[Bitcoin-development] Atomic coin swapping?

Jorge Timón timon.elviejo at gmail.com
Sat Sep 22 09:10:16 UTC 2012

I'm very interested in this. I was expecting transitive/multi-hop
transactions (Ripple) with colored coins, and I don't understand why
is not possible.

>From https://en.bitcoin.it/wiki/Contracts

SIGHASH_ALL: This is the default. It indicates that everything about
the transaction is signed, except for the input scripts. Signing the
input scripts as well would obviously make it impossible to construct
a transaction, so they are always blanked out. Note, though, that
other properties of the input, like the connected output and sequence
numbers, are signed; it's only the scripts that are not. Intuitively,
it means "I agree to put my money in, if everyone puts their money in
and the outputs are this".

Why "Signing the input scripts as well would obviously make it
impossible to construct a transaction"?
I don't understand that part. I think a new SIGHASH_* type that
doesn't pay attention to that "obviously" is needed to achieve what we

Say we want the following transaction:

A 1 satoshi -> B 1 satoshi -> C 100 btc -> A

It would be necessary to sign the following:

Inputs: from srcA, from srcB,
Outputs: 1 satoshi to destB, 1 satoshi to destC, 100 btc to destA

"from srcC" is not really necessary.

This same scheme can be used for n-hops.

What am I missing?

On 9/22/12, Jeff Garzik <jgarzik at exmulti.com> wrote:
> Forum URL: https://bitcointalk.org/index.php?topic=112007.0
> gmaxwell was talking about colored coins[1] in IRC recently.  They are
> potentially interesting in the context of distributed bonds[2], which
> I am currently pursuing with pybond[3].
> Here is the problem I am trying to solve, does the crowd have an answer?
> 1. Alice transfers a 1-satoshi colored coin to Bob.
> 2. Bob transfers 100 BTC to Alice.  May be restricted to 1 txout, if
> that eases implementation details.
> 3. Steps #1 and #2 happen as an atomic unit, all-or-none.
> 4. Alice and Bob must both approve this atomic transfer of coins, with
> appropriate signatures.
> Is this possible within the current bitcoin system?  As far as I can
> see, the answer is "no" but maybe I'm missing something.
> My best guess to the answer is "possible, but requires a new SIGHASH_*
> type"?
> [1] https://bitcointalk.org/index.php?topic=106449.0
> [2] https://bitcointalk.org/index.php?topic=92421.0
> [3] https://github.com/jgarzik/pybond
> --
> Jeff Garzik
> exMULTI, Inc.
> jgarzik at exmulti.com
> ------------------------------------------------------------------------------
> How fast is your code?
> 3 out of 4 devs don\\\'t know how their code performs in production.
> Find out how slow your code is with AppDynamics Lite.
> http://ad.doubleclick.net/clk;262219672;13503038;z?
> http://info.appdynamics.com/FreeJavaPerformanceDownload.html
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development

Jorge Timón

More information about the bitcoin-dev mailing list