The Immutable Stock and the Unbounded Flow
How a Fixed Number of Satoshis Settles an Arbitrary Number of Payments
The Immutable Stock and the Unbounded Flow
How a Fixed Number of Satoshis Settles an Arbitrary Number of Payments
Keywords: Bitcoin; satoshi; protocol immutability; consensus rules; original protocol; hash chains; payment channels; blind signatures; e-cash; SIGHASH; nSequence; off-chain transactions; nChain; micropayments; settlement.
There is a recurring category error in commentary on Bitcoin. The error is to treat the quantity of money as if it were the quantity of payments. A fixed monetary base is read as a fixed transactional capacity, and the conclusion is drawn that a network capped at roughly twenty-one million units, each divisible into one hundred million parts, can mediate only some bounded number of economic exchanges before it exhausts itself. That conclusion is false. It confuses a stock with a flow. The number of monetary units is fixed by the protocol; the number of times those units may change hands between settlements is not. The two quantities are governed by different parts of the system, and conflating them produces a misdescription of what Bitcoin is and what it can do.
This essay makes the distinction precise. It establishes, first, what is actually fixed in the protocol and in what sense it is fixed. It then shows that the transactional capacity of the system is not bounded by the monetary base, because cryptographic techniques that predate Bitcoin by decades — Lamport’s hash chains (1981), Chaum’s blind signatures (1983), and Rivest and Shamir’s PayWord micropayment scheme (1997) — together with the transaction-replacement mechanism present in the original protocol (Nakamoto, 2009) and the payment-channel construction later formalised by Decker and Wattenhofer (2015), decouple the count of payments from the count of on-chain settlements. A single satoshi, even priced at ten cents, can mediate an arbitrarily large number of transfers before any of them touches the ledger. The engineering of this decoupling has been disclosed in detail in the patent corpus of nChain, several documents of which are examined below.
A point of reference is set at the outset, because the analysis depends on it. The constants and mechanisms cited here are those of the protocol as Satoshi Nakamoto released it in the version 0.1 source code (Nakamoto, 2009). That rule set is the original Bitcoin protocol, and it is preserved by the Bitcoin SV node implementation (Bitcoin SV Node developers, n.d.). A chain that alters those rules — that changes the unit, the issuance schedule, the script grammar, or the block constraints — is, by the argument of Section II, a fork that has departed from the protocol. The thesis is not that Bitcoin is metaphysically unalterable. It is the sharper claim that the monetary base is immutable in the only sense that matters — consensus immutability under the original rules — and that this immutability is fully compatible with unbounded payment flow.
The principle is stated once and then defended: the stock is fixed; the flow is not; the second fact is what makes the first economically tolerable.
I. What Is Actually Fixed
Begin with the unit. In the original protocol, one bitcoin is divisible to eight decimal places, and the smallest representable quantity — the satoshi — is one hundred-millionth of a bitcoin. This is not a convention of user interfaces. It is the representation used throughout the source: the monetary constant COIN is defined as one hundred million (100,000,000), the constant CENT as one million (1,000,000), and amounts are formatted as a whole part and an eight-digit fractional part computed by integer division and modulo against COIN (Nakamoto, 2009, main.h). One bitcoin is exactly 100,000,000 satoshis. There is no fractional satoshi at the base layer; the amount type admits no smaller denomination, and no validating node will accept a transaction output that purports to carry one.
The issuance ceiling is a second, distinct fact, and the distinction is routinely missed. There is no line of code that states a total supply of twenty-one million. The ceiling is implicit: it emerges from the block-subsidy schedule. In the original source, the subsidy starts at fifty bitcoin (computed as 50 × COIN) and is halved every 210,000 blocks by an integer right-shift of the subsidy value by the block height divided by 210,000 (Nakamoto, 2009, main.cpp, GetBlockValue). The right-shift is integer floor-division by a power of two, so each halving truncates any remainder. Summing the schedule gives the exact maximum issuable quantity. There are thirty-three epochs in which the integer subsidy is non-zero. Each epoch issues 210,000 blocks; epoch k (counting from zero) pays a per-block subsidy of fifty bitcoin in satoshis — that is, 5,000,000,000 satoshis — shifted right by k, with the remainder discarded. The total is the sum, over the thirty-three epochs, of two hundred and ten thousand blocks times the truncated per-block subsidy:
∑k=032 210,000 × ⌊5,000,000,000 ÷ 2k⌋ = 2,099,999,997,690,000 satoshis.
This is 2,099,999,997,690,000 satoshis, equivalent to 20,999,999.9769 bitcoin — a figure that is 2,310,000 satoshis short of the round product 21,000,000 × 100,000,000. The shortfall is the accumulated integer truncation across the halvings. The cap is therefore not a number asserted anywhere; it is a consequence of the issuance rule, derivable from it, and enforced by the absence of any code path that mints coin outside the schedule. (The reader may confirm the figure by direct summation of the series above; nothing in the calculation depends on any secondary source.)
Two observations follow immediately. The first is that neither the satoshi denomination nor the issuance ceiling appears in the founding paper. Nakamoto’s (2008) paper describes a chain of digital signatures, a proof-of-work timestamp server, and an incentive in the form of newly minted coin, but it states no figure for total supply and no decimal precision for the unit. The eight-decimal satoshi and the implicit twenty-one-million ceiling are properties of the released protocol (Nakamoto, 2009), not of the document that preceded it. The second observation is that these properties are enforced by the same mechanism that enforces everything else: independent validation by every full node against a shared rule set. A transaction that violates the supply rule is not rejected by an authority. It is rejected by each node that checks it, because the rule is encoded in the validation logic each node runs.
This is the precise content of the word immutable. It does not mean that the numbers are written into the fabric of the universe. It means that they are fixed by the rules every participant independently enforces, such that no participant — and no coordinated subset short of the whole — can change them while still transacting on the same ledger. The immutability is computational and economic, and it is the strongest kind available to a system that has no central administrator.
II. Why the Count Cannot Be Changed Without Becoming a Different Ledger
The decisive argument is not that the satoshi count is hard to change. It is that any change to it produces a different object. Consider the attempt. Suppose some coalition wished to raise the issuance ceiling, to subdivide the satoshi into smaller parts, or to alter the halving schedule so as to mint additional coin. To do so, that coalition must run software that accepts as valid the very transactions and blocks that the original rule set rejects. The moment such a block is produced and accepted by that coalition, its chain diverges from the chain validated under the original rules. Nodes running the original rules reject the coalition’s block; the coalition’s nodes accept it. There are now two ledgers.
This is the ordinary structure of a hard fork, and its consequence is categorical rather than incremental. The original ledger continues, unaltered, validated by everyone who did not change their rules. The new ledger is a distinct asset with a distinct rule set and a distinct history from the point of divergence. To say that “Bitcoin’s supply was increased” by such an action is a misuse of the word Bitcoin. The supply of the original chain was not increased; a second chain was created whose supply differs. The party that changed the rules is, definitionally, the party that forked away. The original protocol is whatever the unchanged rule set validates, and the coins on it remain governed by the original schedule. (This is not a merely abstract point: implementations descended from forks even carry the trace of their departure in their own source comments, where the monetary sanity-check is annotated with a unit symbol other than that of the original chain — a small but telling artefact of having branched.)
The point generalises to every consensus parameter, but it bites hardest on the monetary ones, because the monetary parameters are precisely what holders are relying on when they value the asset. A holder of bitcoin holds a claim denominated in a unit whose total quantity is bounded by a schedule no single party can revise. The credibility of that bound is not a promise made by an institution; it is a property of the fact that revising it requires abandoning the ledger on which the claim exists. The immutability of the satoshi count is therefore not a feature bolted onto Bitcoin. It is constitutive of what the asset is. Remove it and you do not have a modified Bitcoin; you have something else that shares an ancestor.
The reader who wishes to press the objection — “but a sufficiently dominant coalition could simply impose new rules and call the result Bitcoin” — has not escaped the argument. Naming is not validation. The chain that the original rules accept is the chain that the original software produces, and that software does not stop running because a coalition wishes it would. The dispute over the name is a social dispute; the existence of the original ledger under the original rules is a technical fact independent of the dispute. The fixed stock is fixed in exactly this sense, and no stronger sense is needed.
III. The Category Error: Unit Count Is Not Transactional Capacity
Having fixed the stock, turn to the flow, and to the error that motivates this essay. The error reasons as follows: there are about 2.1 × 1015 satoshis; therefore there can be at most some number of payments proportional to that figure; therefore a monetary base this small cannot serve as global payment infrastructure. Every step after the first is a non sequitur.
The number of satoshis bounds the number of distinct simultaneously-held balances expressible at one instant. It does not bound the number of payments, because a payment is a transfer of control, and the same unit may be transferred again and again. A single satoshi that moves from Alice to Bob, then from Bob to Carol, then from Carol to Dave, has mediated three payments while remaining one satoshi. Over a year, with sufficient velocity, that satoshi can mediate an enormous number of transfers. The bound on payments is set by velocity and settlement architecture, not by the size of the monetary base. This is elementary monetary economics — the same physical banknote settles many purchases in its lifetime — and it applies with greater force to a digital bearer instrument that need not be physically transported between transfers.
The crucial refinement, and the one that the patent and cryptographic literature makes concrete, is that most of those transfers need not be recorded on the ledger at all. On-chain settlement is one mode of transfer; it is not the only mode. A payment can be effected by handing over a cryptographic object that the recipient can later convert into an on-chain settlement at a time of their choosing, or that the recipient can pass onward to a third party without settling. Between the funding of a position and its final settlement, the number of economically binding transfers is limited only by the construction used to represent them. The constructions that achieve this are old, well understood, and provably secure. I take them in turn.
IV. Hash Chains: Many Payments from One Anchor
The oldest of the relevant primitives is the hash chain, introduced by Lamport (1981) for password authentication and adapted to payments by Rivest and Shamir (1997). Lamport’s construction is austere. Take a one-way function — a function easy to compute and infeasible to invert — and a secret seed x. Apply the function n times to obtain hn(x). Publish that terminal value as a commitment. To authenticate the first time, reveal hn−1(x); the verifier confirms that applying the function once yields the published hn(x). To authenticate the second time, reveal hn−2(x); and so on, walking backward along the chain. Each revealed value can be checked against the previously revealed one, and no earlier value can be forged from a later one because the function cannot be inverted. A single published commitment thereby supports n successive authentications (Lamport, 1981).
Rivest and Shamir (1997) turned the authentication chain into a payment chain. In PayWord, a user commits to the tip of a hash chain and signs that commitment once. Each preimage along the chain — each “payword” — is then redeemable as a unit of payment to a vendor. The user spends by releasing successive paywords; the vendor accumulates them and redeems the highest one received, which certifies the total. The economic significance is structural: one signature and one commitment underwrite a long sequence of micropayments, and only the aggregate need be settled. Rivest and Shamir designed the scheme precisely because public-key operations are expensive relative to hash evaluations, and a payment system that required a signature per micropayment would be crushed by its own cryptographic overhead. The hash chain amortises one expensive commitment over n cheap transfers.
Map this onto the satoshi. Suppose a channel or escrow is anchored by a fixed quantity of satoshis. A hash chain of length n committed against that anchor permits n incremental transfers of value, each verifiable, each binding, none requiring an on-chain transaction until settlement. If n is one million, one anchoring of the fund supports one million payments. The fund did not grow; the satoshis in it were not multiplied; the flow through them was multiplied by n. The stock is untouched. The flow is bounded by the length of the chain, which is a free parameter chosen by the participants, not by the monetary base.
V. Payment Channels: Many Updates per Settlement
Hash chains give a one-directional, monotone sequence of payments. Payment channels generalise this to bidirectional, repeatedly-revisable balances between two parties, and the mechanism is present in the original protocol. Each transaction input carries a sequence number, nSequence, and a transaction is treated as final only when its inputs are final; a transaction may also carry a future lock-time. In the original source, an input is final when its sequence number is at its maximum value, a transaction is non-final while its lock-time lies ahead of the current height, and a newer version of a transaction with a higher input sequence number supersedes an earlier version before finalisation (Nakamoto, 2009, main.h, in the input and transaction finality checks). This is the original payment-channel mechanism: two parties commit a funding transaction time-locked into the future, then exchange successively-numbered updated versions that re-allocate the funded amount, the latest version superseding all earlier ones, with only the final state recorded on-chain when the channel closes.
Decker and Wattenhofer (2015) gave one of the first rigorous treatments of such a construction. Their duplex micropayment channel is built from two unidirectional sub-channels together with an invalidation tree: a structure of transactions carrying decrementing relative time-locks, such that a newer channel state can always be confirmed ahead of any older state it replaces. The parties fund the channel once on-chain. They then transact off-chain by jointly signing updated allocations of the funded amount; the invalidation tree guarantees that only the most recent agreed allocation can be enforced on-chain if the channel closes. Decker and Wattenhofer (2015) prove that this construction extends the number of transactions that can occur within the lifetime of a single channel, with end-to-end security and instant transfers.
The architecture has the same shape as the hash chain but is richer. One on-chain funding event and one on-chain settlement event bracket an interior of off-chain updates whose number is bounded by the depth of the invalidation tree and the time-lock budget, not by the funded amount. Two parties who open a channel funded with a single satoshi — supposing for the sake of the argument that the satoshi is the unit of account — can pass that satoshi’s worth of balance back and forth between them across the entire lifetime of the channel, settling only the net position at the end.
It is worth stating plainly what the channel does to the category error of Section III. The error assumed that every payment consumes ledger capacity in proportion to the monetary base. The channel demonstrates that payment count and ledger writes are decoupled by design. A channel that processes a million updates writes twice to the chain — once to open, once to close. The million updates are real, binding, and final relative to the channel’s enforcement rules; they are simply not individually recorded. The monetary base mediated all million; it was diminished by none of them.
VI. The Arithmetic of a Ten-Cent Satoshi
I now make the headline claim quantitative, and I label the calculation for what it is: an illustrative bound that depends on chosen parameters, not an empirical measurement of any deployed network. The point of the arithmetic is to show the order of magnitude that the architecture permits, not to assert that any particular network operates at it.
Suppose, for definiteness, that one satoshi is priced at ten cents. Take a single such satoshi as the funding of an off-chain construction — a hash chain or a channel — and ask how many payments it can mediate before settlement.
In the hash-chain case, the number of payments is n, the chain length, which is bounded only by storage and by the participants’ willingness to compute n hash evaluations. A chain of length 106 is trivially computable on commodity hardware; a chain of length 109 is computable, if less trivially. The satoshi mediates 106 to 109 micropayments on one anchoring. In the channel case, the number of updates is bounded by the invalidation-tree depth and the time-lock budget; across the lifetime of a channel, and across re-anchoring of a channel into a fresh channel, the count of off-chain updates that a single funded satoshi supports is likewise on the order of 106 and beyond.
The headline phrasing — that a single sat, even at ten cents, could be used billions of times before settlement — is therefore an upper-bound illustration contingent on chain length and channel lifetime, not a claim about realised throughput. What is not contingent, and what is the actual load-bearing claim, is the structural fact behind the illustration: the number of payments a fixed satoshi can mediate is set by the off-chain construction’s free parameters, and those parameters are unbounded by the monetary base. Ten cents of base money is not ten cents of payment capacity. It is ten cents of settled net position, sitting beneath a volume of gross payment flow whose ceiling is chosen, not given. This is precisely why a small, fixed monetary base is not an obstacle to large-scale payment infrastructure, and why the category error of Section III is an error rather than a constraint.
VII. Blind E-Cash: Minting Tokens Against a Fixed Reserve
A third primitive enlarges the picture from sequential reuse to reissuance. Chaum (1983) introduced blind signatures, the cryptographic basis of untraceable electronic cash. The mechanism is a multiplication trick over a signature scheme. A payer who wants a token signed by an issuer does not present the token directly. The payer first multiplies the token by a random blinding factor before sending it; the issuer signs the blinded value without learning the underlying token; the payer then divides out the blinding factor and is left with a valid signature on the original token that the issuer never saw. The issuer has certified a token it cannot link to the act of signing, which is the property that makes the resulting cash untraceable (Chaum, 1983). Chaum’s later work with Fiat and Naor extended the construction to prevent double-spending while preserving anonymity, and the lineage runs forward into the entire electronic-cash literature.
The relevance to a fixed monetary base is that blind e-cash separates the reserve from the circulating medium. An issuer holds a reserve — a fixed quantity of satoshis locked on-chain — and issues blinded tokens against it. Those tokens circulate off-chain, are transferred between parties, are combined and split, and are redeemed against the reserve only when a holder chooses to settle. The quantity of tokens outstanding at any instant is constrained by the reserve, in the sense that the issuer must remain solvent; but the throughput of tokens — the number of times tokens are issued, transferred, redeemed, and re-issued against the same reserve — is not bounded by the reserve’s size. A reserve of one satoshi can back a token that is issued, spent, redeemed, and re-issued indefinitely, each cycle a distinct economic event settling against the same locked unit. The reserve is the stock; the token flow is the flow; and Chaum’s blinding ensures the flow can be conducted without the issuer reconstructing the payment graph.
This is the deepest form of the decoupling. Hash chains reuse a unit sequentially; channels reuse it bidirectionally; blind e-cash reissues a claim on the unit an unbounded number of times, with privacy. All three rest on a fixed reserve and produce unbounded flow.
VIII. SIGHASH: Composition and Recombination of Settlements
The off-chain constructions must eventually settle, and settlement is where the fixed satoshis are partitioned, combined, and recombined into final on-chain form. The protocol mechanism that governs how a signature commits to a transaction — and therefore how transactions may be composed before settlement — is the signature-hash flag, or SIGHASH, and it is part of the original protocol.
A Bitcoin signature does not sign a transaction wholesale; it signs a digest of the transaction whose composition is selected by a flag. The original source defines the flags as SIGHASH_ALL with value 1, SIGHASH_NONE with value 2, SIGHASH_SINGLE with value 3, and SIGHASH_ANYONECANPAY with value 0x80 (decimal 128), and the signature-hashing routine constructs the digest accordingly (Nakamoto, 2009, script.h, script.cpp). The base flags determine which parts of the transaction the signature commits to. SIGHASH_ALL commits to every input and every output, fixing the transaction entirely. SIGHASH_NONE commits to the inputs but to none of the outputs, leaving the destination of funds open. SIGHASH_SINGLE commits to the inputs and to exactly one output — the one at the same index as the signed input — leaving the remaining outputs free. Orthogonal to these is the SIGHASH_ANYONECANPAY modifier, which restricts the signature’s commitment to the single input it authorises, leaving all other inputs free to be supplied by other parties; in the routine this is handled by reducing the signed input set to the one being signed (Nakamoto, 2009, script.cpp).
The economic consequence is compositional. Because a signer can commit to only their own input (using ANYONECANPAY) or only their own output (using SINGLE), independent parties can each sign their fragment of a transaction, and the fragments can be assembled into a single settling transaction without any party trusting another with an open-ended commitment. A crowd-funding pledge that contributes one input and is valid only if a target is met; a collaborative settlement that nets many parties’ off-chain positions into one on-chain transaction; an exchange of pre-signed fragments that combine into a final settlement — all are expressed through the choice of SIGHASH flag. The same fixed satoshis can be combined into one settlement, split across several, or recombined into different settlements depending on which fragments the participants choose to assemble. Settlement is not a single rigid operation; it is a composition of independently authorised pieces, and the flags are the grammar of that composition.
This closes the loop with the monetary base. The fixed stock of satoshis is partitioned into unspent outputs; the off-chain constructions move claims on those outputs without touching the chain; and when settlement comes, the SIGHASH grammar lets the participants assemble the fixed satoshis into whatever final on-chain configuration the netting of their off-chain flow requires. The stock is conserved at every step. The flow is shaped freely.
IX. The nChain Patent Corpus as Engineering Disclosure
The constructions above are not merely academic. Their adaptation to the Bitcoin transaction model has been documented in a substantial body of patent filings assigned to nChain, several of which I have examined directly and which I cite here as engineering disclosures — that is, as published technical specifications of how the decoupling is built.
The most directly relevant is the granted patent Secure off-chain blockchain transactions (Trevethan, 2024). Its specification describes a method for effecting instant off-chain transfers of a digital asset between mutually untrusted parties via an intermediary platform that is trusted only to follow a transaction protocol without storing information that could compromise the transfers. The construction generates multiple transactions, each recordable to the blockchain under different circumstances, so that a suitable settling transaction can be recorded depending on how the counterparties behave; critically, at least some of the generated transactions remain valid for on-chain recording even if the intermediary fails entirely, and the full private key — and thus ownership of the asset — can be proven at any time (Trevethan, 2024). The patent’s own classification places it under private payment circuits using e-cash, under hash-chain cryptographic mechanisms, and under secret-sharing key establishment, which is to say it sits squarely at the intersection of the three primitives discussed above. This is the off-chain decoupling of payment from settlement, specified at the level of transaction templates and key management.
Three further nChain filings document the surrounding machinery by which fixed on-chain units are made to carry off-chain function. Accessing an Internet of Things device using blockchain metadata (Vincent & Wright, 2025) specifies a method in which access to a resource is controlled by a tokenised output — a “coloured” unit of value carried within a transaction — such that spending the token grants access and a subsequent transaction detokenises it to revoke access. Here a fixed unit of bitcoin is overloaded to carry a transferable, revocable right, with the right itself moving through ordinary transaction mechanics. Computer implemented system and method for storing data on a blockchain (Wright et al., 2022) specifies the Metanet structure, in which transaction outputs carry content and a flag linking related fragments, demonstrating that the fixed transaction grammar carries arbitrary structured data alongside value. Communication protocol using blockchain transactions (Mackay et al., 2022) specifies a method by which network-access certificates are issued and verified through blockchain transactions, again repurposing the fixed transaction model as a carrier for off-chain function. A fifth filing, Systems and methods for efficient and secure processing, accessing and transmission of data via a blockchain network (Wright et al., 2025), specifies improved methods for processing and retrieving data anchored to a blockchain with enhanced access control.
Taken together, these disclosures describe an engineering programme consistent with the thesis of this essay: the fixed on-chain stock is treated as a settlement and anchoring layer, while transferable function — payments, access rights, data, certificates — is carried in constructions that touch the chain only at funding and settlement. The patents are evidence not of the thesis’s truth, which rests on the cryptography and the protocol, but of the fact that the decoupling has been reduced to specific, claimed, buildable practice rather than left as theory.
One caveat is owed to the reader, stated rather than buried. A patent filing is a claim of inventive method and an account of an embodiment; it is not a peer-reviewed result, and its existence certifies neither novelty in fact nor that the method is the best available. I cite these documents for what they are — disclosed engineering of off-chain and tokenised constructions on the Bitcoin model — and for nothing more. The load-bearing claims of the essay rest on the protocol constants of Section I, the consensus argument of Section II, and the peer-reviewed cryptography of Sections IV, V, and VII.
X. Synthesis: An Immutable Base Beneath an Unbounded Flow
The argument assembles into a single structure. The monetary base of Bitcoin is fixed: eight-decimal divisibility into satoshis, and an issuance ceiling of 2,099,999,997,690,000 satoshis enforced implicitly by the halving schedule, both derivable directly from the original protocol source (Nakamoto, 2008, 2009). That base is immutable in the only sense the system can offer and the only sense that matters: it cannot be changed without abandoning the ledger on which the changed coins would have to live, which is to say any change produces a different asset rather than a modified Bitcoin (Section II).
Resting on that base, the transactional capacity of the system is not bounded by the size of the base. Hash chains amortise one anchoring over n sequential payments (Lamport, 1981; Rivest & Shamir, 1997). Payment channels — built on the original protocol’s transaction-replacement mechanism (Nakamoto, 2009) and formalised as duplex channels by Decker and Wattenhofer (2015) — amortise two on-chain events over an interior of off-chain updates whose count is a chosen parameter. Blind e-cash reissues claims against a fixed reserve an unbounded number of times, with privacy (Chaum, 1983). And the SIGHASH grammar of the original protocol lets the fixed satoshis be composed, split, and recombined into whatever final settlements the netting of all this off-chain flow requires (Nakamoto, 2009). The engineering of these constructions on the Bitcoin transaction model has been disclosed in specific patented embodiments (Mackay et al., 2022; Trevethan, 2024; Vincent & Wright, 2025; Wright et al., 2022, 2025).
The illustrative arithmetic of Section VI — a ten-cent satoshi mediating payments by the million or the billion before settlement — should be read as what it is: a statement about the free parameters of the off-chain constructions, not a measurement. What the arithmetic correctly conveys is the order of the gap between stock and flow. A fixed, small, immutable monetary base is not a ceiling on payments. It is a floor of final settlement beneath a volume of gross payment that the architecture leaves unbounded. The category error that reads the first quantity as the second is the error this essay exists to retire.
The stock is fixed. The flow is not. The second fact is what makes the first economically tolerable. The principle, having been stated and defended, is done.
References
Bitcoin SV Node developers. (n.d.). bitcoin-sv: src/amount.h [Source code]. GitHub. Retrieved May 28, 2026, from https://github.com/bitcoin-sv/bitcoin-sv/blob/master/src/amount.h
Chaum, D. (1983). Blind signatures for untraceable payments. In D. Chaum, R. L. Rivest, & A. T. Sherman (Eds.), Advances in cryptology: Proceedings of Crypto ’82 (pp. 199–203). Plenum Press. https://doi.org/10.1007/978-1-4757-0602-4_18
Decker, C., & Wattenhofer, R. (2015). A fast and scalable payment network with Bitcoin duplex micropayment channels. In A. Pelc & A. A. Schwarzmann (Eds.), Stabilization, safety, and security of distributed systems (SSS 2015) (Lecture Notes in Computer Science, Vol. 9212, pp. 3–18). Springer. https://doi.org/10.1007/978-3-319-21741-3_1
Lamport, L. (1981). Password authentication with insecure communication. Communications of the ACM, 24(11), 770–772. https://doi.org/10.1145/358790.358797
Mackay, A., Tartan, C., Wahab, J., Serguieva, A., & Wright, C. S. (2022). Communication protocol using blockchain transactions (U.S. Patent Application Publication No. US 2022/0393891 A1). U.S. Patent and Trademark Office.
Nakamoto, S. (2008). Bitcoin: A peer-to-peer electronic cash system. https://bitcoin.org/bitcoin.pdf
Nakamoto, S. (2009). Bitcoin v0.1.0 [Computer software source code]. Archived at https://github.com/trottier/original-bitcoin
Rivest, R. L., & Shamir, A. (1997). PayWord and MicroMint: Two simple micropayment schemes. In M. Lomas (Ed.), Security protocols (Security Protocols Workshop 1996) (Lecture Notes in Computer Science, Vol. 1189, pp. 69–87). Springer. https://doi.org/10.1007/3-540-62494-5_6
Trevethan, T. (2024). Secure off-chain blockchain transactions (U.S. Patent No. US 12,056,694 B2). U.S. Patent and Trademark Office.
Vincent, S., & Wright, C. S. (2025). Accessing an Internet of Things device using blockchain metadata (U.S. Patent No. US 12,301,573 B2). U.S. Patent and Trademark Office.
Wright, C. S., Davies, J. O., Tartan, C. C., & Vaughan, O. (2022). Computer implemented system and method for storing data on a blockchain (U.S. Patent Application Publication No. US 2022/0029817 A1). U.S. Patent and Trademark Office.
Wright, C. S., Vaughan, O., Davies, J. O., & Tartan, C. C. (2025). Systems and methods for efficient and secure processing, accessing and transmission of data via a blockchain network (U.S. Patent No. US 12,231,573 B2). U.S. Patent and Trademark Office.
Wow! It's going to take me a while to digest all this! Thank you for posting this!
More things I now know I didn't know...
"Everything you wanted to know about minting and settlement but were afraid to ask..." Amazon best seller? Also available on chain in unlimited audio book format...
Could payment channels be traded on a market?
Could Bob and Alice sell on their currently open channel.
A large payment channel could change enough value over time, which would incentivise arbitrage.
What would regulators say about making it blind - they would ask for access to trace.
Why must offchain construction eventually settle? Is it feasible for a channel to remain open indefinitely, making the reserve moot? This might emerge as desirable by its users (like the possibility with Lightning)
Is the whole idea analogous to central bank money(paper and metal cash) where the cash only goes back to the Treasury(the ledger) for checking once it has 'worn out' (that is, n has been exhausted)?
Not trying to discount the tech, just trying to understand consequences.