This whitepaper lays out the consensus mechanism for Bitcoin. Recommended reading in understanding BTC from first principles.
Abstract
“A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.”
Interesting Points Highlighted
- Simple premise established that with financial institutions, the cost of mediation increases transaction costs
- Solution being an “electronic payment system based on cryptographic proof instead of trust”
- Transactions that are computationally impractical to reverse
- In the mint-based model, the mint was aware of all transactions and decided which arrived first
- The payee needs proof that at the time of each transaction, the majority of nodes agreed it was the first received
- With PoW (Proof of Work)
- The majority decision is represented by the longest chain, which has the greatest proof of work invested in it
- If the number of blocks generated are too fast, the difficulty increases
- Network
- New transactions are broadcast to all nodes → each node collects new transactions into a block
- Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash
- Nodes always consider the longest chain to be the correct one and will keep working on extending it
- New transaction broadcasts do not necessarily need to reach all nodes (as long as they reach many nodes, they will get into a block before long
- Incentive
- First transaction in a block is a special one → it starts a new coin owned by the creator of the block
- This adds an incentive for nodes to support the network and provides a way to initially distribute coins into circulation
- Important because there is no central authority to issue them
- Ofcourse, CPU and electricity are expended
- If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins
- Reclaiming disk space
- Once latest transaction in a coin is buried under enough blocks, spent transactions before it can be discarded to save disk space
- To do this without breaking the block’s hash, transactions are hashed into a Merkle Tree, with only the root included in the block’s hash
- Old blocks can then be compacted by stubbing off branches of the tree
- The interior hashes do not need to be stored
- Privacy
- Traditional banking model achieves a level of privacy by limiting access to info to the parties involved and the trusted 3rd party
- Bitcoin announces transactions publicly but keeps public keys anonymous
- The public can see that someone is ending an amount to someone else, but without info linking the transaction to anyone
- Risk is that if that the owner of the key is revealed, linking could reveal other transactions that belonged to the same owner
- Calculations
- Showed that the probability of an attacker finding the next block drops exponentially as the number of blocks the attacker has to catch up with increases
- Odds stacked against the attacker as they fall further behind
- Showed how it’s impossible for attackers, when honest nodes control the majority of CPU power
Conclusion
“We have proposed a system for electronic transactions without relying on trust. We started with the usual framework of coins made from digital signatures, which provides strong control of ownership, but is incomplete without a way to prevent double-spending. To solve this, we proposed a peer-to-peer network using proof-of-work to record a public history of transactions that quickly becomes computationally impractical for an attacker to change if honest nodes control a majority of CPU power. The network is robust in its unstructured simplicity. Nodes work all at once with little coordination. They do not need to be identified, since messages are not routed to any particular place and only need to be delivered on a best effort basis. Nodes can leave and rejoin the network at will, accepting the proof-of-work chain as proof of what happened while they were gone. They vote with their CPU power, expressing their acceptance of valid blocks by working on extending them and rejecting invalid blocks by refusing to work on them. Any needed rules and incentives can be enforced with this consensus mechanism.”