About a year ago when the Bitcoin train was just starting to gather steam, a friend turned to me and asked, “So why can’t you just copy a Bitcoin?”
This is a confusion that a lot of people have, and a fair one: the notion of a digital entity that can’t be easily copied is entirely unintuitive. In fact, the Bitcoin network is one of the coolest, and least understood, technologies in the popular consciousness right now. That’s a shame, because the underlying mechanics of Bitcoin are really pretty straightforward. You don’t even need any particularly hard math, if you’re willing to take a few things on faith.
We’ve covered, in the past, what Bitcoin is, how to use it safely, and even written a manual on the topic, but we’ve never really gotten into how it works. Today, we’ll be delving into that ‘how’, and talking about the tools that are necessary to keep the “magic Internet money” running behind the scenes.
Bitcoin for Poker
So why can’t you copy a Bitcoin? The answer, to make a long story short, is that a Bitcoin isn’t really a string of data to be copied: it’s an entry in a distributed ledger that tells you how much money each person has. The reason you can’t alter the ledger is due to the clever structure of the Bitcoin network — there are many copies of the ledger, and the ledger itself is designed in such a way that it’s hard to tamper with.
To understand the issue better, imagine that you were going to try to implement a pen-and-paper Bitcoin (WritCoin) for a game of poker with your friends. You’re all too cheap to buy chips, but you still want to keep track of how much play money everyone has, and let people move it amongst themselves.
One solution is to pick someone trustworthy to be record keeper for the game: they make a note of each transaction as it happens, let you know if the transaction succeeded (i.e. didn’t take anyone to a negative balance), and can add up all the successful transactions to figure out how much money everyone has at any given time. This is similar to how PayPal and other centralized payment systems work. As you can see, the idea of copying a unit of currency doesn’t really make sense in this system – the record keeper wouldn’t allow it. Note that the record keeper is in a position of power in this scenario, and may choose to give himself lots of money, steal a small fraction of all money spent, or otherwise abuse his position.
Now, imagine that instead of playing poker with your friends, you’re trapped in a high-stakes mob poker game, where nobody at the table trusts anyone else to be recordkeeper (but you’re all still too cheap to buy chips).
Now you have a problem: because there’s no trust, the centralized authority won’t work anymore. So, you come up with the clever idea of letting anyone at the table become an independent record keeper if they want to. Each of them will take note of all transactions. That way, when it comes time to find out how much money someone has, if any minority group of them decides to lie about their records, the majority will catch them out. To keep things fair, you all agree to pay out a small reward to the record-keepers in exchange for their services. This devalues all of your money a little, but encourages people to become record-keepers and prevents fraud – and, unlike with a single record keeper, the money devaluation can be controlled to a manageable level. This is, in a nutshell, the gist of the Bitcoin network. A network of independent computers running special software (Bitcoin miners) independently keeps track of every transaction that has ever occurred in the network. In return, they have a chance of being rewarded every time they confirm a group of transactions. In order to spend money, you just talk to the network and inform it of your desire to do so. The miners note the transaction in their logs (if you have enough money to successfully make it), and move on.
Bitcoin and Cryptography
Of course, it’s not quite that simple in practice. Imagine the problems of trying to move WritCoin to the Internet. Now, suddenly, you need a way to prove that it’s really you making a transaction (in real life, you can see who’s making transaction requests — not so on the Internet). Also, on the Internet, with a large network, it’s difficult to consult every single Bitcoin miner in existence to find out how much money everyone has. It would be nice if you could just talk to a few of them and still be able to tell which of them were honest. There are two cryptographic tools that make these things possible online: digital signatures, and proof of work.
A cryptographic signature is a clever application of asymmetric encryption, and it works like this: from a single secret piece of information, you can do a set of mathematical operations that produce two subsidiary pieces of information (called a public and a private key) such that anything encrypted (scrambled into gibberish) by the private key can only be decrypted (unscrambled) by the public key. Furthermore, when these keys are produced correctly, there is no way to find out what the private key is, even if you know the public key. Explaining how these actually work, math-wise, requires abstract algebra and is way beyond the scope of this article. If you’d like to learn more, check out the Wikipedia article about elliptic curve cryptography, the cryptosystem used by Bitcoin.
Imagine, for a moment, that you have a private key and public key that you regularly use. You could publish the public key (which looks like a random string of gibberish), and connect it with your identity. Then, whenever you posted something online, you could take your message, encrypt it with your secret private key, and publish both the encrypted version and the original message side by side. Then, if someone wanted to see if you actually wrote it, they could simply use your public key to decrypt the encrypted version and compare it to the message. If they didn’t match, the reader would know that your message had been tampered with. In other words, if a malicious party wanted to replace your message with their own, they would have no way of generating a matching encrypted version of the text, because they don’t know your private key. The encrypted version of the message (or, more typically, an encrypted hash of the message, which we’ll discuss in a moment), attached to the message itself, is called a digital signature.
Digital signatures are how transactions are verified in Bitcoin. You may have heard of a “Bitcoin wallet.” A Bitcoin wallet is simply a particular public/private key pair. If you want a Bitcoin wallet, you just pick a secret piece of information (you can use a passphrase, or have your computer make up a string of nonsense), and then use it to generate your public and private key. Your public/private key pair is your wallet – if people want to send you money, you give them your public key, and they tell the network that they’d like to send money to the wallet corresponding to that public key. If you want to send money from your wallet, you just tell the network that — and sign it with your corresponding private key. Thus, unless somebody gets ahold of either your private key or your original secret, there’s no way for them to fake transactions from you.
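As an added illustration (not code from the original article), here is the sign-then-verify flow described above, written in textbook RSA with two Mersenne primes as toy key material; Bitcoin itself uses the elliptic-curve signatures mentioned earlier, and the wallet names and transaction text are made up for the example.

```python
import hashlib

# Added illustration: textbook RSA signing of a transaction statement.
# Toy parameters (two Mersenne primes) keep the numbers small; Bitcoin
# itself uses elliptic-curve signatures (ECDSA over secp256k1), not RSA.
P, Q = 2**31 - 1, 2**61 - 1   # both prime, but far too small for real use
E = 65537                     # conventional public exponent


def make_wallet(p=P, q=Q, e=E):
    """Derive a (public, private) key pair from the secret primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)       # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)     # public key, private key


def digest(statement: str, n: int) -> int:
    """Hash the statement and reduce it into the key's number range."""
    return int(hashlib.sha256(statement.encode()).hexdigest(), 16) % n


def sign(statement: str, private_key) -> int:
    """'Encrypt' the hash with the private key: that is the signature."""
    n, d = private_key
    return pow(digest(statement, n), d, n)


def verify(statement: str, signature: int, public_key) -> bool:
    """'Decrypt' the signature with the public key and compare hashes."""
    n, e = public_key
    return pow(signature, e, n) == digest(statement, n)


def demo():
    """Alice signs a payment; the network checks it with her public key.
    Returns (valid, altered_amount_rejected, wrong_key_rejected)."""
    alice_pub, alice_priv = make_wallet()
    carol_pub, carol_priv = make_wallet(p=2**89 - 1, q=2**107 - 1)
    tx = "pay 5 WritCoin from alice_pub to bob_pub"   # constructed statement
    sig = sign(tx, alice_priv)
    return (
        verify(tx, sig, alice_pub),
        not verify(tx.replace("5", "50"), sig, alice_pub),  # message edited
        not verify(tx, sign(tx, carol_priv), alice_pub),    # not Alice's key
    )
```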
In cryptography, there is also a tool called a hash function. A hash function simply takes a large amount of information as an input, and scrambles it down to a short string of nonsense (the length of the output is always the same, and depends on the function you use). Hash functions are sensitive, in that any minor change to the original data completely and unrecognizably changes the string of nonsense (the ‘hash’). As a result of this, hash functions have the unique property of being one-way — given a piece of information, you can easily hash it, but given a particular hash, there’s no way of working backwards to figure out what piece of information was hashed to create it, except by guessing at random. To learn more, check out the Wikipedia article on hash functions.
Hash functions are very useful! The application most relevant to Bitcoin is called “proof-of-work,” which is a way of proving to someone else that a certain amount of computational work was expended. If someone chooses a word at random (say, “doppelganger”), and you respond with a piece of information whose hash happens to be “doppelganger,” (or a string sufficiently similar to it) then they know that you spent a lot of time guessing before you finally found a piece of information that worked. Thus, they have proof that you executed a certain amount of computational work. This can be used to prevent email spam, by forcing anyone trying to send you an email to complete a small proof-of-work based on their email address, your email address, and the time. This proof-of-work can be very easy, so that it’s no inconvenience at all for ordinary people sending a few emails a day, but becomes impractically expensive for bulk mailers.
In Bitcoin, proof-of-work is used to prevent people from lying. It works like this: when a miner wants to add a block of transactions to their ledger, they take the whole block chain (a list of all the transactions that have occurred to date that the miner could verify were valid), and add the latest group of transactions to it. They then hash it all together, and start doing the proof-of-work for that value – guessing values to hash to try to find a new value that’s sufficiently close to the target value. While they are doing this, miners all over the world are doing exactly the same thing, competing to be the first to find a proof-of-work that’s “good enough” (a standard that increases automatically to keep up with Moore’s Law and the growth of the network). The first one to get there gets a windfall (currently 25 Bitcoins or about $15,600 at time of writing) in exchange for their service, and their successful block is distributed to all the other miners, and becomes a permanent addition to the block chain.
The consequence of this is that, if you want to generate a fake block chain, you have to reproduce all of the proofs-of-work done by the network, which is expensive. The farther back you want to edit something, the more proofs-of-work based on that information you have to re-do. It’s very unlikely that anyone can produce better, faster proofs-of-work than the whole legitimate Bitcoin mining network, which means that, generally, the block chain that’s had the most proof-of-work spent on it is the legitimate one. Another way of saying this is that lying in the Bitcoin network is hard, because it takes a lot of computational power to generate a properly structured lie. That means that, if you want an accurate block chain, you don’t have to talk to every Bitcoin miner and let them vote — you can simply talk to a few random miners, get their block chains, and, if there’s a conflict, accept the version with the most, strongest proofs-of-work, and there’s a very good chance it’ll be the real one.
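The nonce search from the email example and the chained blocks of the last two paragraphs, as an added toy implementation in Python; it is not Bitcoin's real block format nor code from this article, and the difficulty, transactions and wallet names are constructed for the example.

```python
import hashlib
import json

# Added toy block chain, not Bitcoin's real block format. Each block commits
# to the previous block's hash, its transactions and a nonce; the proof-of-work
# is a nonce whose block hash starts with DIFFICULTY_BITS zero bits.
DIFFICULTY_BITS = 16           # toy target; Bitcoin's is far harder and adjusts
GENESIS_PREV = "0" * 64        # the first block links to an all-zero hash


def block_hash(prev_hash: str, txs: list, nonce: int) -> str:
    payload = json.dumps([prev_hash, txs, nonce], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def meets_target(h: str, bits: int = DIFFICULTY_BITS) -> bool:
    """Cheap to check: the top `bits` bits of the hash must all be zero."""
    return int(h, 16) >> (256 - bits) == 0


def mine_block(prev_hash: str, txs: list, bits: int = DIFFICULTY_BITS) -> dict:
    """Expensive to produce: try nonces until the hash meets the target."""
    nonce = 0
    while not meets_target(block_hash(prev_hash, txs, nonce), bits):
        nonce += 1
    return {"prev": prev_hash, "txs": txs, "nonce": nonce}


def validate_chain(chain: list, bits: int = DIFFICULTY_BITS):
    """Re-check every link and every proof-of-work. Returns (valid, work),
    where work is the expected number of hashes behind the chain, so two
    competing chains can be compared by the 'most work wins' rule."""
    prev = GENESIS_PREV
    for blk in chain:
        h = block_hash(blk["prev"], blk["txs"], blk["nonce"])
        if blk["prev"] != prev or not meets_target(h, bits):
            return False, 0
        prev = h
    return True, len(chain) * 2 ** bits


def tamper_demo():
    """Mine three blocks, then rewrite a transaction deep in the history.
    The edited block no longer meets the target and the next block no longer
    links to it, so every later proof-of-work would have to be redone."""
    chain, prev = [], GENESIS_PREV
    for txs in (["alice->bob:5"], ["bob->carol:2"], ["carol->alice:1"]):
        blk = mine_block(prev, txs)
        chain.append(blk)
        prev = block_hash(blk["prev"], blk["txs"], blk["nonce"])
    forged = [dict(b) for b in chain]
    forged[0]["txs"] = ["alice->bob:50"]       # constructed history rewrite
    return validate_chain(chain), validate_chain(forged)
```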
Bitcoin in a Nutshell
To sum up: Bitcoin wallets are public/private key pairs. Any public key can send money to any other public key, by making a statement to the network, signed with the corresponding private key. That statement is broadcast peer to peer, among all the miners, all of whom are attempting to generate proofs-of-work for all the transactions they’ve recorded to date. Every time that one of them generates a sufficiently good proof-of-work, they are rewarded with some Bitcoins, and their block becomes part of the official, distributed ledger. By adding up the transactions in all the blocks, you can figure out how much money you have – or how much anyone else has. The record is hard to tamper with, due to the difficulty of producing proof-of-work faster than the rest of the network.
That’s (pretty much) it. Once you understand the cryptographic primitives in play, the idea is actually pretty straightforward. That should not, however, be taken to mean that it isn’t remarkable. Constructing a protocol that forces thousands of people all over the world to deal with one another honestly, despite their best efforts to the contrary, is a huge victory for cryptography, and one of the most powerful ideas of the last few years.