## How the Bitcoin protocol actually works

Many thousands of articles have been written purporting to explain Bitcoin, the online, peer-to-peer currency. Most of those articles give a hand-wavy account of the underlying cryptographic protocol, omitting many details. Even those articles which delve deeper often gloss over crucial points. My aim in this post is to explain the major ideas behind the Bitcoin protocol in a clear, easily comprehensible way. We’ll start from first principles, build up to a broad theoretical understanding of how the protocol works, and then dig down into the nitty-gritty, examining the raw data in a Bitcoin transaction.

Understanding the protocol in this detailed way is hard work. It is tempting instead to take Bitcoin as given, and to engage in speculation about how to get rich with Bitcoin, whether Bitcoin is a bubble, whether Bitcoin might one day mean the end of taxation, and so on. That’s fun, but severely limits your understanding. Understanding the details of the Bitcoin protocol opens up otherwise inaccessible vistas. In particular, it’s the basis for understanding Bitcoin’s built-in scripting language, which makes it possible to use Bitcoin to create new types of financial instruments, such as smart contracts. New financial instruments can, in turn, be used to create new markets and to enable new forms of collective human behaviour. Talk about fun!

I’ll describe Bitcoin scripting and concepts such as smart contracts in future posts. This post concentrates on explaining the nuts-and-bolts of the Bitcoin protocol. To understand the post, you need to be comfortable with public key cryptography, and with the closely related idea of digital signatures. I’ll also assume you’re familiar with cryptographic hashing. None of this is especially difficult. The basic ideas can be taught in freshman university mathematics or computer science classes. The ideas are beautiful, so if you’re not familiar with them, I recommend taking a few hours to get familiar.

It may seem surprising that Bitcoin’s foundation is cryptography. Isn’t Bitcoin a currency, not a way of sending secret messages? In fact, the problems Bitcoin needs to solve are largely about securing transactions: making sure people can’t steal from one another, or impersonate one another, and so on. In the world of atoms we achieve security with devices such as locks, safes, signatures, and bank vaults. In the world of bits we achieve this kind of security with cryptography. And that’s why Bitcoin is at heart a cryptographic protocol.

My strategy in the post is to build Bitcoin up in stages. I’ll start by explaining a very simple digital currency, based on ideas that are almost obvious. We’ll call that currency Infocoin, to distinguish it from Bitcoin. Of course, our first version of Infocoin will have many deficiencies, and so we’ll go through several iterations of Infocoin, with each iteration introducing just one or two simple new ideas. After several such iterations, we’ll arrive at the full Bitcoin protocol. We will have reinvented Bitcoin!

This strategy is slower than if I explained the entire Bitcoin protocol in one go. But while you can understand the mechanics of Bitcoin through such a one-shot explanation, it would be difficult to understand why Bitcoin is designed the way it is. The advantage of the slower iterative explanation is that it gives us a much sharper understanding of each element of Bitcoin.

Finally, I should mention that I’m a relative newcomer to Bitcoin. I’ve been following it loosely since 2011 (and cryptocurrencies since the late 1990s), but only got seriously into the details of the Bitcoin protocol earlier this year. So I’d certainly appreciate corrections of any misapprehensions on my part. Also in the post I’ve included a number of “problems for the author” – notes to myself about questions that came up during the writing. You may find these interesting, but you can also skip them entirely without losing track of the main text.

### First steps: a signed letter of intent

So how can we design a digital currency?

On the face of it, a digital currency sounds impossible. Suppose some person – let’s call her Alice – has some digital money which she wants to spend. If Alice can use a string of bits as money, how can we prevent her from using the same bit string over and over, thus minting an infinite supply of money? Or, if we can somehow solve that problem, how can we prevent someone else forging such a string of bits, and using that to steal from Alice?

These are just two of the many problems that must be overcome in order to use information as money.

As a first version of Infocoin, let’s find a way that Alice can use a string of bits as a (very primitive and incomplete) form of money, in a way that gives her at least some protection against forgery. Suppose Alice wants to give another person, Bob, an infocoin. To do this, Alice writes down the message “I, Alice, am giving Bob one infocoin”. She then digitally signs the message using a private cryptographic key, and announces the signed string of bits to the entire world.

(By the way, I’m using capitalized “Infocoin” to refer to the protocol and general concept, and lowercase “infocoin” to refer to specific denominations of the currency. A similar usage is common, though not universal, in the Bitcoin world.)

This isn’t terribly impressive as a prototype digital currency! But it does have some virtues. Anyone in the world (including Bob) can use Alice’s public key to verify that Alice really was the person who signed the message “I, Alice, am giving Bob one infocoin”. No-one else could have created that bit string, and so Alice can’t turn around and say “No, I didn’t mean to give Bob an infocoin”. So the protocol establishes that Alice truly intends to give Bob one infocoin. The same fact – no-one else could compose such a signed message – also gives Alice some limited protection from forgery. Of course, after Alice has published her message it’s possible for other people to duplicate the message, so in that sense forgery is possible. But it’s not possible from scratch. These two properties – establishment of intent on Alice’s part, and the limited protection from forgery – are genuinely notable features of this protocol.

I haven’t (quite) said exactly what digital money is in this protocol. To make this explicit: it’s just the message itself, i.e., the string of bits representing the digitally signed message “I, Alice, am giving Bob one infocoin”. Later protocols will be similar, in that all our forms of digital money will be just more and more elaborate messages [1].

### Using serial numbers to make coins uniquely identifiable

A problem with the first version of Infocoin is that Alice could keep sending Bob the same signed message over and over. Suppose Bob receives ten copies of the signed message “I, Alice, am giving Bob one infocoin”. Does that mean Alice sent Bob ten different infocoins? Was her message accidentally duplicated? Perhaps she was trying to trick Bob into believing that she had given him ten different infocoins, when the message only proves to the world that she intends to transfer one infocoin.

What we’d like is a way of making infocoins unique. They need a label or serial number. Alice would sign the message “I, Alice, am giving Bob one infocoin, with serial number 8740348”. Then, later, Alice could sign the message “I, Alice, am giving Bob one infocoin, with serial number 8770431”, and Bob (and everyone else) would know that a different infocoin was being transferred.

To make this scheme work we need a trusted source of serial numbers for the infocoins. One way to create such a source is to introduce a bank. This bank would provide serial numbers for infocoins, keep track of who has which infocoins, and verify that transactions really are legitimate.

In more detail, let’s suppose Alice goes into the bank, and says “I want to withdraw one infocoin from my account”. The bank reduces her account balance by one infocoin, and assigns her a new, never-before used serial number, let’s say 1234567. Then, when Alice wants to transfer her infocoin to Bob, she signs the message “I, Alice, am giving Bob one infocoin, with serial number 1234567”. But Bob doesn’t just accept the infocoin. Instead, he contacts the bank, and verifies that: (a) the infocoin with that serial number belongs to Alice, and (b) Alice hasn’t already spent the infocoin. If both those things are true, then Bob tells the bank he wants to accept the infocoin, and the bank updates their records to show that the infocoin with that serial number is now in Bob’s possession, and no longer belongs to Alice.

### Making everyone collectively the bank

This last solution looks pretty promising. However, it turns out that we can do something much more ambitious. We can eliminate the bank entirely from the protocol. This changes the nature of the currency considerably. It means that there is no longer any single organization in charge of the currency. And when you think about the enormous power a central bank has – control over the money supply – that’s a pretty big change.

The idea is to make it so everyone (collectively) is the bank. In particular, we’ll assume that everyone using Infocoin keeps a complete record of which infocoins belong to which person. You can think of this as a shared public ledger showing all Infocoin transactions. We’ll call this ledger the block chain, since that’s what the complete record will be called in Bitcoin, once we get to it.

Now, suppose Alice wants to transfer an infocoin to Bob. She signs the message “I, Alice, am giving Bob one infocoin, with serial number 1234567”, and gives the signed message to Bob. Bob can use his copy of the block chain to check that, indeed, the infocoin is Alice’s to give. If that checks out then he broadcasts both Alice’s message and his acceptance of the transaction to the entire network, and everyone updates their copy of the block chain.

We still have the “where do serial numbers come from” problem, but that turns out to be pretty easy to solve, and so I will defer it to later, in the discussion of Bitcoin. A more challenging problem is that this protocol allows Alice to cheat by double spending her infocoin. She sends the signed message “I, Alice, am giving Bob one infocoin, with serial number 1234567” to Bob, and the message “I, Alice, am giving Charlie one infocoin, with [the same] serial number 1234567” to Charlie. Both Bob and Charlie use their copy of the block chain to verify that the infocoin is Alice’s to spend. Provided they do this verification at nearly the same time (before they’ve had a chance to hear from one another), both will find that, yes, the block chain shows the coin belongs to Alice. And so they will both accept the transaction, and also broadcast their acceptance of the transaction. Now there’s a problem. How should other people update their block chains? There may be no easy way to achieve a consistent shared ledger of transactions. And even if everyone can agree on a consistent way to update their block chains, there is still the problem that either Bob or Charlie will be cheated.

At first glance double spending seems difficult for Alice to pull off. After all, if Alice sends the message first to Bob, then Bob can verify the message, and tell everyone else in the network (including Charlie) to update their block chain. Once that has happened, Charlie would no longer be fooled by Alice. So there is most likely only a brief period of time in which Alice can double spend. However, it’s obviously undesirable to have any such period of time. Worse, there are techniques Alice could use to make that period longer. She could, for example, use network traffic analysis to find times when Bob and Charlie are likely to have a lot of latency in communication. Or perhaps she could do something to deliberately disrupt their communications. If she can slow communication even a little that makes her task of double spending much easier.

How can we address the problem of double spending? The obvious solution is that when Alice sends Bob an infocoin, Bob shouldn’t try to verify the transaction alone. Rather, he should broadcast the possible transaction to the entire network of Infocoin users, and ask them to help determine whether the transaction is legitimate. If they collectively decide that the transaction is okay, then Bob can accept the infocoin, and everyone will update their block chain. This type of protocol can help prevent double spending, since if Alice tries to spend her infocoin with both Bob and Charlie, other people on the network will notice, and network users will tell both Bob and Charlie that there is a problem with the transaction, and the transaction shouldn’t go through.

In more detail, let’s suppose Alice wants to give Bob an infocoin. As before, she signs the message “I, Alice, am giving Bob one infocoin, with serial number 1234567”, and gives the signed message to Bob. Also as before, Bob does a sanity check, using his copy of the block chain to check that, indeed, the coin currently belongs to Alice. But at that point the protocol is modified. Bob doesn’t just go ahead and accept the transaction. Instead, he broadcasts Alice’s message to the entire network. Other members of the network check to see whether Alice owns that infocoin. If so, they broadcast the message “Yes, Alice owns infocoin 1234567, it can now be transferred to Bob.” Once enough people have broadcast that message, everyone updates their block chain to show that infocoin 1234567 now belongs to Bob, and the transaction is complete.

This protocol has many imprecise elements at present. For example, what does it mean to say “once enough people have broadcast that message”? What exactly does “enough” mean here? It can’t mean everyone in the network, since we don’t a priori know who is on the Infocoin network. For the same reason, it can’t mean some fixed fraction of users in the network. We won’t try to make these ideas precise right now. Instead, in the next section I’ll point out a serious problem with the approach as described. Fixing that problem will at the same time have the pleasant side effect of making the ideas above much more precise.

### Proof-of-work

Suppose Alice wants to double spend in the network-based protocol I just described. She could do this by taking over the Infocoin network. Let’s suppose she uses an automated system to set up a large number of separate identities, let’s say a billion, on the Infocoin network. As before, she tries to double spend the same infocoin with both Bob and Charlie. But when Bob and Charlie ask the network to validate their respective transactions, Alice’s sock puppet identities swamp the network, announcing to Bob that they’ve validated his transaction, and to Charlie that they’ve validated his transaction, possibly fooling one or both into accepting the transaction.

There’s a clever way of avoiding this problem, using an idea known as proof-of-work. The idea is counterintuitive and involves a combination of two ideas: (1) to (artificially) make it computationally costly for network users to validate transactions, and (2) to reward them for trying to help validate transactions. The reward is used so that people on the network will try to help validate transactions, even though that’s now been made a computationally costly process. The benefit of making it costly to validate transactions is that validation can no longer be influenced by the number of network identities someone controls, but only by the total computational power they can bring to bear on validation. As we’ll see, with some clever design we can make it so a cheater would need enormous computational resources to cheat, making it impractical.

That’s the gist of proof-of-work. But to really understand proof-of-work, we need to go through the details.

Suppose Alice broadcasts to the network the news that “I, Alice, am giving Bob one infocoin, with serial number 1234567”.

As other people on the network hear that message, each adds it to a queue of pending transactions that they’ve been told about, but which haven’t yet been approved by the network. For example, another network user named David might have the following queue of pending transactions:

I, Tom, am giving Sue one infocoin, with serial number 1201174.

I, Sydney, am giving Cynthia one infocoin, with serial number 1295618.

I, Alice, am giving Bob one infocoin, with serial number 1234567.

David checks his copy of the block chain, and can see that each transaction is valid. He would like to help out by broadcasting news of that validity to the entire network.

However, before doing that, as part of the validation protocol David is required to solve a hard computational puzzle – the proof-of-work. Without the solution to that puzzle, the rest of the network won’t accept his validation of the transaction.

What puzzle does David need to solve? To explain that, let be a fixed hash function known by everyone in the network – it’s built into the protocol. Bitcoin uses the well-known SHA-256 hash function, but any cryptographically secure hash function will do. Let’s give David’s queue of pending transactions a label, , just so it’s got a name we can refer to. Suppose David appends a number (called the nonce) to and hashes the combination. For example, if we use “Hello, world!” (obviously this is not a list of transactions, just a string used for illustrative purposes) and the nonce then (output is in hexadecimal)

The puzzle David has to solve – the proof-of-work – is to find a nonce such that when we append to and hash the combination the output hash begins with a long run of zeroes. The puzzle can be made more or less difficult by varying the number of zeroes required to solve the puzzle. A relatively simple proof-of-work puzzle might require just three or four zeroes at the start of the hash, while a more difficult proof-of-work puzzle might require a much longer run of zeros, say 15 consecutive zeroes. In either case, the above attempt to find a suitable nonce, with , is a failure, since the output doesn’t start with any zeroes at all. Trying doesn’t work either:

We can keep trying different values for the nonce, . Eventually, at we obtain:

This nonce gives us a string of four zeroes at the beginning of the output of the hash. This will be enough to solve a simple proof-of-work puzzle, but not enough to solve a more difficult proof-of-work puzzle.

What makes this puzzle hard to solve is the fact that the output from a cryptographic hash function behaves like a random number: change the input even a little bit and the output from the hash function changes completely, in a way that’s hard to predict. So if we want the output hash value to start with 10 zeroes, say, then David will need, on average, to try different values for before he finds a suitable nonce. That’s a pretty challenging task, requiring lots of computational power.

Obviously, it’s possible to make this puzzle more or less difficult to solve by requiring more or fewer zeroes in the output from the hash function. In fact, the Bitcoin protocol gets quite a fine level of control over the difficulty of the puzzle, by using a slight variation on the proof-of-work puzzle described above. Instead of requiring leading zeroes, the Bitcoin proof-of-work puzzle requires the hash of a block’s header to be less than or equal to a number known as the target. This target is automatically adjusted to ensure that a Bitcoin block takes, on average, about ten minutes to validate.
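The nonce search just described, as an added worked example rather than code from the post: it hashes the post’s “Hello, world!” string with SHA-256, brute-forces the first nonce whose hex digest starts with four zeroes, and then checks that same solution against Bitcoin’s target form of the puzzle. The helper names are my own.

```python
import hashlib

# Constructed example: the post's "Hello, world!" string stands in for a
# list of pending transactions, exactly as the text does.
PENDING = "Hello, world!"


def h(data: str) -> str:
    """The protocol's fixed hash function: SHA-256, hex encoded."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def try_nonce(transactions: str, nonce: int) -> str:
    """Append the nonce to the transaction list and hash the combination."""
    return h(transactions + str(nonce))


def find_nonce(transactions: str, zeros: int, limit: int = 10_000_000):
    """Leading-zero puzzle: smallest nonce whose hash begins with `zeros` hex zeroes.

    Returns (nonce, hash), or None if `limit` attempts are exhausted. The loop
    is brute force on purpose: a cryptographic hash offers no shortcut.
    """
    prefix = "0" * zeros
    for nonce in range(limit):
        digest = try_nonce(transactions, nonce)
        if digest.startswith(prefix):
            return nonce, digest
    return None


def expected_attempts(zeros: int) -> int:
    """Each hex digit has 16 possible values, so about 16**zeros trials are needed."""
    return 16 ** zeros


def target_for_leading_zeros(zeros: int) -> int:
    """Largest 256-bit value whose 64-digit hex form starts with `zeros` zeroes."""
    return (1 << (256 - 4 * zeros)) - 1


def meets_target(header: str, nonce: int, target: int) -> bool:
    """Bitcoin's variant: the header hash, read as an integer, must be <= target."""
    return int(try_nonce(header, nonce), 16) <= target


if __name__ == "__main__":
    print("nonce 0 ->", try_nonce(PENDING, 0))
    nonce, digest = find_nonce(PENDING, 4)
    print("nonce", nonce, "->", digest, "(about %d tries expected)" % expected_attempts(4))
    print("meets target:", meets_target(PENDING, nonce, target_for_leading_zeros(4)))
```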

(In practice there is sizeable randomness in how long it takes to validate a block – sometimes a new block is validated in just a minute or two, other times it may take 20 minutes or even longer. It’s straightforward to modify the Bitcoin protocol so that the time to validation is much more sharply peaked around ten minutes. Instead of solving a single puzzle, we can require that multiple puzzles be solved; with some careful design it is possible to considerably reduce the variance in the time to validate a block of transactions.)

Alright, let’s suppose David is lucky and finds a suitable nonce, . Celebration! (He’ll be rewarded for finding the nonce, as described below). He broadcasts the block of transactions he’s approving to the network, together with the value for . Other participants in the Infocoin network can verify that is a valid solution to the proof-of-work puzzle. And they then update their block chains to include the new block of transactions.

For the proof-of-work idea to have any chance of succeeding, network users need an incentive to help validate transactions. Without such an incentive, they have no reason to expend valuable computational power, merely to help validate other people’s transactions. And if network users are not willing to expend that power, then the entire system won’t work. The solution to this problem is to reward people who help validate transactions. In particular, suppose we reward whoever successfully validates a block of transactions by crediting them with some infocoins. Provided the infocoin reward is large enough that will give them an incentive to participate in validation.

In the Bitcoin protocol, this validation process is called mining. For each block of transactions validated, the successful miner receives a bitcoin reward. Initially, this was set to be a 50 bitcoin reward. But for every 210,000 validated blocks (roughly, once every four years) the reward halves. This has happened just once, to date, and so the current reward for mining a block is 25 bitcoins. This halving in the rate will continue every four years until the year 2140 CE. At that point, the reward for mining will drop below bitcoins per block. bitcoins is actually the minimal unit of Bitcoin, and is known as a satoshi. So in 2140 CE the total supply of bitcoins will cease to increase. However, that won’t eliminate the incentive to help validate transactions. Bitcoin also makes it possible to set aside some currency in a transaction as a transaction fee, which goes to the miner who helps validate it. In the early days of Bitcoin transaction fees were mostly set to zero, but as Bitcoin has gained in popularity, transaction fees have gradually risen, and are now a substantial additional incentive on top of the 25 bitcoin reward for mining a block.

You can think of proof-of-work as a competition to approve transactions. Each entry in the competition costs a little bit of computing power. A miner’s chance of winning the competition is (roughly, and with some caveats) equal to the proportion of the total computing power that they control. So, for example, if a miner controls one percent of the computing power being used to validate Bitcoin transactions, then they have roughly a one percent chance of winning the competition. So provided a lot of computing power is being brought to bear on the competition, a dishonest miner is likely to have only a relatively small chance to corrupt the validation process, unless they expend a huge amount of computing resources.

Of course, while it’s encouraging that a dishonest party has only a relatively small chance to corrupt the block chain, that’s not enough to give us confidence in the currency. In particular, we haven’t yet conclusively addressed the issue of double spending.

I’ll analyse double spending shortly. Before doing that, I want to fill in an important detail in the description of Infocoin. We’d ideally like the Infocoin network to agree upon the order in which transactions have occurred. If we don’t have such an ordering then at any given moment it may not be clear who owns which infocoins. To help do this we’ll require that new blocks always include a pointer to the last block validated in the chain, in addition to the list of transactions in the block. (The pointer is actually just a hash of the previous block). So typically the block chain is just a linear chain of blocks of transactions, one after the other, with later blocks each containing a pointer to the immediately prior block:

From time to time, a fork will appear in the block chain. This can happen, for example, if by chance two miners happen to validate a block of transactions near-simultaneously – both broadcast their newly-validated block out to the network, and some people update their block chain one way, and others update their block chain the other way:

This causes exactly the problem we’re trying to avoid – it’s no longer clear in what order transactions have occurred, and it may not be clear who owns which infocoins. Fortunately, there’s a simple idea that can be used to remove any forks. The rule is this: if a fork occurs, people on the network keep track of both forks. But at any given time, miners only work to extend whichever fork is longest in their copy of the block chain.

Suppose, for example, that we have a fork in which some miners receive block A first, and some miners receive block B first. Those miners who receive block A first will continue mining along that fork, while the others will mine along fork B. Let’s suppose that the miners working on fork B are the next to successfully mine a block:

After they receive news that this has happened, the miners working on fork A will notice that fork B is now longer, and will switch to working on that fork. Presto, in short order work on fork A will cease, and everyone will be working on the same linear chain, and block A can be ignored. Of course, any still-pending transactions in A will still be pending in the queues of the miners working on fork B, and so all transactions will eventually be validated.

Likewise, it may be that the miners working on fork A are the first to extend their fork. In that case work on fork B will quickly cease, and again we have a single linear chain.

No matter what the outcome, this process ensures that the block chain has an agreed-upon time ordering of the blocks. In Bitcoin proper, a transaction is not considered confirmed until: (1) it is part of a block in the longest fork, and (2) at least 5 blocks follow it in the longest fork. In this case we say that the transaction has “6 confirmations”. This gives the network time to come to an agreed-upon ordering of the blocks. We’ll also use this strategy for Infocoin.

With the time-ordering now understood, let’s return to think about what happens if a dishonest party attempts to double spend. Suppose Alice attempts to double spend with Bob and Charlie. One possible approach is for her to try to validate a block that includes both transactions. Assuming she has one percent of the computing power, she will occasionally get lucky and validate the block by solving the proof-of-work. Unfortunately for Alice, the double spending will be immediately spotted by other people in the Infocoin network and rejected, despite solving the proof-of-work problem. So that’s not something we need to worry about.

A more serious problem occurs if she broadcasts two separate transactions in which she spends the same infocoin with Bob and Charlie, respectively. She might, for example, broadcast one transaction to a subset of the miners, and the other transaction to another set of miners, hoping to get both transactions validated in this way. Fortunately, in this case, as we’ve seen, the network will eventually confirm one of these transactions, but not both. So, for example, Bob’s transaction might ultimately be confirmed, in which case Bob can go ahead confidently. Meanwhile, Charlie will see that his transaction has not been confirmed, and so will decline Alice’s offer. So this isn’t a problem either. In fact, knowing that this will be the case, there is little reason for Alice to try this in the first place.

An important variant on double spending is if Alice = Bob, i.e., Alice tries to spend a coin with Charlie which she is also “spending” with herself (i.e., giving back to herself). This sounds like it ought to be easy to detect and deal with, but, of course, it’s easy on a network to set up multiple identities associated with the same person or organization, so this possibility needs to be considered. In this case, Alice’s strategy is to wait until Charlie accepts the infocoin, which happens after the transaction has been confirmed 6 times in the longest chain. She will then attempt to fork the chain before the transaction with Charlie, adding a block which includes a transaction in which she pays herself:

Unfortunately for Alice, it’s now very difficult for her to catch up with the longer fork. Other miners won’t want to help her out, since they’ll be working on the longer fork. And unless Alice is able to solve the proof-of-work at least as fast as everyone else in the network combined – roughly, that means controlling more than fifty percent of the computing power – then she will just keep falling further and further behind. Of course, she might get lucky. We can, for example, imagine a scenario in which Alice controls one percent of the computing power, but happens to get lucky and finds six extra blocks in a row, before the rest of the network has found any extra blocks. In this case, she might be able to get ahead, and get control of the block chain. But this particular event will occur with probability . A more general analysis along these lines shows that Alice’s probability of ever catching up is infinitesimal, unless she is able to solve proof-of-work puzzles at a rate approaching all other miners combined.
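The block chain mechanics of this section, collected into one added simulation of Infocoin: the hash pointer to the previous block, proof-of-work on each block, replaying the ledger so a second spend of a serial number is rejected, the longest-fork rule, and confirmation counting. This is my own illustration, not code from the post; the two-zero difficulty, the `mint` pseudo-sender used to issue serial numbers, and all function names are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DIFFICULTY = 2      # hex zeroes a block hash must begin with (assumed; tiny so the demo is instant)
MINT = "mint"       # assumed pseudo-sender that issues a never-before-used serial number
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class Tx:
    sender: str
    receiver: str
    serial: int


@dataclass(frozen=True)
class Block:
    prev_hash: str          # pointer to the previous block: its hash
    txs: Tuple[Tx, ...]
    nonce: int

    def hash(self) -> str:
        body = [self.prev_hash, [(t.sender, t.receiver, t.serial) for t in self.txs], self.nonce]
        return hashlib.sha256(json.dumps(body).encode()).hexdigest()


def mine(prev_hash: str, txs: List[Tx]) -> Block:
    """Proof-of-work: try nonces until the block hash begins with DIFFICULTY zeroes."""
    nonce = 0
    while True:
        block = Block(prev_hash, tuple(txs), nonce)
        if block.hash().startswith("0" * DIFFICULTY):
            return block
        nonce += 1


def ledger_after(chain: List[Block]) -> Optional[Dict[int, str]]:
    """Replay a chain into a serial -> owner map; None if any transaction is invalid."""
    owner: Dict[int, str] = {}
    for block in chain:
        for tx in block.txs:
            # A mint needs an unused serial; a spend needs the sender to own the coin,
            # so the second of two spends of one coin is rejected wherever it appears.
            expected = None if tx.sender == MINT else tx.sender
            if owner.get(tx.serial) != expected:
                return None
            owner[tx.serial] = tx.receiver
    return owner


def valid_chain(chain: List[Block]) -> bool:
    """Check the proof-of-work and prev_hash link of every block, then the ledger."""
    prev = GENESIS_HASH
    for block in chain:
        if block.prev_hash != prev or not block.hash().startswith("0" * DIFFICULTY):
            return False
        prev = block.hash()
    return ledger_after(chain) is not None


def choose_fork(forks: List[List[Block]]) -> List[Block]:
    """The post's rule: keep every fork, but work on the longest valid one."""
    return max((f for f in forks if valid_chain(f)), key=len)


def confirmations(chain: List[Block], tx: Tx) -> int:
    """1 for the block holding tx plus 1 per later block; 0 if tx is not in the chain."""
    for depth, block in enumerate(chain):
        if tx in block.txs:
            return len(chain) - depth
    return 0


def demo() -> dict:
    """Constructed scenario from the text: Alice pays Bob, then tries to double spend."""
    coin = Tx(MINT, "Alice", 1234567)
    to_bob = Tx("Alice", "Bob", 1234567)
    to_charlie = Tx("Alice", "Charlie", 1234567)
    to_self = Tx("Alice", "Alice", 1234567)
    b0 = mine(GENESIS_HASH, [coin])
    honest = [b0, mine(b0.hash(), [to_bob])]
    # A block carrying both spends is rejected by everyone, proof-of-work or not.
    both_in_one_block = valid_chain([b0, mine(b0.hash(), [to_bob, to_charlie])])
    # Alice forks before the Bob transaction and pays herself instead...
    alice_fork = [b0, mine(b0.hash(), [to_self])]
    # ...but the rest of the network extends its fork first, so it stays longest.
    honest.append(mine(honest[-1].hash(), []))
    winner = choose_fork([honest, alice_fork])
    return {
        "both_in_one_block_valid": both_in_one_block,
        "winner_is_honest": winner is honest,
        "bob_confirmations": confirmations(winner, to_bob),
        "owner_of_1234567": ledger_after(winner)[1234567],
    }
```

Calling `demo()` returns the four outcomes the text argues for: the combined double-spend block is invalid, the honest fork wins, Bob’s transaction has two confirmations, and the coin belongs to Bob.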

Of course, this is not a rigorous security analysis showing that Alice cannot double spend. It’s merely an informal plausibility argument. The original paper introducing Bitcoin did not, in fact, contain a rigorous security analysis, only informal arguments along the lines I’ve presented here. The security community is still analysing Bitcoin, and trying to understand possible vulnerabilities. You can see some of this research listed here, and I mention a few related problems in the “Problems for the author” below. At this point I think it’s fair to say that the jury is still out on how secure Bitcoin is.

The proof-of-work and mining ideas give rise to many questions. How much reward is enough to persuade people to mine? How does the change in supply of infocoins affect the Infocoin economy? Will Infocoin mining end up concentrated in the hands of a few, or many? If it’s just a few, doesn’t that endanger the security of the system? Presumably transaction fees will eventually equilibrate – won’t this introduce an unwanted source of friction, and make small transactions less desirable? These are all good questions, but beyond the scope of this post. I may come back to the questions (in the setting of Bitcoin) in a future post. For now, we’ll stick to our focus on understanding how the Bitcoin protocol works.

### Problems for the author

• I don’t understand why dual spending can’t be prevented te a simpler manner using two-phase commit. Suppose Alice attempts to dual spend an infocoin with both Bob and Charlie. The idea is that Bob and Charlie would each broadcast their respective messages to the Infocoin network, along with a request: “Should I accept this?” They’d then wait some period – perhaps ten minutes – to hear any naysayers who could prove that Alice wasgoed attempting to dual spend. If no such nays are heard (and provided there are no signs of attempts to disrupt the network), they’d then accept the transaction. This protocol needs to be hardened against network attacks, but it seems to mij to be the core of a good alternate idea. How well does this work? What drawbacks and advantages does it have compared to the utter Bitcoin protocol?
• Early in the section I mentioned that there is a natural way of reducing the variance in the time required to validate a block of transactions. If that variance is reduced too much, then it creates an interesting attack possibility. Suppose Alice tries to fork the chain in such a way that: (a) one fork starts with a block in which Alice pays herself, while the other fork starts with a block in which Alice pays Bob, (b) both blocks are announced almost at the same time, so roughly half the miners will attempt to mine each fork, (c) Alice uses her mining power to try to keep the forks of roughly equal length, mining whichever fork is shorter – this is ordinarily hard to pull off, but becomes significantly easier if the standard deviation of the time-to-validation is much shorter than the network latency, (d) after 5 blocks have been mined on both forks, Alice throws her mining power into making it more likely that Charles’s transaction is confirmed, and (e) after confirmation of Charles’s transaction, she then throws her computational power into the other fork, and tries to regain the lead. This balancing strategy will have only a small chance of success. But while the probability is small, it will certainly be much larger than in the standard protocol, with high variance in the time to validate a block. Is there a way of avoiding this problem?
• Suppose Bitcoin mining software always explored nonces starting with , then . If this is done by all (or even just a substantial fraction) of Bitcoin miners then it creates a vulnerability. Namely, it’s possible for someone to improve their odds of solving the proof-of-work merely by starting with some other (much larger) nonce. More generally, it may be possible for attackers to exploit any systematic patterns in the way miners explore the space of nonces. More generally still, in the analysis of this section I have implicitly assumed a kind of symmetry between different miners. In practice, there will be asymmetries and a thorough security analysis will need to account for those asymmetries.

### Bitcoin

Let’s move away from Infocoin, and describe the actual Bitcoin protocol. There are a few new ideas here, but with one exception (discussed below) they’re mostly obvious modifications to Infocoin.

To use Bitcoin in practice, you first install a wallet program on your computer. To give you a sense of what that means, here’s a screenshot of a wallet called MultiBit. You can see the Bitcoin balance on the left – 0.06555555 Bitcoins, or about 70 dollars at the exchange rate on the day I took this screenshot – and on the right two recent transactions, which deposited those 0.06555555 Bitcoins:

Suppose you’re a merchant who has set up an online store, and you’ve decided to allow people to pay using Bitcoin. What you do is tell your wallet program to generate a Bitcoin address. In response, it will generate a public / private key pair, and then hash the public key to form your Bitcoin address:

You then send your Bitcoin address to the person who wants to buy from you. You could do this in email, or even put the address up publicly on a webpage. This is safe, since the address is merely a hash of your public key, which can safely be known by the world anyway. (I’ll return later to the question of why the Bitcoin address is a hash, and not just the public key.)

The person who is going to pay you then generates a transaction. Let’s take a look at the data from an actual transaction transferring bitcoins. What’s shown below is very nearly the raw data. It’s changed in three ways: (1) the data has been deserialized, (2) line numbers have been added, for ease of reference, and (3) I’ve abbreviated various hashes and public keys, just putting in the first six hexadecimal digits of each, when in reality they are much longer. Here’s the data:

Let’s go through this, line by line.

Line 1 contains the hash of the remainder of the transaction, 7c4025..., expressed in hexadecimal. This is used as an identifier for the transaction.

Line 2 tells us that this is a transaction in version 1 of the Bitcoin protocol.

Lines 3 and 4 tell us that the transaction has one input and one output, respectively. I’ll talk below about transactions with more inputs and outputs, and why that’s useful.

Line 5 contains the value for lock_time, which can be used to control when a transaction is finalized. For most Bitcoin transactions being carried out today the lock_time is set to 0, which means the transaction is finalized immediately.

Line 6 tells us the size (in bytes) of the transaction. Note that it’s not the monetary amount being transferred! That comes later.

Lines 7 through 11 define the input to the transaction. In particular, lines 8 through 10 tell us that the input is to be taken from the output from an earlier transaction, with the given hash, which is expressed in hexadecimal as 2007ae.... The n=0 tells us it’s to be the first output from that transaction; we’ll see soon how multiple outputs (and inputs) from a transaction work, so don’t worry too much about this for now. Line 11 contains the signature of the person sending the money, 304502..., followed by a space, and then the corresponding public key, 04b2d.... Again, these are both in hexadecimal.

One thing to note about the input is that there’s nothing explicitly specifying how many bitcoins from the previous transaction should be spent in this transaction. In fact, all the bitcoins from the n=0th output of the previous transaction are spent. So, for example, if the n=0th output of the earlier transaction was 2 bitcoins, then 2 bitcoins will be spent in this transaction. This seems like an inconvenient restriction – like trying to buy bread with a 20 dollar note, and not being able to break the note down. The solution, of course, is to have a mechanism for providing change. This can be done using transactions with multiple inputs and outputs, which we’ll discuss in the next section.

Lines 12 through 14 define the output from the transaction. In particular, line 13 tells us the value of the output, 0.319 bitcoins. Line 14 is somewhat complicated. The main thing to note is that the string a7db6f... is the Bitcoin address of the intended recipient of the funds (written in hexadecimal). In fact, Line 14 is actually an expression in Bitcoin’s scripting language. I’m not going to describe that language in detail in this post; the important thing to take away now is just that a7db6f... is the Bitcoin address.

You can now see, by the way, how Bitcoin addresses the question I swept under the rug in the last section: where do Bitcoin serial numbers come from? In fact, the role of the serial number is played by transaction hashes. In the transaction above, for example, the recipient is receiving 0.319 Bitcoins, which come out of the first output of an earlier transaction with hash 2007ae... (line 9). If you go and look in the block chain for that transaction, you’d see that its output comes from a still earlier transaction. And so on.

There are two clever things about using transaction hashes instead of serial numbers. First, in Bitcoin there’s not really any separate, persistent “coins” at all, just a long series of transactions in the block chain. It’s a clever idea to realize that you don’t need persistent coins, and can just get by with a ledger of transactions. Second, by operating in this way we eliminate the need for any central authority issuing serial numbers. Instead, the serial numbers can be self-generated, merely by hashing the transaction.

In fact, it’s possible to keep following the chain of transactions further back in history. Ultimately, this process must terminate. This can happen in one of two ways. The first possibility is that you’ll arrive at the very first Bitcoin transaction, contained in the so-called Genesis block. This is a special transaction, having no inputs, but a 50 Bitcoin output. In other words, this transaction establishes an initial money supply. The Genesis block is treated separately by Bitcoin clients, and I won’t get into the details here, although it’s along similar lines to the transaction above. You can see the deserialized raw data here, and read about the Genesis block here.

The second possibility when you follow a chain of transactions back in time is that eventually you’ll arrive at a so-called coinbase transaction. With the exception of the Genesis block, every block of transactions in the block chain starts with a special coinbase transaction. This is the transaction rewarding the miner who validated that block of transactions. It uses a similar but not identical format to the transaction above. I won’t go through the format in detail, but if you want to see an example, see here. You can read a little more about coinbase transactions here.

Something I haven’t been precise about above is what exactly is being signed by the digital signature in line 11. The obvious thing to do is for the payer to sign the entire transaction (apart from the transaction hash, which, of course, must be generated later). Currently, this is not what is done – some pieces of the transaction are omitted. This makes some pieces of the transaction malleable, i.e., they can be changed later. However, this malleability does not include the amounts being paid out, senders and recipients, which can’t be changed later. I must admit I haven’t dug down into the details here. I gather that this malleability is under discussion in the Bitcoin developer community, and there are efforts afoot to reduce or eliminate this malleability.

### Transactions with multiple inputs and outputs

In the last section I described how a transaction with a single input and a single output works. In practice, it’s often extremely convenient to create Bitcoin transactions with multiple inputs or multiple outputs. I’ll talk below about why this can be useful. But first let’s take a look at the data from an actual transaction:

Let’s go through the data, line by line. It’s very similar to the single-input-single-output transaction, so I’ll do this pretty quickly.

Line 1 contains the hash of the remainder of the transaction. This is used as an identifier for the transaction.

Line 2 tells us that this is a transaction in version 1 of the Bitcoin protocol.

Lines 3 and 4 tell us that the transaction has three inputs and two outputs, respectively.

Line 5 contains the lock_time. As in the single-input-single-output case this is set to 0, which means the transaction is finalized immediately.

Line 6 tells us the size of the transaction in bytes.

Lines 7 through 19 define a list of the inputs to the transaction. Each corresponds to an output from a previous Bitcoin transaction.

The first input is defined in lines 8 through 11.

In particular, lines 8 through 10 tell us that the input is to be taken from the n=0th output from the transaction with hash 3beabc.... Line 11 contains the signature, followed by a space, and then the public key of the person sending the bitcoins.

Lines 12 through 15 define the second input, with a similar format to lines 8 through 11. And lines 16 through 19 define the third input.

Lines 20 through 24 define a list containing the two outputs from the transaction.

The first output is defined in lines 21 and 22. Line 21 tells us the value of the output, 0.01068000 bitcoins. As before, line 22 is an expression in Bitcoin’s scripting language. The main thing to take away here is that the string e8c30622... is the Bitcoin address of the intended recipient of the funds.

The second output is defined in lines 23 and 24, with a similar format to the first output.

One apparent oddity in this description is that although each output has a Bitcoin value associated to it, the inputs do not. Of course, the values of the respective inputs can be found by consulting the corresponding outputs in earlier transactions. In a standard Bitcoin transaction, the sum of all the inputs in the transaction must be at least as much as the sum of all the outputs. (The only exception to this principle is the Genesis block, and in coinbase transactions, both of which add to the overall Bitcoin supply.) If the inputs sum up to more than the outputs, then the excess is used as a transaction fee. This is paid to whichever miner successfully validates the block which the current transaction is a part of.

That’s all there is to multiple-input-multiple-output transactions! They’re a pretty simple variation on single-input-single-output transactions.

One nice application of multiple-input-multiple-output transactions is the idea of change. Suppose, for example, that I want to send you 0.15 bitcoins. I can do so by spending money from a previous transaction in which I received 0.2 bitcoins. Of course, I don’t want to send you the entire 0.2 bitcoins. The solution is to send you 0.15 bitcoins, and to send 0.05 bitcoins to a Bitcoin address which I own. Those 0.05 bitcoins are the change. Of course, it differs a little from the change you might receive in a store, since change in this case is what you pay yourself. But the broad idea is similar.
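As an added example that is not code from the post or from Bitcoin Core, the block below serializes and parses the version-1 transaction layout the two walkthroughs above read line by line (version, inputs, outputs, lock_time), derives the transaction hash of line 1 from the serialized bytes, and does the inputs-minus-outputs arithmetic behind change and fees. The previous-transaction hash, signature and public key bytes, and address hashes are constructed placeholders, and the 0.0001 BTC left unspent is an assumed miner’s fee rather than anything the post states.

```python
import hashlib
import struct
from dataclasses import dataclass, field

# Added example, not code from the post or from Bitcoin Core: a minimal
# serializer/parser for the version-1 transaction format read line by line
# in the post, plus the txid and the input/output/fee arithmetic.
def encode_varint(n: int) -> bytes:
    """Bitcoin varint, used for the input/output counts and script lengths."""
    for limit, prefix, fmt in ((0xFD, b"", "<B"), (1 << 16, b"\xfd", "<H"),
                               (1 << 32, b"\xfe", "<I")):
        if n < limit:
            return prefix + struct.pack(fmt, n)
    return b"\xff" + struct.pack("<Q", n)

def decode_varint(raw: bytes, pos: int):
    if raw[pos] < 0xFD:
        return raw[pos], pos + 1
    fmt = {0xFD: "<H", 0xFE: "<I", 0xFF: "<Q"}[raw[pos]]
    return struct.unpack_from(fmt, raw, pos + 1)[0], pos + 1 + struct.calcsize(fmt)

@dataclass
class TxIn:
    prev_txid: str        # hash of the earlier transaction (display order)
    prev_n: int           # which output of that transaction is spent
    script_sig: bytes     # signature plus public key ('line 11')
    sequence: int = 0xFFFFFFFF

@dataclass
class TxOut:
    value: int            # satoshis: an integer, never a float
    script_pubkey: bytes  # script naming the recipient ('line 14')

@dataclass
class Tx:
    version: int = 1
    vin: list = field(default_factory=list)
    vout: list = field(default_factory=list)
    lock_time: int = 0    # 0 means the transaction is final immediately

def p2pkh_script(pubkey_hash20: bytes) -> bytes:
    """OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG; the hash is the address."""
    return b"\x76\xa9\x14" + pubkey_hash20 + b"\x88\xac"

def serialize(tx: Tx) -> bytes:
    raw = struct.pack("<i", tx.version) + encode_varint(len(tx.vin))
    for i in tx.vin:
        raw += bytes.fromhex(i.prev_txid)[::-1]   # hashes are stored byte-reversed
        raw += struct.pack("<I", i.prev_n)
        raw += encode_varint(len(i.script_sig)) + i.script_sig
        raw += struct.pack("<I", i.sequence)
    raw += encode_varint(len(tx.vout))
    for o in tx.vout:
        raw += struct.pack("<q", o.value)
        raw += encode_varint(len(o.script_pubkey)) + o.script_pubkey
    return raw + struct.pack("<I", tx.lock_time)

def txid(tx: Tx) -> str:
    """'Line 1': double SHA-256 of the serialized bytes, displayed byte-reversed."""
    return hashlib.sha256(hashlib.sha256(serialize(tx)).digest()).digest()[::-1].hex()

def parse(raw: bytes) -> Tx:
    version, = struct.unpack_from("<i", raw, 0)
    n_in, pos = decode_varint(raw, 4)
    vin = []
    for _ in range(n_in):
        prev = raw[pos:pos + 32][::-1].hex()
        n, = struct.unpack_from("<I", raw, pos + 32)
        slen, pos = decode_varint(raw, pos + 36)
        seq, = struct.unpack_from("<I", raw, pos + slen)
        vin.append(TxIn(prev, n, raw[pos:pos + slen], seq))
        pos += slen + 4
    n_out, pos = decode_varint(raw, pos)
    vout = []
    for _ in range(n_out):
        value, = struct.unpack_from("<q", raw, pos)
        slen, pos = decode_varint(raw, pos + 8)
        vout.append(TxOut(value, raw[pos:pos + slen]))
        pos += slen
    lock_time, = struct.unpack_from("<I", raw, pos)
    return Tx(version, vin, vout, lock_time)

def fee(tx: Tx, utxo_value) -> int:
    """Inputs carry no amount: look each up in the output it spends. In minus out is the fee."""
    total_in = sum(utxo_value(i.prev_txid, i.prev_n) for i in tx.vin)
    total_out = sum(o.value for o in tx.vout)
    if total_out > total_in:
        raise ValueError("outputs exceed inputs: this would create coins")
    return total_in - total_out

# Constructed values: spend a 0.2 BTC output, pay 0.15 BTC, take 0.0499 BTC
# back as change and leave 0.0001 BTC to the miner. Not a real transaction.
PREV_TXID = "ab" * 32
UTXOS = {(PREV_TXID, 0): 20_000_000}   # 0.2 BTC sitting at output n=0

def example_tx() -> Tx:
    return Tx(vin=[TxIn(PREV_TXID, 0, b"\x30" * 71 + b"\x04" * 65)],  # fake sig+key
              vout=[TxOut(15_000_000, p2pkh_script(b"\x11" * 20)),   # payment
                    TxOut(4_990_000, p2pkh_script(b"\x22" * 20))])   # change
```

Run `fee(example_tx(), lambda h, n: UTXOS[(h, n)])` to see the 10,000 satoshi fee, and `parse(serialize(example_tx()))` to confirm the round trip.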

### Conclusion

That completes a basic description of the main ideas behind Bitcoin. Of course, I’ve omitted many details – this isn’t a formal specification. But I have described the main ideas behind the most common use cases for Bitcoin.

While the rules of Bitcoin are simple and easy to understand, that doesn’t mean that it’s easy to understand all the consequences of the rules. There is vastly more that could be said about Bitcoin, and I’ll investigate some of these issues in future posts.

For now, though, I’ll wrap up by addressing a few loose ends.

How anonymous is Bitcoin? Many people claim that Bitcoin can be used anonymously. This claim has led to the formation of marketplaces such as Silk Road (and various successors), which specialize in illegal goods. However, the claim that Bitcoin is anonymous is a myth. The block chain is public, meaning that it’s possible for anyone to see every Bitcoin transaction ever. Although Bitcoin addresses aren’t immediately associated to real-world identities, computer scientists have done a great deal of work figuring out how to de-anonymize “anonymous” social networks. The block chain is a marvellous target for these techniques. I will be extremely surprised if the great majority of Bitcoin users are not identified with relatively high confidence and ease in the near future. The confidence won’t be high enough to achieve convictions, but will be high enough to identify likely targets. Furthermore, identification will be retrospective, meaning that someone who bought drugs on Silk Road in 2011 will still be identifiable on the basis of the block chain in, say, 2020. These de-anonymization techniques are well known to computer scientists, and, one presumes, therefore to the NSA. I would not be at all surprised if the NSA and other agencies have already de-anonymized many users. It is, in fact, ironic that Bitcoin is often touted as anonymous. It’s not. Bitcoin is, instead, perhaps the most open and transparent financial instrument the world has ever seen.

Can you get rich with Bitcoin? Well, maybe. Tim O’Reilly once said: “Money is like gas in the car – you need to pay attention or you’ll end up on the side of the road – but a well-lived life is not a tour of gas stations!” Much of the interest in Bitcoin comes from people whose life mission seems to be to find a really big gas station. I must admit I find this perplexing. What is, I believe, much more interesting and enjoyable is to think of Bitcoin and other cryptocurrencies as a way of enabling new forms of collective behaviour. That’s intellectually fascinating, offers marvellous creative possibilities, is socially valuable, and may just also put some money in the bank. But if money in the bank is your primary concern, then I believe that other strategies are much more likely to succeed.

Details I’ve omitted: Although this post has described the main ideas behind Bitcoin, there are many details I haven’t mentioned. One is a nice space-saving trick used by the protocol, based on a data structure known as a Merkle tree. It’s a detail, but a splendid detail, and worth checking out if fun data structures are your thing. You can get an overview in the original Bitcoin paper. Second, I’ve said little about the Bitcoin network – questions like how the network deals with denial of service attacks, how nodes join and leave the network, and so on. This is a fascinating topic, but it’s also something of a mess of details, and so I’ve omitted it. You can read more about it at some of the links above.

Bitcoin scripting: In this post I’ve explained Bitcoin as a form of digital, online money. But this is only a small part of a much bigger and more interesting story. As we’ve seen, every Bitcoin transaction is associated to a script in the Bitcoin programming language. The scripts we’ve seen in this post describe simple transactions like “Alice gave Bob 10 bitcoins”. But the scripting language can also be used to express far more complicated transactions. To put it another way, Bitcoin is programmable money. In later posts I will explain the scripting system, and how it is possible to use Bitcoin scripting as a platform to experiment with all sorts of amazing financial instruments.

Thanks for reading. Enjoy the essay? You can tip me with Bitcoin (!) at address: 17ukkKt1bNLAqdJ1QQv8v9Askr6vy3MzTZ. You may also enjoy the first chapter of my forthcoming book on neural networks and deep learning, and may wish to follow me on Twitter.

### Footnote

[1] In the United States the question “Is money a form of speech?” is an important legal question, because of the protection afforded speech under the US Constitution. In my (legally uninformed) opinion digital money may make this issue more complicated. As we’ll see, the Bitcoin protocol is really a way of standing up before the rest of the world (or at least the rest of the Bitcoin network) and avowing “I’m going to give such-and-such a number of bitcoins to so-and-so a person” in a way that’s extremely difficult to repudiate. At least naively, it looks more like speech than exchanging copper coins, say.

Thanks, I was always too lazy to look up BTC in detail. Your article cleared most of my questions.

I wanted to know one thing: what if some smart hacker is able to find some vulnerability in the protocol and he uses that to generate new bitcoins for himself? Once that happens then entire confidence in bitcoins would be gone and it would lead to chaos.

Is the above scenario possible?

Your scenario is possible. Just like any other popular piece of open source software there are incentives for finding exploits, but there are a lot of benevolent hackers examining the code to uncover and fix them.

@Bobby: Good point! Yes, that solves much of the problem neatly. My broad point about asymmetries is still true, however. (And is vividly demonstrated by the rise of large mining pools.)

Edit: This is in response to your comment below. I must have clicked on the wrong link when I replied.

Each block starts with a coinbase transaction which should give bitcoins to the person who solved it. Since this transaction is different for any block (each node working on the network has her bitcoin address as the recipient of that transaction), all blocks in the network are different, so we shouldn’t (at least not likely) see two blocks with the same hashes.

That bug has actually happened before, but Satoshi/Gavin fixed it before anyone else managed to exploit it. (There have been 2 major live flaws in Bitcoin that I know of: one allowed you to generate billions of bitcoins, and the other allowed you to spend anyone’s bitcoins. Neither was exploited before being patched, and there don’t seem to have been any big flaws found since.)

Interesting. How did those exploits work?

I don’t know the technical details. Might want to look up the CVEs and the patches. From the sound of them, some validation check was omitted and so bad transactions were allowed.

I believe I have the answer to your third question.

The raw block data that each miner is trying to solve contains a generation transaction. That transaction is where their coins are sent if they solve that block. Because miners competing against each other want their coins to be sent to different addresses, and those addresses are hashed together with their nonce, it does not matter if everyone starts their nonce from zero. The added randomness from differing generation transaction addresses prevents each miner from working in the same space as others.

Thanks Bobby. I had wondered about the same question as the author. Your explanation clears it up for me.

Moreover the nonces need not be enumerable. If randomly picked from a large enough pool it is unlikely that the same nonce gets picked twice.

Very well written!

Only one thing to add (on another post): when you launch MultiBit (or bitcoin-qt, etc.): where does it connect? A list of IPs? DNS? etc. etc.

Bitcoin has three methods for finding peers:

Thank you for the great write-up!

You write “I’ll return later to the question of why the Bitcoin address is a hash, and not just the public key”. Did I miss it? Does it have anything to do with quantum computing?

Oops – actually, I had an extended discussion of this question, but deleted it just before I posted. The reason I deleted it is that the discussion was inconclusive. The separation seems to be a fairly arbitrary design decision – there are some minor space and security advantages, but not enough (in my opinion) to justify making the Bitcoin address the hash rather than the public key.

There’s a very serious security advantage – the public key is not known until the moment it is spent. That reduces the window during which the private key could be derived and used in a double-spend to about 10 minutes. This has significant ramifications for the safe transition to quantum-proof cryptography, if nothing else.

And space-wise we’re talking about saving hundreds of megabytes, soon gigabytes of data from the UTXO set. That’s not insignificant.

You’ve described the two main points in the material I deleted. To me, both seem like relatively small points. On the first point, many people reuse addresses, so in practice public keys are often widely known. This problem could be reduced if Bitcoin enforced a policy that addresses could only ever be used once, but (a) that’s not going to happen anytime soon, (b) it introduces some other practical problems (it’s useful to be able to publish an address widely), and (c) it would still leave a window of time when the public key is widely known, but the transaction is not yet confirmed.

On the second point, I haven’t computed exactly but I suspect the space savings is less than ten percent of the total transaction size, depending on the type of transaction. That’s significant, but it also seems to me that other similar savings could easily have been had, but are not. So it does seem a bit arbitrary. Still, as you point out, it’s not insignificant.

(Actually, it occurs to me that it’s pretty easy to modify the standard Bitcoin transaction script so only public keys are used. This might make a nice example for my post on Bitcoin scripting.)

I have read that there is no known algorithm that would allow public keys to be derived from public addresses within a practicable timescale, even with quantum computing. However, the same is not true for deriving private keys from public keys. Thus addresses that have not been used to spend have benefits in terms of being more QC proof. I recall Vitalik Buterin writing on this topic.

Could the protocol save even more space by switching from JSON to YAML? It looks like the protocol version is inside the JSON.

The JSON shown in this article is just a representation. The blockchain actually lives in files of binary bytes concatenated together (i.e. neither JSON nor YAML) on each user’s computer.

What would be the incentive for non-miners to answer your question?

Why would you trust the answers or lack thereof?

After all, if I understand correctly, when there is no transaction fee set aside, the miners could very well choose to omit transactions from their blocks?

On incentive: such could be built into the protocol.

On trusting the answers: if someone claims that they see evidence of double spending, you’d require them to present evidence in the form of a signed transaction. The requirement of a signature makes this hard to forge by a malicious naysayer.

On your last point, yes, this is a very interesting question. At present this all seems to be working okay, but over the long run I suspect it will limit the use of Bitcoin for small transactions.

On the last point: I could see the transaction fee being indirectly related to the time required to confirm a transfer. If you want your transfer confirmed quicker, then you have to pay.

On a related note – what happens if blocks are validated out of time order?

I’m curious what happens if/when the underlying crypto is either undermined or cracked?

Over the years we’ve seen flaws that reduce the bits (entropy) in many many systems. How would the bitcoin protocol handle, say, a reduction of even 1 bit of difficulty (1 bit reduction == 1/2 as hard to attack)?

Also could someone with very large resources overwhelm the network with bad data? E.g., if China wanted to use some supercomputers or a botnet to stop bitcoin from operating by adding all sorts of bad data to the block chains?

On the first question, the answer is, I think: “That’s really complicated, and depends on the exact scenario of the break”.

Android had a bug in their random number API that was successfully exploited. Losing a few bits of entropy won’t matter, but in this case they lost almost all of them.

One extra question: what happens to bitcoins that are “lost”? I.e. what happens if the FBI refuses to sign over the bitcoins seized from Silk Road, or wallets that had some coins but were lost due to hard drive failure (bad backups) or lost passphrases? Or maybe someone dies but the next of kin doesn’t know the details?

The comparison is If I druppel $20 on the ground or my next of kin finds it under a mattress, they can use it. Lost bitcoins are just that – gone from the money supply for good, unless someone manages to either (a) recover the keypair, or (b) violates the underlying crypto. That brings up an interesting screenplay, on a long time scale there will have to be some allowance made for replacement of the lost coins, or sub-division of the satoshi. With Bitcoin, losing the private key for good is more like accidentally ripping off your coins out of an airplane overheen the pacific ocean. The private key is crucial to recovering those coins. Looks like wij both independently arrived at similar methods of explanation: http://zen.lk/2013/11/28/how-i-finally-understood-bitcoin/ Te the 2nd paragraph of the Bitcoin section, seems it should be 0.06555555, not 0.6555555 Thank you so much . I had dreamed an understandable primer on Bitcoin since ages and this wasgoed a fabulous read ! I’m astonished that bitcoins te a transaction are a decimal string. It looks likely to cause floating point approximation errors. Have you read about coin-join? It goes after on very nicely from what you’ve described here. I’m looking forward to the next one They’re not actually a float —, spil I mention te the article, the minimal unit of Bitcoin is the Satoshi, which is one one hundred millionth of a Bitcoin. So it’s indeed specifying an rechtschapen number of Satoshis. (I toevluchthaven’t checked what type is used ter the source code, I’d be interested to know.) This pagina says that it is an rechtschapen te the original source: However, it sounds spil tho’ there can from time to time be some floating point / rounding issues with code used to do remote proces calls overheen the Bitcoin network. Just dreamed to say thanks for a indeed excellent werkstuk —, the explanation wasgoed indeed clear, and totally fascinating. Can quantum computers mine bitcoin swifter? 
Does this boil down to how quickly a quantum laptop can find a string that has a specified property for SHA-256? For which wij have a quadratic speedup, but very likely no more? I understand that commonly used digital signatures and public-key cryptosystems are cracked by quantum computers, so there’s not much to be said about that. I toevluchthaven’t thought much about it. With that said, I’m pretty sure both your comments are right – quadratic speedup for finding hash collisions, and the asymmetric crypto stuff is violated. This is an amazingly well written article and one that i needed so much. Thank you, Michael! Thanks for this, while I understood the majority of it, the coding factor wasgoed very useful – especially highlighting where the script goes te conjunction with the transaction. While a lotsbestemming of people know abot bitcoin, there is such a shortage of good quality technical informatie. Fine writeup about how bitcoin functions on a technical level, but I had a question about it spil it’s use spil a currency. Why is bitcoin built to be inherently deflationary? This seems to be the go-to argument against why it will everzwijn build up widespread adoption spil a currency. Why does the prize for mining bitcoin halve every 210,000 blocks? Could there be a point te the future where this is reversed? Good questions, and I don’t know. I certainly suspect (spil do you) that thesis may ultimately turn out to be vormgeving flaws. Bitcoin is NOT deflationary. It is inflationary with a known and decreasing rate up until around 2140 at which point it will zekering being inflationary. The only deflation ter Bitcoin may toebijten through coin loss. The same, by the way, is true for Fiat. The difference is that Fiat can be arbitrarily inflated and with Bitcoin it is not arbitrary. Spil far spil why inflation is predetermined, this is so Bitcoin is a better store of value which is one of the defining properties of a good “money”. 
Why is it inflationary at all (spil ter, why not begin with a predetermined amount of bitcoins that never switch). The is part of Bitcoin’s decentralized vormgeving. Bitcoin designers wished a way to spread bitcoins around without commencing with a central authority that has them all and gives them out (like, say, ripple). The bitcoin generating part of mining does exactly that. BTW/ I am yet to see a good argument about why having a monetary system that is a good store of value and does not get diluted overheen time with inflation is bad. Inflationary/Deflationary are properties of currency production relatively to the supply of real goods. Bitcoin is only not deflationary if you assume that real wealth production will little by little slow, and eventually stabilize around 2140 at the same rhythm spil the druppel ter Bitcoin production. (And that’s not even accounting for the effective tax pressure of the transaction toverfee needing to increase to attract the necessary computational power spil the system of directly paying for that service phases out. The more that needs to be paid out ter each transaction to voorkant the fees, the lower prices and actual payments will have to fall to make slagroom for that overhead. Lower revenue translates to lower capability to afford a given price level, and so on. Bitcoin has already seen hyperdeflation that rewarded early speculators, but the defined limitations ter supply are far more likely to encourage more speculation overheen it spil a commodity than less, making it’s reliability for any predictable future value (never mind usefulness spil an accounting measure to reliably store value) rather questionable. 
What actually needs to be demonstrated is that there is any value in permitting any static, nonproductive account to maintain its nominal value, as opposed to using the inherent decline in the value of such accounts to provide the baseline motivation to use more productive investments to store anything beyond cash sufficient to meet immediate needs for liquidity. There’s no justification to use the monetary system to store value, because value is a property of real assets, not the money that serves to account for them. Attempting to store value in money rather than in future production potential is the ultimate perverse incentive, rewarding fraud and financial manipulation far out of proportion to development of real assets.

Assaf is talking about inflation/deflation of the money supply, you are talking about price inflation/deflation. Both usages are common in economics. There are excellent reasons for wanting to store value. One demonstrable one is the desire to save for retirement. Back in 1958 Paul Samuelson wrote a classic paper on the utility of money as a store of value: An Exact Consumption-Loan Model of Interest with or without the Social Contrivance of Money. JPE V66 6 (Dec., 1958), 467-482

Actually bitcoin is inherently deflationary if you believe that the size of the bitcoin economy will grow faster than the money supply. Although not quite intuitive, it does make sense upon reflection that the money supply reflects the value of the economy it represents. If the money supply is growing faster than the underlying economy then you get inflation. If the money supply is growing slower than the economy you get deflation. I think all but a few of us expect the bitcoin economy to grow faster than the supply of bitcoins — hence we have a deflationary currency. The wisdom of that choice is another matter, of course. One could imagine many different scenarios for the amount and timing (and conditions) of new currency entering the system.
If bitcoin doesn’t take-over-the-world then my bet is that these will be significant dimensions of experimentation among variants.

I’m confused about the block chain. Does everyone have their own version of it or do they sync to a master? Does every block chain get updated when validation is finished? Does this mean every person has a record of everyone else’s transactions for ever? Won’t this file get really, really big?

In practice, there are thin clients which don’t keep a full copy of the block chain. But the way the protocol is designed at present there is a sizeable number of people keeping a full copy of the block chain. This is presently quite a manageable size (about 12 gig). If Bitcoin grows rapidly enough this may eventually become a problem. There’s a nice discussion of this and related scalability issues here: The conclusion there, which seems to me believable, is that there are many options for scaling Bitcoin at least up to the level at which credit cards are used today, and perhaps further.

Just about the total amount of bitcoins, if I understand well, new bitcoins are generated each time a transaction is processed? It means the more exchange we have, the more bitcoins in the market there is? So the only way to raise the number of bitcoins is to spend some energy validating transactions (that’s a little bit weird for me ;-). How were the first bitcoins created? Is there another way of creating bitcoins than checking transactions? And thanks a lot for this post because it’s really difficult to get a clear picture of what it is. Regards

1. Not per transaction but per block (of transactions). 2. Exchanges are a bad example. The transactions within the exchange happen outside the network. Only if you deposit or withdraw BTC to/from an exchange does it go over the network and therefore show up in the block chain. There are so many trades going on within an exchange, it happens internally.
And since trades need to happen fast, the network is not suited for that. 4. Google for the ‘Genesis Block’. That’s how it got started.

Comments: you use the concept of mining before defining it. Change “possibility vulnerabilities” to “possible vulnerabilities”. Fix “spending spending money”.

Thanks, typos fixed!

I found two typos which you might want to zap: “Bob doesn’t just go ahead and accept the transaction. Instead, he broadcast Alice’s message to the entire network.” (Change ‘broadcast’ to ‘broadcasts’). “Will Infocoin mining end up in concentrated in the hands of a few, or many?” (Remove first ‘in’).

Thanks, typos fixed!

Thanks for the excellent Bitcoin writeup. I have gleaned most of what you said in bits and pieces from articles and message boards, it’s nice to see it all described so clearly in one place. What I think is more interesting than the cryptography aspect is the social-motivational aspect of Bitcoin and why it seems to be succeeding. First big mover and branding seem to be in-play, and the “anonymous cash” myth also was a big factor, but beyond that, I think the carrot of “get paid for solving hard problems (often using other people’s computing resources)” has drawn in many participants who have helped grow the network by promoting their own self interests. I balk every time I hear the bit about “every transaction for all users for all time is encoded into the block chain” especially when combined with “the chain is developed by solving hard problems”. Scaling this system to support a billion users transacting numerous times per day seems… unlikely.
Your explanation does help to show how the problems don’t get much harder as transactions scale up – the blocks themselves get larger, but the hash problem doesn’t get significantly harder as block size grows, unless you start talking about transacting the world’s monetary business in such a system, then those blocks would get awkwardly large in a very short time period, and the forking problem would be much more complicated than choosing between two or three chains to follow. I also somewhat disapprove of the concept of encouraging people to “mine digital space to earn currency” since that creates an artificial demand for energy which could grow into a significant waste of “real world” resources as such a system scales up. I have been playing “trust network” thought games since the 1980s, I’d like to see a peer-to-peer digital currency system that is based in the concept of trustworthy digital identities instead of solving hash problems to get paid. You could still get paid by validating transactions, but it wouldn’t have that appeal of “solve more problems, get more paid…” plus, a system based on trust would tend to concentrate trust in central authorities that would be quickly perceived as hopeless to surpass in trustworthiness, semi-defeating the incentive to participate as a trusted member of the network, unless some kind of carrot to the underdogs was included – which would be purely social-motivational instead of a technically required component. Anyway, all very interesting to watch. As usual, I got in late and out early with Bitcoin (bought around 5, sold around 120, seemed like an awesome profit margin at the time…) that aspect of Bitcoin is a lot like any other speculative investment, and is certainly fueling interest at this stage.

On scalability, check out https://en.bitcoin.it/wiki/Scalability. There’s a lot of useful information there.
Like you, though, I wonder about the long-run economics (and impact) of mining.

Thanks for writing this excellent explanation of Bitcoin. I noticed in the first Bitcoin transaction example, you mention 0.39 bitcoins, but the example really deals with 0.32 bitcoins, where 0.319 bitcoins goes to one person, and there is a 0.001 bitcoin transaction fee. In other words, did you mean “0.319” instead of “0.39”? Also, is there a need to show the “0.31900000” value as a picture?

typo: “trying to understand possibility vulnerabilities”: possible

Thanks for the excellent writeup. I have a question about one item, hopefully you can explain it. It appears the money you send someone is merely chunks of one or more previous transactions. Let’s say I receive 1 bitcoin at myaddress_123 and I receive 1 bitcoin at myaddress_456. I now want to send you 2 bitcoins from myaddress_789. Those previous transactions are the inputs for my transaction to you. How does the transaction message for the 2 bitcoin transaction prove that I was the recipient of those previous transactions when the addresses are all different? Is the hash for each input in the new transaction something that can only be generated by whoever was the recipient in the original transactions (myaddress_123 or myaddress_456)? If the answer is yes, then it seems like unique addresses can be easily linked, in which case I don’t see any anonymity advantage of using new addresses for each transaction. Sorry if I’m missing something obvious here.

The proof is in the digital signature. That signature is generated using a public key which must match (when hashed) the address from the output to the earlier transaction. That proves that the bitcoins are the payer’s to spend.

But (if I understand correctly) the need for every transaction to be publicly verified means that you are tied to all your transactions. You can’t maintain a double life.
If I were a criminal, I might find it very desirable to have two personas – Stringer, who sells drugs, and Russell Bell, well-known property developer and pillar of the community – and use the cash that Stringer collects to bankroll Russell’s legitimate businesses. But there’s no way to do that with Bitcoin, I can’t transfer Stringer’s bitcoins to Russell without everyone else in the world knowing about it. Anyone with a copy of the block chain can notice that the flow of money goes from various drug users, to Stringer, to Russell.

If you really want to enable money laundering, first create a bank. A bank would let any customer use bitcoin transactions to deposit and/or withdraw value, and the bank would keep its own record of individual customers’ accounts. When withdrawing bitcoins, you would get bitcoins that were the bank’s to give, but that were unrelated to the ones you originally deposited. Such a bank would have more uses than just money laundering. It could pay interest, make loans (charging interest), convert bitcoins to/from more traditional currencies, etc.

Extending from J. Lyon’s response… Say you need to send $$ from one or more of your bitcoin addresses to a bad-guy but wish to anonymize this transaction. You will use a trusted middleman that does several transactions each day, some with good-guys and some with bad-guys. In one simple scenario the middle-man sets up a receivables address ‘xxx’ into which all the depositors send their bitcoins (i.e., the depositors all use the xxx address as their output). The middle-man then transfers out the necessary amounts to intermediate addresses yyy0 … yyyM that he has set up specifically for this transaction period. After this is done, the middle-man provides the yyy* addresses one to each receiver. Because all the incoming money has gone into the xxx address there is no way to separate out subsequently which money went to which receiver.
If ALL the yyyy addresses belong to bad guys then you would be guilty by association. Many bitcoin services perform such mixing by default, based on what I have read. The legal ramifications for the mixing service provider are unclear to me.

Got it, thanks. But such a bank would have to keep its own records – both as a practical necessity and as a legal requirement – and those could be obtained by the authorities. Whereas cash can be laundered tracelessly, through a cash business like a casino or restaurant, which can ideally innocently be expected to have lots of cash coming in and no way of knowing where it comes from.

Interestingly this is exactly what was done with silk road. It basically was a bitcoin bank moving bitcoins around in such a way that the buyer and seller could not be connected. There’s a paper which has some details about that: http://i.cdn.turner.com/money/2013/photos/11/25/silk-road-paper.pdf

Nonce starting at zero is not a vulnerability. Shares are stochastically distributed across the 2^32 nonce range and it makes no difference where you start. The nonce is simply 32 bits out of the entire 320 bit coinbase that you are hashing and there is no way to design a target solution to be distributed anywhere within the nonce range of those 32 bits. If you start at a higher nonce value you simply will have fewer possible chances at finding a solution before you’ll need to get/create a new coinbase to hash.

I think maybe you’re misinterpreting his concern: the danger isn’t that someone can solve blocks *strictly* faster by starting at a different nonce, because as you say, the correct nonce could be anywhere in the range 0..2^32 so every guess has the same 1/2^32 chance of being correct. Instead, the danger is that someone could solve blocks faster *than everyone else* if they start at a higher nonce and everyone else starts at 0.
Specifically, assuming (on average) everyone can calculate guesses at the same rate, then any transaction whose correct nonce is higher than X will always be solved first by someone who started at Y, if 0<Y<=X. Of course this creates an obvious incentive for all participants to try to guess nonces in a different order than everyone else. So it seems reasonable that most client software would use a random sequence of nonce guesses rather than guessing sequentially from 0. But still, if one were to find a vulnerability in the random number generator of a popular client, then it might be possible to design a rival client which would, in practice, almost always find the correct nonce before the targeted client, by virtue of guessing the same sequence a few steps ahead. That would permit the attacker to successfully validate a share of blocks greater than their actual portion of the collective computational power, at the cost of everyone using the vulnerable client and finding the nonce less often than they should on average.

I think there’s also a “time” field in the part that is hashed, which is also updated every few seconds. Thus in practice it’s not the case that everyone has the same message and they just run the nonces – but everyone has a different message, regardless of the nonces. See https://en.bitcoin.it/wiki/Block_hashing_algorithm

Alex has explained my concern well. However, as a number of people have pointed out (including Gergely) in fact there are in any case small differences in the blocks being hashed by different miners, and that’s sufficient to make this a non-issue.

A most excellent and well written article! I look forward to more!

Thanks.

As people make transactions, the public ledger grows. Will it not grow to an unmanageable size at some time?

I have a couple of questions, possibly a subject for a future article. 1. If the block chain forks, do the miners on both sides of the fork keep their rewards?
If so, doesn’t it permit someone to proceed executing the proof of work even when it is known that someone else has solved the proof of work? 2. I am puzzled by transactions in blocks. Is it not possible for two miners to be working on different blocks which contain mostly, although not all, the same transactions? Then, the first one to solve the proof of work will have validated some of the transactions in the second miner’s block. Does the second miner restart by taking his unverified transactions and putting them in a new block?

On 2, yes: if you’re mining and someone else validates some of the transactions you are working on, then you remove them from your queue, but continue working with the unvalidated transactions. On 1, it’s true that in different forks, different miners will have been rewarded. However, over time only one of the forks will become the accepted consensus for confirmed transactions. And so only the miners from one fork will be able to redeem their transactions.

Fascinating read, thank you! One thing I’m having difficulty with is block chain integrity. What will happen when an owner loses his wallet and restores a backup from a few weeks back? He may have spent some coins, and he may have received some. Those transactions are no longer in his block chain. How would the block chain get back in sync?

On your question-to-yourself about using two phase commit, I think the major issue would be vulnerability to denial-of-service attack. A malicious user could set up a swarm of identities to act as nay-sayers and therewith deny some or all others from performing transactions.

In my experience using the bitcoin client, you are not permitted to do anything on the bitcoin network until your block chain is in sync with the latest transactions. It somehow recognizes how far behind your block chain is and starts downloading blocks and tells you how old your block chain is and how much left you have to update as it downloads more.
BTW, I un-installed the bitcoin client because over the 1 year span that I had it installed, the block chain went from about 2 GB to about 25 GB, and the novelty of having my own copy of the block chain wore off in comparison to its cost. It would be nice if there were some kind of “reset block” that could be generated that flattened the tree into a single block enumerating the value stored at each address.

On the naysayer DDoS attack on two-phase commit: if someone claims that they see evidence of double spending, you’d require them to present evidence in the form of a signed transaction. The requirement of a signature makes this hard to forge by a malicious naysayer.

Here is a very entertaining rational explanation

One thing I still don’t fully understand is how the bitcoin reward size is determined and awarded. Who enforces the rules that 25 bitcoins are awarded for validating a block, and a few years hence, it’ll be 12.5 bitcoins? If we were to determine that the rewards should be different (remaining at 25 indefinitely, for example), what exactly would have to change? Is it the bitcoin mining clients that are hardwired to only validate transactions that award 25 coins to other miners when they validate their blocks, and the date of the validated block indicates that the award should be 25 BTC?

It’s hardcoded, based on the number of blocks in the blockchain. Every 210,000 blocks the rate halves. No need to keep track of the date, simply count blocks.

And cannot miners just proceed to validating the transaction with adding 25 bitcoins? As the chain is just a validated list of transactions, how can there be any cap on transactions? What does hardcoded mean practically?

You only own as many bitcoins as others agree you own. So, hardcoded here means it is the original protocol suggested (and supposed) to be honored by all the users.
There’s no use for a miner to continue giving himself 25 BTC when it’s already time for lowering the reward to 12.5, because this reward would not be considered valid by others who respect the original protocol.

Would it be, in principle, possible for all miners to agree on not lowering the reward at all? For example to continue to reward 25 per block for all eternity.

I hadn’t had time to properly delve into the protocol and your excellent writeup is exactly, piece by piece, what/why I needed. The “why’s” are extremely important to people who might want to build on top of the protocol as it helps them understand what they should or shouldn’t modify. I was thinking about how the blockchain is managed as more transactions are processed, thanks for the link https://en.bitcoin.it/wiki/Scalability Interesting, one of the potential solutions discussed is the use of dedicated servers instead of lightweight clients to increase transaction rates, reduce latency, handle increasing blockchain size (via technologies such as “pruning” the chain), etc. What this implies of course is an evolution into “banks”, a group of entities with sufficient resources and staying power to dedicate specialized BTC infrastructure for transaction handling. In a way, Bitcoin is replicating a history of money evolution in an accelerated manner. I wonder what will take place in the protocol to permit the peer-to-peer nature to continue while scaling the project to permit the transaction capacity necessary for a true currency.

Yeah, that is very interesting. I don’t run a full client myself, I use a thin client that doesn’t have a full copy of the block chain. And you do already see a lot of signs of centralization with the big mining pools:

Great article. Thanks very much for writing it. Typo: requring = requiring

The concept of ‘block’ (and/or a definition) is not introduced before it is used. This makes the concept difficult to grasp.
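As an added example (my own code, not from the original post or from Bitcoin Core), this Python turns two of the points debated above into the checks a full node actually performs: the 80-byte header (version, previous hash, Merkle root, time, bits, nonce) that is double-SHA-256 hashed and compared against the target, why the starting nonce changes only which valid nonce is found first, and the subsidy rule that nodes enforce by counting blocks, so a coinbase still claiming 50 BTC at height 210,000 is rejected. The header used for the nonce search is constructed with a toy low-difficulty `bits` value; the genesis block is the real test vector.

```python
import hashlib
import struct
from typing import List, Optional

COIN = 100_000_000            # satoshis in one bitcoin
HALVING_INTERVAL = 210_000    # blocks between subsidy halvings
INITIAL_SUBSIDY = 50 * COIN


def block_subsidy(height: int) -> int:
    """Satoshis a block at `height` may create out of nothing.

    Nodes count blocks, not dates: 50 BTC, halved every 210,000 blocks.
    The shift drops fractional satoshis, so after 33 halvings (height
    6,930,000) the subsidy is exactly zero and only fees remain.
    """
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:        # keep the shift well-defined, as Bitcoin Core does
        return 0
    return INITIAL_SUBSIDY >> halvings


def total_supply_cap() -> int:
    """Sum every block's subsidy until it hits zero (in satoshis)."""
    total, height = 0, 0
    while block_subsidy(height) > 0:
        total += HALVING_INTERVAL * block_subsidy(height)
        height += HALVING_INTERVAL
    return total


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def decode_bits(bits: int) -> int:
    """Expand the 4-byte compact `bits` field into the 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def serialize_header(version: int, prev_hash_hex: str, merkle_root_hex: str,
                     time: int, bits: int, nonce: int) -> bytes:
    """The 80 bytes a miner actually hashes: little-endian integers, and the
    two hashes byte-reversed from their display (big-endian hex) form."""
    return (struct.pack("<I", version)
            + bytes.fromhex(prev_hash_hex)[::-1]
            + bytes.fromhex(merkle_root_hex)[::-1]
            + struct.pack("<III", time, bits, nonce))


def header_hash_hex(header: bytes) -> str:
    """Block hash as displayed (byte-reversed hex)."""
    return sha256d(header)[::-1].hex()


def meets_target(header: bytes) -> bool:
    """Proof-of-work rule: the hash, read little-endian, is <= the target."""
    bits = struct.unpack("<I", header[72:76])[0]
    return int.from_bytes(sha256d(header), "little") <= decode_bits(bits)


def find_nonce(header: bytes, start: int, max_tries: int) -> Optional[int]:
    """Scan nonces upward from `start`.  Every guess has the same chance, so
    the starting point only decides which valid nonce turns up first; the
    time field (bytes 68..72) is what really gives each miner a different
    search space."""
    base = header[:76]
    for nonce in range(start, start + max_tries):
        candidate = base + struct.pack("<I", nonce & 0xFFFFFFFF)
        if meets_target(candidate):
            return nonce & 0xFFFFFFFF
    return None


def validate_block(header: bytes, height: int, coinbase_value: int,
                   fees: int) -> List[str]:
    """Two consensus rules a full node checks before accepting a block.

    Returns the violations (empty list = acceptable).  A miner who keeps
    paying himself 50 BTC at height 210,000 fails the second rule, and every
    node following the protocol drops his block.
    """
    problems = []
    if not meets_target(header):
        problems.append("proof of work: header hash above target")
    allowed = block_subsidy(height) + fees
    if coinbase_value > allowed:
        problems.append(f"coinbase pays {coinbase_value} sat, max allowed {allowed}")
    return problems


# Constructed toy header: zero previous hash, dummy Merkle root, and an easy
# compact target (0x2000ffff, roughly one success per 256 hashes).
TOY_HEADER = serialize_header(2, "00" * 32, "11" * 32, 1_386_000_000, 0x2000FFFF, 0)
```

Calling `find_nonce(TOY_HEADER, 0, 100_000)` and `find_nonce(TOY_HEADER, 2**31, 100_000)` returns two different but equally valid nonces for the same header, and `validate_block(header, 210_000, 50 * COIN, 0)` on any header with valid proof of work returns the coinbase violation.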
Wouldn’t three phase commit be more adequate than two phase commits?

That would likely be even better, although I haven’t thought about it in a lot of detail.

to take account of those asymmetries => to take into account these asymmetries. [MN: Not sure that was ungrammatical, but in any case I’ve improved it: “to account for those asymmetries.”]

Numerous typos with ‘…the recipient is receiving 0.39 Bitcoins…’ -> 0.319 [MN: As noted earlier, fixed.]

Thanks for such a generous and informative post. There is so much babble on Bitcoin that it often seems to operate socially as more of a rorschach test on currency than an actual means of exchange. I quite agree that the details are considerably more interesting than yet another pundit’s babble about what it all means. The devil, and the delight, are in the details.

Bitcoin has fascinated me recently. I admit to not being able to fully wrap my head around it, but I took what I could and wrote a little here: http://mimictrading.com/viewtopic.php?f=4&t=293 Maybe you can help me out with one part of this I don’t quite get. The signature. How does the block chain know that the address sending the coins is correct? The sender sends their sig to go with it, I assume paired up with the hash of the address permits the various nodes to validate, right? But if you are sending your sig out then can’t any node have access to that private info? They would need to in order to validate. So can a sig only be used once, and if so how is it generated and what prevents it from being faked?

Public key cryptography is a remarkable and beautiful thing. Each client using Bitcoin has keypairs – one key in each pair is public, the other private. The nature of asymmetric cryptographic digital signatures is that I can sign any piece of data using my private key, and anyone else with only my public key can verify that the person who signed that data holds the private key.
There’s some fascinating mathematics involved, exploiting a simple numerical relationship between the public and private keys.

Very nicely done write-up. Makes me wonder about the news at various times about a major “theft” of bitcoins, mostly in exchanges. In order to benefit they would have to be converted or be re-introduced later on. Some of these were for large amounts and not really easy to hide, unless you just “sit” on them?

I’ve wondered the same thing. Some observations: if you copy someone’s private key, and then erase their copy, there is no way for them to prove that it was ever really their key. And if two people both have a copy of the private key, how do you determine who “really” owns it? The situation is complicated further by the possibility of laundering. If you quickly spend some stolen bitcoins on, then it becomes very difficult to later recover those bitcoins, since now they may be in possession of honest parties.

the best explanation ever, thank you Michael 🙂

This was a fantastic article and answered all my questions about bitcoins.

What about the actual code? How many miners are using the same piece of software?

Indeed, this is a critical question. The more implementations there are, the stronger Bitcoin would be, as it would not be dependent on the “features” or flaws of one particular implementation. The apparent lack of unambiguous protocol documentation makes me think that alternative implementations are difficult to achieve. Certainly, it would greatly help if there was some form of “RFC”, or “ISO Standard”, or “W3C spec” for Bitcoin.

Your article was very interesting and detailed, so I learned a lot more about BTC. I have one question or doubt: What is done with all these hashes? Are they gonna be used for cracking/decrypting encoded data? What is the real benefit behind generating hash tables?

Did you do this video or is this video inspired by this post !! ?
http://youtu.be/Lx9zgZCMqXE – this too is good…

I didn’t make that. I just watched a few minutes – it looks pretty good, certainly much more detailed and accurate than most of what’s out there!

Many people have asked about scalability, so let me just leave this here: https://en.bitcoin.it/wiki/Scalability It doesn’t address every possible concern, but I think the upshot is that there’s a lot of room for Bitcoin to grow.

Thanks. There’s so much to learn about this currency and I’m loving all the attention that it’s getting.

Superb article! I have a question: Could miners run a modified version of the software to choose not to publish a transaction in the blockchain? I mean, like a small group of powerful miners controlling the entire network?

If you control half or more of the total mining power in the network, you can keep a transaction out of the blockchain by solving blocks faster (on average) than the miners who are trying to include that transaction. If you control less than half, you can delay the transaction, but sooner or later the rest of the miners will get ahead of you and your version of the blockchain will lose out.

Excellent explanation — but doesn’t solve this problem: Bitcoins aren’t actually backed by anything other than server time. There was a time in this country when you could go to the bank and trade in your 20 dollar bill for an oz of gold. You can’t do that anymore, b/c today dollars are backed by debt not gold. But bitcoins are backed by server time. That almost makes less sense than backed by debt.

I think you’re confusing an investment with a medium of exchange. An investment should be “backed up” by something, in the sense that it should give the holder a claim on future cash flows or other real assets. But a medium of exchange is just that, something used to facilitate trade, an accounting device. It should have scarcity value and be resistant to counterfeiting.
Fiat currencies have scarcity value to the extent that they are usually printed in finite amounts. Gold is generally scarce. And bitcoin is scarce as well. Gold has been used as a medium of exchange for centuries. What is it “backed up” by? Nothing. It’s just scarce, and therefore suitable as a medium of exchange.

BBC had an interesting article called “Why do we value gold?” a few days ago. If people are willing to pay for something that is rare or unique, it has a value. A Ford Mustang ’65, first issue Marvel Comic books, baseball cards, Gold, Bitcoins all have value because they’re scarce and people are willing to pay for them. The demand for it defines the price.

Excellent write-up, and I look forward to further installments – which leads me to ask: are you no longer updating your RSS feed(s)? I came here from Bruce Schneier’s blog, and I like what I see so I subscribed (in goread.io), but neither of your feeds has anything newer than the beginning of 2013. I’d like to clarify: I’m grateful for your posts, and I’m not complaining if you’ve dumped the whole RSS thing (Google did, why shouldn’t you?). But if you _haven’t_ dumped RSS, but it was supposed to be getting updated automatically… it isn’t.

Thanks for pointing this out. I just checked both RSS feeds, and they seem to be fine. I typically post longer essays, often in the 3,000-20,000 word range, which is why I only update my blogs a few times a year. You may enjoy looking through some of my past articles. This blog carries my more technical stuff, while my other blog (http://michaelnielsen.org/blog ) is more general. Your comment did make me notice and fix some mistaken links in my sidebar, so thanks for that!

Huh. I clicked through to the Feedburner page, and indeed the new stuff is there. Perhaps the problem is on the goread side? I’ve been happy with it so far, but… Maybe later I’ll try again with a different reader.
I’ve tried refreshing numerous times, but no joy. I’ve bookmarked your pages and I can certainly come back here periodically to see if you’ve got anything new, but I thought you might like to know that (at least for some of us) RSS ain’t Sing.

I checked in my RSS reader (“The Old Reader”), and both blogs seem to come through fine.

Odd. It JUST NOW showed up in my feed (17 December, 21:00 Pacific time). Where it’s been all this time, I may never know. Just thought I’d let you know.

Am I to understand that it takes about 60 minutes to pay somebody through the Bitcoin network? I reached this conclusion based on the 10 minute average block confirmation and the requirement of it being 6 back in the chain before it is considered confirmed.

Full confirmation requires about 60 minutes. Many people are willing to accept payment on more trust, though, say after just a single confirmation (

Yes, this is a significant disadvantage of the protocol in its present architecture.

Transactions are instant. Confirmations are not. A confirmation takes 10 minutes. If you want full confirmation, then yes, on average it takes an hour (6 confirmations). For eCommerce, this will probably work in most cases. For retail, this can be an issue. However, there are a few points:
– If you try to double spend, it doesn’t mean you will succeed.
– It is not easy to double spend in front of the cash register (unless you have built some app and are all ready)
– The merchant (I think BitPay is doing this) can listen on the network to see if there was a double spend attempt. Those are easily detected.
– Don’t forget that a Credit Card payment can be charged back 6 months later.
Just saying. 🙂

Love the article. It is the first article that I have been able to understand on this topic, and I have been reading a few on it. And a comment on style, I really appreciated the higher-principled discussion on the topic.
I am so annoyed with the internet’s constant barrage of get-rich-quick articles on this, or the excitement of the exchange rate. I have yet to read before now any intelligent comments on the social value; in particular your link to http://szabo.best.vwh.net/formalize.html was appreciated.

Thanks. All of Szabo’s writing is worth reading, incidentally, his site is a treasure trove.

You know that there are some hints that Nick Szabo == Satoshi Nakamoto?

Re: why BT doesn’t use 2PC, as I understand it, it’s because 2PC becomes exponentially more complicated/unreliable with an increased number of parties. 2PC is a collapsed version of the byzantine / paxos protocols (which is 2PC with n in place of 2), and the basic problem is that a lot of nodes have to be online and exchange a lot of messages in order for it to be workable. In any case it’s more complicated than ‘longest blockchain wins’. That’s my inexperienced understanding anyway.

Good article and good discussion! This is a very good overview of the technical aspects around the bitcoin protocol. The fact remains that bitcoins have no intrinsic value and the promise of a peer-to-peer payment network (medium of exchange) will not be fulfilled unless the bitcoin is transformed into a true digital currency. Here are my thoughts on how to accomplish that: http://tinyurl.com/m57hd2z

First of all excellent explanation on Bitcoin, I love it! I guess my question is simple to answer. How can I verify that a transaction is signed by a certain address if all I got is the hash of the public key? Don’t I need the full public key for that instead of only the hash? What am I missing guys??

The transaction contains the Bitcoin address of the payee (or payees, if there are numerous outputs) in the output fields, and the public key(s) and signature(s) of the payer(s) in the input fields. So there’s no problem — you do have the full public key of the payer.
Stupid question from a non-technical person: how will transactions be approved and verified subsequent to 2140 when there are no more rewards for mining?

Transaction fees (which I briefly describe in a couple of places in the article).

Thank you. Best explanation I’ve seen so far! I still don’t understand it fully, but it’s slowly becoming clearer. One question, though. I hear that it’s open source, and we can look at the source code. I’d like to do that. It’s written in C++? Where can I find the code and look at it? Thank you.

I answer my own question. It’s at github.com

I would love to see you discuss tumblers and the effectiveness and possibility of anonymizing your bitcoins.

In your anonymity section you speak of debunking a fairly big myth without really backing it up. You just state the equivalent of “actually it’s not anonymous” without going into detail. I don’t believe that to be true unless you are implying that various ways of using the internet anonymously are breakable. For example if TOR is compromised versus if it is not, or if other methods of obscuring traffic surrounding use of bitcoins are insufficient. Your assertion that bitcoin is open and semi-transparent has nothing to do with the ability to use it anonymously, and the idea that it wouldn’t be able to ‘achieve convictions’ but will narrow the pool of suspects down sounds closer to a statement of successful anonymity rather than unsuccessful.

“You just state the equivalent of ‘actually it’s not anonymous’ without going into detail.” It’s certainly not meant to be a proof! I do, however, go a good deal further than just saying “it’s not anonymous”: I reference a large and growing body of academic literature that takes supposedly anonymous data sets and then de-anonymizes them. I believe mechanisms similar to those used in those papers will be very useful for attacking Bitcoin. There are complications in Bitcoin, notably that some people (though far from all) routinely use new addresses for each transaction. That makes an interesting challenge, and (I think) is different than in earlier work on de-anonymization. I’ll be most curious to hear what the de-anonymizers have to say after making a sustained attempt at Bitcoin.

Linking bitcoin addresses to a real identity requires that a real identity is somehow associated with an address in the first place. If I buy bitcoin on the street with cash – without revealing any personal information, using a public network, and a device with a MAC address that can’t be linked to me – then I can spend that bitcoin with absolute anonymity unless I reveal private info to whoever I send that bitcoin to. In the case of Silk Road, the guy who sends me the drugs would need my mailing address, but that can be fudged as well. If he does not store my mailing address, nothing gets linked to me if the drugs arrive safely. Throw in a mixing service, and on that transaction, not even the NSA can ID me from the blockchain. Now if I do the same thing many times, it may be possible to ID me using other vectors – but explain how anyone could ID me using the blockchain if I buy the bitcoin with cash on the street, and spend it leaving no permanent record. I assert that bitcoin can be 100% anonymous – forever – if you do it right.

The system is anonymous, but traceable. If you receive bitcoins from somewhere and never spend them that’s fine, but it becomes possible to track addresses back to wallets via “change addresses” that are created during normal transactions. There are several other methods as well. You will find that many addresses can be identified with a bit of heuristic effort. To remain anonymous, you have to take pretty extreme measures. This includes the use of tumblers and foggers, but you cannot guarantee they will work. This leads to the interesting point that if you steal bitcoins, they are dangerous to spend.

You mention using multiple sub-puzzles to reduce variance. This is a bad idea as it introduces progress. Because bitcoin is a first-past-the-post race, progress gives an unfair advantage to more powerful miners (>2x reward for 2x power).

You’re assuming a particular design (in which people solve a set of puzzles privately). There is no necessity to make that assumption, which is why I make the first part of the statement “with some careful design it is possible to considerably reduce the variance in the time to validate a block of transactions”. I haven’t worked out the best possible design; however, I have found a design whose distribution is quite a bit more sharply peaked around 10 minutes than the current puzzle. Unfortunately, the details are more elaborate than I want to write out right now; I may come back to it in a future post.

Also you talk about the risk of nonce reuse. This won’t happen because people mine for their own reward address, so even if the nonce is reused the work proof won’t be. Further, in the case of pool mining the pools hand out work, specifically to avoid nonce re-use (which is somewhat insecure as others could guess the work range of other users and race them to produce it). And finally the secure way is for pooled miners to use getblocktemplate and use a large random counter start (extranonce). If the extranonce is large enough and random the probability of nonce collision is practically 0. You can read about this in the hashcash paper http://hashcash.org/papers/hashcash.pdf or https://en.bitcoin.it/wiki/Hashcash. For decentralization miners should also choose their own blocks by running as a full node and packing the details into the coinbase provided by getblocktemplate. Two-phase commit: if you are willing to wait 10 minutes, bitcoin already does that. I presume the form it would take is that the proof of double spend would be (one of) the double spends. There have been proposals to forward double-spends with a double-spent marker (presently only the first is received). Maybe just an API to ask if there are any transactions conflicting with a given transaction; a user could ask a few random nodes to build up confidence. You also have to bear in mind preserving the 0-confirmation spend functionality. Many people rely on that for low value point of sale transactions.

“I’ll come back later to the question of why the Bitcoin address is a hash, and not just the public key.” I don’t think you ever come back to this topic.

See the discussion above, in reply to Benoit Mason.

Thank you for the primer. You might consider removing the footnote. IMO, Bitcoin cannot be successfully defended as free speech. Free speech is not a full-blown unlimited right, as yelling fire in a crowded theater reminds us. But Article I, Section 8, subparagraph ? does grant Congress full power to “coin money and announce [its] value.” And a subsequent subparagraph grants Congress full power to outlaw any currency it wishes for citizen uses as legal tender. Thus, IMO, the Supreme Court could never permit free speech to prevail over Congress’s unfettered Constitutional authority. I hope this comment does not derail a great discussion of Bitcoin. Please delete my comment if it becomes a red herring.

Re the part about everyone (collectively) being the bank: “In particular, we’ll assume that everyone using Infocoin keeps a complete record of which infocoins belong to which person.” Assuming millions and perhaps eventually billions are using bitcoins, so for example billions of transactions could take place daily; times this by the quantity of bitcoins (each single one being unique), times this by the billions using bitcoins: then what effect would that have on the network?

Already addressed in comments above.
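The double-spend handling discussed in the comments above (a merchant listening for a conflicting spend, relaying a second spend with a marker, asking a few nodes whether a transaction has a conflict, and the later question of who rejects a block that contains a double spend) all reduces to one cheap check: has this outpoint already been spent? The following is an added example, not code from the original post or from any commenter, and not Bitcoin’s own implementation; the transaction ids, addresses and amounts are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outpoint:
    """Reference to one transaction output: (txid, output index)."""
    txid: str
    index: int


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # Outpoints being spent
    outputs: tuple  # (address, amount_in_satoshi) pairs


class SpendTracker:
    """What a relay node or merchant keeps for unconfirmed transactions:
    the first transaction seen spending each outpoint, plus every later
    conflicting attempt (the 'first double-spend' detection idea)."""

    def __init__(self):
        self.spent_by = {}   # Outpoint -> txid of the first spend seen
        self.accepted = {}   # txid -> Tx
        self.conflicts = []  # (rejected_txid, accepted_txid, outpoint)

    def add_tx(self, tx):
        """Return (accepted, conflicting_txids). First spend wins; a later
        transaction reusing any outpoint is recorded, not accepted."""
        clashes = sorted({self.spent_by[o] for o in tx.inputs if o in self.spent_by})
        if clashes:
            for o in tx.inputs:
                if o in self.spent_by:
                    self.conflicts.append((tx.txid, self.spent_by[o], o))
            return False, clashes
        for o in tx.inputs:
            self.spent_by[o] = tx.txid
        self.accepted[tx.txid] = tx
        return True, []

    def conflicts_for(self, txid):
        """Answer 'is there any transaction conflicting with this one?'."""
        found = set()
        for rejected, accepted, _ in self.conflicts:
            if txid == accepted:
                found.add(rejected)
            elif txid == rejected:
                found.add(accepted)
        return sorted(found)


def block_double_spends(txs):
    """Outpoints spent twice within one block: one pass over the inputs with a
    set, which is why this check is negligible next to the proof-of-work."""
    seen, dup = set(), set()
    for tx in txs:
        for o in tx.inputs:
            if o in seen:
                dup.add(o)
            seen.add(o)
    return dup


def merchant_check(nodes, txid):
    """Ask several nodes whether any has seen a conflicting spend. A clean
    answer raises confidence for a 0-confirmation sale but is not proof:
    a node can only report what has reached it."""
    return all(not node.conflicts_for(txid) for node in nodes)


# Constructed sample data: Alice's single coin, paid to Bob and then again to Charlie.
ALICE_COIN = Outpoint("f00d" * 16, 0)
TX_BOB = Tx("tx_bob", (ALICE_COIN,), (("1BobAddr", 1_000_000),))
TX_CHARLIE = Tx("tx_charlie", (ALICE_COIN,), (("1CharlieAddr", 1_000_000),))


def demo():
    node = SpendTracker()
    first = node.add_tx(TX_BOB)        # (True, [])
    second = node.add_tx(TX_CHARLIE)   # (False, ['tx_bob'])
    in_block = block_double_spends([TX_BOB, TX_CHARLIE])  # {ALICE_COIN}
    return first, second, in_block, node.conflicts_for("tx_bob")


if __name__ == "__main__":
    print(demo())
```

The merchant-side check is deliberately weak on purpose: a node that never saw the second spend will report no conflict, which is exactly why the comments above pair fast detection with the option of waiting for confirmations when the amount justifies it.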
That question about a nonce… I think that the parameters of the puzzle differ for every single miner. Everyone’s desired block contains a unique transaction that no other miner has – a transaction providing a reward to himself. So there is no point in trying to trick others – the parameters of their puzzles are different. It’s OK for everyone to just try 0, 1, 2 etc…

Already addressed in comments above.

So if I’ve got this right, one proof-of-work computation takes about 10 minutes, and you (presently) get 25 Bitcoins for doing it, and each Bitcoin is (presently) worth about 1000 USD. Right? If so, this only makes sense if most proof-of-work computations don’t get finished and/or don’t get rewarded. Is that usually because someone else got there first? Do you know about what fraction of proof-of-work computations get rewarded? This was really useful, thanks!

Yes. It’s a race. Whoever finds the hash that is smaller than the currently defined difficulty will gain the reward for the block. The difficulty is adapted every two weeks or so to reflect the changing (now growing) power of the network. The power is growing so fast and so much that some already call it an “arms race”.

Thanks for the article, very interesting, but I don’t see any mechanism for re-combining fractional bitcoins. I’m puzzled by what seems to be an ever-increasing fragmentation. It seems that over time you would accumulate a large number of coins of varying fractional values, and to make a payment you would have to lump together a collection of fractional coins to equal or exceed the transaction required, then typically end up paying yourself your change. This one-way process of cutting off chunks of a bitcoin would proceed steadily. A holding of one bitcoin would end up being constituted of maybe hundreds or thousands of differently-sized fractions. If that’s the case, that will make transactions increasingly messy: you may have to consolidate a large number of inputs for one payment. In turn, that will lead to the block chain file growing faster and faster. Did I miss something?

This is not a problem. Yes, some transactions will “fragment” bitcoins. But other transactions undo fragmentation. For example, a 5-input, 2-output transaction will reduce fragmentation. This sounds a little complex for the user, but in practice, good client software will make this invisible. You simply say “I want to send such-and-such bitcoins to so-and-so address”, and all the details of combining transactions will be taken care of. In this sense it’s actually easier than cash, where we deal with the fragmentation / de-fragmentation problem all the time (i.e., finding the right combination of bills and coins to pay for a service, and then dealing with the resulting change).

Amazing article. Looking forward to more on similar topics – maybe someday you’ll explain Tor.

Very informative article, thank you. I was wondering:

1) With regard to transaction fees, I assume it is up to the first miner to successfully validate a block to determine if your suggested fee is large enough to be included in the next iteration of the block chain. Additionally, I assume you have to determine what fee you’re willing to pay well in advance of the next chain being verified. If this is the case and we fast-forward to 2140, won’t all miners (assuming the computing power isn’t concentrated) be incentivized to take ANY transaction fee no matter how small? For example, if I have .001% of the computing power I should, on average, validate a block once every 2 years (hopefully the math’s right; it would be infrequent in any regard) and, considering (assuming?) there would be no marginal cost to include a transaction (or 1,000 transactions) offering me only .1 equivalent in transaction fees, I can’t think of why I wouldn’t validate that transaction. As such, even if there were a few big players who managed say 2/3 of the computing power, on average one in 3 blocks would be validated by a smaller player who wouldn’t care about pricing; since people already wait almost an hour to finalize a transaction, likely they’d be willing to wait an extra 30 minutes and, as such, the big miners would likely just lower their fee thresholds pretty substantially. Wouldn’t this create an odd prisoners’-dilemma-esque situation? Maybe I’m missing something but it strikes me that this would end with low fees forcing people out of business until computing power concentrated amongst an oligo(mono)poly of miners who could exercise sufficient pricing control which, as you pointed out, would most likely create integrity concerns.

2) I believe I’ve previously read somewhere that there was a price threshold required to incentivize mining at different levels of complexity – for example, if bitcoin were 1 tomorrow, would miners continue to mine or would the marginal cost of running the equipment outweigh the reward (disregarding fees)? If that’s the case and a scenario like that occurs, does bitcoin grind to a halt or will some miners shut down or start running less expensive equipment as they did when bitcoin was in that price range? I guess this sort of boils down to whether the use of high cost computing equipment is a function of competition (and price) or problem complexity? Both are hypothetical but I was curious to know if you (or anyone) had considered these questions. Thanks again for the article.

(I think) I figured out the answer to #2 – I was unaware of how difficulty was calculated.

Excellent article!
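The fragmentation question and the reply above (“a 5-input, 2-output transaction will reduce fragmentation”, with the wallet hiding the details) can be made concrete with a small coin-selection routine, which is also where the fee from the follow-up question enters: every input adds bytes, and bytes cost fee. This is an added example, not code from the original post, from any commenter, or from any real wallet; the byte sizes, dust threshold, fee rate and the wallet’s coins are assumptions constructed for the demo.

```python
from dataclasses import dataclass

# Approximate byte sizes of a legacy pay-to-pubkey-hash transaction (assumed for the demo).
IN_BYTES, OUT_BYTES, BASE_BYTES = 148, 34, 10
DUST_SAT = 546  # assumed threshold below which a change output is not worth creating


@dataclass(frozen=True)
class Utxo:
    txid: str
    index: int
    value: int  # satoshi


def tx_size(n_in, n_out):
    return BASE_BYTES + n_in * IN_BYTES + n_out * OUT_BYTES


def select_inputs(utxos, amount, fee_rate):
    """Smallest-first selection over economical coins. Returns (inputs, fee, change).

    A coin whose value does not even cover the fee its own input bytes add is
    skipped (spending it would lose money). Smallest-first is chosen on purpose:
    it sweeps accumulated fragments into one payment, so the wallet ends up with
    fewer, larger coins.
    """
    economical = [u for u in utxos if u.value > fee_rate * IN_BYTES]
    chosen, total = [], 0
    for u in sorted(economical, key=lambda u: u.value):
        chosen.append(u)
        total += u.value
        fee = fee_rate * tx_size(len(chosen), 2)  # payee output + change output
        if total >= amount + fee:
            change = total - amount - fee
            if change < DUST_SAT:
                # Not worth a change output: the whole remainder goes to the miner as fee.
                return chosen, total - amount, 0
            return chosen, fee, change
    raise ValueError("insufficient funds")


def pay(utxos, amount, fee_rate, new_txid):
    """Build one payment and return (remaining utxos, inputs, fee, change)."""
    inputs, fee, change = select_inputs(utxos, amount, fee_rate)
    remaining = [u for u in utxos if u not in inputs]
    if change:
        remaining.append(Utxo(new_txid, 1, change))  # output 0 pays the payee, output 1 is change
    return remaining, inputs, fee, change


# Constructed wallet: one large coin plus fragments left over from earlier change.
WALLET = [
    Utxo("aaaa", 0, 120_000),
    Utxo("bbbb", 0, 35_000),
    Utxo("cccc", 1, 8_000),
    Utxo("dddd", 0, 5_000),
    Utxo("eeee", 2, 500),  # uneconomical at 10 sat/byte: spending it costs 1480 sat
]


def demo():
    """Pay 140,000 sat at 10 sat/byte; report coin counts before and after."""
    after, inputs, fee, change = pay(WALLET, 140_000, 10, "ffff")
    return len(WALLET), len(inputs), fee, change, len(after)
```

In the demo the 4-input, 2-output transaction replaces four coins with a single change coin, so the wallet goes from five coins to two. The 500-satoshi fragment is the edge case worth noticing: at this fee rate it costs more to spend than it is worth, so a wallet should leave such dust alone until fees are low enough to sweep it.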
I’m working on a case and see that the bitcoin user employed more than a dozen different applications: Anoncoin, Phenixcoin, Primecoin, etc. I take it that the protocol is the same among the clients, though hash algorithms, proofs of concept, and the like may differ. From what I understand, if I use XPMs and want to buy something from a vendor who accepts BTCs, I have to go through some broker or exchange facility to complete the transaction. If that’s correct, and considering the U.S. in a vacuum, isn’t it like we’re all carrying around a different brand of currency (USDs, Yen, Pounds, etc.) and have to exchange them almost every time we want to buy something? It’s easy with credit cards, but I don’t see a similar approach with bitcoins. Thanks!

“I don’t understand why double spending can’t be prevented in a simpler manner using two-phase commit. Suppose Alice tries to double spend an infocoin with both Bob and Charlie. The idea is that Bob and Charlie would each broadcast their respective messages to the Infocoin network, along with a request: ‘Should I accept this?’ They’d then wait some period – perhaps ten minutes – to hear any naysayers who could prove that Alice was trying to double spend. If no such nays are heard (and provided there are no signs of attempts to disrupt the network), they’d then accept the transaction. This protocol needs to be hardened against network attacks, but it seems to me to be the core of a good alternate idea. How well does this work? What drawbacks and advantages does it have compared to the full Bitcoin protocol?” I think something along these lines is planned: “On top of all that is a long list of new features and improvements I’d like to see get into a 0.9 release; the highest priorities on my wish list are: 1. ‘First double-spend’ relay and detection. Detecting attempted double-spends as soon as possible is great for low-value, in-person transactions, and we should do more to support that use case.”

Great article. I will use it as a self-study tutorial. In your next instalment, could you give a broad description of where the protocol is actually to be found (is it a particular piece of software?), how it can be changed, who can change it and indeed to what extent it is capable of being changed? These are important questions because they go to the ability of Bitcoin to evolve and develop, but it is very hard to find any good general account of these issues.

If Satoshi Nakamoto already made two patches to Bitcoin, what’s stopping him/her from making another patch right now that ruins Bitcoin?

“Of course, after Alice has published her message it’s possible for other people to duplicate the message, so in that sense forgery is possible.” How can someone forge the message without Alice’s private cryptographic key?

Hi. Great article. Thanks for putting it together. I am still having one big problem, and I feel like I must be missing something obvious. You wrote: “Suppose Alice tries to double spend with Bob and Charlie. One possible approach is for her to try to validate a block that includes both transactions. Assuming she has one percent of the computing power, she will sometimes get lucky and validate the block by solving the proof-of-work. Unfortunately for Alice, the double spending will be immediately spotted by other people in the Infocoin network and rejected, despite solving the proof-of-work problem. So that’s not something we need to worry about.” Who is going to be looking to reject it, and what does that even mean? If a malicious party (Alice) manages to complete a block that contains transactions that are not, in fact, valid then what? Do other miners check them before building on top of her faulty block? And, if not, then what does it mean for others to ‘spot’ them? This has been bugging me for days! Your thoughts would be greatly appreciated.

Anyone with a copy of the block chain is not going to accept an extra block which has an obvious attempt to double spend in it.

So that means that miners examine each block for conflicts before they choose to build on it…? And, if that’s true, how is the overhead of that inspection built into the incentive structure? Will their block (if they solve it) become invalidated if down the line someone points out that they built on a block with a double spend? (That would make sense, but it isn’t a step that I have seen described.)

Checking for a double spend within a block is computationally negligible.

That’s a long detailed description of bitcoin above, which was a great read. I don’t quite understand near the end, but I definitely get the gist of it. I don’t perfectly understand the relationship between transactions and blocks (is this only required when people try to cheat the system?). If so, the money earned by the miner essentially is imaginary and something that only exists within trust that bitcoin is going to continue to work. I guess there are two cases: 1. as miners get bitcoins, the value of bitcoin compared to other currencies drops (this is most likely the case); 2. as miners get bitcoins, if it comes to a point where everyone wants to convert their bitcoins to real currency, it’s not going to balance: bitcoins -> conversion via bitcoin exchange rate -> not enough real money. Also, why assume every 210,000 blocks occurs every 4 years? Is this an assumption based on bitcoin flow so far? Wouldn’t every 210,000 blocks occur more often if there is more flow?

If everybody would like to exit Bitcoin at the same time the price would collapse. The current speculation is, though, that the opposite is true. Many people try to buy bitcoins for fiat money. How many? Please see here http://fiatleak.com. With regards to why 210,000 blocks are created in roughly four years: the network difficulty is set so that only six blocks per hour can be created. Roughly every 10 minutes a new block comes into the blockchain. Let’s do the math: 4 years -> 1461 days * 24 hours -> 35,064 hours * 6 blocks -> 210,384.

Quite good explanation, albeit with some important things missing. One mistake though: “So if we want the output hash value to begin with 10 zeroes, say, then David will need, on average, to try 16^10 (approx 10^12) different values for x before he finds a suitable nonce.” I think it should be 16^9 on average. At worst it is 16^10.

No, the average number of trials is $16^{10}$. (If we repeatedly sample from a Bernoulli random variable with probability $p$ of a success, then the expected number of trials to success is $\sum_{n=1}^{\infty} n p (1-p)^{n-1}$, which is easily shown to be $1/p$. The probability $p$ in the proof-of-work is $16^{-10}$, so the expected number of trials to success is $16^{10}$.) What important things are missing from the explanation?

I have a lot of questions about bitcoin and I’ve done a lot of searching; this explanation has to be the one that has got me the closest to the answers I’ve been looking for. Unfortunately I’m still falling short of understanding a lot of the basics. I do want to ask one question here which seems to be the most important question for me. In computer science terms, what is a “bitcoin”? There were points in this article where it seemed close to specifying this, although I may have actually missed the answer, so, what is a “bitcoin”?? Is it a unique value? If I have 100 bitcoins what is it that I really have? 100 unique values? Or is it simply a value that was “said” to be given to me and simply assigned a value, sort of like the 5th entry in a ledger: in the genesis block it was “said” 50 bitcoin was given to whoever, 50 bitcoin was given to Bill and we will call that 50 1234567.. . Overall I’m still searching for clarity on the fundamental idea of a bitcoin from a computer science view.

We are organising the World Bitcoin Conference on 24 & 25 March 2014 in Malaysia. We would like to invite you to speak on the Bitcoin protocol. Could we have your email address to send the invitation?

Hi – what a great write-up! As for your first Author’s question – there are probably several less complex methods for confirmation, but there is inherent security in the current approach which appears to organically solve the problem without risky reliance on factors and layers outside the network itself.

There is one part that I am not sure I understand. For example, let’s say miner A has in his queue transactions A, B, and C to validate in a new block. Is it possible miner B will have transactions B, C and D in his queue (but not A) that he will validate in his new block? Assuming both solve the puzzle, now both transactions B and C are in two different blocks. Will both blocks get accepted?

Thanks for the write-up, it helped me a lot in understanding the underlying tech of the Bitcoin protocol. Can’t wait for the next in the series.

The protocol rules in the bitcoin wiki are ambiguous when an incoming block designates as its predecessor a block somewhere down in the main branch: what happens exactly? The wiki can be interpreted in two ways: 1. nothing at all – the incoming block is NOT added as the beginning of a side branch; 2. the incoming block IS added as the possible beginning of a side branch, but without any verification for the moment. If that is the case, then most blocks in the main branch should have many “brothers”. I have verified that the correct answer is 2. I have also found what limits the number of “brothers” for a block: 1. miners stop mining as soon as they receive a valid node and therefore no new blocks are sent; 2.
their neighbours do not relay the blocks they might have sent in the meantime. Sorry for asking.

Thanks for the write up .. How do transactions get organized into blocks? Are nodes broadcasting transactions or blocks? The number of transactions in a block, is that hardcoded in the protocol? In your example of h(“hello world”|nonce), is “hello world” a unique transaction or the entire block?

“Suppose Bitcoin mining software always explored nonces starting with $x = 0$, then $x = 1$, $x = 2, \ldots$. If this is done by all (or even just a substantial fraction) of Bitcoin miners then it creates a vulnerability. Namely, it’s possible for someone to improve their odds of solving the proof-of-work merely by starting with some other (much larger) nonce. More generally, it may be possible for attackers to exploit any systematic patterns in the way miners explore the space of nonces….” This is incorrect, because the block hash is dependent on the contents of the block. For there to be any possibility of a miner improving his odds through this method the miner must be mining the exact same block as someone else, including not using his own address for the coinbase and transaction fees to go to, removing the entire incentive for mining.
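Three numerical claims made in the comments above can be checked with a toy miner: that the expected number of hashes to get $k$ leading hex zeros is $16^k$ (the geometric-distribution argument in the reply about $16^{10}$), that two miners scanning nonces from 0 in the same order are searching unrelated hash sequences because their headers differ in the coinbase address (the point made about nonce ordering just above), and that 210,000 blocks at one per 10 minutes is about four years, with the halving schedule summing to just under 21 million coins. This is an added example, not code from the original post or from any commenter; the header layout, the addresses and the merkle-root strings are assumptions for the demo and are not Bitcoin’s real 80-byte header.

```python
import hashlib
import statistics


def block_hash(prev_hash, coinbase_addr, merkle_root, nonce):
    """Double SHA-256 over a toy header. The header layout is an assumption
    for the demo, not Bitcoin's 80-byte header; what matters is that the
    miner's own coinbase address is part of what gets hashed."""
    header = f"{prev_hash}|{coinbase_addr}|{merkle_root}|{nonce}".encode()
    return hashlib.sha256(hashlib.sha256(header).digest()).hexdigest()


def mine(prev_hash, coinbase_addr, merkle_root, zeros, start_nonce=0):
    """Scan nonces sequentially from start_nonce until the hash has `zeros`
    leading hex zeros. Returns (nonce, hash, trials)."""
    target = "0" * zeros
    nonce = start_nonce
    while True:
        h = block_hash(prev_hash, coinbase_addr, merkle_root, nonce)
        if h.startswith(target):
            return nonce, h, nonce - start_nonce + 1
        nonce += 1


def expected_trials(zeros):
    """Each trial succeeds with p = 16**-zeros, so the trial count is geometric
    and its mean is sum_{n>=1} n p (1-p)**(n-1) = 1/p = 16**zeros."""
    return 1 / (16.0 ** -zeros)


def mean_trials(zeros, samples):
    """Empirical mean over `samples` headers that differ only in merkle root."""
    return statistics.mean(
        mine("00prev", "1MinerA", f"root{i}", zeros)[2] for i in range(samples)
    )


def nonce_transfers(zeros):
    """Does the nonce that solves miner A's block also solve miner B's, whose
    header differs only in the coinbase address? Almost never: B's hashes are
    an unrelated pseudo-random sequence, so scanning from 0 in the same order
    gives B neither an advantage nor a collision."""
    nonce_a = mine("00prev", "1MinerA", "root0", zeros)[0]
    return block_hash("00prev", "1MinerB", "root0", nonce_a).startswith("0" * zeros)


def era_length_years(blocks=210_000, minutes_per_block=10):
    """210,000 blocks at one per 10 minutes, expressed in years."""
    return blocks * minutes_per_block / (60 * 24 * 365.25)


def total_supply_sat():
    """Sum the halving schedule in integer satoshi: 50 BTC per block for the
    first 210,000 blocks, halved (rounding down) every 210,000 blocks."""
    reward, total = 50 * 100_000_000, 0
    while reward > 0:
        total += 210_000 * reward
        reward //= 2
    return total


if __name__ == "__main__":
    print(mine("00prev", "1MinerA", "root0", 3))
    print(expected_trials(1), mean_trials(1, 200))
    print(era_length_years(), total_supply_sat() / 100_000_000)
```

Run with a one-zero target and a couple of hundred headers, the empirical mean lands near 16, matching $1/p$; the first solving nonce is at index $16^k$ only on average, which is why the commenter’s $16^9$ (a median-style intuition) is lower than the expectation. The integer halving sum gives 2,099,999,997,690,000 satoshi, i.e. 20,999,999.9769 BTC rather than exactly 21 million, because each halving rounds down.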