The foundational document of Bitcoin, authored by the pseudonymous Satoshi Nakamoto, introduced a revolutionary concept: a peer-to-peer electronic cash system. This system allows for direct online payments between parties without relying on a financial institution. By leveraging cryptographic proof and a decentralized network, it solves the long-standing issue of double-spending in digital currency. This article delves into the core principles and mechanisms outlined in the original whitepaper.
Introduction to the Problem
Traditional electronic commerce relies heavily on financial institutions acting as trusted third parties to process payments. While this system works adequately for most transactions, it suffers from inherent weaknesses rooted in the trust-based model. Dispute resolution by these institutions makes truly irreversible transactions impossible. The associated costs increase transaction fees, limit minimum practical transaction sizes, and prevent the feasibility of small, everyday micropayments.
The need for trust breeds further inefficiencies. Merchants must be wary of their customers, often requesting more personal information than necessary. A certain rate of fraud is accepted as unavoidable. While physical cash can avoid these issues in face-to-face transactions, no mechanism exists for non-reversible payments over a communication channel without a trusted party.
The solution is an electronic payment system based on cryptographic proof instead of trust. This allows any two willing parties to transact directly, eliminating the need for a third party. Computationally irreversible transactions protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers.
How Transactions Work
An electronic coin is defined as a chain of digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the next owner's public key. The recipient can verify the signatures to confirm the chain of ownership.
The critical problem is ensuring that none of the previous owners have double-spent the coin. The typical solution involves a trusted central authority, like a mint, that checks every transaction for double-spending. This centralization, however, means the entire system's fate rests with the mint, and every transaction must go through it, much like a bank.
The proposed solution requires that all transactions be publicly announced. A system is needed for participants to agree on a single, chronological history of the order in which transactions were received. The recipient needs proof that, at the time of the transaction, the majority of nodes agreed it was the first received.
The Role of the Timestamp Server
The solution begins with a timestamp server. This server works by taking a hash of a block of items to be timestamped and widely publishing the hash. The timestamp proves that the data must have existed at the time to get the hash. Each timestamp includes the previous timestamp in its hash, forming a chain that reinforces all previous timestamps.
Proof-of-Work: Securing the Network
To implement a distributed timestamp server on a peer-to-peer basis, a proof-of-work system is used, similar to Adam Back's Hashcash. Proof-of-work involves scanning for a value that, when hashed (e.g., with SHA-256), yields a hash beginning with a certain number of zero bits. The average work required is exponential in the number of zero bits required, but verification is quick and easy, needing only a single hash computation.
For the timestamp network, proof-of-work is implemented by incrementing a nonce in the block until a value is found that gives the block's hash the required number of zero bits. Once the CPU effort has been expended to make the block satisfy the proof-of-work, it cannot be changed without redoing the work. As later blocks are chained after it, altering the block would require redoing all subsequent blocks.
Proof-of-work also solves the problem of determining representation in majority decision-making. If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs. Proof-of-work is essentially one-CPU-one-vote. The longest chain represents the majority decision, as it contains the greatest amount of proof-of-work effort.
The network's difficulty is adjusted to target an average number of blocks per hour, compensating for increasing hardware speed and varying node interest.
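The nonce scan and the chaining of hashes described above, as an added example that is not code from the whitepaper: a toy timestamp chain where each block commits to the previous block's hash, mining increments a nonce until the double-SHA-256 hash has `DIFFICULTY` leading zero bits (a constructed, deliberately small difficulty), and a checker verifies both the linkage and the proof-of-work with one hash per block.

```python
import hashlib
import struct

# Added example, not code from the whitepaper: a toy timestamp chain secured by
# proof-of-work. A block header here is prev_hash || sha256(payload) || nonce,
# and mining scans the nonce until the header's double-SHA-256 hash starts with
# DIFFICULTY zero bits. DIFFICULTY is kept small so the example runs in seconds.
DIFFICULTY = 16
GENESIS_PREV = b"\x00" * 32


def block_hash(prev_hash: bytes, payload: bytes, nonce: int) -> bytes:
    header = prev_hash + hashlib.sha256(payload).digest() + struct.pack("<Q", nonce)
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mine(prev_hash: bytes, payload: bytes, difficulty: int = DIFFICULTY):
    """Increment the nonce until the hash meets the difficulty; return (nonce, hash)."""
    nonce = 0
    while True:
        digest = block_hash(prev_hash, payload, nonce)
        if leading_zero_bits(digest) >= difficulty:
            return nonce, digest
        nonce += 1


def build_chain(payloads, difficulty: int = DIFFICULTY):
    """Mine each payload on top of the previous block; blocks are (prev_hash, payload, nonce)."""
    chain, prev = [], GENESIS_PREV
    for payload in payloads:
        nonce, digest = mine(prev, payload, difficulty)
        chain.append((prev, payload, nonce))
        prev = digest
    return chain


def valid_chain(chain, difficulty: int = DIFFICULTY) -> bool:
    """Verification is cheap: one hash per block, checking linkage and proof-of-work."""
    prev = GENESIS_PREV
    for prev_hash, payload, nonce in chain:
        digest = block_hash(prev_hash, payload, nonce)
        if prev_hash != prev or leading_zero_bits(digest) < difficulty:
            return False
        prev = digest
    return True
```

Changing a buried block's payload breaks its proof-of-work, and re-mining that block alone still leaves the next block pointing at the old hash, which is why all later blocks would have to be redone.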
The Network's Operation
The steps to run the network are straightforward:
- New transactions are broadcast to all nodes.
- Each node collects new transactions into a block.
- Each node works on finding a proof-of-work for its block.
- When a node finds the proof-of-work, it broadcasts the block to all nodes.
- Nodes accept the block only if all transactions in it are valid and not already spent.
- Nodes express their acceptance of the block by working on creating the next block in the chain, using the accepted block's hash as the previous hash.
Nodes always consider the longest chain to be the correct one and will work to extend it. If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one first and others the other. In this case, they work on the first one they received but save the other branch. The tie is broken when the next proof-of-work is found, making one branch longer; nodes then switch to the longest chain.
Incentivizing Participation: The Block Reward
The first transaction in a block is a special transaction that creates new coins owned by the block's creator. This incentivizes nodes to support the network and provides a way to initially distribute coins into circulation, as there is no central authority to issue them. The steady addition of a constant amount of new coins is analogous to gold miners expending resources to add gold to circulation.
Incentives can also be funded by transaction fees. If the output value of a transaction is less than its input value, the difference is a transaction fee added to the incentive value of the block containing that transaction. Once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees, avoiding inflation.
This incentive structure encourages nodes to remain honest. An attacker with more CPU power than all honest nodes would have to choose between using that power to defraud people by stealing back payments or using it to generate new coins. He would find it more profitable to play by the rules, as those rules allow him to earn more new coins than anyone else.
Efficient Data Storage with Merkle Trees
Once the latest transaction in a coin is buried under enough blocks, spent transactions before it can be discarded to save disk space. To facilitate this without breaking the block's hash, transactions are hashed in a Merkle tree, with only the root included in the block's hash. Old blocks can be compacted by stubbing off branches of the tree.
A block header with no transactions is about 80 bytes. With blocks generated every 10 minutes, this equates to about 4.2 MB per year. Given that typical computer systems had 2 GB of RAM in 2008 and Moore's Law predicts growth, storage should not be a problem even if the block headers must be kept in memory.
Simplified Payment Verification
It's possible to verify payments without running a full network node. A user only needs a copy of the block headers of the longest proof-of-work chain. He can then check with network nodes to confirm he has the longest chain and obtain the Merkle branch linking his transaction to the block it was timestamped in. He cannot check the transaction for himself, but by linking it to a place in the chain, he sees that a network node has accepted it.
This verification is reliable as long as honest nodes control the network. If an attacker overpowers the network, this simplified method is more vulnerable. A strategy to improve security is for software to accept alerts from network nodes when they detect an invalid block, prompting the user to download the full block and alerted transactions to confirm the inconsistency.
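The Merkle tree from the storage section and the Merkle branch a simplified-payment-verification client obtains, as an added example that is not code from the whitepaper: `merkle_root` computes the value committed in the header, `merkle_branch` extracts the sibling hashes a full node would hand over (the rest of the block can be stubbed off without changing the root), and `verify_branch` is the client-side check against a header it already holds. Transaction hashes in the test are constructed.

```python
import hashlib

# Added example, not code from the whitepaper: a Merkle tree over transaction
# hashes, the Merkle branch a full node hands to a lightweight client, and the
# client-side check that recomputes the root from that branch alone.


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def _next_level(level):
    # Pair up hashes left to right; an odd trailing hash is paired with itself.
    if len(level) % 2:
        level = level + [level[-1]]
    return [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(tx_hashes):
    """Root hash that goes into the block header; only this is covered by proof-of-work."""
    if not tx_hashes:
        raise ValueError("a block needs at least one transaction")
    level = list(tx_hashes)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_branch(tx_hashes, index):
    """Sibling hashes from leaf `index` up to the root, each tagged with its side.
    This is all a client keeping only block headers needs; the other branches
    of the tree can be pruned (stubbed off) without affecting the root."""
    branch, level, idx = [], list(tx_hashes), index
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = idx ^ 1
        branch.append((level[sibling], sibling < idx))  # (hash, sibling_is_left)
        level = _next_level(level)
        idx //= 2
    return branch


def verify_branch(tx_hash: bytes, branch, root: bytes) -> bool:
    """Client-side check: fold the branch back into a root and compare with the header."""
    acc = tx_hash
    for sibling, sibling_is_left in branch:
        acc = sha256d(sibling + acc) if sibling_is_left else sha256d(acc + sibling)
    return acc == root
```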
Combining and Splitting Value
To allow value to be split and combined, transactions can contain multiple inputs and outputs. There will typically be either a single input from a larger previous transaction or multiple inputs combining smaller amounts. Transactions can have up to two outputs: one for the payment and one for returning change, if any, back to the sender.
Although a transaction's inputs may fan out to many earlier transactions, there is never a need to extract a complete standalone copy of a transaction's history for this to work securely.
Privacy in the System
While all transactions are public, a degree of privacy is maintained by keeping public keys anonymous. The public can see that someone is sending an amount to someone else but cannot link the transaction to a specific individual. This is similar to the level of information released by stock exchanges, where the time and size of individual trades are public, but the parties involved are not.
As an additional firewall, a new key pair should be used for each transaction to prevent them from being linked to a common owner. Some linkage is still inevitable with multi-input transactions, which reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions belonging to the same owner.
The Math Behind the Security: Probability of an Attack
The security of the system is analyzed by considering an attacker trying to generate an alternate chain faster than the honest chain. The probability of an attacker catching up from a given deficit is analogous to a Gambler's Ruin problem.
The probability drops exponentially as the number of blocks the attacker must catch up with increases. If the attacker does not make a lucky advance early on, his chances become vanishingly small as he falls further behind.
The recipient of a new transaction must wait until the transaction has been added to a block and z blocks have been linked after it to be certain the payer cannot change the transaction. The number of blocks the attacker could have produced in the time the honest chain took to add those z blocks follows a Poisson distribution. Summing, over that distribution, the probability of catching up from each remaining deficit gives the attacker's overall success probability, which decreases exponentially as z increases.
For example, with an attacker's computational power q at 10% of the honest network (q=0.1), the probability of success after just 5 blocks (z=5) is less than 0.1%.
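The calculation behind that figure, as an added example reimplementing the whitepaper's attacker-success computation in Python (not the whitepaper's own code): the attacker's progress is Poisson with mean λ = z·q/p, and from a remaining deficit of d blocks the chance of ever catching up is (q/p)^d. `blocks_for_confidence` is an added helper that finds the smallest z driving the probability below a chosen threshold.

```python
import math

# Added example, not code from the whitepaper: the Gambler's Ruin / Poisson
# calculation for an attacker who controls a fraction q of the hashing power
# and is z blocks behind the honest chain.


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that the attacker ever catches up from z blocks behind."""
    p = 1.0 - q                 # honest share of hashing power
    lam = z * q / p             # expected attacker blocks while honest chain adds z
    sum_ = 1.0
    for k in range(z + 1):
        # Poisson probability that the attacker produced exactly k blocks so far
        poisson = math.exp(-lam)
        for i in range(1, k + 1):
            poisson *= lam / i
        # remaining deficit is z - k; catching up from it has probability (q/p)^(z-k)
        sum_ -= poisson * (1 - (q / p) ** (z - k))
    return sum_


def blocks_for_confidence(q: float, max_prob: float = 0.001) -> int:
    """Smallest z for which the attacker's success probability is at most max_prob."""
    z = 0
    while attacker_success_probability(q, z) > max_prob:
        z += 1
    return z
```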
Frequently Asked Questions
What is the primary innovation of the Bitcoin whitepaper?
The core innovation is solving the double-spending problem for digital currency without requiring a trusted central authority. It achieves this through a decentralized peer-to-peer network using cryptographic proof and a consensus mechanism called proof-of-work.
How does proof-of-work secure the Bitcoin network?
Proof-of-work requires participants (miners) to expend computational effort to add new blocks to the blockchain. This effort makes it extremely difficult to alter past transactions, as an attacker would need to redo the proof-of-work for the target block and all subsequent blocks, which requires more CPU power than the honest network.
What are 'mining' and the 'block reward'?
Mining is the process of competing to find the solution to the proof-of-work problem for a new block. The winner who finds the solution gets to add the block to the chain and is rewarded with newly created bitcoins (the block reward) and any transaction fees from the transactions included in that block.
How private are Bitcoin transactions?
Bitcoin is pseudonymous, not anonymous. All transactions are publicly visible on the blockchain. While real-world identities aren't directly linked to public keys, sophisticated analysis can sometimes connect transactions to individuals. Using a new address for every transaction enhances privacy.
What does it mean that transactions are 'irreversible'?
Once a transaction has been confirmed by being included in a block and then followed by several other blocks on the blockchain, it is considered computationally irreversible. The cost and energy required to reverse it by overpowering the network's honest miners become astronomically high.
How does the system handle scalability with every node storing all transactions?
The original design acknowledges that storing the entire blockchain forever could become burdensome. It proposes using Merkle trees to allow for "pruning" of old, spent transactions, saving storage space while still maintaining the integrity of the block hashes.
Conclusion
The system proposed provides a robust, trustless electronic transaction system. It begins with a framework of digital signatures for strong ownership control, which is incomplete without a method to prevent double-spending. The solution is a peer-to-peer network using proof-of-work to record a public history of transactions. This history becomes computationally impractical for an attacker to change as long as honest nodes collectively control most of the CPU power.
The network itself is structurally simple. Nodes can work with minimal coordination, do not need to be identified, and can leave and rejoin the network at will. They vote with their CPU power by extending valid chains and rejecting invalid ones. Any necessary rules and incentives can be enforced through this consensus mechanism.