
Colored Coins BitcoinX (Coloredcoins.org)
Yoni Assia yoni.assia@etoro.com
Vitalik Buterin v@buterin.com
Leor Hakim liorhakim@gmail.com
Meni Rosenfeld meni@bitcoil.co.il

Abstract
Bitcoin is the world's first decentralized digital currency, allowing the easy storage and transfer of cryptographic tokens, using a peer-to-peer network to carry information, hashing as a synchronization signal to prevent double-spending, and a powerful scripting system to determine ownership of the tokens. There is a growing technology and business infrastructure supporting it. By the original design bitcoins are fungible, acting as a neutral medium of exchange. However, by carefully tracking the origin of a given bitcoin, it is possible to "color" a set of bitcoins to distinguish it from the rest. These bitcoins can then have special properties supported by either an issuing agent or by public agreement, and have value independent of the face value of the underlying bitcoins. Such colored bitcoins can be used for alternative currencies, commodity certificates, smart property, and other financial instruments such as stocks and bonds. Because colored coins make use of the existing Bitcoin infrastructure and can be stored and transferred without the need for a third party, and even be exchanged for one another in an atomic transaction, they can open the way for the decentralized exchange of things that are not possible by traditional methods. In this paper we will discuss the implementation details of colored coins and some of their use cases.

Background
The advent of Satoshi Nakamoto's Bitcoin in 2009 has fundamentally enlarged the scope of what can be done with cryptography. Before Bitcoin, any attempt to manage any kind of digital assets online without a centralized authority always ran into a fundamental problem that was thought to be intractable: the double-spending threat. If a digital asset is nothing but a file consisting of ones and zeroes, the theory went, what stops anyone from simply making a hundred copies of that file and thereby multiplying their own wealth? With a central authority, the problem is easy: the central authority can simply keep track of who owns what quantity of the digital asset. However, centralization is problematic for many reasons: a centralized authority creates a single point of failure which can be hacked, shut down due to regulatory pressure, or even leverage its privileged status to benefit itself at the wider community's expense. Although some abortive attempts were made by Wei Dai and Nick Szabo in 1998 and 2005 as well as Adam Back's hashcash, Bitcoin marks the first time that anyone has created a fully functional, viable decentralized solution, a solution which is rapidly gaining popularity and mainstream acceptance all around the world.

Because of its fully digital and decentralized design, Bitcoin offers a number of advantages over existing payment systems. Its transactional irreversibility provides for a high degree of security, allowing merchants to considerably cut costs in high-risk industries. Its lack of a centralized authority has rendered it invulnerable to so-called "financial censorship" attempts such as the financial blockade of Wikileaks by banks and credit card companies in 2011; while donations through the traditional financial system dropped by 95% as a result of the blockade, Bitcoin donations kept coming in at full steam the whole way through [1]. Its technical ease of use is allowing entrepreneurs around the world to start up prediction markets, notarization services, gambling sites, paywalls and many other types of businesses with zero startup cost in only a few weeks' worth of development work. Finally, most interestingly of all, the public nature of Bitcoin transactions potentially allows for a degree of radical transparency for businesses and nonprofit organizations that is simply not possible any other way. Although this area has not yet been fully developed in practice, one early example of such a system being implemented in practice is the "provably fair gambling" systems used by sites like SatoshiDice, allowing users to cryptographically verify that the site is not cheating on bets. Given all of these advantages, the natural question is: is it possible to use the same functionality for other applications as well?

The answer, it turns out, is yes. The fundamental innovation behind Bitcoin, that of using cryptographic proof of work to maintain a secure distributed database, is good for more than just the single limited-supply currency originally envisioned by Satoshi Nakamoto in 2009; exactly the same technology can be used to maintain ownership of company shares, "smart property", alternative currencies, bank deposits and much more. Anything which is (1) representable as a digital asset, and (2) a "rivalrous good", meaning that only one person can own it at a time, is potentially fair game for representation in the Bitcoin blockchain. However, Bitcoin does not include any facilities for doing this by default; to do any of these things, an additional protocol is required. And BitcoinX intends to accomplish just that.

Overview
The idea is to open up Bitcoin as we know it now into two separate layers: the underlying transactional network based on its cryptographic technology, and an overlay network of issuance of distinct instruments encapsulated in a design we call 'colored coins.' If we can issue many distinct instruments within the Bitcoin ecosystem, there are many potential use cases:

- A company might want to issue shares using colored coins, taking advantage of the Bitcoin infrastructure to allow people to maintain ownership of shares and trade shares, and even allow voting and pay dividends over the Bitcoin blockchain.
- Smart property: suppose there is a car rental company. The company can release one colored coin to represent each car, and then configure the car to turn on only if it receives a message signed with the private key that currently owns the colored coin. It can then release a smartphone app that anyone can use to broadcast a message signed with their private key, and put up the colored coins on a trading platform. Anyone will be able to then purchase a colored coin, use the car for whatever period of time using the smartphone app as a "car key", and sell the coin again at their leisure.
- A local community might wish to create a community currency, using the Bitcoin infrastructure to securely store funds.
- A company may wish to create a corporate currency, such as Air Miles rewards points, or even plain coupons.
- An issuer might wish to release a coin to represent deposits, allowing people to trade, for example, "Bitstamp USD coins" or some gold storage company's "gold coins".
- Decentrally managing ownership of digital collectibles such as original artworks: just like art collectors buy and sell original copies of famous paintings for millions of dollars today, colored coins allow us to do the same with purely digital objects, such as songs, movies, e-books and software, as well, by storing the current ownership of the work as a colored coin on the blockchain.
- Using colored coins to trade and manage access and subscription services. For example, a museum, a subway or an online service like Netflix may issue passes as colored coins and release a smartphone app that can be used to make a signature proving ownership of a pass in person, allowing these passes to be simultaneously transferable, fully digital and securely uncopyable.

Technical background: Bitcoin transactions
The fundamental object in the Bitcoin network is called a Bitcoin transaction. A Bitcoin transaction contains:

1. A set of inputs, each of which contains (i) the transaction hash and output index of one of the outputs of a previous transaction, and (ii) a digital signature which serves as cryptographic proof that the recipient of the previous transaction output authorizes this transaction.
2. A set of outputs, each of which contains (i) the value (amount of BTC) going to the output, and (ii) a script, which determines the conditions under which the output can be spent.

The precise nature of scripts and signatures is not important for the purposes of the colored coins protocol; a useful simplification is to think of the output script as a public key and the signature as a standard cryptographic digital signature made with the corresponding private key. Every output script maps to a unique Bitcoin address, and it is possible to efficiently convert back and forth between the two representations.

The algorithm for validating a transaction is as follows:

    INPUT_SUM = 0
    for input in inputs:
        prevtx = get_tx_from_blockchain(input.prev_out.hash)
        if prevtx == NULL:
            return FALSE
        if is_output_already_spent(prevtx, input.prev_out.index):
            return FALSE
        if not verify(input.sig, prevtx.outputs[input.prev_out.index].script):
            return FALSE
        INPUT_SUM += prevtx.outputs[input.prev_out.index].value
    OUTPUT_SUM = 0
    for output in outputs:
        OUTPUT_SUM += output.value
    if INPUT_SUM < OUTPUT_SUM:
        return FALSE
    return TRUE

Note that Bitcoin does not recognize the concept of "address balances"; that is simply a layer of convenience added on top by Bitcoin software. If your Bitcoin wallet tells you that you have 50 BTC, what that means is that there are 50 BTC worth of transaction outputs (perhaps one output of 50 BTC, perhaps four of 12.5 BTC; any combination works) whose output scripts correspond to your address.

But what if there is no set of transaction outputs that you can combine into a transaction to send exactly what you want? In that case, Bitcoin uses a concept called change. Essentially, you put more than you need to into the transaction, but you send the excess back to yourself in one of the outputs.

Usually, change goes into a new address to preserve privacy. Using these transactions, it's possible to maintain user account balances and send to other users any amount desired.

Genesis transactions
In order to issue a new color, one must release the coins of that color by creating a genesis transaction. A colored coin genesis transaction has specific rules that its inputs and outputs must follow.

Inputs

For the inputs of a genesis transaction, there are two cases to consider:

- Non-reissuable colors: in the non-reissuable case, the inputs are irrelevant; the issuer will not have any power once the transaction is issued, so all that matters is the transaction itself (specifically, its outputs).
- Reissuable colors: here, the issuer should choose one secure address as an issuing address, and set input 0 of the transaction to come from that address. Later on, the issuer will be able to issue more units of the color by creating another genesis transaction with the same address at input 0. Inputs 1+ of a genesis transaction are always irrelevant from the perspective of the colored coins protocol; the only purpose of adding additional inputs is if you do not have a single input capable of paying for the colored coin genesis all by itself. Also, note that one issuing address can be responsible for at most one reissuable color, and if an issuing address is responsible for any reissuable colors it cannot be responsible for any non-reissuable colors.

Outputs

The outputs of a colored coin genesis consist of a set of outputs sending the colored coins to their original owners, followed by one OP_RETURN data output, followed by one or more change outputs to send excess uncolored bitcoins back to the issuer. An OP_RETURN output is allowed to have 80 bytes to remain as a standard transaction, and all of the data identifying the transaction as a colored coin transaction will be inside this data field. The data field will be organized as follows:

    [0...4]: [0, 67, 67, 80, 0] (that's "CCP" padded with a zero byte on both sides)
    [5...6]: protocol version number (currently 0)
    [7...8]: reissuance policy (0 for non-reissuable, 65535 for infinitely reissuable from the genesis address)
    [9...79]: optional (data about the color)

The scheme is intended to be hierarchical; in the future, COLOR will always remain in bytes 0...4, and a version number will always be in bytes 5...6, but a future version may have a different intention for bytes 7...79 than to describe a reissuance policy and optional data. Even in the scope of version 0, a future reissuance policy may specify some data in bytes [9...79]. Currently, the data in bytes 9...79 can be in any format; one possibility is for the issuer to include the color's name and URL.

Note that, in the case of reissuable colors, a genesis address should be kept highly secure, since if an attacker manages to gain access to the genesis they will have unlimited power to issue new colored coins of that color. Thus, it is very strongly recommended that the address should be at least a 2-of-3 multisignature address, or perhaps even 3-of-5, with private keys held in cold storage. In the case of non-reissuable colors, the issuer needs no security unless they themselves intend to hold on to some portion of the colored coins, in which case the same security considerations apply to them as for any other digital assets.

Full clients that download the entire blockchain should attempt to process every genesis, and store information about as many colors as possible. Light clients, including web-based clients, should require users to import colors by submitting the transaction hash of the color genesis, at which point they query a server for the genesis transaction to extract the information about the color.

Example

    inputs: [
        17ztLiaGdWcWFX8CgYqWGQPEizepPLsSrb: 500000,
        19GAFukX9ixSDLy1p2UEed2mpDQ69QPUXr: 2125735,
        1MyK5te6U6zGoom68nVEzTU2x949ReNySN: 2500000
    ]
    outputs: [
        1LQhUnH2UY9cuLh8qvHUNPL3GgLVWU5ziD: 1000000,
        1PEFUd66e2Q7w4w4KisZRSaupNJz7K7dpL: 1000000,
        1PmqmJGRxpKx45FHLTBmteKQxViHgm4Mxi: 1000000,
        1DCo3v1gSqU6g2GGDz9d4BD35h9cARe5dy: 2000000,
        OP_RETURN: [0 67 67 80 0 0 0 255 255] + [0]*71,
        1MyK5te6U6zGoom68nVEzTU2x949ReNySN: 115735
    ]

First, we look at the outputs of the transaction. Note that the OP_RETURN output appears in position 5, and its first five bytes are [0 67 67 80 0] as specified by the protocol, so the transaction is a color genesis transaction and the outputs in positions 0-4 are all colored coin outputs. Hence, addresses 1LQhU, 1PEFU, and 1Pmqm will all have a color value of 990000, and address 1DCo3 will have a color value of 1990000 (the reason why 10000 is subtracted from each color value will become evident in the transfer transaction section; for now accept the idea that 10000 satoshis of padding is required for each output as a rule). Then, look at the OP_RETURN itself. Bytes 7-8 are [255 255], so the color is reissuable. The address of input 0 is 17ztLiaGdWcWFX8CgYqWGQPEizepPLsSrb, so the color will be reissuable by any future genesis transaction which also has 17ztLiaGdWcWFX8CgYqWGQPEizepPLsSrb as the address of its input 0.
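The genesis rules above can be checked mechanically. The following Python sketch is an added example, not code from the paper or from any colored coins client: it decodes the OP_RETURN data field and derives the color values and issuing address for the example transaction. The dict layout of the transaction, the function names, and the big-endian reading of the two-byte fields are assumptions made here.

```python
# Added example: interpret a colored coin genesis as laid out above.
# Transactions are plain dicts (a constructed representation, not a wire format).

MARKER = bytes([0, 67, 67, 80, 0])   # bytes 0...4: "CCP" padded with zero bytes
PADDING = 10000                      # satoshis treated as uncolored in each output
NON_REISSUABLE = 0
REISSUABLE = 65535


def parse_genesis_data(data):
    """Decode the OP_RETURN data field; return None if the marker is absent."""
    if not 9 <= len(data) <= 80 or data[:5] != MARKER:
        return None
    # Assumption: two-byte fields are big-endian. The paper gives no byte order;
    # the values it defines (0 and 65535) read the same either way.
    version = int.from_bytes(data[5:7], "big")
    if version != 0:
        # Only bytes 0...6 are guaranteed to keep their meaning in later versions.
        return {"version": version, "policy": None, "extra": data[7:]}
    policy = int.from_bytes(data[7:9], "big")
    return {"version": 0, "policy": policy, "extra": data[9:]}


def interpret_genesis(tx):
    """Return color information for a version 0 genesis, or None otherwise."""
    for pos, out in enumerate(tx["outputs"]):
        if "op_return" in out:
            break
    else:
        return None                  # no data output, so not a genesis
    fields = parse_genesis_data(out["op_return"])
    if fields is None or fields["version"] != 0:
        return None
    if fields["policy"] not in (NON_REISSUABLE, REISSUABLE):
        return None                  # unknown policy: refuse rather than guess
    # Outputs before the OP_RETURN are the colored ones; the first PADDING
    # satoshis of each are uncolored. Assumption: an output at or below the
    # padding carries no color value.
    colored = [(o["address"], max(0, o["value"] - PADDING))
               for o in tx["outputs"][:pos]]
    reissuable = fields["policy"] == REISSUABLE
    return {
        "reissuable": reissuable,
        # Only input 0 matters, and only for reissuable colors.
        "issuing_address": tx["inputs"][0]["address"] if reissuable else None,
        "colored_outputs": colored,
        "extra": fields["extra"],
    }


# The example transaction from the text, re-typed into the assumed dict layout.
EXAMPLE_TX = {
    "inputs": [
        {"address": "17ztLiaGdWcWFX8CgYqWGQPEizepPLsSrb", "value": 500000},
        {"address": "19GAFukX9ixSDLy1p2UEed2mpDQ69QPUXr", "value": 2125735},
        {"address": "1MyK5te6U6zGoom68nVEzTU2x949ReNySN", "value": 2500000},
    ],
    "outputs": [
        {"address": "1LQhUnH2UY9cuLh8qvHUNPL3GgLVWU5ziD", "value": 1000000},
        {"address": "1PEFUd66e2Q7w4w4KisZRSaupNJz7K7dpL", "value": 1000000},
        {"address": "1PmqmJGRxpKx45FHLTBmteKQxViHgm4Mxi", "value": 1000000},
        {"address": "1DCo3v1gSqU6g2GGDz9d4BD35h9cARe5dy", "value": 2000000},
        {"op_return": bytes([0, 67, 67, 80, 0, 0, 0, 255, 255]) + bytes(71),
         "value": 0},
        {"address": "1MyK5te6U6zGoom68nVEzTU2x949ReNySN", "value": 115735},
    ],
}

if __name__ == "__main__":
    print(interpret_genesis(EXAMPLE_TX))
```

A light client importing a color by genesis hash would run this kind of check on the transaction its server returns before trusting any claim about the color.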

Transfer transactions
In order to transfer colored coins, one must create a transfer transaction. A transfer transaction sends colored coins from one address to another, although transfer transactions can also be more complex, involving different colors and uncolored coins in one transaction. This version of the protocol will define a transfer algorithm known as tagging-based coloring, using the sequence number field on each input as a tag determining which outputs the coins from that input will go to. Specifically, the bottom binary digits of the sequence number are treated as a bit field; e.g. if the third digit from the right in the binary expansion of the sequence number is one, then color value from that input will go to output 2, otherwise it will not. Thus, each input ends up associated with a subset of the outputs. The algorithm then has color value flow from each input to each of its associated outputs in order. If an output ends up completely filled with color value of one color, it is treated as colored; otherwise, the output is uncolored.

The tagging-based algorithm also makes use of a concept called padding, a potentially adjustable parameter which is set to 10000 by default. The idea behind padding is that the first 10000 satoshis of each output are treated as uncolored, and the remainder is colored. This gets around anti-dust rules that prevent transaction outputs below a certain size.

The precise algorithm specification is as follows:

    padding = 10000
    for output in outputs:
        output.colorvalue = 0
        output.space = output.value - padding
    for i in [0 ... length(inputs) - 1]:
        inputs[i].space = inputs[i].value - padding
        # a sequence number of 4294967295 tags no outputs
        if inputs[i].sequence < 4294967295:
            for j in [0 ... length(outputs) - 1]:
                # bit j of the sequence number tags output j
                if floor(inputs[i].sequence / (2^j)) % 2 == 1:
                    transfer = min(inputs[i].space, outputs[j].space)
                    if inputs[i].colored:
                        outputs[j].colorvalue += transfer
                    outputs[j].space -= transfer
                    inputs[i].space -= transfer
    for output in outputs:
        if output.colorvalue == output.value - padding:
            output.colored = true
        else:
            output.colored = false

Examples:

    inputs: [
        { value: 10005, seq: 2, colored: true },
        { value: 10010, seq: 6, colored: true },
        { value: 10020, seq: 1, colored: false },
        { value: 100000, seq: 4294967295, colored: false }
    ]
    outputs: [
        { value: 10020 },
        { value: 10010 },
        { value: 10005 },
        { value: 90000 }
    ]

For the sake of human readability and intuitiveness, we won't quite follow the algorithm in the code; instead, we'll break the process down into two parts. First, we'll initialize all of the space and colorvalue variables, and determine which outputs each input goes to based on its sequence number. Space is always initialized to value minus padding for inputs and outputs, and colorvalue is initialized to zero for all of the outputs. To show how sequence numbers turn into output sets, look at input 1 for example. Input 1's sequence number, in binary form, is 00000000000000000000000000000110, of which only bits 1 and 2 are set to 1. If the sequence number is 4294967295, we treat that as being equivalent to a sequence number of zero (i.e. no outputs). This special rule is added so that non-colored-coin transactions, where the sequence number is nearly always 4294967295, can be safely ignored by the protocol.

    inputs: [
        { space: 5, outputs: [1], colored: true },
        { space: 10, outputs: [1, 2], colored: true },
        { space: 20, outputs: [0], colored: false },
        { space: 90000, outputs: [0, 1, 2, 3], colored: false }
    ]
    outputs: [
        { space: 20, cv: 0 },
        { space: 10, cv: 0 },
        { space: 5, cv: 0 },
        { space: 80000, cv: 0 }
    ]

Now, we process input 0. With input 0, only output 1 needs to be considered. With this input/output pair, we see that min(inputs[0].space, outputs[1].space) is 5, so we subtract 5 space from both and add 5 colorvalue to output 1. For the sake of brevity, we'll show the intermediate state in a more compressed form:

    inputs: [(0, [1], t) (10, [1, 2], t) (20, [0], f) (90000, [0, 1, 2, 3], f)]
    outputs: [(20, 0) (5, 5) (5, 0) (80000, 0)]

Next, we process input 1. With input 1, we first process output 1. min(inputs[1].space, outputs[1].space) = 5, so we change the state to:

    inputs: [(0, [1], t) (5, [1, 2], t) (20, [0], f) (90000, [0, 1, 2, 3], f)]
    outputs: [(20, 0) (0, 10) (5, 0) (80000, 0)]

With output 2, we see that both the input and the output have 5 space, so we go to:

    inputs: [(0, [1], t) (0, [1, 2], t) (20, [0], f) (90000, [0, 1, 2, 3], f)]
    outputs: [(20, 0) (0, 10) (0, 5) (80000, 0)]

Now, on to input 2. Input 2 has 20 space and output 0 has 20 space, so we subtract 20 space from both. However, input 2 is uncolored, so we add no colorvalue to output 0.

    inputs: [(0, [1], t) (0, [1, 2], t) (0, [0], f) (90000, [0, 1, 2, 3], f)]
    outputs: [(0, 0) (0, 10) (0, 5) (80000, 0)]

Input 3 has 90000 space, and matches no outputs because its sequence number is 4294967295, so we skip it. And we're done. We now look at the outputs:

    outputs: [
        { value: 10020, colorvalue: 0 },
        { value: 10010, colorvalue: 10 },
        { value: 10005, colorvalue: 5 },
        { value: 90000, colorvalue: 0 }
    ]

Outputs 1 and 2 have colorvalue matching the value - padding formula, and so are colored. Outputs 0 and 3 have no colorvalue, so they are uncolored. Fortunately, we have no outputs that are partially filled with colorvalue; if there were, that colorvalue would be destroyed. So what is this transaction? From our point of view, we see that colorvalue from inputs 0 and 1 flows to outputs 1 and 2. We also see that space flows from input 2 to output 0, but not colorvalue, and we see that space from input 3 goes nowhere. Chances are that this transaction is actually a trade, simultaneously moving the color that we are looking at from the owner of inputs 0 and 1 to the owner of outputs 1 and 2, and some other color that we are unaware of from input 2 to output 0. To see this more clearly, try running through the algorithm but with only input 2 colored. The space disappearing from input 3 is junk: that input exists simply to pay the transaction fee, and output 3 exists only to collect the change.

Reasoning for Choice of Tagging-Based Coloring

This tagging-based coloring algorithm has several advantages:

1. Minimal per-transaction metadata: with each transaction output, you do not need to store its colorvalue independently of its value, as colorvalue is always either value - padding if the output is colored or zero if it is uncolored. Additionally, in a multi-color context, the algorithm is designed in such a way that a transaction output can never have more than one color. Thus, the only metadata that should be stored with each transaction output is its color (or, potentially, uncolored).
2. Multi-color support: a transaction can be made containing satoshis of multiple colors, and the transaction can be processed even if you are not aware of some of the colors that are in the transaction. In fact, it may even be possible to use backward scanning (see next section) to automatically detect and import new colors upon seeing a transaction containing them.
3. No minimum sending amount: thanks to the padding parameter, Bitcoin's dust rule is circumvented, and a transaction can send even 1 colorvalue if desired.
4. Efficiency: if one is trying to determine the color of an output without any prior data, one would need to employ a backward scanning algorithm with potentially exponential growth in the number of outputs needed to scan over time. Because the sequence-based coloring algorithm ignores all default uncolored transactions, this process is massively sped up.
Weaknesses:

1. Bitcoin price dependence: if the Bitcoin price jumps by 100x, and the dust minimum (currently 5430 satoshis) changes to compensate, the padding amount will become expensive to send. Alternatively, if the price falls by 100x and the dust minimum increases, the padding will become insufficient.
2. Efficiency: although this algorithm makes massive improvements over more naive approaches such as order-based coloring, the backward scanning is still theoretically exponential (as one output can have multiple parent inputs), so a secure light client is still much less efficient with colored coins than with pure Bitcoin. We know of only two ways of alleviating this problem. First, one can have a color scheme that allows splitting but not recombining outputs, relying on an active issuer to do the recombination. By limiting each output to having one input as a parent, this solves the exponential growth problem. Second, one can move beyond colored coins to a separate specialized network, most likely a new cryptocurrency (altcoin) merged-mined with Bitcoin.
3. SIGHASH_ANYONECANPAY does not work. SIGHASH_ANYONECANPAY is an opcode that the signer of an input can add which, if translated into English, reads roughly as "I agree to send the funds contained in this input to the specified outputs, and I do not care what the other inputs are as long as they are sufficient to pay for the outputs." Normally, a signature signs the entire transaction, including specific inputs and outputs. With colored coins, SIGHASH_ANYONECANPAY does not work, since Bitcoin's scripting language is not color-aware, so there is no way to demand that the other transaction outputs be of any specific color. This is a fundamental limitation of colored coins.
4. Maximum 31 outputs per transaction: technically, 32 are possible, although the code would need to be more complicated to avoid accidentally making an input with sequence number 4294967295 (binary, 11111111111111111111111111111111) with the intention of sending that input to all outputs.

Backward Scanning: TODO
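The tagging-based transfer algorithm and its worked example can be run directly. The Python sketch below is an added example, not code from the paper: it colors the outputs of one transaction for a single color and reports how much color value the transaction destroys, which covers both the partially filled output case and a colored input spent with the default sequence number 4294967295. The function names, the dict layout, and the clamping of values below the padding are assumptions made here.

```python
# Added example: tagging-based coloring for a single color, as specified above.

PADDING = 10000
NO_TAG = 0xFFFFFFFF   # 4294967295, the default sequence number: tags no outputs


def color_outputs(inputs, outputs, padding=PADDING):
    """Return one dict per output: {'colorvalue': int, 'colored': bool}.

    inputs:  dicts with 'value', 'seq' and 'colored' (of the color examined).
    outputs: dicts with 'value'.
    """
    # Assumption: anything worth less than the padding has no space at all;
    # the specification does not say what happens in that case.
    out_space = [max(0, o["value"] - padding) for o in outputs]
    colorvalue = [0] * len(outputs)
    for inp in inputs:
        if inp["seq"] >= NO_TAG:
            continue                      # ordinary, untagged Bitcoin input
        space = max(0, inp["value"] - padding)
        for j in range(min(len(outputs), 32)):
            if (inp["seq"] >> j) & 1:     # bit j of the tag selects output j
                transfer = min(space, out_space[j])
                if inp["colored"]:
                    colorvalue[j] += transfer
                out_space[j] -= transfer
                space -= transfer
    result = []
    for out, cv in zip(outputs, colorvalue):
        colored = cv == out["value"] - padding
        # A partially filled output is uncolored and its color value is lost.
        result.append({"colorvalue": cv if colored else 0, "colored": colored})
    return result


def destroyed_colorvalue(inputs, outputs, padding=PADDING):
    """Color value that enters the transaction but ends in no colored output."""
    color_in = sum(max(0, i["value"] - padding) for i in inputs if i["colored"])
    color_out = sum(r["colorvalue"] for r in color_outputs(inputs, outputs, padding))
    return color_in - color_out


# The worked example from the text.
EXAMPLE_INPUTS = [
    {"value": 10005, "seq": 2, "colored": True},
    {"value": 10010, "seq": 6, "colored": True},
    {"value": 10020, "seq": 1, "colored": False},
    {"value": 100000, "seq": 4294967295, "colored": False},
]
EXAMPLE_OUTPUTS = [{"value": 10020}, {"value": 10010}, {"value": 10005},
                   {"value": 90000}]

# Constructed cases: 5 color value sent into an output with 20 space, and a
# colored input spent by a wallet that leaves the default sequence number.
PARTIAL_INPUTS = [{"value": 10005, "seq": 1, "colored": True}]
PARTIAL_OUTPUTS = [{"value": 10020}]
UNTAGGED_INPUTS = [{"value": 10005, "seq": NO_TAG, "colored": True}]
UNTAGGED_OUTPUTS = [{"value": 10005}]

if __name__ == "__main__":
    print(color_outputs(EXAMPLE_INPUTS, EXAMPLE_OUTPUTS))
    print(destroyed_colorvalue(PARTIAL_INPUTS, PARTIAL_OUTPUTS))
    print(destroyed_colorvalue(UNTAGGED_INPUTS, UNTAGGED_OUTPUTS))
```

A wallet can call a check like destroyed_colorvalue on a transaction before signing it and refuse to sign when the result is non-zero.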

Decentralized Exchange with Colored Coins
One beneficial feature of colored coins is the ability to easily do atomic swaps, that is, trade X units of coin A for Y units of coin B without either party needing to trust the other. The idea behind this is simple: have a multi-color transaction with an input of X units of coin A from party 1 and Y units of coin B from party 2, and an output of X units of coin A to party 2 and Y units of coin B to party 1. With OBC or padded OBC, this simply consists of putting the inputs and outputs in order: input and output 0 for coin A and input and output 1 for coin B.

Here is a more precise example in plain OBC, including a 10000 satoshi fee:

    {
        inputs: [
            { color: 'green', address: [A], value: 60000 },
            { color: 'blue', address: [B], value: 20000 },
            { color: 'uncolored', address: [B], value: 70000 }
        ],
        outputs: [
            { color: 'green', address: [B], value: 60000 },
            { color: 'blue', address: [A], value: 20000 },
            { color: 'uncolored', address: [B], value: 60000 }
        ]
    }

However, this is not enough to make a full exchange; a full exchange requires the ability for users to post orders (e.g. "I want to sell up to 50 X at a ratio of at least 3.3 Y for 1 X") and have those orders be enforceable. If an order is not enforceable, then anyone can spam the order book with false orders and thereby either manipulate or shut down the market outright. With colored coins, unfortunately, orders are not enforceable: anyone can make an order and refuse to sign any specific exchange transactions. Partially signed transactions with SIGHASH_ANYONECANPAY are powerless to solve the problem in most cases; if you are trying to sell colored coins for BTC, it is a viable solution, but if you are trying to buy colored coins anyone can defraud you by sending in uncolored coins, which the blockchain cannot distinguish from colored coins. Thus, a centralized, or at least semi-centralized, service is still required to act as a spam filter to make colored coin exchange a reality. However, the level of centralization is much less than between Bitcoin and other currencies, as the centralized service does not need to actually store any funds; the only task that it needs to perform is that of screening users to see if anyone is making false orders, and then forbid them from making further orders.

References
1. http://yoniassia.com/coloredbitcoin/ - Initial blog post on colored coins
2. https://bitcointalk.org/index.php?topic=101197.0 - Initial discussions on colored coins in bitcointalk
3. https://bitcoil.co.il/BitcoinX.pdf - Overview of colored coins by Meni Rosenfeld
4. http://nwotruth.com/wikileaksboycottstoobigtofailwithbitcoin/ - Wikileaks boycotts: too big to fail with Bitcoin
5. https://github.com/bitcoin/bitcoin/pull/2738 - Bitcoin 0.9 change
6. https://github.com/bitcoinx/coloredcointools/wiki/colored_coins_intro - Colored coins intro (describes OBC and POBC)
7. https://coloredcoins.org
8. https://github.com/killerstorm/BitcoinArmory/blob/color/p2ptrade.py - P2Ptrade
9. https://bitcointalk.org/index.php?topic=112007.0 - Discussion on atomic coin swapping
10. https://en.bitcoin.it/wiki/Smart_Property - Smart property
11. http://brownzings.blogspot.com/2013/06/analternatemoresimpleimplementation.html - An Alternate More Simple Implementation of Colored Coins, Paul Snow
12. http://vbuterin.com/coloredcoins/valuecalc.py - Dynamic programming algorithm for sending a desired number of satoshis under value-based coloring
13. Order-based weak coloring, overview and call for ideas:
14. Alex's order-based weak coloring:
15. https://github.com/killerstorm/BitcoinArmory - Armory version supporting colored coins
16. http://www.bitcoinx.org - Website of a growing community around a multiple currency on top of bitcoin payment system
17. http://szabo.best.vwh.net/idea.html
18. https://www.usenix.org/legacy/publications/library/proceedings/ec98/fujimura.html

An attempt to implement order-based weak coloring on bitcoinjs with a Chrome extension client: https://github.com/0i0/bitcoinjscolor https://github.com/0i0/bitcolorchromeex

Appendix: Alternative coloring algorithms
The more challenging part of developing the colored coins protocol is to determine a way of transferring colored coins from one address to another. For transactions with one input and one output, the problem is trivial: the color of the output can simply be the same as the color of the previous output that is spent by the input. If a transaction has multiple inputs and outputs, however, the situation is different: how do we know which inputs correspond to which outputs? As it turns out, figuring out a way of specifying this is more challenging than it seems; although several solutions do present themselves, they are all imperfect in their own ways.

Formally, what we care about is defining a function, ComputeOutputColors, that takes a transaction containing inputs and outputs, of the form:

    inputs = [{ value: [integer], colorvalue: [integer], }, ...]
    outputs = [{ value: [integer] }, ...]

And computes the "colorvalue" property of each output. Note that in this model we are looking at one color at a time. In most of the coloring schemes described here, it is possible to process many colors simultaneously, but that is not a requirement for a coloring scheme and we will show the one-color version for all coloring schemes for simplicity. In simpler coloring schemes, we have colorvalue = value for colored transactions (and of course colorvalue = 0 for uncolored transactions), but this does not always hold true for more complex schemes. The difference between value and colorvalue is this: an output's value is the number of satoshis in the output, according to the plain Bitcoin protocol, whereas its "color value" is the number of colored satoshis that it has. For example, in padded order-based coloring (see below) a transaction may have 60000 regular satoshis, but only 50000 colored satoshis. It could also go the other way around: under certain tagging-based coloring schemes, an output might have 10000 satoshis according to the Bitcoin protocol, but 10 million satoshis according to the coloring rules.

A full colored coins implementation, including the genesis transaction protocol and the transfer transaction protocol, should ideally have the following properties:

- Simplicity: the protocol should be as simple and easy to implement as possible. Ideally, a human should be able to look through an ordinary blockchain explorer and trace colored coins of a specific color down the transaction graph.
- Backward scanning: it should be possible to determine the color values of the inputs to a transaction from the color values of the outputs.
- Non-restrictiveness: as much of what one can do with bitcoins as possible should also be doable with colored coins. The transfer transaction protocol should not impose so many restrictions that it becomes impossible to, for example, make a multisignature transaction, a partially signed transaction or a timelocked transaction. Unfortunately, 100% non-restrictiveness is impossible given the current protocol; for example, a trust-free assurance contract, done by publishing a transaction with a given output and allowing anyone to add and sign their own input using SIGHASH_ANYONECANPAY to pool together funds to pay for the output, cannot work, as there is no way to distinguish a colored output from an uncolored output in scripts. However, the protocol should leave as much room as possible.
- Atomic tradeability: it should be possible to create a single transaction sending X units of color C1 from A to B and Y units of color C2 from B to A for any C1 and C2, provided that either (i) C1 and C2 use the same color protocol, or (ii) C2 = uncolored bitcoins. Ideally, color protocols should also be compatible with each other, but this is not critical.
- Efficiency: it should be possible to efficiently determine the color value of a given transaction output, ideally starting with zero information except the output and the color definition itself. Efficiency in this context does not have a clear definition; it is simply an empirical question of practicality (e.g. does it take 100 blockchain queries or 200000; can the queries be parallelized?)
- Space efficiency: colored coins transactions should impose a minimal amount of extra bloat on the Bitcoin blockchain compared to regular transactions.

Order-based Coloring
Order-based coloring is the original, and simplest, coloring algorithm. The best intuitive explanation for order-based coloring is this: say that every transaction has a "width" proportional to its total input value. One side of the transaction will have inputs, with each input having a width proportional to its value, and the other side will have outputs, with each output having a width proportional to its value. Now, suppose that colored water is flowing down (or right) in a straight line from the inputs to the outputs. The color of an output will be the color of the water that flows into the output, or uncolored if an output receives water from multiple colors.

Formally, the algorithm is defined as follows:

    i = 0
    offset = 0
    for j in [0 ... length(outputs) - 1]:
        col = true
        # value left over from the previous input also flows into this output
        if offset > 0 and inputs[i - 1].colorvalue == 0:
            col = false
        while offset < outputs[j].value:
            if inputs[i].colorvalue == 0:
                col = false
            offset += inputs[i].value    # consume input i so the loop advances
            i += 1
        if col:
            outputs[j].colorvalue = outputs[j].value
        else:
            outputs[j].colorvalue = 0
        offset -= outputs[j].value
    return outputs

Evaluation of OBC:

Simplicity: the algorithm is easy to code, and follows an intuitive model of the way that coloring "should" work.

Non-restrictiveness: aside from SIGHASH_ANYONECANPAY, there are no restrictions.

Atomic tradeability: atomic trades are very easy: input 0 and output 1 belong to A, and input 1 and output 0 belong to B.

Efficiency: efficiency is very problematic. There are two ways to calculate the color of an output: top-down, calculating the color of every transaction output starting from the genesis output by recursively applying the OBC algorithm, and bottom-up, starting from the output and looking back through as few ancestors as possible to conclusively determine the color. The top-down algorithm is obviously not efficient without precomputation. The bottom-up algorithm is also not efficient, as every output can have multiple parents, in some circumstances causing the number of ancestors that needs to be searched to blow up exponentially. Uncolored outputs are especially difficult to prove, as the entire blockchain would potentially need to be scanned all the way back to the coinbase transactions.

Space efficiency: OBC transactions take up exactly as much space as regular Bitcoin transactions.

Special considerations:

Order-based coloring also has another major weakness: the dust limit. Bitcoin enforces the requirement that all outputs in a standard Bitcoin transaction must contain at least 5430 satoshis (0.0000543 BTC), and transactions that fall afoul of this requirement will take days to confirm. This introduces the following problems:

Unique or near-unique colored coins (e.g. smart property, original art, digital baseball cards, etc) need to be treated specially, since it is very difficult to send an output of exactly one satoshi. The likely solution is to create a 6000 satoshi genesis output, and then treat the 6000 satoshis together as a single colored coin; anything less than 6000 in a single output would count as nothing. However, there is a choice to be made here: can the 6000 satoshis be split and then put back together again? If so, then there is no final criterion for coin destruction, which is potentially very problematic. If not, then the implementation does not constitute pure order-based coloring.

Stocks or currencies issued on top of colored coins would either have high minimum transaction values, or be expensive to set up. For example, if a company makes an IPO worth 10000 BTC on top of 100 BTC, the minimum amount of the stock that could be transacted would be worth 0.00543 BTC (~$1 as of the time of this writing). Note that on a lower level this is a problem for all coloring schemes described here: it is very expensive to create a color with more granularity than a few million units. Theoretically, however, it is possible to create coloring schemes that artificially add more granularity if the need arises.
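The "colored water" model of order-based coloring can be checked on concrete transactions. The following Python sketch is an added example, not code from the paper: it generalizes the per-color colorvalue test to named colors, and the TxIO type, the color names and the transaction values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class TxIO:
    value: int                    # satoshis
    color: Optional[str] = None   # None means uncolored

def obc_color_outputs(inputs: List[TxIO], outputs: List[TxIO]) -> List[Optional[str]]:
    """Color each output by the inputs whose satoshi range overlaps it."""
    # Lay the inputs end to end: each one covers [start, end) on the satoshi axis.
    spans, pos = [], 0
    for inp in inputs:
        spans.append((pos, pos + inp.value, inp.color))
        pos += inp.value
    total_in = pos

    colors, out_start = [], 0
    for out in outputs:
        out_end = out_start + out.value
        if out_end > total_in:
            raise ValueError("outputs exceed inputs")
        feeding = {c for (s, e, c) in spans if s < out_end and e > out_start}
        # Exactly one color feeding the output keeps it; a mix (or only
        # uncolored water) leaves the output uncolored.
        color = next(iter(feeding)) if len(feeding) == 1 else None
        out.color = color
        colors.append(color)
        out_start = out_end
    return colors

def atomic_trade():
    # Constructed swap: input 0 and output 1 belong to A, input 1 and output 0 to B.
    inputs = [TxIO(6000, "gold"), TxIO(8000, "stock")]
    outputs = [TxIO(6000), TxIO(8000)]
    return obc_color_outputs(inputs, outputs)   # ['gold', 'stock']

def misaligned():
    # Constructed failure: output 0 straddles a colored and an uncolored input.
    inputs = [TxIO(6000, "gold"), TxIO(8000, None)]
    outputs = [TxIO(7000), TxIO(6000)]
    return obc_color_outputs(inputs, outputs)   # [None, None]
```

In the misaligned case the 6000 gold satoshis are destroyed as a color even though no value is lost, which is why wallets have to build OBC transactions with exact input and output ordering.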

Padded Order-Based Coloring
Padded order-based coloring is a somewhat more complicated approach that addresses some of the concerns around order-based coloring. Essentially, the idea is to treat every transaction output as having a "padding" of a certain number of uncolored satoshis, with the colored satoshis following. Aside from this, the algorithm is similar to OBC, although it is more restrictive.

The algorithm works by splitting up the list of transaction inputs and outputs into "sequences", where a sequence consists of a set of inputs and outputs that perfectly line up with each other. For example, if a transaction has inputs of size 6, 6, 6, 7, 5, 3 (not including padding) and outputs of size 9, 9, 10, 2, 2, 1, then the sequences would be [[6, 6, 6], [9, 9]], [[7, 5], [10, 2]] and [[3], [2, 1]]. Within each sequence, if all inputs have the same color then the outputs are of that color, and otherwise the outputs are uncolored. This extra layer of restrictiveness is added to allow clients to recognize a large subset of normal Bitcoin transactions as uncolored and therefore immediately discard them. The code is as follows:

    j = 0
    offset = 0
    padding = 10000
    sequences = []
    current_input_seq = []
    current_output_seq = []
    for i in [0 ... length(inputs) - 1]:
        if inputs[i].value < padding:
            break
        offset += (inputs[i].value - padding)
        # stop at the end of the output list instead of indexing past it
        while offset > 0 and j < length(outputs):
            if outputs[j].value < padding:
                break
            offset -= (outputs[j].value - padding)
            current_output_seq.append(outputs[j])
            j += 1
        if j < length(outputs) and outputs[j].value < padding:
            break
        current_input_seq.append(inputs[i])
        if offset == 0:
            sequences.append({ inputs: current_input_seq, outputs: current_output_seq })
            current_input_seq = []
            current_output_seq = []
    for output in outputs:
        output.colorvalue = 0
    for seq in sequences:
        col = true if (seq.inputs[0].colorvalue > 0) else false
        for input in seq.inputs:
            if !input.colorvalue:
                col = false
        if col:
            for output in seq.outputs:
                output.colorvalue = output.value - padding

Evaluation:

Simplicity: the algorithm is considerably more complex, and less intuitive, than plain OBC. Furthermore, creating transactions with more outputs than inputs (or vice versa) adds an extra layer of complexity, as a transaction may need to have an extra input or output to pay for or collect excess padding.

Non-restrictiveness: in some ways, padded OBC is actually slightly less restrictive than plain Bitcoin, as it becomes practical to send a single satoshi of a given color. On the other hand, SIGHASH_ANYONECANPAY is still unusable.

Atomic tradeability: atomic trades are very easy.

Efficiency: padded OBC wins over traditional OBC on one count: it can sometimes detect non-colored-coin transactions, thereby in many cases prematurely ending the search. This usually happens when, in non-colored-coin transactions with multiple inputs and outputs, the number of inputs and outputs does not match up, leading to the coloring algorithm discovering no sequences. For even greater efficiency, one can always add more restrictions, for example outright mandating that the number of inputs and outputs must be the same, and forbidding outputs smaller than the padding. Aside from this, however, the fact that a potentially exponential upward search may be required still remains.

Space efficiency: OBC transactions take up exactly as much space as regular Bitcoin transactions.
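The sequence splitting of padded OBC, and the way it lets a client discard ordinary transactions, can be reproduced with the sizes from the example above. This Python sketch is an added example, not the paper's code: the function names and the color labels are assumptions, and the satoshi values are constructed by adding the 10000-satoshi padding to the paper's sizes.

```python
PADDING = 10000  # uncolored satoshis assumed at the front of every input and output

def find_sequences(in_values, out_values, padding=PADDING):
    """Return [(input_indices, output_indices), ...] for runs that line up exactly."""
    sequences, cur_in, cur_out = [], [], []
    offset, j = 0, 0
    for i, value in enumerate(in_values):
        if value < padding:
            break                          # input too small to carry the padding
        offset += value - padding
        cur_in.append(i)
        small_output = False
        while offset > 0 and j < len(out_values):
            if out_values[j] < padding:
                small_output = True        # output too small to carry the padding
                break
            offset -= out_values[j] - padding
            cur_out.append(j)
            j += 1
        if small_output:
            break
        if offset == 0:                    # inputs and outputs line up: close the run
            sequences.append((cur_in, cur_out))
            cur_in, cur_out = [], []
    return sequences

def color_outputs(in_colors, in_values, out_values, padding=PADDING):
    """in_colors[i] is a color name or None. Returns (color, colorvalue) per output."""
    result = [(None, 0)] * len(out_values)
    for ins, outs in find_sequences(in_values, out_values, padding):
        colors = {in_colors[i] for i in ins}
        if len(colors) == 1 and None not in colors:
            color = colors.pop()
            for j in outs:
                result[j] = (color, out_values[j] - padding)
    return result

# Constructed values: the paper's sizes 6,6,6,7,5,3 and 9,9,10,2,2,1 plus padding.
INS = [10006, 10006, 10006, 10007, 10005, 10003]
OUTS = [10009, 10009, 10010, 10002, 10002, 10001]
```

find_sequences(INS, OUTS) returns the three sequences listed in the text, while an ordinary payment such as find_sequences([50000, 30000], [79000]) returns no sequences at all, so the upward search stops there.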

Alternative Tagging-based Coloring
There is also an alternative coloring algorithm, which uses tagging to determine not the permutation, but rather the coloring itself. The last two digits of the output value are used to represent the color of the output. However, because there is a risk of collisions (in fact, with 101 colors at least two must have the same two-digit ID), we assign to each color ten two-digit IDs, and give the user's client the freedom to pick a color ID that is unique to a particular color in the event of an atomic swap. The version described here is a formalization and minor modification of an algorithm described by Paul Snow. [8]

    padding = 10000
    for output in outputs:
        tag = output.value % 100
        output.color = "uncolored"
        if tag > 0:
            for i in [0 ... 9]:
                if SHA256(get_color_definition(color) + i) == tag:
                    if output.value >= padding:
                        output.colorvalue = output.value - padding

Unlike the other algorithms, this one does need to be followed up by a value consistency check:

    cv = 0
    for input in inputs:
        cv += input.colorvalue
    for output in outputs:
        cv -= output.colorvalue
    if cv < 0:
        for output in outputs:
            output.colorvalue = 0

Evaluation:

Simplicity: the algorithm is easy to implement. However, there is one complication: an output can have multiple colors at the same time. Surprisingly though, even if that does happen it is possible to construct a transaction to split the multi-colored output into separate single-colored outputs.

Non-restrictiveness: one could maliciously construct a color which cannot be exchanged for a given other color in 10^20 steps (or two colors which are mutually incompatible in 10^10 steps). Also, not all transaction sizes are possible. However, statistical tests show that any amount of more than 2000 satoshis can nearly always be built from multiple outputs, and an efficient dynamic programming algorithm exists to find a way of doing so [9].

Atomic tradeability: atomic trades are very easy.

Efficiency: the algorithm will nearly always be able to detect and avoid processing uncolored transactions, so the upward search will be limited to transactions of a given color. This essentially provides the maximum possible efficiency with any output-based coloring scheme.

Space efficiency: no extra data cost required.
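Because a tag is just the last two digits of an output value, anyone can produce an output that carries a color's tag, and the value consistency check is what keeps such an output from counting. The Python sketch below is an added example, not the paper's code. It assumes a two-digit ID is derived as SHA256(definition + i) mod 99 + 1, a mapping the paper does not specify, and the function names and the color definition string used with it are constructed.

```python
import hashlib

PADDING = 10000

def color_ids(definition: str, n: int = 10):
    """Ten two-digit IDs for a color (ASSUMED mapping: SHA256 mod 99, plus 1)."""
    ids = []
    for i in range(n):
        digest = hashlib.sha256(f"{definition}{i}".encode()).digest()
        ids.append(int.from_bytes(digest, "big") % 99 + 1)   # always 1..99
    return ids

def tagged_colorvalue(value: int, definition: str, padding: int = PADDING) -> int:
    """Colorvalue an output claims for this color, judged from its tag alone."""
    tag = value % 100
    if tag > 0 and tag in color_ids(definition) and value >= padding:
        return value - padding
    return 0

def validate_tx(input_colorvalues, output_values, definition):
    """Apply the value consistency check; return the accepted output colorvalues."""
    out_cv = [tagged_colorvalue(v, definition) for v in output_values]
    if sum(input_colorvalues) - sum(out_cv) < 0:
        return [0] * len(out_cv)   # outputs claim more color than the inputs carry
    return out_cv
```

With a constructed definition d and tag t = color_ids(d)[0], validate_tx([25000], [30000 + t], d) keeps the output's colorvalue, while validate_tx([15000], [30000 + t], d) zeroes it because the inputs cannot back the claim.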

Per-Satoshi Tracking
Per-satoshi tracking is another form of order-based coloring, but which is very limited in scope. Unlike OBC or tagging-based coloring, which seek to assign colors to outputs, per-satoshi tracking assigns a color to each satoshi in an output.

Algorithm:

    def getParent(tx, index, offset):
        total_offset = 0
        for i in [0 ... index - 1]:
            total_offset += tx.outputs[i].value
        total_offset += offset
        j = 0
        # offsets are zero-based, so an offset equal to the input's value
        # already belongs to the next input
        while total_offset >= tx.inputs[j].value:
            total_offset -= tx.inputs[j].value
            j += 1
        # j is the position of the input within tx
        return (get_previous_tx(tx.inputs[j]), j, total_offset)

getChild works similarly but in reverse. Note that these functions do not compute colors; they simply track a single satoshi as it makes its way down the blockchain, with the understanding that one particular satoshi will always have the same color.

The main advantage of this is efficiency: there is no risk of exponential blowup, as each satoshi has only one parent. However, for most cases this protocol also introduces an impractical amount of inefficiency, as most outputs have many thousands, or even millions, of satoshis. Thus, this is a special-purpose protocol, limited to unique colored coins such as collectibles and smart property. However, for that purpose, it provides an incredibly useful and lightweight implementation of colored coins.

Since individual satoshis cannot practically be sent due to the dust limit, a colored satoshi would likely come pre-packaged with 10000 satoshis of padding. A genesis transaction would, by convention, publish one satoshi per output, always at offset zero, and then the satoshi would be passed around along with its padding.
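Following one satoshi back to its genesis output takes a single lookup per transaction, and it also shows what happens when a transfer does not keep the satoshi at offset zero. This Python sketch is an added example, not the paper's code: the dictionary layout, the prev_txid and prev_index field names, the transaction ids and all values are constructed for illustration.

```python
# Constructed transactions (not real chain data). Each input records the outpoint
# it spends (prev_txid, prev_index) and its value; outputs are values in satoshis.
TXS = {
    "genesis": {"inputs": [{"prev_txid": "fund0", "prev_index": 0, "value": 21002}],
                "outputs": [10001, 10001]},
    "aligned": {"inputs": [{"prev_txid": "fund1", "prev_index": 0, "value": 20000},
                           {"prev_txid": "genesis", "prev_index": 0, "value": 10001}],
                "outputs": [20000, 9001]},
    "shifted": {"inputs": [{"prev_txid": "fund2", "prev_index": 0, "value": 20000},
                           {"prev_txid": "genesis", "prev_index": 1, "value": 10001}],
                "outputs": [19000, 10001]},
}

def get_parent(tx, index, offset):
    """Return (prev_txid, prev_index, offset) of the satoshi at `offset` in output `index`."""
    if not 0 <= offset < tx["outputs"][index]:
        raise ValueError("offset outside the output")
    total = sum(tx["outputs"][:index]) + offset
    for inp in tx["inputs"]:
        if total < inp["value"]:          # zero-based offset falls inside this input
            return inp["prev_txid"], inp["prev_index"], total
        total -= inp["value"]
    raise ValueError("outputs exceed inputs")

def traces_to(txs, txid, index, offset, genesis):
    """Follow the single-parent chain; True if it reaches the genesis satoshi."""
    while (txid, index, offset) != genesis:
        tx = txs.get(txid)
        if tx is None or not tx["inputs"]:   # unknown or coinbase: not this color
            return False
        txid, index, offset = get_parent(tx, index, offset)
    return True
```

In the "aligned" transfer the satoshi at offset zero of output 1 traces to ("genesis", 0, 0). In "shifted", offset zero of output 1 traces to an uncolored funding input, and the colored satoshi now sits at offset 1000, so a wallet that only checks offset zero would treat the coin as lost.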
