
-------------------------------------------
|
||
BIP: 35
|
||
Title: mempool message
|
||
Author: Jeff Garzik <jgarzik@exmulti.com>
|
||
Status: Accepted
|
||
Type: Standards Track
|
||
Created: 2012-08-16
|
||
-------------------------------------------
|
||
|
||
[[abstract]]
|
||
Abstract
|
||
~~~~~~~~
|
||
|
||
Make a network node's transaction memory pool accessible via a new
|
||
"mempool" message. Extend the existing "getdata" message behavior to
|
||
permit accessing the transaction memory pool.
|
||
|
||
[[motivation]]
|
||
Motivation
|
||
~~~~~~~~~~
|
||
|
||
Several use cases make it desireable to expose a network node's
|
||
transaction memory pool:
|
||
|
||
1. SPV clients, wishing to obtain zero-confirmation transactions sent
|
||
or received.
|
||
2. Miners, to avoid missing lucrative fees, downloading existing
|
||
network transactions after a restart.
|
||
3. Remote network diagnostics.
|
||
|
||
[[specification]]
|
||
Specification
|
||
~~~~~~~~~~~~~
|
||
|
||
1. The mempool message is defined as an empty message where pchCommand
|
||
== "mempool"
|
||
2. Upon receipt of a "mempool" message, the node will respond with an
|
||
"inv" message containing MSG_TX hashes of all the transactions in the
|
||
node's transaction memory pool, if any.
|
||
3. The typical node behavior in response to an "inv" is "getdata".
|
||
However, the reference Satoshi implementation ignores requests for
|
||
transaction hashes outside that which is recently relayed. To support
|
||
"mempool", an implementation must extend its "getdata" message support
|
||
to querying the memory pool.
|
||
4. Feature discovery is enabled by checking two "version" message
|
||
attributes:
|
||
1. Protocol version >= 60002
|
||
2. NODE_NETWORK bit set in nServices
|
||
|
||
Note that existing implementations drop "inv" messages with a vector
|
||
size > 50000.
|
||
|
||
[[backward-compatibility]]
|
||
Backward compatibility
|
||
~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
Older clients remain 100% compatible and interoperable after this
|
||
change.
|
||
|
||
[[implementation]]
|
||
Implementation
|
||
~~~~~~~~~~~~~~
|
||
|
||
https://github.com/bitcoin/bitcoin/pull/1641
|
||
-----------------------------------------------------------------------
|
||
BIP: 37
|
||
Title: Connection Bloom filtering
|
||
Author: Mike Hearn <hearn@google.com>, Matt Corallo <bip@bluematt.me>
|
||
Status: Accepted
|
||
Type: Standards Track
|
||
Created: 2012-10-24
|
||
-----------------------------------------------------------------------
|
||
|
||
[[abstract]]
|
||
Abstract
|
||
~~~~~~~~
|
||
|
||
This BIP adds new support to the peer-to-peer protocol that allows peers
|
||
to reduce the amount of transaction data they are sent. Peers have the
|
||
option of setting _filters_ on each connection they make after the
|
||
version handshake has completed. A filter is defined as a
|
||
http://en.wikipedia.org/wiki/Bloom_filter[Bloom filter] on data derived
|
||
from transactions. A Bloom filter is a probabilistic data structure
|
||
which allows for testing set membership - they can have false positives
|
||
but not false negatives.
|
||
|
||
This document will not go into the details of how Bloom filters work and
|
||
the reader is referred to Wikipedia for an introduction to the topic.
|
||
|
||
[[motivation]]
|
||
Motivation
|
||
~~~~~~~~~~
|
||
|
||
As Bitcoin grows in usage the amount of bandwidth needed to download
|
||
blocks and transaction broadcasts increases. Clients implementing
|
||
_simplified payment verification_ do not attempt to fully verify the
|
||
block chain, instead just checking that block headers connect together
|
||
correctly and trusting that the transactions in a chain of high
|
||
difficulty are in fact valid. See the Bitcoin paper for more detail on
|
||
this mode.
|
||
|
||
Today, link:Simplified_Payment_Verification[SPV] clients have to
|
||
download the entire contents of blocks and all broadcast transactions,
|
||
only to throw away the vast majority of the transactions that are not
|
||
relevant to their wallets. This slows down their synchronization
|
||
process, wastes users bandwidth (which on phones is often metered) and
|
||
increases memory usage. All three problems are triggering real user
|
||
complaints for the Android "Bitcoin Wallet" app which implements SPV
|
||
mode. In order to make chain synchronization fast, cheap and able to run
|
||
on older phones with limited memory we want to have remote peers throw
|
||
away irrelevant transactions before sending them across the network.
|
||
|
||
[[design-rationale]]
|
||
Design rationale
|
||
~~~~~~~~~~~~~~~~
|
||
|
||
The most obvious way to implement the stated goal would be for clients
|
||
to upload lists of their keys to the remote node. We take a more complex
|
||
approach for the following reasons:
|
||
|
||
* Privacy: Because Bloom filters are probabilistic, with the false
|
||
positive rate chosen by the client, nodes can trade off precision vs
|
||
bandwidth usage. A node with access to lots of bandwidth may choose to
|
||
have a high FP rate, meaning the remote peer cannot accurately know
|
||
which transactions belong to the client and which don't. A node with
|
||
very little bandwidth may choose to use a very accurate filter meaning
|
||
that they only get sent transactions actually relevant to their wallet,
|
||
but remote peers may be able to correlate transactions with IP addresses
|
||
(and each other).
|
||
* Bloom filters are compact and testing membership in them is fast. This
|
||
results in satisfying performance characteristics with minimal risk of
|
||
opening up potential for DoS attacks.
|
||
|
||
[[specification]]
|
||
Specification
|
||
~~~~~~~~~~~~~
|
||
|
||
[[new-messages]]
|
||
New messages
|
||
^^^^^^^^^^^^
|
||
|
||
We start by adding three new messages to the protocol:
|
||
|
||
* `filterload`, which sets the current Bloom filter on the connection
|
||
* `filteradd`, which adds the given data element to the connections
|
||
current filter without requiring a completely new one to be set
|
||
* `filterclear`, which deletes the current filter and goes back to
|
||
regular pre-BIP37 usage.
|
||
|
||
Note that there is no filterremove command because by their nature,
|
||
Bloom filters are append-only data structures. Once an element is added
|
||
it cannot be removed again without rebuilding the entire structure from
|
||
scratch.
|
||
|
||
The `filterload` command is defined as follows:
|
||
|
||
[cols=",,,",options="header",]
|
||
|=======================================================================
|
||
|Field Size |Description |Data type |Comments
|
||
|? |filter |uint8_t[] |The filter itself is simply a bit field of
|
||
arbitrary byte-aligned size. The maximum size is 36,000 bytes.
|
||
|
||
|4 |nHashFuncs |uint32_t |The number of hash functions to use in this
|
||
filter. The maximum value allowed in this field is 50.
|
||
|
||
|4 |nTweak |uint32_t |A random value to add to the seed value in the
|
||
hash function used by the bloom filter.
|
||
|
||
|1 |nFlags |uint8_t |A set of flags that control how matched items are
|
||
added to the filter.
|
||
|=======================================================================
|
||
|
||
See below for a description of the Bloom filter algorithm and how to
|
||
select nHashFuncs and filter size for a desired false positive rate.
|
||
|
||
Upon receiving a `filterload` command, the remote peer will immediately
|
||
restrict the broadcast transactions it announces (in inv packets) to
|
||
transactions matching the filter, where the matching algorithm is
|
||
specified below. The flags control the update behaviour of the matching
|
||
algorithm.
|
||
|
||
The `filteradd` command is defined as follows:
|
||
|
||
[cols=",,,",options="header",]
|
||
|==================================================================
|
||
|Field Size |Description |Data type |Comments
|
||
|? |data |uint8_t[] |The data element to add to the current filter.
|
||
|==================================================================
|
||
|
||
The data field must be smaller than or equal to 520 bytes in size (the
|
||
maximum size of any potentially matched object).
|
||
|
||
The given data element will be added to the Bloom filter. A filter must
|
||
have been previously provided using `filterload`. This command is useful
|
||
if a new key or script is added to a clients wallet whilst it has
|
||
connections to the network open, it avoids the need to re-calculate and
|
||
send an entirely new filter to every peer (though doing so is usually
|
||
advisable to maintain anonymity).
|
||
|
||
The `filterclear` command has no arguments at all.
|
||
|
||
After a filter has been set, nodes don't merely stop announcing
|
||
non-matching transactions, they can also serve filtered blocks. A
|
||
filtered block is defined by the `merkleblock` message and is defined
|
||
like this:
|
||
|
||
[cols=",,,",options="header",]
|
||
|=======================================================================
|
||
|Field Size |Description |Data type |Comments
|
||
|4 |version |uint32_t |Block version information, based upon the
|
||
software version creating this block
|
||
|
||
|32 |prev_block |char[32] |The hash value of the previous block this
|
||
particular block references
|
||
|
||
|32 |merkle_root |char[32] |The reference to a Merkle tree collection
|
||
which is a hash of all transactions related to this block
|
||
|
||
|4 |timestamp |uint32_t |A timestamp recording when this block was
|
||
created (Limited to 2106!)
|
||
|
||
|4 |bits |uint32_t |The calculated difficulty target being used for this
|
||
block
|
||
|
||
|4 |nonce |uint32_t |The nonce used to generate this block… to allow
|
||
variations of the header and compute different hashes
|
||
|
||
|4 |total_transactions |uint32_t |Number of transactions in the block
|
||
(including unmatched ones)
|
||
|
||
|? |hashes |uint256[] |hashes in depth-first order (including standard
|
||
varint size prefix)
|
||
|
||
|? |flags |byte[] |flag bits, packed per 8 in a byte, least significant
|
||
bit first (including standard varint size prefix)
|
||
|=======================================================================
|
||
|
||
See below for the format of the partial merkle tree hashes and flags.
|
||
|
||
Thus, a `merkleblock` message is a block header, plus a part of a merkle
|
||
tree which can be used to extract identifying information for
|
||
transactions that matched the filter and prove that the matching
|
||
transaction data really did appear in the solved block. Clients can use
|
||
this data to be sure that the remote node is not feeding them fake
|
||
transactions that never appeared in a real block, although lying through
|
||
omission is still possible.
|
||
|
||
[[extensions-to-existing-messages]]
|
||
Extensions to existing messages
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
The `version` command is extended with a new field:
|
||
|
||
[cols=",,,",options="header",]
|
||
|=======================================================================
|
||
|Field Size |Description |Data type |Comments
|
||
|1 byte |fRelay |bool |If false then broadcast transactions will not be
|
||
announced until a filter\{load,add,clear} command is received. If
|
||
missing or true, no change in protocol behaviour occurs.
|
||
|=======================================================================
|
||
|
||
SPV clients that wish to use Bloom filtering would normally set fRelay
|
||
to false in the version message, then set a filter based on their wallet
|
||
(or a subset of it, if they are overlapping different peers). Being able
|
||
to opt-out of inv messages until the filter is set prevents a client
|
||
being flooded with traffic in the brief window of time between finishing
|
||
version handshaking and setting the filter.
|
||
|
||
The `getdata` command is extended to allow a new type in the `inv`
|
||
submessage. The type field can now be `MSG_FILTERED_BLOCK (== 3)` rather
|
||
than `MSG_BLOCK`. If no filter has been set on the connection, a request
|
||
for filtered blocks is ignored. If a filter has been set, a
|
||
`merkleblock` message is returned for the requested block hash. In
|
||
addition, because a `merkleblock` message contains only a list of
|
||
transaction hashes, transactions matching the filter should also be sent
|
||
in separate tx messages after the merkleblock is sent. This avoids a
|
||
slow roundtrip that would otherwise be required (receive hashes, didn't
|
||
see some of these transactions yet, ask for them). Note that because
|
||
there is currently no way to request transactions which are already in a
|
||
block from a node (aside from requesting the full block), the set of
|
||
matching transactions that the requesting node hasn't either received or
|
||
announced with an inv must be sent and any additional transactions which
|
||
match the filter may also be sent. This allows for clients (such as the
|
||
reference client) to limit the number of invs it must remember a given
|
||
node to have announced while still providing nodes with, at a minimum,
|
||
all the transactions it needs.
|
||
|
||
[[filter-matching-algorithm]]
|
||
Filter matching algorithm
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
The filter can be tested against arbitrary pieces of data, to see if
|
||
that data was inserted by the client. Therefore the question arises of
|
||
what pieces of data should be inserted/tested.
|
||
|
||
To determine if a transaction matches the filter, the following
|
||
algorithm is used. Once a match is found the algorithm aborts.
|
||
|
||
1. Test the hash of the transaction itself.
|
||
2. For each output, test each data element of the output script. This
|
||
means each hash and key in the output script is tested independently.
|
||
*Important:* if an output matches whilst testing a transaction, the node
|
||
might need to update the filter by inserting the serialized COutPoint
|
||
structure. See below for more details.
|
||
3. For each input, test the serialized COutPoint structure.
|
||
4. For each input, test each data element of the input script (note:
|
||
input scripts only ever contain data elements).
|
||
5. Otherwise there is no match.
|
||
|
||
In this way addresses, keys and script hashes (for P2SH outputs) can all
|
||
be added to the filter. You can also match against classes of
|
||
transactions that are marked with well known data elements in either
|
||
inputs or outputs, for example, to implement various forms of
|
||
link:Smart property[Smart property].
|
||
|
||
The test for outpoints is there to ensure you can find transactions
|
||
spending outputs in your wallet, even though you don't know anything
|
||
about their form. As you can see, once set on a connection the filter is
|
||
*not static* and can change throughout the connections lifetime. This is
|
||
done to avoid the following race condition:
|
||
|
||
1. A client sets a filter matching a key in their wallet. They then
|
||
start downloading the block chain. The part of the chain that the client
|
||
is missing is requested using getblocks.
|
||
2. The first block is read from disk by the serving peer. It contains
|
||
TX 1 which sends money to the clients key. It matches the filter and is
|
||
thus sent to the client.
|
||
3. The second block is read from disk by the serving peer. It contains
|
||
TX 2 which spends TX 1. However TX 2 does not contain any of the clients
|
||
keys and is thus not sent. The client does not know the money they
|
||
received was already spent.
|
||
|
||
By updating the bloom filter atomically in step 2 with the discovered
|
||
outpoint, the filter will match against TX 2 in step 3 and the client
|
||
will learn about all relevant transactions, despite that there is no
|
||
pause between the node processing the first and second blocks.
|
||
|
||
The nFlags field of the filter controls the nodes precise update
|
||
behaviour and is a bit field.
|
||
|
||
* `BLOOM_UPDATE_NONE (0)` means the filter is not adjusted when a match
|
||
is found.
|
||
* `BLOOM_UPDATE_ALL (1)` means if the filter matches any data element in
|
||
a scriptPubKey the outpoint is serialized and inserted into the filter.
|
||
* `BLOOM_UPDATE_P2PUBKEY_ONLY (2)` means the outpoint is inserted into
|
||
the filter only if a data element in the scriptPubKey is matched, and
|
||
that script is of the standard "pay to pubkey" or "pay to multisig"
|
||
forms.
|
||
|
||
These distinctions are useful to avoid too-rapid degradation of the
|
||
filter due to an increasing false positive rate. We can observe that a
|
||
wallet which expects to receive only payments of the standard
|
||
pay-to-address form doesn't need automatic filter updates because any
|
||
transaction that spends one of its own outputs has a predictable data
|
||
element in the input (the pubkey that hashes to the address). If a
|
||
wallet might receive pay-to-address outputs and also pay-to-pubkey or
|
||
pay-to-multisig outputs then BLOOM_UPDATE_P2PUBKEY_ONLY is appropriate,
|
||
as it avoids unnecessary expansions of the filter for the most common
|
||
types of output but still ensures correct behaviour with payments that
|
||
explicitly specify keys.
|
||
|
||
Obviously, nFlags == 1 or nFlags == 2 mean that the filter will get
|
||
dirtier as more of the chain is scanned. Clients should monitor the
|
||
observed false positive rate and periodically refresh the filter with a
|
||
clean one.
|
||
|
||
[[partial-merkle-branch-format]]
|
||
Partial Merkle branch format
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
A _Merkle tree_ is a way of arranging a set of items as leaf nodes of
|
||
tree in which the interior nodes are hashes of the concatenations of
|
||
their child hashes. The root node is called the _Merkle root_. Every
|
||
Bitcoin block contains a Merkle root of the tree formed from the blocks
|
||
transactions. By providing some elements of the trees interior nodes
|
||
(called a _Merkle branch_) a proof is formed that the given transaction
|
||
was indeed in the block when it was being mined, but the size of the
|
||
proof is much smaller than the size of the original block.
|
||
|
||
[[constructing-a-partial-merkle-tree-object]]
|
||
Constructing a partial merkle tree object
|
||
+++++++++++++++++++++++++++++++++++++++++
|
||
|
||
* Traverse the merkle tree from the root down, and for each encountered
|
||
node:
|
||
** Check whether this node corresponds to a leaf node (transaction) that
|
||
is to be included OR any parent thereof:
|
||
*** If so, append a '1' bit to the flag bits
|
||
*** Otherwise, append a '0' bit.
|
||
** Check whether this node is a internal node (non-leaf) AND is the
|
||
parent of an included leaf node:
|
||
*** If so:
|
||
**** Descend into its left child node, and process the subtree beneath
|
||
it entirely (depth-first).
|
||
**** If this node has a right child node too, descend into it as well.
|
||
*** Otherwise: append this node's hash to the hash list.
|
||
|
||
[[parsing-a-partial-merkle-tree-object]]
|
||
Parsing a partial merkle tree object
|
||
++++++++++++++++++++++++++++++++++++
|
||
|
||
As the partial block message contains the number of transactions in the
|
||
entire block, the shape of the merkle tree is known before hand. Again,
|
||
traverse this tree, computing traversed node's hashes along the way:
|
||
|
||
* Read a bit from the flag bit list:
|
||
** If it is '0':
|
||
*** Read a hash from the hashes list, and return it as this node's hash.
|
||
** If it is '1' and this is a leaf node:
|
||
*** Read a hash from the hashes list, store it as a matched txid, and
|
||
return it as this node's hash.
|
||
** If it is '1' and this is an internal node:
|
||
*** Descend into its left child tree, and store its computed hash as L.
|
||
*** If this node has a right child as well:
|
||
**** Descend into its right child, and store its computed hash as R.
|
||
**** If L == R, the partial merkle tree object is invalid.
|
||
**** Return Hash(L || R).
|
||
*** If this node has no right child, return Hash(L || L).
|
||
|
||
The partial merkle tree object is only valid if:
|
||
|
||
* All hashes in the hash list were consumed and no more.
|
||
* All bits in the flag bits list were consumed (except padding to make
|
||
it into a full byte), and no more.
|
||
* The hash computed for the root node matches the block header's merkle
|
||
root.
|
||
* The block header is valid, and matches its claimed proof of work.
|
||
* In two-child nodes, the hash of the left and right branches was never
|
||
equal.
|
||
|
||
[[bloom-filter-format]]
|
||
Bloom filter format
|
||
^^^^^^^^^^^^^^^^^^^
|
||
|
||
A Bloom filter is a bit-field in which bits are set based on feeding the
|
||
data element to a set of different hash functions. The number of hash
|
||
functions used is a parameter of the filter. In Bitcoin we use version 3
|
||
of the 32-bit Murmur hash function. To get N "different" hash functions
|
||
we simply initialize the Murmur algorithm with the following formula:
|
||
|
||
`nHashNum * 0xFBA4C795 + nTweak`
|
||
|
||
i.e. if the filter is initialized with 4 hash functions and a tweak of
|
||
0x00000005, when the second function (index 1) is needed h1 would be
|
||
equal to 4221880218.
|
||
|
||
When loading a filter with the `filterload` command, there are two
|
||
parameters that can be chosen. One is the size of the filter in bytes.
|
||
The other is the number of hash functions to use. To select the
|
||
parameters you can use the following formulas:
|
||
|
||
Let N be the number of elements you wish to insert into the set and P be
|
||
the probability of a false positive, where 1.0 is "match everything" and
|
||
zero is unachievable.
|
||
|
||
The size S of the filter in bytes is given by
|
||
`(-1 / pow(log(2), 2) * N * log(P)) / 8`. Of course you must ensure it
|
||
does not go over the maximum size (36,000: selected as it represents a
|
||
filter of 20,000 items with false positive rate of < 0.1% or 10,000
|
||
items and a false positive rate of < 0.0001%).
|
||
|
||
The number of hash functions required is given by `S * 8 / N * log(2)`.
|
||
|
||
[[copyright]]
|
||
Copyright
|
||
~~~~~~~~~
|
||
|
||
This document is placed in the public domain.
|
||
----------------------------------------------------------------------------------------------------------------------------------
|
||
BIP: 38
|
||
Title: Passphrase-protected private key
|
||
Authors: Mike Caldwell
|
||
Aaron Voisine <voisine@gmail.com>
|
||
Status: Draft (Some confusion applies: The announcements for this never made it to the list, so it hasn't had public discussion)
|
||
Type: Standards Track
|
||
Created: 2012-11-20
|
||
----------------------------------------------------------------------------------------------------------------------------------
|
||
|
||
[[abstract]]
|
||
Abstract
|
||
~~~~~~~~
|
||
|
||
A method is proposed for encrypting and encoding a passphrase-protected
|
||
Bitcoin private key record in the form of a 58-character
|
||
Base58Check-encoded printable string. Encrypted private key records are
|
||
intended for use on paper wallets and physical Bitcoins. Each record
|
||
string contains all the information needed to reconstitute the private
|
||
key except for a passphrase, and the methodology uses salting and
|
||
_scrypt_ to resist brute-force attacks.
|
||
|
||
The method provides two encoding methodologies - one permitting any
|
||
known private key to be encrypted with any passphrase, and another
|
||
permitting a shared private key generation scheme where the party
|
||
generating the final key string and its associated Bitcoin address (such
|
||
as a physical bitcoin manufacturer) knows only a string derived from the
|
||
original passphrase, and where the original passphrase is needed in
|
||
order to actually redeem funds sent to the associated Bitcoin address.
|
||
|
||
A 32-bit hash of the resulting Bitcoin address is encoded in plaintext
|
||
within each encrypted key, so it can be correlated to a Bitcoin address
|
||
with reasonable probability by someone not knowing the passphrase. The
|
||
complete Bitcoin address can be derived through successful decryption of
|
||
the key record.
|
||
|
||
[[motivation]]
|
||
Motivation
|
||
~~~~~~~~~~
|
||
|
||
The motivation to make this proposal stems from observations of the way
|
||
physical bitcoins and paper wallets are used.
|
||
|
||
An issuer of physical bitcoins must be trustworthy and trusted. Even if
|
||
trustworthy, users are rightful to be skeptical about a third party with
|
||
theoretical access to take their funds. A physical bitcoin that cannot
|
||
be compromised by its issuer is always more intrinsically valuable than
|
||
one that can.
|
||
|
||
A two-factor physical bitcoin solution is highly useful to individuals
|
||
and organizations wishing to securely own bitcoins without any risk of
|
||
electronic theft and without the responsibility of climbing the
|
||
technological learning curve necessary to produce such an environment
|
||
themselves. Two-factor physical bitcoins allow a secure storage solution
|
||
to be put in a box and sold on the open market, greatly enlarging the
|
||
number of people who are able to securely store bitcoins.
|
||
|
||
Existing methodologies for creating two-factor physical bitcoins are
|
||
limited and cumbersome. At the time of this proposal, a user could
|
||
create their own private key, submit the public key to the physical
|
||
bitcoin issuer, and then receive a physical bitcoin that must be kept
|
||
together with some sort of record of the user-generated private key, and
|
||
finally, must be redeemed through a tool. The fact that the physical
|
||
bitcoin must be kept together with a user-produced private key negates
|
||
much of the benefit of the physical bitcoin - the user may as well just
|
||
print and maintain a private key.
|
||
|
||
A standardized password-protected private key format makes acquiring and
|
||
redeeming two-factor physical bitcoins simpler for the user. Instead of
|
||
maintaining a private key that cannot be memorized, the user may choose
|
||
a passphrase of their choice. The passphrase may be much shorter than
|
||
the length of a typical private key, short enough that they could use a
|
||
label or engraver to permanently commit their passphrase to their
|
||
physical Bitcoin piece once they have received it. By adopting a
|
||
standard way to encrypt a private key, we maximize the possibility that
|
||
they'll be able to redeem their funds in the venue of their choice,
|
||
rather than relying on an executable redemption tool they may not wish
|
||
to download.
|
||
|
||
Password and passphrase-protected private keys enable new practical use
|
||
cases for sending bitcoins from person to person. Someone wanting to
|
||
send bitcoins through postal mail could send a password-protected paper
|
||
wallet and give the recipient the passphrase over the phone or e-mail,
|
||
making the transfer safe from interception of either channel. A user of
|
||
paper wallets or Bitcoin banknote-style vouchers ("cash") could carry
|
||
funded encrypted private keys while leaving a copy at home as an element
|
||
of protection against accidental loss or theft. A user of paper wallets
|
||
who leaves bitcoins in a bank vault or safety deposit box could keep the
|
||
password at home or share it with trusted associates as protection
|
||
against someone at the bank gaining access to the paper wallets and
|
||
spending from them. The foreseeable and unforeseeable use cases for
|
||
password-protected private keys are numerous.
|
||
|
||
[[copyright]]
|
||
Copyright
|
||
~~~~~~~~~
|
||
|
||
This proposal is hereby placed in the public domain.
|
||
|
||
[[rationale]]
|
||
Rationale
|
||
~~~~~~~~~
|
||
|
||
::
|
||
_*User story:* As a Bitcoin user who uses paper wallets, I would like
|
||
the ability to add encryption, so that my Bitcoin paper storage can be
|
||
two factor: something I have plus something I know._
|
||
+
|
||
_*User story:* As a Bitcoin user who would like to pay a person or a
|
||
company with a private key, I do not want to worry that any part of
|
||
the communication path may result in the interception of the key and
|
||
theft of my funds. I would prefer to offer an encrypted private key,
|
||
and then follow it up with the password using a different
|
||
communication channel (e.g. a phone call or SMS)._
|
||
+
|
||
_*User story:* (EC-multiplied keys) As a user of physical bitcoins, I
|
||
would like a third party to be able to create password-protected
|
||
Bitcoin private keys for me, without them knowing the password, so I
|
||
can benefit from the physical bitcoin without the issuer having access
|
||
to the private key. I would like to be able to choose a password whose
|
||
minimum length and required format does not preclude me from
|
||
memorizing it or engraving it on my physical bitcoin, without exposing
|
||
me to an undue risk of password cracking and/or theft by the
|
||
manufacturer of the item._
|
||
+
|
||
'*'User story:* (EC multiplied keys) As a user of paper wallets, I
|
||
would like the ability to generate a large number of Bitcoin addresses
|
||
protected by the same password, while enjoying a high degree of
|
||
security (highly expensive scrypt parameters), but without having to
|
||
incur the scrypt delay for each address I generate.
|
||
|
||
[[specification]]
|
||
Specification
|
||
~~~~~~~~~~~~~
|
||
|
||
This proposal makes use of the following functions and definitions:
|
||
|
||
* *AES256Encrypt, AES256Decrypt*: the simple form of the well-known AES
|
||
block cipher without consideration for initialization vectors or block
|
||
chaining. Each of these functions takes a 256-bit key and 16 bytes of
|
||
input, and deterministically yields 16 bytes of output.
|
||
* *SHA256*, a well-known hashing algorithm that takes an arbitrary
|
||
number of bytes as input and deterministically yields a 32-byte hash.
|
||
* *scrypt*: A well-known key derivation algorithm. It takes the
|
||
following parameters: (string) password, (string) salt, (int) n, (int)
|
||
r, (int) p, (int) length, and deterministically yields an array of bytes
|
||
whose length is equal to the length parameter.
|
||
* *ECMultiply*: Multiplication of an elliptic curve point by a scalar
|
||
integer with respect to the secp256k1 elliptic curve.
|
||
* *G, N*: Constants defined as part of the secp256k1 elliptic curve. G
|
||
is an elliptic curve point, and N is a large positive integer.
|
||
* *Base58Check*: a method for encoding arrays of bytes using 58
|
||
alphanumeric characters commonly used in the Bitcoin ecosystem.
|
||
|
||
[[prefix]]
|
||
Prefix
|
||
^^^^^^
|
||
|
||
It is proposed that the resulting Base58Check-encoded string start with
|
||
a '6'. The number '6' is intended to represent, from the perspective of
|
||
the user, "a private key that needs something else to be usable" - an
|
||
umbrella definition that could be understood in the future to include
|
||
keys participating in multisig transactions, and was chosen with
|
||
deference to the existing prefix '5' most commonly observed in
|
||
link:Wallet Import Format[Wallet Import Format] which denotes an
|
||
unencrypted private key.
|
||
|
||
It is proposed that the second character ought to give a hint as to what
|
||
is needed as a second factor, and for an encrypted key requiring a
|
||
passphrase, the uppercase letter P is proposed.
|
||
|
||
To keep the size of the encrypted key down, no initialization vectors
|
||
(IVs) are used in the AES encryption. Rather, suitable values for
|
||
IV-like use are derived using scrypt from the passphrase and from using
|
||
a 32-bit hash of the resulting Bitcoin address as salt.
|
||
|
||
[[proposed-specification]]
|
||
Proposed specification
|
||
^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
* Object identifier prefix: 0x0142 (non-EC-multiplied) or 0x0143
|
||
(EC-multiplied). These are constant bytes that appear at the beginning
|
||
of the Base58Check-encoded record, and their presence causes the
|
||
resulting string to have a predictable prefix.
|
||
* How the user sees it: 58 characters always starting with '6P'
|
||
** Visual cues are present in the third character for visually
|
||
identifying the EC-multiply and compress flag.
|
||
* Count of payload bytes (beyond prefix): 37
|
||
** 1 byte (_flagbyte_):
|
||
*** the most significant two bits are set as follows to preserve the
|
||
visibility of the compression flag in the prefix, as well as to keep the
|
||
payload within the range of allowable values that keep the "6P" prefix
|
||
intact. For non-EC-multiplied keys, the bits are 11. For EC-multiplied
|
||
keys, the bits are 00.
|
||
*** the bit with value 0x20 when set indicates the key should be
|
||
converted to a bitcoin address using the compressed public key format.
|
||
*** the bits with values 0x10 and 0x08 are reserved for a future
|
||
specification that contemplates using multisig as a way to combine the
|
||
factors such that parties in possession of the separate factors can
|
||
independently sign a proposed transaction without requiring that any
|
||
party possess both factors. These bits must be 0 to comply with this
|
||
version of the specification.
|
||
*** the bit with value 0x04 indicates whether a lot and sequence number
|
||
are encoded into the first factor, and activates special behavior for
|
||
including them in the decryption process. This applies to EC-multiplied
|
||
keys only. Must be 0 for non-EC-multiplied keys.
|
||
*** remaining bits are reserved for future use and must all be 0 to
|
||
comply with this version of the specification.
|
||
** 4 bytes: SHA256(SHA256(expected_bitcoin_address))[0...3], used both
|
||
for typo checking and as salt
|
||
** 16 bytes: Contents depend on whether EC multiplication is used.
|
||
** 16 bytes: lasthalf: An AES-encrypted key material record (contents
|
||
depend on whether EC multiplication is used)
|
||
* Range in base58check encoding for non-EC-multiplied keys without
|
||
compression (prefix 6PR):
|
||
** Minimum value:
|
||
6PRHv1jg1ytiE4kT2QtrUz8gEjMQghZDWg1FuxjdYDzjUkcJeGdFj9q9Vi (based on 01
|
||
42 C0 plus thirty-six 00's)
|
||
** Maximum value:
|
||
6PRWdmoT1ZursVcr5NiD14p5bHrKVGPG7yeEoEeRb8FVaqYSHnZTLEbYsU (based on 01
|
||
42 C0 plus thirty-six FF's)
|
||
* Range in base58check encoding for non-EC-multiplied keys with
|
||
compression (prefix 6PY):
|
||
** Minimum value:
|
||
6PYJxKpVnkXUsnZAfD2B5ZsZafJYNp4ezQQeCjs39494qUUXLnXijLx6LG (based on 01
|
||
42 E0 plus thirty-six 00's)
|
||
** Maximum value:
|
||
6PYXg5tGnLYdXDRZiAqXbeYxwDoTBNthbi3d61mqBxPpwZQezJTvQHsCnk (based on 01
|
||
42 E0 plus thirty-six FF's)
|
||
* Range in base58check encoding for EC-multiplied keys without
|
||
compression (prefix 6Pf):
|
||
** Minimum value:
|
||
6PfKzduKZXAFXWMtJ19Vg9cSvbFg4va6U8p2VWzSjtHQCCLk3JSBpUvfpf (based on 01
|
||
43 00 plus thirty-six 00's)
|
||
** Maximum value:
|
||
6PfYiPy6Z7BQAwEHLxxrCEHrH9kasVQ95ST1NnuEnnYAJHGsgpNPQ9dTHc (based on 01
|
||
43 00 plus thirty-six FF's)
|
||
* Range in base58check encoding for non-EC-multiplied keys with
|
||
compression (prefix 6Pn):
|
||
** Minimum value:
|
||
6PnM2wz9LHo2BEAbvoGpGjMLGXCom35XwsDQnJ7rLiRjYvCxjpLenmoBsR (based on 01
|
||
43 20 plus thirty-six 00's)
|
||
** Maximum value:
|
||
6PnZki3vKspApf2zym6Anp2jd5hiZbuaZArPfa2ePcgVf196PLGrQNyVUh (based on 01
|
||
43 20 plus thirty-six FF's)
|
||
|
||
[[encryption-when-ec-multiply-flag-is-not-used]]
|
||
Encryption when EC multiply flag is not used
|
||
++++++++++++++++++++++++++++++++++++++++++++
|
||
|
||
Encrypting a private key without the EC multiplication offers the
|
||
advantage that any known private key can be encrypted. The party
|
||
performing the encryption must know the passphrase.
|
||
|
||
Encryption steps:
|
||
|
||
1. Compute the Bitcoin address (ASCII), and take the first four bytes
|
||
of SHA256(SHA256()) of it. Let's call this "addresshash".
|
||
2. Derive a key from the passphrase using scrypt
|
||
* Parameters: _passphrase_ is the passphrase itself encoded in UTF-8.
|
||
salt is _addresshash_ from the earlier step, n=16384, r=8, p=8,
|
||
length=64 (n, r, p are provisional and subject to consensus)
|
||
* Let's split the resulting 64 bytes in half, and call them
|
||
_derivedhalf1_ and _derivedhalf2_.
|
||
3. Do AES256Encrypt(bitcoinprivkey[0...15] xor derivedhalf1[0...15],
|
||
derivedhalf2), call the 16-byte result _encryptedhalf1_
|
||
4. Do AES256Encrypt(bitcoinprivkey[16...31] xor derivedhalf1[16...31],
|
||
derivedhalf2), call the 16-byte result _encryptedhalf2_
|
||
|
||
The encrypted private key is the Base58Check-encoded concatenation of
|
||
the following, which totals 39 bytes without Base58 checksum:
|
||
|
||
* 0x01 0x42 + _flagbyte_ + _salt_ + _encryptedhalf1_ + _encryptedhalf2_
|
||
|
||
Decryption steps:
|
||
|
||
1. Collect encrypted private key and passphrase from user.
|
||
2. Derive _derivedhalf1_ and _derivedhalf2_ by passing the passphrase
|
||
and _addresshash_ into scrypt function.
|
||
3. Decrypt _encryptedhalf1_ and _encryptedhalf2_ using AES256Decrypt,
|
||
merge them to form the encrypted private key.
|
||
4. Convert that private key into a Bitcoin address, honoring the
|
||
compression preference specified in _flagbyte_ of the encrypted key
|
||
record.
|
||
5. Hash the Bitcoin address, and verify that _addresshash_ from the
|
||
encrypted private key record matches the hash. If not, report that the
|
||
passphrase entry was incorrect.
|
||
|
||
[[encryption-when-ec-multiply-mode-is-used]]
|
||
Encryption when EC multiply mode is used
|
||
++++++++++++++++++++++++++++++++++++++++
|
||
|
||
Encrypting a private key with EC multiplication offers the ability for
|
||
someone to generate encrypted keys knowing only an EC point derived from
|
||
the original passphrase and some salt generated by the passphrase's
|
||
owner, and without knowing the passphrase itself. Only the person who
|
||
knows the original passphrase can decrypt the private key. A code known
|
||
as an _intermediate code_ conveys the information needed to generate
|
||
such a key without knowledge of the passphrase.
|
||
|
||
This methodology does not offer the ability to encrypt a known private
|
||
key - this means that the process of creating encrypted keys is also the
|
||
process of generating new addresses. On the other hand, this serves a
|
||
security benefit for someone possessing an address generated this way:
|
||
if the address can be recreated by decrypting its private key with a
|
||
passphrase, and it's a strong passphrase one can be certain only he
|
||
knows himself, then he can safely conclude that nobody could know the
|
||
private key to that address.
|
||
|
||
The person who knows the passphrase and who is the intended beneficiary
|
||
of the private keys is called the _owner_. He will generate one or more
|
||
"intermediate codes", which are the first factor of a two-factor
|
||
redemption system, and will give them to someone else we'll call
|
||
_printer_, who generates a key pair with an intermediate code can know
|
||
the address and encrypted private key, but cannot decrypt the private
|
||
key without the original passphrase.
|
||
|
||
An intermediate code should, but is not required to, embed a printable
|
||
"lot" and "sequence" number for the benefit of the user. The proposal
|
||
forces these lot and sequence numbers to be included in any valid
|
||
private keys generated from them. An owner who has requested multiple
|
||
private keys to be generated for him will be advised by applications to
|
||
ensure that each private key has a unique lot and sequence number
|
||
consistent with the intermediate codes he generated. These mainly help
|
||
protect _owner_ from potential mistakes and/or attacks that could be
|
||
made by _printer_.
|
||
|
||
The "lot" and "sequence" number are combined into a single 32 bit
|
||
number. 20 bits are used for the lot number and 12 bits are used for the
|
||
sequence number, such that the lot number can be any decimal number
|
||
between 0 and 1048575, and the sequence number can be any decimal number
|
||
between 0 and 4095. For programs that generate batches of intermediate
|
||
codes for an _owner_, it is recommended that lot numbers be chosen at
|
||
random within the range 100000-999999 and that sequence numbers are
|
||
assigned starting with 1.
|
||
|
||
Steps performed by _owner_ to generate a single intermediate code, if
|
||
lot and sequence numbers are being included:
|
||
|
||
1. Generate 4 random bytes, call them _ownersalt_.
|
||
2. Encode the lot and sequence numbers as a 4 byte quantity
|
||
(big-endian): lotnumber * 4096 + sequencenumber. Call these four bytes
|
||
_lotsequence_.
|
||
3. Concatenate _ownersalt_ + _lotsequence_ and call this
|
||
_ownerentropy_.
|
||
4. Derive a key from the passphrase using scrypt
|
||
* Parameters: _passphrase_ is the passphrase itself encoded in UTF-8.
|
||
salt is _ownersalt_. n=16384, r=8, p=8, length=32.
|
||
* Call the resulting 32 bytes _prefactor_.
|
||
* Take SHA256(SHA256(_prefactor_ + _ownerentropy_)) and call this
|
||
_passfactor_.
|
||
5. Compute the elliptic curve point G * _passfactor_, and convert the
|
||
result to compressed notation (33 bytes). Call this _passpoint_.
|
||
Compressed notation is used for this purpose regardless of whether the
|
||
intent is to create Bitcoin addresses with or without compressed public
|
||
keys.
|
||
6. Convey _ownersalt_ and _passpoint_ to the party generating the keys,
|
||
along with a checksum to ensure integrity.
|
||
* The following Base58Check-encoded format is recommended for this
|
||
purpose: magic bytes "2C E9 B3 E1 FF 39 E2 51" followed by
|
||
_ownerentropy_, and then _passpoint_. The resulting string will start
|
||
with the word "passphrase" due to the constant bytes, will be 72
|
||
characters in length, and encodes 49 bytes (8 bytes constant + 8 bytes
|
||
_ownerentropy_ + 33 bytes _passpoint_). The checksum is handled in the
|
||
Base58Check encoding. The resulting string is called
|
||
_intermediate_passphrase_string_.
|
||
|
||
If lot and sequence numbers are not being included, then follow the same
|
||
procedure with the following changes:
|
||
|
||
* _ownersalt_ is 8 random bytes instead of 4, and _lotsequence_ is
|
||
omitted. _ownerentropy_ becomes an alias for _ownersalt_.
|
||
* The SHA256 conversion of _prefactor_ to _passfactor_ is omitted.
|
||
Instead, the output of scrypt is used directly as _passfactor_.
|
||
* The magic bytes are "2C E9 B3 E1 FF 39 E2 53" instead (the last byte
|
||
is 0x53 instead of 0x51).
|
||
|
||
Steps to create new encrypted private keys given
|
||
_intermediate_passphrase_string_ from _owner_ (so we have
|
||
_ownerentropy_, and _passpoint_, but we do not have _passfactor_ or the
|
||
passphrase):
|
||
|
||
1. Set _flagbyte_.
|
||
* Turn on bit 0x20 if the Bitcoin address will be formed by hashing the
|
||
compressed public key (optional, saves space, but many Bitcoin
|
||
implementations aren't compatible with it)
|
||
* Turn on bit 0x04 if _ownerentropy_ contains a value for _lotsequence_.
|
||
(While it has no effect on the keypair generation process, the
|
||
decryption process needs this flag to know how to process
|
||
_ownerentropy_)
|
||
2. Generate 24 random bytes, call this _seedb_. Take
|
||
SHA256(SHA256(_seedb_)) to yield 32 bytes, call this _factorb_.
|
||
3. ECMultiply _passpoint_ by _factorb_. Use the resulting EC point as a
|
||
public key and hash it into a Bitcoin address using either compressed or
|
||
uncompressed public key methodology (specify which methodology is used
|
||
inside _flagbyte_). This is the generated Bitcoin address, call it
|
||
_generatedaddress_.
|
||
4. Take the first four bytes of SHA256(SHA256(_generatedaddress_)) and
|
||
call it _addresshash_.
|
||
5. Now we will encrypt _seedb_. Derive a second key from _passpoint_
|
||
using scrypt
|
||
* Parameters: _passphrase_ is _passpoint_ provided from the first party
|
||
(expressed in binary as 33 bytes). _salt_ is _addresshash_ +
|
||
_ownerentropy_, n=1024, r=1, p=1, length=64. The "+" operator is
|
||
concatenation.
|
||
* Split the result into two 32-byte halves and call them _derivedhalf1_
|
||
and _derivedhalf2_.
|
||
6. Do AES256Encrypt(seedb[0...15] xor derivedhalf1[0...15],
|
||
derivedhalf2), call the 16-byte result _encryptedpart1_
|
||
7. Do AES256Encrypt((encryptedpart1[8...15] + seedb[16...23]) xor
|
||
derivedhalf1[16...31], derivedhalf2), call the 16-byte result
|
||
_encryptedpart2_. The "+" operator is concatenation.
|
||
|
||
The encrypted private key is the Base58Check-encoded concatenation of
|
||
the following, which totals 39 bytes without Base58 checksum:
|
||
|
||
* 0x01 0x43 + _flagbyte_ + _addresshash_ + _ownerentropy_ +
|
||
_encryptedpart1_[0...7] + _encryptedpart2_
|
||
|
||
[[confirmation-code]]
|
||
Confirmation code
|
||
|
||
The party generating the Bitcoin address has the option to return a
|
||
_confirmation code_ back to _owner_ which allows _owner_ to
|
||
independently verify that he has been given a Bitcoin address that
|
||
actually depends on his passphrase, and to confirm the lot and sequence
|
||
numbers (if applicable). This protects _owner_ from being given a
|
||
Bitcoin address by the second party that is unrelated to the key
|
||
derivation and possibly spendable by the second party. If a Bitcoin
|
||
address given to _owner_ can be successfully regenerated through the
|
||
confirmation process, _owner_ can be reasonably assured that any
|
||
spending without the passphrase is infeasible. This confirmation code is
|
||
75 characters starting with "cfrm38".
|
||
|
||
To generate it, we need _flagbyte_, _ownerentropy_, _factorb_,
|
||
_derivedhalf1_ and _derivedhalf2_ from the original encryption
|
||
operation.
|
||
|
||
1. ECMultiply _factorb_ by G, call the result _pointb_. The result is
|
||
33 bytes.
|
||
2. The first byte is 0x02 or 0x03. XOR it by (derivedhalf2[31] & 0x01),
|
||
call the resulting byte _pointbprefix_.
|
||
3. Do AES256Encrypt(pointb[1...16] xor derivedhalf1[0...15],
|
||
derivedhalf2) and call the result _pointbx1_.
|
||
4. Do AES256Encrypt(pointb[17...32] xor derivedhalf1[16...31],
|
||
derivedhalf2) and call the result _pointbx2_.
|
||
5. Concatenate _pointbprefix_ + _pointbx1_ + _pointbx2_ (total 33
|
||
bytes) and call the result _encryptedpointb_.
|
||
|
||
The result is a Base58Check-encoded concatenation of the following:
|
||
|
||
* 0x64 0x3B 0xF6 0xA8 0x9A + _flagbyte_ + _addresshash_ + _ownerentropy_
|
||
+ _encryptedpointb_
|
||
|
||
A confirmation tool, given a passphrase and a confirmation code, can
|
||
recalculate the address, verify the address hash, and then assert the
|
||
following: "It is confirmed that Bitcoin address _address_ depends on
|
||
this passphrase". If applicable: "The lot number is _lotnumber_ and the
|
||
sequence number is _sequencenumber_."
|
||
|
||
To recalculate the address:
|
||
|
||
1. Derive _passfactor_ using scrypt with _ownerentropy_ and the user's
|
||
passphrase and use it to recompute _passpoint_
|
||
2. Derive decryption key for _pointb_ using scrypt with _passpoint_,
|
||
_addresshash_, and _ownerentropy_
|
||
3. Decrypt _encryptedpointb_ to yield _pointb_
|
||
4. ECMultiply _pointb_ by _passfactor_. Use the resulting EC point as a
|
||
public key and hash it into _address_ using either compressed or
|
||
uncompressed public key methodology as specifid in _flagbyte_.
|
||
|
||
[[decryption]]
|
||
Decryption
|
||
|
||
1. Collect encrypted private key and passphrase from user.
|
||
2. Derive _passfactor_ using scrypt with _ownerentropy_ and the user's
|
||
passphrase and use it to recompute _passpoint_
|
||
3. Derive decryption key for _seedb_ using scrypt with _passpoint_,
|
||
_addresshash_, and _ownersalt_
|
||
4. Decrypt _encryptedpart2_ using AES256Decrypt to yield the last 8
|
||
bytes of _seedb_ and the last 8 bytes of _encryptedpart1_.
|
||
5. Decrypt _encryptedpart1_ to yield the remainder of _seedb_.
|
||
6. Use _seedb_ to compute _factorb_.
|
||
7. Multiply _passfactor_ by _factorb_ mod N to yield the private key
|
||
associated with _generatedaddress_.
|
||
8. Convert that private key into a Bitcoin address, honoring the
|
||
compression preference specified in the encrypted key.
|
||
9. Hash the Bitcoin address, and verify that _addresshash_ from the
|
||
encrypted private key record matches the hash. If not, report that the
|
||
passphrase entry was incorrect.
|
||
|
||
[[backwards-compatibility]]
|
||
Backwards compatibility
|
||
~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
Backwards compatibility is minimally applicable since this is a new
|
||
standard that at most extends link:Wallet Import Format[Wallet Import
|
||
Format]. It is assumed that an entry point for private key data may also
|
||
accept existing formats of private keys (such as hexadecimal and
|
||
link:Wallet Import Format[Wallet Import Format]); this draft uses a key
|
||
format that cannot be mistaken for any existing one and preserves
|
||
auto-detection capabilities.
|
||
|
||
[[suggestions-for-implementers-of-proposal-with-alt-chains]]
|
||
Suggestions for implementers of proposal with alt-chains
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
If this proposal is accepted into alt-chains, it is requested that the
|
||
unused flag bytes not be used for denoting that the key belongs to an
|
||
alt-chain.
|
||
|
||
Alt-chain implementers should exploit the address hash for this purpose.
|
||
Since each operation in this proposal involves hashing a text
|
||
representation of a coin address which (for Bitcoin) includes the
|
||
leading '1', an alt-chain can easily be denoted simply by using the
|
||
alt-chain's preferred format for representing an address. Alt-chain
|
||
implementers may also change the prefix such that encrypted addresses do
|
||
not start with "6P".
|
||
|
||
[[discussion-item-scrypt-parameters]]
|
||
Discussion item: scrypt parameters
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
This proposal leaves the scrypt parameters up in the air. The following
|
||
items are proposed for consideration:
|
||
|
||
The main goal of scrypt is to reduce the feasibility of brute force
|
||
attacks. It must be assumed that an attacker will be able to use an
|
||
efficient implementation of scrypt. The parameters should force a highly
|
||
efficient implementation of scrypt to wait a decent amount of time to
|
||
slow attacks.
|
||
|
||
On the other hand, an unavoidably likely place where scrypt will be
|
||
implemented is using slow interpreted languages such as javascript. What
|
||
might take milliseconds on an efficient scrypt implementation may take
|
||
seconds in javascript.
|
||
|
||
It is believed, however, that someone using a javascript implementation
|
||
is probably dealing with codes by hand, one at a time, rather than
|
||
generating or processing large batches of codes. Thus, a wait time of
|
||
several seconds is acceptable to a user.
|
||
|
||
A private key redemption process that forces a server to consume several
|
||
seconds of CPU time would discourage implementation by the server owner,
|
||
because they would be opening up a denial of service avenue by inviting
|
||
users to make numerous attempts to invoke the redemption process.
|
||
However, it's also feasible for the server owner to implement his
|
||
redemption process in such a way that the decryption is done by the
|
||
user's browser, offloading the task from his own server (and providing
|
||
another reason why the chosen scrypt parameters should be tolerant of
|
||
javascript-based decryptors).
|
||
|
||
The preliminary values of 16384, 8, and 8 are hoped to offer the
|
||
following properties:
|
||
|
||
* Encryption/decryption in javascript requiring several seconds per
|
||
operation
|
||
* Use of the parallelization parameter provides a modest opportunity for
|
||
speedups in environments where concurrent threading is available - such
|
||
environments would be selected for processes that must handle bulk
|
||
quantities of encryption/decryption operations. Estimated time for an
|
||
operation is in the tens or hundreds of milliseconds.
|
||
|
||
[[reference-implementation]]
|
||
Reference implementation
|
||
~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
Added to alpha version of Casascius Bitcoin Address Utility for Windows
|
||
available at:
|
||
|
||
* via https: https://casascius.com/btcaddress-alpha.zip
|
||
* at github: https://github.com/casascius/Bitcoin-Address-Utility
|
||
|
||
Click "Tools" then "PPEC Keygen" (provisional name)
|
||
|
||
[[test-vectors]]
|
||
Test vectors
|
||
~~~~~~~~~~~~
|
||
|
||
[[no-compression-no-ec-multiply]]
|
||
No compression, no EC multiply
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
Test 1:
|
||
|
||
* Passphrase: TestingOneTwoThree
|
||
* Encrypted: 6PRVWUbkzzsbcVac2qwfssoUJAN1Xhrg6bNk8J7Nzm5H7kxEbn2Nh2ZoGg
|
||
* Unencrypted (WIF): 5KN7MzqK5wt2TP1fQCYyHBtDrXdJuXbUzm4A9rKAteGu3Qi5CVR
|
||
* Unencrypted (hex):
|
||
CBF4B9F70470856BB4F40F80B87EDB90865997FFEE6DF315AB166D713AF433A5
|
||
|
||
Test 2:
|
||
|
||
* Passphrase: Satoshi
|
||
* Encrypted: 6PRNFFkZc2NZ6dJqFfhRoFNMR9Lnyj7dYGrzdgXXVMXcxoKTePPX1dWByq
|
||
* Unencrypted (WIF): 5HtasZ6ofTHP6HCwTqTkLDuLQisYPah7aUnSKfC7h4hMUVw2gi5
|
||
* Unencrypted (hex):
|
||
09C2686880095B1A4C249EE3AC4EEA8A014F11E6F986D0B5025AC1F39AFBD9AE
|
||
|
||
[[compression-no-ec-multiply]]
|
||
Compression, no EC multiply
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
Test 1:
|
||
|
||
* Passphrase: TestingOneTwoThree
|
||
* Encrypted: 6PYNKZ1EAgYgmQfmNVamxyXVWHzK5s6DGhwP4J5o44cvXdoY7sRzhtpUeo
|
||
* Unencrypted (WIF):
|
||
L44B5gGEpqEDRS9vVPz7QT35jcBG2r3CZwSwQ4fCewXAhAhqGVpP
|
||
* Unencrypted (hex):
|
||
CBF4B9F70470856BB4F40F80B87EDB90865997FFEE6DF315AB166D713AF433A5
|
||
|
||
Test 2:
|
||
|
||
* Passphrase: Satoshi
|
||
* Encrypted: 6PYLtMnXvfG3oJde97zRyLYFZCYizPU5T3LwgdYJz1fRhh16bU7u6PPmY7
|
||
* Unencrypted (WIF):
|
||
KwYgW8gcxj1JWJXhPSu4Fqwzfhp5Yfi42mdYmMa4XqK7NJxXUSK7
|
||
* Unencrypted (hex):
|
||
09C2686880095B1A4C249EE3AC4EEA8A014F11E6F986D0B5025AC1F39AFBD9AE
|
||
|
||
[[ec-multiply-no-compression-no-lotsequence-numbers]]
|
||
EC multiply, no compression, no lot/sequence numbers
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
Test 1:
|
||
|
||
* Passphrase: TestingOneTwoThree
|
||
* Passphrase code:
|
||
passphrasepxFy57B9v8HtUsszJYKReoNDV6VHjUSGt8EVJmux9n1J3Ltf1gRxyDGXqnf9qm
|
||
* Encrypted key:
|
||
6PfQu77ygVyJLZjfvMLyhLMQbYnu5uguoJJ4kMCLqWwPEdfpwANVS76gTX
|
||
* Bitcoin address: 1PE6TQi6HTVNz5DLwB1LcpMBALubfuN2z2
|
||
* Unencrypted private key (WIF):
|
||
5K4caxezwjGCGfnoPTZ8tMcJBLB7Jvyjv4xxeacadhq8nLisLR2
|
||
* Unencrypted private key (hex):
|
||
A43A940577F4E97F5C4D39EB14FF083A98187C64EA7C99EF7CE460833959A519
|
||
|
||
Test 2:
|
||
|
||
* Passphrase: Satoshi
|
||
* Passphrase code:
|
||
passphraseoRDGAXTWzbp72eVbtUDdn1rwpgPUGjNZEc6CGBo8i5EC1FPW8wcnLdq4ThKzAS
|
||
* Encrypted key:
|
||
6PfLGnQs6VZnrNpmVKfjotbnQuaJK4KZoPFrAjx1JMJUa1Ft8gnf5WxfKd
|
||
* Bitcoin address: 1CqzrtZC6mXSAhoxtFwVjz8LtwLJjDYU3V
|
||
* Unencrypted private key (WIF):
|
||
5KJ51SgxWaAYR13zd9ReMhJpwrcX47xTJh2D3fGPG9CM8vkv5sH
|
||
* Unencrypted private key (hex):
|
||
C2C8036DF268F498099350718C4A3EF3984D2BE84618C2650F5171DCC5EB660A
|
||
|
||
[[ec-multiply-no-compression-lotsequence-numbers]]
|
||
EC multiply, no compression, lot/sequence numbers
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
Test 1:
|
||
|
||
* Passphrase: MOLON LABE
|
||
* Passphrase code:
|
||
passphraseaB8feaLQDENqCgr4gKZpmf4VoaT6qdjJNJiv7fsKvjqavcJxvuR1hy25aTu5sX
|
||
* Encrypted key:
|
||
6PgNBNNzDkKdhkT6uJntUXwwzQV8Rr2tZcbkDcuC9DZRsS6AtHts4Ypo1j
|
||
* Bitcoin address: 1Jscj8ALrYu2y9TD8NrpvDBugPedmbj4Yh
|
||
* Unencrypted private key (WIF):
|
||
5JLdxTtcTHcfYcmJsNVy1v2PMDx432JPoYcBTVVRHpPaxUrdtf8
|
||
* Unencrypted private key (hex):
|
||
44EA95AFBF138356A05EA32110DFD627232D0F2991AD221187BE356F19FA8190
|
||
* Confirmation code:
|
||
cfrm38V8aXBn7JWA1ESmFMUn6erxeBGZGAxJPY4e36S9QWkzZKtaVqLNMgnifETYw7BPwWC9aPD
|
||
* Lot/Sequence: 263183/1
|
||
|
||
Test 2:
|
||
|
||
* Passphrase (all letters are Greek - test UTF-8 compatibility with
|
||
this): ΜΟΛΩΝ ΛΑΒΕ
|
||
* Passphrase code:
|
||
passphrased3z9rQJHSyBkNBwTRPkUGNVEVrUAcfAXDyRU1V28ie6hNFbqDwbFBvsTK7yWVK
|
||
* Encrypted private key:
|
||
6PgGWtx25kUg8QWvwuJAgorN6k9FbE25rv5dMRwu5SKMnfpfVe5mar2ngH
|
||
* Bitcoin address: 1Lurmih3KruL4xDB5FmHof38yawNtP9oGf
|
||
* Unencrypted private key (WIF):
|
||
5KMKKuUmAkiNbA3DazMQiLfDq47qs8MAEThm4yL8R2PhV1ov33D
|
||
* Unencrypted private key (hex):
|
||
CA2759AA4ADB0F96C414F36ABEB8DB59342985BE9FA50FAAC228C8E7D90E3006
|
||
* Confirmation code:
|
||
cfrm38V8G4qq2ywYEFfWLD5Cc6msj9UwsG2Mj4Z6QdGJAFQpdatZLavkgRd1i4iBMdRngDqDs51
|
||
* Lot/Sequence: 806938/1
|
||
|
||
----------------------------------------------------------
|
||
BIP: BIP-0039
|
||
Title: Mnemonic code for generating deterministic keys
|
||
Authors: Marek Palatinus <slush@satoshilabs.com>
|
||
Pavol Rusnak <stick@satoshilabs.com>
|
||
ThomasV <thomasv@bitcointalk.org>
|
||
Aaron Voisine <voisine@gmail.com>
|
||
Sean Bowe <ewillbefull@gmail.com>
|
||
Status: Draft
|
||
Type: Standards Track
|
||
Created: 2013-09-10
|
||
----------------------------------------------------------
|
||
|
||
[[abstract]]
|
||
Abstract
|
||
~~~~~~~~
|
||
|
||
This BIP describes the implementation of a mnemonic code or mnemonic
|
||
sentence -- a group of easy to remember words -- for the generation of
|
||
deterministic wallets.
|
||
|
||
It consists of two parts: generating the mnenomic, and converting it
|
||
into a binary seed. This seed can be later used to generate
|
||
deterministic wallets using BIP-0032 or similar methods.
|
||
|
||
[[motivation]]
|
||
Motivation
|
||
~~~~~~~~~~
|
||
|
||
A mnenomic code or sentence is superior for human interaction compared
|
||
to the handling of raw binary or hexidecimal representations of a wallet
|
||
seed. The sentence could be written on paper or spoken over the
|
||
telephone.
|
||
|
||
This guide meant to be as a way to transport computer-generated
|
||
randomnes over human readable transcription. It's not a way how to
|
||
process user-created sentences (also known as brainwallet) to wallet
|
||
seed.
|
||
|
||
[[generating-the-mnemonic]]
|
||
Generating the mnemonic
|
||
~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
The mnemonic must encode entropy in any multiple of 32 bits. With larger
|
||
entropy security is improved but the sentence length increases. We can
|
||
refer to the initial entropy length as ENT. The recommended size of ENT
|
||
is 128-256 bits.
|
||
|
||
First, an initial entropy of ENT bits is generated. A checksum is
|
||
generated by taking the first
|
||
|
||
--------
|
||
ENT / 32
|
||
--------
|
||
|
||
bits of its SHA256 hash. This checksum is appended to the end of the
|
||
initial entropy. Next, these concatenated bits are are split into groups
|
||
of 11 bits, each encoding a number from 0-2047, serving as an index to a
|
||
wordlist. Later, we will convert these numbers into words and use the
|
||
joined words as a mnemonic sentence.
|
||
|
||
The following table describes the relation between the initial entropy
|
||
length (ENT), the checksum length (CS) and length of the generated
|
||
mnemonic sentence (MS) in words.
|
||
|
||
------------------------------
|
||
CS = ENT / 32
|
||
MS = (ENT + CS) / 11
|
||
|
||
| ENT | CS | ENT+CS | MS |
|
||
+-------+----+--------+------+
|
||
| 128 | 4 | 132 | 12 |
|
||
| 160 | 5 | 165 | 15 |
|
||
| 192 | 6 | 198 | 18 |
|
||
| 224 | 7 | 231 | 21 |
|
||
| 256 | 8 | 264 | 24 |
|
||
------------------------------
|
||
|
||
[[wordlist]]
|
||
Wordlist
|
||
~~~~~~~~
|
||
|
||
An ideal wordlist has the following characteristics:
|
||
|
||
\a) smart selection of words
|
||
|
||
` - wordlist is created in such way that it's enough to type the first four` +
|
||
` letters to unambiguously identify the word`
|
||
|
||
\b) similar words avoided
|
||
|
||
` - word pairs like "build" and "built", "woman" and "women", or "quick" and "quickly"` +
|
||
` not only make remembering the sentence difficult, but are also more error` +
|
||
` prone and more difficult to guess`
|
||
|
||
\c) sorted wordlists
|
||
|
||
` - wordlist is sorted which allows for more efficient lookup of the code words` +
|
||
` (i.e. implementation can use binary search instead of linear search)` +
|
||
` - this also allows trie (prefix tree) to be used, e.g. for better compression`
|
||
|
||
The wordlist can contain native characters, but they have to be encoded
|
||
in UTF-8 using Normalization Form Compatibility Decomposition (NFKD).
|
||
|
||
[[from-mnemonic-to-seed]]
|
||
From mnemonic to seed
|
||
~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
A user may decide to protect their mnemonic by passphrase. If a
|
||
passphrase is not present, an empty string "" is used instead.
|
||
|
||
To create a binary seed from the mnemonic, we use PBKDF2 function with a
|
||
mnemonic sentence (in UTF-8 NFKD) used as a password and string
|
||
"mnemonic" + passphrase (again in UTF-8 NFKD) used as a salt. Iteration
|
||
count is set to 2048 and HMAC-SHA512 is used as a pseudo-random
|
||
function. Desired length of the derived key is 512 bits (= 64 bytes).
|
||
|
||
This seed can be later used to generate deterministic wallets using
|
||
BIP-0032 or similar methods.
|
||
|
||
The conversion of the mnemonic sentence to binary seed is completely
|
||
independent from generating the sentence. This results in rather simple
|
||
code; there are no constraints on sentence structure and clients are
|
||
free to implement their own wordlists or even whole sentence generators,
|
||
allowing for flexibility in wordlists for typo detection or other
|
||
purposes.
|
||
|
||
Although using mnemonic not generated by algorithm described in
|
||
"Generating the mnemonic" section is possible, this is not advised and
|
||
software must compute checksum of the mnemonic sentence using wordlist
|
||
and issue a warning if it is invalid.
|
||
|
||
Described method also provides plausible deniability, because every
|
||
passphrase generates a valid seed (and thus deterministic wallet) but
|
||
only the correct one will make the desired wallet available.
|
||
|
||
[[wordlists]]
|
||
Wordlists
|
||
~~~~~~~~~
|
||
|
||
* link:bip-0039/english.txt[English]
|
||
|
||
[[test-vectors]]
|
||
Test vectors
|
||
~~~~~~~~~~~~
|
||
|
||
See https://github.com/trezor/python-mnemonic/blob/master/vectors.json
|
||
|
||
[[reference-implementation]]
|
||
Reference Implementation
|
||
~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
Reference implementation including wordlists is available from
|
||
|
||
http://github.com/trezor/python-mnemonic
|
||
|
||
[[other-implementations]]
|
||
Other Implementations
|
||
~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
Objective-C - https://github.com/nybex/NYMnemonic
|
||
------------------------------------------------------------
|
||
BIP: BIP-0044
|
||
Title: Multi-Account Hierarchy for Deterministic Wallets
|
||
Authors: Marek Palatinus <slush@satoshilabs.com>
|
||
Pavol Rusnak <stick@satoshilabs.com>
|
||
Status: Draft
|
||
Type: Standards Track
|
||
Created: 2014-04-24
|
||
------------------------------------------------------------
|
||
|
||
[[abstract]]
|
||
Abstract
|
||
~~~~~~~~
|
||
|
||
This BIP defines a logical hierarchy for deterministic wallets based on
|
||
an algorithm described in BIP-0032 (BIP32 from now on) and purpose
|
||
scheme described in BIP-0043 (BIP43 from now on).
|
||
|
||
This BIP is a particular application of BIP43.
|
||
|
||
[[motivation]]
|
||
Motivation
|
||
~~~~~~~~~~
|
||
|
||
The hierarchy proposed in this paper is quite comprehensive. It allows
|
||
the handling of multiple coins, multiple accounts, external and internal
|
||
chains per account and millions of addresses per chain.
|
||
|
||
[[path-levels]]
|
||
Path levels
|
||
~~~~~~~~~~~
|
||
|
||
We define the following 5 levels in BIP32 path:
|
||
|
||
-------------------------------------------------------------
|
||
m / purpose' / coin_type' / account' / change / address_index
|
||
-------------------------------------------------------------
|
||
|
||
Apostrophe in the path indicates that BIP32 hardened derivation is used.
|
||
|
||
Each level has a special meaning, described in the chapters below.
|
||
|
||
[[purpose]]
|
||
Purpose
|
||
^^^^^^^
|
||
|
||
Purpose is a constant set to 44' (or 0x8000002C) following the BIP43
|
||
recommendation. It indicates that the subtree of this node is used
|
||
according to this specification.
|
||
|
||
Hardened derivation is used at this level.
|
||
|
||
[[coin-type]]
|
||
Coin type
|
||
^^^^^^^^^
|
||
|
||
One master node (seed) can be used for unlimited number of independent
|
||
cryptocoins such as Bitcoin, Litecoin or Namecoin. However, sharing the
|
||
same space for various cryptocoins has some disadvantages.
|
||
|
||
This level creates a separate subtree for every cryptocoin, avoiding
|
||
reusing addresses across cryptocoins and improving privacy issues.
|
||
|
||
Coin type is a constant, set for each cryptocoin. Cryptocoin developers
|
||
may ask for registering unused number for their project.
|
||
|
||
The list of already allocated coin types is in the chapter "Registered
|
||
coin types" below.
|
||
|
||
Hardened derivation is used at this level.
|
||
|
||
[[account]]
|
||
Account
|
||
^^^^^^^
|
||
|
||
This level splits the key space into independent user identities, so the
|
||
wallet never mixes the coins across different accounts.
|
||
|
||
Users can use these accounts to organize the funds in the same fashion
|
||
as bank accounts; for donation purposes (where all addresses are
|
||
considered public), for saving purposes, for common expenses etc.
|
||
|
||
Accounts are numbered from index 0 in sequentially increasing manner.
|
||
This number is used as child index in BIP32 derivation.
|
||
|
||
Hardened derivation is used at this level.
|
||
|
||
Software should prevent a creation of an account if a previous account
|
||
does not have a transaction history (meaning none of its addresses have
|
||
been used before).
|
||
|
||
Software needs to discover all used accounts after importing the seed
|
||
from an external source. Such an algorithm is described in "Account
|
||
discovery" chapter.
|
||
|
||
[[change]]
|
||
Change
|
||
^^^^^^
|
||
|
||
Constant 0 is used for external chain and constant 1 for internal chain
|
||
(also known as change addresses). External chain is used for addresses
|
||
that are meant to be visible outside of the wallet (e.g. for receiving
|
||
payments). Internal chain is used for addresses which are not meant to
|
||
be visible outside of the wallet and is used for return transaction
|
||
change.
|
||
|
||
Public derivation is used at this level.
|
||
|
||
[[index]]
|
||
Index
|
||
^^^^^
|
||
|
||
Addresses are numbered from index 0 in sequentially increasing manner.
|
||
This number is used as child index in BIP32 derivation.
|
||
|
||
Public derivation is used at this level.
|
||
|
||
[[account-discovery]]
|
||
Account discovery
|
||
~~~~~~~~~~~~~~~~~
|
||
|
||
When the master seed is imported from an external source the software
|
||
should start to discover the accounts in the following manner:
|
||
|
||
1. derive the first account's node (index = 0)
|
||
2. derive the external chain node of this account
|
||
3. scan addresses of the external chain; respect the gap limit
|
||
described below
|
||
4. if no transactions are found on the external chain, stop discovery
|
||
5. if there are some transactions, increase the account index and go to
|
||
step 1
|
||
|
||
This algorithm is successful because software should disallow creation
|
||
of new accounts if previous one has no transaction history, as described
|
||
in chapter "Account" above.
|
||
|
||
Please note that the algorithm works with the transaction history, not
|
||
account balances, so you can have an account with 0 total coins and the
|
||
algorithm will still continue with discovery.
|
||
|
||
[[address-gap-limit]]
|
||
Address gap limit
|
||
^^^^^^^^^^^^^^^^^
|
||
|
||
Address gap limit is currently set to 20. If the software hits 20 unused
|
||
addresses in a row, it expects there are no used addresses beyond this
|
||
point and stops searching the address chain.
|
||
|
||
Wallet software should warn when the user is trying to exceed the gap
|
||
limit on an external chain by generating a new address.
|
||
|
||
[[registered-coin-types]]
|
||
Registered coin types
|
||
~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
These are the registered coin types for usage in level 2 of BIP44
|
||
described in chapter "Coin type" above.
|
||
|
||
All these constants are used as hardened derivation.
|
||
|
||
[cols=",,",options="header",]
|
||
|==============================
|
||
|index |hexa |coin
|
||
|0 |0x80000000 |Bitcoin
|
||
|1 |0x80000001 |Bitcoin Testnet
|
||
|==============================
|
||
|
||
[[examples]]
|
||
Examples
|
||
~~~~~~~~
|
||
|
||
[cols=",,,,",options="header",]
|
||
|====================================================================
|
||
|coin |account |chain |address |path
|
||
|Bitcoin |first |external |first |m / 44' / 0' / 0' / 0 / 0
|
||
|Bitcoin |first |external |second |m / 44' / 0' / 0' / 0 / 1
|
||
|Bitcoin |first |change |first |m / 44' / 0' / 0' / 1 / 0
|
||
|Bitcoin |first |change |second |m / 44' / 0' / 0' / 1 / 1
|
||
|Bitcoin |second |external |first |m / 44' / 0' / 1' / 0 / 0
|
||
|Bitcoin |second |external |second |m / 44' / 0' / 1' / 0 / 1
|
||
|Bitcoin |second |change |first |m / 44' / 0' / 1' / 1 / 0
|
||
|Bitcoin |second |change |second |m / 44' / 0' / 1' / 1 / 1
|
||
|Bitcoin Testnet |first |external |first |m / 44' / 1' / 0' / 0 / 0
|
||
|Bitcoin Testnet |first |external |second |m / 44' / 1' / 0' / 0 / 1
|
||
|Bitcoin Testnet |first |change |first |m / 44' / 1' / 0' / 1 / 0
|
||
|Bitcoin Testnet |first |change |second |m / 44' / 1' / 0' / 1 / 1
|
||
|Bitcoin Testnet |second |external |first |m / 44' / 1' / 1' / 0 / 0
|
||
|Bitcoin Testnet |second |external |second |m / 44' / 1' / 1' / 0 / 1
|
||
|Bitcoin Testnet |second |change |first |m / 44' / 1' / 1' / 1 / 0
|
||
|Bitcoin Testnet |second |change |second |m / 44' / 1' / 1' / 1 / 1
|
||
|====================================================================
|
||
|
||
[[compatible-wallets]]
|
||
Compatible wallets
|
||
~~~~~~~~~~~~~~~~~~
|
||
|
||
* https://mytrezor.com[myTREZOR web wallet]
|
||
(https://github.com/trezor/webwallet[source])
|
||
|
||
[[reference]]
|
||
Reference
|
||
~~~~~~~~~
|
||
|
||
* link:bip-0032.mediawiki[BIP32 - Hierarchical Deterministic Wallets]
|
||
* link:bip-0043.mediawiki[BIP43 - Purpose Field for Deterministic
|
||
Wallets]
|
||
|
||
--------------------------------------------------
|
||
BIP: 70
|
||
Title: Payment Protocol
|
||
Author: Gavin Andresen <gavinandresen@gmail.com>
|
||
Status: Draft
|
||
Type: Standards Track
|
||
Created: 2013-07-29
|
||
--------------------------------------------------
|
||
|
||
[[abstract]]
|
||
Abstract
|
||
~~~~~~~~
|
||
|
||
This BIP describes a protocol for communication between a merchant and
|
||
their customer, enabling both a better customer experience and better
|
||
security against man-in-the-middle attacks on the payment process.
|
||
|
||
[[motivation]]
|
||
Motivation
|
||
~~~~~~~~~~
|
||
|
||
The current, minimal Bitcoin payment protocol operates as follows:
|
||
|
||
1. Customer adds items to an online shopping basket, and decides to pay
|
||
using Bitcoin.
|
||
2. Merchant generates a unique payment address, associates it with the
|
||
customer's order, and asks the customer to pay.
|
||
3. Customer copies the Bitcoin address from the merchant's web page and
|
||
pastes it into whatever wallet they are using OR follows a bitcoin: link
|
||
and their wallet is launched with the amount to be paid.
|
||
4. Customer authorizes payment to the merchant's address and broadcasts
|
||
the transaction through the Bitcoin p2p network.
|
||
5. Merchant's server detects payment and after sufficient transaction
|
||
confirmations considers the transaction final.
|
||
|
||
This BIP extends the above protocol to support several new features:
|
||
|
||
1. Human-readable, secure payment destinations-- customers will be
|
||
asked to authorize payment to "example.com" instead of an inscrutable,
|
||
34-character bitcoin address.
|
||
2. Secure proof of payment, which the customer can use in case of a
|
||
dispute with the merchant.
|
||
3. Resistance from man-in-the-middle attacks that replace a merchant's
|
||
bitcoin address with an attacker's address before a transaction is
|
||
authorized with a hardware wallet.
|
||
4. Payment received messages, so the customer knows immediately that
|
||
the merchant has received, and has processed (or is processing) their
|
||
payment.
|
||
5. Refund addresses, automatically given to the merchant by the
|
||
customer's wallet software, so merchants do not have to contact
|
||
customers before refunding overpayments or orders that cannot be
|
||
fulfilled for some reason.
|
||
|
||
[[protocol]]
|
||
Protocol
|
||
~~~~~~~~
|
||
|
||
This BIP describes payment protocol messages encoded using Google's
|
||
Protocol Buffers, authenticated using X.509 certificates, and
|
||
communicated over http/https. Future BIPs might extend this payment
|
||
protocol to other encodings, PKI systems, or transport protocols.
|
||
|
||
The payment protocol consists of three messages; PaymentRequest,
|
||
Payment, and PaymentACK, and begins with the customer somehow indicating
|
||
that they are ready to pay and the merchant's server responding with a
|
||
PaymentRequest message:
|
||
|
||
[[messages]]
|
||
Messages
|
||
~~~~~~~~
|
||
|
||
The Protocol Buffers messages are defined in
|
||
link:bip-0070/paymentrequest.proto[paymentrequest.proto].
|
||
|
||
[[output]]
|
||
Output
|
||
^^^^^^
|
||
|
||
Outputs are used in PaymentRequest messages to specify where a payment
|
||
(or part of a payment) should be sent. They are also used in Payment
|
||
messages to specify where a refund should be sent.
|
||
|
||
---------------------------------------------
|
||
message Output {
|
||
optional uint64 amount = 1 [default = 0];
|
||
optional bytes script = 2;
|
||
}
|
||
---------------------------------------------
|
||
|
||
[cols=",",]
|
||
|=======================================================================
|
||
|amount |Number of satoshis (0.00000001 BTC) to be paid
|
||
|
||
|script |a "TxOut" script where payment should be sent. This will
|
||
normally be one of the standard Bitcoin transaction scripts (e.g. pubkey
|
||
OP_CHECKSIG). This is optional to enable future extensions to this
|
||
protocol that derive Outputs from a master public key and the
|
||
PaymentRequest data itself.
|
||
|=======================================================================
|
||
|
||
[[paymentdetailspaymentrequest]]
|
||
PaymentDetails/PaymentRequest
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
Payment requests are split into two messages to support future
|
||
extensibility. The bulk of the information is contained in the
|
||
PaymentDetails message. It is wrapped inside a PaymentRequest message,
|
||
which contains meta-information about the merchant and a digital
|
||
signature.
|
||
|
||
-------------------------------------------------------
|
||
message PaymentDetails {
|
||
optional string network = 1 [default = "main"];
|
||
repeated Output outputs = 2;
|
||
required uint64 time = 3;
|
||
optional uint64 expires = 4;
|
||
optional string memo = 5;
|
||
optional string payment_url = 6;
|
||
optional bytes merchant_data = 7;
|
||
}
|
||
-------------------------------------------------------
|
||
|
||
[cols=",",]
|
||
|=======================================================================
|
||
|network |either "main" for payments on the production Bitcoin network,
|
||
or "test" for payments on test network. If a client receives a
|
||
PaymentRequest for a network it does not support it must reject the
|
||
request.
|
||
|
||
|outputs |one or more outputs where Bitcoins are to be sent. If the sum
|
||
of outputs.amount is zero, the customer will be asked how much to pay,
|
||
and the bitcoin client may choose any or all of the Outputs (if there
|
||
are more than one) for payment. If the sum of outputs.amount is
|
||
non-zero, then the customer will be asked to pay the sum, and the
|
||
payment shall be split among the Outputs with non-zero amounts (if there
|
||
are more than one; Outputs with zero amounts shall be ignored).
|
||
|
||
|time |Unix timestamp (seconds since 1-Jan-1970 UTC) when the
|
||
PaymentRequest was created.
|
||
|
||
|expires |Unix timestamp (UTC) after which the PaymentRequest should be
|
||
considered invalid.
|
||
|
||
|memo |UTF-8 encoded, plain-text (no formatting) note that should be
|
||
displayed to the customer, explaining what this PaymentRequest is for.
|
||
|
||
|payment_url |Secure (usually https) location where a Payment message
|
||
(see below) may be sent to obtain a PaymentACK.
|
||
|
||
|merchant_data |Arbitrary data that may be used by the merchant to
|
||
identify the PaymentRequest. May be omitted if the merchant does not
|
||
need to associate Payments with PaymentRequest or if they associate each
|
||
PaymentRequest with a separate payment address.
|
||
|=======================================================================
|
||
|
||
The payment_url specified in the PaymentDetails should remain valid at
|
||
least until the PaymentDetails expires (or as long as possible if the
|
||
PaymentDetails does not expire). Note that this is irrespective of any
|
||
state change in the underlying payment request; for example cancellation
|
||
of an order should not invalidate the payment_url, as it is important
|
||
that the merchant's server can record mis-payments in order to refund
|
||
the payment.
|
||
|
||
A PaymentRequest is PaymentDetails optionally tied to a merchant's
|
||
identity:
|
||
|
||
------------------------------------------------------------------
|
||
message PaymentRequest {
|
||
optional uint32 payment_details_version = 1 [default = 1];
|
||
optional string pki_type = 2 [default = "none"];
|
||
optional bytes pki_data = 3;
|
||
required bytes serialized_payment_details = 4;
|
||
optional bytes signature = 5;
|
||
}
|
||
------------------------------------------------------------------
|
||
|
||
[cols=",",]
|
||
|=======================================================================
|
||
|payment_details_version |See below for a discussion of
|
||
versioning/upgrading.
|
||
|
||
|pki_type |public-key infrastructure (PKI) system being used to identify
|
||
the merchant. All implementation should support "none", "x509+sha256"
|
||
and "x509+sha1".
|
||
|
||
|pki_data |PKI-system data that identifies the merchant and can be used
|
||
to create a digital signature. In the case of X.509 certificates,
|
||
pki_data contains one or more X.509 certificates (see Certificates
|
||
section below).
|
||
|
||
|serialized_payment_details |A protocol-buffer serialized PaymentDetails
|
||
message.
|
||
|
||
|signature |digital signature over a hash of the protocol buffer
|
||
serialized variation of the PaymentRequest message, with all fields
|
||
serialized in numerical order (all current protocol buffer
|
||
implementations serialize fields in numerical order) and signed using
|
||
the public key in pki_data. Before serialization, the signature field
|
||
must be set to an empty value so that the field is included in the
|
||
signed PaymentRequest hash but contains no data.
|
||
|=======================================================================
|
||
|
||
When a Bitcoin wallet application receives a PaymentRequest, it must
|
||
authorize payment by doing the following:
|
||
|
||
1. Validate the merchant's identity and signature using the PKI system,
|
||
if the pki_type is not "none".
|
||
2. Validate that customer's system unix time (UTC) is before
|
||
PaymentDetails.expires. If it is not, then the payment request must be
|
||
rejected.
|
||
3. Display the merchant's identity and ask the customer if they would
|
||
like to submit payment (e.g. display the "Common Name" in the first
|
||
X.509 certificate).
|
||
|
||
PaymentRequest messages larger than 50,000 bytes should be rejected by
|
||
the wallet application, to mitigate denial-of-service attacks.
|
||
|
||
[[payment]]
|
||
Payment
|
||
^^^^^^^
|
||
|
||
Payment messages are sent after the customer has authorized payment:
|
||
|
||
-----------------------------------------
|
||
message Payment {
|
||
optional bytes merchant_data = 1;
|
||
repeated bytes transactions = 2;
|
||
repeated Output refund_to = 3;
|
||
optional string memo = 4;
|
||
}
|
||
-----------------------------------------
|
||
|
||
[cols=",",]
|
||
|=======================================================================
|
||
|merchant_data |copied from PaymentDetails.merchant_data. Merchants may
|
||
use invoice numbers or any other data they require to match Payments to
|
||
PaymentRequests. Note that malicious clients may modify the
|
||
merchant_data, so should be authenticated in some way (for example,
|
||
signed with a merchant-only key).
|
||
|
||
|transactions |One or more valid, signed Bitcoin transactions that fully
|
||
pay the PaymentRequest
|
||
|
||
|refund_to |One or more outputs where the merchant may return funds, if
|
||
necessary. The merchant may return funds using these outputs for up to 2
|
||
months after the time of the payment request. After that time has
|
||
expired, parties must negotiate if returning of funds becomes necessary.
|
||
|
||
|memo |UTF-8 encoded, plain-text note from the customer to the merchant.
|
||
|=======================================================================
|
||
|
||
If the customer authorizes payment, then the Bitcoin client:
|
||
|
||
1. Creates and signs one or more transactions that satisfy (pay in
|
||
full) PaymentDetails.outputs
|
||
2. Validate that customer's system unix time (UTC) is still before
|
||
PaymentDetails.expires. If it is not, the payment should be cancelled.
|
||
3. Broadcast the transactions on the Bitcoin p2p network.
|
||
4. If PaymentDetails.payment_url is specified, POST a Payment message
|
||
to that URL. The Payment message is serialized and sent as the body of
|
||
the POST request.
|
||
|
||
Errors communicating with the payment_url server should be communicated
|
||
to the user. In the scenario where the merchant's server receives
|
||
multiple identical Payment messages for an individual PaymentRequest, it
|
||
must acknowledge each. The second and further PaymentACK messages sent
|
||
from the merchant's server may vary by memo field to indicate current
|
||
state of the Payment (for example number of confirmations seen on the
|
||
network). This is required in order to ensure that in case of a
|
||
transport level failure during transmission, recovery is possible by the
|
||
Bitcoin client re-sending the Payment message.
|
||
|
||
PaymentDetails.payment_url should be secure against man-in-the-middle
|
||
attacks that might alter Payment.refund_to (if using HTTP, it must be
|
||
TLS-protected).
|
||
|
||
Wallet software sending Payment messages via HTTP must set appropriate
|
||
Content-Type and Accept headers, as specified in BIP 71:
|
||
|
||
-----------------------------------------
|
||
Content-Type: application/bitcoin-payment
|
||
Accept: application/bitcoin-paymentack
|
||
-----------------------------------------
|
||
|
||
When the merchant's server receives the Payment message, it must
|
||
determine whether or not the transactions satisfy conditions of payment.
|
||
If and only if they do, if should broadcast the transaction(s) on the
|
||
Bitcoin p2p network.
|
||
|
||
Payment messages larger than 50,000 bytes should be rejected by the
|
||
merchant's server, to mitigate denial-of-service attacks.
|
||
|
||
[[paymentack]]
|
||
PaymentACK
|
||
^^^^^^^^^^
|
||
|
||
PaymentACK is the final message in the payment protocol; it is sent from
|
||
the merchant's server to the bitcoin wallet in response to a Payment
|
||
message:
|
||
|
||
-------------------------------------
|
||
message PaymentACK {
|
||
required Payment payment = 1;
|
||
optional string memo = 2;
|
||
}
|
||
-------------------------------------
|
||
|
||
[cols=",",]
|
||
|=======================================================================
|
||
|payment |Copy of the Payment message that triggered this PaymentACK.
|
||
Clients may ignore this if they implement another way of associating
|
||
Payments with PaymentACKs.
|
||
|
||
|memo |UTF-8 encoded note that should be displayed to the customer
|
||
giving the status of the transaction (e.g. "Payment of 1 BTC for eleven
|
||
tribbles accepted for processing.")
|
||
|=======================================================================
|
||
|
||
PaymentACK messages larger than 60,000 bytes should be rejected by the
|
||
wallet application, to mitigate denial-of-service attacks. This is
|
||
larger than the limits on Payment and PaymentRequest messages as
|
||
PaymentACK contains a full Payment message within it.
|
||
|
||
[[localization]]
|
||
Localization
|
||
~~~~~~~~~~~~
|
||
|
||
Merchants that support multiple languages should generate
|
||
language-specific PaymentRequests, and either associate the language
|
||
with the request or embed a language tag in the request's merchant_data.
|
||
They should also generate a language-specific PaymentACK based on the
|
||
original request.
|
||
|
||
For example: A greek-speaking customer browsing the Greek version of a
|
||
merchant's website clicks on a "Αγορά τώρα" link, which generates a
|
||
PaymentRequest with merchant_data set to "lang=el&basketId=11252". The
|
||
customer pays, their bitcoin client sends a Payment message, and the
|
||
merchant's website responds with PaymentACK.message "σας ευχαριστούμε".
|
||
|
||
[[certificates]]
|
||
Certificates
|
||
~~~~~~~~~~~~
|
||
|
||
The default PKI system is X.509 certificates (the same system used to
|
||
authenticate web servers). The format of pki_data when pki_type is
|
||
"x509+sha256" or "x509+sha1" is a protocol-buffer-encoded certificate
|
||
chain:
|
||
|
||
---------------------------------------
|
||
message X509Certificates {
|
||
repeated bytes certificate = 1;
|
||
}
|
||
---------------------------------------
|
||
|
||
If pki_type is "x509+sha256", then the PaymentRequest message is hashed
|
||
using the SHA256 algorithm to produce the message digest that is signed.
|
||
If pki_type is "x509+sha1", then the SHA1 algorithm is used.
|
||
|
||
Each certificate is a DER [ITU.X690.1994] PKIX certificate value. The
|
||
certificate containing the public key of the entity that digitally
|
||
signed the PaymentRequest must be the first certificate. This MUST be
|
||
followed by additional certificates, with each subsequent certificate
|
||
being the one used to certify the previous one, up to (but not
|
||
including) a trusted root authority. The trusted root authority MAY be
|
||
included. The recipient must verify the certificate chain according to
|
||
[RFC5280] and reject the PaymentRequest if any validation failure
|
||
occurs.
|
||
|
||
Trusted root certificates may be obtained from the operating system; if
|
||
validation is done on a device without an operating system, the
|
||
http://www.mozilla.org/projects/security/certs/included/index.html[Mozilla
|
||
root store] is recommended.
|
||
|
||
[[extensibility]]
|
||
Extensibility
|
||
~~~~~~~~~~~~~
|
||
|
||
The protocol buffers serialization format is designed to be extensible.
|
||
In particular, new, optional fields can be added to a message and will
|
||
be ignored (but saved/re-transmitted) by old implementations.
|
||
|
||
PaymentDetails messages may be extended with new optional fields and
|
||
still be considered "version 1." Old implementations will be able to
|
||
validate signatures against PaymentRequests containing the new fields,
|
||
but (obviously) will not be able to display whatever information is
|
||
contained in the new, optional fields to the user.
|
||
|
||
If it becomes necessary at some point in the future for merchants to
|
||
produce PaymentRequest messages that are accepted *only* by new
|
||
implementations, they can do so by defining a new PaymentDetails message
|
||
with version=2. Old implementations should let the user know that they
|
||
need to upgrade their software when they get an up-version
|
||
PaymentDetails message.
|
||
|
||
Implementations that need to extend messages in this specification shall
|
||
use tags starting at 1000, and shall update the
|
||
link:bip-0070/extensions.mediawiki[extensions page] via pull-req to
|
||
avoid conflicts with other extensions.
|
||
|
||
[[references]]
|
||
References
|
||
~~~~~~~~~~
|
||
|
||
link:bip-0071.mediawiki[BIP 0071] : Payment Protocol mime types
|
||
|
||
link:bip-0072.mediawiki[BIP 0072] : Payment Protocol bitcoin: URI
|
||
extensions
|
||
|
||
Public-Key Infrastructure (X.509) working group :
|
||
http://datatracker.ietf.org/wg/pkix/charter/
|
||
|
||
Protocol Buffers : https://developers.google.com/protocol-buffers/
|
||
|
||
[[see-also]]
|
||
See Also
|
||
~~~~~~~~
|
||
|
||
Javascript Object Signing and Encryption working group :
|
||
http://datatracker.ietf.org/wg/jose/
|
||
|
||
Wikipedia's page on Invoices: http://en.wikipedia.org/wiki/Invoice
|
||
especially the list of Electronic Invoice standards
|
||
|
||
sipa's payment protocol proposal: https://gist.github.com/1237788
|
||
|
||
ThomasV's "Signed Aliases" proposal : http://ecdsa.org/bitcoin_URIs.html
|
||
|
||
Homomorphic Payment Addresses and the Pay-to-Contract Protocol :
|
||
http://arxiv.org/abs/1212.3257
|
||
--------------------------------------------------
|
||
BIP: 71
|
||
Title: Payment Protocol MIME types
|
||
Author: Gavin Andresen <gavinandresen@gmail.com>
|
||
Status: Draft
|
||
Type: Standards Track
|
||
Created: 2013-07-29
|
||
--------------------------------------------------
|
||
|
||
[[abstract]]
|
||
Abstract
|
||
~~~~~~~~
|
||
|
||
This BIP defines a MIME (RFC 2046) Media Type for Bitcoin payment
|
||
request messages.
|
||
|
||
[[motivation]]
|
||
Motivation
|
||
~~~~~~~~~~
|
||
|
||
Wallet or server software that sends payment protocol messages over
|
||
email or http should follow Internet standards for properly
|
||
encapsulating the messages.
|
||
|
||
[[specification]]
|
||
Specification
|
||
~~~~~~~~~~~~~
|
||
|
||
The Media Type (Content-Type in HTML/email headers) for bitcoin protocol
|
||
messages shall be:
|
||
|
||
[cols=",",]
|
||
|==================================================
|
||
|Message |Type/Subtype
|
||
|PaymentRequest |application/bitcoin-paymentrequest
|
||
|Payment |application/bitcoin-payment
|
||
|PaymentACK |application/bitcoin-paymentack
|
||
|==================================================
|
||
|
||
Payment protocol messages are encoded in binary.
|
||
|
||
[[example]]
|
||
Example
|
||
~~~~~~~
|
||
|
||
A web server generating a PaymentRequest message to initiate the payment
|
||
protocol would precede the binary message data with the following
|
||
headers:
|
||
|
||
------------------------------------------------
|
||
Content-Type: application/bitcoin-paymentrequest
|
||
Content-Transfer-Encoding: binary
|
||
------------------------------------------------
|
||
-----------------------------------------------------
|
||
BIP: 72
|
||
Title: bitcoin: uri extensions for Payment Protocol
|
||
Author: Gavin Andresen <gavinandresen@gmail.com>
|
||
Status: Draft
|
||
Type: Standards Track
|
||
Created: 2013-07-29
|
||
-----------------------------------------------------
|
||
|
||
[[abstract]]
|
||
Abstract
|
||
~~~~~~~~
|
||
|
||
This BIP describes an extension to the bitcoin: URI scheme (BIP 21) to
|
||
support the payment protocol (BIP 70).
|
||
|
||
[[motivation]]
|
||
Motivation
|
||
~~~~~~~~~~
|
||
|
||
Allow users to click on a link in a web page or email to initiate the
|
||
payment protocol, while being backwards-compatible with existing bitcoin
|
||
wallets.
|
||
|
||
[[specification]]
|
||
Specification
|
||
~~~~~~~~~~~~~
|
||
|
||
The bitcoin: URI scheme is extended with an additional, optional "r"
|
||
parameter, whose value is a URL from which a PaymentRequest message
|
||
should be fetched (characters not allowed within the scope of a query
|
||
parameter must be percent-encoded as described in RFC 3986 and
|
||
bip-0021).
|
||
|
||
If the "r" parameter is provided and backwards compatibility is not
|
||
required, then the bitcoin address portion of the URI may be omitted
|
||
(the URI will be of the form: bitcoin:?r=... ).
|
||
|
||
When Bitcoin wallet software that supports this BIP receives a bitcoin:
|
||
URI with a request parameter, it should ignore the bitcoin
|
||
address/amount/label/message in the URI and instead fetch a
|
||
PaymentRequest message and then follow the payment protocol, as
|
||
described in BIP 70.
|
||
|
||
Bitcoin wallets must support fetching PaymentRequests via http and https
|
||
protocols; they may support other protocols. Wallets must include an
|
||
"Accept" HTTP header in HTTP(s) requests (as defined in RFC 2616):
|
||
|
||
------------------------------------------
|
||
Accept: application/bitcoin-paymentrequest
|
||
------------------------------------------
|
||
|
||
If a PaymentRequest cannot be obtained (perhaps the server is
|
||
unavailable), then the customer should be informed that the merchant's
|
||
payment processing system is unavailable. In the case of an HTTP
|
||
request, status codes which are neither success nor error (such as
|
||
redirect) should be handled as outlined in RFC 2616.
|
||
|
||
[[compatibility]]
|
||
Compatibility
|
||
~~~~~~~~~~~~~
|
||
|
||
Wallet software that does not support this BIP will simply ignore the r
|
||
parameter and will initiate a payment to bitcoin address.
|
||
|
||
[[examples]]
|
||
Examples
|
||
~~~~~~~~
|
||
|
||
A backwards-compatible request:
|
||
|
||
------------------------------------------------------------------------------------------------------
|
||
bitcoin:mq7se9wy2egettFxPbmn99cK8v5AFq55Lx?amount=0.11&r=https://merchant.com/pay.php?h%3D2a8628fc2fbe
|
||
------------------------------------------------------------------------------------------------------
|
||
|
||
Non-backwards-compatible equivalent:
|
||
|
||
--------------------------------------------------------
|
||
bitcoin:?r=https://merchant.com/pay.php?h%3D2a8628fc2fbe
|
||
--------------------------------------------------------
|
||
|
||
[[references]]
|
||
References
|
||
~~~~~~~~~~
|
||
|
||
http://www.w3.org/Protocols/rfc2616/rfc2616.html[RFC 2616] : Hypertext
|
||
Transfer Protocol -- HTTP/1.1
|