The Hitchhiker’s Summary of Bitcoin theory
A neither technical nor completely non-technical introduction to the theory behind bitcoin.
TL;DR: Bitcoin ‘mining’ is when individuals compete for the right to claim a reward for publishing blocks into the blockchain.
A hash function H(x) is a special kind of function that takes any string (a long list of letters/numbers) as an input, and maps it to a finite output — 256 bytes in the case of bitcoin. The essential properties of a hash function are:
- It is collision-free — nobody can find x and y such that H(x) = H(y). This property has never been proven, but is probabilistic.
- It has the hiding property — cannot recover x from H(x). In practice, we concatenate a random string r to x before hashing.
The collision-free property means we can identify information uniquely by its hash. Hash pointers are hashes that are used to reference pieces of known information.
A blockchain is a linked list of hash pointers. Each block contains the hash of the previous block. It is tamper evident, because any changes made to a block will change its hash, which will change the next block, which will change the next block’s hash etc., until we see that the leading hash changes.
These put the ‘crypto’ in cryptocurrency. There is extensive cryptological theory regarding public/private keys, which is central to bitcoin.
- An individual has a secret key, i.e a random number that only they know, and a public key that anyone can see. The secret key is like a password.
- You can sign a message, or the hash of the message, with your secret key. Anyone can verify with your public key that the signature is valid.
- Signatures are specific to particular messages.
- Bitcoin uses the elliptic curve digital signing algorithm (ECDSA), which is vulnerable to quantum computing.
- If we sign a hash pointer to a block on the blockchain, we effectively sign the whole chain.
- The public key (or the hash of the public key) is the same as the bitcoin address.
A centralised cryptocurrency
Let us imagine that Satoshi were the man in charge of bitcoin. Here is how a centralised cryptocurrency might work:
- Satoshi creates a new coin with a unique coin ID and signs it. This creation is put into a block.
- To pay a coin, Satoshi creates a new block, which contains: a ‘pay to Alice’ statement which he signs, and a hash of the previous block
- If Alice wants to transfer a coin to Bob, she will create a new block which contains: a ‘pay to Bob’ statement which she signs, and a hash of the previous block. The question that cryptocurrencies have to solve is this: what stops Alice from double spending, paying the same coin to many people?
- The answer (for a centralised cryptocurrency): Satoshi publishes and signs the blockchain, so anyone can see that their coins haven’t been double spent.
The problem is that this system requires us to trust Satoshi.
Decentralised cryptocurrencies need to implement a form of distributed consensus — getting many members of the network (nodes) to agree on something. Bitcoin uses an implicit consensus scheme:
- In each round, a random node in the network is selected to propose the next block in the blockchain.
- Other nodes can then accept, by extending that block, or reject, by extending from a previous block
What if there are malicious nodes? A malicious node cannot:
- steal bitcoin from other users, because of the cryptographically secure public/secret key system. The only way you pay with someone else’s bitcoin is if you have access to their secret key.
- deny service to a particular user, because if he does not add a transaction to his block, someone else will.
However, a malicious Eve can buy goods from Bob with bitcoin, then effectively void the transaction while keeping the goods.
- Eve will sign a valid payment to him in exchange for the goods. However, if it is Eve’s turn to propose a block, she can simply propose a payment to another address (e.g. owned by herself). If this block gets accepted, then Eve has received her goods without paying Bob. The payment to Bob is in an orphaned block.
- To prevent this, Bob must wait for ‘confirmations’ — extensions of the chain in which Eve pays Bob.
- The double spend probability decreases exponentially with the number of confirmations. In practice, people normally wait for six confirmation blocks. However, at a rate of one block every ten minutes, this would take an hour. Note that you can never be 100% sure that the payment you received won’t be double spent, but you can probabilistically guarantee it.
Incentives to act honestly
There are many theoretical problems with consensus that can be nullified in practice through the use of incentives.
The block reward:
- The creator of a block has the ability to include a special coin creation transaction, to send a bitcoin to an address of his choice.
- But this block will only be valid if other nodes accept it — providing an incentive for the creator to act honestly (dishonest blocks are unlikely to be accepted).
- The block reward is a fixed value (now 12.5BTC) which halves every 4 years (view a countdown here).
- This is the only way new bitcoins are created, and there is a finite total supply of 21 million coins (all mining will cease after the year 2140).
- The creator of a transaction can make the output slightly less than the input, the difference being interpreted as a transaction fee.
- This is purely voluntary, but blocks with higher transaction fees are processed faster.
- As time goes on, transaction fees will become as important as the block reward.
In order to stop everyone competing for these rewards, and to reduce the likelihood of malicious sybil nodes (generating many nodes under your control), bitcoin uses a proof of work scheme, in which the next block creator is chosen based on computing power. Bitcoin uses hash puzzles:
- We have to find a string nonce such that the hash of [nonce appended to the previous block] is very small. This is essentially trying to guess which number will win a lottery.
- The difficulty of the hash puzzles is increased every two weeks to maintain a constant block output rate of one every 10 minutes.
- This can only be done by brute forcing (more than 10²⁰ hashes per block on average).
The probability of winning the next block is equal to the fraction of global hash power that you have. Attacks on bitcoin are therefore infeasible unless you have more than half of the global hash power. Such an individual is called a 51% attacker. What can such an attacker do?
- The attacker cannot steal coins because of the underlying cryptography.
- Though he can suppress certain transactions from the blockchain, honest nodes will see this and can choose to include that transaction in their blocks.
- Rules of the system like the block reward cannot be changed.
- However, confidence in bitcoin would likely take a hit.
There is a lot more I could talk about, but I feel that the above is enough to paint a coherent picture of the theory behind bitcoin. If you’ve found this useful, please share it!
Incidentally, if you’d like to learn more about bitcoin, I’d suggest Princeton’s course on cryptocurrencies, which is available for free on Coursera.