Script. All about cryptocurrency - BitcoinWiki

You can call you a Bitcoiner if you know/can explain these terms...

03/Jan/2009
10 Minutes
10,000 BTC Pizza
2016 Blocks
21 Million
210,000 Blocks
51% Attack
Address
Altcoin
Antonopoulos
Asic
Asic Boost
Base58
Batching
Bech32
Bit
Bitcoin Cash
Bitcoin Improvement Proposal (BIP)
Bitcoin SV
Bitmain
Block
Block height
Block reward
Blockchain
Blockexplorer
Bloom Filter
Brain Wallet
Buidl
Change Address
Child pays for parent (CPFP)
Coinbase (not the exchange)
CoinJoin
Coinmarketcap (CMC)
Colored Coin
Confirmation
Consensus
Custodial Wallet
Craig Wright
David Kleinman
Difficulty
Difficulty adjustment
Difficulty Target
Dogecoin
Dorian Nakamoto
Double spend
Elliptic Curve Digital Signature Algorithm (ECDSA)
Ethereum
Faketoshi
Fork
Full Node
Gavin Andresen
Genesis Block
Getting goxed
Halving
Hard Fork
Hardware Wallet
Hash
Hashing
Hierarchical Deterministic (HD) Wallet
Hodl
Hot Wallet
Initial Coin Offering (ICO)
Initial Exchange Offering (IEO)
Ledger
Light Node
Lightning
Litecoin
Locktime
Mainnet
Malleability
Master Private Key
Master Public Key
Master Seed
mBTC
Mempool
Merkle Tree
Mining
Mining Farm
Mining Pool
Mixing
MtGox
Multisig
Nonce
Not your keys,...
Opcode
Orphan block
P2PKH
P2SH
Paper Wallet
Peers
Pieter Wuille
Premining
Private key
Proof of Stake (PoS)
Proof of Work (PoW)
Pruning
Public key
Pump'n'Dump
Replace by Fee (RBF)
Ripemd160
Roger Ver
sat
Satoshi Nakamoto
Schnorr Signatures
Script
Segregated Witness (Segwit)
Sha256
Shitcoin
Sidechain
Signature
Signing
Simplified Payment Verification (SPV)
Smart Contract
Soft Fork
Stratum
Syncing
Testnet
Transaction
Transaction Fees
TransactionId (Txid)
Trezor
User Activated Soft Fork (UASF)
Utxo
Wallet Import Format (WIF)
Watch-Only Address
Whitepaper
List obviously not complete. Suggestions appreciated.
Refs:
https://bitcoin.org/en/developer-glossary https://en.bitcoin.it/wiki/Main_Page https://www.youtube.com/channel/UCgo7FCCPuylVk4luP3JAgVw https://www.youtube.com/useaantonop
submitted by PolaT1x to Bitcoin [link] [comments]

Attention, benevolent BCH miners: A BCH segwit-recovery service is sorely needed!

These BCH are now recoverable; please read the update at the end of the post!

 
 

Background

In the short while since segwit activated on the BTC network and segwit addresses even-more-recently became the default for receiving BTC in the Trezor wallet - and perhaps other wallets too (soon?) - people have started accidentally sending their BCH to BTC-segwit addresses.
 
Due to the fact(s) that...
a) the BCH network supports P2SH (i.e. addresses starting with 3), but not segwit
... and ...
b) the sending wallets thus have no way of knowing that P2SH-wrapped segwit addresses really are "hiding" a segwit redeemscript
... people are losing access to their BCH, there's currently no way to prevent this, and it will continue happening.
 

Examples

(These are just the ones that I've noticed, but I'm sure there are many more that go straight to the various wallet service providers' support teams instead of via Reddit.)
 
To add insult to injury, the unlucky BCH owners are routinely told that there's no way to recover the coins (including by myself at the start) due to BCH not supporting segwit. And while that's currently true, it is ultimately only a half-truth.
After all, segwit opponents have often said that the satoshis in segwit addresses would be "anyone-can-spend" if the miners didn't enforce the segwit rules (i.e. ensuring that there's a proper witness/signature in the "segregated" part of the txs).
And on the BCH network the segwit rules aren't being enforced!
 

A Partial Solution

So I did some digging (e.g. in the segwit documentation and P2SH specification, BIP16) and came to the conclusion, which I'm sure that many have before me, that in order to spend money sent to a P2SH-wrapped segwit address, you only need to know the public key of the address (or more precisely: the RIPEMD160 hash of the SHA256 hash of a the public key).
Yes, a hash derived from the public key, not the private key.
Luckily, the 3-addresses don't by themselves reveal this public key hash, or anyone could've made "signed" txs from these "BCH-segwit" addresses - and someone probably already would have.
 

More Problems

So, given that it's relatively easy (for a technically inclined person, anyway) to get the public key corresponding to an address from their BIP39 mnemonic (aka wallet recovery seed), why aren't people re-claiming their BCH from these addresses?
Well, the "signature" that's needed isn't really a digital signature in the normal sense. Regular cryptocurrency transactions include a digital signature that doesn't reveal the private key that was used to make the signature in question. What's needed to "sign" for BCH-segwit addresses, however, is just literally including the public key hash that was mentioned above instead of a proper digital signature.
This means that anyone who sees such a transaction can just extract the public key hash from it - and then go on to create a conflicting transaction, using the same public key hash, that sends the same money elsewhere (to themselves, I would presume).
Technically, the second transaction would be a double-spend of the original and, as with all double-spends, it's the miners that would be the final arbiters of which transaction gets recorded in the block chain.
Additionally, a malicious miner could just create their own version of the transaction, either overtly redirecting the money to themselves, or covertly by changing the transaction to have no monetary outputs (i.e. all the money would go to the miner as "fee").
But the problems don't stop there. These segwit-spending transactions would be non-standard and as such wouldn't be relayed to the miners in the first place, nor would it be mined by miners even if it reached them (provided that the nodes and miners run with the default policy of ignoring non-standard txs, that is).
 

Suggested Solution

What we need is one or more trustworthy (yes, trust would unfortunately be required) miners to step up and make a BCH Segwit-Recovery Service for this particular purpose, in a somewhat similar way that they provided acceleration services for the BTC network (example1 and example2).
 
So... Does anyone know if a) miners are already working on this or b) know how to get in touch with them about this?
Or are there any benevolent miners here, that would like to:
 
/btc users, feel free to notify any miner contacts you may have - let's make this happen!
 
 

Update 1 (2017-09-11)

I made a proof-of-concept frontend to "show" what I'm envisioning such a service would look like for the end users (obviously it's ugly and needs to include javascript for key/hash/address validation, etc., but it should get the intention across), here:
https://btctroubadour.github.io/bch-recovery.html

Update 2 (2017-11-21)

It looks like some greyhat/vigilante, working with an unknown miner, was able to unilaterally claim some of the BCH that were "stuck" in BTC-segwit addresses (namely, the ones for which the public keys were revealed by the owners spending BTC from the same addresses), as explained in this post and comments: https://np.reddit.com/Bitcoin/comments/7eixcu/recovering_bch_sent_to_segwit_addresses/
For those that are affected by this, it means you no longer control your BCH (they were "stolen" by the greyhat), but he seems to be offering to give them back if you agree to letting him keep 30 % for his service (or "service", however you look at it). Either way, and given the alternative (100 % loss), you should certainly check if you're affected and decide how you want to proceed. As if that wasn't enough to deal with, there seems to be a ~2 week deadline, until "December 5th, 2017 at 23:59:59 UTC", after which it seems he's decided he's entitled to keep your money. :(

Update 3 (2017-11-28)

It looks like the greyhat has turned white! He's now offering to give back, for free, any and all BCH that were transferred to him (yes, 100 %!). Read his new update post and check if you were affected by this transfer.

Update 4 (2017-12-05)

Benevolent BCH miner finally found! The good people at btc.com have announced an automated BCH-segwit-recovery service, just as I outlined in my original post. Thanks a lot to Stellaluna19 for bringing it to my attention.
Here are links to btc.com's Twitter announcement as well as the recovery service itself:
https://twitter.com/btccom_official/status/933682190424199169
https://bch.btc.com/docs/help/bch_segwit_recovery
(Note that SatoshiLabs/Trezor developer, and well-known whitehat, -johoe have suggested some improvements to secure the process outlined by btc.com. You can read his suggestions in the last paragraph of this post - or in this one.)
submitted by btctroubadour to btc [link] [comments]

Atomic Swap with USDT: Swap Online solution in two hundred lines of code

Atomic Swap with USDT: Swap Online solution in two hundred lines of code
https://preview.redd.it/3mx7amtio9g11.png?width=696&format=png&auto=webp&s=f2bd956843196fa2f51048a86f9608b6e714f62e
On the eve of the release on the mainnet, the team of the cross-chain wallet Swap Online is publishing a research study and the code of the atomic swapusing USDT.

USD Tether — the equivalent of the dollar on Omni Layer

The solution described above with the protocol “over” the Bitcoin network gave life to one of the most controversial cryptocurrency projects of the last two years — Tether. Tether (symbol Tether — ₮, ticker — USDT) is a hybrid cryptocurrency with a rate binding to one US dollar. Moreover, according to the assurances of Tether Limited, the issuer of the given tokens, the “binding” is to be understood literally, as each purchased token of USDT corresponds to one US dollar available at the disposal of the company.
If we take the three largest exchanges based on their daily turnover of transactions at the time of writing (Binance, OKEx and HuObi), and then track the five most popular trading pairs for each, we will encounter USDT in 13 out of 15 cases.

USDT — the token with the largest capitalization in the world.

All this generates great community interest in faster, safer and cheaper solutions for exchanging Tether into other currencies. Obviously, such a solution could be atomic swaps, which are instant, decentralized cross-chain exchanges. The Komodo laboratory, the main headliners of this technology, who presented it in the autumn of 2017, reported on the successful exchange of KMD to USDT carried out on the BarterDEX platform, Komodo’s own exchanger.
https://preview.redd.it/z7tx3cv0p9g11.png?width=597&format=png&auto=webp&s=f0944434f691d69ae45c5b80e00fed2736423f7a
At the same time, according to our data, the developers of Komodo made a swap on the ERC20-a version of Tether, which is only available in 3% of cases. Approximately 60 million USDT from global turnover can thus be exchanged using this method, which, obviously, cannot be considered as a solution to the problem. Striking examples of imperfections of existing solutions can be found even on Etherscan.
https://preview.redd.it/39nc2ji6p9g11.png?width=800&format=png&auto=webp&s=992a4adc022175d90d111f030047ba8adeda14f8
This fall, the team of Swap Online is ready to present an atomic swap with Tether. And here’s how we did it.

How Omni conducts transactions

To carry out the Omni transaction, a user needs to create a regular Bitcoin transaction-transfer of 546 satoshi (minimum) with an additional output storing payload using the OP_RETURN op-code. An example of such a transaction. The payload is a mandatory part of any Omni transaction, as it is a sequence of bytes containing all the necessary information about the transaction.

Let us consider what information is stored in the payload itself

transaction marker — 4 bytes, the mandatory part of any Omni payload is always equal to 0x6f6d6e69 — ASCII code omni. If the first 4 bytes of the sequence are not equal to 0x6f6d6e69, then this sequence is not a payload of Omni.
version — 2 bytes, an analog version of the transaction in Bitcoin. For the described algorithm to work, version 0 is used, or that is the same as 0x0000.
transaction type — 2 bytes, transaction type, for an atomic swap it is sufficient to use only “Simple send” transactions, as simple send is the usual sending of omni currency from its address to the address of the recipient. Simple send corresponds to the transaction type code 0, that is, the next 2 bytes 0x0000. Other possible types of transactions exist in Omni.
token identifier — 4 bytes, identifier of the currency used. For example TetherUS has the identifier 31 or 0x0000001f. All tokens created by the Omni protocol at this time can be seen via the following link.
amount — 8 bytes, for a transaction of type Simple send, this is the amount of the sent currency.
As you can see, payload does not store the addresses of senders and recipients of the transactions, these addresses are determined by the Bitcoin transaction in which the payload output was detected. By scanning inputs, the Omni protocol determines who makes the transfer by finding the output of the corresponding address from among the inputs of the transaction p2pkh.
Thus, for a transfer from Alice to Bob of, for example, 50,000,000 TetherUS, we need to create a Bitcoin transaction where one of the inputs will refer to the p2pkh output corresponding to the Alice address. It is also important that this entry be the first in this transaction (the index of this entry in the received transaction would be is minimal or none at all). One of the outputs of this transaction should be the output of p2pkh to Bob’s address, and another output must have been one of the outputs with the following payload:
https://preview.redd.it/0kmuzds8p9g11.png?width=575&format=png&auto=webp&s=af2f496596684af18091fb044f4e20b7e546c32f
Example 1
Example 2

Atomic Swap on Omni Layer

Suppose that Alice and Bob are willing to make an inter-blockchain exchange of cryptocurrencies. Alice wants to exchange the units of any Omni currency, for example TetherUS (the given currency has the currency identifier # 31 in the Mainnet, then in the text we will only talk about this currency of the Omni protocol, since it is the most popular at the moment, but the algorithm below will work for any currency of the Omni protocol as well) for b units of a cryptocurrency working on another blockchain. (Omni works on top of the Bitcoin blockchain, of course, according to the algorithm below it is possible to exchange TetherUS for Bitcoins, but due to their work on one and the same blockchain, this exchange can be done in a different, more efficient way).

Glossary

A — blockchain of Bitcoin.
B — the blockchain of the cryptocurrency for which TetherUS is being exchanged.
a — the sum of TetherUS, which Alice wants to exchange.
b — the sum of the cryptocurrency of the adjoining blockchain B, to which Alice wants to exchange her a TetherUS.

Creating a Transaction

1) Bob generates a random value secret.
2) Bob calculates the secretHash by performing the following operation: secretHash = RIPEMD160 (secret)
3) Bob creates and sends an htlc transaction sealed by secretHash
4) Bob sends Alice a secretHash value, and a hash of the hrlc transaction he created in the previous paragraph in order for Alice to make sure that the correct htlc transaction is actually present in the B blockchain.
5) Alice received from Bob the secretHash and hash of the htlc-transaction Bob created, and is convinced that such a transaction is really present in the B blockchain, and that this is indeed a htlc-transaction sealed by the secretHash value.
6) using the received secretHash, Alice creates the following transaction and translates it into the Bitcoin blockchain:
https://preview.redd.it/oxri5a7gp9g11.png?width=735&format=png&auto=webp&s=14e88db4fc4d1743406939343d42e33352b05782
Let us call such a transaction financing_tx. In fact, it is almost an ordinary Bitcoin htlc transaction that is used in atomic swap with the only difference that in the amount field, 546 satoshi is the minimum number of Bitcoins that can be at the output of the transaction, below this value, Bitcoin counts the transaction as dust and does not conduct it.
7) Alice creates a transaction according to the following scheme:
https://preview.redd.it/awz9uzuhp9g11.png?width=1000&format=png&auto=webp&s=9ca79e77ca6aff631a39ae95dfaa70aa06d695ec
Let us call this transaction redeem_tx. Alice creates such a transaction with two inputs: the first is the input referencing the output of funding_tx, which contains the htlc script. Alice does not sign this script, that is, the SigScript field remains completely empty. The second input is the input referring to any unspent exits of Alice, the main condition is that at this output stage there are enough Bitcoins to pay the transaction fee, and this entry is signed by Alice with her private key with the signature type SIGHASH_ALL (that is, she signs the entire transaction except for SigScript fields on the inputs transaction, which makes this transaction immutable. The outputs of the same transaction are the elementary Simple Send and a TetherUS from Alice to Bob (details of what Simple Send, payload is and how it works can be found in another section).
8) Alice sends Bob the redeem_tx created in the previous paragraph and the one she signed herself.
9) Bob got the redeem_tx sent by Alice, checks it, just looks through the inputs and outputs, making sure that this is really a transaction that Alice should have created using the real algorithm. After that, Bob signs the transaction with his private key and provides the secret value in the SigScript of the corresponding redeem_tx entry.
10) Bob sends the signed redeem_tx transaction to the blockchain, thereby transferring the TetherUS currency from Alice to himself. Note — before carrying out this step, we still need to check that Alice’s address has the necessary amount of TetherUS.
11) Alice looks through blockchain A and gets the value secret and uses it in the B blockchain to transfer the funds using the htlc transaction Bob created in point 3. The exchange ends here.
Stating the obvious: naturally the timelock value used by Bob when creating the htlc-transaction must be significantly longer than the timelock that Alice uses, since her htlc transaction should be spent earlier than the htlc created by Bob. This is necessary so that Bob cannot manage to spend both htlc.

Conclusion

Thus, connecting Omni Layer to Swap Online allows users to cover transactions.

Full research you may find in our Github

C++ source code for creating TX
C++ source code for redeem TX

Swap.Online Essential Links

Website: https://testnet.swap.online GitHub: https://github.com/swaponline Email: [email protected] Telegram: https://t.me/swaponline Facebook: https://www.facebook.com/Swaponline Twitter: https://twitter.com/SwapOnlineTeam Wiki: https://wiki.swap.online/ Bitcointalk: https://bitcointalk.org/index.php?topic=4636633
submitted by noxonsu to SwapOnline [link] [comments]

Time to worry about 80-bit collision attacks or not? | Gavin Andresen | Jan 07 2016

Gavin Andresen on Jan 07 2016:
I'm hoisting this from some private feedback I sent on the segregated
witness BIP:
I said:
"I'd also use RIPEMD160(SHA256()) as the hash function and save the 12
bytes-- a successful preimage attack against that ain't gonna happen before
we're all dead. I'm probably being dense, but I just don't see how a
collision attack is relevant here."
Pieter responded:
"The problem case is where someone in a contract setup shows you a script,
which you accept as being a payment to yourself. An attacker could use a
collision attack to construct scripts with identical hashes, only one of
which does have the property you want, and steal coins.
So you really want collision security, and I don't think 80 bits is
something we should encourage for that. Normal pubkey hashes don't have
that problem, as they can't be constructed to pay to you."
... but I'm unconvinced:
"But it is trivial for contract wallets to protect against collision
attacks-- if you give me a script that is "gavin_pubkey CHECKSIG
arbitrary_data OP_DROP" with "I promise I'm not trying to rip you off, just
ignore that arbitrary data" a wallet can just refuse. Even more likely, a
contract wallet won't even recognize that as a pay-to-gavin transaction.
I suppose it could be looking for some form of "gavin_pubkey
somebody_else_pubkey CHECKMULTISIG ... with the attacker using
somebody_else_pubkey to force the collision, but, again, trivial contract
protocol tweaks ("send along a proof you have the private key corresponding
to the public key" or "everybody pre-commits pubkeys they'll use at
protocol start") would protect against that.
Adding an extra 12 bytes to every segwit to prevent an attack that takes
280 computation and 280 storage, is unlikely to be a problem in practice,
and is trivial to protect against is the wrong tradeoff to make."
20 bytes instead of 32 bytes is a savings of almost 40%, which is
significant.
The general question I'd like to raise on this list is:
Should we be worried, today, about collision attacks against RIPEMD160 (our
160-bit hash)?
Mounting a successful brute-force collision attack would require at least
O(280) CPU, which is kinda-sorta feasible (Pieter pointed out that Bitcoin
POW has computed more SHA256 hashes than that). But it also requires
O(280) storage, which is utterly infeasible (there is something on the
order of 235 bytes of storage in the entire world). Even assuming
doubling every single year (faster than Moore's Law), we're four decades
away from an attacker with THE ENTIRE WORLD's storage capacity being able
to mount a collision attack.
References:
https://en.wikipedia.org/wiki/Collision_attack
https://vsatglobalseriesblog.wordpress.com/2013/06/21/in-2013-the-amount-of-data-generated-worldwide-will-reach-four-zettabytes/

Gavin Andresen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20160107/09860830/attachment.html
original: http://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-January/012198.html
submitted by dev_list_bot to bitcoin_devlist [link] [comments]

BIP Number Request: Open Asset | Nicolas Dorier | May 26 2016

Nicolas Dorier on May 26 2016:
Open Asset is a simple and well known colored coin protocol made by Flavien
Charlon, which has been around for more than two years ago.
Open Asset is OP_RETURN to store coin's color. Since then, the only
modification to the protocol has been for allowing OA data to be into any
push into an OP_RETURN.
The protocol is here:
https://github.com/OpenAssets/open-assets-protocol/blob/mastespecification.mediawiki
I asked to Flavien Charlon if he was OK if I submit the protocol to the
mailing list before posting.
Additional BIP number might be required to cover for example the "colored
address" format:
https://github.com/OpenAssets/open-assets-protocol/blob/masteaddress-format.mediawiki
But I will do it in a separate request.
Here is the core of the Open Asset specification:
Title: Open Assets Protocol (OAP/1.0)
Author: Flavien Charlon
Created: 2013-12-12
==Abstract==
This document describes a protocol used for storing and transferring
custom, non-native assets on the Blockchain. Assets are represented by
tokens called colored coins.
An issuer would first issue colored coins and associate them with a
formal or informal promise that he will redeem the coins according to
terms he has defined. Colored coins can then be transferred using
transactions that preserve the quantity of every asset.
==Motivation==
In the current Bitcoin implementation, outputs represent a quantity of
Bitcoin, secured by an output script. With the Open Assets Protocol,
outputs can encapsulate a quantity of a user-defined asset on top of
that Bitcoin amount.
There are many applications:
could then be traded frictionlessly through the Bitcoin
infrastructure.
could withdraw and deposit money in colored coins, and trade those, or
use them to pay for goods and services. The Blockchain becomes a
system allowing to transact not only in Bitcoin, but in any currency.
of colored coins. The door would only open when presented with a
wallet containing that specific coin.
==Protocol Overview==
Outputs using the Open Assets Protocol to store an asset have two new
characteristics:
asset stored on the output.
many units of that asset are stored on the output.
This document describes how the asset ID and asset quantity of an
output are calculated.
Each output in the Blockchain can be either colored or uncolored:
both undefined).
non-null asset ID.
The ID of an asset is the RIPEMD-160 hash of the SHA-256 hash of the
output script referenced by the first input of the transaction that
initially issued that asset (script_hash =
RIPEMD160(SHA256(script))). An issuer can reissue more of an
already existing asset as long as they retain the private key for that
asset ID. Assets on two different outputs can only be mixed together
if they have the same asset ID.
Like addresses, asset IDs can be represented in base 58. They must use
version byte 23 (115 in TestNet3) when represented in base 58. The
base 58 representation of an asset ID therefore starts with the
character 'A' in MainNet.
The process to generate an asset ID and the matching private key is
described in the following example:

The issuer first generates a private key:

18E14A7B6A307F426A94F8114701E7C8E774E7F9A47E2C2035DB29A206321725.

He calculates the corresponding address:

16UwLL9Risc3QfPqBUvKofHmBQ7wMtjvM.

Next, he builds the Pay-to-PubKey-Hash script associated to that

address: OP_DUP OP_HASH160
010966776006953D5567439E5E39F86A0D273BEE OP_EQUALVERIFY
OP_CHECKSIG.

The script is hashed: 36e0ea8e93eaa0285d641305f4c81e563aa570a2

Finally, the hash is converted to a base 58 string with checksum

using version byte 23:
ALn3aK1fSuG27N96UGYB1kUYUpGKRhBuBC.
The private key from the first step is required to issue assets
identified by the asset ID
ALn3aK1fSuG27N96UGYB1kUYUpGKRhBuBC. This acts as a
digital signature, and gives the guarantee that nobody else but the
original issuer is able to issue assets identified by this specific
asset ID.
==Open Assets Transactions==
Transactions relevant to the Open Assets Protocol must have a special
output called the marker output. This allows clients to recognize such
transactions. Open Assets transactions can be used to issue new
assets, or transfer ownership of assets.
Transactions that are not recognized as an Open Assets transaction are
considered as having all their outputs uncolored.
===Marker output===
The marker output can have a zero or non-zero value. The marker output
starts with the OP_RETURN opcode, and can be followed by any sequence
of opcodes, but it must contain a PUSHDATA opcode containing a
parsable Open Assets marker payload. If multiple parsable PUSHDATA
opcodes exist in the same output, the first one is used, and the other
ones are ignored.
If multiple valid marker outputs exist in the same transaction, the
first one is used and the other ones are considered as regular
outputs. If no valid marker output exists in the transaction, all
outputs are considered uncolored.
The payload as defined by the Open Assets protocol has the following format:
{|
! Field !! Description !! Size
|-
! OAP Marker || A tag indicating that this transaction is an
Open Assets transaction. It is always 0x4f41. || 2 bytes
|-
! Version number || The major revision number of the Open Assets
Protocol. For this version, it is 1 (0x0100). || 2 bytes
|-
! Asset quantity count || A
[https://en.bitcoin.it/wiki/Protocol_specification#Variable_length_integer
var-integer] representing the number of items in the asset
quantity list field. || 1-9 bytes
|-
! Asset quantity list || A list of zero or more
[http://en.wikipedia.org/wiki/LEB128 LEB128-encoded] unsigned integers
representing the asset quantity of every output in order (excluding
the marker output). || Variable
|-
! Metadata length || The
[https://en.bitcoin.it/wiki/Protocol_specification#Variable_length_integer
var-integer] encoded length of the metadata field. || 1-9
bytes
|-
! Metadata || Arbitrary metadata to be associated with
this transaction. This can be empty. || Variable
|}
Possible formats for the metadata field are outside of
scope of this protocol, and may be described in separate protocol
specifications building on top of this one.
The asset quantity list field is used to determine the
asset quantity of each output. Each integer is encoded using variable
length [http://en.wikipedia.org/wiki/LEB128 LEB128] encoding (also
used in [https://developers.google.com/protocol-buffers/docs/encoding#varints
Google Protocol Buffers]). If the LEB128-encoded asset quantity of any
output exceeds 9 bytes, the marker output is deemed invalid. The
maximum valid asset quantity for an output is 263 - 1
units.
If the marker output is malformed, it is considered non-parsable.
Coinbase transactions and transactions with zero inputs cannot have a
valid marker output, even if it would be otherwise considered valid.
If there are less items in the asset quantity list than
the number of colorable outputs (all the outputs except the marker
output), the outputs in excess receive an asset quantity of zero. If
there are more items in the asset quantity list than the
number of colorable outputs, the marker output is deemed invalid. The
marker output is always uncolored.
After the asset quantity list has been used to assign an
asset quantity to every output, asset IDs are assigned to outputs.
Outputs before the marker output are used for asset issuance, and
outputs after the marker output are used for asset transfer.
====Example====
This example illustrates how a marker output is decoded. Assuming the
marker output is output 1:
Data in the marker output Description ----------------------------- 
0x6a The OP_RETURN opcode. 0x10 The PUSHDATA opcode for a 16 bytes payload. 0x4f 0x41 The Open Assets Protocol tag. 0x01 0x00 Version 1 of the protocol. 0x03 There are 3 items in the asset quantity list. 0xac 0x02 0x00 0xe5 0x8e 0x26 The asset quantity list: - '0xac 0x02' means output 0 has an 
asset quantity of 300.
 - Output 1 is skipped and has an 
asset quantity of 0
 because it is the marker output. - '0x00' means output 2 has an 
asset quantity of 0.
 - '0xe5 0x8e 0x26' means output 3 
has an asset quantity of 624,485.
 - Outputs after output 3 (if any) 
have an asset quantity of 0.
0x04 The metadata is 4 bytes long. 0x12 0x34 0x56 0x78 Some arbitrary metadata. 
===Asset issuance outputs===
All the outputs before the marker output are used for asset issuance.
All outputs preceding the marker output and with a non-zero asset ...[message truncated here by reddit bot]...
original: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-May/012741.html
submitted by dev_list_bot to bitcoin_devlist [link] [comments]

2 humble proposals for Litecoin's proposition

One of the key aspects of success on the web is the proposition. I'm into Litecoin because it has a great proposition (zero pre-mining, stronger crypto for mining, 2m30s block, etc). Let me just give you one example of a failed proposition just so everyone knows where I'm coming from.
Failed proposition Microsoft once had its encyclopedia, Encarta. But MS saw the writing on the wall: wikipedia and user-generated content would kill them. So at one point, they "opened" Encarta for people to edit. Unfortunately, if you clicked edit, unlike wikipedia, you were first led to a page full of legalese telling you that you were about to transfer your intellectual property rights to Microsoft Corporation, etc. As people saw that, they basically went FU and didn't bother improving Encarta. These days, you can read about Encarta on wikipedia, ironically.
Proposition is extremely important, and it's mostly psychological. The best book about it is "Here comes everybody".
I have been thinking a lot about this, and I think it would be productive for all of our community if we were to discuss how can we subtly improve Litecoin without alterations to code (i.e., no risks). What I mean are minor tweaks in the perception and the proposition of Litecoin.
So I would like to throw some ideas out there:
Idea #1. 256-bit standard address: instead of reducing the SHA256 to RIPEMD160, and creating even the (minute) probability of collusion, we should think about having more security than Bitcoin and use RIPEMD256. The core of the system doesn't even have the idea of "address", so this could be done, correct me if I'm wrong, easily--zero risk. There might opposition to this, as it increases our blockchain size, by 92bits per new, changed, address. Yet, I would love to be able to brag about Litecoin's stronger crypto in addresses and in mining. Scrypt is way better than SHA2 and Litecoin is already more secure than bitcoin (architecturally, not in hashing power, due to the influx of ASICs). But we may also want to differentiate by having stronger, harder to break addresses.
Idea #2. The "unit" (or "Schelling point"). In bitcoin, there are two clear "units": one bitcoin and one satoshi. But 1 bitcoin = 100 million satoshis makes for unnatural calculations and some cognitive overload (see, for instance, this card experiment, or this simple cognitive reflection task, or the hard Monty hall problem). These situations and experiments show that people have a hard time (cognitively) dealing with even simple problems. I think we can do better if we use what's on already people's minds: cents, and create/name the "Lite", with 1 Litecoin = 1,000,000 Lites (with 1 Lite being 100 Lite-cents).
As a silly example, it is smoother and easier to tell friends "Just paid 2 bucks on a million Lites" than "Just paid 200 bucks on a bitcoin". The words million and billion are associated with wealth, in a way that "coin" isn't. "You have 56 million lites?" sounds and feels better than "you have 56 litecoin?" I'm not talking about dropping the name litecoin (it's awesome), but about naming the quote-"smallest unit"-endquote as something that makes for immediate calculation (and of course the real "smallest unit" would be a cent of a "Lite").
I'm sorry for the wall of text. But I think we can improve Litecoin's proposition, and that if we do so, we'll have an even bigger lead against the other cryptocurrencies out there. From Zimbabwe dollars to gold, money is about trust and confidence. Let's be cryptographically stronger than anyone out there, and let's let those who join us make immediate, natural, system 1 calculations.
Again, I'm sorry for the wall of text, I thank you for reading this far, and may Litecoin have a long prosperous life!
submitted by asymmetric_bet to litecoin [link] [comments]

[Kali 17.1] JtR support for pkzip dropped?

Hi all, I'm just trying my hand on the okcupid challenge (view source of okcupid.com). It includes four encrypted zip files. I wanted to try the easy way first and use john, but it seems on Kali 17.1 JtR does not support the pkzip format anymore?
[email protected]:~# john --list=formats 
descrypt, bsdicrypt, md5crypt, bcrypt, scrypt, LM, AFS, tripcode, dummy, dynamic_n, bfegg, dmd5, dominosec, dominosec8, EPI, Fortigate, FormSpring, has-160, hdaa, ipb2, krb4, krb5, KeePass, MSCHAPv2, mschapv2-naive, mysql, nethalflm, netlm, netlmv2, netntlm, netntlm-naive, netntlmv2, md5ns, NT, osc, PHPS, po, skey, SybaseASE, xsha, xsha512, agilekeychain, aix-ssha1, aix-ssha256, aix-ssha512, asa-md5, Bitcoin, Blackberry-ES10, WoWSRP, Blockchain, chap, Clipperz, cloudkeychain, cq, CRC32, sha1crypt, sha256crypt, sha512crypt, Citrix_NS10, dahua, Django, django-scrypt, dmg, dragonfly3-32, dragonfly3-64, dragonfly4-32, dragonfly4-64, Drupal7, eCryptfs, EFS, eigrp, EncFS, EPiServer, fde, gost, gpg, HAVAL-128-4, HAVAL-256-3, HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512, hMailServer, hsrp, IKE, keychain, keyring, keystore, known_hosts, krb5-18, krb5pa-sha1, kwallet, lp, lotus5, lotus85, LUKS, MD2, md4-gen, mdc2, MediaWiki, MongoDB, Mozilla, mscash, mscash2, krb5pa-md5, mssql, mssql05, mssql12, mysql-sha1, mysqlna, net-md5, net-sha1, nk, nsldap, o5logon, ODF, Office, oldoffice, OpenBSD-SoftRAID, openssl-enc, oracle, oracle11, Oracle12C, Panama, pbkdf2-hmac-md5, PBKDF2-HMAC-SHA1, PBKDF2-HMAC-SHA256, PBKDF2-HMAC-SHA512, PDF, PFX, phpass, pix-md5, plaintext, pomelo, postgres, PST, PuTTY, pwsafe, RACF, RAdmin, RAKP, rar, RAR5, Raw-SHA512, Raw-Blake2, Raw-Keccak, Raw-Keccak-256, Raw-MD4, Raw-MD5, Raw-SHA1, Raw-SHA1-Linkedin, Raw-SHA224, Raw-SHA256, Raw-SHA256-ng, Raw-SHA3, Raw-SHA384, Raw-SHA512-ng, Raw-SHA, Raw-MD5u, ripemd-128, ripemd-160, rsvp, Siemens-S7, Salted-SHA1, SSHA512, sapb, sapg, saph, 7z, sha1-gen, Raw-SHA1-ng, SIP, skein-256, skein-512, aix-smd5, Snefru-128, Snefru-256, LastPass, SSH, SSH-ng, Stribog-256, Stribog-512, STRIP, SunMD5, sxc, Sybase-PROP, tcp-md5, Tiger, tc_aes_xts, tc_ripemd160, tc_sha512, tc_whirlpool, VNC, vtp, wbb3, whirlpool, whirlpool0, whirlpool1, wpapsk, ZIP, NT-old, crypt
Am I missing something? Thanks!
submitted by mrquisda to AskNetsec [link] [comments]

How to steal coins if some one-way function is flawed?

Dear Bitcoin
I'm trying to grasp the different implications if any one-way function of the address creation process is flawed. I've come up with two different types of potential flaws
Both of these imaginary flaws can be found in either the specification or in an implementation. I only focus on specification flaws here, but I do think the same analysis holds for implementation flaws as well.
The tables list my understanding of what needs to be done in order to steal someone's coins, given that only the public key hash or script hash is known.
Are these tables correct? Is there any important information to add?
Version 0 addresses
Function Small output space Can craft input
Random number generator Doomed! N/A
Public key derivation Doomed! Must pre-image attack RIPEMD(SHA())
SHA256 Doomed! Must pre-image attack RIPEMD AND brute force public key derivation
RIPEMD160 Doomed! Must brute force SHA(pubkeyderivation())
Pay-to-script-hash addresses
Function Small output space Can craft input
SHA256 Doomed! If I know the script [1], I can craft a second script with same SHA256 value. If script is not known, I need to pre-image attack RIPEMD160
RIPEMD160 Doomed! Must pre-image attack SHA256
[1] is very likely. For example a party in a multisig address knows the script and can rip off the other parties.
We are doomed if any of the functions are brute-forceable. That means that the more fancy one-way functions we use, the more vulnerable we are.
Sources:
submitted by kallerosenbaum to Bitcoin [link] [comments]

Technical ? about btc address algorithm

Can someone help clarify a small detail about btc addresses? I am following the steps of address creation from a private key.
The public key consists of a 1 byte compression code followed by two 32 byte numbers representing an x,y coordinate on the ECDSA function.
What exactly is fed into the SHA256 and RIPEMD160 hashes? The entire 65 byte number, the 64 byte number (minus the compression code), or each 32 byte coordinate separately?
A second question involves compressed public keys. If you are starting with a 33 byte compressed public key, your first step in creating an address would be to recreate the full 65 byte public key then apply the address algorithm.
I am assuming its either the first or second option, but can't seem to find an answer on the various wikis and reddit posts. I'm presenting on this topic for our local bitcoin meetup and just want to make sure I understand it perfectly. Thanks in advance for any help someone can provide.
submitted by sc_jp to Bitcoin [link] [comments]

A quick reminder on what Bitcoin addresses are

It is because my answer got downvoted here http://www.reddit.com/Bitcoin/comments/2v4imf/which_one_will_be_claimed_first/coei6x1?context=3
A Bitcoin address is the SHA256 and RIPEMD160(not exactly in this order) hashing of the public key. The whole process is described here https://en.bitcoin.it/wiki/Technical_background_of_version_1_Bitcoin_addresses
My point is, that while a bitcoin address is derived from a public key, it is not A public key as it's not possible to get the public key from a Bitcoin address, not unless the owner of that address has spent any coins. In fact, today most transactions pay to the resulting ripemd160 hash of a public key, and not to a pubkey directly.
submitted by farmdve to Bitcoin [link] [comments]

Blockchain scripting contest, second stage

This blockchain scripting contest is a way to raise awareness about the possibilities and powers of the scripting mechanism integrated in the bitcoin protocol.
Every stage will be about a non-standard transaction output (scriptPubKey) broadcast by me and funded with a given amount. Objective of the stage is to find an appropriate script (scriptSig) that will succesfully resolve the stacked scripts, as requested by the bitcoin protocol. The amount in the tx output is the award of the stage and can be claimed at will.
The difficulty of the stages will increase in each step.
Link to 1st stage and solution
2nd stage
Funding transaction/output: 948aeca2003bf0bdc4f0dc7d61615d05010da8bca744dd9cfa12fb57e2540a2d, n=0
Claimable amount: 5 mBTC !!remember to reserve at least 0.1mBTC for transaction fees!!
scriptPubKey to solve:
OP_DEPTH OP_1 OP_NUMEQUAL OP_IF 6e616d65206f66206e616b616b616d6f746f OP_DROP OP_RIPEMD160 OP_RIPEMD160 9c864b8bb110c05cb9c77381ad5d6868f0fd9f9f OP_EQUAL OP_ELSE OP_DUP OP_HASH160 897b934876ff50bfebe218e30382d7eaa6559a12 OP_EQUALVERIFY OP_CHECKSIG OP_ENDIF 
Difficulty level: medium
State: Unclaimed!
Recommended Toolchain:
Documentation: Transactions, Raw Transactions API, Scripts and OPcodes reference.
Have fun!
PS: Any amount sent to the address 1JHCn9wLLXHc4yfo968FrT259Um2hzeUpy will be used to fund the next stages.
submitted by tartare4562 to Bitcoin [link] [comments]

Série [3/4] - Curvas elípticas no Bitcoin - Gerando chaves públicas Advanced Bitcoin Scripting -- Part 1: Transactions & Multisig

RIPEMD-160 (RACE Integrity Primitives Evaluation Message Digest) is a cryptographic hash function based upon the Merkle–Damgård construction.. RIPEMD-160 is an improved, 160-bit version of the original RIPEMD, and the most common version in the family. RIPEMD-160 was designed in the open academic community, in contrast to the NSA-designed SHA-1 and SHA-2 algorithms. It is used in the Bitcoin standard. It is a a strengthened version of the RIPEMD algorithm which produces a 128 bit hash digest while the RIPEMD-160 algorithm produces a 160-bit output. The compression function is made up of 80 stages made up of 5 blocks that run 16 times each. This pattern runs twice with the results being combined at the bottom using modulo 32 addition. Padding. The ... RIPEMD-160 (RACE Integrity Primitives Evaluation Message Digest) ist eine kryptographische Hashfunktion mit einer Ausgabe von 160 Bit.. RIPEMD-160 wurde von Hans Dobbertin, Antoon Bosselaers und Bart Preneel in Europa entwickelt und 1996 erstmals publiziert. Es handelt sich dabei um eine verbesserte Version von RIPEMD, welcher wiederum auf den Designprinzipien von MD4 basiert und in Hinsicht ... OP_RIPEMD160 166 0xa6 in hash The input is hashed using RIPEMD-160. OP_SHA1 167 0xa7 in hash The input is hashed using SHA-1. OP_SHA256 168 0xa8 in hash The input is hashed using SHA-256. OP_HASH160 169 0xa9 in hash The input is hashed twice: first with SHA-256 and then with RIPEMD-160. OP_HASH256 170 0xaa in hash The input is hashed two times with SHA-256. OP_CODESEPARATOR 171 0xab Nothing ... RIPEMD-160 is another hash function; it computes a 160-bit message digest.. There is a RIPEMD-160 home page, with test vectors and pseudocode for RIPEMD-160.For padding the message, RIPEMD-160 acts like MD4 ().. Find the RIPEMD-160 message digest of a string of octets.Use the ASCII encoded string “Rosetta Code”.You may either call an RIPEMD-160 library, or implement RIPEMD-160 in your ...

[index] [47691] [39408] [12693] [42615] [51529] [21074] [50164] [17464] [14807] [996]

Série [3/4] - Curvas elípticas no Bitcoin - Gerando chaves públicas

This is the first part of a more technical talk where Andreas explores Bitcoin script, with examples from the 2nd edition of Mastering Bitcoin, focusing on t... Nota: Hoje em dia dentro dos endereços bitcoin usa-se um hash ripemd160(sha256()) da chave pública, também conhecido como endereço P2PKH, e isto tem somente 20 bytes, ocupando muito menos ...

#