Understanding Bitcoin Internals

Most people who have opinions about Bitcoin don’t know what Bitcoin really is. The best way to learn that is to dive into the details of how Bitcoin works.

Bitcoins Do Not Exist

Bitcoins do not exist, in the classical sense.

You already know you can’t hold a Bitcoin in your hands. Of course, you can’t hold your checking account or your Facebook profile, either. But your checking account is addressable; it has a unique identifier (composed of the routing number and the account number). You can’t touch it, but you can still point to it.

Bitcoins aren’t like that. They are not uniquely identifiable. You cannot point at where a Bitcoin is now: you can only point to the last place it was seen.

Bitcoins are Heraclitean fire, forever splitting and recombining, traceable only through the public record of a chain of expenditures. These values are only identifiable as the results of an expenditure, which we call “outputs”.

You Cannot Own A Bitcoin

It’s difficult to prove ownership of a thing which does not exist.

All you can do is prove that you are authorized to spend it. How do you spend a Bitcoin? By relinquishing your authority to spend it. You do this using “transactions” which consume outputs from previous transactions and create new outputs, subject to new authorities.

Trading Bitcoins is not as much like trading actual physical coins as it is like trading gift cards - like, for instance, an Amazon or iTunes gift card. A gift card isn’t legal tender; it’s an authorization to spend a certain amount of US dollars. Bitcoin authorities are authorizations to spend a certain amount of Bitcoins.

There’s a lot of irony here. First, “cryptocurrencies” are less like cryptographic currencies and more like massively multiplayer crowdsourced gift cards. Second, and more subtly, Bitcoin rhetoric is often very anti-authoritarian. But in practice, at the level of implementation, Bitcoin is all about authority. (Bitcoin rhetoric often also has a strong theme of anonymity, but Bitcoin is actually more traceable than any real currency.)

Authority

The Bitcoin system evaluates authority over outputs using scripts written in a flexible (though not Turing-complete) language. These scripts are embedded in the outputs of the transactions themselves. A transaction that attempts to spend an output is only valid when it defines arguments that the output’s script can determine to be correct. Thus authority in the Bitcoin system is always, in one way or another, the ability to prove you know something.

For simple transactions which model transfers of ownership — the most common type of transaction — the knowledge consists of a cryptographic key pair. The transaction disburses a certain amount of Bitcoins to anyone who can prove knowledge of a key pair. This is the type of transaction employed when using a Bitcoin “address”.

More complex transactions can transfer authority to a combination of key pairs. For example, authority over a certain amount of Bitcoins might require the use of three key pairs, each possessed by a different person. A transaction might require the solution to a puzzle. It is possible to define scripts that destroy Bitcoins by always denying authority, as well as scripts that allow anyone to spend an output. (Although Bitcoin hype is out of control, and Bitcoin’s implementation has some serious issues, this aspect of Bitcoin is very promising and holds a lot of potential. For instance, in a successful implementation of a so-called “cryptocurrency,” both contract compliance and escrow agents could be built into the currency itself.)

Transactions assert authority over inputs, and the Bitcoin network is responsible for confirming or rejecting transactions based on their assertions. Anyone can submit transactions claiming authority over outputs, but the Bitcoin network only records a transaction in the public record (called the blockchain) when its claims are proven by running the scripts.

Transactions

A transaction has two components: a list of inputs and a list of outputs. Inputs link the Bitcoin to its previous outputs. Outputs describe how to divide and authorize any use of the combined value of the inputs.

Each output has:

Each input has:

The total value spent in a transaction is the sum of its inputs’ values. This sum may be distributed among any number of output values; there’s no need for correspondence between individual inputs and outputs.

This arrangement allows you to make change, when using an input that has a higher value than the amount you wish to spend. You can do this by creating one output that transfers authority to the recipient, and another which transfers authority back to you. Similarly, you can combine the values of several small inputs to produce an output of greater value.

When the total output value is less than the total input value, the difference is an implicit output which can only be claimed by the next Bitcoin miner who discovers a block. (Quoting the Bitcoin wiki: “Any input bitcoins not redeemed in an output [are] considered a transaction fee; whoever generates the block will get it.”) This is the mechanism used to pay transaction fees to miners, which are customary for large or complex transactions. You can ignore the custom, but then most miners will ignore your transaction.

Scripts

A transaction asserts authority over an input by defining a list of arguments. If the input’s script returns True when evaluated with these arguments, then the transaction is authorized to use this input. Otherwise, the transaction has not proven authority over the input, and it will be rejected.

Bitcoin software allows you to define arbitrary scripts, but the Bitcoin protocol only considers a few clearly defined types of scripts to be standard. (Since Bitcoin has no formal spec, the set of standard scripts for any version of the Bitcoin protocol is defined by whatever the reference client is doing. As you can see by reading this source code link, in the current version, v0.10, the reference client allows only five standard transactions.) All others are supposed to be rejected by the Bitcoin network. (Quoting the Bitcoin wiki: “Note that there is a small number of standard script forms that are relayed from node to node; non-standard scripts are accepted if they are in a block, but nodes will not relay them.”) Even so, some of the non-standard scripts are worth examining as a path to better understanding of Bitcoin transactions.

The simplest possible script is empty; it has no instructions, so it merely returns the argument provided to it. Anyone can spend the associated output merely by specifying True as the argument.

The next simplest script merely returns False. The result is an output that cannot be spent. This effectively destroys the amount of Bitcoin that was specified as the output’s value.

The Original Ownership Script: Pay To Pubkey

Of the scripts that are actually accepted by the Bitcoin network, the most straightforward is called Pay to Pubkey. This type of script takes one argument: a digital signature. It verifies the signature against a public key that is embedded in the script itself.

To receive a Bitcoin payment using this method, you must provide the sender with the full public key corresponding to some private key you possess. There are two disadvantages to this approach:

These problems are severe, so this script type is deprecated.

The Current Ownership Script: Pay To Pubkey Hash

Instead, by far the most common form of transaction is one involving a “Bitcoin address”. The only things actually addressable in the Bitcoin system are transactions and the blocks that record them. So what is a Bitcoin address that we should be mindful of it?

A Bitcoin address is the cryptographic hash of the public part of a key pair. (Per the Bitcoin wiki: a Bitcoin address is in fact the hash of an ECDSA public key.) When used in an output script, this hash identifies the key pair which can be used to exercise authority over the output. It is easy to confirm that a certain hash was generated from a particular public key, but it is not easy to reverse the process, to determine from a hash what the original public key was. This addresses one of the two problems with Pay to Pubkey. A hash of a public key is shorter than the original public key, and this solves the other problem.

It works like this: for each transaction output that you intend to “pay” to an “address”, you create a script that expects two arguments: the full public key, and a digital signature of the transaction created with the corresponding private key. You embed the “address” as a literal value in the body of the script.

At runtime, the script takes the supplied public key and hashes it. If that hashed value does not match the script’s embedded “address” literal, the script will immediately return False. Otherwise, the script proceeds to verify the signature supplied in the arguments against the public key. If the signature is valid, the script returns True.

Multiple-Signature Scripts

You can also transfer authority over Bitcoins in a way that requires more than one signature for the next expenditure. (As you can see by examining the source code, in v0.10, multi-signature scripts are arbitrarily limited to a maximum of 3 key pairs.) The output script in this case embeds a literal number representing the number of public keys (N) to be used, a literal number representing the number of signatures required to authorize the use of this output as an input (M), and the public keys themselves.

When this output is used as a transaction input, you provide M signatures generated from the private keys corresponding to the output script’s public keys.

In this situation there is no single recipient, nor is there any obvious “address”. Requesting a “payment” of this sort means providing the creator of the transaction with all the public keys you wish to be used and relying on it to properly construct the output script.
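The scripts described in the preceding sections (the empty and always-false scripts, Pay to Pubkey, Pay to Pubkey Hash and M-of-N multisig) can all be exercised with a small stack interpreter. What follows is an added example written for this page; it is not code from the article or from the Bitcoin reference client. It assumes several simplifications: a byte string stands in for the serialised transaction that a real signature covers, SHA-256 of the public key stands in for the HASH160 (RIPEMD-160 of SHA-256) that a real address is built from, signatures are raw r||s rather than DER, the private keys are tiny constructed values, scripts are Python lists rather than serialised bytecode, and the ECDSA is a minimal pure-Python implementation over the genuine secp256k1 curve rather than a hardened library. Opcode names follow Bitcoin's (OP_DUP, OP_EQUALVERIFY, OP_CHECKSIG, OP_CHECKMULTISIG, OP_RETURN) except OP_HASH, which is this example's stand-in for OP_HASH160.

```python
"""Toy evaluator for the article's scripts (empty, always-false, Pay to Pubkey, Pay to
Pubkey Hash, M-of-N multisig). Added example, not the article's code. Assumed simplifications:
a byte string stands in for the serialised transaction, SHA-256 of the public key for Bitcoin's
HASH160 "address", and the ECDSA is a minimal pure-Python version over the real secp256k1 curve."""
import hashlib

P = 2**256 - 2**32 - 977                                                # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):                                  # affine addition on y^2 = x^3 + 7; None = infinity
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p == q
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):                                 # double-and-add scalar multiplication
    acc = None
    while k:
        acc = _add(acc, pt) if k & 1 else acc
        pt, k = _add(pt, pt), k >> 1
    return acc

def pubkey(priv):                                # public key encoded as 64 bytes x || y
    x, y = _mul(priv, G)
    return x.to_bytes(32, "big") + y.to_bytes(32, "big")

def sign(priv, msg):                             # ECDSA r || s; nonce from key+msg (RFC 6979-style)
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + msg).digest(), "big") % N
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def verify(pub, msg, sig):                       # ECDSA: x of (z/s)G + (r/s)Q must equal r mod N
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < N and 0 < s < N):
        return False
    q = (int.from_bytes(pub[:32], "big"), int.from_bytes(pub[32:], "big"))
    z, w = int.from_bytes(hashlib.sha256(msg).digest(), "big"), pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, q))
    return pt is not None and pt[0] % N == r

def run_script(ops, args, tx):
    """Push the spending input's arguments, then run the output script; True = authority proven."""
    stack = list(args)
    for op in ops:
        if isinstance(op, (bytes, int)):         # literal: pubkey, address, M or N
            stack.append(op)
        elif op == "OP_DUP":
            stack.append(stack[-1])
        elif op == "OP_HASH":                    # stands in for OP_HASH160
            stack.append(hashlib.sha256(stack.pop()).digest())
        elif op == "OP_EQUALVERIFY":
            if stack.pop() != stack.pop():
                return False
        elif op == "OP_CHECKSIG":                # top of stack is the pubkey, below it the signature
            stack.append(verify(stack.pop(), tx, stack.pop()))
        elif op == "OP_CHECKMULTISIG":
            pubs = [stack.pop() for _ in range(stack.pop())][::-1]  # back to script order
            sigs = [stack.pop() for _ in range(stack.pop())][::-1]
            stack.pop()                          # Bitcoin's off-by-one consumes one extra item
            i = 0                                # signatures must appear in the pubkeys' order
            for sig in sigs:
                while i < len(pubs) and not verify(pubs[i], tx, sig):
                    i += 1
                if i == len(pubs):
                    stack.append(False)
                    break
                i += 1
            else:
                stack.append(True)
        else:                                    # OP_RETURN (and any op not modelled) denies
            return False
    return bool(stack) and bool(stack[-1])

def demo():
    tx = b"constructed stand-in for the serialised spending transaction"
    alice, bob, carol = 0xA11CE, 0xB0B, 0xCA201  # toy private keys, constructed and insecure
    pa, pb, pc = pubkey(alice), pubkey(bob), pubkey(carol)
    p2pkh = ["OP_DUP", "OP_HASH", hashlib.sha256(pa).digest(), "OP_EQUALVERIFY", "OP_CHECKSIG"]
    two_of_three = [2, pa, pb, pc, 3, "OP_CHECKMULTISIG"]
    return {
        "empty_true": run_script([], [b"\x01"], tx),               # anyone can spend
        "return_false": run_script(["OP_RETURN"], [b"\x01"], tx),  # nobody can spend
        "p2pk_ok": run_script([pa, "OP_CHECKSIG"], [sign(alice, tx)], tx),
        "p2pkh_ok": run_script(p2pkh, [sign(alice, tx), pa], tx),
        "p2pkh_wrong_key": run_script(p2pkh, [sign(bob, tx), pb], tx),
        "p2pkh_wrong_tx": run_script(p2pkh, [sign(alice, b"other"), pa], tx),
        "ms_ok": run_script(two_of_three, [b"", sign(alice, tx), sign(carol, tx)], tx),
        "ms_wrong_order": run_script(two_of_three, [b"", sign(carol, tx), sign(alice, tx)], tx),
        "ms_too_few": run_script(two_of_three, [b"", b"", sign(bob, tx)], tx),  # blank sig fails
    }
```

Calling demo() returns one verdict per case. The Pay to Pubkey Hash cases show the two checks the text describes in order: a public key whose hash does not match the embedded address fails at OP_EQUALVERIFY before any signature is examined, and a signature over a different transaction fails at OP_CHECKSIG even though the hash matches. The multisig cases show two properties of OP_CHECKMULTISIG that the text does not spell out: signatures must be supplied in the same order as the public keys they correspond to, and the opcode pops one more item than it uses (a long-standing off-by-one in the reference implementation), which is why every multisig argument list here begins with an empty placeholder.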

Conclusion

Bitcoin’s a fascinating blend of brilliant innovation and cowboy hacking. Under the hood, it’s a scripting language paired with a network. The network shares (a subset of) the scripting language’s command history with its entire user base, worldwide, for all time. Consequently, this command history is gigantic and full of bizarre cruft. Although people refer to Bitcoin as a cryptocurrency, its ownership and spending model has more in common with corporate gift cards than actual currencies.