Physical cash payments rarely involve just a single coin or banknote. Instead, value is combined by merging multiple tokens and split with change. Informed by this everyday observation, electronic cash transactions can be made more useful by supporting inputs and outputs.
This post is part of the extended series Bitcoin from Scratch.
A transaction output represents a specific quantity of monetary value combined with a chain of ownership. In this sense, an unspent output behaves like an electronic coin. A transaction may contain one or more outputs, allowing value to be split as needed.
A transaction input spends the value stored at a previously unspent transaction output. More than one input may be added to a transaction, allowing the value of coins to be combined if necessary.
Inputs fund a transaction, whereas outputs spend the funds. The combined value of all transaction inputs must be greater than or equal to the combined value of all outputs. Otherwise, value could be created arbitrarily.
Each input references exactly one parent transaction output. Because a single transaction may contain multiple outputs, a way to uniquely identify each one is needed. For simplicity, this series will represent outputs with capital letter suffixes beginning with the letter “A”. In Bitcoin, however, an unspent coin is referenced by concatenating the output’s zero-based index to the hosting transaction’s 32-bit hash value. This combination is known as an outpoint.
Previously, Alice used a signed transaction to pay Bob for a crate of apples. This example can now be updated to account for the presence of transaction inputs and outputs.
Alice begins by finding the ID of a transaction with value she wants to spend. Imagine this turns out to be a ฿2 payment from her friend, Carlos. Alice adds an input to her transaction that references the output of Carlos’ transaction. Under our simplified system, the full output designation would be “819-A”.
Having defined her transaction’s inputs, Alice turns her attention to its outputs. Imagine that the crate of apples Alice is buying costs ฿3. Using Bob’s public key, Alice adds to her transaction a ฿3 output paying Bob. However, this leaves ฿1 in unclaimed value. To recover it, Alice adds a second output, payable to her own public key, with a value of ฿1.
Alice needs to sign her transaction, but things are slightly more complicated this time around. Alice previously signed her entire message to give one coin to Bob. However, transactions can contain multiple inputs, each one requiring a separate signature. In this example, Alice uses her private key to sign her transaction’s only input spending the ฿4 payment from Carlos.
Coin value can be split and combined in the same transaction. For example, Alice might want to pay Bob ฿5, but may only own two coins valued at ฿4 apiece. Alice can combine these coins into an ฿8 payment using two separate inputs. She can then pay Bob and receive change by adding an output payable to herself.
Inputs and outputs allow coin value to be combined and split as needed — just like physical cash. When used with chain of ownership and digital signatures, outright forgery becomes very difficult. There’s just one problem: nothing prevents the owner of a coin from spending it repeatedly.
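The rules above (each input references exactly one existing output, and input value must cover output value) can be checked mechanically. The sketch below is an added example, not code from the original post or from Bitcoin itself: it uses the series' simplified letter-suffix designations, the transaction IDs, owner names and function names are constructed, and signature checks are omitted.

```python
from string import ascii_uppercase

def outpoint(txid, index):
    """Simplified designation from the text: tx '819', index 0 -> '819-A'."""
    return f"{txid}-{ascii_uppercase[index]}"

def validate(tx, known_outputs):
    """Return (ok, reason). known_outputs maps designation -> (value, owner)."""
    refs = tx["inputs"]
    if not refs:
        return False, "no inputs"
    if len(set(refs)) != len(refs):
        return False, "same output referenced twice"
    missing = [r for r in refs if r not in known_outputs]
    if missing:
        return False, f"unknown output {missing[0]}"
    if any(value <= 0 for value, _ in tx["outputs"]):
        return False, "non-positive output value"
    value_in = sum(known_outputs[r][0] for r in refs)
    value_out = sum(value for value, _ in tx["outputs"])
    if value_in < value_out:  # otherwise value could be created arbitrarily
        return False, f"outputs ({value_out}) exceed inputs ({value_in})"
    return True, "ok"

def record(tx, known_outputs):
    """Store a valid transaction's outputs under their own designations."""
    ok, reason = validate(tx, known_outputs)
    if not ok:
        raise ValueError(reason)
    created = []
    for i, (value, owner) in enumerate(tx["outputs"]):
        known_outputs[outpoint(tx["id"], i)] = (value, owner)
        created.append(outpoint(tx["id"], i))
    return created

# Constructed sample data: Alice owns two coins worth 4 each (whole units).
LEDGER = {"301-A": (4, "alice"), "417-B": (4, "alice")}
# Combine both coins, pay Bob 5, return 3 to Alice as change.
PAYMENT = {"id": "902", "inputs": ["301-A", "417-B"],
           "outputs": [(5, "bob"), (3, "alice")]}
# One coin worth 4 cannot fund an output worth 5.
OVERSPEND = {"id": "903", "inputs": ["301-A"], "outputs": [(5, "bob")]}

if __name__ == "__main__":
    print(validate(OVERSPEND, LEDGER))
    ledger = dict(LEDGER)
    print(record(PAYMENT, ledger))
    # Nothing here marks 301-A or 417-B as spent, so the same inputs still
    # validate a second time: the gap described in the closing paragraph.
    print(validate(PAYMENT, ledger))
```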