Author: Ash Li, Noah Ho
Original source: notion
The Ordinals protocol gives Bitcoin the ability to number satoshis and attach inscriptions to them, broadening the range of products in the Bitcoin ecosystem and bringing it new vitality. In this article, we'll dive into the details of the Ordinals protocol, including how each bitcoin is numbered and tracked, and the relationship between inscriptions and numbers. Before diving into this topic, we first need some basic background on Bitcoin to better understand what follows.
After reading this article, you will have a grasp of Bitcoin's transaction mechanism and payment model, how Ordinals are numbered and tracked for each satoshi, and how inscriptions are created and traded. Also, you will learn about the differences between the different types of wallets.
1. Bitcoin background
Bitcoin uses a cash-like transaction model (cash system), and its payment method is based on a model called UTXO, which is different from the traditional account balance-based model. For example: in the bank's account bookkeeping model process, when A transfers 100 yuan to B, the bank will record three steps, which constitute a transaction process. The first step is to deduct 100 yuan from A's account, and the record ID of this step is tid1. The second step is to deposit 100 yuan into B's account, and the record ID of this step is tid2. The third step is to record a transfer record, which associates tid1 and tid2, indicating that account A is reduced by 100 yuan, and account B is increased by 100 yuan. In this way, the transfer relationship between A and B is recorded and can be queried and tracked in the future. Now, we will explain the payment method of Bitcoin through the introduction of UTXO and payment model.
UTXO
In the Bitcoin blockchain, all balances are stored in a list called "Unspent Transaction Output" (UTXO). Each UTXO contains a certain number of bitcoins, as well as the owner information of these bitcoins, and indicates whether they are available. Think of it like a cashier's check made out to the bearer: as long as the bearer signs it, the right to use it can be transferred to others. For a specific address, the sum of all UTXO amounts is the balance of the address wallet. By iterating over all UTXOs, we can get the current balance of each address. The sum of all UTXO amounts is all currently circulating bitcoins.
In the transaction structure of Bitcoin, each transaction includes several inputs and outputs, where each input is a reference to an existing UTXO, and each output specifies a new fund receiving address and corresponding amount. Once a transaction is initiated, the UTXO referenced by its input will be temporarily locked to prevent it from being reused until the transaction is completed. Only when the transaction is successfully packaged into a block by the miners and confirmed by the network, the relevant UTXO status will change. Specifically, UTXOs used for transaction inputs will be removed from the UTXO list, indicating that they have been consumed, and new UTXOs will be generated for transaction outputs and added to the UTXO list. It can be understood that the old cash check becomes invalid after being used, and a new cash check is produced, whose ownership belongs to the new holder.
It is worth emphasizing that each UTXO can only be used once in a transaction. Once it is consumed as an input, it is permanently removed from the UTXO list. At the same time, the newly generated output is added to the list as a new UTXO. The list of UTXOs is constantly changing and as each new block is created it is updated accordingly. And, by analyzing the transaction history in the blockchain, we are able to reconstruct the state of the UTXO list at any given point in time.
In addition, the total input amount of a transaction will usually slightly exceed its total output amount. This difference, known as the transaction fee (Transaction fee) or network fee (Network fee), is given as an incentive to miners responsible for packaging transactions into blocks. The size of the network fee is proportional to the complexity of the transaction, so a transaction with more inputs and outputs will generally incur a higher network fee.
Now, in order to understand the transaction structure of Bitcoin more vividly, we will conduct an in-depth analysis through a specific example. The transaction structure of Bitcoin is as follows, where the two variables vin and vout represent the "input" and "output" of the Bitcoin transaction respectively. Bitcoin transactions do not record account-shaped data changes like the traditional account balance model, but are represented by input and output.
Source: https://github.com/bitcoin/bitcoin/blob/v22.0/src/primitives/transaction.h#L270
We can randomly select a transaction record on blockchain.com to analyze. The figure below shows the transaction with **Hash ID** 0627052b6f28912f2703066a912ea577f2ce4da4caa5a5fbd8a57286c345c2f2. It contains one input and two outputs.
By using the commands `getrawtransaction` and `decoderawtransaction` of bitcoin-cli, we can view the underlying structure of the above transaction:
In the Bitcoin network, a transaction output contains two important pieces of information: the address (the hash of the public key) and the amount (in bitcoins). If the output of a transaction is not used in the input of other transactions, then this transaction output is called unspent transaction output (UTXO). Whoever owns the private key corresponding to the public key in UTXO has the right to use (that is, spend) this UTXO.
Let's look at the information in "vin" in the above code. It indicates that the UTXO spent by this transaction is the 0th output (a transaction can have multiple outputs, and the index starts from 0) of another transaction, whose id is 7957a35fe64f80d234d76d83a2a8f1a0d8149a41d81de548f0a65a8a999f6f18. We can find the amount of this UTXO (for example, 0.1) from the historical transaction, so the user spent 0.1 BTC in this transaction. The value 0.1 does not need to be written explicitly in the transaction; it is obtained by looking up the UTXO information. The "vout" of this transaction has two outputs, which are two new UTXOs, corresponding to the new balances and holders, until another transaction consumes them as inputs.
Payment model
In order to better understand the payment model of the Bitcoin network, we use an example to introduce the payment process of Bitcoins paid by A to B for an amount of n. The figure below shows the process of user A sending 3 bitcoins to user B.
1. For user A, it is first necessary to determine all the UTXO sets it owns, that is, all bitcoins that user A can control;
2. A selects one or more UTXOs from this set as the input of the transaction. The sum of these inputs is m (2+0.8+0.5=3.3 BTC) which is greater than the amount n (3 BTC) to be paid;
3. User A sets two outputs for the transaction: one output is paid to B's address, with amount n (3 BTC), and the other output is paid to A's own **change address**, with amount m - n - fee (3.3 - 3 - 0.001 = 0.299 BTC). The user's wallet usually consists of multiple addresses. Generally, each address is used only once, and the change will be returned to a new address by default;
4. After the miners package the transaction on the chain for confirmation, B can receive the transaction information. Because the size of the block has an upper limit (about 1 MB), miners will give priority to confirming transactions with a high transaction fee rate (`fee_rate=fee/size`) to obtain the highest fee return. We can see the real-time mining transaction fee at [mempool](https://mempool.space/). If we want the fastest confirmation during the transfer process, we can choose High Priority or set an appropriate custom fee rate.
2. Numbering and tracking of Satoshi
The total number of bitcoins is 21 million, and each bitcoin contains 10^8 satoshi (Satoshi, Sat). Therefore, there are a total of 21 million*10^8 satoshis on the Bitcoin network. The Ordinals protocol distinguishes these satoshis and uniquely numbers each satoshi. This section will introduce how this protocol uniquely numbers each Satoshi and tracks its account. In addition, the rarity classification for Satoshi will be introduced.
Satoshi number
According to the Ordinals protocol, satoshis are numbered according to the order in which they were mined. The figure below shows the representation of the 0th satoshi mined in the 0th block.
Source: https://ordinals.com/sat/0
There are many ways to express Satoshi:
- **Integer notation**: For example, 2099994106992659, the serial number assigned to the satoshi according to the order of mining.
- **Decimal notation**: For example, 3891094.16797, where the first number is the height of the block in which the satoshi was mined, and the second number is the index of the satoshi within the block.
- **Degree notation**: For example, 3°111094′214″16797‴, where the first number is the cycle, numbered from 0, the second number is the block index within the halving epoch, the third number is the block index within the difficulty adjustment period, and the last number is the index of the sat in the block.
- **Percentile notation**: For example, 99.99971949060254%, which indicates the position of this satoshi in the Bitcoin supply, expressed as a percentage.
- **Name**: For example, satoshi. A name that encodes the sequence number using the characters a through z.
We will use an example to explain how to number newly mined bitcoins. Looking at block 795952 of the Bitcoin blockchain, we can see that the first transaction **[Tx 3a1f...b177](https://ordinals.com/tx/3a1fdea5953faea184e0303774ea234533aa58979a4d9a4f1c0de0d9b2efb177)** records the miner reward (the coinbase transaction). This transaction includes newly mined bitcoins, which are used as packaging rewards for miners, and the transaction fees paid to miners by the transaction initiators. By looking at the input in the figure below, we can find that the id of its UTXO consists of a string of 0s and the block height. The output address is the wallet address of the miner, and the amount is the sum of the above rewards and handling fees.
Source: https://ordinals.com/tx/3a1fdea5953faea184e0303774ea234533aa58979a4d9a4f1c0de0d9b2efb177
If we look further at the part that is output to the miners, we can see the distribution of addresses, amounts, and satoshis involved. As mentioned earlier, these include mining rewards and fees. Among them, the green sats number information [1941220000000000–1941220625000000](https://ordinals.com/range/1941220000000000/1941220625000000) is the new sats generated by the mining reward, and the remaining 712 sat records correspond to all the handling fees in this block.
Source: https://ordinals.com/output/3a1fdea5953faea184e0303774ea234533aa58979a4d9a4f1c0de0d9b2efb177:0
We can verify the number Sat 1941220000000000. Its block number is 795952, and the decimal notation is 795952.0, which means that the block height at which this satoshi was mined is 795952 and its index within this block is 0. Its rarity is marked as uncommon, which we will describe in detail in a later section.
Source: https://ordinals.com/sat/1941220000000000
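The numbering rules above can be checked with a short script. This is an added example, not code from the original article or from the ord project; it assumes the standard Bitcoin issuance schedule (50 BTC initial subsidy, halving every 210,000 blocks, difficulty adjustment every 2,016 blocks) and a cycle length of six halvings, and the function names are illustrative.

```python
# Added example: Ordinals sat numbering, reimplemented from the rules in this article.
COIN = 100_000_000                      # satoshis per bitcoin
HALVING_INTERVAL = 210_000              # blocks per halving epoch
DIFFCHANGE_INTERVAL = 2_016             # blocks per difficulty adjustment period
CYCLE_INTERVAL = HALVING_INTERVAL * 6   # assumption: one cycle = 6 halving epochs


def subsidy(height):
    """New satoshis created by the block at this height (halves every epoch)."""
    return (50 * COIN) >> (height // HALVING_INTERVAL)


def first_sat(height):
    """Ordinal number of the first satoshi mined in the block at this height."""
    total, epoch = 0, 0
    while (epoch + 1) * HALVING_INTERVAL <= height:
        total += HALVING_INTERVAL * subsidy(epoch * HALVING_INTERVAL)
        epoch += 1
    return total + (height - epoch * HALVING_INTERVAL) * subsidy(height)


SUPPLY = first_sat(33 * HALVING_INTERVAL)   # the subsidy is 0 from epoch 33 onward


def locate(sat):
    """Return (block height, index within that block's subsidy) for a sat number."""
    if not 0 <= sat < SUPPLY:
        raise ValueError("sat number outside the total supply")
    epoch, start = 0, 0
    while True:
        reward = subsidy(epoch * HALVING_INTERVAL)
        if sat < start + HALVING_INTERVAL * reward:
            break
        start += HALVING_INTERVAL * reward
        epoch += 1
    blocks, offset = divmod(sat - start, reward)
    return epoch * HALVING_INTERVAL + blocks, offset


def degree(sat):
    """(cycle, block index in halving epoch, block index in difficulty period, index in block)."""
    height, offset = locate(sat)
    return (height // CYCLE_INTERVAL, height % HALVING_INTERVAL,
            height % DIFFCHANGE_INTERVAL, offset)


def notations(sat):
    height, offset = locate(sat)
    a, b, c, d = degree(sat)
    return {"integer": sat, "decimal": f"{height}.{offset}", "degree": f"{a}°{b}′{c}″{d}‴"}


def rarity(sat):
    cycle, epoch_index, period_index, offset = degree(sat)
    if offset != 0:
        return "common"                 # not the first sat of its block
    if epoch_index == 0 and period_index == 0:
        return "mythic" if cycle == 0 else "legendary"
    if epoch_index == 0:
        return "epic"                   # first sat after a halving
    if period_index == 0:
        return "rare"                   # first sat of a difficulty adjustment period
    return "uncommon"                   # first sat of an ordinary block


if __name__ == "__main__":
    for sat in (0, 1941220000000000, 2099994106992659):
        print(notations(sat), rarity(sat))
```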
Satoshi circulation
Because each BTC is generated through mining rewards, they are all traceable. Bitcoin accounts use the UTXO model. Assume that user A obtains the 100th-110th Satoshi through mining (the 10 Satoshis are stored as a whole in the same UTXO whose id is abc123). When user A wants to pay user B 5 Satoshi, he chooses to use the id abc123 as the input of the transaction, among which 5 Satoshi are given to user B, and 5 Satoshi are returned to user A as change. Each group of 5 satoshis is kept as a whole, and the two groups are stored in two UTXOs with ids abc456 and abc789 respectively. The above UTXO ids and the number of Satoshi are only shown as examples. In reality, the minimum number of Satoshi sent is limited to 546 and the UTXO id is not expressed in this form.
In the above transaction, the circulation path of user A’s 10 Satoshi is:
1. Mining produces 10 Satoshi, numbered [100, 110). This means that the 100th to 109th satoshis are stored in the UTXO with id abc123, and its owner is user A.
2. When A transfers money, the 10 Satoshi are divided into two parts, each with 5 Satoshi. The principle of "first in, first out" is adopted here, that is, the ordering of Satoshi numbers is determined according to their indexes in the transaction output. Assuming that the order of output is user A first, then user B, then the serial numbers of the remaining 5 satoshis of user A are [100, 105), stored in the UTXO with id abc456, and the serial numbers of user B's 5 satoshis are [105, 110), stored in the UTXO with id abc789.
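The first-in, first-out rule can be written as a small function. This is an added example, not code from the original article; it generalizes the single-input case above to several inputs, treats satoshis left over after the last output as the fee (which, as described earlier, ends up in the miner's coinbase output), and uses illustrative function names and constructed sat ranges.

```python
# Added example: first-in, first-out assignment of sat ranges to transaction outputs.
from collections import deque


def assign_sat_ranges(input_ranges, output_values):
    """Distribute the sats held by the inputs over the outputs in order.

    input_ranges:  one list of half-open (start, end) sat ranges per input, in input order
    output_values: amount in satoshis of each output, in output order
    Returns (ranges per output, leftover ranges that become the fee).
    """
    queue = deque(r for ranges in input_ranges for r in ranges)
    outputs = []
    for value in output_values:
        taken, need = [], value
        while need > 0:
            if not queue:
                raise ValueError("outputs spend more satoshis than the inputs hold")
            start, end = queue.popleft()
            cut = min(end, start + need)       # take as much of this range as needed
            taken.append((start, cut))
            need -= cut - start
            if cut < end:                      # put the unused tail back at the front
                queue.appendleft((cut, end))
        outputs.append(taken)
    return outputs, list(queue)


def where_is(sat, outputs, fee_ranges):
    """Return the output index holding a sat, "fee" if it went to the miner, else None."""
    for index, ranges in enumerate(outputs):
        if any(start <= sat < end for start, end in ranges):
            return index
    if any(start <= sat < end for start, end in fee_ranges):
        return "fee"
    return None


if __name__ == "__main__":
    # The article's example: UTXO abc123 holds [100, 110); A keeps 5, B receives 5.
    print(assign_sat_ranges([[(100, 110)]], [5, 5]))
    # Constructed case with two inputs, where one sat is left over as fee.
    print(assign_sat_ranges([[(100, 110)], [(500, 503)]], [4, 8]))
```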
Rarity (Rare Satoshi)
As a derivative of the Ordinals protocol, the rarity of Satoshi can be defined according to the order in which they are mined. This will result in some special satoshis having different rarities. Here are the rarities of the different satoshis:
- `common`: any satoshi except the first satoshi of the block (total supply is 2100 trillion)
- `uncommon`: the first satoshi of each block (total supply is 6929999)
- `rare`: first satoshi per difficulty adjustment period (total supply 3437)
- `epic`: the first satoshi after each halving (total supply is 32)
- `legendary`: first satoshi per cycle (total supply of 5)
- `mythic`: the first satoshi of the genesis block (total supply of 1)
This concept of rare Satoshi can add more fun and value to the Bitcoin ecosystem. Satoshis of different rarities may have different values in the market, attracting collectors and investors.
3. Inscription method
Ordinals are significantly different from NFTs on other non-Bitcoin chains. The main difference is that the metadata of Ordinals is not stored in a specific location. Instead, the metadata is embedded in the witness data (witness field) of the transaction, which is why we call it an "inscription": the data is "engraved" on a specific part of a Bitcoin transaction like an inscription, and it is attached to a specific Satoshi. This inscription process is realized through Segregated Witness (SegWit) and Pay-to-Taproot (P2TR), and includes two stages, commit and reveal. Any form of content such as text, image or video can be inscribed on the designated Satoshi. Below we will introduce another, more direct storage method, OP_RETURN, and explain why it is not used as a means of inscription. We will also introduce what Segregated Witness and Pay-to-Taproot are, and what role they play in inscriptions. Finally, we will introduce how inscriptions are made.
OP_RETURN
In version 0.9 of the Bitcoin Core client, the compromise was finally achieved through the adoption of the RETURN operator. **RETURN allows developers to add 80 bytes of non-payment data to the transaction output.** Unlike fake payments, RETURN creates an unambiguously verifiable unspendable output that does not need to be stored in the UTXO set. **RETURN outputs are recorded on the blockchain, so they consume disk space and increase the size of the blockchain, but they are not stored in the UTXO set, so they will not expand the UTXO memory pool, nor increase the expensive memory cost for full nodes.**
OP_RETURN is a very straightforward means of storing information on the Bitcoin blockchain, so it is also a potential means of inscription. But the limitations of OP_RETURN create some challenges when dealing with metadata storage. First of all, OP_RETURN can only store 80 bytes of data, which is obviously insufficient when a larger amount of data needs to be stored. Secondly, OP_RETURN data is stored in the transaction output part. Although this data is not stored in the UTXO set, it occupies the storage space of the blockchain, resulting in an increase in the size of the blockchain. Finally, using OP_RETURN results in higher transaction fees, as it costs more to post those transactions.
Segregated Witness
In contrast, the new method provided by SegWit can overcome the above problems. SegWit is an important protocol upgrade of Bitcoin, proposed by Bitcoin core developer Pieter Wuille in 2015, and finally officially adopted in version 0.16.0 in 2017. Segregated in Segregated Witness means separation and isolation, and Witness is a transaction-related signature. Therefore, SegWit separates certain transaction signature data (witness data) from transactions.
The main benefit of separating signatures from transaction-related data is that it reduces the size of the data stored in a Bitcoin block. This way each block has extra capacity to store more transactions, which also means that the network can process more transactions and senders pay lower fees. Technically speaking, it is to take the script signature (scriptSig) information out of the basic structure (base block) and put it in a new data structure. Nodes and miners doing verification work will also verify the script signature in this new data structure to ensure that the transaction is valid. The Segwit upgrade introduces a new witness field in transaction outputs to ensure privacy and performance. While witness data is not designed for data storage, it actually gives us an opportunity to store things like inscription metadata. Let us use the following figure to understand Segregated Witness more vividly:
***Pre-SegWit – Explanation of Transaction Structure (Percent Data Occupancy)***
***Post-SegWit – Explanation of Transaction Structure (Percent Data Occupancy)***
***Transaction data structure before and after SegWit***
Taproot
P2TR is a type of transaction output for Bitcoin, introduced in the Taproot upgrade in 2021, which enables different transaction conditions to be stored more privately on the blockchain. In the inscriptions of the Ordinals, P2TR plays a vital role. Inscriptions essentially embed specific data content into Bitcoin transactions, and Taproot upgrades, especially P2TR, make this embedded data more flexible and economical.
First of all, due to the way Taproot scripts are stored, we can store inscription content in Taproot script-path spending scripts, which have almost no restrictions in terms of content, and at the same time get the discount on witness data, making it relatively economical to store inscription content. Since Taproot script spends can only be made from already existing Taproot outputs, inscriptions employ a two-stage commit/reveal process. First, in the commit transaction, a Taproot output is created that commits to a script containing the inscription content. Then, in the reveal transaction, the output created by the commit transaction is consumed, revealing the inscription content on-chain.
This approach greatly reduces resource consumption. If P2TR is not used, the witness information is stored in the output of the transaction. In this way, as long as the output is not consumed, the witness information will always be stored in the UTXO set. In contrast, if P2TR is used, the witness information will not appear in the transaction generated during the commit phase, so it will not be written into the UTXO set. Only when this UTXO is consumed, the witness information will appear in the transaction input of the reveal phase. P2TR allows metadata to be written to the Bitcoin blockchain, but never appears in the UTXO set. Since maintaining/modifying UTXO sets requires more resources, this practice can save a lot of resources.
Inscription
The Ordinals protocol utilizes SegWit to relax the size limit on content written to the Bitcoin network, and stores inscription content in witness data. This makes it possible to store metadata up to 4MB. Taproot makes it easier to store arbitrary witness data in Bitcoin transactions, allowing Ordinals developer Casey Rodarmor to repurpose old opcodes (OP_FALSE, OP_IF, OP_PUSH) into what he describes as "envelopes" for storing arbitrary data, called "inscriptions."
The process of casting an inscription consists of the following two steps:
1. First, a Taproot output that commits to a script containing the inscription content needs to be created in the commit transaction. The storage format is Taproot: the output of the previous transaction is P2TR (Pay-To-Taproot), and the input of the next transaction embeds the inscription in the Taproot script of its witness. In that script, the string `ord` is pushed onto the stack first, to disambiguate inscriptions from other uses of the envelope. `OP_PUSH 1` indicates that the next push contains the content type, and `OP_PUSH 0` indicates that subsequent data pushes contain the content itself. Large inscriptions must use multiple data pushes, because one of the few limitations of Taproot is that a single data push cannot be larger than 520 bytes. At this point, the inscription data already corresponds to the UTXO of the transaction output, but it has not been made public.
2. Second, the output created by the commit transaction needs to be consumed in the reveal transaction. At this stage, a transaction is initiated by taking the UTXO corresponding to that inscription as input. At this point, the corresponding inscription content is released to the entire network.
Through the above two steps, the content of the inscription is bound to the inscribed UTXO. According to the positioning of Satoshi introduced above, the inscription is made on the first Satoshi of the input UTXO, and the content of the inscription is included in the input of the reveal transaction. According to the circulation and tracking of Satoshi introduced above, this Satoshi engraved with special content can be transferred, bought, sold, lost and recovered. It should be noted that the inscription cannot be repeated, otherwise the subsequent inscription will be invalid.
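The envelope layout from step 1 can be built and parsed in a few lines, which is also how a monitoring tool would recognize inscriptions in witness scripts. This is an added example, not code from the original article or from the ord project; it assumes the tags are encoded as a one-byte push for `1` and an empty push for `0`, and the 32-byte key and `OP_CHECKSIG` prefix in the sample script are constructed placeholders.

```python
# Added example: build and parse an inscription envelope as laid out in the steps above.
OP_FALSE, OP_IF, OP_ENDIF, OP_CHECKSIG = 0x00, 0x63, 0x68, 0xAC
OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E
MAX_PUSH = 520  # largest single data push


def push(data):
    """Encode one data push using the shortest push opcode."""
    n = len(data)
    if n > MAX_PUSH:
        raise ValueError("a single push cannot exceed 520 bytes")
    if n <= 75:
        return bytes([n]) + data                 # opcodes 0x00..0x4b are the length itself
    if n <= 255:
        return bytes([OP_PUSHDATA1, n]) + data
    return bytes([OP_PUSHDATA2]) + n.to_bytes(2, "little") + data


def build_envelope(content_type, body):
    script = bytes([OP_FALSE, OP_IF]) + push(b"ord")
    script += push(b"\x01") + push(content_type)  # tag 1: the next push is the content type
    script += push(b"")                            # tag 0: the remaining pushes are the content
    for i in range(0, len(body), MAX_PUSH):        # large content is split into 520-byte pushes
        script += push(body[i:i + MAX_PUSH])
    return script + bytes([OP_ENDIF])


def tokenize(script):
    """Split a script into (opcode, data) pairs; data is None for non-push opcodes."""
    i, toks = 0, []
    while i < len(script):
        op = script[i]
        i += 1
        if op > OP_PUSHDATA4:
            toks.append((op, None))
            continue
        width = {OP_PUSHDATA1: 1, OP_PUSHDATA2: 2, OP_PUSHDATA4: 4}.get(op, 0)
        n = int.from_bytes(script[i:i + width], "little") if width else op
        if i + width + n > len(script):
            raise ValueError("truncated push")
        i += width
        toks.append((op, script[i:i + n]))
        i += n
    return toks


def parse_inscription(script):
    """Return (content_type, body) for the first envelope in the script, or None."""
    toks = tokenize(script)
    for k in range(len(toks) - 2):
        if toks[k] == (OP_FALSE, b"") and toks[k + 1][0] == OP_IF and toks[k + 2][1] == b"ord":
            break
    else:
        return None
    content_type, body, in_body = None, bytearray(), False
    i = k + 3
    while i < len(toks):
        op, data = toks[i]
        if op == OP_ENDIF:
            return content_type, bytes(body)
        if data is None:
            return None                  # a non-push opcode inside the envelope
        if in_body:
            body += data                 # concatenate the content pushes
        elif data == b"":
            in_body = True               # tag 0 reached
        elif i + 1 < len(toks) and toks[i + 1][1] is not None:
            if data == b"\x01":
                content_type = toks[i + 1][1].decode("utf-8", "replace")
            i += 1                       # skip the value that belongs to this tag
        else:
            return None
        i += 1
    return None                          # OP_ENDIF never seen


if __name__ == "__main__":
    sample = push(bytes(32)) + bytes([OP_CHECKSIG]) + build_envelope(b"text/plain", b"hello")
    print(parse_inscription(sample))
```

Tokenizing the script before matching matters: a plain byte search for the `OP_FALSE OP_IF "ord"` pattern can also match inside the data of an unrelated push.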
We will illustrate this process in detail by engraving a small BTC NFT picture. This process mainly includes the two stages of commit and reveal mentioned above. First, we see that the Hash ID of the first transaction is **[2ddf9...f585c](https://www.blockchain.com/explorer/transactions/btc/2ddf90ddf7c929c8038888fc2b7591fb999c3ba3c3c7b49d54d01f8db4af585c)**. It can be noticed that the output of this transaction does not contain witness data, and there is no relevant inscription information in the web page.
BTC: https://www.blockchain.com/explorer/transactions/btc/2ddf90ddf7c929c8038888fc2b7591fb999c3ba3c3c7b49d54d01f8db4af585c
Next, we look at the records of the second stage, whose Hash ID is [e7454...7c0e1](https://www.blockchain.com/explorer/transactions/btc/e7454db518ca3910d2f17f41c7b215d6cba00f29bd186ae77d4fcd7f0ba7c0e1). Here, we can see the information of the Ordinals inscription, which is the inscription content of the witness. The input address of this transaction is the output address of the previous transaction, and the output of 0.00000546 BTC (546 Satoshi) sends this NFT to its own address. At the same time, we can also find the Satoshi where this inscription is located in [Sat 1893640468329373](https://ordinals.com/sat/1893640468329373).
Source: BTC
In the bitcoin wallet, we can see this asset. If we want to trade this NFT, we can directly send it to someone else’s address, that is, send this UTXO, thus completing the transfer of the inscription.
4. Bitcoin Wallet
Now that we understand the Ordinals ecosystem, the circulation of Satoshi and the related knowledge of inscriptions, we can see that there are already many application scenarios. Derivative protocols such as BRC-20, ORC-20, BRC-721 and GBRC-721 have emerged, and all of them need corresponding wallets to support and display token information or small NFT pictures. In this section, we will introduce the concepts and characteristics of different Bitcoin wallet addresses.
Bitcoin addresses start with 1, 3 or bc1. Like email addresses, they can be shared with other bitcoin users who can use them to send bitcoins directly to their own wallets. From a security standpoint, Bitcoin addresses do not have any sensitive content. It can be published anywhere without compromising the security of the account. Unlike email addresses, we can create new addresses anytime we want, all of which will deposit funds directly into your wallet. In fact, many modern wallets automatically create a new address for each transaction for maximum privacy. A wallet is simply a collection of addresses and keys to unlock the funds within. First of all, we need to know how the address of the Bitcoin wallet is generated.
Bitcoin private and public keys
Bitcoin adopts the elliptic curve [Secp256k1](https://en.bitcoin.it/wiki/Secp256k1). **The "private key" is a random number between 1 and n−1**, where **n** is a very large number (256 bits). n in scientific notation is approximately:
This range is so large that it is almost impossible for us to guess other people's private keys. This random integer private key can be represented by 256 bits, and there are many encoding methods. If the private key in WIF or WIF-compressed form is not encrypted, it can be decoded to get the original "random integer". Another way is [BIP38](https://github.com/bitcoin/bips/blob/master/bip-0038.mediawiki), which proposes to use the AES algorithm to encrypt the private key. The private key obtained by this scheme begins with the characters 6P, and this kind of private key requires a password before it can be imported into various Bitcoin wallets. This is the private key we usually use.
Then we use the elliptic curve formula K = kG to generate the Bitcoin public key K from the private key k, where G is the base point, a parameter of secp256k1. From the two coordinates of K we obtain the two representations of the public key, the "uncompressed format" and the "compressed format".
- Uncompressed form, which is to directly connect the two coordinates x and y together, and then add a 0x04 prefix in front;
- Compressed form, that is, when y is an even number, it is coded as 02 x, when y is an odd number, it is coded as 03 x;
Bitcoin address
The various types of Bitcoin addresses are shown in the figure below, and there are four representation methods:
Reference: https://en.bitcoin.it/wiki/Invoice_address
1. **Legacy (P2PKH) format**
Example: 1Fh7ajXabJBpZPZw8bjD3QU4CuQ3pRty9u
The address starts with "1", which is the original address format of Bitcoin and is still used today. It is obtained from the public key through Hash calculation, also known as P2PKH, which is the abbreviation of Pay To PubKey Hash (payment to public key hash).
2. **Nested SegWit (P2SH) format**
Example: 3KF9nXowQ4asSGxRRzeiTpDjMuwM2nypAN
The address starts with "3". P2SH is the abbreviation of Pay To Script Hash, which supports more complex functions than Legacy addresses. Nested P2SH takes the existing P2SH address (beginning with "3") and encapsulates it with the SegWit address.
3. **Native SegWit (Bech32) format**
Example: bc1qf3uwcxaz779nxedw0wry89v9cjh9w2xylnmqc3
Addresses beginning with bc1 are proposed in [BIP0173](https://en.bitcoin.it/wiki/BIP_0173), which are native Segregated Witness addresses. The Bech32-encoded address is an address format specially developed for SegWit. Bech32 was defined in BIP173 at the end of 2017. One of the main features of this format is that it is case-insensitive (the address only contains 0-9 and a-z), so it can effectively avoid confusion and be more readable when inputting. Since fewer characters are required in the address, the address uses Base32 encoding instead of the traditional Base58, making calculation more convenient and efficient. Data can be stored more tightly in QR codes. Bech32 provides higher security, a better optimized checksum error detection code, and minimizes the chance of invalid addresses.
Bech32 addresses are natively compatible with SegWit. No additional space is required to put SegWit addresses into P2SH addresses, so with Bech32 format addresses the handling fee will be lower. Bech32 addresses have several advantages over older Base58 addresses (Base58Check encoding is used to encode byte arrays in Bitcoin into human-typable strings): smaller QR codes; better error-proofing; more secure; case-insensitive; and composed only of lower case letters, so they are easier to read, type and understand.
4. **Taproot format (P2TR)**
Bech32 has a disadvantage: if the last character of the address is p, inserting or deleting any number of characters q immediately before p will not invalidate the checksum.
To alleviate the above shortcomings of Bech32, the Bech32m address is proposed in [BIP0350](https://github.com/bitcoin/bips/blob/master/bip-0350.mediawiki):
- For native segwit addresses with version 0, use previous Bech32;
- For native segwit addresses with version 1 (or higher), use the new Bech32m.
For Bech32m addresses, when the version is 1, they always start with **bc1p** (i.e. a Taproot address). Specifically, just like native segwit, a wallet can consist of a seed phrase and a passphrase. These are used to generate extended public and private keys for deriving addresses of arbitrary paths in hierarchical deterministic wallets. It mainly stores BRC-20 and NFT of BTC.
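The Bech32 weakness described above, and the effect of the Bech32m constant, can be observed directly on the checksum. This is an added example, not code from the original article; it uses the checksum algorithm and constants specified in BIP-173 and BIP-350, works on constructed data symbols that do not encode a real address, and skips the length and case checks a full address decoder performs.

```python
# Added example: Bech32 vs Bech32m checksum behaviour when "q" is inserted before a final "p".
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST = 1              # BIP-173
BECH32M_CONST = 0x2BC830A3    # BIP-350
GENERATOR = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]


def polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GENERATOR[i]
    return chk


def hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def encode(hrp, data, const):
    pm = polymod(hrp_expand(hrp) + data + [0] * 6) ^ const
    checksum = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)


def verify(addr, const):
    """Checksum check only; a real decoder also enforces length and case rules."""
    pos = addr.rfind("1")
    data = [CHARSET.find(c) for c in addr[pos + 1:]]
    if pos < 1 or len(data) < 6 or -1 in data:
        return False
    return polymod(hrp_expand(addr[:pos]) + data) == const


def string_ending_in_p(hrp, const):
    """Vary the last data symbol until the encoded string ends in 'p'."""
    base = [0] + [(7 * i + 3) % 32 for i in range(31)]   # constructed symbols, not a real address
    for last in range(32):
        s = encode(hrp, base + [last], const)
        if s.endswith("p"):
            return s
    raise RuntimeError("no candidate found")


def insert_q(addr, count=1):
    """Insert `count` characters 'q' immediately before the final character."""
    return addr[:-1] + "q" * count + addr[-1]


if __name__ == "__main__":
    old = string_ending_in_p("bc", BECH32_CONST)
    new = string_ending_in_p("bc", BECH32M_CONST)
    print(old, verify(insert_q(old, 2), BECH32_CONST))    # the mutated string still passes
    print(new, verify(insert_q(new, 2), BECH32M_CONST))   # the mutated string is rejected
```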