lodewijk andr de la porte writes:

> I honestly don't see how. A transaction has an origin, which is verified to
> have the coins, and a destination, which is a public key that must have a
> private key. AFAIK every public key has a computable private key
> counterpart.
>
> But please correct me.

The reason Taral says that you could "create transactions that transfer money into black holes that are unrecoverable" is that the destination of a transaction is actually not a public key but rather a _script_ in a scripting language. To claim the coins later, a recipient creates a new transaction that satisfies the conditions of the script associated with the previous transaction. The normal case is that each script has the effect of transferring coins to a public key.

https://en.bitcoin.it/wiki/Script#Standard_Transaction_to_Bitcoin_address
https://en.bitcoin.it/wiki/Transactions

However, this documentation emphasizes that the script can be valid even if it has a different effect. For example, it's possible to create an output that can be claimed by anyone without any authorization. It's also possible to require that an input be signed by ten different keys, or be redeemable with a password instead of a key.

You could equally easily write a script that cannot be executed successfully, for instance because the condition for claiming its output would be that 0=1. (An even simpler case is that the script just returns false immediately, via OP_RETURN.)

It seems like the standard Bitcoin client should accept transactions _containing_ such a script as valid (i.e., the script reflects the intention of the previous owner of some coins and successfully claims the output of the previous transaction involving those coins), even though the standard client would not be willing to generate those transactions.

You could think of a transaction as like a machine-readable will, and the Bitcoin network as like a probate court that happens to be implemented by a P2P software network. Prospective heirs can show up and prove that they have a legitimate claim to some of the inheritance.
However, since the will is being interpreted by software, the testator can (rather than the common case of naming specific heirs) actually implement wacky conditions that are the stuff of fiction in our world. For example, "BTC 1700 to the first person to claim it, provided that 1+1=3".

Unlike a human-operated probate court, the Bitcoin network has no notion of intestacy or escheat. If it becomes clear that some coins can never ever be claimed, well, wasn't that testator odd to do that?

--
Seth David Schoen <[email protected]>      |  No haiku patents
     http://www.loyalty.org/~schoen/        |  means I've no incentive to
  FD9A6AA28193A9F03D4BF4ADC11B36DC9C7DD150  |        -- Don Marti
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
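
Added example, not part of the original message and not code from any Bitcoin client: a toy stack evaluator for a small subset of Script, run over the cases described above (an anyone-can-spend output, a password-redeemable output, and two outputs that no claim can satisfy). Assumptions: opcodes are written as strings, numbers are Python ints, the claiming script simply runs before the output script on one shared stack, and the password and claim values are constructed.

```python
import hashlib

def run(script, stack):
    """Execute opcodes (str) and data pushes (bytes); False means the script failed."""
    for op in script:
        if isinstance(op, bytes):
            stack.append(op)                       # data push
        elif op in ("OP_0", "OP_1", "OP_2", "OP_3"):
            stack.append(int(op[3:]))              # small-number push
        elif op in ("OP_ADD", "OP_EQUAL"):
            if len(stack) < 2:
                return False
            b, a = stack.pop(), stack.pop()
            if op == "OP_EQUAL":
                stack.append(1 if a == b else 0)
            elif isinstance(a, int) and isinstance(b, int):
                stack.append(a + b)
            else:
                return False                       # toy rule: OP_ADD needs two numbers
        elif op == "OP_SHA256":
            if not stack or not isinstance(stack[-1], bytes):
                return False
            stack.append(hashlib.sha256(stack.pop()).digest())
        elif op == "OP_RETURN":
            return False                           # fails immediately, whatever is on the stack
        else:
            raise ValueError(f"opcode not in this toy subset: {op}")
    return True

def can_spend(script_sig, script_pubkey):
    """A claim succeeds if both scripts run and the top stack item is true."""
    stack = []
    return (run(script_sig, stack) and run(script_pubkey, stack)
            and bool(stack) and bool(stack[-1]))

# Constructed output scripts for the cases in the message.
ANYONE_CAN_SPEND = ["OP_1"]
PASSWORD = ["OP_SHA256", hashlib.sha256(b"constructed password").digest(), "OP_EQUAL"]
ONE_PLUS_ONE_IS_THREE = ["OP_1", "OP_1", "OP_ADD", "OP_3", "OP_EQUAL"]
BURN = ["OP_RETURN"]

if __name__ == "__main__":
    for name, sig, pubkey in [
        ("anyone-can-spend", [], ANYONE_CAN_SPEND),
        ("right password", [b"constructed password"], PASSWORD),
        ("wrong password", [b"guess"], PASSWORD),
        ("1+1=3", [b"any claim"], ONE_PLUS_ONE_IS_THREE),
        ("OP_RETURN", [b"any claim"], BURN),
    ]:
        print(f"{name:18} spendable={can_spend(sig, pubkey)}")
```

The last two output scripts fail for every claiming script, because their result does not depend on anything the claimant pushes; that is the "black hole" case.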
