I just find a problem: how could a SPV client count the number of transactions in a block, without downloading the whole block?

Related discussion: https://bitcointalk.org/index.php?topic=975648.0

If this could not be done, your proposal won't work for SPV clients without trusting a centralized service

If this could be done, there is an even more compact way to encode transactions: just number all transactions chronologically. According to blockchain.info

https://blockchain.info/charts/n-transactions-total?timespan=all&showDataPoints=false&daysAverageString=1&show_header=true&scale=0&address=

we have about 61,000,000 transactions. This could be encoded with only 26 bits. Since most blocks are not full, this must be much more efficient.

Having a upper bound is probably good enough for me. The upper bound is the nearest power of 2, right?

As a related question, in the current protocol, could an SPV node requests for the x-th transaction in the y-th block, without knowing the txid of the transaction?

Is it possible to count the number of tx in a block without downloading the whole block? (e.g. only using the Merkle tree)

Example 2: the 4th output (sending to 17SEHdQNxrP64M6aUkDJtoUKAhSMujamhE) of 9abcc1383bcc5eb980dd263837c7bd368d0fd5d1696a89e49dc9e63c82e7ce16

The block has 460 transactions so 9 bits is needed for txindex
The tx has 21 outputs so 5 bits is needed to encode all outputs. However, with only 5 words and 20bits of checksum, only 3 bits is left. That means we could only encode the first 8 outputs.

version: 0
height: 0001010100011111100110 (346086)
txindex: 101111010 (378, or the 379th tx)
outputindex: 011 (3, or the 4th output)

information: 000010101-000111111-001101011-11010011

blockhash: 0x000000000000000000e83a55db617b5db59ce161f8ef4d0989b8c6d1a3e82102
scriptPubKey: 0x76a91446963eb29098f58519f94bd8c3130f5b5166123488ac
SHA256(blockhash-scriptPubKey) = 34e17a91bcccfb02b4eec27d035c3f5c2150675ede100d1be7549f2629b93a8a
Checksum = First 20 bits of SHA256 hash = 0011-0100-1110-0001-0111

With 2-bit checksum and 9-bit information for each word, it becomes:
00(c)
000010101(i)
11(c)
000111111(i)
01(c)
001101011(i)
00(c)
11010011(i)
111000010111(c)

So the 5 words address will be
00000010101-11000111111-01001101011-00110100111-11000010111
i.e. actor-side-estate-crunch-seed

In the example above I use 1 checksum + 10 information for each word. Maybe 2+9 is better to make the words look more "random"

With 2-bit checksum and 9-bit information for each word, it becomes:
10(c)
000000000(i)
10(c)
000000000(i)
11(c)
0000000(i)
111011010010110100100101(c)

So the 5 words address will be
10000000000-10000000000-11000000011-10110100101-10100100101
i.e. length-length-scatter-regret-pigeon

We need some independent security experts to suggest the appropriate number of checksum bits.

Thanks for your coding but I can't read C. I'd like to illustrate with some examples:

---------------------
The only output in the genesis block:

version: 0
height: 0000000000000000000000
txindex: 0
outputindex: 0

information: 0000000000-0000000000-00000

blockhash: 0x000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f
scriptPubKey: 0x4104678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4 cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5fac
SHA256(blockhash-scriptPubKey) = afb4b496b902df5adc89d9d89080f6dc80383dbe6e1067140721ed53e2ccbedb
Checksum = First 30 bits* of SHA256 hash = 1010-1111-1011-0100-1011-0100-1001-01

With 1-bit checksum and 10-bit information for each word**, it becomes:
1(c)
0000000000(i)
0(c)
0000000000(i)
1(c)
00000(i)
011111011010010110100100101(c)

So the 5 words address will be
10000000000-00000000000-10000001111-10110100101-10100100101
i.e. length-abandon-limit-regret-pigeon


* I still assume minimum 20-bit checksum. It could be encoded in 4 words if 16-bit checksum is used.
** Since you are using 16-bit checksum instead of 20-bit as I suggest, there might not be enough checksum bits for each word if 4 checksum bits is used. So I'd like to standardize it to be 1+10 instead of 4+7 as I suggested before.

There is no "balance" in bitcoin protocol, only "unspent transaction output" (UTXO)

It's essentially proof-of-stake. No matter how they call it it's proof-of-stake

Actually I believe we will have some better way to encode before block 4M. It is also likely that there will be significant change in the blockchain structure and this scheme will obsolete. In such case, probably 21 bits is already enough as I expect such change would happen in 30 years.

There is always a big temptation to reduce the number of checksum bits but each bit you cut halves the security.

Wow, just now, the block 346019 has 2064 transactions.

To convert the bits into final address, we first serialize version-height-txIndex-txOutputIndex (the "information"). The information should be within 25-35 bits, and checksum is 20-30 bits

To derive the first word, we take the first 4 bits from checksum and the first 7 bits from information. This is repeated until all information bits are included. The rest will be checksum if there is any left *

A 6-words address would be encoded similarly, with 3 bits of checksum and 8 bits of information for each word.


* I put checksum before the information to make each word looks more "random". Otherwise, some words would be used more frequently than others, especially the first 2 words which encodes the block height.

I'm not sure if this is a right way to go. A checksum should be statistically independent from the information. Otherwise, it's not a checksum

good idea. This saves a lot.

You certainly don't need 24 bits for block height. It takes >300years. All cryptography in current form should have been broken long before that. 22 bits (70 years) would be enough.

The TxOut index is controlled by user so let's assume it to be usually 1 bit (because people want a short address)

I want at least 20 bits of checksum (1 in a million error tolerance)

I prefer to leave 1 version bit for future extension. (otherwise we may need to use a completely different word list for future encoding scheme)

-----------------
So a 5-words address would have

1 version bit
22 block height bits
1 to 11 txIndex bits
1 to 11 txOutputIndex bits
at least 20 checksum bits

The txIndex and txOutputIndex will always use the least possible bits, leaving more room for the checksum.

For example, if a block is known to have only 500 txs, the txIndex will only take 9 bits so the txOutputIndex may take at most 3 bits. If there is only 3 outputs (2 bits) in the tx, the checksum will have 21 bits

EDIT: If there is not enough bits left to fully encode txOutputIndex, the earlier outputs are assumed. For example, if there are 14 outputs (4 bits) in the tx but only 2 bits is left for txOutputIndex, we could still encode the first 4 outputs with 5 words.

Similarly, if a block has more than 2048 txs, a 5-words address is still valid if it is referring to first 2048 tx in the block and it is referring to the first or second output
------------------
If an address can't fit-in a 5-words address, it would need 6 words anyway. So a 6-words address would have

1 version bit
22 block height bits
1 to 22 txIndex bits
1 to 22 txOutputIndex bits
at least 20 checksum bits

22 txIndex bits should be enough for a 800MB block. If that's still not enough, it could be extended to 7-words in a similar way.

It is also valid to encode a 5-words address in 6-words, for extra checksum security.

And the checksum has to be broken down into pieces and inserted in every 11-bit block to make sure every word is pseudo-random. Vanity addresses are still possible, just by pure luck. No mining of vanity address is possible.


Encoding of private key and public key are different concepts. If you made a small mistake in private key, it is very likely to recover it by some burst force. If you sent you bitcoin to a wrong public key, it is totally irreversible.

Case 1: Alice would like to transmit the private key "ABCD1234" to Bob. The private key has no checksum and is carrying 100BTC on the blockchain. However, due to unstable network, Bob received "ABBD1234". Bob will immediately find that the private key carries no bitcoin and will ask Alice to resubmit. Even if he can't reach Alice again, he can still try to burst force it with the available information.

Case 2: Alice would like to transmit the public key "ABCD1234" to Bob. The public key has no checksum. However, due to unstable network, Bob received "ABBD1234". Bob sent 100BTC to "ABBD1234" and screwed up

Let say 1% of the world population will exchange their bitcoin address once per day, which is 70,000,000/day

0.01% of them will make a random mistake. So there will be 7000 mistakes/day.

With 5-bits of checksum, there will be 218 irreversible erroneous transaction/day
With 16-bits of checksum, this reduce to once per day
With 21-bits of checksum, this reduce to once per 300 days
Satoshi uses a 32-bits checksum in bitcoin address. That becomes once per 1681 years

Having an address with only 4 words is great, but it gives a false sense of security. If we are going to establish an industry standard, I believe we have a moral responsibility to lay users. We all make mistakes, and I'm sure 0.01% is way underestimated.

(You may argue that a random mistake may just point to a non-existing output but I've already used conservative parameters in my estimation)

This is a bad analogy.

The correct one should be:

Bank = Bitcoin miner
Cheque = Bitcoin transaction
USD = Bitcoin

Bitcoin transaction, like a cheque, has no intrinsic value. But bitcoin transaction is not bitcoin

Buffett is an excellent investor but he doesn't invest in anything he doesn't understand. Obviously he doesn't understand Bitcoin at all.

Miners could sell the block space for the vanity address without knowing the private key. All they need to do is to put their client's transactions in the appropriate positions. If the incentive is big enough, strong miners may even try to orphan other people's block to grab a good address.

My proposal will insert bits derived from the block-hash everywhere in the address, so it is not possible to mine a vanity address without discarding a successful block.


This is not true. Please don't assume all people are native English speakers. Even for native speakers many words are still very similar

gmaxwell has list some examples of poorly chosen words in BIP39: [choice, choose], [drip, script, trip], [risk, brisk], [load, road]

some more: [awake, aware, away], [stamp, stand], [price, pride], [steak, stick] (frankly speaking, I can't differentiate between "steak" and "stick" at all)

5 bits is unacceptable. I think 16-bits is really minimum, with an error tolerance of 1/65536. 20-bits will give 1 in a million.

Just use the blockhash as part of the checksum as I suggested. It's quite obvious.



Why won't they do that? Let say address of the block 987654 txindex 7777 output 888 is "best adult web". This address will be extremely valuable and all miners will try to grab it.

[/quote]

Do you really think 5 bits of checksum is enough? An address with random error will have 3.125% of probability to be valid. It's just unacceptable especially for bitcoin which getting refund is totally impossible.

OP updated

I hope listing on OTCQX will bring some real liquidity to bitcoin market

You have not fixed the following problems:

1. blockchain reorg

2. Miners may try to fill up a block with garbage for a vanity address

To fix the reorg problem you have to include blockhash and/or tx-hash somewhere in your formula. This is tricky because that would lengthen the address

To fix the vanity address problem miner shouldn't be able to determine the address before a block is found. Again, this is avoided if the blockhash is part of the formula

------------------------
I'd like to propose the following method for referring any ScriptPubKey on the blockchain. I don't care how people interpret the information in the ScriptPubKey:

Version: 1 bit (always 0)
Height: 20 bits (up to block 1048576, enough for 13 years)
txIndex: 19 bits (up to 524288 tx/block, won't happen until the blocksize is >110MB)
TxOut index: 8 bits (up to 256 outputs/tx)
Checksum: 29 bits (slightly weaker than 32 bits in a standard bitcoin address)
Total: 77 bits, requiring 7 words to encode

All components are zero-padded. Anything beyond block 1048576 / txIndex 524288 / TxOut index 256 are invalid.

Checksum is the first 29 bits of SHA256(Blockhash-ScriptPubKey)

The 48-bits (Version-Height-txIndex-TxOut index) is split into 6 fragments of 8-bits
The 29-bits Checksum is split into 5 fragments of 5-bits and 1 fragment of 4-bits
Fragments are concatenated alternatively, so miners are not able to mine a vanity address without giving up a successful block hash.

To resolve the address, an SPV node has to obtain the ScriptPubKey with Height-txIndex-TxOut index, and verify the Checksum with Blockhash-ScriptPubKey

Reducing to 6 words is possible but it reduces the checksum security and future compatibility
Version: 1 bit (always 0)
Height: 20 bits (reducing to 19 bits will make it overflows in less than 4 years)
txIndex: 16 bits (up to 65536 tx/block, won't happen until the blocksize is >13MB)
TxOut index: 5 bits (up to 32 outputs/tx)
Checksum: 24 bits (Not sure if this is enough)
Total: 66 bits

Or 5 words:
Version: 1 bit (always 0)
Height: 20 bits
txIndex: 13 bits (up to 8192 tx/block, won't happen until the blocksize is >1.5MB)
TxOut index: 4 bits (up to 16 outputs/tx)
Checksum: 17 bits (This could be risky)
Total: 55 bits

8 words would be good enough for foreseeable future. It's still much better than encoding an 160-bits address with 15 words:
Version: 1 bit (always 0)
Height: 22 bits (enough for >70 years)
txIndex: 25 bits (enough for 6.8GB block)
TxOut index: 11 bits (up to 2048 outputs/tx)
Checksum: 29 bits
Total: 88 bits

Would you memorize your bank account number? I won't.

Why should I memorize by bitcoin address?