1 of 1 MULTISIG
Is a 1 of 1 "multisig" valid?
OP_1 <PubKey> OP_1 OP_CHECK_MULTISIG

Example hasn't been spent but w/ a 1 satoshi output I don't think it will be.  Is output 20 otherwise valid?
http://webbtc.com/tx/b96af3b69b48a82c5eae3e44ebb6ef93f30d7764b1d5b40243e11b0d374ac1b7

P2SH "Spend" without a signature?

http://webbtc.com/tx/6a26d2ecb67f27d1fa5524763b49029d7106e91e3cc05743073461a719776192


Ok Input references unspent previous output 9c08a4d78931342b37fd5f72900fb9983087e6f46c4a097d8a1f52c74e28eaf6:0 (txid:index) which is
"scriptPubKey": "OP_HASH160 19a7d869032368fd1f1e26e5e73a4ad0e474960e OP_EQUAL"

"Pay to the Script which hashes to 19a7d869032368fd1f1e26e5e73a4ad0e474960e".  Ok good so far.

The input ScriptSig is 5121029b6d2c97b8b7c718c325d7be3ac30f7c9d67651bce0c929f55ee77ce58efcf8451ae

The HASH-160(5121029b6d2c97b8b7c718c325d7be3ac30f7c9d67651bce0c929f55ee77ce58efcf8451ae) = 19a7d869032368fd1f1e26e5e73a4ad0e474960e
So redeemScript is correct (hashes to ScriptHash).  Looks good so far.

The bolded 0x21 means push the next 33 bytes (the compressed PubKey).  Right?

So decoded we have:
OP_1 0x029b6d2c97b8b7c718c325d7be3ac30f7c9d67651bce0c929f55ee77ce58efcf84 OP_1 OP_CHECK_MULTISIG

Ok another 1 of 1 multisig except a P2SH version this time.  We need the tx signed by 1 signatures from the set of 1 PubKey(s) {029b6d2c97b8b7c718c325d7be3ac30f7c9d67651bce0c929f55ee77ce58efcf84}.  Right?

Except there is no signature.

Here is the Raw Transaction:

0100000001f6ea284ec7521f8a7d094a6cf4e6873098b90f90725ffd372b343189d7a4089c0100000026255121029b6d2c97b8b7c718c325d7be3ac30f7c9d67651bce0c929f55ee77ce58efcf8451aeffffffff0130570500000000001976a9145a3acbc7bbcc97c5ff16f5909c9d7d3fadb293a888ac00000000

The redeemScript is bolded.  The blue is the TxOutHash, the green the TxOutIndex, and the red is the Sequence (end of input).  No signature for the 1 of 1 multisig.

Tx was included in a block so what am I missing?

It doesn't belong to you.  Taking something which doesn't belong to you is theft.  It really is that simple.

My first reaction is that the best solution is a fixed subsidy per claim tx that gets added to the block subsidy (if any).  This would be additional "minting" but the money supply would still remain finite (if that is desired) as the number of claims is finite.  


Yes but the user would need at least one unspent output referencing the particular ScriptHash that is in the snapshot ledger.  As a side note this would apply to any output type as well.  If the user has no unspent outputs referencing that identity* with which to create a transaction he would need to send some coins (any valid amount) to that P2SH address.  

This could be potentially confusing to users however I see a ClaimExplorer along the lines of blockchain.info or blockexplorer as a method to aid users.


Agreed.  Obviously the best solution is one where clients (or at least one major client) makes it easy to add an OP_RETURN output to a transaction.  Given the dislike by the core team regarding the use of OP_RETURN I don't see this happening in the Bitcoin Core but possibly in other wallets.

A potential workaround would be to use a third party application to create the raw unsigned transaction.  User supplies a bitcoin address, third party verifies there is an available claim (possibly checking multple spinoffs), and returns a raw transaction which user could use client to sign.  There is an element of trust involved but it is manageable.  One option would be to make this a function of the same open source software which generates the initial ledger.  A simpler option would be to at least make the snapshot software have the ability to decode raw Claim Request Txs into plain english.


This is one place I would advocate address reuse.  If A & C are the same address those lines can be dropped from the warning.

It is possible Bitcoin Core was offline or syncing when the tx was sent.  I assumed it was due to peer propagation but it could have been a client side "bug".  The fact that it instantly was reported by the receiver's wallet once the block was received is good.  Still not the best to have to explain to a new customer how their funds have been sent even though they can't see it.  Even more fun that it was some miners excluded it so it took longer before the block showed up.  This despite being near the top of the memory pool when ranked by fee per KB.

If it is a timing issue it would be nice feature if the client supported a query option.  Provide a tx id and the client will ask all its peers if they are aware of the tx.

Updated the Simplified Claim Verification (SCV) proposal https://bitcointalk.org/index.php?topic=563972.msg7122252#msg7122252

I will continue to update and expand the post as time permits.  Beyond the SCV I think a more complete analysis of the UXTO is useful so I will be adapting an existing block parser to that purpose.  It will have to wait until next weekend as I will be offline this weekend.  I promised my wife a real vacation.

Thanks but that is an input. There is no prohibition on the value of inputs only on the value of outputs (the goal is to prevent creating new dust, not preventing the "spending" of existing dust).  The tx only has a single output and it is above the dust limit.

Here is the raw transaction decoded: <Nope can't post it forum has a max limit of 64K char per post>

https://blockchain.info/tx/7945140310e5e22e2d38f41eba3422e11e92719aad527e6e4a4d7b660ac5cda7?show_adv=true

The tx is large (17K) but it includes >0.1mBTC per KB in fees, it has no double spent or unconfirmed inputs, and it has no dust outputs.  The interesting thing is that the tx was sent from Bitcoin Core (v0.91).  That node does not have direct connectivity to blockchain.info so it must have been relayed by at least one peer.  The recipient node is also using Bitcoin Core v0.91 but the tx is not in the memory pool and my assumption is that the recipients peers are dropping it.  The question is why?  Possibly a difference in relaying rules on older nodes (and the recipient is unlucky enough to have all older nodes as peers?  As of the time of the post it hasn't been included in a block but I am more concerned with what would keep it from being seen as an unconfirmed tx by the recipient node.

On edit: ok it was just included in a block and the recipient node instantly recognized and reported the confirmed tx but why wasn't it relayed prior to being confirmed.

Yes.  This ties into the idea of coming up with "best practices" which go beyond technical implementation.   If today a hypothetical spinoff developer decides without explanation to use a snapshot of block 187,209 that would probably be a red flag.  Technically any block could be used to build the bootstrap.bin but barring some justification using a block that far in the past is dubious.  Why such an old block? Why 187,209 and not 187,208 or 187,210?  Using a recent block preferably one announced in advance is more transparent (i.e. announcing today that the bootstrap.bin for xyzCoin will be built using a snapshot of block 320,000).

You only have a claim based on your "bitcoin balance" at the time of the snapshot block.  If you hold 0 BTC at the snapshot block, BTC acquired later will not change that.  Likewise if you have a valid claim (based on your balance at the time of the snapshot block) then any action in the future will not remove that.   In your example Alice would not have to redeem her claim prior to transferring the coins to Bob she could do it afterwards and it would still work (her claim would be valid, bob would have no claim).  As far as Alice defrauding Bob with a false promise (buy my BTC and you will get xcoin spinoff claim too) well nothing prevents that other than Bob being informed.  The snapshot.bin will be public information and most likely created in advance of the spinoff.  Someone could develop a "snapshot explorer" much like the block explorer type sites which exist today which would allow someone to lookup the claim status of keys they own (either manually or by exporting their public keys).

It is still rough but I believe the core idea is sound.  There probably are issues I haven't anticipated but I don't believe any of them would break the solution.  As rough as it is, it was good to get it down on paper at least as a starting point.  The rough concept has been rattling around in my head for a long time (probably more than a year).  The more I got interested in your spinoff idea the more I realized this could be adapted to it.


Agreed.  You probably already realize this but I will just restate it in case it is not obvious to anyone else following the thread.   The system will work even if there is only a single spinoff miner with dual network access.  The parent chain recording will be "clunky" (i.e. 10 blocks with no parent block headers and then the one dual network access miner publishes a block with a flood of parent chain headers).  Obviously it is optimal if a large number of miners have dual network access.  I see a number of ways this can be incentivized

a) Parent block header is required in spinoff block (or there must be at least one parent header in the past x blocks inclusively).  Obviously you get 100% of miners to be dual network capable.  I don't particularly like this solution as it may make some users decide to not mine at all (and healthy mining support is critical for the bootstrap phase) but it is an option and may make sense for a chain which supports merged mining with the parent.

b) Parent block header is optional and there is an increased block reward for the inclusion.  This is as you suggested and something I considered but I must be a paranoid person because anytime I have an idea the first thing I think of is how could this be abused not how it is helpful.   Still it has helped me to not lose a single satoshi (personal, company, or customer funds).   In my earlier concept I wondered about a malicious entity bloating the spinoff by including inferior chains.  I believe that keeping the spinoff's link to the parent network behind (deep in the parent blockchain) this issue isn't much of a viable attack although I wouldn't mind other people considering how they could break or abuse it.  Although the attacker isn't compensated for this bloat in the other scenarios I cover it in general below because "Some Men Just Want To Watch The World Burn".

c) parent block headers are optional but there is no increased block reward.  Miners can not collect claim fees until the parent block chain has been extended so they have an indirect incentive already.  This can optionally be strengthened by a fee subsidy on claim txs.  The subsidy fee would simply be additionally "minted" coins just applied per tx not per block.

I can see any of these options (and possibly others) working.

Security Note:
The entire parent block header system should be carefully analyzed.  I tried brainstorming but couldn't come up with any attack vectors which are particularly viable although this isn't a guarantee that I haven't missed some obvious (or not so obvious) attack vector.  The foundation of the claim security model rests of the the fact that the spinoff can learn of the "best chain" on the parent network and building a forgery chain (one which has invalid claim txs but is otherwise valid) that is better is infeasible.

This breaks down to 4 assumptions:
a) It is infeasible for one to build a chain that continues to remain longer than the best parent chain unless the attacker has a majority of the computing power.
b) If the attacker has a majority of the computing power on the parent network, the cost to use that to attack the spinoff would be prohibitively expensive.
c) If the attacker has a minority of the computing power, the length of the chain needed to forge a claim tx makes the probability that an attacker can "fool" the spinoff long enough to complete the attack.
d) There is nothing which can prevent the spinoff chain from learning of the best chain on the parent network and thus reducing the strength of the other security assumptions.

I believe these assumptions are valid and I can not find any attack vector which wouldn't be prohibitively expensive and of dubious value, although I welcome some critical analysis of possible attack vectors to the spinoffs reliance on getting "good blocks" from the parent network as it is the foundation.  The rest of the security model for the SCV (simplified claim verification analogous to SPV) relies on that foundation. 


Good points and ideas but I ran out of time. I will respond to them in a future post. 

OP please change the title to include the words release candidate 1.  

Per the release notes:

Also the infinite bitcoins bug has been fixed.

Here is a very rough draft (more like putting an idea on a napkin at this stage)

Note: As the current time the draft limits itself to an alternate verification method for claims.  In the future if Peter sees continued merit, this entire draft would likely be a subsection of a general spinoff whitepaper.

Some useful references:
Original spinoff proposal by Peter R
Bitcoin whitepaper by Satoshi Nakamoto (see section 8 on SPV clients and section 10 on attack chain calculations)
Analysis of hashrate-based double-spending by Meni Rosenfeld

Proposal for a Simplified Claim Verification (SCV) Model

Introduction
The SCV (Simplified Claim Verification) is an alternate method of verifying spinoff claims which uses the parent chain to perform signature validation.  The original claim verification method outlined by Peter R could in comparison be described as a full claim verification.  The differences between these two models has some similarities to the differences between how full nodes and SPV (Simplified Payment Verification) clients validate transactions on the Bitcoin network.  The full claim verification requires spinoff clients to implement cross chain validation, the clients are larger and heavier but they have no outside dependency.  The SCV model is tradeoff by removing the validation of parent chain signatures from the spinoff in exchange for a dependency on the parent blockchain.   This dependency can be temporary through the use of claim window.

The full verification model involves the claimant signing a claim message using a parent network client or tool and then submitting the digitally signed claim to the spinoff network.   The spinoff network matches the claim against a ledger created from the unspent outputs of the parent network.  Some outputs are relatively simple.  The "normal" Bitcoin transaction is a Pay2PubKeyHash.  The output contains a PubKeyHash and a tx spending that input (or message assigning a claim) needs to be signed by the private key of the corresponding PubKey which hashes to the PubKeyHash in the output.  Bitcoin (and other potential parent chains) have more complex scripts and this complexity is increased by the fact that the output mut ay define multiple signatures or other conditions.  In some cases the output does not contain the script but instead a hash of the script (P2SH).  This means even a full parsing of the blockchain can not identify all possible script templates.  To be handle the redemption requirements of all claimants the spinoff would need to reproduce most or all of the transaction validation engine of the parent chain inside the spinoff client.   If the parent chain is Bitcoin, and the spinoff is very Bitcoin like this may not be a significant overhead but that is also the scenario that is the least interesting.  A spinoff which is radically different would end up maintaining a large amount of code which is only used for claim processing.

The SCV model like SPV model is a simplified verification process, that relies on assumptions that can be made when a transaction is deep in the best chain of a the blockchain.  A spinoff using the SCV model can without any direct knowledge of how the parent validates txs rely on the fact that an invalid tx deep inside the longest chain of the parent blockchain is not possible unless a majority of the computing power on the parent chain is either malicious or non-compliant (protocol flaw).

As transaction validation on a single network is an easier concept, lets look first at how SPV clients on the Bitcoin network use tx depth as a proxy for direct validation.  In the Bitcoin network the input of a transaction contains a reference to the unspent output of a prior transaction.  SPV clients do not maintain a full copy of the blockchain so while an SPV client can verify the referenced output is valid it can't determine is they are spent or unspent.  The SPV security model relies on the the fact that building an alternate blockchain is an expensive task and compliant nodes will not extend a chain with an invalid block.  If a tx is invalid (i.e. the inputs reference an otherwise valid but already spent output) then the block containing it is invalid as well.  Full nodes that block and build off the best valid chain.  So a tx which is hundreds of blocks deep in the best chain of a blockchain can be assumed to be valid unless an attacker has a majority of the computing power (51% attack) and even in that case the cost of the attack and the fact that it would only fool SPV clients makes it an attack vector of limited value.  

In the SCV model, the claimant creates a tx which contains an output with claim instructions for the spinoff.  The parent network is unaware of the spinoff but it will validate the tx like any other tx on the parent network.   The spinoff client may not know how to validate the the parent tx but it can rely on the fact that the tx is in best chain of the parent blockchain as an indirect validation which like the SPV model is valid as long as the attacker doesn't have a majority of the computing power (51% attack) and the tx is sufficiently deep that it would be infeasible to out build the majority of the network for a chain that long.   The spinoff client only needs to be able to extract the identity of the signer from the inputs and compare them to the claim identities recorded in the bootstrap.bin.


Definitions (some new concepts are introduced so I found it useful to define some new terms to avoid lengthy in-line explanations)

* TODO: Bad naming convention?  Looking for a name to clearly indicate the parent tx which encapsulates the claim payload.  It is needed to distinguish between the tx on the parent network and the tx created on the spinoff network.  Maybe some diagrams showing the relationship between the Claim Request, the Claim Payload, and the Claim Redemption.  Drop the "tx" from the definition?  Is it implicit?


Generating the Bootstrap.bin
As already proposed in this thread the bootstrap.bin will contain a ledger of "claims" against the spinoff based on the unspent outputs of the parent network at a designated blockheight (snapshot block).  No significant deviation from the proposed format of the ledger is required to support a spinoff using SCV clients.  

The spinoff will need to hardcode the blockheader (80 bytes) of the snapshot block of the parent chain.  It would be beneficial for the blockheader of the snapshot block to be part of the output for open source bootstrap creation and validation tools.  The block header is not needed for spinoffs using full validation but the small size is negligible compared to the benefits of a single automated open source tool.  The snapshot block header is the root of the subset of the parent chain required by the spinoff.  The blocks prior to the snapshot are not required because the bootstrap ledger contains the value of the unspent outputs as of the snapshot block.  From the context of the spinoff chain, the snapshot block becomes the genesis block for the (reduced) parent chain.

TODO: Determine the output distribution by unspent value instead of nominal number of outputs.
TODO: Determine if handling non-P2SH non-standard outputs warrants the complexity (distribution of the long tail).
TODO: Show optional method for reducing the size of native m of n outputs in the bootstrap.bin.
TODO: Show optional method for reducing the size of entire ledger by trading computing power for space.


Creating Claim Request Tx on Parent Network
The claimant begins the process by creating a Claim Request Tx on the parent network.   The tx consists of one or more inputs signed by the same identity as an unredeemed claim in the bootstrap ledger.  The tx can have one or more non-claim (standard) outputs.  This is necessary to "spend" the value of the unspent output(s) referenced in the input(s).    So far this is a "normal" transaction on the parent network however an additional OP_RETURN output with a zero value will be added.  OP_RETURN outputs are not spendable on the parent network but allow an arbitrary payload limited to 40 bytes.   OP_RETURN is prefered over other ad-hoc solutions as the OP_RETURN output is marked by the parent network as unspendable.  It doesn't bloat the UXTO and can be optionally pruned by nodes on the parent network.  If it important that the OP_RETURN output have a zero value and the sum of the values for the other outputs equal the sum of the values of the inputs (minus any tx fee) to avoid losing funds on the parent network.  

The 40 bytes recorded in the OP_RETURN output is the Claim Payload; it embeds spinoff specific instructions inside an otherwise normal tx on the parent network.  The Claim Payload should contain a "magic bytes" header to allow rapid identification of Claim Requests by the spinoff network, spinoff specific identifier indicating the identity/account/address that is encumbering the claimed coins, and optionally a fee paid to spinoff miners.  It is important to note the Claim Payload has no significance to the parent network.  It is just a blob of data outside the scope of the parent network (and one which may be pruned in the future).  The parent network is validating the larger Claim Request Tx.  The limit of its validation of the OP_RETURN output is to ensure it meets the limits specified by the parent protocol (for example in the Bitcoin network the embedded data in an OP_RETURN output is limited to 40 bytes, and a transaction is limited to a single OP_RETURN output).  The parent network can not validate the Claim Payload, that is a task for the spinoff network.


Validating the Claim Request By Proxy (simplified)
Before moving forward lets assume a simplified scenario where all nodes on the spinoff network have a complete continually updated copy of the parent blockchain.  This would be an excessive requirement and one that can by removed but it allows for a simplified explanation of how the Claim Requests can be validated without directly verifying the signature. Once a node on the spinoff network validates that the Claim Request Tx is sufficiently deep in the longest chain of the parent network it can conclude that the tx was properly signed even without verifying the actual signature (and all the complexity and overhead that entails).   What allows that assumption?  

If the tx was improperly signed, then the tx would be invalid.  An invalid tx included in a block makes the block invalid.   Any block built on top of an invalid block is likewise invalid.  Compliant nodes would reject the invalid block and build off the last valid block.

So lets look at three different scenarios:
a) The tx is improperly signed (a forgery) and the forger has no hashrate on the parent network.  The tx is dropped by all full nodes and if it reaches a miner, no compliant miner includes the tx in a block as it would make the block invalid.    Once the tx is included in any valid block on the parent network the spinoff can conclude this is not the case.

b) The tx is improperly signed and the forger has a minority of the hashrate on the parent network.  The forger could include the invalid tx in a block but other compliant miners would see that block as invalid and not extend that chain.  The attacker by luck could temporarily produce the longest chain but the deeper the tx is in the longest chain the lower the probability that an attacker with a minority of the hashrate could extend a chain longer than the compliant miners.  Even if an attacker has 40% of the hashrate on the parent chain, the probability that the attacker will have the longest chain after 89 locks is 0.1%.

c) The tx is improperly signed and the forger has a minority of the hashrate on the parent network.  Given enough time the probability the attacker will have the longest chain approaches 1. This would be a variant of the 51% attack however the cost can be made prohibitively expensive.  In a conventional double spend attempt the attacker is replacing one valid tx with another valid tx.  If the attacker is successful he double spends the victim and since his chain is the longest he claims the block rewards as well.  The value of the block rewards offsets the cost of the double spend attempt.   However in a SCV claim forgery the tx has an invalid signature.  The blocks created by the attacker will always be invalid on the parent network.   The attacker can only use that chain to spoof the SCV validation.   Even in a successful claim forgery the attack will lose the value of the block rewards on the parent network.  The cost of the attack is unavoidable.   Since a claim request only occurs once, that cost can be made prohibitively high for an attacker by requiring an increased number of confirmations (depth in the parent blockchain) before the Claim Request is considered valid.  As an example if using the Bitcoin as the parent network, the approximate value of the block rewards paid to miners is currently $2.3M per block day (144 blocks).  By requiring a Claim require 3 block days (432 confirmations) to mature even a successful forgery would cost the attacker more than almost $7M in lost rewards on the parent chain.

In this simplified model we assume that all nodes on the spinoff network have the full blockchain of the parent network.  We have shown that if the Claim Request Tx is not orphaned and sufficiently deep in the parent blockchain then the Claim Request Tx can be assumed to be properly signed unless the forger has a majority of the parent hashrate (51% attack) and a willingness to accept an extremely high irrecoverable cost in lieu of easier and more profitable attacks on the parent network  (i.e. double spends against crypto currency exchanges).  The cost and complexity of building a long flawed chain is used as a proxy instead of full validation a the transaction.   This is very similar to how SPV clients operate although the specific elements of what is verified by proxy are different.  The SCV model would not be very useful if all nodes had to maintain a full copy of the parent blockchain however this simplified model is easier to explain. The next section shows how the tx can be verified by any node on the spinoff network without access to the parent chain.

Validating the Claim Request By Proxy (actual)
In order for the spinoff network to validate the claim redemption tx it must confirm the following
1) The the claim_tx (contained in the OP_RETURN output) in the parent chain is properly formatted and otherwise valid.
2) That at least one of the input(s) of the parent chain chain has the proper signer and is not a double claim
 a) for Pay2PubKey tx = extract the PubKey, hash it, and compare to bootstrap.bin
 b) for Pay2PubKeyHash tx = extract the PubKey, hash it, and compare to bootstrap.bin
 c) for Pay2ScriptHash tx = extract the redeemScript, hash it, and compare to bootstrap.bin
 d) for native multisig tx = extract the PubKeys, arrange in canonical order, hash it, and compare to bootstrap.bin
3) That the tx is located in a valid Bitcoin block (blockheader, merkle branch, and txid can be used to prove this)
4) That the block can be linked to the "bootstrap snapshot block in the bootstrap.bin

All of these should be pretty self explanatory except #4.  The spinoff will need to be able to perform SPV level block verification (header only).  A copy of the block headers for the parent chain from the spinoff block to the closing of the claim window will need to be available to nodes on the spinoff network.  

For this reason this method of bootstrapping makes the most sense when the spinoff is being merged mined and has a claim window however it could be used on any network but at a minimum some miners would need to have dual network access (parent and spinoff).  The simplest method to record the bitcoin blockheaders into the spinoff chain would be to have an optional field in the spinoff blockheader for recording the bitcoin/parent blocks which are "mature" since the last spinoff block.  Other nodes do not need bitcoin/parent network access.  They are only validating that the blockheaders are valid not that they actually occur on the bitcoin network.  Some block validation rules will need to be developed, namely to reduce the orphan chains which are recorded in the spinoff only "mature blocks" are recorded.  This can be verified by requiring bitcoin blocks to be a certain number of seconds older than the timestamp in the spinoff block.  Since timestamps can be loosely verified (network median time) this ensures that only "old" (and thus very unlikely to reorg) parent blocks are recorded.   As an example if the network intends to consider bitcoin blocks more than 288 blocks (2 block days) deep in the chain as "mature" then the spinoff could require the timestamp of the bitcoin block be more than 288*600 = 172,800 seconds earlier than the timestamp of the spinoff block.

Bridging the parent and spinoff network

The claimee creates a Claim Request Tx on the parent network.  The Claim Request Tx exists only on parent network.  The information in that tx (inputs and the Claim payload) combined with parent blockheaders recorded in the spinoff blocks allow the construction of the Claim Redemption Tx (existing only on spinoff network).   One important factor is that construction the Claim Redemption Tx requires Dual Network Access however validating a Claim Redemption Tx only requires access to the spinoff network.  That is the key to the security model.  By ensuring that single network nodes can still validate all txs (including Claim Redemption Txs) the peer to peer nature is preserved and there is no reliance on trusted "super peers".  

The SCV model does require one or more entities need to have Dual Network Access to act as a bridge between networks.   Without these bridge nodes the spinoff network will never become aware of the Claim Requests (as they exist on the parent network).  The bridge nodes can not alter or forge redemption txs.  A bridge node is limited to refusing to relay information from the parent network and this withholding attack would only be effective if all bridge nodes engaged in withholding.  There is no special cost in running a bridge node beyond the resource requirements of each network so the attack would not be very effective.  Miners are a logical choice to act as a bridge node but as a fallback non-mining nodes can also act as a bridge.

Dual Network Mining Nodes: Spinoff miners who have dual network access can construct the Claim Redemption Tx (part of spinoff network) by identifying Claim Request Tx (part of the parent network).  The Claim Tx can be constructed in a deterministic and trustless manner by any party with Dual Network Access.  The instructions in the claim payload of the claim request made by the claimee on the parent network ensure that a miner can't modify a request as the tx would be invalid.  The claimee doesn't need to do or submit anything on the spinoff network (the Claim Reward Tx doesn't need to be signed as it is similar to a Bitcoin coinbase tx except the output is constrained by the instructions in the Claim Payload.  Miners with dual network access will need to parse the blocks of the parent blockchain, located Claim Request Txs, construct the Claim Redemption Txs, and record them in blocks on the spinoff network.  There should be sufficient incentive (in the form of tx fees possibly subsidized as a tx reward similar to block reward in the Bitcoin network) for some miners to maintain dual network access.  Miners opting to run dual networks would not be required to broadcast these Claim Redemption Txs before including them in a block and thus it would be in their best interest to include them in the next block as a source of additional fees.

Non Mining Bridge Nodes & Single Network Miners: If the Dual Network miners fail to include Claim Redemption Txs in spinoff blocks in a timely manner non-mining "bridge nodes" (possible setup as a fallback by the developer for the public good) could parse the parent blockchain, construct the Claim Redemption Tx and broadcast the txs to peers who would validate and relay them like any other txs, and the tx would eventually be included in a block by Single Network miners.  It is probably unlikely this would be needed, but it illustrates that the miners who have Dual Network Access can't do anything malicious with that access.  At best they may learn of Claim Requests before other nodes and can include them in a block for additional fees but the value of that knowledge rapidly declines.   To encourage dual network mining, the bridges could operate on a delayed fashion waiting a few blocks beyond when a Claim Request is mature.   This would give dual network miners, "first chance" at those fees, creating a built in incentive while preventing any type of cartel behavior as the information only has "value" if acted upon immediately (before all nodes learn of the new txs and their fees).

Recording the Claim Redemption Tx in the spinoff blockchain
It is important to keep in mind that the Claim Redemption Tx will exist only on the spinoff network and the spinoff network may be radically different than the parent network.  It is thus beyond the scope of the spinoff concept to define the exact claim redemption format (for example txs on a network using ring signatures or zero knowledge proofs would look radically different than "Bitcoin txs".   Whatever the format used there are data elements required to ensure that the Claim Redemption Tx can be validated by single network nodes.  The raw Claim Request Tx (pulled from parent network), the block hash of the block containing the Claim Request Tx (on the parent network), and a merkle branch are required.  How these elements are used to validate the Claim Redemption is described below.

Example Claim Redemption Tx (actual redemption tx will vary based on the constraints and design of the spinoff network)

* Recording inputs is not required (similar to how there is no requirement for coinbase tx to show the "input value") the "inputs" are extracted from the inputs in the claim_request and validated against the unredeemed claims in the bootstrap.bin.  Explicitly recording these inputs may be useful for optimizing the "unredeemed claim set" (similar to the UXTO in Bitcoin network).  

** The exactly output structure will depend on the requirements and constraints of the spinoff network.  The format and required elements of the claim payload will work in conjunction with the output to ensure the value is secured by the claimee.  For a c


Pseudocode for validating the Claim Redemption Tx

Required:
Spinoff nodes is well connected to peers.
Node has a full copy of the spinoff blockchain according to peers.
Node has constructed a "unredeemed claim set" which is a subset of the bootstrap.bin excluding all claims which have already been redeemed.
Node has constructed a header only subset of the parent_blockchain by extending from the snapshot block using parent_blockheaders located in spinoff blocks.

Perform the following:
1) parent_block_hash = H(parent_block_header) per parent tx rules
2) parent_txid = H(parent_tx) per parent tx rules
3) Parse input(s) based on known templates, identify the signers, and match against the set of unredeemed claims.  The inputs[] = set of unredeemed claims matching input signers.
4) Extract claim_payload from parent_tx.
5) Compute c_merkle_root using the tx_id and merkle_branch.

Claim Redemption is valid only if all the following are true:
1) The parent_block_hash is located in the parent_blockchain constructed from parent_blockheaders in spinoff blocks.
2) The parent_block_hash is not part of the best chain or is not sufficiently deep in the best chain.
3) The c_merkle_root is the same as the merkle_root recorded in the parent_block.
4) The inputs[] is not null and the value of the output is equal to sum to the value of the claim inputs.
5) The claim payload is valid per the spinoff protocol and the resulting tx properly encumbers the output based to the limitations set in the Claim Payload.

Advantages & Disadvantages of SCV Model
PRO: The parent tx validation complexity is removed.  The spinoff doesn't perform a validation on the Claim Request Tx containing the claim payload (this is done by the parent).  The spinoff does needs to be able to identify the Claimee and match it against the authorized claims in the bootstrap.bin by extracting the unique identifying criteria from the input(s) of the Claim Request Tx.  The scope of this problem is significantly smaller than understanding the full validation rules in all possible permutations of the parent chain.

PRO: More than 99.9% of outputs can be categorized into less than 30 variations of 5 basic templates which reduces the code overhead imposed by the parent on the spinoff.  It is possible that 100.00% of potential claims could be validated with a significantly smaller bootstrap.bin and less code overhead than what would be required for a "full validation" claim redemption model.  **
PRO: Spinoff network doesn't need to interpret the redeem script (P2SH) which makes compatibility easier to assure because P2SH scripts are unknown until spent
PRO: Miners can handle the seamless transfer of claims from parent network to spinoff

CON: This requires the spinoff to record all blockheaders of parent chain from the snapshot block forward until all claims have been redeemed.  This is unlikely to ever occur unless a claim window is designated.
CON: Security model is different but comparable to SPV clients not full nodes.  The risk is moderated by using a parent network with very high mining difficulty/cost and requiring long maturity of parent blocks to make forgeries prohibitively expensive.
CON: Requires at least some but not all nodes to have dual network access (to transfer blocks and claim tx from parent network to spinoff network.  the effect is reduced if the network is already merge mined)

** TODO: Replace with distribution by unspent output when available.

I don't know of any and it is very small %.  Most are probably due to mistakes they just happen to be mistakes where we can definitively say the output can't be spent.  The "normal" usage of OP RETURN is to encode up to 40 bytes of data in an output with zero value so the output is unspendable but not coins are lost.  As Danny pointed out it could be used to provably destroy coins (and there are a number of other methods) but I don't believe it has been used intentionally that way for anything other than a few tests.

I think we are done here and clearly posting was a waste of time.

Peter,

In doing some research on merge mining an idea occurred to me that could potentially make claims easier by creating an OP_RETURN output on the Bitcoin network.  The spinoff could operate in a manner that would be best described as a SPV node when it comes to validating claims and thus would not need to know anything about Bitcoin scripting language.  Like a SPV node the "proof" that a claim is valid would be that it is sufficiently deep in the bitcoin primary chain.  This really would make the most sense for coins which are planning to adopt merge mining and intend to implement a claim window.  If you prefer we can discuss it by PM or in a new thread.

I doubt it.  What makes a pump & dump possible is
a) a very limited supply/float
b) very thinly traded markets (often heavily controlled by the developer)
c) a dubious (but real) fear among altcoin users that they may be missing the train.  

On c I think this is probably like trying to catch lightning in a bottle a second time but I can at least recognize the human psychology behind it.   No doubt some people will try to use a spinoff to support "yet another altcoin" but critics can and should exercise their economic power given to them by the spinoff to "vote" against it by selling off their stake.  Pumps are very difficult to accomplish in the face of large order book on the sell side and as you point out critics have nothing to lose by selling their spinoff stake if the coin ultimately ends up a failure.  Getting even 1 satoshi per xCoin is better than getting nothing (if you feel the ultimately value is 0).

Nobody can prevent the creation of a shallow clone for the purpose of fleecing idiots from their hard earned money.  However an instamine, premine solely for the devs benefit, or "IPO" all are superior choices for trying to perform a pump and dump.  A spinoff in essence is a premine where the developer has no control over who gets a "piece" of the initial supply.  Unlike other choices where the other holders are either fellow conspirators or bagholders, a spinoff gives critics a stake at no cost.  They can act as a contrary force and source of liquidity.


If you feel there is no value or merit to the spinoff you certainly should.  In doing so your economic interests will align with the "greater good" helping the market to determine the appropriate price for the asset which if you are correct is zero.  Even if the spinoff is pointless the the market is more efficient as it has more participants.  Many of those would be critical, and willing to sell for any price (if you are convinced something is worthless then getting 1 satoshi on the Bitcoin is a net gain).  This leads to a faster price discover for spinoffs regardless of their value.   In comparison in an "IPO coin" the initial stake holders are only those who were willing to buy some coins.  There is significant selection bias as those who believe the coin has no merit wouldn't buy into the IPO.  Only the "believers" hold the stake and they are reluctant to sell (especially for a loss) this distorts the market, reduces liquidity and is how you see altcoins explode 5000% in a short period of time on essentially no volume.  Eventually price will follow value but the distorted market, lack of effective shorting mechanism, and very tiny float ends up delaying price discovery leading to short term spikes before it finally circles the drain.

Despite the possibility that I am flogging a deceased equatine, there is a difference between reclaiming "inactive addresses" and a greenfield project which puts the requirements for a claim upfront.  Imagine Satoshi had decided originally designed Bitcoin (to provide a limit on blockchain growth) that an output is invalid for spending more than 1 million blocks from when it was confirmed.  I would see no problem with keeping it that way.  Anyone creating an address would be aware of the limits of the system in advance.  Changing Bitcoin now to reclaim "inactive addresses" is unethical as it is an ex post facto change.  A new coin however that uses the bootstrap as of Bitcoin block 300,000 and requires claims to be made before "newcoin" block X has no such ethical risk.  The rule is known at the point of launch (actually it probably will be known well in advance of launch).  Nobody is suggesting excluding valid unspent outputs  (except maybe very limited scenarios related to feasibility).  If Satoshi wanted to claim x coins in a spinoff he certainly could do so by creating the appropriate signatures.  If he doesn't and the claim window passes then he is making a choice to exclude himself.

The only reason I bring this up again is I feel there may be some confusion on what is being considered with a claim window.  The claim window would be on the spinoff (i.e. claim outputs are only valid before block X) it wouldn't exclude any particular bitcoin unspent output.

The same reason why people don't keep a billion (or hundred thousand) dollars in their pocket today.   Bitcoin may change how banks operate, on how much it changes the banks will depend on how widely it is adopted.  There will always be banks.  Banks predate fiat currency by a couple a couple hundred years.   There were banks (100% reserve) in the Roman Empire.  Banking concepts (letters of credit, loans, interest, etc) were used in Greece and China even before that although they didn't exist as banks as we understand them today. 

I pointed out that analyzing the blockchain for various "templates" would be a useful way to determine how common they are.  Someone has already performed a similar analysis as of block 290,000. Just to be clear it isn't exactly what we are looking for but it is an interesting datapoint.

http://www.quantabytes.com/articles/a-survey-of-bitcoin-transaction-types

The linked survey
* Based on all outputs (unspent, invalid, and spent).
* Shows the nominal # of each output template, not the value of the outputs.
* The template of the P2SH redeem scripts is unknown .

Optimal bootstrap survey
* Based on only valid, unspent outputs
* Show % of value by template type
* Break down P2SH based on known redeem scripts (spent outputs as a proxy)

The linked article breaks the outputs out into 24 templates however for our purposes many of these can be combined.  The article drops any template which has less than 10 occurrences however by my math the outputs not cataloged represent less than 0.01% of all outputs.  I computed that by looking at the difference between the # of cataloged outputs and the total # of outputs confirmed by my own tool (uncategorized = total - sum of 24 reported templates).  There may be a small difference as I was looking at total outputs at a later block but 0.01% would be an upper bound.





To simplify the bootstrap the Pay2PubKey (and obsolete output) outputs could be converted into Pay2PubKeyHash by hashing the PubKey.
The known unspendable outputs (bugs, possibly intentional unspendable outputs, testing, and OP_Return can just be dropped from the bootstrap.
This would mean that supporting just Pay2PubKeyHash, Native Multisig and P2SH (with only the most common forms) would provide support for at least 99.6% of outputs and possibly as much as 99.9%.  

Remember this is based on just the # of outputs not the value of the unspent outputs although I do not think the distribution will change significantly.

As pointed out 5 times now ... this would require a change in protocol.


No.  From this thread it is very clear you lack the basic knowledge and logic skills necessary to implement a BIP.  I mean we just played a 14 post game of "who's on first" because you couldn't grasp the concept that in an changed protocol the protocol would be changed and thus referencing the current protocol would be pointless.

Of course that would be my opinion.  You don't need to ask permission to write up a BIP or make a pull request.