One way to create a fidelity bond is to lock up bitcoins in a time-locked address. We can code the taker bots to behave in a way that creates market pressure for maker bot operators to publish fidelity bonds.
These fidelity bonds can be created anonymously by anyone who owns bitcoin. Fidelity bonds are a genuine sacrifice which can't be faked; they can be compared to the proof-of-work which backs bitcoin mining. For a sybil attacker to be successful they would have to lock up a huge value in bitcoin for a long time. I've previously analyzed fidelity bonds for JoinMarket, and using realistic numbers I calculate that such a system would require about BTC (around million USD at today's price) to be locked up for 6 months in time-locked addresses.
This is a huge amount and provides strong sybil resistance.

A second use of fidelity bonds is defending against denial of service. The problem arises because either Alice or Bob must broadcast their funding transaction first; if the other side then halts the protocol, they force Alice or Bob to waste time and miner fees, because the victim has to use the contract transactions to get their money back.
This is a DOS attack. If a malicious CoinSwapper could keep halting the protocol they could stop an honest user from doing a CoinSwap indefinitely. Fidelity bonds solve this by having the fidelity bond holder go second. If the fidelity bond holder halts the protocol then their fidelity bond can be avoided by the user in all later CoinSwaps.
And the malicious CoinSwapper couldn't pack the orderbook with sybils without sacrificing a lot of value in fidelity bonds. As a concrete example, Alice is a taker and Bob is a maker.
Bob publishes a fidelity bond. Alice "goes first" by sending her coins into a 2-of-2 multisig between her and Bob. When Bob sees the transaction is confirmed he broadcasts his own transaction into another 2-of-2 multisig. If Bob is actually malicious and halts the protocol then he will cost Alice some time and money, but Alice will refuse to ever CoinSwap with Bob's fidelity bond again. If DOS becomes a big problem even with fidelity bonds, then it's possible to have Alice request a "DOS proof" from Bob before broadcasting, which is a set of data containing transactions, merkle proofs and signatures which form a contract where Bob promises to broadcast his own transaction if Alice does so first.
The proof will have enough information to convince anyone else that the DOS really happened, meaning that nobody else will ever CoinSwap with Bob's fidelity bond either, or at least that they assign some kind of ban score to lower the probability.
I doubt it will come to this so I haven't expanded the idea much, but there's a longer writeup in the reference.

The original proposal for CoinSwap involved four transactions: two to pay into the multisig addresses and two to pay out.
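The following is an added example, not code from the CoinSwap proposal or from JoinMarket, of how the fidelity bond "time-locked address" described in the section above can be constructed. It assumes the witness script <locktime> OP_CHECKLOCKTIMEVERIFY OP_DROP <pubkey> OP_CHECKSIG wrapped in P2WSH (the text only says "time-locked address"), uses a constructed placeholder public key, and includes just enough of the BIP173 bech32 encoding to produce the address.

```python
# Added example, not from the CoinSwap proposal: how a fidelity bond's
# "time-locked address" can be built.  The script template
#   <locktime> OP_CHECKLOCKTIMEVERIFY OP_DROP <pubkey> OP_CHECKSIG
# wrapped in P2WSH is an assumption (the text only says "time-locked
# address"); the public key used below is a constructed placeholder.
import hashlib

OP_CHECKLOCKTIMEVERIFY, OP_DROP, OP_CHECKSIG = 0xB1, 0x75, 0xAC
LOCKTIME_THRESHOLD = 500_000_000  # below this, nLockTime/CLTV values are block heights


def script_num(n: int) -> bytes:
    """Minimal little-endian script-number encoding (sign bit in the top byte)."""
    if n == 0:
        return b""
    neg, n, out = n < 0, abs(n), bytearray()
    while n:
        out.append(n & 0xFF)
        n >>= 8
    if out[-1] & 0x80:          # top bit already used: append a sign byte
        out.append(0x80 if neg else 0x00)
    elif neg:
        out[-1] |= 0x80
    return bytes(out)


def push(data: bytes) -> bytes:
    """Direct-push opcode; enough for the <= 75-byte items used here."""
    if not 0 < len(data) <= 75:
        raise ValueError("use OP_PUSHDATA for this size")
    return bytes([len(data)]) + data


def locktime_kind(locktime: int) -> str:
    """CLTV only compares like with like: a height lock vs a timestamp lock."""
    return "height" if locktime < LOCKTIME_THRESHOLD else "timestamp"


def fidelity_bond_script(locktime: int, pubkey: bytes) -> bytes:
    """<locktime> OP_CLTV OP_DROP <pubkey> OP_CHECKSIG (the witness script)."""
    if len(pubkey) != 33:
        raise ValueError("expected a compressed public key")
    return (push(script_num(locktime)) + bytes([OP_CHECKLOCKTIMEVERIFY, OP_DROP])
            + push(pubkey) + bytes([OP_CHECKSIG]))


# Just enough bech32 (BIP173) to turn a witness program into an address.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def _polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _to_5bit(data: bytes):
    """Regroup 8-bit bytes into 5-bit symbols, padding the final group."""
    acc = bits = 0
    out = []
    for byte in data:
        acc = ((acc << 8) | byte) & 0xFFF   # keep at most 12 bits pending
        bits += 8
        while bits >= 5:
            bits -= 5
            out.append((acc >> bits) & 31)
    if bits:
        out.append((acc << (5 - bits)) & 31)
    return out


def segwit_v0_address(hrp: str, program: bytes) -> str:
    data = [0] + _to_5bit(program)          # witness version 0, then the program
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    pm = _polymod(hrp_expanded + data + [0] * 6) ^ 1
    checksum = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)


def fidelity_bond_address(locktime: int, pubkey: bytes, hrp: str = "bc") -> str:
    """P2WSH address: bech32(sha256(witness script))."""
    return segwit_v0_address(hrp, hashlib.sha256(fidelity_bond_script(locktime, pubkey)).digest())


if __name__ == "__main__":
    placeholder_pubkey = b"\x02" + bytes(range(1, 33))   # constructed, not a real key
    lock = 1_600_000_000 + 180 * 86400                    # ~6 months after an assumed start time
    print(locktime_kind(lock), fidelity_bond_script(lock, placeholder_pubkey).hex())
    print(fidelity_bond_address(lock, placeholder_pubkey))
```

The caveat encoded in locktime_kind matters for a bond meant to last six months: OP_CHECKLOCKTIMEVERIFY compares a height lock only against a height-type nLockTime in the spending transaction and a timestamp lock only against a timestamp-type one, with 500,000,000 as the boundary, so the lock value and the eventual spend must use the same kind, and anyone verifying another party's bond should check which kind it is before valuing it.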
We can do better than this with private key handover. This is the observation that once the CoinSwap preimage is revealed, Alice and Bob don't have to sign each other's multisig spend; instead they can hand over their private keys to the other party.
The other party then knows both keys of the 2-of-2 multisig and therefore has unilateral control of the coins, although they would still need to watch the chain and respond in case a hash-time-locked contract transaction is broadcast. As well as saving block space, this also improves privacy, because the coins can stay unspent for a long time, potentially indefinitely.
In the original CoinSwap proposal, by contrast, a chain analyst would always see a funding transaction followed closely in time by a settlement transaction, and this could be used as a fingerprint.
A variant using adaptor signatures creates a similar outcome to CoinSwap-with-private-key-handover, but only one party in the CoinSwap must watch and respond to blockchain events until they spend the coin.
The other party just gets unilateral control of their coins without needing to watch and respond.

CoinSwap can be combined with CoinJoin. In the original CoinSwap, Alice might pay into a CoinSwap address with a regular transaction spending several of her own inputs (transaction diagram not reproduced here). This leaks the information that all of those inputs are owned by the same person. We can make this example transaction a CoinJoin by involving Bob's inputs too.
CoinJoin requires interaction, but because Alice and Bob are already interacting to follow the CoinSwap protocol it's not too hard to have them interact a bit more to do a CoinJoin too. The CoinJoin transaction which funds the CoinSwap address would then spend inputs from both of them (diagram not reproduced here). Alice's and Bob's inputs are spent in the same transaction, which breaks the common-input-ownership heuristic.
As with the rest of this design, this protocol does not have any special patterns and so is indistinguishable from any regular bitcoin transaction. There is a catch for Bob's privacy, though: in a plain CoinJoin Alice learns which input is Bob's. So when creating the CoinJoin, Bob doesn't just send his own input but sends many other inputs (perhaps 50 or more) which don't belong to him.
For the protocol to continue Alice must partially sign many CoinJoin transactions, one for each of those inputs, and send them back to Bob. Then Bob can sign the transaction which contains his genuine input and broadcast it. If Alice is actually a malicious spy she won't learn Bob's input for sure, but will only know a set of candidate inputs, the majority of which have nothing to do with Bob.

The way makers and takers currently find each other is subpar for a number of reasons, and we can do better. I propose that there be a small number of volunteer-operated HTTP servers run on Tor hidden services.
They can be called message board servers. Makers are also servers run on hidden services, and to advertise themselves they connect to these message board servers to post their own onion address. To protect from spam, makers must provide a fidelity bond before being allowed to write to the HTTP server.
Takers connect to all these HTTP message boards and download the list of all known maker onion addresses. They connect to each maker's onion to obtain parameters like the offered coinswap fee and maximum coinswap size. This is equivalent to downloading the orderbook in JoinMarket. Once takers have chosen which makers they'll do a CoinSwap with, they communicate with those makers again directly through their onion addresses. These HTTP message board servers can be run quite cheaply, which is required as they'd be volunteer-run.
They shouldn't require much bandwidth or disk space, as they are well-protected from spam with the fidelity bond requirement. The system can also tolerate temporary downtimes so the servers don't need to be too reliable either.
It's easy to imagine the volunteers running them on a Raspberry Pi in their own home. These message board servers are similar in some ways to the DNS seeds used by Bitcoin Core to find its first peers on bitcoin's p2p network.
If the volunteers ever lose interest or disappear, then the community of users could find new volunteer operators and add those URLs to the default list. In order to censor a maker, all the message board servers would have to co-operate to censor him. If censorship were happening on a large scale, for example if the message board servers only displayed sybil makers run by themselves, then takers could also notice a drop in the total value of all fidelity bonds.
CoinSwap and Lightning Network have many similarities, so it's natural to ask why they are different, and why we need a CoinSwap system at all if we already have Lightning. Today we see some centralized exchanges not supporting so-called "privacy altcoins" because of regulatory compliance concerns.
We also see some exchanges frowning upon or blocking CoinJoin transactions they detect. There is some debate over whether the exchanges really blocked transactions because they were CoinJoin, but the principle remains that equal-output CoinJoins are inherently visible as such. It's possible that those exchanges will never adopt Lightning because of its privacy features.
Such a refusal would simply not be possible with CoinSwap, because it is fundamentally an on-chain technology. CoinSwap users pay to bitcoin addresses, not Lightning invoices. Anybody who accepts bitcoin today will accept CoinSwap. And because CoinSwap transactions can be made indistinguishable from regular transactions, it would be very difficult to even determine whether they got paid via a CoinSwap or not.
So CoinSwap is not a replacement for Lightning, instead it is a replacement for on-chain privacy technology such as equal-output CoinJoins which are implemented today in JoinMarket, Wasabi Wallet and Samourai Wallet. Ideally this design, if implemented, would be possible to include into the many already-existing bitcoin wallets, and so the CoinSwaps would be accessible to everyone. This feature of CoinSwap will in turn help Lightning Network, because those censoring exchanges won't be able to stop transactions with undetectable privacy no matter what they do.
When they realize this they'll likely just implement Lightning Network anyway, regardless of its privacy features. Bitcoin needs on-chain privacy as well; otherwise the bad privacy can leak into layer-2 solutions.
Lightning Network cannot support large payment amounts. Liquidity in payment channels on the Lightning network is a scarce resource. Nodes which relay lightning payments always take care that a payment does not exhaust their liquidity. Users of Lightning today must often be aware of inbound liquidity, outbound liquidity and channel rebalancing.
There even exist services today which sell Lightning liquidity. This CoinSwap design solves its liquidity problem in a completely different way. Because of the liquidity market similar to JoinMarket, all the required liquidity is always available. There are never any concerns about exhausting channel capacity or a route not being found, because such liquidity is simply purchased from the liquidity market right before it is used. It is still early days for Lightning, and liquidity has been a known issue since the start.
Many people are confident that the liquidity issue will be improved. Yet it seems hard to imagine that Lightning Network will ever reliably route very large payments to any node in the network (and it doesn't have to, to be successful), whereas on JoinMarket today, as I write these words, there are offers to create CoinJoins with very large amounts.
They do not yet make the Funding Transaction F spendable. Since the Delivery transaction output is just a P2PKH output (bitcoin addresses beginning with 1) or a P2SH output (commonly recognized as addresses beginning with 3) which the counterparties designate beforehand, for simplicity these output addresses will remain the same throughout the channel, since their funds are fully controlled by the designated recipient after the Commitment Transaction enters the blockchain.
Each set of Commitment Transactions uses its own public keys, which are never reused. After both parties know the output values from the Commitment Transactions, both parties create the pair of Commitment Transactions. When both parties have the Revocable Delivery transaction, they exchange signatures for the Commitment Transactions. Note that Commitments older than the prior Commitment are invalidated via penalties.
For example, if Bob wishes to invalidate C1b, he sends Alice his private keys used in C1b (he does NOT disclose his keys used in C1a, as that would permit coin theft). Similarly, Alice discloses to Bob all her private keys for the outputs in C1a to invalidate C1a. If Bob incorrectly broadcasts C1b, then because Alice has all the private keys used in the outputs of C1b, she can take the money. However, only Bob is able to broadcast C1b. To prevent this coin theft risk, Bob should destroy all old Commitment Transactions.
Both parties are able to send as many payments to their counterparty as they wish, as long as they have funds available in the channel, knowing that in the event of disagreements they can broadcast to the blockchain the current state at any time. In the vast majority of cases, all the outputs from the Funding Transaction will never be broadcast on the blockchain.
They are just there in case the other party is non-cooperative, much like how a contract is rarely enforced in the courts.
A proven ability for the contract to be enforced in a deterministic manner is sufficient incentive for both parties to act honestly. When either party wishes to close out a channel cooperatively, they will be able to do so by contacting the other party and spending from the Funding Transaction with an output of the most current Commitment Transaction directly, with no script-encumbering conditions. No further payments may occur in the channel.
Figure: If both counterparties are cooperative, they take the balances in the current Commitment Transaction and spend from the Funding Transaction with an Exercise Settlement Transaction (ES). If the most recent Commitment Transaction gets broadcast instead, the payout less fees will be the same.
The purpose of closing out cooperatively is to reduce the number of transactions that occur on the blockchain, and both parties will be able to receive their funds immediately instead of one party waiting for the Revocable Delivery transaction to become valid. Channels may remain open in perpetuity until the parties decide to cooperatively close out the channel, or until one party does not cooperate with the other and the channel gets closed out and enforced on the blockchain.
By ensuring channels can update only with the consent of both parties, it is possible to construct channels which perpetually exist in the blockchain.
If one party becomes malicious, either party may immediately close out the channel and broadcast the most current state to the blockchain. By using a fidelity bond construction (Revocable Delivery Transactions), if a party violates the terms of the channel, the funds will be sent to the counterparty.
If both parties are cooperative, the channel can remain open indefinitely, possibly for many years. This type of construction is only possible because adjudication occurs programmatically over the blockchain as part of the Bitcoin consensus, so one does not need to trust the other party. A bidirectional payment channel only permits secure transfer of funds inside a channel. To be able to construct secure transfers using a network of channels across multiple hops to the final destination requires an additional construction, a Hashed Timelock Contract (HTLC).
The purpose of an HTLC is to allow for global state across multiple nodes via hashes. This global state is ensured by time commitments and time-based unencumbering of resources via disclosure of preimages. Additionally, this data must be revocable, as one must be able to undo an HTLC. The counterparties in a channel agree to the following terms for a Hashed Timelock Contract:
1. If Bob can produce to Alice an unknown random byte string R whose hash is the known value H, within three days, then Alice will settle the contract by paying Bob the agreed amount.
2. If three days have elapsed, then the above clause is null and void and the clearing process is invalidated; both parties must not attempt to settle and claim payment after three days.
3. Either party may (and should) pay out according to the terms of this contract in any method of the participants' choosing and close out this contract early, so long as both participants in this contract agree.
4. Violation of the above terms will incur a maximum penalty of the funds locked up in this contract, to be paid to the non-violating counterparty as a fidelity bond.
In reality, the HTLC timeout should be defined as a block height. In effect, one desires to construct a payment which is contingent upon knowledge of R by the recipient within a certain timeframe. After this timeframe, the funds are refunded back to the sender. Similar to RSMCs, these contract terms are programmatically enforced on the Bitcoin blockchain and do not require trust in the counterparty to adhere to the contract terms, as all violations are penalized via unilaterally enforced fidelity bonds, which are constructed using penalty transactions spending from commitment states.
If Bob knows R within three days, then he can redeem the funds by broadcasting a transaction; Alice is unable to withhold the funds in any way, because the script returns as valid when the transaction is spent on the Bitcoin blockchain. The second path is redeemed using a 3-day timelocked refund to Alice.
The 3-day timelock is enforced using nLockTime from the spending transaction. Note that there are two possible spends from an HTLC output.
If Bob can produce the preimage R within 3 days then he can redeem path 1. After three days, Alice is able to broadcast path 2. When 3 days have elapsed and R has been disclosed, either transaction may be valid. It is each party's individual responsibility to ensure that they can get their transaction into the blockchain in order to ensure the balances are correct.
Yet this kind of simplistic construction has a similar problem. When an old Commitment Transaction gets broadcast, either party may attempt to steal funds, as both paths may be valid after the fact. For example, if R gets disclosed 1 year later and an incorrect Commitment Transaction gets broadcast, both paths are valid and redeemable by either party; the contract is not yet enforceable on the blockchain.
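As an added illustration, not from the paper, the following Python model evaluates the two spending paths of the HTLC output under the nLockTime rule and shows the race that opens once the timeout has passed. Signatures are modelled by the spender's name, the hash is SHA-256, and "3 days" is taken as 3 * 144 blocks; these are assumptions, not the paper's exact script.

```python
# Added example, not from the paper: a model of the two spending paths of the
# HTLC output described above and of the race that opens once the timeout
# has passed.  Signatures are modelled by the spender's name, the hash is
# SHA-256 and "3 days" is taken as 3 * 144 blocks; all of that is assumed.
import hashlib
from dataclasses import dataclass
from typing import Optional

BLOCKS_PER_DAY = 144


def payment_hash(preimage: bytes) -> bytes:
    return hashlib.sha256(preimage).digest()


@dataclass(frozen=True)
class HTLCOutput:
    amount: int            # satoshis locked in the output
    hash: bytes            # H, published when the HTLC is set up
    recipient: str         # path 1: Bob, who must present R
    sender: str            # path 2: Alice, refunded after the timeout
    expiry_height: int     # absolute height at which the refund path unlocks


@dataclass(frozen=True)
class SpendTx:
    spender: str
    nlocktime: int                    # 0 = no lock; must be >= expiry for path 2
    preimage: Optional[bytes] = None  # present only for path 1


def is_final(tx: SpendTx, next_height: int) -> bool:
    """nLockTime rule: a height lock must be below the block that includes the tx."""
    return tx.nlocktime == 0 or tx.nlocktime < next_height


def spend_is_valid(out: HTLCOutput, tx: SpendTx, next_height: int) -> bool:
    """Would a miner building block `next_height` accept this spend of `out`?"""
    if not is_final(tx, next_height):
        return False
    if tx.preimage is not None:                       # path 1: hashlock
        return tx.spender == out.recipient and payment_hash(tx.preimage) == out.hash
    return tx.spender == out.sender and tx.nlocktime >= out.expiry_height  # path 2


def valid_spenders(out: HTLCOutput, candidates, next_height: int):
    """Names of the parties whose candidate spend would currently be accepted.
    Two names means the output is in a race: first to confirm wins."""
    return [tx.spender for tx in candidates if spend_is_valid(out, tx, next_height)]


def build_scenario(setup_height: int = 1000):
    r = b"constructed preimage R"                 # constructed sample secret
    out = HTLCOutput(amount=10_000_000, hash=payment_hash(r), recipient="Bob",
                     sender="Alice", expiry_height=setup_height + 3 * BLOCKS_PER_DAY)
    bob_claim = SpendTx("Bob", nlocktime=0, preimage=r)
    alice_refund = SpendTx("Alice", nlocktime=out.expiry_height)
    alice_early = SpendTx("Alice", nlocktime=setup_height)  # lock below expiry: never valid
    bob_wrong = SpendTx("Bob", nlocktime=0, preimage=b"guess")
    return out, [bob_claim, alice_refund, alice_early, bob_wrong]


if __name__ == "__main__":
    out, txs = build_scenario()
    for h in (1001, out.expiry_height, out.expiry_height + 1, out.expiry_height + 52_000):
        print(h, valid_spenders(out, txs, h))
```

Before the expiry only Bob's preimage spend is accepted; from the first block after it both candidates are accepted and the output is decided by whichever confirms first, which is the situation the text describes as "either transaction may be valid" and the reason the RSMC-encumbered HTLC that follows settles old state by revocation rather than by timing.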
Closing out the HTLC is absolutely necessary, because in order for Alice to get her refund, she must terminate the contract and receive her refund. Otherwise, when Bob discovers R after 3 days have elapsed, he may be able to steal the funds which should be going to Alice.
To be able to terminate this contract off-chain without a broadcast to the Bitcoin blockchain requires embedding RSMCs in the output, which will have a similar construction to the bidirectional channel.
Figure: If Alice broadcasts C2a, then the left half will execute. If Bob broadcasts C2b, then the right half will execute. Either party may broadcast their Commitment transaction at any time. HTLC Timeout is only valid after 3 days. Prior Commitments and their dependent transactions are not displayed for brevity.
Presume Alice and Bob wish to update their balance in the channel at Commitment 1, and Alice wishes to send part of her balance to Bob. The new Commitment Transaction will have a full refund of the current balance to Alice and Bob (Outputs 0 and 1), with output 2 being the HTLC, which describes the funds in transit. Similar to the bidirectional payment channel, when one party broadcasts their Commitment, payments to the counterparty will be assumed to be valid and not invalidated.
This can occur because when one broadcasts a Commitment Transaction, one is attesting that this is the most recent Commitment Transaction. Note that HTLC transaction names beginning with the letter H will begin with the number 1, whose values do not correlate with Commitment Transactions. This is simply the first HTLC transaction. It assumes that this HTLC has never been terminated off-chain, as Alice is attesting that the broadcast Commitment Transaction is the most recent.
HTRD1a is an RSMC. It cannot enter into the blockchain until 3 days have elapsed. It can be revoked when another transaction supersedes HTRD1a using multisig (PAlice4, PBob4), which does not have any block maturity requirements. HTD1b directly refunds the funds to the original sender, Alice, and is not encumbered in an RSMC.
If 3 days have elapsed, Alice can broadcast HTD1b and take the refund. HERD1b is likewise an RSMC; it can be revoked when another transaction supersedes HERD1b using multisig (PAlice8, PBob8), which does not have any block maturity requirements. If the recipient can prove knowledge of R to the counterparty, the recipient is proving that they are able to immediately close out the channel on the Bitcoin blockchain and receive the funds.
At this point, if both parties wish to keep the channel open, they should terminate the HTLC off-chain and create a new Commitment Transaction reflecting the new balance. The payout will be the same whether C2 or C3 is broadcast at this time. Similarly, if the recipient is not able to prove knowledge of R by disclosing R, both parties should agree to terminate the HTLC and create a new Commitment Transaction with the balance in the HTLC refunded to the sender.
If the counterparties cannot come to an agreement or become otherwise unresponsive, they should close out the channel by broadcasting the necessary channel transactions on the Bitcoin blockchain.
After the private keys are disclosed to the counterparty, if Alice broadcasts C2a, Bob will be able to take all the funds from the HTLC immediately. If either party broadcasts Commitment 2, they will lose all their money to the counterparty. Since both parties are able to prove the current state to each other, they can come to agreement on the current balance inside the channel. Since they may broadcast the current state on the blockchain, they are able to come to agreement on netting out and terminating the HTLC with a new Commitment Transaction.
Alice signs and sends her signature for RD3b and C3b. Bob is willing, after receiving C3b, to close out C2b. At this point Bob should only broadcast C3b and should not broadcast C2b, as he will lose all his money if he does so. Alice is willing, after receiving C3a, to close out C2a. At this point neither party should broadcast Commitment 2; if they do so, their funds will go to the counterparty. When the HTLC has been closed, the funds are updated so that the present balance in the channel is what would have occurred had the HTLC contract been completed and broadcast on the blockchain.
Instead, both parties elect to do off-chain novation and update their payments inside the channel. It is absolutely necessary for both parties to complete off-chain novation within their designated time window. If the counterparty is unwilling to novate or is stalling, then one must broadcast the current channel state, including HTLC transactions, onto the Bitcoin blockchain. If one establishes a contract that the HTLC must be resolved within 1 day, then if the transaction times out Alice must resolve it by day 4 (3 days plus 1), else Alice risks losing funds.
Keys are pre-generated by both parties. Keys are generated in a merkle tree and are very deep within the tree. For instance, Alice pre-generates one million keys, each key being a child of the previous key. Alice allocates which keys to use according to some deterministic manner. For example, she starts with the child deepest in the tree to generate many sub-keys for day 1.
This key is used as a master key for all keys generated on day 1. She gives Bob the address she wishes to use for the next transaction, and discloses the private key to Bob when it becomes invalidated. When Alice discloses to Bob all private keys derived from the day 1 master key and does not wish to continue using that master key, she can disclose the day 1 master key to Bob.
At this point, Bob does not need to store all the keys derived from the day 1 master key. Bob does the same for Alice and gives her his day 1 key. When all Day 2 private keys have been exchanged, for example by day 5, Alice discloses her Day 2 key.
Bob is able to generate the Day 1 key from the Day 2 key, as the Day 1 key is a child of the Day 2 key as well. If a counterparty broadcasts the wrong Commitment Transaction, which private key to use in a transaction to recover funds can either be brute-forced or, if both parties agree, looked up by the sequence id number. This enables participants in a channel to have prior output states (transactions) invalidated by both parties without using much data at all. By disclosing private keys pre-arranged in a merkle tree, it is possible to invalidate millions of old transactions with only a few kilobytes of data per channel.
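The key-disclosure scheme above (each day's master key a child of the next day's, so disclosing a later key lets the counterparty derive and discard every earlier one) is modelled below as an added example that is not the paper's code. It simplifies the merkle-tree description to a single hash chain, and the per-transaction key derivation (HMAC), the "public key" stand-in (a hash of the private key) and Bob's bookkeeping are assumptions chosen to make the storage saving visible; the same disclosure logic is what invalidates old Commitment Transactions in the earlier C1a/C1b discussion.

```python
# Added example, not from the paper: the key-disclosure scheme modelled as a
# hash chain, where each day's master key is the hash of the next day's.
# This is a simplification of the merkle-tree description (one child per
# level); the per-transaction key derivation (HMAC) and the "public key"
# stand-in (a hash of the private key) are assumptions.
import hashlib
import hmac


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def fake_pubkey(privkey: bytes) -> bytes:
    """Stand-in for EC point derivation, so Bob can check a disclosed key."""
    return sha256(b"pub" + privkey)


def tx_key(day_key: bytes, index: int) -> bytes:
    """The index-th per-transaction key of a day, derived from that day's master key."""
    return hmac.new(day_key, index.to_bytes(4, "big"), hashlib.sha256).digest()


class AliceKeys:
    """Alice holds the deepest key; day d's master key is sha256 of day d+1's."""

    def __init__(self, seed: bytes, days: int):
        chain = [seed]                          # chain[0] is the key for the last day
        for _ in range(days - 1):
            chain.append(sha256(chain[-1]))
        self._by_day = list(reversed(chain))    # _by_day[0] is day 1
        self.days = days

    def day_key(self, day: int) -> bytes:
        return self._by_day[day - 1]

    def tx_key(self, day: int, index: int) -> bytes:
        return tx_key(self.day_key(day), index)


class BobStore:
    """What Bob must keep to be able to punish any old state Alice broadcasts."""

    def __init__(self):
        self.expected = {}      # (day, index) -> pubkey Alice committed to
        self.pending = {}       # (day, index) -> disclosed key, day not yet compacted
        self.newest_day = 0     # highest day whose master key has been disclosed
        self.newest_day_key = None

    def note_address(self, day: int, index: int, pubkey: bytes):
        self.expected[(day, index)] = pubkey

    def receive_tx_key(self, day: int, index: int, key: bytes):
        if fake_pubkey(key) != self.expected[(day, index)]:
            raise ValueError("disclosed key does not match the committed address")
        self.pending[(day, index)] = key

    def receive_day_key(self, day: int, key: bytes):
        # Every individually disclosed key of that day must derive from it ...
        for (d, i), k in self.pending.items():
            if d == day and tx_key(key, i) != k:
                raise ValueError("day key inconsistent with earlier disclosures")
        # ... and it must hash down to the day key Bob already holds.
        if self.newest_day_key is not None:
            derived = key
            for _ in range(day - self.newest_day):
                derived = sha256(derived)
            if derived != self.newest_day_key:
                raise ValueError("day key is not an ancestor of the stored chain")
        self.newest_day, self.newest_day_key = day, key
        self.pending = {k: v for k, v in self.pending.items() if k[0] > day}

    def recover_key(self, day: int, index: int) -> bytes:
        """Rebuild any revoked key from the single stored day key."""
        if (day, index) in self.pending:
            return self.pending[(day, index)]
        if day > self.newest_day:
            raise KeyError("that state has not been revoked")
        k = self.newest_day_key
        for _ in range(self.newest_day - day):
            k = sha256(k)
        return tx_key(k, index)

    def storage_bytes(self) -> int:
        return (32 if self.newest_day_key else 0) + 32 * len(self.pending)


def run_example(days: int = 100_000):
    alice = AliceKeys(b"constructed seed, not a real key", days)
    bob = BobStore()
    for day in (1, 2):                              # two days of channel updates
        for i in range(5):
            bob.note_address(day, i, fake_pubkey(alice.tx_key(day, i)))
            bob.receive_tx_key(day, i, alice.tx_key(day, i))   # state i invalidated
        bob.receive_day_key(day, alice.day_key(day))            # compact the day
    return alice, bob
```

After two days of updates Bob stores one 32-byte secret yet can still reconstruct any revoked key from either day, and the consistency checks in receive_day_key are the part a practitioner should not skip: a counterparty who hands over a "day key" that does not reproduce the keys already disclosed, or that does not hash down to the chain already held, is not actually giving up the old states.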
Core channels in the Lightning Network can conduct billions of transactions without a need for significant storage costs. It is possible for each participant to generate different versions of transactions to ascribe blame as to who broadcast the transaction on the blockchain. By having knowledge of who broadcast a transaction and the ability to ascribe blame, a third party service can be used to hold fees in a 2-of-3 multisig escrow.
If one wishes to broadcast the transaction chain instead of agreeing to do a Funding Close or replacement with a new Commitment Transaction, one would communicate with the third party and broadcast the chain to the blockchain.
If the counterparty refuses the notice from the third party to cooperate, the penalty is rewarded to the non-cooperative party. In most instances, participants may be indifferent to the transaction fees in the event of an uncooperative counterparty. One should pick counterparties in the channel who will be cooperative, but is not an absolute necessity for the system to function.
Note that this does not require trust among the rest of the network, and is only relevant for the comparatively minor transaction fees. The less trusted party may just be the one responsible for transaction fees. The Lightning Network fees will likely be significantly lower than blockchain transaction fees. The fees are largely derived from the time-value of locking up funds for a particular route, as well as paying for the chance of channel close on the blockchain.
These should be significantly lower than on-chain transactions, as many transactions on a Lightning Network channel can be settled into one single blockchain transaction. With a sufficiently robust and interconnected network, the fees should asymptotically approach negligibility for many types of transactions. With cheap fees and fast transactions, it will be possible to build scalable micropayments.

Proof of payment can be established as knowledge of the input R to the hash H(R), for a payment of a certain value.
By embedding a clause into the contract between the buyer and seller stating that knowing R is proof of funds sent, the recipient of funds has no incentive to disclose R unless they have certainty that they will receive payment. When the funds eventually get pulled from the buyer by their counterparty in their micropayment channel, R is disclosed as part of that pull of funds. One can design paper legal documents that specify that knowledge or disclosure of R implies fulfillment of payment.
The sender can then arrange a cryptographically signed contract with knowledge of inputs for hashes treated as fulfillment of the paper contract before payment occurs.
By having a micropayment channel with contracts encumbered by hashlocks and timelocks, it is possible to clear transactions over a multi-hop payment network using a series of decrementing timelocks without additional central clearinghouses.
Traditionally, financial markets clear transactions by transferring the obligation for delivery at a central point and settle by transferring ownership through this central hub. As Bitcoin enables programmatic money, it is possible to create transactions without contacting a central clearinghouse. Transactions can execute off-chain with no third party which collects all funds before disbursing it — only transactions with uncooperative channel counterparties become automatically adjudicated on the blockchain.
The obligation to deliver funds to an end-recipient is achieved through a process of chained delegation. Each participant along the path assumes the obligation to deliver to a particular recipient. Each participant passes on this obligation to the next participant in the path.
The obligation of each subsequent participant along the path, defined in their respective HTLCs, has a shorter time to completion compared to the prior participant. This way each participant is sure that they will be able to claim funds when the obligation is sent along the path. Presume Alice wishes to send a payment to Dave.
She locates a route through Bob and Carol. The transfer path would be Alice to Bob to Carol to Dave. Alice then counts the number of hops until the recipient and uses that as the HTLC expiry.
In this case, she sets the HTLC expiry at 3 days: Alice's HTLC to Bob expires in 3 days, Bob's to Carol in 2 days, and Carol's to Dave in 1 day. Dave is now free to disclose R to Carol, and both parties will likely agree to immediate settlement via novation with a replacement Commitment Transaction.
This then occurs step-by-step back to Alice. Note that this occurs off-chain, and nothing is broadcast to the blockchain when all parties are cooperative.
Decrementing timelocks are used so that all parties along the path know that the disclosure of R will allow the disclosing party to pull funds, since they will at worst be pulling funds after the date whereby they must receive R.
If Dave discloses R after 1 day, then he will not be able to pull funds from Carol. In the event that R gets disclosed to the participants halfway through expiry along the path, the sender will be able to know R, so due to Pay to Contract the payment will have been fulfilled even though the receiver did not receive the funds. Therefore, the receiver must never disclose R unless they have received an HTLC from their channel counterparty; they are then guaranteed to receive payment from one of their channel counterparties upon disclosure of the preimage.
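The route Alice to Bob to Carol to Dave with decrementing expiries is simulated below as an added example that is not the paper's code. The balances, the 100,000-satoshi amount and the preimage are constructed (the page's BTC figures are elided), fees and on-chain enforcement are out of scope, and "day" is just a number; the three scenarios are the cooperative payment, a stalling Carol, and Dave disclosing R after his 1-day expiry.

```python
# Added example, not from the paper: a toy simulation of the route
# Alice -> Bob -> Carol -> Dave with decrementing HTLC expiries (3, 2, 1
# days).  Balances, the 100_000-satoshi amount and the preimage are
# constructed (the page's BTC figures are elided); fees and on-chain
# enforcement are out of scope, and "day" is just a number.
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def payment_hash(preimage: bytes) -> bytes:
    return hashlib.sha256(preimage).digest()


@dataclass
class HTLC:
    offerer: str
    receiver: str
    amount: int
    hash: bytes
    expiry_day: float
    state: str = "open"          # open | settled | refunded


class Channel:
    def __init__(self, a: str, b: str, bal_a: int, bal_b: int):
        self.balance = {a: bal_a, b: bal_b}
        self.htlcs: List[HTLC] = []

    def counterparty(self, who: str) -> str:
        return next(p for p in self.balance if p != who)

    def offer(self, offerer: str, amount: int, h: bytes, expiry_day: float) -> HTLC:
        """Move funds from the offerer's balance into an in-flight HTLC output."""
        if self.balance[offerer] < amount:
            raise ValueError("insufficient outbound liquidity")
        self.balance[offerer] -= amount
        htlc = HTLC(offerer, self.counterparty(offerer), amount, h, expiry_day)
        self.htlcs.append(htlc)
        return htlc

    def settle(self, htlc: HTLC, preimage: bytes, now: float) -> bool:
        """Receiver pulls the funds by presenting R no later than the expiry."""
        if htlc.state != "open" or now > htlc.expiry_day or payment_hash(preimage) != htlc.hash:
            return False
        htlc.state = "settled"
        self.balance[htlc.receiver] += htlc.amount
        return True

    def refund(self, htlc: HTLC, now: float) -> bool:
        """After expiry the offerer takes the funds back."""
        if htlc.state != "open" or now <= htlc.expiry_day:
            return False
        htlc.state = "refunded"
        self.balance[htlc.offerer] += htlc.amount
        return True


Network = Dict[Tuple[str, str], Channel]


def make_network() -> Network:
    return {("Alice", "Bob"): Channel("Alice", "Bob", 500_000, 500_000),
            ("Bob", "Carol"): Channel("Bob", "Carol", 500_000, 500_000),
            ("Carol", "Dave"): Channel("Carol", "Dave", 500_000, 500_000)}


def route_payment(net: Network, path: List[str], amount: int, h: bytes,
                  now: float, stalls_at: Optional[str] = None) -> List[HTLC]:
    """Each hop offers an HTLC to the next with one day less to live."""
    hops = len(path) - 1
    htlcs = []
    for i in range(hops):
        offerer, receiver = path[i], path[i + 1]
        if offerer == stalls_at:                 # uncooperative node never forwards
            break
        htlcs.append(net[(offerer, receiver)].offer(offerer, amount, h, now + hops - i))
    return htlcs


def disclose_preimage(net: Network, htlcs: List[HTLC], preimage: bytes, now: float) -> List[bool]:
    """Once R is known it propagates upstream; each hop pulls if still in time."""
    return [net[(x.offerer, x.receiver)].settle(x, preimage, now) for x in reversed(htlcs)]


def expire_all(net: Network, htlcs: List[HTLC], now: float) -> int:
    return sum(net[(x.offerer, x.receiver)].refund(x, now) for x in htlcs)


def totals(net: Network) -> Dict[str, int]:
    out: Dict[str, int] = {}
    for ch in net.values():
        for party, bal in ch.balance.items():
            out[party] = out.get(party, 0) + bal
    return out


def scenario(dave_discloses_on: Optional[float] = None, stalls_at: Optional[str] = None) -> Dict[str, int]:
    r = b"constructed preimage R"
    net = make_network()
    htlcs = route_payment(net, ["Alice", "Bob", "Carol", "Dave"], 100_000, payment_hash(r), 0.0, stalls_at)
    if dave_discloses_on is not None and len(htlcs) == 3:
        disclose_preimage(net, htlcs, r, dave_discloses_on)
    expire_all(net, htlcs, 3.5)            # whatever is still open times out
    return totals(net)
```

In the cooperative run Dave discloses on day 0.5 and every hop settles; when Carol stalls, nothing reaches Dave, he never discloses, and the two outstanding HTLCs refund so no one loses anything; when Dave discloses on day 1.5, Carol's HTLC to him has already expired and refunds to Carol, but Carol, who now knows R, still pulls from Bob (expiry day 2) and Bob from Alice (day 3), so Alice has paid and Dave has nothing, which is exactly why the text says the receiver's own timelock is the binding one and R must be disclosed before it.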
In the event a party outright disconnects, the counterparty will be responsible for broadcasting the current Commitment Transaction state in the channel to the blockchain. Only the failed non-responsive channel state gets closed out on the blockchain, all other channels should continue to update their Commitment Transactions via novation inside the channel. Therefore, counterparty risk for transaction fees are only exposed to direct channel counterparties.
If a node along the path decides to become unresponsive, the participants not directly connected to that node suffer only decreased timevalue of their funds by not conducting early settlement before the HTLC close.
Figure: Only the non-responsive channels get broadcast on the blockchain; all others are settled off-chain via novation. It is preferable to use a small payment per HTLC. One should not use an extremely high payment, in case the payment does not fully route to its destination. If the payment does not reach its destination and one of the participants along the path is uncooperative, it is possible that the sender must wait until the expiry before receiving a refund.
Delivery may be lossy, similar to packets on the internet, but the network cannot outright steal funds in transit. A tradeoff exists between locking up transaction fees on each hop versus the desire to use as small a transaction amount as possible the latter of which may incur higher total fees. Smaller transfers with more intermediaries imply a higher percentage paid as Lightning Network fees to the intermediaries. If a transaction fails to reach its final destination, the receiver should send an equal payment to the sender with the same hash, but not disclose R.
This will net out the disclosure of the hash for the sender, but may not for the receiver. The receiver, who generated the hash, should discard R and never broadcast it. If one channel along the path cannot be contacted, then the channels may elect to wait until the path expires, which all participants Figure Dave creates a path back to Alice after Alice fails to send funds to Dave, because Carol is uncooperative.
The input R from hash R is never brodcast by Dave, because Carol did not complete her actions. If R was broadcast, Alice will break-even. Dave, who controls R should never broadcast R because he may not receive funds from Carol, he should let the contracts expire.
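The routing behaviour described above (a hop that halts during setup, a hop that stalls after being paid, and a receiver who withholds R so that everything expires and refunds) is easiest to see in code. The following is an added example, not code from the Lightning paper or any implementation: it models each hop's HTLC as a small object with a hashlock and an expiry, uses a constructed block-height clock, omits hop fees, and assumes expiries that shrink by a fixed delta towards the receiver (the standard arrangement, so that an intermediary paid downstream still has time to claim upstream).

```python
import hashlib
import secrets
from dataclasses import dataclass


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


@dataclass
class HTLC:
    """One hop's hashed time-locked contract: `amount` offered by `sender` to
    `receiver`, claimable with the preimage R of `hashlock` before `expiry`,
    refundable to the sender once the clock (a constructed block height)
    reaches `expiry`."""
    sender: str
    receiver: str
    amount: int
    hashlock: bytes
    expiry: int
    state: str = "open"          # open | claimed | refunded

    def claim(self, preimage: bytes, now: int) -> bool:
        if self.state != "open" or now >= self.expiry:
            return False
        if sha256(preimage) != self.hashlock:
            return False
        self.state = "claimed"
        return True

    def refund(self, now: int) -> bool:
        if self.state != "open" or now < self.expiry:
            return False
        self.state = "refunded"
        return True


def run_payment(path, amount, behaviour, final_expiry=100, delta=10):
    """Route `amount` along `path`. `behaviour[node]` is "ok" (default),
    "no_forward" (node stops responding during setup) or "no_claim" (node
    never pulls its own payment upstream; for the last node this means it
    withholds R). Returns the net balance change per participant and each
    created hop's final state."""
    preimage = secrets.token_bytes(32)      # R, generated by the receiver
    hashlock = sha256(preimage)             # H, handed to the sender
    hops = []
    # Expiries shrink towards the receiver so that every intermediary, once
    # paid downstream, still has `delta` blocks to claim upstream (assumption).
    expiry = final_expiry + delta * (len(path) - 2)
    for a, b in zip(path, path[1:]):
        if behaviour.get(a, "ok") == "no_forward":
            break                           # a halts: no later hop is created
        hops.append(HTLC(a, b, amount, hashlock, expiry))
        expiry -= delta
    now = 0
    if hops and hops[-1].receiver == path[-1]:
        # The offer reached the receiver: he reveals R and each hop's receiver
        # claims in turn, passing R backwards along the path.
        for h in reversed(hops):
            if behaviour.get(h.receiver, "ok") == "no_claim":
                break
            assert h.claim(preimage, now)
    # Whatever is still open is refunded to its sender once it expires.
    now = final_expiry + delta * len(path)
    for h in hops:
        h.refund(now)
    balances = {p: 0 for p in path}
    for h in hops:
        if h.state == "claimed":
            balances[h.sender] -= h.amount
            balances[h.receiver] += h.amount
    return balances, [h.state for h in hops]


if __name__ == "__main__":
    route = ["Alice", "Bob", "Carol", "Dave"]
    print(run_payment(route, 1000, {}))
    print(run_payment(route, 1000, {"Carol": "no_forward"}))
    print(run_payment(route, 1000, {"Carol": "no_claim"}))
```

With everyone cooperating, only Alice and Dave change balance. If Carol halts during setup, Dave never sees an offer, R is never revealed, and the two HTLCs that were created refund at expiry: nobody loses anything except time-value. If Carol forwards but then stalls instead of claiming from Bob, she alone bears the loss, which is the sense in which the network cannot steal funds in transit.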
Alice and Bob also have the option to net out and close the contract early in this diagram. If the refund route is the same as the payment route, and there are no half-signed contracts whereby one party may be able to steal funds, it is possible to outright cancel the payment by replacing it with a new Commitment Transaction, starting with the most recent node who participated in the HTLC.
This creates a time-value-of-money market for disclosing preimages of hashes on the Lightning Network. Participants may specialize in high connectivity between nodes and offer to offload contract hashlocks from other nodes for a fee. These participants agree to payments which net out to zero plus fees, but are in effect loaning bitcoins for a set time period. Most likely, the entities with low demand for channel resources will be end-users who are already connected to multiple well-connected nodes.
When an end-user connects to a node, the node may ask the client, for a fee, to lock up funds for several days in another channel the client has established. This can be achieved by having the new transactions require, in addition to the existing hash, a new hash Y from input Y, which may be generated by any participant but must be disclosed only after a full circle is established.
The new participant has the same responsibility as well as the same timelocks. It is also possible that one new participant replaces multiple hops.
Figure: Erin is connected to both Bob and Dave. If Bob wishes to free up his channel with Carol, because that channel is active and very profitable, Bob can offload the payment to Dave via Erin. Since Erin has extra bitcoin available, she can collect a fee for offloading the channel between Bob and Carol as well as between Carol and Dave. Payment then occurs on the path involving Erin. The payments shown as red dashed lines are netted out to zero and settled via a new Commitment Transaction.
It is theoretically possible to build a routing table implicitly by observing 2-of-2 multisig outputs on the blockchain. Note, however, that this is not feasible with pay-to-script-hash outputs, whose script is not visible until they are spent; routes can instead be resolved out-of-band from the bitcoin protocol via a third-party routing service.
Building a routing table will become necessary for large operators, much as with BGP or Cjdns. Eventually, with optimizations, the network will look a lot like the correspondent banking network, or Tier-1 ISPs.
Similar to how packets still reach their destination over your home network connection, not all participants need to have a full routing table. Node discovery can occur along the edges by pre-selecting and offering partial routes to well-known nodes.
Lightning Network fees, which differ from blockchain fees, are paid directly between participants within the channel. The fees pay for the time-value of money of consuming the channel for a determined maximum period of time, and for the counterparty risk of non-communication.
Each participant, or node, in the network stores the transaction ledger as a linked chain of blocks, called the Bitcoin blockchain. Each block in the chain stores a set of transactions that have been validated.
When a new block is added to the chain at any node, that block is broadcast to all other nodes in the network, who in turn check its validity and then append it to their own chain.
In order for any node to add a new block to the blockchain, a large amount of computation, or work, needs to be performed. Note that this work does not itself prove the transactions in the block valid; every node checks those independently. What it does is make the block expensive to produce: it takes considerable computation for a node to find a valid block, but once found, it is trivial for any other node to check that proof.
The process of adding a new block to the blockchain is called mining. The easiest way to think about it is to picture this process as a game. Every node in the network has a replicated copy of the transaction ledger, stored as a blockchain.
As time passes, new transactions are broadcast to the nodes in the network, such as when Alice sends some money to Bob, or Bob sends some money to Eve. As these transactions occur, each mining node competes against the others to find a solution to a specific problem that will allow it to generate a new block.
Whichever node finds the solution first broadcasts it, is declared the winner, and the game repeats with the next set of transactions. Because the solution is difficult to find and requires a large amount of computation, why would these nodes spend their time trying to solve it? Well, just like a game, the winner receives a prize.
In this case, whoever solves the problem first is paid two separate amounts of bitcoin. The first is the sum of the transaction fees of the transactions included in the new block. These fees are the differences between the inputs of a transaction and its outputs, for example the missing satoshis per transaction that we identified in figure 1.
These fees act as an incentive for the miners, and because a miner can choose which transactions to include in the new block, it will naturally choose the transactions paying the highest fees (in practice, the highest fee per byte of block space). The second amount the winning miner receives is a pre-defined amount of newly created bitcoin.
Just as when a central bank prints new coins and notes, the Bitcoin network creates new bitcoins whenever a block is added to the blockchain. The amount created for each new block depends on the number of blocks in the blockchain. At the time of writing this amount is 25 BTC, but it halves every 210,000 blocks. By halving the amount of newly generated bitcoin at these intervals, the protocol imposes a fundamental limit on the total number of bitcoins that will ever be produced, around 21 million.
This imposed limit is why Bitcoin is often described as a deflationary currency. The process of mining can therefore be considered a game of rounds, where in each round a new block is generated, validating a set of transactions and rewarding the winner.
Because of the competitive nature of this game, you might try to think of ways of beating it, or increasing your chances of winning. One way might be to throw more and more computing power at the problem. This is where the ingenuity of the Bitcoin network begins to reveal itself. The difficulty of the challenge to solve for each block is dynamic and continuously adapts to the power of the miners. The network tries to keep the difficulty at a level that limits the generation of new blocks to around one every 10 minutes.
This allows it to control the rate at which new coins are generated and the blockchain grows. It does so by monitoring the speed at which new blocks are generated and, every 2016 blocks, either increasing or decreasing the difficulty depending on how the miners coped.
The challenge that miners need to solve in order to generate a new block is to repeatedly hash the header of the candidate block, changing a nonce field each time, until the resulting hash is less than or equal to a target shared by the whole network.
Hashing is a cryptographic one-way function that is designed to be irreversible. The idea is to take some input, a string or a message, and apply a function to it in order to generate a fixed-length output string, or hash. The function is designed in such a way that you cannot derive the original input from the output hash. The hashing algorithm used by the bitcoin network is SHA-256, which for an input of any length produces a 256-bit (32-byte, 64 hexadecimal character) hash; Bitcoin applies it twice to the block header.
The network varies the difficulty of the challenge by increasing or decreasing the target. One great property of this challenge is that there is no known shortcut for selecting which nonce to use when hashing the block header, so finding a solution is a matter of luck. The only real approach to solving the challenge is to repeatedly calculate a new hash, brute-forcing the possible inputs, until you get lucky.
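The mechanics of the three preceding paragraphs (serialising the 80-byte header, double-SHA-256 hashing it, brute-forcing the nonce against the target, and the periodic retarget) fit in a short script. This is an added example, not code from the text or from the reference client; it follows the real header layout and the real compact `bits` encoding of the target, and the retarget function implements the rule as stated (scale by actual over expected time, clamped to a factor of four) without the reference client's off-by-one in the measured timespan. `block_work` is included because the amount of work a block represents is what nodes later compare when choosing between competing chains.

```python
import hashlib
import struct


def dsha256(b: bytes) -> bytes:
    """Bitcoin's hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def bits_to_target(bits: int) -> int:
    """Decode the compact 'bits' field: 1-byte exponent, 3-byte mantissa."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def target_to_bits(target: int) -> int:
    size = (target.bit_length() + 7) // 8
    mantissa = target << (8 * (3 - size)) if size <= 3 else target >> (8 * (size - 3))
    if mantissa & 0x00800000:          # keep the sign bit clear
        mantissa >>= 8
        size += 1
    return (size << 24) | mantissa


MAX_TARGET = bits_to_target(0x1D00FFFF)    # difficulty 1, the genesis target


def serialize_header(version, prev_hash, merkle_root, timestamp, bits, nonce) -> bytes:
    """80-byte header. Hashes are passed in display (big-endian hex) order and
    stored reversed; integers are little-endian, as on the wire."""
    return (struct.pack("<I", version) + prev_hash[::-1] + merkle_root[::-1]
            + struct.pack("<III", timestamp, bits, nonce))


def header_hash(header: bytes) -> int:
    """Hash as the integer that is compared with the target."""
    return int.from_bytes(dsha256(header), "little")


def mine(version, prev_hash, merkle_root, timestamp, bits, max_nonce=1 << 32):
    """Brute-force the nonce until dSHA256(header) <= target.
    Returns (nonce, header), or (None, None) if the nonce space is exhausted
    (real miners then change the timestamp or the coinbase, which alters the
    Merkle root, and start over)."""
    target = bits_to_target(bits)
    for nonce in range(max_nonce):
        header = serialize_header(version, prev_hash, merkle_root, timestamp, bits, nonce)
        if header_hash(header) <= target:
            return nonce, header
    return None, None


def retarget(old_bits, actual_timespan, expected=2016 * 600):
    """Difficulty adjustment after each 2016-block window: scale the target by
    actual/expected time, clamped to a factor of 4 either way and never
    easier than MAX_TARGET."""
    span = min(max(actual_timespan, expected // 4), expected * 4)
    new_target = min(bits_to_target(old_bits) * span // expected, MAX_TARGET)
    return target_to_bits(new_target)


def difficulty(bits) -> float:
    return MAX_TARGET / bits_to_target(bits)


def block_work(bits) -> int:
    """Expected number of hashes to find a block at this target."""
    return (1 << 256) // (bits_to_target(bits) + 1)


if __name__ == "__main__":
    # Genesis block, checked against its well-known hash.
    merkle = bytes.fromhex("4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b")
    hdr = serialize_header(1, bytes(32), merkle, 1231006505, 0x1D00FFFF, 2083236893)
    print(hex(header_hash(hdr)))
    # A constructed easy target so the search finishes quickly in pure Python.
    nonce, _ = mine(1, bytes(32), merkle, 1231006505, 0x2000FFFF)
    print("nonce", nonce, "difficulty", difficulty(0x2000FFFF))
    print(hex(retarget(0x1D00FFFF, 2016 * 300)))   # blocks came twice too fast
```

Run against the genesis header, `header_hash` reproduces the famous hash beginning with ten zero hex digits, which is below `MAX_TARGET`. The clamp in `retarget` is what stops a single window from swinging difficulty by more than 4x in either direction, a protection against sudden hash-rate changes.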
At the time of writing, the combined power of the network, measured in hashes computed per second, illustrates just how powerful the network has grown to become. Figure 2 shows the network's combined power in billions of hashes per second, called the hash-rate, plotted against time for the past two years. From this graph we can see that the hash-rate of the combined Bitcoin network has nearly quadrupled in the past six months.
Figure 2: The combined power of the Bitcoin network measured in hashes per second
When we consider the nature of the challenge that miners are required to solve in order to mine a block, we see that the challenge is also ideal with respect to the number of transactions per block.
As the network enforces no minimum or maximum number of transactions per mined block, only a limit on block size, one might think that the challenge would be easier to solve with fewer transactions in the block. This is not the case. As mentioned above, the challenge is to hash the block header with some nonce. Because the block header commits to the transactions only through the root of a structure called a Merkle tree, the difficulty of the problem does not depend on the number of transactions per block.
Because of this, it makes sense for miners to include as many transactions per block as possible, collecting the additional transaction fees at no increased difficulty.
Likewise, during its infancy, when there were not that many transactions occurring regularly on the network, the ability to mine blocks without needing transactions was an incentive for miners to invest their computation power in order to keep the network running.
With the public transaction ledger replicated across every node in the network, one might ask what happens if two nodes disagree, for example if two nodes successfully mine different blocks at exactly the same time and broadcast them across the network.
In order to answer that it is necessary to understand exactly how the chain is built and what we mean when we say two blocks are chained together. As mentioned in the previous section, in order to solve a block a miner needs to find an appropriate hash for the header of the block. The header of a block depends on the transactions in the block, via a Merkle tree, as well as on the hash of the header of the previous block. To illustrate this point take a look at figure 3.
Figure 3: Block chaining
In this diagram we can see three block headers represented by big boxes labelled Block 1 Header, Block 2 Header and Block 3 Header. These block headers correspond to consecutive blocks in the blockchain.
If we look at the Block 2 Header, we can see that it contains the hash of the Block 1 Header in its previous-block field. It also contains the root of the Merkle tree representing the transactions in block 2.
This structure is identical for all the blocks in the blockchain right down to the beginning of the chain, where the very first block, called the genesis block, was created. The way in which these blocks are chained together has some important and surprising implications. The first is that the solution to each block relies on the solution to the previous block, meaning that it is impossible to solve blocks out of order.
This requirement enforces the sequential generation of blocks, and the implications of that are actually very strong. We know that the average time taken to solve a single block is around 10 minutes; it therefore follows that the longer the blockchain, the more time and computational resource has been invested in it. For example, imagine that someone wanted to attack the blockchain shown in figure 3 by removing the details of a single transaction from block 1.
If they applied this change, they would need to update the Merkle root in the block, as the Merkle tree is calculated from the transactions in the block. Likewise, because that changes the contents of the first block header itself, they would need to re-solve the challenge issued by the network, as the output hash changes whenever the input block header changes. This changes the solution of the first block.
Now because the solution to the second block in the chain depends on the solution to the first block, the solution to the second block would also need to be recalculated, thereby affecting the solution to the third block, and so on. This cascade causes every single block after the modified block to change.
This is a powerful property, because it means that if you insert a piece of information into a block in the blockchain, every subsequent block added to that chain increases the amount of work that would need to be redone in order for someone to corrupt that piece of information. This feature is called proof of work and is the way in which the network generates trust. We will revisit this property later.
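The cascade just described can be demonstrated directly: build a small chain in which each header commits to its transactions through a Merkle root and to its predecessor through the previous hash, then edit a transaction in an early block and see where validation fails. This is an added example, not code from the text; the header is reduced to the two fields that matter for chaining (version, time, bits and nonce are left out, and no proof of work is computed), the Merkle construction is Bitcoin's (pairwise double-SHA-256 with the last element of an odd level duplicated), and the transactions are constructed byte strings rather than real serialised transactions.

```python
import hashlib


def dsha256(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def merkle_root(txids):
    """Bitcoin's Merkle root: hash pairs level by level, duplicating the last
    element of an odd-length level, until one hash remains."""
    if not txids:
        raise ValueError("a block needs at least one transaction")
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


class Block:
    """Header reduced to the two fields that chain blocks together."""

    def __init__(self, prev_hash: bytes, txs):
        self.prev_hash = prev_hash
        self.txs = list(txs)                      # constructed, not real txs
        self.merkle_root = merkle_root([dsha256(t) for t in self.txs])

    def hash(self) -> bytes:
        return dsha256(self.prev_hash + self.merkle_root)


def build_chain(blocks_txs):
    chain, prev = [], bytes(32)                   # genesis links to all-zero
    for txs in blocks_txs:
        b = Block(prev, txs)
        chain.append(b)
        prev = b.hash()
    return chain


def first_invalid(chain):
    """Index of the first block whose Merkle root no longer matches its
    transactions or whose prev_hash no longer matches its predecessor's hash;
    None if the whole chain is consistent."""
    prev = bytes(32)
    for i, b in enumerate(chain):
        if b.prev_hash != prev:
            return i
        if merkle_root([dsha256(t) for t in b.txs]) != b.merkle_root:
            return i
        prev = b.hash()
    return None


def tamper(chain, index, new_txs, recompute_root=False):
    """Attacker edits block `index`. Without recomputing the root the edited
    block itself fails; recomputing it changes that block's hash, so the link
    from block index+1 fails instead. Either way honest nodes reject the chain
    unless every later block is rebuilt (and, in Bitcoin, re-mined)."""
    chain[index].txs = list(new_txs)
    if recompute_root:
        chain[index].merkle_root = merkle_root([dsha256(t) for t in new_txs])
    return first_invalid(chain)


if __name__ == "__main__":
    sample = [[b"coinbase 1", b"alice->bob 5"],
              [b"coinbase 2", b"bob->eve 2", b"eve->alice 1"],
              [b"coinbase 3"]]
    print(first_invalid(build_chain(sample)))
    print(tamper(build_chain(sample), 0, [b"coinbase 1"]))
    print(tamper(build_chain(sample), 0, [b"coinbase 1"], recompute_root=True))
```

Removing `alice->bob 5` from block 1 breaks block 1's own Merkle root; fixing the root moves the break to block 2's previous-hash link, and so on down the chain. Every block the attacker has to rebuild is a block whose proof of work they would also have to redo.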
This mechanism can also be used to solve disputes among nodes and achieve consensus. If we go back to the question raised earlier about what might happen if two nodes were to disagree, we can see how this comes into play. Imagine that two nodes find a solution to the challenge for the next block at the same time. These nodes then broadcast their solutions to the rest of the network.
Who should the network side with? This problem is often referred to as blockchain forking. Figure 4 illustrates the problem: we have two valid solutions for Block 3, the next block after Block 2.
Both of these solutions were found at the same time and are valid.
Figure 4: Block forking
What happens is that the two chains develop side by side. Each node keeps a copy of both chains until one becomes longer than the other, at which point the longer chain (strictly, the one with the most accumulated proof of work) is accepted as the real one, and the shorter chain is discarded, its blocks becoming stale or orphaned. Why does the network select the longer chain as the correct one? As discussed, the longer the chain, the more time and computational resource invested in it, meaning a greater proof of work, and hence more trust.
Furthermore, this property also protects the entire network from corruption. If an attacker wanted to create a fake chain fork and trick the network into accepting it, this chain would have to outgrow the honest one. To do so the attacker would need more hash-rate than the rest of the network combined, so that its own chain grows faster than the one produced by honest miners.
This is extremely unlikely considering the size of the network, and it has been argued that if profit was the main focus of the attacker, they would gain more by following the rules than by attacking it.
A double-spend attack is when an attacker is able to spend the same coins twice. It is best illustrated with an example. Imagine Alice wants to buy a cup of coffee from Bob using bitcoin.
When she pays Bob, she broadcasts a transaction on the network that sends some amount of BTC to the address Bob requested. Bob sees that the transaction has been broadcast, makes Alice her cup of coffee, and Alice leaves the shop. Note that even though Bob saw the transaction broadcast, it was unconfirmed, meaning that it had yet to be included in a new block by a miner. The problem is that, if Alice can mine blocks more quickly than the rest of the network, she can immediately create a different transaction spending the same inputs, sending the money she sent to Bob back to herself or to someone else.
She then includes that transaction in a new block, broadcasts the solution, and everyone adds that block to their chains.
However, when the transaction Alice originally sent to Bob is about to be verified and included in a new block, the network sees that the outputs referenced as inputs to that payment have already been spent in the block Alice just added, and rejects it. What went wrong?
This situation is a consequence of the way in which the network resolves disagreement: it says that the longest chain, or the chain with the highest proof of work, is correct. If Alice has the ability to mine a block before the rest of the network, she can spend the outputs referenced in the payment she sent to Bob before that payment is confirmed. In theory there is no strict limit beyond which it becomes impossible for Alice to generate a longer chain.
There are, however, practical limits and trade-offs. The cost of controlling a majority of the network's hash-rate completely dwarfs the cost saved by stealing a cup of coffee. The story changes, however, if instead of a cup of coffee Alice buys a new Ferrari from Bob.
Now the cost trade-off is different, and it would be wise for Bob to wait for some new blocks to be added on top of the block containing the transaction, each of which re-confirms it.
A natural question to ask is how long he should wait. Although there is no concrete answer, it is commonly recommended to wait for 6 confirmations, that is, 5 new blocks on top of the block containing the transaction. With around one block mined every 10 minutes, this requires a wait of about an hour, which is more than reasonable considering that banks may take more than 24 hours to process a payment. The right number of confirmations depends on both the value at stake and how much hash-rate an attacker could plausibly control.
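The "how long should Bob wait" question has a quantitative answer that the 6-confirmation rule of thumb is derived from. The following is an added example, not part of the text: it implements the attacker catch-up probability from section 11 of the Bitcoin whitepaper, where q is the fraction of the network's hash-rate the attacker controls, p = 1 - q, and z is the number of blocks the honest chain is ahead (the attacker's private chain is modelled as a Poisson process with expected progress z*q/p while the honest chain finds z blocks, and the attacker must then win a gambler's-ruin race from each possible deficit). `confirmations_needed` inverts it for a risk Bob is willing to accept.

```python
import math


def attacker_success(q: float, z: int) -> float:
    """Probability that an attacker with hash-rate fraction q ever catches up
    from z blocks behind (Nakamoto, Bitcoin whitepaper section 11)."""
    p = 1.0 - q
    if q >= p:
        return 1.0                      # a majority attacker always catches up
    lam = z * q / p                     # expected attacker blocks while honest chain mines z
    total = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        # Attacker already has k blocks; remaining deficit z-k is a gambler's-ruin
        # race won with probability (q/p)^(z-k).
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_needed(q: float, risk: float = 0.001) -> int:
    """Smallest z (blocks on top of, and including, the paying block) for
    which the attacker's success probability drops to at most `risk`."""
    if q >= 0.5:
        raise ValueError("no number of confirmations is safe against a majority")
    z = 0
    while attacker_success(q, z) > risk:
        z += 1
    return z


def expected_attack_cost(q, z, block_reward_btc, price_usd, hours_per_block=1 / 6):
    """Rough opportunity cost of attempting the attack: the block rewards the
    attacker forgoes by mining privately for the time the honest chain needs
    to produce z blocks, scaled by the attacker's share. Constructed
    illustration, not from the whitepaper."""
    honest_time_hours = z * hours_per_block / (1.0 - q)
    attacker_blocks = honest_time_hours / hours_per_block * q
    return attacker_blocks * block_reward_btc * price_usd


if __name__ == "__main__":
    for q in (0.1, 0.3, 0.45):
        print(q, [round(attacker_success(q, z), 6) for z in range(0, 7)],
              "z for 0.1% risk:", confirmations_needed(q))
```

For a 10% attacker the chance of reversing a payment with 6 confirmations is about 0.02%, which is where the popular figure comes from; a 30% attacker needs 24 confirmations to be brought below one in a thousand, and at 50% no count helps. For the coffee, Bob might accept z = 0 because the attack's forgone block rewards dwarf the stake; for the Ferrari the same function tells him how many blocks make the expected gain negative.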
In fact, the double-spend attack is only one example of a class of attacks called consensus attacks.
Up until now, whenever we have referred to a Bitcoin transaction we have assumed a construct that sends money from one public key to another. In reality this is only one type of transaction supported by the network and, for the sake of the Alice-Bob example, a simplification of the protocol.
The Bitcoin network can actually support several different and more complicated types of transactions, allowing much more than direct money transfers from one person to another. The first thing we need to understand in order to visualise this is the notion of a bitcoin address.
A bitcoin address, like a public key, is a string of alphanumeric characters that can be publicly distributed to allow the transfer of funds. It is derived from a hash of the public key (RIPEMD-160 of the SHA-256 of the key, with a checksum, encoded in base58). A payment to such an address is typically referred to as Pay-to-Public-Key-Hash, or P2PKH for short, as the amount in the transaction is paid to the hash of the public key rather than to the key itself.
As discussed earlier, in order to demonstrate ownership of a public key, it is sufficient to sign something with the corresponding private key.
Whenever a transaction is validated for inclusion in a new block, the mining node executes what is called a script, a sequence of instructions, in order to check that the inputs of the transaction can actually be spent. In order to do this, the node executes two scripts: the locking script and the unlocking script. The locking script is a form of lock placed on the outputs of a transaction; in order for someone to spend those outputs they must provide an unlocking script that satisfies it.
The unlocking script is placed on the inputs of a transaction. These scripts are run in order to unlock the locking scripts placed on those outputs by the previous transactions. The easiest way to think about it is as a puzzle: in order to spend an output, you need to solve the puzzle placed on it by that transaction's locking script.
When you have found a solution to the puzzle you enter it by writing the steps in the unlocking script, so that when the transaction is validated by a mining node, the two scripts executed together solve the puzzle and, at the end of execution, allow the amount to be spent.
Unlocking succeeds when, after both scripts have executed, the value left on top of the stack is TRUE (any non-zero value; 1 is the usual form). The script language used by Bitcoin is a very simple stack-based language. It was deliberately designed not to be Turing complete, meaning that not every program can be expressed in it.
The reason for this is to protect the network from attacks such as infinite loops or denial of service, in which very long, complex programs are used to slow the network down. To give concrete script examples, imagine Alice constructs a transaction with a locking script that simply returns 1, or TRUE, always.
In this case, anybody can spend the output because the answer to the puzzle is trivial: an empty unlocking script will do, because when executed together the result is 1 and thus the spending transaction is valid.
Likewise, Alice could construct a transaction with a locking script that simply returns 0 in all cases. This output is provably unspendable, because regardless of the unlocking script there is no way the combined scripts can result in TRUE.
A more common example is that of a Pay-to-Public-Key-Hash transaction. An illustration of this transaction script can be seen in figure 5 below. A new transaction from Bob will need to unlock the locking script that Alice placed on her payment. To do this Bob generates an unlocking script that he thinks will do the job: his signature followed by his public key. When a mining node attempts to verify the new transaction that Bob has made, it executes the scripts together from left to right.
The verification succeeds and a resultant 1 is pushed onto the stack. Now that the script has finished executing, the mining node pops the top value of the stack, in this case the 1 we just pushed, and checks whether it is TRUE. This succeeds, as 1 and TRUE are the same, and therefore the mining node accepts the transaction as valid.
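The evaluation model just described (unlocking script then locking script on one stack, success if the top is TRUE) is small enough to implement, which makes the three cases in the text concrete: the always-TRUE lock anyone can spend, the always-FALSE lock nobody can, and P2PKH. This is an added example, not the text's or Bitcoin's own interpreter, with two stated substitutions: RIPEMD-160 is not reliably available in Python's hashlib, so HASH160 is approximated by a truncated SHA-256, and since the standard library has no secp256k1 ECDSA, OP_CHECKSIG verifies a Lamport one-time signature instead, a genuine public-key signature built only from hashes (its keys and signatures are far larger than Bitcoin's push limits allow, which does not matter here). Only the opcodes the text discusses are implemented.

```python
import hashlib
import secrets


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def hash160(b: bytes) -> bytes:
    # Stand-in for Bitcoin's RIPEMD160(SHA256(x)) (assumption, see lead-in).
    return sha256(b)[:20]


# --- Lamport one-time signature: stand-in for ECDSA (assumption) -----------
def keygen():
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = b"".join(sha256(a) + sha256(b) for a, b in priv)      # 256 * 64 bytes
    return priv, pub


def _bits(msg: bytes):
    digest = sha256(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(priv, msg: bytes) -> bytes:
    """Reveal one secret of each pair, chosen by the message-hash bits."""
    return b"".join(priv[i][bit] for i, bit in enumerate(_bits(msg)))


def verify(pub: bytes, sig: bytes, msg: bytes) -> bool:
    if len(pub) != 256 * 64 or len(sig) != 256 * 32:
        return False
    for i, bit in enumerate(_bits(msg)):
        off = i * 64 + bit * 32
        if sha256(sig[i * 32:(i + 1) * 32]) != pub[off:off + 32]:
            return False
    return True


# --- Minimal stack machine ---------------------------------------------------
def truthy(item: bytes) -> bool:
    return any(item)        # empty or all-zero is FALSE (negative zero ignored)


def run(script, stack, msg):
    """Execute one script (a list of bytes pushes and opcode names) over
    `stack`; False means the script failed and the spend is invalid."""
    for tok in script:
        if isinstance(tok, bytes):
            stack.append(tok)
        elif tok == "OP_TRUE":
            stack.append(b"\x01")
        elif tok == "OP_FALSE":
            stack.append(b"")
        elif tok == "OP_RETURN":
            return False                      # provably unspendable output
        elif tok == "OP_DUP":
            if not stack:
                return False
            stack.append(stack[-1])
        elif tok == "OP_HASH160":
            if not stack:
                return False
            stack.append(hash160(stack.pop()))
        elif tok in ("OP_EQUAL", "OP_EQUALVERIFY"):
            if len(stack) < 2:
                return False
            equal = stack.pop() == stack.pop()
            if tok == "OP_EQUAL":
                stack.append(b"\x01" if equal else b"")
            elif not equal:
                return False                  # VERIFY: mismatch aborts
        elif tok == "OP_CHECKSIG":
            if len(stack) < 2:
                return False
            pub, sig = stack.pop(), stack.pop()
            stack.append(b"\x01" if verify(pub, sig, msg) else b"")
        else:
            return False                      # unknown opcode
    return True


def evaluate(unlocking, locking, msg=b"") -> bool:
    """scriptSig then scriptPubKey on one stack, as the text describes
    (modern nodes run them separately, with the same outcome here)."""
    stack = []
    if not run(unlocking, stack, msg) or not run(locking, stack, msg):
        return False
    return bool(stack) and truthy(stack[-1])


def p2pkh_locking(pub):
    return ["OP_DUP", "OP_HASH160", hash160(pub), "OP_EQUALVERIFY", "OP_CHECKSIG"]


def p2pkh_unlocking(priv, pub, msg):
    return [sign(priv, msg), pub]


def is_provably_unspendable(locking) -> bool:
    return bool(locking) and locking[0] == "OP_RETURN"


if __name__ == "__main__":
    priv, pub = keygen()
    tx = b"constructed spending transaction"   # what the signature commits to
    print(evaluate(p2pkh_unlocking(priv, pub, tx), p2pkh_locking(pub), tx))
    print(evaluate([], ["OP_TRUE"]), evaluate([], ["OP_FALSE"]))
```

A wrong key fails at `OP_EQUALVERIFY` before any signature check runs, a valid key with a signature over a different message fails at `OP_CHECKSIG`, and a script beginning with `OP_RETURN` fails no matter what is pushed in front of it, which is exactly why nodes can recognise such outputs as unspendable without ever trying to spend them.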
Figure 5: Bitcoin Pay-to-Public-Key-Hash script
At present, the developers of Bitcoin have limited the types of supported transactions on the network to 5 specific constructs. Although this may only be a temporary limitation, these supported constructs are referred to as standard transactions and are relayed and mined by all nodes running the reference implementation. Other script types are non-standard rather than invalid, and some mining nodes will accept them when generating new blocks, but at the current time such transactions have no guarantee of being mined. As such, we only discuss the 5 standard types below.
As we have previously seen, the Pay-to-Public-Key-Hash transaction type allows a payment to be made to the public-key hash of another party. In order for the output to be spent by the receiving party, they need to provide a signature using the corresponding private key from the key-pair, together with the public key itself. Likewise, a Pay-to-Public-Key transaction allows the transfer of funds directly to the public key of another party.
This is effectively a simpler form of the Pay-to-Public-Key-Hash transaction and is more commonly associated with older mining nodes and early coinbase transactions. It is less used today because it requires more space to store a full public key than a hash of that key.
Similarly, a Multi-Signature transaction is one that requires multiple signatures in order for the output to be spent, for example 2 out of 3. These transactions support M-of-N schemes that provide redundancy and additional security features such as forms of escrow.
The Pay-to-Script-Hash transaction type was developed to allow a payment to be sent to the hash of a script. Although this construct seems strange at first, the motivation behind it was to move the complexity of implementing scripts away from the party creating the transaction to the one wanting to spend it. For example, imagine that a company implements internal security features, such as a multi-signature policy, to prevent its employees from running away with its money.
Without P2SH these features would be implemented as a complex script that the company would require all customers to attach to their payments. Instead, using Pay-to-Script-Hash, the company is responsible for the script itself and customers simply pay to the bitcoin addresses the company provides; the script is only revealed, and must hash to the committed value, when the company spends the funds.
The fifth standard type is the OP_RETURN, or null-data, output, which carries a small amount of arbitrary data in a provably unspendable output. This data can be used to store any type of additional information associated with a transaction. As mentioned in the blockchain section above, one of the great properties of the Bitcoin blockchain is its ability, through proof of work, to protect data in the chain from corruption. This has interesting consequences, and people have come up with ingenious and novel ways of using this transaction type to create a whole host of unique and unrelated applications.
Examples include smart contracts, proof of existence and certification. As the number of blocks on the chain increases, so does the amount of work required to undo them, adding more and more trust to the existence of the piece of information stored in a transaction. As these novel applications have gained popularity, concerns have been raised about the amount of unnecessary information the blockchain is storing.
It has been argued that adding data unrelated to Bitcoin bloats the chain, making it bigger for no reason; because the entire blockchain has to be replicated at every node in the network, large amounts of space are effectively wasted across many nodes. However, decentralized replication and proof of work make the blockchain well suited to embedding information without worry of loss or corruption, and users of these applications have argued that they will only ever promote the use of Bitcoin as a currency.
Before OP_RETURN outputs existed, other methods of embedding data were used. One was to take some piece of information, hash it to a fixed length and use the hash as the destination address of a new transaction. This had two implications. The first was that, because the destination address of the transaction does not correspond to any real key-pair, these outputs can never be spent, meaning that the bitcoin sent to them is forever lost, decreasing the total amount of bitcoin available globally.
The second was that, because nodes keep the set of unspent transaction outputs in main memory in order to validate transactions and generate new blocks efficiently, these outputs are stored in memory too.
However, because they can never be spent, they exist forever in the unspent set, effectively requiring nodes to keep increasing their RAM in order to continue operating.
By making the output provably unspendable through the script itself, nodes can identify these outputs and not store them in the unspent set. The embedded data nevertheless still exists forever in the blockchain.
A Bitcoin wallet is a storage container for the access information of Bitcoin accounts. As previously mentioned, a Bitcoin account is a private-public key-pair, and in order for someone to spend the funds in an account they must have the correct private key to unlock those funds.
All a wallet therefore needs to do is store a set of private keys, as public keys are easily derived from private keys. A question one might naturally ask is why someone would want more than one account, or one private-public key-pair. Typically the reason for this is privacy: every payment to and from an address is public, so reusing one key-pair links all of its transactions together. To protect against this, it is common practice to use a new account, or key-pair, for every transaction performed, which makes linking the transactions of one owner harder. Although this might seem wasteful, as you effectively create a new account for every transaction, a private key is 256 bits long.
This means that there are 2^256 different bitcoin accounts, a number of around 10^77, which is so large that running out of addresses should not be a concern. Furthermore, it also means that the chance of any two people generating the same private-public key-pair is negligible, assuming that the generation of key-pairs is random and evenly distributed.
Note that this may not be the case for incorrect or insecure implementations of key generators; keys produced from a weak random number generator can be recovered by others. A Bitcoin wallet is therefore simply a private key store. It can be in the form of a hard drive, a CD, an application on your mobile phone or even a piece of paper that you keep in a safe. Anything that can store data can act as a Bitcoin wallet.
Arguably, the biggest problem with wallets today is that if you lose your wallet, or the keys are deleted, you permanently lose access to the money in those accounts. In fact over the past couple of years there have been several unfortunate cases where people have lost their private keys and hence forfeited large amounts of bitcoin. Likewise, because new keys are regularly generated for new transactions, wallets also need to be backed up regularly to prevent data loss.
To protect against these problems there have been several developments in wallet technology over the past few years. These range from software-based wallets, such as seeded hierarchical deterministic wallets, to hardware-based wallets, such as the Bitcoin Trezor. Each type of wallet has its own advantages and design purpose. Software-based seeded wallets, for instance, only need to be backed up once, because the generation of new keys is deterministic given the seed.
Hardware-based wallets, on the other hand, are designed to protect against viruses, cyber-attacks and malware. For example, figure 6 shows the Bitcoin Trezor, a type of hardware wallet.
This wallet is designed to prevent private key theft. It does so by never exposing the private keys stored in the device when transactions are signed: the unsigned transaction goes in, only the signature comes out. This means that regardless of how insecure the computer used to construct the transaction is, the private keys are not exposed. Note the limit of this guarantee: a compromised computer cannot steal the keys, but it can present a different transaction to be signed, which is why such devices show the destination and amount on their own screen for the user to confirm. This type of offline Bitcoin storage is often referred to as cold storage.
A year after the initial Bitcoin whitepaper was released, a reference implementation was published online by Nakamoto.
This implementation was released under an open-source license, allowing the bitcoin community to verify its correctness and contribute to the project. Since then, the implementation has been revised and updated by many different bitcoin developers and enthusiasts worldwide. Nakamoto later withdrew from the community, leaving primary control of development to a group of community volunteers. By open-sourcing the project, Nakamoto also gave individuals the ability to fork the reference implementation and create their own digital currency based on its design.
This decision has resulted in the release of hundreds of alternative currencies, each providing some unique spin or variant on the original Bitcoin implementation.
These alternative currencies are often referred to as altcoins and usually differ from Bitcoin through some small alterations. For example, some modify the total number of coins that will be released over the currency's lifetime, while others modify the speed at which blocks can be generated or the proof-of-work algorithm used to generate those blocks. Although many of these coins are based on Bitcoin's code, some do not re-use any of it and instead borrow only the principles and ideas behind the currency.
Nonetheless it is still common for these currencies to be called altcoins. For example, one of the very first altcoins, Litecoin, was released in 2011. At the time of writing, Litecoin is the second most successful digital currency, second only to Bitcoin itself.
The primary differences between Bitcoin and Litecoin are that Litecoin has an average block mining time of 2. The change in the proof of work algorithm used by Litecoin means that the network is more resistant to rapidly accelerating hardware, as the algorithm is very memory intensive and much more serialised than SHA used by Bitcoin. It is therefore not quickly outdone by specialised hardware rigs, such as application specific integrated circuits, or ASICs.
Furthermore, the increase in the speed of block mining means that the network can process transactions much more quickly, providing confirmations much earlier.
Another interesting example of an altcoin is Curecoin that was released in Curecoin provides an interesting innovation on the foundation already set by Bitcoin. The idea is to replace the wasted computation in the Bitcoin network with computation that helps medical research at the same time. Curecoin has a current block generation time of 10 minutes and no limit on the total number of coins generated.
As well as innovation in proof of work mechanisms, there have also been several alternative currencies based on improving the anonymity of Bitcoin transactions. One such currency is Bytecoin, a currency launched in based on the CryptoNote reference implementation. The idea behind CryptoNote and Bytecoin was to use ring signatures, a mechanism where a transaction is signed on behalf of a group of individuals. The idea is that the verifier of the transaction cannot distinguish the direct participants from the rest of the signing group.
This makes blockchain analysis and transaction tracking much more difficult and thus increases the anonymity of the network. Figure 7 shows the different logos for each of the digital currencies mentioned above. These logos are for Bitcoin, Litecoin, Curecoin and Bytecoin respectively.
Figure 7: Logos of Various Digital Currencies
In addition to altcoin technology, the open-source nature of Bitcoin has also driven development in altchain technologies. These types of development innovate on the block chaining algorithm used inside Bitcoin in order to achieve consensus on a variety of different problems, for instance providing a decentralized DNS registrar, resource distribution and contract generation. One concrete example of an altchain is Bitmessage. Bitmessage is a distributed secure messaging service. It uses a block chaining algorithm to provide peer-to-peer, trustless communication where the parties involved are kept anonymous and their messages hidden through encryption. Bitmessage circumvents the single point of failure associated with email servers, making denial of service attacks, eavesdropping and message observation much more difficult.
Furthermore, messages are not persistent: they only live for a certain period of time before they disappear from the chain.
Just like alternative currencies and chains, Bitcoin has also inspired the development of many different metacoins and metachains. These innovations build software layers and protocols directly on top of the Bitcoin blockchain, allowing them to support many different applications, such as currencies inside currencies, or the creation of much more powerful protocols.
These types of innovation are much more widely referred to as Bitcoin 2. One such example of a metacoin is Mastercoin. The idea of Mastercoin is to provide a framework and a set of tools that can be used to develop new applications. One example is supporting the creation of new user currencies, where individuals can build their own customised currencies without needing to do any software development.
Mastercoin uses a special Bitcoin address, called the Exodus address, to embed data into the blockchain. This allows it to differentiate normal transactions in the network from Mastercoin specific ones.
Mastercoin uses its own currency, MST, as a token for building Mastercoin transactions. The distribution of MST was based on early payments to the Exodus address, allowing users to effectively trade Bitcoin for Mastercoin. Another example of a Bitcoin 2. Ethereum models its blockchain as a state transition system and uses it to act as an abstraction layer for a Turing-complete programming language. This would allow anyone to write decentralized applications and smart contracts in a very simple way, often reducing the complexity of many existing altchains to.
Ethereum uses an internal currency called Ether to drive the protocol. Finally, Counterparty is another Bitcoin innovation that builds a protocol layer on top of a blockchain. Counterparty provides peer-to-peer financial tools and a platform on which to create smart contracts, perform asset exchange and generate custom tokens. Counterparty is actually a port of Ethereum's open-source reference implementation. Instead of using a new custom blockchain to build upon, Counterparty uses the Bitcoin blockchain as its foundation, arguing that there is no need to create a new blockchain as suggested by Ethereum.
In contrast to how Mastercoin and Ethereum distribute their tokens, Counterparty uses a proof-of-burn scheme where miners show that they have burnt an amount of Bitcoin in order to receive XCP.
Burning Bitcoin effectively means sending an amount of Bitcoin to an unspendable address, that is, one for which no private key is known, so the coins can never be moved again. This act effectively bootstraps value, demonstrating a belief that by burning something valuable, you believe the purpose of that burn to have value too, i.
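To make concrete what "unspendable address" means, here is an added example (not code from this paper or from the Counterparty project) that builds a mainnet P2PKH address from a hash160 chosen by hand, here all zeros, rather than derived from any key, alongside the OP_RETURN output script that Bitcoin nodes treat as provably unspendable. The Base58Check encoder and decoder are the standard construction; the checksum only detects mistyped addresses and says nothing about whether anyone holds the corresponding key.

```python
import hashlib
from typing import Tuple

# Bitcoin's Base58 alphabet (omits 0, O, I and l to avoid confusion)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, used by Bitcoin for the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(version: int, payload: bytes) -> str:
    """Base58 of: version || payload || sha256d(version || payload)[:4]."""
    raw = bytes([version]) + payload
    raw += sha256d(raw)[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # every leading 0x00 byte is represented by a leading '1'
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58check_decode(addr: str) -> Tuple[int, bytes]:
    """Inverse of b58check_encode; raises ValueError if the checksum fails."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    body, checksum = raw[:-4], raw[-4:]
    if sha256d(body)[:4] != checksum:
        raise ValueError("bad Base58Check checksum")
    return body[0], body[1:]


def p2pkh_burn_address(hash160: bytes) -> str:
    """Mainnet P2PKH address (version byte 0x00) for a hand-picked hash160.

    Any 20 bytes yield a checksum-valid address; coins sent there can only be
    spent by someone holding a public key hashing to that value, which for a
    chosen value such as all zeros is nobody. The all-zero input is constructed.
    """
    if len(hash160) != 20:
        raise ValueError("hash160 must be exactly 20 bytes")
    return b58check_encode(0x00, hash160)


def op_return_script(data: bytes) -> bytes:
    """OP_RETURN <push data>: an output script nodes mark as provably unspendable."""
    if len(data) > 75:
        raise ValueError("direct push is limited to 75 bytes")
    return b"\x6a" + bytes([len(data)]) + data
```

The OP_RETURN form is the one a defender prefers to see: it is recognisably a burn, and nodes never add such outputs to the UTXO set, whereas a key-less P2PKH address looks like any other payment and can only be judged unspendable by reasoning about its preimage.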
In doing this, XCP is given value through the lost Bitcoin. Figure 8 shows the different logos for each of the three Bitcoin 2. These logos are for Mastercoin, Ethereum and Counterparty respectively.