We are now at the point where everyone has heard of bitcoin. but how many people really know what it is? I suppose most people would say that it is a fully digital currency, with no government to issue it and no need for banks to manage accounts or verify transactions. but that just describes its properties. what is a bitcoin, what does it mean to have one and what really happens when a person sends bitcoins to another?
Most of what you’ll find on this topic online focuses on price fluctuations, speculation about the future of finance, and memes about both.
Reading: But how does bitcoin actually work
this article is not about any of that. Today’s story is about how the invention of bitcoin was the solution to an interesting mathematical puzzle, and how that solution offers a window into some clever ideas in cryptography, such as digital signatures and cryptographic hash functions.
we are going to explain step by step how you could have invented your own version of bitcoin. In the end, you need to have an understanding of how bitcoin works and where there is room for different design options, thus the entire ecosystem of alternative cryptocurrencies.
One point worth emphasizing, by the way, is that while you and I will dive into the underlying details here, you don’t really need to know those details to use a cryptocurrency, just as you don’t need to know the details of what it is. it happens under the hood when you swipe a credit card. Like any other digital payment, there are many user-friendly apps that allow you to send and receive these coins very easily.
Just like with traditional banking, it’s possible to use cryptocurrencies like bitcoin without needing to understand everything that’s going on underneath.
what’s the puzzle
no one knows who invented bitcoin. the document describing it and the initial code providing an implementation were published under the pseudonym satoshi nakamoto shortly after the 2008 financial crisis.
This timing was probably not a coincidence, as the premise of a cryptocurrency is to offer a way for people to transact without relying on a central point of trust. Generally, when you use your credit card to pay for goods, there is a bank (or set of banks) that must be trusted to correctly deduct from your account and add to the recipient’s. Most currency is issued by a government, which then has some level of control over that currency, for example by affecting the money supply. this means that the holders of that currency are placing some trust in the issuing government to manage it well.
bitcoin’s intention was to circumvent both. it was conceived as a currency controlled by no one, with a money supply that no one could change, where it is possible for one party to pay another and know that the books are balanced correctly without relying on a central point of trust.
Some readers may question whether this type of decentralization is worthwhile or necessary, and if so, to what extent. those are valuable questions, but completely irrelevant to our discussion today. Whether or not you feel a personal need for trustless payments, the question of whether or not such a system is possible is technologically interesting.
Cryptography is a field originally developed to encrypt messages, which involves some incredibly deep mathematics to do so. Just as there is a famous “unreasonable efficiency of mathematics”, the tools of cryptography have an equally unreasonable efficiency beyond the scope of secret messages, with the challenge of creating a decentralized currency serving as just one example.
inventing cryptocurrency
To start, stop thinking about cryptocurrencies for a few minutes. let’s start the story with something more realistic: ledgers and digital signatures.
If you and your friends exchange money quite frequently, paying your share of the dinner bill and so on, it can be inconvenient to exchange cash all the time. therefore, you may decide to keep a communal ledger where you can record payments as if they were made with real cash, reminding yourself which payments need to be made each time you decide to settle.
A ledger is just a list of transactions, used to keep track of everyone’s balance.
This ledger will be something public and accessible to everyone, like a website where anyone can go in and add new lines.
at the end of each month, let’s say, everyone could go through the list of transactions and count everything. if you have spent more than you have received, you put that money in the pot, and if you have received more than you have spent, you take it out.
so the protocol to be part of this system looks like this:
- Anyone can add lines to the ledger.
- At the end of each month, everyone gets together to make a real money deal.
Of course, there is an obvious problem with a public ledger like this, where anyone can add a line. what prevents bob from walking in and typing “alicia pays bob $100” without alice approving?
In this public ledger, anyone can write any transaction they want.
how are we supposed to trust that all these transactions are what the sender intended them to be? this is where the first part of cryptography comes in: digital signatures.
digital signatures
just like a handwritten signature, the idea here is that alice should be able to add something next to a transaction that shows she saw and approved it. and it should be infeasible for anyone else to forge her signature.
can we add signatures to each line to verify that the sender has approved the transaction?
At first it might seem like digital signatures shouldn’t even be possible. even if alice is the only one capable of creating her signature initially, if it’s just a set of 1’s and 0’s, shouldn’t anyone be able to copy it from then on? what to avoid counterfeits?
Forgeries are a problem in the real world because your handwritten signature always looks the same, so forging a signature just means copying it from one document to another. digital signatures work differently. when alice signs a statement, that signature is a function of two things:
- some private information that only alice has, known as her “private key”
- the message she is signing.
then, alice’s signature might be 00111010… on one document, but 11101001… on another. Both signatures are proof that Alice saw and approved the document, but they are not identical.
alicia signs each document differently depending on its content. but both signatures are his.
but a signature function is only useful if there is a corresponding function to check that it is valid.
The way this works is that they all generate what is called a public key/private key pair, each of which looks like a string of 1’s and 0’s. The private key is sometimes also called the “secret” key. “, so we can abbreviate it as sk while abbreviating the public key as pk. As the names suggest, the secret key is something you should keep to yourself.
each person gets their own public key and secret key.
Any digital signature scheme will consist of two functions, one to produce a signature on a message and one to verify that a signature is valid.
Notice, the signing function requires the use of the secret key. The goal is that if Alice is the only one who knows her secret key, only she can produce a signature. if that key is compromised, all bets are off.
verifytext{verify}verify is a way of asking “was this signature produced on this message using the secret key associated with this public key?” should return truetext{true}true when applied to a valid signature and falsetext{false}false for all other signatures.
Of course, so far I haven’t said anything about how these two functions signtext{sign}sign and verifytext{verify}verify. We won’t go into the details in this article, which involves quite a bit of mathematical ingenuity, but it might be worth pausing to contemplate what properties you want it to have.
The hope is that producing a valid signature requires knowing the secret key, but inevitably there is another way to produce a valid signature. because everyone knows the public key, someone could run the function verify(signature, message, packet)text{verify(textcolor{blue}{signature}, message, textcolor{green}{packet})}verify( signature, message, pk) over and over on different potential signatures until finally one returns true.
For the digital signature scheme using bitcoin1, there are 22562^{256}2256 possible signatures. it’s hard to overstate how many there are. to call it astronomically large would be to give astronomy too much credit. in fact, I made a supplemental lesson dedicated just to illustrating just how huge this number is.
Let’s say that when you verify a signature with a given message and public key, you can feel extremely confident that it was not produced by using a guess-and-verify method with the verifytext{verify}verify function. and what makes a digital signature algorithm good is that there is no other way than to guess and check that someone could forge a signature.
copying the same line
so, going back to our ledger, we now have a way to sign transactions to verify that the sender approves them.
This is all very well. any new transaction in the ledger must be signed, and the only way to sign it is by knowing the secret key. the signature changes depending on the content of the transaction, so copying signatures from one transaction to another won’t work.
but there is a problem here. Suppose Alice signs a transaction such as “Alice pays $100.” bob can’t forge alice’s signature on new messages, but he could copy that same line as many times as he wants, since the message/signature combination is still valid.
Anyone can create copies of previous transactions.
To solve this, we make it so that when you sign a transaction, the message must include a unique ID associated with that transaction. That way, if Alice pays $100 multiple times, each transaction requires a completely new signature.
With these unique IDs, each new transaction must obtain a new signature, even if it is identical to a previous transaction.
and with that, we have working digital signatures, which removes a huge trust aspect in our initial protocol.
withdraw cash
but still, this is based on a kind of honor system. you are relying on everyone to deliver and settle in cash at the end of each month. What if, say, Charlie runs up thousands of dollars in debt and then refuses to show up?
The only real reason to go back to using cash to settle is if some people (I’m looking at you charlie) owe a lot of money. as long as no one goes into debt, only the ledger works fine. In reality, you’ll never have to settle in cash as long as you have some way to prevent people from spending much more than they take in.
See also: Top 30 spell abandon hottest
One thing you and your friend could do is have everyone pay $100 into the pot and have the first few lines of the ledger say Alice gets $100, Bob gets $100, etc.
everyone puts $100 into the pot to start.
Now, just don’t accept trades when someone is spending more than you have on the ledger. For example, after everyone started with $100, if the first two transactions are (Charlie pays Alice $50 and Charlie pays Bob $50), then if I tried to add Charlie pays you $20, readers of the book would recognize that this is invalid.
In this new system, we don’t allow people to spend more than they have.
notice, this means you now need to know the full transaction history just to verify that a new one is valid. (This will mostly be true for cryptocurrencies as well, though there is room for optimization.)
Verifying a transaction now requires checking the entire ledger history to make sure no one is overdrawn.
The interesting thing here is that this step removes a bit of the connection between the general ledger and the physical cash. In theory, if everyone in the world used this ledger, you could live your whole life just sending and receiving money on this ledger without converting it to real dollars.
In reality, many of us already live our lives this way, spending and earning purely digitally while only occasionally going back to physical cash. in that case, the relevant “ledger” is much more complicated and involves an elaborate system of banks. the big difference is that with banks we could always convert our balance into a digital account in “real” cash2.
but suppose you and your friends completely separate your ledger from real cash, with no guarantee that having a positive balance there could translate into cold, hard bills in your hand. To emphasize this point, let’s stop using the $$$ sign and start referring to ledger amounts as “accounting dollars,” or ld for short.
Of course, you are free to exchange accounting dollars for actual US dollars. For example, perhaps Alice gives Bob a $10 bill in the real world in exchange for him adding and signing the transaction “Bob pays Alice 10 ld” in the community ledger.
but exchanges like this are not guaranteed in the protocol. now it’s more like how you can exchange dollars for euros or any other currency on the open market. it is its own independent thing. Also, if there is high demand to be part of the ledger, it may take more than $10 in physical cash for a 10ld transaction to go to you. and if there is little demand to be part of the system, it could require much less.
so our ledger is now a currency. It lacks a state backing it, and no one is collecting taxes that need to be paid in accounting dollars, but in principle it is a closed system that allows you and your friends to transact with each other. this brings up an important point to understand about bitcoin, or any other cryptocurrency: fundamentally, cryptocurrency is just a ledger. the transaction history is the currency.
There is nothing else. no physical currency or cash. any bank or institution. “Owning” a bitcoin just means having a positive balance on the bitcoin ledger. or more specifically, it is to have access to the secret key associated with an entity that has a positive balance.
Of course, with bitcoin, money doesn’t go into the ledger with people buying using cash.3 We’ll see how new money goes into the ledger in just a few minutes. but before that, there is an even more significant difference between our current system of accounting dollars and how real cryptocurrencies work.
distribute the ledger
So far, I’ve said that this ledger is somewhere public, like a website where anyone can add new lines. but this requires relying on a central location. specifically, who hosts that website? who controls the rules for adding new lines?
Under the current system, we must trust the owner of the ledger.
To remove that bit of trust, we’re ditching the idea of having a ledger in a central location. instead, we’ll have everyone keep their own copy of the ledger. Then, to make a transaction, such as “Alice pays 100 shillings ld”, broadcast the message to the world for people to hear and record in their own private ledgers.
Remember this live trading view from earlier?
what you’re really looking at here is all the transactions bitcoin users choose to broadcast to the world to be tracked on a decentralized set of ledgers.
Distributing the ledger in this way eliminates the need to rely on a central authority.
but unless we do something else, this system is absurdly bad. How can you get everyone to agree on the correct ledger? when bob receives the transaction alice pays bob 10 ld how can he be sure that everyone else received and believes the same transaction? if even one person doesn’t know about the transaction, bob may not be allowed to spend that accounting 10 dollars later.
If everyone keeps a single copy of the ledger, how can we make sure everyone agrees on what it should say?
Really, imagine listening to the transactions being broadcast. how can you be sure that everyone else is recording the same transactions as you? In those live bitcoin transactions illustrated above, how can you know if everyone else in the world has also heard and when they will remember them as legitimate transactions in the future?
This is the real puzzle that bitcoin solved. the novel idea that satoshi nakamoto came up with in 2008 was a way to allow everyone in a decentralized system to agree on the validity of a single growing document, in this case a ledger, without having to trust a central source.
At a high level, the solution is to trust whichever ledger has more computation work. We’ll explain exactly what that means in a moment, but the general idea is that if you use computational work as the basis for trust, fraudulent transactions become computationally infeasible. that is, if you wanted to trick a person into trusting a ledger that is different from what the rest of the world agrees on, you would have to do a prohibitively large amount of work.
again, this is going beyond what someone would need to know to use a coin like this. but it’s a great idea! and if you understand it, you understand the heart of bitcoin and other cryptocurrencies.
hash functions
The workhorse behind Nakamoto’s solution to this puzzle is something known as a cryptographic hash function. this is a function that takes any type of message or file as input and outputs a string of bits with a fixed length. this output is called the “hash” or “digest” of the message and should be seen randomly.
is not random; always gives the same result for the same document. but the idea is that when you slightly change the input, perhaps by editing just one character in the document, the resulting hash changes completely.
Here’s a little playground where you can input a message and see what its hash looks like using a special hash function known as sha256, which is what bitcoin uses.
Notice how when the input text changes, the hash changes completely. in fact, for sha256, the way the output changes as you slightly change the input is completely unpredictable. this property is what makes it a cryptographic hash function.
that means it is not feasible to compute in the reverse direction. If I show you a specific hash, like 1001111100111100…1001001110000100, and ask you to find an input message that provides that hash as output, you’ll have no better method than just guessing and checking with random inputs.
cannot compute the inverse of the hash function (other than just guessing and checking the inputs).
Again, if you want to get an idea of how much computation 22562^{256}2256 actually involves, take a look at the supplemental lesson. I actually had a lot of fun writing that.
You might think you could somehow reverse engineer the desired input by digging into the details of how the function works, but no one has found a way to do it.4
no one has been able to reverse engineer sha256.
so how can we use this function to prove that a particular list of bitcoin transactions is associated with a large amount of computational effort?
proof of work
Consider the following challenge.
In the box below I have a list of transactions, and below those transactions is a number. by default the number is zero, but you can change it. everything in the box is considered a large document, and that document is encrypted with sha256. your goal is to change the number in the box so that the resulting hash starts with at least six zeroes.
It’s definitely possible, but it takes a while to find a solution. and, because the output of the hash function is unpredictable, there really is no better method than guess and check.
This challenge becomes exponentially more difficult as the number of zeros required increases. finding 7 zeros is manageable, and the largest I’ve found gives 9. if you find any really great solutions, that produce a lot of zeros, please leave them in the comments!
Now suppose someone shows you a list of transactions and says “I found a special number so that when I put this number at the end of the list of transactions and sha256 everything, the first 30 bits of the output are all zeros”.
how difficult do you think it was for them to find that number? the answer, of course, is that it was probably very difficult.
For a random message, the probability that the hash starts with 30 successive zeros is 111 in 2302^{30}230, which is about 1 in a billion. so this person almost certainly had to go through about a billion different guesses before finding this special one.
but the nice thing is that once you know the number, you can quickly verify that this hash really does start with 30 zeros. In other words, you can verify that they went through a lot of work without having to go through that same effort yourself. this number is called proof of work.
See also: List 20+ microvision reddit best
more importantly, all of this work is intrinsically tied to that list of transactions. changing one of the transactions even slightly would completely change the hash, so you would have to do all that work again just to find a new number that would make the hash start with 30 zeroes.
creating a chain of blocks
Think about our distributed ledger situation. everyone is broadcasting transactions, and we want a way for everyone to agree on what really is the correct ledger.
everyone has their own copy of the ledger. which one is correct?
As I said before, the core idea behind the original bitcoin paper is to make everyone trust the ledger that has the most computational work. so let’s use the many zeros game to show that creating a ledger took a lot of work.
however, we don’t want to play the many zeros game by hashing the entire ledger. what is much better is to let the work done on the ledger accumulate over time, rather than repeatedly starting over. so we start by grouping the transactions in the ledger into blocks.
each block consists of a list of transactions, along with a number at the bottom that is the proof of work. the proof of work should be chosen in such a way that when you hash the entire block, the result you get starts with a lot of zeroes (just like in the previous challenge). for now, let’s say you have to start with 60 zeros, but I’ll come back to how you can choose that threshold later.
In the same way that a transaction is only considered valid if it is signed by the sender, a block is only considered valid if it has a proof of work.
We also need to make sure that the blocks are not reorganized, because that would alter the transaction history. so we will say that each block must start with the hash of the previous block. that way, the order of the blocks can’t change.
Because the blocks are chained in this way, rather than being called a ledger, this is commonly called a “blockchain”.
block creators (also known as “miners”)
But now that our ledger is divided into blocks, we have a bit of a problem. we can’t just add new transactions to the ledger like we used to. instead, we will need a process to group new transactions into blocks and calculate proof of work. therefore, as part of our updated protocol, we will allow anyone in the world to be a “blockmaker”.
what this means is that they will listen to the transactions being broadcast, collect them into a block, and then do a bunch of work to find the special number that makes the hash of this block start with 60 zeroes, and broadcast the block they found.5
To reward a block creator for all this work, when they build a block, we’ll let them include a special transaction at the top where they get, say, 10 countable dollars out of thin air.
this is called a block reward.6 is a special exception to our usual rules about whether or not to accept transactions. it doesn’t come from anyone, so it doesn’t have to be signed. it also means that the total amount of accounting dollars in our economy increases with each new block.
Block building is often referred to as “mining” as it is labor intensive and introduces new bits of currency into the economy. but when you hear or read about miners, keep in mind that what they are really doing is listening to transactions, creating blocks, broadcasting those blocks, and being rewarded with new money for doing so.
From the miner’s perspective, each block is like a miniature lottery, where everyone guesses the numbers as fast as they can until one lucky individual finds one that causes the block’s hash to start with lots of zeroes, and as a result, receives a reward. .
and anyone who only uses bitcoin (but not mining) no longer needs to listen to all the individual transactions on the network to copy them into a personal ledger. instead, bitcoin users only need to keep track of the blocks that are being produced, which is much easier.
bitcoin users only need to keep track of the blocks they listen to, not all individual transactions.
The key addition is that if it learns that two miners are broadcasting different blockchains with conflicting transaction histories, it goes back to the longer one. that is, the one that has cost you the most work.
if there is a tie, wait until you hear about an additional block to make it longer.
so, even though there is no central authority, and everyone maintains their own copy of the blockchain, if everyone agrees to give preference to the blockchain that has the most work put into it, we have a way to come to an agreement. decentralized consensus.
but of all the systems we could use to find consensus, why choose this one? why always give in to the longest chain? and why do we require proof of work, which artificially increases the difficulty of creating new blocks?
Alice attempts fraud
To see why this method is reliable, it’s useful to look at what it would take to fool someone on this system.
say alice wants to buy something from bob for 100 ld, but without spending those ledger dollars. she could try to send you a block that includes a line that says “alice pays bob 100 ld”, but without broadcasting that block to the rest of the network. that way bob thinks he got paid, he gives her what she bought, then she can go back to the economy and spend that ld100 somewhere else, and when bob tries to spend that ld100 other people won’t consider it valid.
To achieve this, it would have to find a valid proof of work before all the other miners bob is listening to, each working on their own block. and that would be difficult, but if she had a significant part of the network computation, it could happen! Maybe she Alice will win this miniature lottery before the other miners. she could then write a block containing the fraudulent transaction and show it to bob (but not to anyone else).
but bob will still listen to future broadcasts made by other miners, and alice never told those other miners about the block she produced and gave to bob, so they won’t include it in their own versions of the blockchain.
p>
now bob will listen for conflicting strings. one from alice, and one from everyone else. remember, protocol says that bob always trusts the longest chain he knows.
so, from this point on, alice is in a race against every other miner on the network to make sure her scam chain always contains more blocks than the legitimate one, so she can keep fooling bob into thinking her chain is the real one.
if all other miners can commit new blocks faster than alice, bob will stop believing alice’s version and switch to believing the other miners’ chain.
if alice’s computing resources are smaller than the rest of the network combined, the rest of the network is more likely to find a valid proof of work for her next block before she does. if you have less than 50% of the total computation on the network (and you probably have much less than that), beating everyone else indefinitely will be virtually impossible.7
then, after a while, when alice inevitably fails to keep her longer chain, bob will reject what he’s hearing from alice in favor of the longer chain that everyone else is working on.
That’s what we mean when we say proof-of-work makes fraud computationally infeasible. creating blocks is hard work, so working against consensus is too much to handle. furthermore, if the block rewards are significant, it almost certainly means that effort is better spent mining new valid blocks than trying to trick a person.
It is worth noting that creating a single fraudulent block is definitely possible. the difficulty is in maintaining the lie for a long time. therefore, to avoid being cheated, a user need not necessarily trust a new block that it listens to right away. instead, they must wait for several new blocks to be added on top of it. If you haven’t heard of longer blockchains yet, you can trust that this block is part of the same chain that everyone else is using.
blocks are more reliable when they are not new.
accounting dollars vs. bitcoin
With that, we get to all the main ideas. This proof-of-work based distributed ledger system is more or less how the bitcoin protocol works and how many other cryptocurrencies work. there are just some details to clarify.
I said earlier that the proof-of-work challenge might be to find a special number for the block hash to start with 60 zeros. the way the actual bitcoin protocol works is to systematically change that many zeros so that it always takes the world around 10 minutes to find a new block. so as there are more and more miners on the network, the challenge gets harder and harder such that this miniature lottery only has one winner every 10 minutes.8
Also, all money in bitcoin ultimately comes from some block reward. no one “buys” bitcoin as we originally said while building our own dollar ledger.9 when bitcoin started, the reward was 50 bitcoin per block. there is a great site called block explorer where you can look through the bitcoin block chain. if you look at the first few blocks on the chain, they contain no transactions other than the 50 bitcoin reward for the miner. every 210,000 blocks, which is roughly every 4 years, that reward is halved. so right now, as of 2021, the reward is 6.25 bitcoins per block, and because this reward decreases geometrically over time, there will never be more than 21 million bitcoins in existence.
However, this does not mean that miners will stop making money. In addition to the block reward, miners can also collect transaction fees. the way this works is that every time you make a payment, you can optionally include a small transaction fee that will go to the miner of any block that includes that payment.
The reason you can do this is to incentivize miners to include your transaction in the next block. It’s up to the miners to decide which transactions they want to include in the block they’re calculating hashes for, so it makes sense to incentivize them to include theirs.
You see, in bitcoin, each block is limited to about 2,400 transactions, which many critics say is unnecessarily restrictive.
since bitcoin aims to add about a block every 10 minutes, only about 4 bitcoin transactions per second (give or take) can be processed. For comparison, Visa processes an average of around 1,700 transactions per second and is capable of handling more than 24,000 per second. slower processing in bitcoin means higher transaction fees, as that’s what determines which transactions miners choose to include in new blocks.
In addition to being slow, bitcoin is also criticized for using too much power. the idea of proof-of-work is a clever way to prevent fraud, but it means that mining blocks requires a truly incredible amount of resources.
According to the Cambridge Bitcoin Electricity Consumption Index, bitcoin mining currently (as of 2021) uses about 115 terrawatt-hours of electricity per year. To put it into perspective, it’s substantially more than the entire country of Finland uses.
Since 2008, an alternative to proof work known as “proof-of-stake” has emerged, which uses vastly less power and has been started by several newer cryptocurrencies.
conclusion
This is far from a complete coverage of cryptocurrencies. there are a lot of nuances and alternative design options that I haven’t touched on here, but the goal is to provide a stable understanding tree trunk in the style you’d expect but why for anyone looking to add a few more branches with further reading.
I originally made the video underlying this lesson in 2017, in the midst of a new wave of attention and money flow towards cryptocurrencies, though I didn’t realize at the time how much more was to come. It was a bit disappointing to see the flood of spam and scams that made their way into the comments on that video, although perhaps that’s unavoidable for a topic so related to money.
Even if the monetary aspect is what gets people’s attention (after all, why else would so many suddenly want to learn about crypto?), the hope here is that your conclusion is an appreciation of intelligence and the utility of objects such as digital signatures and cryptographic hash functions. and more than that, the hope is that you appreciate how powerful it is to be able to construct functions with the properties they claim to have, as this is an example of some surprisingly sophisticated mathematics finding its way into widespread use.
See also: General 20+ compare docusign and echosign best , don’t miss
