Bitcoin protocol

The Bitcoin protocol for the bitcoin cryptocurrency is an open source cryptographic protocol that operates on a peer-to-peer network. It uses a chain or "blockchain" of transactions to achieve consensus and to solve the double-spending problem. The blockchain is distributed internationally using peer-to-peer filesharing technology similar to BitTorrent. It was designed in 2008 and released in 2009 by pseudonymous developer(s) Satoshi Nakamoto.

The network timestamps transactions by including them in blocks that form an ongoing chain called the blockchain. Such blocks cannot be changed without redoing the work that was required to create each block since the modified block. The longest blockchain serves not only as proof of the sequence of events but also records that this sequence of events was verified by a majority of the Bitcoin network's computing power. As long as a majority of computing power is controlled by nodes that are not cooperating to attack the network, they will generate the longest chain of records and outpace attackers.

The network itself requires minimal structure to share transactions. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will. Upon reconnection, a node will download and verify new blocks from other nodes to complete its local copy of the blockchain.^[1][2]

This section does not cite any sources. Please help improve this section by adding citations to reliable sources. Unsourced material may be challenged and removed. (May 2013) (Learn how and when to remove this message)

A bitcoin is a currency object — an entity which is traded, though nothing prevents trades in fractional or multiple bitcoins. All bitcoins are equivalent. A transaction creates and destroys (invalidates) bitcoins, creating the same amount as it destroys.

A bitcoin is defined by a chain of digitally-signed transactions that began with its creation as a block reward. The owner of a bitcoin transfers it to the next owner by digitally signing it over to the next owner in a bitcoin transaction, much like endorsing a traditional bank check. A payee can verify each previous transaction to verify the chain of ownership.

Although it would be possible to handle bitcoins individually, it would be unwieldy to make a separate transaction for every cent in a transfer. Transactions are therefore allowed to contain multiple inputs and outputs, and in that way bitcoins can be split and combined. Common transactions will have either a single input from a larger previous transaction or multiple inputs combining smaller amounts, and at most two outputs: one for the payment, and one returning the change, if any, back to the sender. Any difference between the total input and output amounts of a transaction is offered to miners as a transaction fee.

It should be noted that fan-out, where a transaction depends on several transactions, and those transactions depend on many more, is not a problem here. Since the network verifies every transaction along the way, there is never the need to extract a complete standalone copy of a transaction's history.

Two consecutive SHA-256 hashes are used for transaction verification. RIPEMD-160 is used after a SHA-256 hash for Bitcoin digital signatures or "addresses". A Bitcoin address is the hash of an ECDSA public-key, computed as follows:

Bitcoin address/Public-key = Version concatenated with RIPEMD-160(SHA-256(public key))
Checksum = 1st 4 bytes of SHA-256(SHA-256(Key hash))
Bitcoin Address = Base58Encode(Key hash concatenated with Checksum)

The Bitcoin specification starts with the concept of a distributed timestamp server. A timestamp server works by taking a SHA256 hash function of some data and widely publishing the hash, such as in a newspaper or Usenet post. The timestamp proves that the data must have existed at the time, in order to produce the hash. For Bitcoin, each timestamp includes the previous timestamp hash as input for its own hash. This dependency of one hash on another is what forms a chain, with each additional timestamp providing evidence that each of the previous timestamp hashes existed.

To form a distributed timestamp server as a peer-to-peer network, Bitcoin uses a proof-of-work system similar to Adam Back's Hashcash and the internet rather than newspaper or Usenet posts.^[2] The work in this system is what is often referred to as Bitcoin mining.

The mining process involves scanning for a value that when hashed twice with SHA-256, begins with a number of zero bits. While the average work required increases exponentially with the number of leading zero bits required, a hash can always be verified by executing a single round of double SHA-256.

For the Bitcoin timestamp network, a valid "proof-of-work" is found by incrementing a nonce until a value is found that gives the block's hash the required number of leading zero bits. Once the hashing has produced a valid result, the block cannot be changed without redoing the work. As later records or "blocks" are chained after it, the work to change the block would include redoing the work for each subsequent block.

Majority consensus in Bitcoin is represented by the longest chain, which required the greatest amount of effort to produce it. If a majority of computing power is controlled by honest nodes, the honest chain will grow fastest and outpace any competing chains. To modify a past block, an attacker would have to redo the proof-of-work of that block and all blocks after it and then surpass the work of the honest nodes. The probability of a slower attacker catching up diminishes exponentially as subsequent blocks are added.^[2]

To compensate for increasing hardware speed and varying interest in running nodes over time, the difficulty of finding a valid hash is adjusted roughly every 2 weeks. If blocks were generated too fast, the difficulty increases and more hashes are required to find a block and to generate new bitcoins.^[2]

Bitcoin mining is a competitive endeavor. An arms race has been observed through the various hashing technologies that have been used to mine bitcoins: basic CPUs, High-end GPUs (Graphical Processing Units) common in many gaming computers, FPGAs (Field Programmable Gate Arrays) and ASICs (Application-specific integrated circuits) all have been used with the latter reducing profitability of each former technology. The newest addition, ASICs, are built into devices that are specialized for Bitcoin mining.^[3]

Computing power is often bundled together or "pooled" into a central server to reduce variance in miner income. Individual mining rigs often have to wait relatively long periods of time to confirm a block of transactions and receive payment. When miners cooperate in a pool, all participating miners receive a number of the bitcoins every time a participating server solves a block. This payment is proportional to the amount of work an individual miner contributed to help find that block.^[4]

A rough overview of the process to mine bitcoins is:^[2]

1. New transactions are broadcast to all nodes.
2. Each miner node collects new transactions into a block.
3. Each miner node works on finding a difficult proof-of-work for its block.
4. When a node finds a proof-of-work, it broadcasts the block to all nodes.
5. New bitcoins are successfully collected or "mined" by the receiving node which found the proof-of-work.
6. Nodes accept the block only if all transactions in it are valid and not already spent.
7. Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.
8. Repeat.

Nodes are incentivized to work on extending the longest chain or risk their work being wasted. If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first. In that case, they work on the first one they received, but save the other branch in case it becomes longer. The tie will be broken when the next proof-of-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one.

New transaction broadcasts do not necessarily need to reach all nodes. As long as they reach many nodes, however, transactions will get into a block before long. Block broadcasts are also tolerant of dropped messages. If a node does not receive a block, it will request it when it receives the next block and realizes it missed one.

By convention, the first transaction in a block is a special transaction that produces new bitcoins owned by the creator of the block. This adds an incentive for nodes to support the network,^[2] and provides a way to initially distribute coins into circulation, since there is no central authority to issue them.

The continual and steady addition of new coins is analogous to gold miners expending resources to add gold to circulation.^[2] In this case, it is computing power and electricity that is expended.

The incentive can also be funded with transaction fees. If the output value of a transaction is less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction.

Once the latest transaction of a coin is buried under enough blocks, fully spent transactions which preceded it can be discarded in order to save disk space. To facilitate this without breaking the block's hash, transactions are hashed in a Merkle tree, with only the root included in the block's hash. Old blocks can then be compacted by stubbing off branches of the tree. The interior hashes need not be stored.

A block header with no transactions would be about 80 bytes. Supposing that blocks are generated every 10 minutes, 80 bytes × 6 × 24 × 365 = 4.2 MB per year. With computer systems typically selling with 6 GB of RAM as of 2013, and Moore's law predicting current growth of 1.2 GB per year, storage should not be a problem even if the block headers need to be kept in memory.

It is possible to verify Bitcoin payments without running a full network node. A user only needs to keep a copy of the block headers of the longest proof-of-work chain, which are available by querying network nodes until it's apparent that the longest chain has been obtained. Then, get the Merkle branch linking the transaction to the block it is timestamped in. One can not check the transaction for oneself, but by linking it to a place in the chain, one can see that a network node has accepted it, and blocks added after it further confirm the network has accepted it.

As such, the verification is reliable as long as honest nodes control the network, but is more vulnerable if the network is overpowered by an attacker. While network nodes can verify transactions for themselves, the simplified method can be fooled by an attacker's fabricated transactions for as long as the attacker can continue to overpower the network. To protect against this, alerts from network nodes detecting an invalid block prompt the user's software to download the full block and verify alerted transactions to confirm their inconsistency. Businesses that receive frequent payments will probably still want to run their own nodes for more independent security and quicker verification.

• Bitcoin Wiki
• Bitcoin Mining Equipment