On October 31, 2008, an individual or group using the pseudonym Satoshi Nakamoto published a groundbreaking document titled Bitcoin: A Peer-to-Peer Electronic Cash System. This foundational text introduced the world to Bitcoin and laid the groundwork for the entire cryptocurrency ecosystem.
This article presents the core concepts and principles from the original Bitcoin whitepaper, translated into English and structured for clarity. It explains the innovative solution proposed to solve the double-spending problem without relying on trusted third parties.
Introduction: The Problem with Traditional Electronic Payments
Internet commerce relies almost entirely on financial institutions serving as trusted third parties to process electronic payments. While this system works well enough for most transactions, it suffers from the inherent weaknesses of the trust-based model.
Non-reversible transactions are not truly possible because financial institutions cannot avoid mediating disputes. The costs of mediation increase transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small, everyday payments. There is a broader cost: the system’s inability to make non-reversible payments for non-reversible services.
What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party.
Understanding the Double-Spending Problem
An electronic coin can be defined as a chain of digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction together with the public key of the next owner, and appending this signature to the end of the coin. The payee can check the signatures to confirm the chain of ownership.
The problem is that the payee cannot verify that one of the owners did not double-spend the coin. The traditional solution involves a trusted central authority, or mint, that checks every transaction for double spending. This approach centralizes power and requires every transaction to go through the mint.
The Bitcoin solution involves publicly announcing transactions and implementing a system for participants to agree on a single history of the order in which transactions were received. The payee needs proof that at the time of each transaction, the majority of nodes agreed it was the first one received.
The Role of the Timestamp Server and Proof-of-Work
The solution begins with a timestamp server. A timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.
To implement a distributed timestamp server on a peer-to-peer basis, Bitcoin uses a proof-of-work system similar to Adam Back's Hashcash. Proof-of-work involves scanning for a value that, when hashed (for example with SHA-256), yields a hash beginning with a certain number of zero bits. The average work required is exponential in the number of zero bits required, yet the result can be verified by executing a single hash.
In the Bitcoin network, the proof-of-work is implemented by incrementing a nonce in the block until a value is found that gives the block's hash the required zero bits. Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it.
Proof-of-work also solves the problem of determining representation in majority decision making. If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs. Proof-of-work is essentially one-CPU-one-vote. The majority decision is represented by the longest chain, which has the greatest proof-of-work effort invested in it.
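As an added illustration (not code from the whitepaper or from Bitcoin's own implementation), the following Python toy reduces the proof-of-work and chaining described above to a few functions: a header hash over predecessor, payload and nonce, a leading-zero-bits target, and a validator that shows why altering an old block means re-mining it and every block after it. It assumes a simplified header format and a fixed, constructed difficulty; real Bitcoin uses double SHA-256 over an 80-byte header and periodically retargets the difficulty.

```python
import hashlib
GENESIS_PREV = "0" * 64  # constructed placeholder for "no previous block"

def block_hash(prev_hash: str, data: str, nonce: int) -> str:
    """SHA-256 over the fields a header ties together: previous hash, payload, nonce."""
    return hashlib.sha256(f"{prev_hash}|{data}|{nonce}".encode()).hexdigest()

def has_leading_zero_bits(h: str, bits: int) -> bool:
    """A 256-bit value starts with `bits` zero bits iff it is below 2**(256 - bits)."""
    return int(h, 16) >> (256 - bits) == 0

def mine(prev_hash: str, data: str, bits: int) -> tuple[int, str]:
    """Proof-of-work: ~2**bits hashes to find a nonce, one hash for anyone to check it."""
    nonce = 0
    while True:
        h = block_hash(prev_hash, data, nonce)
        if has_leading_zero_bits(h, bits):
            return nonce, h
        nonce += 1

def build_chain(items: list[str], bits: int, prev: str = GENESIS_PREV) -> list[dict]:
    """Mine one block per item, each committing to the hash of the block before it."""
    chain = []
    for data in items:
        nonce, h = mine(prev, data, bits)
        chain.append({"prev": prev, "data": data, "nonce": nonce, "hash": h})
        prev = h
    return chain

def first_invalid_block(chain: list[dict], bits: int) -> int:
    """Validate as a node would (link, stored hash, proof-of-work); -1 if all good."""
    prev = GENESIS_PREV
    for i, b in enumerate(chain):
        h = block_hash(b["prev"], b["data"], b["nonce"])
        if b["prev"] != prev or h != b["hash"] or not has_leading_zero_bits(h, bits):
            return i
        prev = h
    return -1

def tamper(chain: list[dict], index: int, new_data: str) -> list[dict]:
    """Alter one block's payload without redoing any work; validation catches it."""
    altered = [dict(b) for b in chain]
    altered[index]["data"] = new_data
    return altered

def rewrite_from(chain: list[dict], index: int, new_data: str, bits: int) -> list[dict]:
    """What altering block `index` really costs: re-mining it and every later block."""
    later = [new_data] + [b["data"] for b in chain[index + 1:]]
    prev = chain[index - 1]["hash"] if index else GENESIS_PREV
    return chain[:index] + build_chain(later, bits, prev)
```

With 12 zero bits each block takes a few thousand hashes to mine; raising `bits` by one doubles the expected work while verification stays a single hash.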
How the Network Functions and Reaches Consensus
Nodes always consider the longest chain to be the correct one and will keep working on extending it. If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one first and others the other. In that case, they work on the first one they received but save the other branch in case it becomes longer.
The tie is broken when the next proof-of-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one. New transaction broadcasts do not necessarily need to reach all nodes. As long as they reach many nodes, they will get into a block before long.
Incentivizing Participation: Coin Generation and Transaction Fees
By convention, the first transaction in a block is a special transaction that starts a new coin owned by the creator of the block. This adds an incentive for nodes to support the network and provides a way to initially distribute coins into circulation, since there is no central authority to issue them.
The steady addition of a constant amount of new coins is analogous to gold miners expending resources to add gold to circulation. In this case, it is CPU time and electricity that is expended. The incentive can also be funded with transaction fees. If the output value of a transaction is less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction.
Once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation-free. The incentive may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using that power to defraud people by stealing back his payments or using it to generate new coins.
He ought to find it more profitable to play by the rules, rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.
Optimizing Storage and Simplifying Payment Verification
Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. To facilitate this without breaking the block's hash, transactions are hashed in a Merkle tree, with only the root included in the block's hash.
Old blocks can then be compacted by stubbing off branches of the tree. The interior hashes do not need to be stored. A block header with no transactions would be about 80 bytes. If blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2MB per year.
It is possible to verify payments without running a full network node. A user only needs to keep a copy of the block headers of the longest proof-of-work chain, which he can get by querying network nodes until he's convinced he has the longest chain.
He obtains the Merkle branch linking the transaction to the block it's timestamped in. He cannot check the transaction for himself, but by linking it to a place in the chain, he can see that a network node has accepted it, and blocks added after it further confirm the network has accepted it.
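An added example, not code from the whitepaper or from Bitcoin Core, showing the Merkle tree and the SPV check from the two sections above: a full node builds the root that goes into the header and hands a client the branch for one transaction, and the client verifies it against the header alone. It follows Bitcoin's hashing conventions (double SHA-256, odd levels duplicate their last hash) but works on raw bytes without the byte-reversed display form, and the transaction ids are constructed.

```python
import hashlib

def dsha256(b: bytes) -> bytes:
    """Bitcoin hashes transaction and block data with SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def _pad(level: list[bytes]) -> list[bytes]:
    """An odd level duplicates its last hash (Bitcoin's convention). Because two
    different txid lists can then share a root, full nodes also reject repeated txids."""
    return level + [level[-1]] if len(level) % 2 else level

def _next_level(level: list[bytes]) -> list[bytes]:
    """Hash each adjacent pair into one parent node."""
    return [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(txids: list[bytes]) -> bytes:
    """The single hash a block header commits to, whatever the transaction count."""
    level = list(txids)
    while len(level) > 1:
        level = _next_level(_pad(level))
    return level[0]

def merkle_branch(txids: list[bytes], index: int) -> list[tuple[bytes, bool]]:
    """Sibling hashes from leaf to root, the only data a full node must hand an SPV
    client. Each entry is (sibling_hash, sibling_is_on_the_right)."""
    branch, level = [], list(txids)
    while len(level) > 1:
        level = _pad(level)
        sibling = index ^ 1
        branch.append((level[sibling], sibling > index))
        level, index = _next_level(level), index // 2
    return branch

def verify_branch(txid: bytes, branch: list[tuple[bytes, bool]], header_root: bytes) -> bool:
    """SPV check: fold the leaf up through the branch and compare with the root in the
    block header. No other transaction is needed, so a header-only client (or a node
    that has pruned this block's spent transactions) can still confirm inclusion."""
    h = txid
    for sibling, sibling_is_right in branch:
        h = dsha256(h + sibling) if sibling_is_right else dsha256(sibling + h)
    return h == header_root

# Constructed sample: five fake transaction ids, not real Bitcoin data.
SAMPLE_TXIDS = [dsha256(f"constructed tx {i}".encode()) for i in range(5)]
```

For a block of n transactions the branch holds about log2(n) hashes, which is why a client can hold only the 80-byte headers and still check that a transaction was accepted.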
Privacy in a Public Transaction System
The traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party. The necessity to announce all transactions publicly precludes this method in Bitcoin, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous.
The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone. This is similar to the level of information released by stock exchanges, where the time and size of individual trades is made public, but without telling who the parties were.
As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner. Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner.
Frequently Asked Questions
What is the primary innovation of the Bitcoin whitepaper?
The primary innovation is solving the double-spending problem for digital currency without requiring a trusted central authority. It achieved this through a decentralized peer-to-peer network using cryptographic proof and a consensus mechanism called proof-of-work.
How does proof-of-work secure the Bitcoin network?
Proof-of-work requires participants (miners) to expend computational effort to find a valid proof-of-work solution, a block hash with the required number of leading zero bits, before they can add a new block of transactions to the chain. This process secures the network because altering any past block would require an attacker to redo the proof-of-work for that block and all subsequent blocks, a computationally impractical feat as long as honest nodes control a majority of the CPU power.
What are Bitcoin transaction fees?
Transaction fees are small amounts of bitcoin paid by the sender of a transaction to incentivize miners to include their transaction in the next block. After all new coins are minted, these fees will serve as the sole incentive for miners to continue securing the network.
Can Bitcoin transactions remain truly private?
While Bitcoin offers a degree of pseudonymity because transactions are between cryptographic addresses and not directly linked to real-world identities, the public nature of the blockchain means transaction flows are analyzable. It is not an entirely anonymous system; it is more accurately described as pseudonymous.
What is the purpose of the 'coinbase' transaction in a block?
The coinbase transaction is the first transaction in a new block. It is a special transaction that creates new bitcoin from nothing and awards it to the miner who successfully found the proof-of-work solution for that block. It is the mechanism for issuing new currency and incentivizing mining.
How does a user verify a transaction without running a full node?
A user can perform Simplified Payment Verification (SPV). By downloading only the block headers of the longest chain and requesting a Merkle branch proof from a full node, the user can cryptographically verify that their transaction is included in a block without having to store the entire blockchain.
Conclusion: A System Based on Cryptographic Proof
Bitcoin proposes an electronic transaction system that does not rely on trust. It starts with the usual framework of coins made from digital signatures, which provides strong control of ownership but is incomplete without a way to prevent double-spending.
The solution is a peer-to-peer network using proof-of-work to record a public history of transactions. This system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes. The network itself requires minimal structure. Messages are broadcast on a best-effort basis, and nodes can leave and rejoin the network at will, simply by accepting the proof-of-work chain as proof of what happened while they were gone.