27 comments

[ 3.0 ms ] story [ 77.4 ms ] thread
A little note about the "make a privkey" section of the signature example; it can sometimes* make invalid privkeys that are off the end of the EC curve. Only integers between 0x1 and 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 are valid in our particular case. Super unlikely to ever get a sha256 hash that matches the invalid portion, but it's worthwhile to point out.

* probably never, but worth mentioning

Excellent point, added as annotation, thanks!
This curve order limit actually introduces a small bias. You can choose a number greater than a curve order, but then it'll be taken modulo the order, so some incredibly small amount of numbers will be biased closer to zero. In practice the probability to hit such numbers is less than 2^-128, so you may easily skip all checks and take the number as is. Of course, nitpickers will nitpick and that's why in all standards that describe key and nonce generation (BIP32, RFC 6979 etc), you'll see boilerplate code that checks for such numbers and does some extra cumbersome computations just to avoid these from happening.
Possible bug:

The instructions BOOLAND and BOOLOR don't interpret the stack values the same way IF, VERIFY etc do. They decode the top stack values as integers and compare against zero, thus they have to fail when the top stack item size is greater than 4 bytes.

Edit: littleEndian.decode also doesn't seem to respect the size limits

Edit2: .. or signed integers for that matter. So while this is a very cool basic concept, it's not a complete implementation.

The reference client provides test suites

https://github.com/bitcoin/bitcoin/blob/master/src/test/data...

https://github.com/bitcoin/bitcoin/blob/master/src/test/data...

Yes, you're right, numbers treatment is not exactly the same as in Bitcoin Core. The script interpreter supports only basics and it was implemented to show how Bitcoin Script works in general for another article [0].

But it was not clear from this text whether it's a complete implementation or not so it looks like a bug. I've added the annotation [1] and will update the interpreter in the future.

Of course if one wanted to use Bitcoin in real projects I'd rather recommend Bitcoin.js [2] but that's another topic.

Thanks for comment!

[0]: https://curiosity-driven.org/bitcoin-contracts

[1]: https://curiosity-driven.org/low-level-bitcoin#operators

[2]: http://bitcoinjs.org/

No problem - I wasn't sure if this is something you're currently working on or just a demonstration. The script interpreter is a tricky beast that looks easy but has a lot of edge cases. If one client behaves slightly different, a blockchain fork could happen: https://bitcoin.org/en/alert/2013-03-11-chain-fork
Yes, exactly. And there are a lot of tricky corner cases like SIGHASH_SINGLE when number of inputs != number of outputs with hash 0x01 [0]. Actually the entire implementation (Bitcoin Core) is the specification :) It's interesting from the software design point of view - an extreme case of backwards compatibility. It's hard even within Bitcoin Core as some changes already caused forks [1].

The article is just a demonstration but it won't hurt if it was as accurate as possible (while still being readable) :)

[0] https://en.bitcoin.it/wiki/OP_CHECKSIG#Procedure_for_Hashtyp...

[1] http://bitcoinmagazine.com/3668/bitcoin-network-shaken-by-bl...

This article had me wondering what will happen when people start storing copyrighted data (or worse, pedopornographic images) inside the blockchain.
So what happens if someone puts CP into the block chain and publishes the instructions to retrieve after two months?
The same thing that happens to every other data put in transactions - if they're included in blocks every node (full verifying node [0]) downloads it and stores it locally forever.

[0]: https://code.google.com/p/bitcoinj/wiki/FullVerification

So a lawless space? What if a judge wants the data to be removed?
Then they'd need some very powerful mining equipment! Bitcoin uses merkel trees to ensure transactions in blocks never change.
An unregulated/unregulatable space. Might as well try to regulate math - "PI is 3"
How is that related? If someone puts CP intentionally into the block chain that has nothing to do with math. The spread of child pornography is a criminal offense and they could just force every miner to split the chain or charge them for spread of CP.
Pi is a number. A picture is also a number (a very long one, just like any other file), including CP.
By that logic you could make anything illegal, legal.
> By that logic you could make anything illegal, legal.

I'm not a lawyer but from a technical point of view it's almost impossible to remove any kind of data from a truly distributed network. Be it Bitcoin's Blockchain, BitTorrent or the internet itself. That's just a fact, no judge order will change it, sorry.

And as M4v3R said it'd be very expensive to add a big file like a picture to Blockchain anyway.

You probably have it on your computer already, if someone publishes interesting enough instructions for "retrieving" it.
Its pissing into the wind to try to regulate some things. Like trying to teach a pig to sing? Doesn't work, and annoys the pig.
If the judge is really determined to put you in jail he will find CP, cocaine and unpaid taxes everywhere in your life. Law operates beyond logic and reason: only authoritative opinions and scripture interpretations matter. Ask that question to those who will put handcuffs on you, not to fellow peaceful citizens.
It is perfectly possible to do so, but it would be quite expensive to do so. It is easy to embed ASCII data (some 40-80 bytes) in one transaction, but that's it. To embed an image, requiring at least few kilobytes of binary data, you would need to pay a significant amount of fees.
On related note, you can think of a JPEG image as an instruction to retrieve CP from your CPU and LED screen if you will. When it comes to law, there's no logic since all laws are written and interpreted by faulty humans with some weird ideas in their heads (like "lets beat the shit out of people who disobey").
Nothing. The way arbitrary data is stored in the blockchain is encoding it in the financial transactional data.

For example, you could use a similar method to "store" data using Paypal: use the amount of cents in each transaction to encode a byte of data (e.g. $1.17 means 0x75 etc.) and make transfers to random people until enough bytes have been transferred. That's it, your copyrighted data or CP is now forever "stored" on Paypal servers.

I don't think this accusation will hold up in any reasonable court. Taking into account the cost of storing data (20 bytes in a single output of minimum 5400 satoshi + fees) your hypothetical instructions and code to retrieve the images would be of comparable size to any images you can reasonably store.

There is no minimum output size. Outputs can be zero-valued.
The standard client and by extension most miners will reject outputs smaller than a certain value ("dust")

You are correct that the protocol itself doesn't have a minimum output size, so if you mine a block yourself you can include dust reliably.

(comment deleted)