This is part IV in my “Bitcoin Explained” series.
At the end of part III we saw that the Bitcoin network’s primary function is to act as a peer-to-peer timestamping system, and that the blocks could, in principle, verify any data their operators wished.
The catch of course is that those operators need an incentive to operate that system. There is nowhere near enough demand for verifying lost works of copyright music or photographs of cheques, or for preventing contract fraud, to encourage people to dedicate their computing resources to running such a timestamping network. In that sense then, it is absolutely necessary that the primary application for a peer-to-peer timestamping system like Bitcoin must be financial. What’s more, some of that finance must be diverted to the node operators; or more particularly, the miners (the non-miners in the network are connected for their own benefit or interest, rather than for monetary reward).
We’re therefore going to move on to talking about how the Bitcoin block chain is used to implement the bitcoin currency. We’re going to be concerned almost entirely with the payload part of the blocks now; with only the connection between block and payload relevant to us. The payload of the Bitcoin block chain’s block is a list of bitcoin transactions. A hash (of special type) of that payload is included in the block header — no more. From a certain perspective, the block payload is only that special hash; but as a convenience the entire list of transactions is available from the nodes as well.
Let’s get the reward out of the way quickly. Being the creator of a block gets you one special ability that nobody else has. You gain the ability to write the first entry in the transaction list, and you get to write it as a special type of transaction: one that generates coins from nowhere (for now). That then is your incentive to contribute your computing power to the network: if you are the miner that finds the block, you get to keep those freshly generated coins. Now: you can’t just generate any number of coins you like; the other nodes in the network will simply reject your block. You can (for now) give yourself fifty coins. There is more to say on this, but it can wait until a later article; all we need for now is that there is an incentive, and simultaneously (and more importantly) a way in which new coins enter the bitcoin economy.
Let’s leave Bitcoin for a little while, and talk about public key cryptography; in particular, cryptographic signatures. Digital signatures and public key encryption go mathematically hand in hand. Public key cryptography is typified (regardless of the underlying mathematics) by having two-part keys: a public part and a private part. These two parts are inseparably joined; they are only valid as a pair. There is no particular mystique about them: fundamentally they are two long numbers. Usually long numbers like these are represented using hexadecimal for computer systems, so they look scary to non-computer scientists. You shouldn’t be scared: they really are just numbers, and in general the user doesn’t have much to do with them — they’re usually just stored in a file. From a user perspective though, here’s what you need to know:
- A public key can be used to encrypt a message such that only the person with the matching private key can decrypt that message.
- A private key can be used to sign a message such that anyone with the matching public key can verify that the matching private key was used to make the signature.
Bitcoin makes no use whatsoever of encryption. It is entirely based on digital signatures. It has to be: it is a public record, not a public store of private records. These signatures, to any reasonable degree of confidence, are unfakeable. The mathematics of why this is so is beyond the scope of these articles, but be aware that all your banking, secure internet browsing, chip and pin credit cards and digital television content protection work off exactly the same bits of mathematics: trust me, they are unfakeable.
Imagine that real-world signatures were as unfakeable as digital signatures. Imagine a bit of paper with a serial number and the message “I will pay the owner 50 govcoins worth of gold” written on it. Further pretend for now that the Bank of England has some gold, and a trustworthy Governor. There is plenty of blank space on this paper. Imagine now that we run a chain of custody for money rather than the haphazard possession-is-ownership system we really have.
Two pieces of paper come into your possession.
17283726152              17283726152
I will pay the owner...  I will pay the owner...
--------------------     --------------------
Alice owns this          Alice owns this
signed Governor          signed Governor
Bob owns this            Bob owns this
signed Alice             signed Alice
Charlie owns this        Charlie owns this
signed Bob               signed Bob
Dave owns this           Dave owns this
signed Charlie           signed Charlie
Ernie owns this          Fred owns this
signed Dave              signed Gail
Both Fred and Ernie can prove their identity by creating a new signature in front of you. Would Harry take Fred’s copy, or Ernie’s copy as payment for a debt? Remember, signatures are unfakeable. Do you see the magic here? The paper is irrelevant, it can be stolen but ownership does not transfer with possession. It is the signature that is important. Think about what’s going to go on the paper next:
17283726152              17283726152
I will pay the owner...  I will pay the owner...
--------------------     --------------------
Alice owns this          Alice owns this
signed Governor          signed Governor
Bob owns this            Bob owns this
signed Alice             signed Alice
Charlie owns this        Charlie owns this
signed Bob               signed Bob
Dave owns this           Dave owns this
signed Charlie           signed Charlie
Ernie owns this          Fred owns this
signed Dave              signed Gail
Harry owns this          Harry owns this
signed Ernie             signed Fred
Harry would be a fool to take Fred’s signature on this paper: Fred’s ownership is not part of the chain. Dave did not sign over ownership of this paper to Fred; he signed it over to Ernie. Ernie is therefore entirely capable of signing it over to Harry. If anyone can verify a signature, then anyone can verify the ownership.
Congratulations; you now understand Bitcoin transaction chains.
A quick aside to cover some economic rather than technical issues:
“I will pay the owner 50 govcoins worth of gold”
What a sneaky devil I am. I’m almost as bad as a government. What, exactly, is “50 govcoins worth of gold”? I didn’t say 50oz of gold, or $23 worth of gold. The answer is: whatever amount you can get from the seller of the gold.
What is a govcoin worth? Whatever you can get for it.
What is a dollar worth? Whatever you can get for it.
What is 50oz of gold worth? Whatever you can get for it.
What is a bitcoin worth? Whatever you can get for it.
Did you spot the hole in the system? Fred can’t produce a valid signature chain just because he stole the paper, but any of the real owners can copy the paper, getting multiple copies of the valid signature chain.
17283726152              17283726152
I will pay the owner...  I will pay the owner...
--------------------     --------------------
Alice owns this          Alice owns this
signed Governor          signed Governor
Bob owns this            Bob owns this
signed Alice             signed Alice
Charlie owns this        Charlie owns this
signed Bob               signed Bob
Dave owns this           Dave owns this
signed Charlie           signed Charlie
Ernie owns this          Ernie owns this
signed Dave              signed Dave
Harry owns this          Harry owns this
signed Ernie             signed Ernie
If Harry walks into two different shops, what stops him signing these two copies over to two different people? As it stands, nothing.
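Here is the paper analogy as a small piece of code: it checks the chain of “X owns this, signed Y” lines, rejects Fred’s copy because Dave never signed it over to Fred, and then shows that two copies of Harry’s paper both pass the same check. This is an added example, not code from the article; the signatures are toy textbook RSA over small primes generated at runtime (not a secure scheme), and the names, keys and serial number are constructed for illustration.

```python
# Added example, not from the article: a chain-of-custody check for the signed
# paper. Toy textbook RSA over small runtime-generated primes (not secure);
# the names, serial number and keys are all constructed for illustration.
import hashlib, math

def next_prime(n):  # trial division is fine at toy sizes
    while any(n % k == 0 for k in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def make_keys(seed, e=65537):  # -> (public (n, e), private (n, d))
    p = next_prime(seed)
    q = next_prime(p + 1)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:  # e must be invertible mod phi
        q = next_prime(q + 1)
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def digest(msg, n):  # hash of the words on the paper, reduced into the key's range
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % n
def sign(priv, msg):
    return pow(digest(msg, priv[0]), priv[1], priv[0])
def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == digest(msg, pub[0])

PEOPLE = ["Governor", "Alice", "Bob", "Charlie", "Dave", "Ernie", "Fred", "Gail", "Harry"]
KEYS = {name: make_keys(1_000_000 + 10_000 * i) for i, name in enumerate(PEOPLE)}

def statement(serial, index, owner):  # serial + line number stop a signature being
    return f"{serial}:{index}:{owner} owns this"  # lifted onto another paper or line

def transfer(paper, signer, new_owner):  # a new copy of the paper with one more signed line
    serial, entries = paper
    sig = sign(KEYS[signer][1], statement(serial, len(entries), new_owner))
    return serial, entries + [(new_owner, signer, sig)]

def current_owner(paper, issuer="Governor"):
    # Each line must be signed by whoever owned the paper just before it;
    # returns the final owner, or None where the chain breaks.
    serial, entries = paper
    owner = issuer
    for i, (new_owner, signer, sig) in enumerate(entries):
        if signer != owner or not verify(KEYS[signer][0], statement(serial, i, new_owner), sig):
            return None
        owner = new_owner
    return owner

def build_papers():  # the article's two papers: Ernie's honest chain and Fred's copy
    paper = ("17283726152", [])
    for signer, new_owner in zip(PEOPLE[:4], PEOPLE[1:5]):  # Governor -> Alice -> ... -> Dave
        paper = transfer(paper, signer, new_owner)
    return transfer(paper, "Dave", "Ernie"), transfer(paper, "Gail", "Fred")
```

Two copies of Harry’s paper signed over to two different shops both pass `current_owner`: the chain check alone cannot see a double spend, which is exactly the problem the next part takes up.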
We’ll talk about this problem in part V, when we’ll discuss double spending.