As you may know Bitcoin was developed by Satoshi Nakamoto (whoever he is) in 2008. Bitcoin’s claim to fame is that it is the world’s first decentralized digital currency. Not the first overall digital currency, but the first one to solve the problems associated with decentralization. What problems might those be?
It’s fairly easy to use standard cryptographic tools, like digital signatures, to “prove” ownership of something. I can prove I own one bitcoin by presenting a valid digital signature. I can also sign over ownership of that bitcoin to you by attaching your bitcoin address to it before signing. The problem we run into, however, is that there is no way to know whether I also signed over ownership of that same coin to someone else (or even to another address controlled by myself) before transferring it to you. Since bitcoins are digital, they are not scarce and can be copied ad infinitum. Any digital currency that doesn’t tackle this “double spend” problem will be destroyed by hyperinflation on day one.
Centralized digital currencies attempt to solve this problem by keeping a log of all the transactions ever to have taken place. Before accepting a payment from me, you would check with the issuing company to make sure I have not previously transferred the same coin to someone else. This works well enough except that the centralized issuer creates a single point of failure. Governments notoriously don’t like competition and a single issuer is very easy to shut down. This is exactly what happened to Liberty Reserve. The company had over a million customers before it was shut down by the U.S. Government earlier this year for the “crime” of letting people transfer money from point A to point B. God forbid. Needless to say, this creates a need for a censorship resistant digital currency that does not have a single point of failure and cannot be shut down by an arbitrary decree of the government.
The solution Bitcoin employs is to simply make the transaction history public. Each user will download and store a copy of the transaction history and can check this ledger before accepting payment to verify that the coins have not been previously spent. Sounds easy enough, so what’s the monumental innovation here? Well, this method ends up creating more problems than it solves. For starters, how do you get all the users to agree on a single transaction history? How likely is it that millions of users around the globe will form a consensus about prior transactions? Consider how each user has an incentive to see to it that their transactions are left out of the global transaction history. I’m sure there are plenty of people who would love to make a 100 BTC purchase only to have that transaction fail to make it into the public ledger. In computer science this problem is known as the Byzantine Generals Problem. Without solving this problem, Bitcoin would be forever plagued by multiple competing transaction histories, and fraudulent transactions.
One potential solution could be to allow users to vote for which transaction history they believe to be valid, but there are multiple problems here. First, it’s not hard for an attacker to gain control of a botnet — a group of computers infected with a virus allowing the attacker to control them. Any one-IP-address-one-vote scheme would be corrupted fairly easily. Second, this still doesn’t address the problem of incentives. Even if you could guarantee only one vote per user, the incentive still remains to vote only for the transaction history which favors you the most.
The Block Chain
This is where Nakamoto really showed off his brilliance. To help you understand his solution I will first describe the Bitcoin mining process, then we’ll analyze it to see how it radically shifts the incentives.
When you first open your Bitcoin wallet, your computer automatically connects to a handful of other users (called peers) who are also operating the wallet software. Whenever you make a transaction, your computer broadcasts it to the peers you’ve connected to. Upon receiving the transaction, each peer will perform a series of about 20 checks to make sure the transaction is valid (including checking the digital signature to verify that you are in fact the owner), then relay it to its peers. Through this process the transaction will propagate throughout the network eventually reaching all users.
A “miner” is a peer in the network who collects these transactions and works to organize them into blocks. In the early days of Bitcoin every user was also a miner. Today, however, with Bitcoin’s rise in popularity, mining has become profitable to the point where it now takes specialized hardware and software to mine. After a miner receives and verifies a transaction, he adds it to a memory pool along with all other unconfirmed transactions and begins assembling them into a block. A typical block will contain about two to three hundred transactions. A critical point to keep in mind here is that all miners receive all transactions and independently work to create a block. Once a miner creates a valid block, he broadcasts it to the network. Each user will check its validity, then add it to their local copy of the public ledger, called the block chain.
Whichever miner creates a valid block is rewarded for his effort with newly created bitcoins (hence the term mining). The protocol regulates the rate at which bitcoins are created. Currently, the reward is set at 25 bitcoins per block (about $3,600 USD) and is scheduled to be halved every four years until the total number of bitcoins created reaches 21 million.
So if just anyone with the right hardware can create a block, what stops miners from each creating blocks with favorable transaction histories, relaying them, and creating multiple versions of the block chain?
Proof of Work
The Bitcoin protocol specifies that in order to produce a “valid” block, a miner must submit proof that he expended a certain amount of processing power (and hence time) in the creation of the block. In practice this essentially amounts to requiring that miners submit an answer to a complex math problem which can only be found by running random numbers through an equation over and over again until the correct answer is found (we’ll talk more about the exact mechanisms in Part 2). The difficulty of this math problem is calibrated such that only one miner will solve this math problem every ten minutes on average. Now I can’t stress the importance of this proof of work enough. It isn’t just busy work like some suggest. It is designed such that blocks can be found much quicker collectively rather than individually. Consider, for example, a situation where there are competing transaction histories (a “fork” in the block chain).
In this case the math problems that need to be solved are different for each chain. When confronted with this situation, each miner needs to decide for himself which chain he is going to work to extend. In this sense miners can be said to “vote” with their processing power. Now as a matter of arithmetic, the chain with the most processing power devoted to extending it will always be the longest chain. If chain A has 51% of the processing power and chain B has 49%, those mining chain A will collectively solve the math problems quicker than those mining on chain B. As a result, the more time that passes, the larger the gap between chain A and chain B will become.
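To make the point that the two sides of a fork are solving different puzzles concrete, here is a toy proof-of-work loop added for this write-up (it is not Bitcoin’s real block-header format, and the difficulty is a constructed value chosen so it finishes in seconds in pure Python): the previous block’s hash is part of what gets hashed, so a nonce found on chain A’s tip is no use on chain B’s.

```python
import hashlib
import struct

# Toy proof of work (added example, not the real Bitcoin header layout).
# A candidate block is prev_hash || transaction data || nonce; it is "solved"
# when its double-SHA-256 digest, read as a 256-bit integer, is below TARGET.
DIFFICULTY_BITS = 16                        # constructed toy difficulty
TARGET = 1 << (256 - DIFFICULTY_BITS)       # on average 2**16 tries per block

def block_hash(prev_hash: bytes, txs: bytes, nonce: int) -> bytes:
    """Double SHA-256 over (previous block hash || transactions || nonce)."""
    data = prev_hash + txs + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def is_valid(prev_hash: bytes, txs: bytes, nonce: int) -> bool:
    return int.from_bytes(block_hash(prev_hash, txs, nonce), "big") < TARGET

def mine(prev_hash: bytes, txs: bytes, max_nonce: int = 1 << 32) -> tuple:
    """Run nonces through the hash until one lands under target.
    Returns (nonce, tries); the loop is the 'random numbers through an
    equation over and over' from the text, with no shortcut available."""
    for nonce in range(max_nonce):
        if is_valid(prev_hash, txs, nonce):
            return nonce, nonce + 1
    raise RuntimeError("nonce space exhausted; change the transaction data")

# Constructed sample: the two competing "block three" tips of a fork, and the
# same set of unconfirmed transactions offered to miners on both sides.
TIP_A = hashlib.sha256(b"block 3 on chain A").digest()
TIP_B = hashlib.sha256(b"block 3 on chain B").digest()
TXS = b"alice->bob 1 BTC; carol->dave 2 BTC"

def fork_puzzles_differ() -> bool:
    """Work spent extending chain A does not carry over to chain B: a solved
    nonce for tip A is valid on tip B only by a 2**-DIFFICULTY_BITS fluke."""
    nonce_a, _ = mine(TIP_A, TXS)
    return is_valid(TIP_A, TXS, nonce_a) and not is_valid(TIP_B, TXS, nonce_a)

if __name__ == "__main__":
    nonce, tries = mine(TIP_A, TXS)
    print(f"chain A solved with nonce {nonce} after {tries} tries "
          f"(expected about {2 ** DIFFICULTY_BITS})")
    print("same nonce also solves chain B?", is_valid(TIP_B, TXS, nonce))
```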
From the perspective of an individual miner, you always want to mine on the majority chain. Why? Because it’s unlikely the public will accept a minority chain as valid. Any blocks that you mine are not going to be worth 25 BTC (or $3,600 USD), instead they will be worth zero. This applies even to someone who wants to “vote” for a transaction history that is more favorable to himself. Consider the following example: The last block in the chain is block three and a malicious miner just spent 300 BTC on a new car. He wants to see to it that his transaction doesn’t make it into block four so he starts mining a block that does not include his transaction. Let’s say the miner controls 10% of the network’s processing power (a large amount that is certainly difficult to get). Given that it takes the entire network an average of 10 minutes to solve the math problems needed to find a block, this individual miner will take 100 minutes on average to find a block. Obviously, it is much more likely that the rest of the network will mine block four before the malicious miner. When this happens the miner has a decision to make: Does he give up his attack, accept the legitimate block four, and begin work on block five, or does he continue working to find a block four with his version of the transaction history? If he chooses the latter, again the probabilities suggest the rest of the network will find block five (and blocks six, seven, etc.) before he finds his version of block four. Whenever he does manage to find and relay his fraudulent block four, it will simply be ignored (orphaned in Bitcoin parlance) since the main chain is longer than his alternate chain.
The only way such an attack could succeed is for the malicious miner to continue adding blocks to his alternate chain and somehow extend it longer than the main chain. As we already mentioned, however, the chain with the majority of the processing power will always grow to be the longest chain, so unless this attacker can muster up a ton of processing power, the attack will not succeed.
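The race described above can be put in numbers. The following is an added example, not code from the original post: it implements the gambler’s-ruin catch-up probability and the formula from section 11 of the Bitcoin whitepaper, plus a Monte Carlo cross-check. q is the attacker’s share of hash power (0.1 for the 10% miner in the story) and z is how many blocks behind he is.

```python
import math
import random

# Added example (not from the original post). q = attacker's share of hash
# power, p = 1 - q = the rest of the network. Each new block is found by the
# attacker with probability q and by everyone else with probability p.

def catch_up_probability(q: float, z: int) -> float:
    """Gambler's ruin: chance an attacker z blocks behind ever draws level
    with the main chain. Certain once q >= p; otherwise (q/p)**z, which
    shrinks exponentially with the deficit. To overtake rather than draw
    level (what the story needs), use z + 1."""
    p = 1.0 - q
    return 1.0 if q >= p else (q / p) ** z

def attacker_success_probability(q: float, z: int) -> float:
    """Whitepaper section 11: a recipient waits z confirmations; meanwhile the
    attacker's progress is Poisson with mean z*q/p. Sum over the k blocks he
    already found and apply catch_up_probability to the remaining deficit."""
    p = 1.0 - q
    if q >= p:
        return 1.0
    lam = z * q / p
    lost = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        lost += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - lost

def simulate_catch_up(q: float, z: int, trials: int = 20000,
                      give_up_lead: int = 40, seed: int = 1) -> float:
    """Monte Carlo cross-check of catch_up_probability for q < 0.5: race block
    by block until the attacker draws level (win) or falls give_up_lead blocks
    behind (constructed cutoff; the chance of returning from there is negligible)."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        lead = z                          # main chain's lead in blocks
        while 0 < lead < give_up_lead:
            lead += -1 if rng.random() < q else 1
        if lead == 0:
            wins += 1
    return wins / trials

if __name__ == "__main__":
    q = 0.1                               # the 10% miner from the story
    print(f"expected minutes for a {q:.0%} miner to find a block: {10 / q:.0f}")
    for z in range(6):
        print(f"z={z}: catch up {catch_up_probability(q, z):.6f}  "
              f"whitepaper P {attacker_success_probability(q, z):.6f}")
    print("simulated catch-up from 1 behind:", simulate_catch_up(q, 1))
```

The whitepaper’s table (q=0.1, z=5 gives 0.0009137; q=0.3, z=10 gives 0.0416605) is reproduced by attacker_success_probability, and the simulation lands on the 1/9 that catch_up_probability(0.1, 1) predicts.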
You might ask, how likely is it that someone can commandeer enough processing power to put himself over 50%? Surely the NSA has some powerful supercomputers, right? Couldn’t they do it? Well, considering that the total processing power in the Bitcoin network is faster at computing these math problems than the top 500 supercomputers in the world combined … times 35, I’m going to go out on a limb and say it is unlikely to happen. Not only that, but as we speak people are bringing more processing power online in an attempt to mine blocks and earn the reward. Check out this chart of the total processing power in the network:
No, that isn’t an NSA data center firing up. It’s the mad rush to mine bitcoin in the aftermath of the price increase from $14 at the beginning of the year to approximately $140 right now, combined with advances in mining hardware.
So to sum up, given the likelihood of failure, the only rational thing to do is simply to give up mining alternative chains, accept the network consensus and move on. The opportunity cost of mining blocks that will not be included in the main chain is just too high. Because of this incentive structure, profit maximizing miners will always choose to mine on the majority chain guaranteeing that the millions of disparate Bitcoin users will be able to agree on a single transaction history.
So there you have it. Hopefully now you can appreciate the sheer brilliance of Nakamoto’s protocol. He designed Bitcoin in such a way that it essentially channels private self-interest into public good. Miners are led as if by the invisible hand of Satoshi himself to come to a consensus.
Ok that’s it for this post. In Part 2 we will take a deeper look at the cryptography involved in Bitcoin mining and how it is used to secure the network.