[Bitcoin-development] Proposal: soft-fork to make anyone-can-spend outputs unspendable for 100 blocks

Adam Back adam at cypherspace.org
Sun Jun 2 21:45:54 UTC 2013

So the idea is that people may want to use proof-of-work unrelated to
bitcoin, and abuse bitcoin to obtain that proof, in a way denominated in BTC
(and with a published USD exchange rate).  And the ways they can do that are

a) create unspendable addresses (which maybe you cant compact in the UTXO
set if the unspendable address choices are not standardized)

b) spend to anyone which I take it goes to a random person who happens to
see the address first and race the "spend to me" out on to the network, and
hope miners dnt replace it with "spend to miner", which is insecure

c) doesnt delay by 100 blocks just delay the "spend to me" race?  Also most
likely to be one by a big miner once they adapt and join the race.

d) some new standardized spend to fees (only miners can claim).

e) spend to charity/non-profit of choice could be useful also

f) I guess we see something related in zerocoin - locked but unlockable via
another type of transaction later.

g) why not instead make the beneficiary the address of the service the user
is consuming that is being DoS protected by the proof-of-sacrifice?  Seems
more useful than burning virtual money, then it helps the bitcoin network
AND it helps the service provide better service!

so if I understand what you proposed d) seems like a useful concept if that
is not currently possible.  eg alternatively could we not just propose a
standard recognized address that clearly no-one knows the EC discrete log


On Sat, Jun 01, 2013 at 03:30:36PM -0400, Peter Todd wrote:
>Currently the most compact way (proof-size) to sacrifice Bitcoins that
>does not involve making them unspendable is to create a anyone-can-spend
>output as the last txout in the coinbase of a block:
>scriptPubKey: <data> OP_TRUE
>The proof is then the SHA256 midstate, the txout, and the merkle path to
>the block header. However this mechanism needs miner support, and it is
>not possible to pay for such a sacrifice securely, or create an
>assurance contract to create one.
>A anyone-can-spend in a regular txout is another option, but there is no
>way to prevent a miner from including a transaction spending that txout
>in the same block. Once that happens, there is no way to prove the miner
>didn't create both, thus invalidating the sacrifice. The announce-commit
>protocol solves that problem, but at the cost of a much larger proof,
>especially if multiple parties want to get together to pay the cost of
>the sacrifice. (the proof must include the entire tx used to make the
>However if we add a rule where txouts ending in OP_TRUE are unspendable
>for 100 blocks, similar to coinbases, we fix these problems. The rule
>can be done as a soft-fork with 95% support in the same way the
>blockheight rule was implemented. Along with that change
>anyone-can-spend outputs should be make IsStandard() so they will be
>The alternative is sacrifices to unspendable outputs, which is very
>undesirable compared to sending the money to miners to further
>strengthen the security of the network.
>We should always make it easy for people to write code that does what is
>best for Bitcoin.

>Get 100% visibility into Java/.NET code with AppDynamics Lite
>It's a free troubleshooting tool designed for production
>Get down to code-level detail for bottlenecks, with <2% overhead.
>Download for free and get started troubleshooting in minutes.

>Bitcoin-development mailing list
>Bitcoin-development at lists.sourceforge.net

More information about the bitcoin-dev mailing list