BIP: ? Layer: Applications Title: Ordinal Numbers Author: Casey Rodarmor <[email protected]> Comments-Summary: No comments yet. Comments-URI: https://github.com/casey/ord/discussions/126 Status: Draft Type: Informational Created: 2022-02-02 License: PD
This document defines a scheme for asigning serial numbers to satoshis.
This work is placed in the public domain.
Bitcoin has no notion of stable, public accounts or identities. Addresses are single-use, and wallet accounts are private. Additionally, the use of addresses or public keys as stable identifiers precludes transfer of ownership or key rotation.
This proposal is motivated by the desire to provide stable identifiers that may be used by Bitcoin applications.
Every satoshi is serially numbered, starting at 0, in the order in which it is mined. These numbers are termed "ordinal numbers", or "ordinals", as they are ordinal numbers in the mathematical sense, giving the order of each satoshi in the totally supply. The word "ordinal" is nicely unambiguous, as it is not used elsewhere in the Bitcoin protocol.
The ordinal numbers of transaction inputs are transferred to outputs in first-in-first-out order, according to the size and order of the transactions inputs and outputs.
If a transaction is mined with the same transaction ID as outputs currently in the UTXO set, following the behavior of Bitcoin Core, the new transaction outputs displace the older UTXO set entries, destroying the ordinals contained in any unspent outputs of the first transaction. This rule is required to handle the two pairs of mainnet transactions with duplicate transaction IDs, namely the coinbase transactions of blocks 91812/91842, and 91722/91880, mined before BIP-34 made the creation of transactions with duplicate IDs impossible.
For the purposes of the assignment algorithm, the coinbase transaction is considered to have an implicit input equal in size to the subsidy, followed by an input for every fee-paying transaction in the block, in the order that those transactions appear in the block. The implicit subsidy input carries the block's newly created ordinals. The implicit fee inputs carry the ordinals that were paid as fees in the block's transactions.
Underpaying the subsidy does not change the ordinal numbers of satoshis mined in subsequent blocks. Ordinals depend only on how many satoshis could have been mined, not how many actually were.
Ordinals are created and assigned with the following algorithm:
# subsidy of block at given height
def subsidy(height):
return 50 * 100_000_000 >> height // 210_000
# first ordinal of subsidy of block at given height
def first_ordinal(height):
start = 0
for height in range(height):
start += subsidy(height)
return start
# assign ordinals in given block
def assign_ordinals(block):
first = first_ordinal(block.height)
last = first + subsidy(block.height)
coinbase_ordinals = list(range(first, last))
for transaction in block.transactions[1:]:
ordinals = []
for input in transaction.inputs:
ordinals.extend(input.ordinals)
for output in transaction.outputs:
output.ordinals = ordinals[:output.value]
del ordinals[:output.value]
coinbase_ordinals.extend(ordinals)
for output in block.transaction[0].outputs:
output.ordinals = coinbase_ordinals[:output.value]
del coinbase_ordinals[:output.value]
Ordinals may be written as the ordinal number followed by the Romance-language ordinal indicator °, for example 13°.
A satpoint may be used to indicate the location of an ordinal within an output. A satpoint consists of an outpoint, i.e., a transaction ID and output index, with the addition of the offset of the ordinal within that output. For example, if the ordinal in question is at offset 6 in the first output of a transaction
can be written as:
`680df1e4d43016571e504b0b142ee43c5c0b83398a97bdcfd94ea6f287322d22:0:6`
A slot may be used to indicate the output of an ordinal without referring to a transaction ID, by substituting the block height and transaction index within the block for the transaction ID. It is written as an x'ed quad, similar to a Lightning Network short channel ID with an additional number indicating the offset of the ordinal within the output. For example, the ordinal at offset 100 in the output at offset 1, in the coinbase transaction of block 83 can be written as:
`83x0x1x100`
Satoshis with ordinals that are not valuable or notable can be referred to as cardinal, as their identity does not matter, only the amount. A cardinal output is one whose ordinals are unimportant for the purpose at hand, for example an output used only to provide padding to avoid creating a transaction with an output below the dust limit.
Ordinal numbers are designed to be orthogonal to other aspects of the Bitcoin protocol, and can thus be used in conjunction with other layer one and layer two techniques and applications, even ones that were not designed with ordinal numbers in mind.
Ordinal satoshis can be secured using current and future script types. They can be held by single-signature wallets, multi-signature wallets, time-locked, and height-locked in all the usual ways.
This orthogonality also allows them to be used with layer-two applications. A stablecoin issuer can promise to allow redemption of specific ranges of ordinals for $1 United States dollar each. Lightning Network nodes can then be used to create a USD-denominated Lightning Network, using existing software with very modest modifications.
By assigning ordinal numbers to all satoshis without need for an explicit creation step, the anonymity set of ordinal number users is maximized.
Since an ordinal number has an output that contains it, and an output has a public key that controls it, the owner of an ordinal can respond to challenges by signing messages using the address associated with the controlling UTXO. Additionally, an ordinal can change hands, or its private key can be rotated without a change of ownership, by transferring it to a new output.
Ordinals require no changes to blocks, transactions, or network protocols, and can thus be immediately adopted, or ignored, without impacting existing users.
Ordinals do not have an explicit on-chain footprint. However, a valid objection is that adoption of ordinals will increase demand for outputs, and thus increase the size of the UTXO set that full nodes must track. See the objections section below.
The ordinal number scheme is extremely simple. The specification above is 15 lines of code.
Ordinals are fairly assigned. They are not premined, and are assigned proportionally to existing bitcoin holders.
Ordinals are as granular as possible, as bitcoin is not capable of tracking ownership of sub-satoshi values.
Any ordinal transfer can be accomplished in a single transaction, but the resulting transaction may contain outputs below the dust limit, and thus be non-standard and difficult to get included in a block. Consider a scenario where Alice owns an output containing the range of ordinals [0,10], the current dust limit is 5 satoshis, and Alice wishes to send send ordinals 4° and 6° to Bob, but retain ordinal 5°. Alice could construct a transaction with three outputs of size 5, 1, and 5, containing ordinals [0,4], 5, and [6,10]. The second output is under the dust limit, and so such a transaction would be non-standard.
This transfer, and indeed any transfer, can be accomplished by breaking the transfer into multiple transactions, with each transaction performing one or more splits and merging in padding outputs as needed.
To wit, Alice could perform the desired transfer in two transactions. The first transaction would send ordinals [0,4] to Bob, and return as change ordinals [5,10] to Alice. The second transaction would take as inputs an output of at least 4 satoshis, the change input, and an additional input of at least one satoshi; and create an output of size 5 to Bob's address, and the remainder as a change output. Both transactions avoid creating any non-standard outputs, but still accomplish the same desired transfer of ordinals.
Privacy: Ordinal numbers are public and thus reduce user privacy.
The applications using ordinal numbers required them to be public, and reduce the privacy of only those users that decide to use them.
Fungibility: Ordinal numbers reduce the fungibility of Bitcoin, as ordinals received in a transaction may carry with them some public history.
As anyone can send anyone else any ordinals, any reasonable person will assume that a new owner of a particular ordinal cannot be understood to be the old owner, or have any particular relationship with the old owner.
Congestion: Adoption of ordinal numbers will increase the demand for transactions, and drive up fees.
Since Bitcoin requires the development of a robust fee market, this is a strong positive of the proposal.
UTXO set bloat: Adoption of ordinal numbers will increase the demand for entries in the UTXO set, and thus increase the size of the UTXO set, which all full nodes are required to track.
The dust limit, which makes outputs with small values difficult to create, should encourage users to create non-dust outputs, and to clean them up once they no longer have use for the ordinals that they contain.
The public key associated with an ordinal may change. This requires actively following the blockchain to keep up with key changes, and requires care compared to a system where public keys are static. However, a system with static public keys suffers from an inability for keys to be rotated or accounts to change hands.
Ordinal-aware software must avoid destroying ordinals by unintentionally relinquishing them in a transaction, either to a non-controlled output or by using them as fees.
Ordinals are opt-in, and should not impact the privacy of existing users.
Ordinals are themselves public, however, this is required by the fact that many of the applications that they are intended to enable require public identifiers.
Ordinal aware software should never mix satoshis which might have some publicly visible data associated with their ordinals with satoshis intended for use in payments or savings, since this would associate that publicly visible data with the users otherwise pseudonymous wallet outputs.
Since any ordinal can be sent to any address at any time, ordinals that are transferred, even those with some public history, should be considered to be fungible with other satoshis with no such history.
Ordinal numbers are fully backwards compatible and require no changes to the bitcoin network.
Indexes supporting fast queries related to ordinals are slow to build and consume large amounts of space.
An O(1) index that maps UTXOs to the ordinals that they contain is currently 100GiB. The same index including spent outputs is 10TiB.
An O(1) index supporting the opposite mapping, that of individual ordinals to the UTXO that contains them, is likely to be intractable. However, an O(n) index where n is the number of times an ordinal has changed hands, is fast and practical.
A proof can be constructed that demonstrates that a particular ordinal is contained in a particular output, however the proofs are large. Such a proof consists of:
- Block headers - A merkle path to the coinbase transaction that created the ordinal - The coinbase transaction that created the ordinal - And for every spend of that ordinal:
- The spend transaction
- The transactions that created the inputs before the input that was spent,
to determine the values of the preceding inputs, to determine the position
of the ordinal
- And, if the ordinal was used as fees, all prior transaction in the block in
which it was spent, and the coinbase transaction, to determine the location
of the ordinal in the outputs.
This document, along with an implementation of an ordinal index that tracks the position of ordinals in the main chain, is available here.
A variation of this scheme was independently invented a decade ago by jl2012 on the Bitcoin Forum.
For other colored coin proposals see Bitcoin Wiki entry.
For aliases, an implementation of short on-chain identifiers, see BIP 15.