The intelligent layperson's guide to Bitcoin: script
In 2008 an anonymous person or group going by the name Satoshi Nakamoto wrote a paper describing a protocol for a digital currency called Bitcoin. Bitcoin brought together ideas discussed on the cypherpunks mailing list during the 1990s. The cypherpunks strove towards what they called crypto-anarchy. This imagined order, facilitated by cryptographic technology, is one in which “the government is not temporarily destroyed but permanently forbidden and permanently unnecessary.” [Wei Dai]
In January 2009, Nakamoto released the first computer program that used the Bitcoin protocol. Soon, people were running the software on their computers, buying and selling things for Bitcoins.
If you’ve heard about Bitcoin you’ll probably already know that the price of Bitcoins has been increasing rapidly, and that it’s volatile.
No one’s permission is required to start using Bitcoin, and there are no forms to fill in. Anyone with a computer, an internet connection, and some free software, anywhere in the world, can accept (and then send) Bitcoins.
Bitcoin is a peer-to-peer system, so it doesn’t require any trust to be placed in a central authority. There are no central servers to hack and no central database of sensitive information that can be leaked. (Services built on top of Bitcoin, such as exchanges and hosted wallets, are another matter: they are ordinary centralised systems and don’t inherit this property.) And there’s no one in control whom governments and other powerful parties can strong-arm to get their way.
The rules in the protocol mean that there can never be more than 21 million Bitcoins, and the rate at which new coins are created is known in advance. This means that, unlike fiat currencies issued by governments, no one has the ability to inflate the supply of Bitcoins.
Anyone can write software that uses a modified version of the Bitcoin protocol, but unless the changes are clearly in the interest of the majority of Bitcoin users it’s unlikely that enough people would voluntarily download and install the new software for the effort to be worthwhile.
The most popular pieces of Bitcoin software are open source projects. Anyone can inspect the code, and many people do. This ongoing scrutiny is a powerful safeguard against insecure or malicious code finding its way into the programs.
The meaning of Bitcoin
A ‘Bitcoin’ is a unit of account, analogous to a Euro or a Dollar. Each Bitcoin is currently divisible into a hundred million atomic units, called Satoshis.
‘Bitcoin’ is also a public protocol. The protocol can be thought of as a set of rules for how pieces of software--known as Bitcoin clients--must communicate with each other. A Bitcoin client allows a person to send and receive Bitcoins. The clients work by sending messages to one another. If the messages passed between clients stick to the rules of the protocol, they’re forwarded on, spreading through the network.
We’re going to look at the fundamental ideas behind how the Bitcoin system works.
Transactions and addresses
Bitcoins aren’t physical coins, but they’re not files on a computer either. They’re really numbers in a public ledger called the blockchain. This contains a record of every Bitcoin transaction that has ever happened.
You can think of a transaction in the blockchain as a record that a certain amount of Bitcoins were sent from one Bitcoin address to another.
A Bitcoin address looks like this: 1K3p8wnV6bjGEk3ShyKxeiMBrCTTRQA4YE. You’ll also see them displayed as scannable QR codes like this [display image of QR code].
One person can have many Bitcoin addresses. In fact it’s common to use a new address for each payment: it’s free and helps maintain privacy. To make a Bitcoin payment to someone, you need to know an address of theirs.
Your Bitcoin balance is the combined total of all the Bitcoins assigned to addresses under your control. Bitcoin clients inspect the blockchain and calculate your current Bitcoin balance by checking the flow of funds into, and out of, all the addresses under your control.
When you send Bitcoins to an address, behind the scenes your client creates a transaction and broadcasts it to the rest of the network.
So what stops a person from maliciously creating and broadcasting a transaction that sends Bitcoins from someone else’s address to one of his own?
We know that each Bitcoin user has many addresses. What this really means is that the user has the power to re-assign the funds at those addresses to any other valid Bitcoin address, in other words, they have the power to spend those funds.
Bitcoin addresses are designed to be public. People share them with others to request payment. Knowing a bitcoin address allows you to send funds to it, but it doesn’t allow you to send funds from that address. This is because Bitcoin transactions must be prepared in a special way before they’re sent: they’re cryptographically signed.
Public key cryptography
A Bitcoin address is derived (by hashing) from a code known as a public key. Each public key has an accompanying code called a private key. Bitcoin addresses (and the public keys they’re derived from) can safely be displayed to the world, but their corresponding private keys need to be kept secret. This is important because knowing a private key allows a person to spend any funds in the corresponding Bitcoin address.
By the way: Most of the time Bitcoin users don’t need to worry about this complexity because their Bitcoin clients automatically keep track of their receiving addresses, as well as their public and private keys. Bitcoin clients typically store all this information in a file known as a Bitcoin wallet. It’s an important responsibility of each Bitcoin user to secure his wallet file against theft and hardware failure. If you lose Bitcoins in these ways, they’re gone forever.
To understand how the Bitcoin system prevents malicious transactions, it’s important to first get an idea of how public key cryptography works. We’ll describe a typical setup that’s simpler than the one Bitcoin actually uses [Elliptic Curve Cryptography], but the results are very similar.
Public and private keys have a special mathematical relationship. In the setup we’ll describe, both keys in a keypair can be used to encrypt data, turning it into unreadable code known as ciphertext. The interesting thing is that data encrypted with a public key can only be decrypted using the corresponding private key, and data encrypted with a private key can only be decrypted using the corresponding public key. This relationship makes it possible to do a couple of very useful things. (The scheme Bitcoin actually uses, ECDSA, doesn’t encrypt anything; its signatures are produced and checked by different arithmetic, but they give exactly the guarantee described below.)
Protecting confidential information
Say Alice wants to send Bob some sensitive information in a way that guarantees that no one else, such as Eve, can listen in and read the information while it’s on its way.
If Alice sends unencrypted data, also known as plaintext data, and if Eve successfully intercepts the message, she can read it. The sensitive information would no longer be a secret between Alice and Bob.
Here’s how Alice and Bob solve the problem using public key cryptography. First Bob publishes his public key online, as plaintext, so that Alice can easily access it. Other people might see the public key too, but that doesn’t matter. Then Alice uses Bob’s public key to encrypt the sensitive data before sending it to him. Since only Bob has access to the corresponding private key, that means that only Bob can decrypt Alice’s encrypted message. Even if Eve manages to intercept the data, she still won’t be able to read it.
Another very useful way of using public key cryptography is to ‘sign’ a piece of data. Signing a piece of data means attaching to it a guarantee that you--as the only person who has access to your private key--have approved or originated that data, and that no one else has modified it afterwards. Bitcoin uses cryptographic signatures to guarantee that no one can spend another person’s money. How does this work?
To create a cryptographic signature, the data to be signed is first passed through a hash function.
A hash function is a piece of computer code that takes a piece of data of any length as its input, and generates a fixed-length string of characters as its output. The output of a hash function looks like a collection of random characters.
Passing the same input data to a given hashing function will always result in the same output. But changing even just one character of the input will give a completely different hash value.
If we come across the hash value for some data, the only way we could find out what the input was would be to hash a great many different input strings ourselves until we find one that resulted in the same hash value. With the hashing algorithm used by Bitcoin this would take an unthinkably long time, even if we found a way to create a giant computer, as efficient as the laws of thermodynamics allow, and dedicated the entire energy output of our sun to the task. This is why we say that this task is computationally infeasible.
Bob’s a well known literary critic with a reputation for being tough. He’s written a glowing review of a particular book and he realises that people might be hesitant to believe he really wrote the review himself. He’d like to give people a way to be sure that he really wrote the review, and that it wasn’t the work of an imposter.
The first thing that happens is that the plaintext review Bob wrote is passed through a hashing function. This gives us a random-looking hash value. Next, this hash value is encrypted using Bob’s private key. This turns one random-looking sequence of characters into another random-looking sequence of characters.
By encrypting data with his private key, Bob has created ciphertext that can be decrypted by anyone using the corresponding public key. The encrypted hash value of a piece of data is the signature for that piece of data.
When the signature has been created, the plaintext book review, together with Bob’s signature, is published somewhere where others can access it. Alice wants to check that this review really originated with Bob. She uses Bob’s public key (which everyone has access to) to decrypt the signature, which reveals a hash value. She then runs the plaintext review through the same hash function that was used in creating the signature.
If the hash she computes matches the one recovered from the signature, this means that a person with Bob’s private key must have signed the message, and that the review hasn’t been altered since. And since we know that Bob is very careful about keeping his private key secret, we can be confident that Bob himself approved or originated the message.
Signatures in bitcoin
How does all this apply to Bitcoin? Imagine that Bob wants to send 0.01 Bitcoins to Alice to pay for a haircut. He uses his client app to scan in Alice’s receiving address, types in the amount he wants to transfer, and clicks send.
Behind the scenes his Bitcoin client is doing some work. First the client selects one or more addresses from Bob’s wallet that together have enough funds in them to pay the requested amount. These are known as the inputs to the transaction. For each input address, the client creates an instruction so that, together, 0.01 Bitcoins are transferred from Bob’s addresses to Alice’s address. The client then signs the instructions with the private keys that belong to Bob’s input addresses, and the whole thing is broadcast to the rest of the Bitcoin network for verification.
Other nodes in the network receive the new transaction. Because Bob’s transaction also includes the full public keys for the addresses he’s sending from, the other nodes are able to use this information to check the signatures in the transaction. If they don’t check out, or if the numbers don’t add up, the transaction is rejected by the network.
Notice that the network doesn’t care who the source addresses belong to. The Bitcoin system doesn’t need to know who Bob is, the only important thing is whether or not the person attempting to spend money has access to the required private keys for the input addresses.
Byzantine fault tolerance
You’ve probably heard that you can get new bitcoins by having your computer compete with others to solve complicated calculations. In fact, the calculations aren’t especially complicated, but getting to grips with why they’re useful can be difficult.
Bitcoin’s decentralised design has some important benefits: there’s no person or group who can become corrupted and abuse their power over the system, and Bitcoin, like the BitTorrent network, would be extremely difficult to shut down.
But decentralisation brings certain challenges. Primarily, there has to be a way to prevent double spending.
The nodes in the bitcoin network each have their own copy of the public ledger of Bitcoin transactions, the blockchain. There is no central, definitive copy of this ledger. The information in the copies of the ledger is used to determine whether or not new transactions are permitted. For instance if the information in the ledger says that the balance at a particular bitcoin address is zero, then no funds can be sent from that address.
So signed transactions are created by users wanting to spend their coins, and are sent out to the rest of the network. Valid transactions get stored in the distributed blockchain.
But if this was all there was to it, Bob could double spend. If Bob’s balance was 1.00 Bitcoin, he could create two transactions spending that same bitcoin. If the two transactions were quickly sent, one after the other, and if they were checked by different parts of the network, both transactions might be recorded in different copies of the public ledger. Bob would have spent a coin, and would still have that coin! But there’d be a more fundamental problem than Bob having more purchasing power: With no way to consolidate differences between copies of the blockchain, more and more divergent copies of the ledger would appear over time, with no way for nodes to decide which version of the blockchain to refer to.
Proof of work
The way Bitcoin gets around this is to use the concept of proof of work. When a new transaction is broadcast to the network it isn’t immediately added to the public ledger. Instead it’s added to a list of pending transactions. Certain nodes in the network, called ‘miners’, work on this ordered list of pending transactions, repeatedly processing this ‘block’ in different ways, until they discover a particular way of representing the block that allows it to be added to the blockchain.
Earlier we talked about how hash functions are used to sign Bitcoin transactions. The Bitcoin miners are hashing data too, they’re hashing the pending transactions.
The public ledger is made up of groups of transactions called blocks. The Bitcoin protocol only accepts a new block as part of the blockchain once a miner has found a way to create a hash value from that block which conforms to particular requirements.
What a miner does is combine pieces of information and feed the combination into a hash function. The most important pieces of information that get hashed are the list of pending Bitcoin transactions and a number known as the nonce.
A hash function takes input data of any length, and outputs a random looking fixed-length string. If we repeatedly hash the same input data, the hash function will always give the same output. But if even one tiny part of the input string changes, then the resulting hash value will be completely different.
So by repeatedly changing the nonce, and combining it with the list of pending transactions, the miner creates lots of different hash values. The alphanumeric hash values are hexadecimal representations of numbers. Miners are looking for a combination of nonce and transaction list that results in a hash value lower than a certain target number. The lower the target, the more attempts it takes on average to find such a hash; how hard this is relative to the easiest allowed target is known as the ‘difficulty’.
Once a miner finds such a combination he broadcasts the details of the solution to the rest of the network, which checks that the solution is valid and then adds the newly solved block to the blockchain. The transactions within are now said to be ‘confirmed’. The miners can now set to work trying to solve the next batch of transactions.
Miners willingly set their computers to this intensive hashing work because the miners who succeed in solving blocks are rewarded with newly generated bitcoins, as well as any transaction fees that are included in the confirmed transactions. The block reward is reduced by 50%, every 210,000 (two hundred and ten thousand) blocks, or roughly every four years. Over time the supply of bitcoins created looks like this [graph].
One more detail that’s important to mention: the data that miners are hashing also includes the hash value of the last solved block in the blockchain--so each solved block contains a reference to the previous one, this series of references is what puts the ‘chain’ in blockchain. What this means is that new blocks are solved ‘on top of’ older blocks in the blockchain.
This is significant because of Bitcoin events known as forks. A fork happens when the blockchain splits, with different parts of the network using different versions of the blockchain. Because Bitcoin uses a decentralised network, and information isn’t instantly synchronised across it, it’s possible that two miners both find a valid solution for a new block before either miner knows about the existence of the other solution. So now there are two valid, solved blocks in existence that both reference the same previous block. We have two versions of the blockchain, where the newest blocks are different. The blockchain is said to have forked.
But the Bitcoin system is designed to eventually reach consensus about which blocks are valid and which aren’t. The protocol says that when a node receives information about competing blockchains, only the longest chain will be accepted and the shorter one will be ignored. (Strictly, ‘longest’ means the chain with the most accumulated proof of work, which is the same thing while the difficulty is constant.)
What happens after a fork is that initially both versions of the chain are the same length and neither gets rejected, but when the next block gets solved and added to one version of the blockchain or the other, one version of the blockchain is now longer than the other. As news of the newly extended blockchain propagates through the network, nodes will reject the shorter of the two chains, and any orphaned transactions from the shorter chain are again added to the pool of pending transactions. Of course it’s possible that through another coincidence both chains get extended within a very short time of one another, and again neither is rejected by the network. But a series of such coincidences is very unlikely.
This means that the deeper a block is in the blockchain, the less likely it is to be rejected in the future. Confirmations count the block a transaction is in plus every block built on top of it: a transaction in the newest block has one confirmation, and one with five newer blocks on top has six. By convention, Bitcoin clients treat a transaction with six confirmations as a permanent part of the distributed blockchain.
The Bitcoin network monitors the time taken to solve new blocks and adjusts the target at regular intervals (every 2016 blocks, roughly two weeks) so that the network solves an average of one new block every ten minutes. So when we look at a block that’s part of the blockchain, it’s a fair assumption that it took the entire Bitcoin network about ten minutes of hashing before a miner was able to ‘solve’ that block.
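The mining loop, block validation, the retargeting rule and the longest-chain fork resolution described in this section, as an added example that is not part of the original page or of Bitcoin’s own software. It uses a toy block format (previous hash, a single hash of the transaction list in place of the real Merkle tree, a nonce) and a target that is easy enough to hit in a fraction of a second, but the mechanism is the real one: vary the nonce until the double-SHA-256 of the header is below the target, and when two chains compete, keep the one with the most work. The retarget clamp of a factor of four is Bitcoin’s; the 2016-block interval is compressed to two blocks so the example runs quickly, and the transactions are constructed sample data.

```python
import hashlib
import json

GENESIS_HASH = b"\x00" * 32  # constructed: the hash the first block builds on


def sha256d(data):
    """Bitcoin hashes block headers with SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_from_zero_bits(bits):
    """Toy target: a hash qualifies when its top `bits` bits are zero."""
    return 1 << (256 - bits)


def tx_root(txs):
    """Commitment to the transaction list (a Merkle root in a real block)."""
    return sha256d(json.dumps(txs, sort_keys=True).encode())


def header(prev_hash, root, nonce):
    return prev_hash + root + nonce.to_bytes(4, "little")


def mine(prev_hash, txs, target, max_nonce=1 << 32):
    """Try nonces until the header hash is below target; None if none fits."""
    root = tx_root(txs)
    for nonce in range(max_nonce):
        h = sha256d(header(prev_hash, root, nonce))
        if int.from_bytes(h, "big") < target:
            return {"prev": prev_hash, "txs": txs, "nonce": nonce,
                    "target": target, "hash": h}
    return None


def valid_block(block, expected_target):
    """What every node checks before accepting a block: the hash really is the
    hash of this header, and it meets the target the rules demand for this
    block (never the target the block itself claims)."""
    h = sha256d(header(block["prev"], tx_root(block["txs"]), block["nonce"]))
    return (h == block["hash"] and block["target"] == expected_target
            and int.from_bytes(h, "big") < expected_target)


def valid_chain(chain, expected_target):
    """Each block must be valid and must reference the hash of the one before."""
    prev = GENESIS_HASH
    for block in chain:
        if block["prev"] != prev or not valid_block(block, expected_target):
            return False
        prev = block["hash"]
    return True


def retarget(old_target, actual_seconds, expected_seconds):
    """New target after a retarget interval: scale by how long the interval
    actually took, clamped to a factor of four either way as Bitcoin does."""
    ratio = min(max(actual_seconds / expected_seconds, 0.25), 4.0)
    return int(old_target * ratio)


def total_work(chain):
    """Expected hashes spent on the chain; the quantity nodes compare on a fork."""
    return sum((1 << 256) // block["target"] for block in chain)


def best_chain(*chains):
    """Longest-chain rule: the fork with the most accumulated work wins."""
    return max(chains, key=total_work)


if __name__ == "__main__":
    target = target_from_zero_bits(12)
    pay_alice = [{"from": "Bob", "to": "Alice", "amount": 1.0}]   # constructed
    pay_self = [{"from": "Bob", "to": "Bob", "amount": 1.0}]      # the double spend
    b1 = mine(GENESIS_HASH, pay_alice, target)
    # Two miners extend b1 at once with conflicting blocks: a fork.
    b2a = mine(b1["hash"], pay_self, target)
    b2b = mine(b1["hash"], [{"from": "Carol", "to": "Dave", "amount": 0.5}], target)
    b3b = mine(b2b["hash"], [], target)
    winner = best_chain([b1, b2a], [b1, b2b, b3b])
    print("chain length accepted:", len(winner), "nonce of b1:", b1["nonce"])
```

Note that `valid_block` takes the target from the rules rather than trusting the one recorded in the block: a miner who could pick his own target could mine at will, so nodes recompute the expected target for every height from the block times before it.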
The 51% attack
Again Bob is trying to cheat the network. He pays Alice one bitcoin for a tub of luxury moustache wax. While Alice is waiting for the transaction to accumulate six confirmations, Bob is privately mining blocks. He’s creating an alternate version of the blockchain in which the same bitcoin that he sent to Alice is sent to one of his own addresses instead. After the publicly broadcast initial payment has accumulated six confirmations, Alice sends the moustache wax. After this point, if Bob has managed to create a blockchain that’s longer than the public version, he can broadcast it to the network and it will be accepted as the new canonical blockchain. He’ll have the moustache wax, and he’ll still have the bitcoin he paid for it.
But in order to be sure of success, Bob has to mine blocks faster than the rest of the network put together. In other words, his mining machines have to generate more hashes per second than all the other computers combined. Bob’s attempting something called a 51% attack; it’s named that way because that’s how much of the total hashing power of the Bitcoin network he’d need to control to succeed with certainty. With less than half he can still get lucky over a short run, but his chance of ever catching up shrinks exponentially with every confirmation Alice waits for, which is why merchants wait for several.
Even with an array of powerful machines it’s very unlikely that Bob would be able to harness this much power. So the ‘honest’ version of the blockchain--powered by the rest of the network--would grow faster than Bob’s private fraudulent version, and his scheme to double spend his bitcoin will have failed. And even if Bob did somehow end up with more than 50% of the hashing power, he’d usually end up wealthier if he dedicated his machines to mining honestly rather than to attacking Bitcoin.
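How unlikely Bob’s scheme is, worked through as an added example that is not part of the original page. It implements the calculation from section 11 of the Bitcoin whitepaper: the honest chain gains z blocks while the attacker’s private chain advances by a Poisson-distributed amount, and the probability that an attacker who is behind ever catches up is a gambler’s-ruin term that decays geometrically with the deficit. The function takes the attacker’s share q of the hash power and the number of confirmations z; the 0.1% risk threshold used by `confirmations_needed` is an illustrative choice, not a protocol rule.

```python
from math import exp, factorial


def attacker_success(q, z):
    """Probability that an attacker with fraction q of the total hash power
    eventually overtakes the honest chain after the payment has z confirmations.
    Formula from section 11 of the Bitcoin whitepaper."""
    if q >= 0.5:
        return 1.0  # a majority miner is certain to catch up eventually
    p = 1.0 - q
    lam = z * q / p  # expected attacker progress while honest miners find z blocks
    prob = 1.0
    for k in range(z + 1):
        poisson = exp(-lam) * lam ** k / factorial(k)
        # Having made k blocks, the attacker is z - k behind; the chance of
        # ever closing a deficit of d is (q/p)**d, so 1 - that is the chance he never does.
        prob -= poisson * (1 - (q / p) ** (z - k))
    return prob


def confirmations_needed(q, max_risk=0.001):
    """Smallest number of confirmations that brings the attacker's success
    probability below max_risk (an illustrative threshold, not a protocol rule)."""
    z = 0
    while attacker_success(q, z) >= max_risk:
        z += 1
    return z


def risk_table(q, max_z=6):
    """Success probability for 0..max_z confirmations at hash-power share q."""
    return {z: attacker_success(q, z) for z in range(max_z + 1)}


if __name__ == "__main__":
    for q in (0.1, 0.3):
        print(f"attacker share {q:.0%}:")
        for z, prob in risk_table(q).items():
            print(f"  {z} confirmations -> {prob:.7f}")
        print(f"  confirmations for <0.1% risk: {confirmations_needed(q)}")
```

With a tenth of the network’s hash power, Bob’s chance of reversing a payment after six confirmations is about 0.02%, and after five it is already below 0.1%, which is where the customary six-confirmation wait comes from; a 30% miner needs to be made to wait considerably longer. Above 50% the probability is simply 1, which is the other half of the story the text tells.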
We’ve looked at two key technologies that Bitcoin is based on. Transactions are secured using public key cryptography, while proof of work and probabilistic transaction confirmations meet the challenges of decentralised design, creating a stabilising consensus. Bitcoin is the first system to successfully put these pieces together to create a powerful global network, which is part of the reason it’s fuelling interest in the world-changing potential of decentralised crypto-currencies.