[cryptography] Bitcoin observation

Seth David Schoen schoen at loyalty.org
Fri Jul 8 02:04:53 EDT 2011

lodewijk andr de la porte writes:

> I honestly don't see how. A transaction has an orgin, which is verified to
> have the coins, and a destination, which is a public key that must have a
> private key. AFAIK every public key has a computable private key
> counterpart.
> But please correct me.

The reason Taral says that you could "create transactions that
transfer money into black holes that are unrecoverable" is that
the destination of a transaction is actually not a public key
but rather a _script_ in a scripting language.  To claim the coins
later, a recipient creates a new transaction that satisfies the
conditions of the script associated with the previous transaction.

The normal case is that each script has the effect of transferring
coins to a public key.


However, this documentation emphasizes that the script can be valid
even if it has a different effect.

  For example, it's possible to create an output that can be claimed
  by anyone without any authorization. It's also possible to require
  that an input be signed by ten different keys, or be redeemable
  with a password instead of a key.

You could equally easily write a script that cannot be executed
successfully, for instance because the condition for claiming its
output would be that 0=1.  (An even simpler case is that the script
just returns false immediately, via OP_RETURN.)  It seems like the
standard Bitcoin client should accept transactions _containing_
such a script as valid (i.e., the script reflects the intention of
the previous owner of some coins and successfully claims the output
of the previous transaction involving those coins), even though the
standard client would not be willing to generate those transactions.

You could think of a transaction as like a machine-readable will,
and the Bitcoin network as like a probate court that happens to
be implemented by a P2P software network.  Prospective heirs can
show up and prove that they have a legitimate claim to some of the
inheritance.  However, since the will is being interpreted by
software, the testator can (rather than the common case of naming
specific heirs) actually implement wacky conditions that are the
stuff of fiction in our world.  For example, "BTC 1700 to the
first person to claim it, provided that 1+1=3".

Unlike a human-operated probate court, the Bitcoin network has no
notion of intestacy or escheat.  If it becomes clear that some coins
can never ever be claimed, well, wasn't that testator odd to do that?

Seth David Schoen <schoen at loyalty.org>      |  No haiku patents
     http://www.loyalty.org/~schoen/        |  means I've no incentive to
  FD9A6AA28193A9F03D4BF4ADC11B36DC9C7DD150  |        -- Don Marti

More information about the cryptography mailing list