[[ch01_how_does_bitcoin_work]] == How Does Bitcoin Work? === Bitcoin currency and units Internally, all values are stored in _satoshi_, the base unit of the bitcoin currency, equal to 100th of a millionth of a bitcoin latexmath:[\( 1 satoshi = 1/100,000,000 bitcoin\)]. For example, Alice's transaction transferring 0.015 bitcoin to Bob for a cup of coffee, will be encoded in the blockchain with a value of one and a half million (1,500,000) satoshi. [TIP] ==== All value references in the book will indicate satoshi or bitcoin units as appropriate. Code segments showing encoded value should be assumed to be satoshi unless otherwise specified ==== === Bitcoin addresses and public key crypto Bitcoin uses Elliptic Curve public key cryptography for its default algorithm for signing transactions. ==== Public Key Cryptography ((("public key", "private key"))) Public key, or assymetric cryptography, is a type of cryptography that uses a pair of digital keys. A user has a private and a public key. The public key is derived from the private key with a mathematical function that is difficult to reverse. [[pubcrypto_colors]] .Public Key Cryptography: Irreversible Function as Color Mixing image::images/pubcrypto-colors.png["Public Key Cryptography: Irreversible Function as Color Mixing"] As an example, think of mixing a shade of yellow with a shade of blue. Mixing the two colors is simple. However, figuring out exactly which two shades went into the final mix is not so easy, unless you have one of the two shades. If you have one of the colors you can easily filter it out and get the other. Whereas mixing colors is easy, "un-mixing" them is hard. The mathematical equivalent most often used in cryptography is the Discrete Logarith Problem link$$https://en.wikipedia.org/wiki/Discrete_logarithm_problem#Cryptography$$[Discrete Logarithm Problem in Cryptography] To use public key cryptography, Alice will ask Bob for his public key. Then, Alice can encrypt messages with Bob's public key, knowing that only Bob can read those messages, since only Bob has the equivalent private key. [TIP] ==== In most implementations, the private and public keys are stored together as a _key pair_, for convenience. However, it is trivial to re-produce the public key if one has the private key, so storing only the private key is also possible. ==== ==== Elliptic Curve Cryptography ((("elliptic curve cryptography", "ECC"))) Elliptic Curve Cryptography is a type of assymetric or public-key cryptography based on the discrete logarithm problem as expressed by addition and multiplication on the points of an elliptic curve. Starting with a private key in the form of a randomly generator number +k+, we multiply it with a predetermined point on the curve called the _generator point_ to produce another point somewhere else on the curve, which is the corresponding public key. [latexmath] ++++ \begin{equation} {K = k G} \end{equation} ++++ [[key_derivation]] where +k+ is the private key, +G+ is a fixed point on the curve called the _generator point_, ((("generator point"))) and +K+ is the resulting public key, another point on the curve. Elliptic curve multiplication can be visualized geometrically as drawing a line connecting two points on the curve (G and kG) to produce a third point (K). The third point is the public key. [[ecc_addition]] .Elliptic Curve Cryptography: Visualizing the addition operator on the points of an elliptic curve image::images/ecc-addition.png["Addition operator on points of an elliptic curve"] Bitcoin specifically uses the +secp256k1+ elliptic curve: ((("secp256k1"))) [latexmath] ++++ \begin{equation} {y^2 = (x^3 + 7)} \text{over} \mathbb{F}_p \end{equation} ++++ or [latexmath] ++++ \begin{equation} {y^2 \mod p = (x^3 + 7) \mod p} \end{equation} ++++ where +p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F+, a very large prime. The +mod p+ indicates that this curve is over a finite field of prime order +p+, also written as latexmath:[\(\mathbb{F}_p\)]. The curve looks like a pattern of dots scattered in two dimensions, which makes it difficult to visualize. However, the math is identical as that of an elliptic curve over the real numbers shown above. [[ecc-over-F37-math]] .Elliptic Curve Cryptography: Visualizing the addition operator on the points of an elliptic curve over F(p) image::images/ecc-over-F37-math.png["Addition operator on points of an elliptic curve over F(p)"] ==== Generating bitcoin keys There are many ways to generate keys for use in bitcoin. The simplest is to pick a large random number and turn it into a key pair (See <>). A random key can generated with very simple hardware or even manually with pen, paper and dice. The disadvantage of random keys is that if you generate many of them you must keep copies of all of them. Another method for making keys is _deterministic key generation_. Here you generate each new key as a function of the previous key, linking them in a sequence. As long as you can re-create that sequence, you only need the first key to generate them all. In this section we will examine the different methods for key generation. ===== Type-0 or non-deterministic (random) keys The first and most important step in generating keys is to find a secure source of entropy, or randomness. The private key is a 256-bit number, which must be selected at random. Creating a bitcoin key is essentially the same as "Pick a number between 1 and 2^256^". The exact method you use to pick that number does not matter, as long as it is not predictable or repeatable. Bitcoin software will use the underlying operating system's random number generators to produce 256-bits of entropy. Usually, the OS random number generator is initialized by a human source of randomness, which is why you may be asked to wiggle your mouse around for a few seconds. For the trully paranoid, nothing beats dice, pencil and paper. [[Type0_keygen]] .Private key generation: From random mouse movements to a 256-bit number used as the private key image::images/Type-0 keygen.png["Private key generation"] [TIP] ==== The bitcoin private key is just a number. A public key can be generated from any private key. Therefore, a public key can be generated from any number, up to 256-bits long. You can pick your keys randomly using a method as simple as dice, pencil and paper. ==== Once a private key has been generated, the public key equivalent can be derived from it using the elliptic curve multiplication function. Many software implementations of bitcoin use the OpenSSL library, specifically the https://www.openssl.org/docs/crypto/ec.html[Elliptic Curve library]. Here's an example from the reference implementation, generating a public key from an existing private key [[ecc_mult]] .Reference Client: Using OpenSSL's EC_POINT_mul to generate the public key from a private key https://github.com/bitcoin/bitcoin/blob/0.8.4/src/key.cpp#L31[bitcoin/src/key.cpp : 31] ==== [source, c++] ---- // Generate a private key from just the secret parameter int EC_KEY_regenerate_key(EC_KEY *eckey, BIGNUM *priv_key) { [...initializtion code ommitted ...] if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, ctx)) <1> goto err; EC_KEY_set_private_key(eckey,priv_key); EC_KEY_set_public_key(eckey,pub_key); [...] ---- <1> Multiplying the priv_key by the generator point of the elliptic curve group, produces the pub_key ==== [TIP] ==== The size of bitcoin's private key, 2^256^ is a truly unfathomable number. It is equal to approximately 10^77^ in decimal. The visible universe contains approximately 10^80^ atoms. ==== This most basic form of key generation, generates what are known as _Type-0_ or _Non-Deterministic_ (ie. random) keys. When a sequence of keys is generated for a single user's wallet, each key is randomly generated when needed [[Type0_chain]] .Type-0 or Non-Deterministic Keys are randomly generated as needed image::images/type0_chain.png["Key generation"] ===== Type-1 deterministic (non-random) key chains [[Type1_chain]] .Type-1 Deterministic Keys are generated from a phrase and index number image::images/type1_chain.png["Key generation"] ===== Type-2 chained deterministic keys [[Type2_chain]] .Type-2 Chained Deterministic Keys are generated from a binary seed and index number image::images/type2_chain.png["Key generation"] ===== Type-2 hierarchical deterministic keys [[Type2_tree]] .Type-2 Hierarchical Deterministic Keys are derived from a master seed using a tree structure image::images/BIP32-derivation.png["Key generation"] === Transactions In simple terms, a transaction tells the network that the owner of a number bitcoins has authorized the transfer of some of those bitcoins to another owner. The new owner can now spend these bitcoins by creating another transaction that authorizes transfer to another owner, and so on, in a chain of ownership. [TIP] ==== _Transactions_ move value from _transaction inputs_ to _transaction outputs_. An input is where the coins (value) is coming from, either a previous transaction's output or a miner's reward. An output "sends" value to a new owner by locking it with their key. ==== The transaction contains proof of ownership for each amount of bitcoin whose value is transfered, in the form of a digital signature from the owner, that can be independently validated by anyone. In bitcoin terms, "spending" is signing the value of a previous transaction for which you have the keys, over to a new owner. At this point you may begin to wonder: "If every transaction refers to value in a previous transaction, where does the value come from originally?". All bitcoins are originally _mined_ (see <>). Each block contains a special transaction which is the first transaction in the block. This is called the _generation_ transaction and it generates bitcoin out of a special input, which is called the _coinbase_ and is reward for creating a new block. In simple terms, miners get the privilege of a magic transaction that create bitcoins from thin-air and pay those bitcoins to themselves. If you were to look at the chain of transaction for a bitcoin payment you have received, you can track the inputs to a previous transaction's output. Go back far enough and you will find the block where the bitcoins you hold today were once mined. A transaction, in bitcoin terminology, also refers to the signed data structure that contains a series of inputs and outputs transferring value, as encoded in the blockchain or propagating on the bitcoin network. In the blockchain, a transaction is stored as a variable-lenght data structure, that contains an array of _transaction inputs_ and an array of _transaction outputs_. .A transaction data structure, as stored in the blockchain [options="header"] |======= |Part|Size|Description |Version| 4 bytes | The transaction type version (default and only type value is 1) |Number of Inputs | VarInt | How many inputs are listed below |Inputs | List of Tx_In | One or more inputs, specifying where the value will come from |Number of Outputs | VarInt | How many outputs are listed below |Outputs | List of Tx_Out | One or more outputs, specifying where to "send" the value |======= From the perspective of Alice and Bob's transaction for the cup of coffee, the input would be Alice's coins from previous transactions and the output would be 0.015 BTC (or 1.5m satoshi) that would be "sent" to Bob's bitcoin address for payment of the coffee. Bob could then spend this bitcoin by creating transactions whose inputs refer to this transaction s output. Each transaction's outputs become possible inputs for future transactions. What changes is who controls the keys that unlock them. For that we have to delve in a bit deeper into the data structure of the inputs and outputs themselves. The input always refers to a previous transaction. In the case of Alice's coffee purchase, he wallet software would find a previous transaction that has a similar value, to minimize the need for generating change. Let's assume that Alice had previously been paid 0.02BTC by someone else. Her wallet will use that previous transaction to pay Bob for the coffee. .Alice's transaction input [options="header"] |======= |Part|Value|Description |Previous Tx Hash| 643b0b82c0e88ffdfec6b64e3e6ba35e7ba5fdd7d5d6cc8d25c6b241501 | a hash used to identify a previous transaction |Previous Tx Index| 0 | The first output of that transaction is 0 |Script Signature | 30450...6b241501 | A signature from Alice's key to unlock this value |======= In the input above, Alice sources the funds to pay for the coffee. In this case, all the funds come from a single output from a previous transaction. It is possible to construct transactions that source value from thousands of inputs, aggregating the value. A transaction can also have thousands of outputs, so the _Tx Index_ is used to identify which of the previous transaction's outputs will be "consumed" in this new transaction. In this case, Alice will be using the first transaction output. You may notice that there is no value field in the input. That is because the *entire* value of the referenced output is consumed. You cannot use only part of an output, you must use the entire value. All the value from all the inputs listed in a transaction is aggregated and then disbursed to the various outputs, according to the value defined in those outputs. In attempting to pay Bob for coffee, Alice must create a transaction for the exact amount, even though she may not have "exact change" in the form of previous transactions that perfectly match. Alice will therefore have to either aggregate many smaller inputs (previous unspent outputs) to reach the price of the coffee, or use a larger input and then make some change back to her wallet. This is all done automatically by the wallet software, so Alice just sees the exact amount transacted, but behind the scenes there may be a flurry of inputs being aggregated and change returned. For simplicity, Alice was lucky enough to have a perfectly matching previous transaction, so her wallet only needs one input for this coffee transaction. [TIP] ==== Inputs don't have a value field. That is because the outputs of a previous transaction can either be spent or unspent as a whole. You cannot use part of an output, you must use all of it. If you only need part of the value of a previous output, you must spend all of it and generate "change", by creating an new output for the excess value back to your own wallet. ==== .Alice's transaction output [options="header"] |======= |Part|Value|Description |Value| 1,500,000 | The value in satoshi to transfer to this output |Script| OP_DUP OP_HASH160 OP_EQUALVERIFY OP_CHECKSIG | A script for spending this output |======= The second part of the transaction, is where Alice effectively pays Bob for the coffee. This is achieved by creating an output _that only Bob can spend_. In bitcoin, the script used to "lock" an output to a specific bitcoin address is +OP_DUP OP_HASH160 OP_EQUALVERIFY OP_CHECKSIG+, with ++ replaced by the public key of the recipient, in this case Bob's public key. While this script looks rather complicated and confusing, it will be explained in great detail below (see <