What does it mean to own Bitcoin?

Most people have heard of Bitcoin by now: that it is a completely digital currency with no government to issue it, and that it does not require banks to manage accounts and verify transactions. No one really knows who invented it. Yet many people don’t know the answer to this question, at least not completely. To get there, and to make sure the technical details behind the answer feel motivated, we will walk through how you might invent your own version of Bitcoin.

We’ll start with you using a public ledger to keep track of payments with your friends. Then, as you grow less and less trusting of your friends and the world, and if you’re clever enough to introduce some cryptographic tools that circumvent the need for trust, you end up with something called a “cryptocurrency.” Bitcoin is just the first implemented example of a cryptocurrency, and there are thousands of other cryptocurrencies that are now traded against traditional currencies. Going down the path of inventing your own helps lay the foundation for understanding some of the newer players in the game and recognizing where there is room for different design choices.

In fact, one of the reasons I chose this topic was in response to the renewed leap in attention, investment, and… um… hype that has been directed toward these currencies over the last year. I won’t comment or speculate on current or future exchange rates, but I think we can all agree that anyone looking to buy cryptocurrency should actually know what it is. And I don’t mean just analogies with vague connections to gold mining; I mean an actual, direct description of what computers are doing when sending, receiving, and creating cryptocurrency.
By the way, one thing worth stressing is that even though you and I are going to dive into the underlying details here, and it will take some time, you don’t actually need to know these details to use cryptocurrencies, just as you don’t need to understand what’s happening behind the scenes when you swipe your credit card. There are a lot of apps that make it easy to send and receive these currencies, just like any other digital payment. The difference is that the backbone behind it is not a bank verifying the transaction, but an ingenious system of decentralized, trustless verification based on some mathematical principles in cryptography.

Ledgers and digital signatures

First, let’s put aside the idea of cryptocurrency for a few minutes. We’ll start this story with something more practical: ledgers and digital signatures. If you and your friends frequently exchange money, paying your share of dinner and so on, it might be inconvenient to exchange cash all the time. Therefore, you might keep a public ledger of payments you intend to make in the future: Alice pays Bob $20, Bob pays Charlie $40, and so on. This ledger will be public and accessible to everyone, like a website that anyone can go to and add new rows to. At the end of each month, everyone looks at the list of transactions and tallies everything up. If you spent more than you received, you put that amount in the pot; if you received more than you spent, you take that amount out.

So the protocol for this system looks like this: anyone can add lines to the ledger, and at the end of each month, everyone comes together to settle with real money. One problem with a public ledger like this is that when anyone can add a line, what’s stopping Bob from coming in and writing “Alice pays Bob $100” without Alice’s approval? How can we trust that all of these transactions are what the senders intended?
This is where the first piece of cryptography comes in: digital signatures. Just like a handwritten signature, the idea here is that Alice should be able to add something next to the transaction that proves that she has seen and approved it. And it should be impossible for someone else to forge her signature. At first glance, digital signatures seem like they shouldn't be possible at all, because any data that makes up the signature can be read and copied by any computer, so how can forgery be prevented?

How it works is that each person generates what is called a public/private key pair, each of which looks like some string of bits. The private key is sometimes also called a "secret" key, so we can abbreviate it to sk and the public key to pk. As the name suggests, the secret key is something you should keep secret.

In the real world, your handwritten signature looks the same no matter what document you sign. A digital signature is much stronger because it changes with the message. It looks like a string of 1s and 0s, usually something like 256 bits, and changing the message even slightly will completely change what the signature on that message should look like. Formally, generating a signature involves some function that depends both on the message itself and on your private key. The private key ensures that only you can generate the signature, and the fact that it depends on the message means that no one can copy one of your signatures to forge it onto another message.

Paired with this is a function that verifies whether a signature is valid, and this is where the public key comes into play. All it does is output true or false to indicate whether this was a signature created by the private key associated with the public key you used to verify. I won't go into the details of exactly how these functions work, but the idea is that if you don't know the secret key, it should be completely infeasible to find a valid signature.
Specifically, there is no better strategy than to guess and check whether random signatures are valid, using the public key, until you find one that works. For a 256-bit signature, there are 2²⁵⁶ possible signatures to search through to find a valid one. That’s a stupidly large number. Calling it astronomically large is giving too much credit to astronomy. Let's put it this way: when you verify a signature given a message and a public key, you can be very confident that the only way someone could have generated the signature is if they knew the secret key associated with the public key.

There's a small problem here: if Alice signs a transaction like "Alice pays Bob $100", even though Bob can't forge Alice's signature on a new message, he can copy that same line as many times as he wants, since the message/signature combination remains valid. To solve this problem, when you sign a transaction, the message must include some unique ID associated with that transaction. This way, if Alice pays Bob $100 multiple times, each transaction requires a brand new signature. Well, great: digital signatures remove a large amount of trust from our initial protocol.

The ledger is the currency

But even then, it still relies on a sort of honor system. That is, you trust everyone to follow through and settle in cash at the end of each month. But what if, for example, Charlie is thousands of dollars in debt and refuses to show up? The only real reason to go back to cash settlements is if some people, I mean you, Charlie, owe a lot of money. So maybe you have the clever idea that you never actually have to settle in cash, as long as you have a way to prevent people from spending more than they take in. What you might do is start by having everyone pay $100 into the pot, and have the first few lines of the ledger say "Alice got $100, Bob got $100," etc. Now, a transaction is not accepted when someone spends more than they already have on the ledger.
For example, after everyone starts with $100, if the first two transactions are "Charlie pays Alice $50" and "Charlie pays Bob $50", then if he tries to add "Charlie pays you $20", it will be invalid, just as invalid as if he had never signed it. Note that this means you need to know the full history of transactions in order to verify that a new transaction is valid. This is more or less true for cryptocurrencies as well, although there is a little room for optimization.

Interestingly, this step somewhat removes the connection between the ledger and physical cash. In theory, if everyone in the world used this ledger, you could spend your entire life sending and receiving money only on this ledger without ever converting to real dollars. To emphasize this, we’ll start referring to the amounts on the ledger as “LedgerDollars,” or LD for short. You are of course free to exchange LedgerDollars for real dollars; for example, maybe Alice gives Bob a $10 bill in the real world in exchange for him adding and signing the transaction “Bob pays Alice 10 LedgerDollars” on the public ledger. But there is no guarantee of such an exchange in the protocol. It is now more analogous to how you would exchange dollars for euros or any other currency on the open market; it is just its own separate thing.

This is the first important thing to know about Bitcoin or any other cryptocurrency, about what it is: the history of transactions is the currency. Of course, with Bitcoin, funds do not enter the ledger by people buying in with cash; I will get to how new funds enter the ledger in a few minutes. Before that, there are more significant differences between our current LedgerDollars system

Decentralization: How Cryptocurrency Works

So far, I've said that this ledger is some public place, like a website where anyone can add new rows. But this requires trust in a central location. That is, who hosts the website? Who controls the rules for adding new rows?
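The ledger rules built up before this point (every row signed by its sender, a unique ID inside the signed message, no spending beyond your balance) can be checked mechanically. The Python sketch below is an added example, not code from the original article; the toy textbook-RSA signatures, the Mersenne-prime keys, the row format and all function names are assumptions chosen so it runs on the standard library, and the signature scheme is not secure for real use.

```python
import hashlib

# Toy textbook RSA stands in for sign/verify so this runs on the standard library.
# Unpadded RSA with these small, well-known primes is NOT secure.
E = 65537

def make_keypair(p, q):
    """Return (pk, sk) where pk = (n, e) and sk = (n, d)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(message, n):
    return int.from_bytes(hashlib.sha256(message.encode()).digest(), "big") % n

def sign(message, sk):
    n, d = sk
    return pow(digest(message, n), d, n)

def verify(message, signature, pk):
    n, e = pk
    return pow(signature, e, n) == digest(message, n)

def row(tx_id, sender, receiver, amount):
    # The signed message includes the unique transaction ID.
    return f"{tx_id}: {sender} pays {receiver} {amount} LD"

class Ledger:
    def __init__(self, public_keys, opening_balance=100):
        self.public_keys = public_keys
        self.balances = {name: opening_balance for name in public_keys}
        self.seen_ids = set()

    def add(self, tx_id, sender, receiver, amount, signature):
        """Apply the transaction and return 'accepted', or return why it was rejected."""
        if sender not in self.public_keys or receiver not in self.balances:
            return "unknown party"
        msg = row(tx_id, sender, receiver, amount)
        if not verify(msg, signature, self.public_keys[sender]):
            return "bad signature"
        if tx_id in self.seen_ids:
            return "replayed transaction id"
        if amount <= 0 or amount > self.balances[sender]:
            return "overspend"
        self.seen_ids.add(tx_id)
        self.balances[sender] -= amount
        self.balances[receiver] += amount
        return "accepted"

def demo():
    mersenne = lambda k: 2**k - 1  # 2**k - 1 is prime for every exponent used below
    keys = {"Alice": make_keypair(mersenne(127), mersenne(89)),
            "Bob": make_keypair(mersenne(107), mersenne(61)),
            "Charlie": make_keypair(mersenne(521), mersenne(607))}
    ledger = Ledger({name: pair[0] for name, pair in keys.items()})
    sk = {name: pair[1] for name, pair in keys.items()}

    sig = sign(row(1, "Alice", "Bob", 40), sk["Alice"])
    forged = sign(row(3, "Alice", "Bob", 100), sk["Bob"])  # Bob signs for Alice
    results = [
        ledger.add(1, "Alice", "Bob", 40, sig),       # genuinely signed by Alice
        ledger.add(1, "Alice", "Bob", 40, sig),       # same row copied again
        ledger.add(2, "Alice", "Bob", 40, sig),       # old signature, new ID
        ledger.add(3, "Alice", "Bob", 100, forged),   # wrong private key
    ]
    # Constructed variant of the article's Charlie example: 50 + 50, then 20 more.
    for tx_id, receiver, amount in [(4, "Alice", 50), (5, "Bob", 50), (6, "Alice", 20)]:
        sig = sign(row(tx_id, "Charlie", receiver, amount), sk["Charlie"])
        results.append(ledger.add(tx_id, "Charlie", receiver, amount, sig))
    return results, ledger.balances

if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome)
```

The copied row fails on its ID, the re-labelled row fails on its signature, and Charlie's third payment fails on his balance, which is why validating a new row requires the full history.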
To remove that trust, we’d have everyone keep their own copy of the ledger. Then, in order to make a transaction, like “Alice pays Bob 100 LedgerDollars,” you’d broadcast it to the world so that people can hear it and record it on their own private ledgers. But unless we do more, this system is going to be ridiculously broken. How do you get everyone to agree on what the correct ledger is? When Bob receives the transaction “Alice pays Bob 10 LedgerDollars”, how can he be sure that everyone else has received and believes the same transaction, so that he can later use those 10 LedgerDollars in a transaction with Charlie? Really, imagine yourself listening to the transactions being broadcast. How can you be sure that everyone else is recording the same transactions in the same order?

Now we come to an interesting puzzle: can you come up with a protocol for how transactions are accepted or rejected, and in what order, so that you can be confident that anyone else in the world following the same protocol has a personal ledger that looks exactly like yours? This is the problem addressed in the original Bitcoin paper. At a high level, the solution Bitcoin provides is to trust the ledger that has the most computational work put into it. I’m going to spend some time explaining exactly what this means, which involves something called a “cryptographic hash function.” The general idea we’ll build on is that if you use computational work as the basis for trust, you can make it so that fraudulent transactions and conflicting ledgers would require an infeasible amount of computation. Again, this is beyond what anyone needs to know to use a currency like this. But it’s a very cool idea, and if you understand it, you understand the core of Bitcoin and other cryptocurrencies.

Cryptographic Hash Functions

A hash function takes any type of message or file and outputs a bit string of a fixed length, such as 256 bits.
This output is called the "hash" or "digest" of the message, and it looks random. It's not random; for a given input, it always gives the same output. But the idea is that when you change the input slightly, perhaps editing just one character, the resulting hash value changes completely. In fact, for the hash function I'm showing you here (called SHA256), the way the output changes when you slightly change the input is completely unpredictable.

You see, this isn't just any hash function; it's a cryptographic hash function. This means that reversing the calculation is infeasible. If I showed you some specific string of 1s and 0s and asked you to find an input message such that the SHA256 hash of that message gave this exact string of bits, you would have no better approach than guessing and checking. You might think you could reverse engineer the required input by really digging into the details of how the function works, but no one has found a way to do that. Interestingly, there is no proof that the reverse calculation is difficult, yet modern security relies heavily on cryptographic hash functions. If you were to look up what algorithm is behind the secure connection your browser makes right now, with YouTube or with your bank, you'd probably see a name like SHA256 in there. For now, our focus is simply on how such a function can prove that a particular list of transactions is associated with a significant amount of computational work.

Proof of Work and the Blockchain

Imagine someone showed you a list of transactions, and they said, “I found a special number so that when you put this number at the end of the transaction list, and apply SHA256 to the whole thing, the first 30 bits of the output are all zeros.” How hard do you think it would be for them to find that number? For a random message, the probability that the hash will start with 30 consecutive zeros is 1 in 2³⁰, which is about 1 in a billion.
Since SHA256 is a cryptographic hash function, the only way to find such a special number is by guessing and checking. Therefore, this person would almost certainly have had to check about a billion different numbers to find this special number. Once you know this number, you can quickly verify that the hash value does indeed start with 30 zeros. In other words, you can verify that they have done a lot of work without having to do the same work yourself. This is called "proof of work." The important thing is that all of this work is inherently tied to that list of transactions. If you change one of those transactions, even slightly, it completely changes the hash, so you have to make another billion guesses to find a new proof of work, a new number such that the hash of the altered list together with this new number starts with 30 zeros.

Now think back to our distributed ledger situation. Everyone is broadcasting transactions, and we want a way for everyone to agree on the correct ledger. As I said, the core idea behind the original Bitcoin paper is for everyone to trust the ledger that has the most work put into it. The way it works is that a given ledger is first organized into blocks, where each block consists of a list of transactions along with a proof of work, that is, a special number such that the hash of the entire block starts with a bunch of zeros. For now let's assume it must start with 60 zeros, but I'll come back to how you choose that number later. Just as a transaction is only considered valid if it's signed by the sender, a block is only considered valid if it has a proof of work. Also, to ensure there's a standard way to order these blocks, we'll require that a block contain the hash of the previous block. That way, if you change any block, or try to swap the order of two blocks, it changes the block after it, which changes the hash of that block, which changes the next block, etc.
This requires redoing all the work and finding a new special number for each block so that its hash starts with 60 zeros. Because the blocks are linked together in this way, it is often called a "blockchain" rather than a ledger.

As part of our updated protocol, we will now allow anyone in the world to become a “block creator.” This means they will listen for transactions being broadcast, collect them into a block, then do a whole bunch of work to find the special number that makes the hash of that block start with 60 zeros, and then broadcast the block they found. To reward the block creator for all this work, when she builds a block, we'll allow her to include a special transaction at the top in which she gets 10 LedgerDollars out of thin air. This is called a block reward. This is a special exception to our usual rules about whether or not to accept a transaction; it doesn't come from anyone, so it doesn't have to be signed. This also means that the total number of LedgerDollars in our economy increases with each new block.

Creating blocks is often referred to as "mining" because it is a lot of work and it introduces new currency into the economy. However, when you hear or read about miners, remember that what they really do is create blocks, broadcast those blocks, and get rewarded with new funds for doing so. From a miner’s perspective, each block is like a miniature lottery, with everyone trying to guess numbers as fast as they can until one lucky person finds a number that makes the block’s hash start with lots of zeros, and is rewarded for it.

The way our protocol works now for people using the system is that instead of listening for transactions, you listen for new blocks broadcast by miners, updating your own personal copy of the blockchain. The key addition is that if you hear about two different blockchains with conflicting transaction histories, you follow the longest one, the one that has the most work put into it.
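The block and fork rules described above, as an added Python example that is not part of the original article: each block carries the previous block's hash and a nonce, and a listener switches only to a valid chain that is longer than its own. The 12-bit difficulty (instead of 60), the block layout and the function names are assumptions made so the demo mines in milliseconds.

```python
import hashlib

GENESIS = "0" * 64
DIFFICULTY_BITS = 12  # assumption: small so mining is fast; the text uses 30 and 60

def block_hash(block):
    payload = "|".join([block["prev"], *block["txs"], str(block["nonce"])])
    return hashlib.sha256(payload.encode()).hexdigest()

def has_proof_of_work(block, bits=DIFFICULTY_BITS):
    # The hash, read as a 256-bit number, must start with `bits` zero bits.
    return int(block_hash(block), 16) >> (256 - bits) == 0

def mine(prev_hash, txs, bits=DIFFICULTY_BITS):
    """Guess and check nonces until the block's hash has the required zeros."""
    block = {"prev": prev_hash, "txs": list(txs), "nonce": 0}
    while not has_proof_of_work(block, bits):
        block["nonce"] += 1
    return block

def build_chain(tx_lists):
    chain, prev = [], GENESIS
    for txs in tx_lists:
        chain.append(mine(prev, txs))
        prev = block_hash(chain[-1])
    return chain

def chain_is_valid(chain):
    """Every block must point at the hash of the one before it and carry its own work."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev or not has_proof_of_work(block):
            return False
        prev = block_hash(block)
    return True

def choose_chain(current, candidate):
    """Fork rule: adopt a valid chain only if it is longer; on a tie keep what you have.
    With one fixed difficulty, the longest chain is also the one with the most work."""
    if chain_is_valid(candidate) and len(candidate) > len(current):
        return candidate
    return current

def tamper(chain, index, new_txs):
    """Copy the chain with one block's transactions edited and no work redone."""
    edited = [dict(block, txs=list(block["txs"])) for block in chain]
    edited[index]["txs"] = list(new_txs)
    return edited

if __name__ == "__main__":
    # Constructed sample transactions.
    honest = build_chain([["Alice pays Bob 10 LD"],
                          ["Bob pays Charlie 5 LD"],
                          ["Charlie pays Alice 1 LD"]])
    edited = tamper(honest, 0, ["Alice pays Bob 1000 LD"])
    print("honest valid:", chain_is_valid(honest))
    print("edited valid:", chain_is_valid(edited))
    print("guesses per block:", [block["nonce"] + 1 for block in honest])
```

Editing the first block invalidates every later block's back-pointer, so making the edited history acceptable means re-mining all of them.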
If there is a tie, wait until you hear about an additional block that makes one of them longer. So even if there is no central authority, and everyone maintains their own copy of the blockchain, if everyone agrees to give priority to the blockchain that has the most work put into it, we have a way to achieve decentralized consensus.

Double Spending

To understand why this is a trustworthy system, and to know when you should trust that a payment is legitimate, it helps to know what it would take to trick someone in this system. If Alice wants to fool Bob with a fraudulent block, she might try to send him a block that contains her payment of 100 LedgerDollars to him, without broadcasting that block to the rest of the network. This way everyone else thinks she still owns those 100 LedgerDollars. To do this, she would have to find a valid proof of work before all the other miners (each working on their own block). This could happen! Maybe Alice wins this little lottery before everyone else. But Bob will still hear the broadcasts from the other miners, so in order for him to keep believing the fraudulent block, Alice would have to do all the work herself to keep adding blocks to this special fork in Bob's blockchain that differs from what he hears from the other miners.

Remember, by protocol, Bob always trusts the longest chain he knows about. If Alice happens to find blocks faster than all the other miners on the network combined, she might be able to keep this going for a few blocks. However, unless Alice has close to 50% of the computing resources of all miners, the blockchain that all other miners are working on will grow faster than the single fraudulent blockchain that Alice is providing to Bob. So, over time, Bob will reject what he hears from Alice in favor of the longer chain that everyone else is working on. Note that this means you shouldn’t trust a new block you hear about immediately. Instead, you should wait for a few new blocks to be added to it.
If you still haven’t heard of any longer blockchains, you can trust that this block is part of the same chain that everyone else is using.

Block times, halvings, and transaction fees

At this point, we have covered all the main ideas. This distributed ledger system based on proof of work is more or less how the Bitcoin protocol works, as well as how many other cryptocurrencies work. There are just a few details that need clarification. Earlier I said that the proof of work might be to find a special number that makes the hash of the block start with 60 zeros. The way the actual Bitcoin protocol works is to periodically change the number of zeros so that it takes 10 minutes on average to find a block. So as more miners come on the network, the challenge gets harder and harder, to the point where this micro-lottery only has about one winner every 10 minutes. Many newer cryptocurrencies have much shorter block times.

All money in Bitcoin ultimately comes from some block reward. These rewards started at 50 bitcoins per block. There is a great website called "Block Explorer" where you can view the Bitcoin blockchain, and if you look at the first few blocks on the chain, you will see that they contain no transactions other than the 50 bitcoin reward given to the miner. Every 210,000 blocks (roughly every 4 years), the reward is cut in half, so the reward per block is now 12.5 bitcoins, and since this reward decreases exponentially over time, there will never be more than 21 million bitcoins in existence.

However, this does not mean that miners will stop making money. In addition to block rewards, miners can also earn transaction fees. How it works is that every time you make a payment, you can choose to include a small transaction fee, which will be paid to the miner of whichever block includes that payment. The reason you do this is to incentivize miners to actually include the transaction you broadcast in the next block.
You see, in Bitcoin, each block is limited to about 2,400 transactions, which many critics consider to be unnecessarily restrictive. By comparison, Visa processes about 1,700 transactions per second on average and can process over 24,000 transactions per second. Bitcoin's slower processing speed means higher transaction fees, as these determine which transactions miners choose to include in new blocks.

This is far from a comprehensive coverage of cryptocurrency. There are many nuances and alternative design choices I haven’t touched upon here, but hopefully this can provide a stable “wait but why”-style trunk of understanding for anyone who wishes to add more branches with further reading. Like I said at the beginning, one of the motivations behind this article is that a lot of money has started to flow into cryptocurrencies, and for people getting into this game it would be beneficial to at least understand the basics of the technology.