The Original Bitcoin White Paper by Satoshi Nakamoto

Bitcoin: A Peer-to-Peer Electronic Cash System
by Satoshi Nakamoto
A purely peer-to-peer version of electronic
cash would allow online
payments to be sent directly from one party
to another without going through a
financial institution. Digital signatures
provide part of the solution, but the main
benefits are lost if a trusted third party
is still required to prevent double-spending.
We propose a solution to the double-spending
problem using a peer-to-peer network.
The network timestamps transactions by hashing
them into an ongoing chain of
hash-based proof-of-work, forming a record
that cannot be changed without redoing
the proof-of-work. The longest chain not only
serves as proof of the sequence of
events witnessed, but proof that it came from
the largest pool of CPU power. As
long as a majority of CPU power is controlled
by nodes that are not cooperating to
attack the network, they’ll generate the longest
chain and outpace attackers. The
network itself requires minimal structure.
Messages are broadcast on a best effort
basis, and nodes can leave and rejoin the
network at will, accepting the longest
proof-of-work chain as proof of what happened
while they were gone.
1. Introduction
Commerce on the Internet has come to rely
almost exclusively on financial institutions
serving as
trusted third parties to process electronic
payments. While the system works well enough
most transactions, it still suffers from the
inherent weaknesses of the trust based model.
Completely non-reversible transactions are
not really possible, since financial institutions
avoid mediating disputes. The cost of mediation
increases transaction costs, limiting the
minimum practical transaction size and cutting
off the possibility for small casual transactions,
and there is a broader cost in the loss of
ability to make non-reversible payments for
reversible services. With the possibility
of reversal, the need for trust spreads. Merchants
be wary of their customers, hassling them
for more information than they would otherwise
A certain percentage of fraud is accepted
as unavoidable. These costs and payment uncertainties
can be avoided in person by using physical
currency, but no mechanism exists to make
over a communications channel without a trusted
What is needed is an electronic payment system
based on cryptographic proof instead of trust,
allowing any two willing parties to transact
directly with each other without the need
for a trusted
third party. Transactions that are computationally
impractical to reverse would protect sellers
from fraud, and routine escrow mechanisms
could easily be implemented to protect buyers.
this paper, we propose a solution to the double-spending
problem using a peer-to-peer distributed
timestamp server to generate computational
proof of the chronological order of transactions.
system is secure as long as honest nodes collectively
control more CPU power than any
cooperating group of attacker nodes.
We define an electronic coin as a chain of
digital signatures. Each owner transfers the
coin to the
next by digitally signing a hash of the previous
transaction and the public key of the next
and adding these to the end of the coin. A
payee can verify the signatures to verify
the chain of
The problem of course is the payee can’t verify
that one of the owners did not double-spend
the coin. A common solution is to introduce
a trusted central authority, or mint, that
checks every
transaction for double spending. After each
transaction, the coin must be returned to
the mint to
issue a new coin, and only coins issued directly
from the mint are trusted not to be double-spent.
The problem with this solution is that the
fate of the entire money system depends on
company running the mint, with every transaction
having to go through them, just like a bank.
We need a way for the payee to know that the
previous owners did not sign any earlier
transactions. For our purposes, the earliest
transaction is the one that counts, so we
don’t care
about later attempts to double-spend. The
only way to confirm the absence of a transaction
is to
be aware of all transactions. In the mint
based model, the mint was aware of all transactions
decided which arrived first. To accomplish
this without a trusted party, transactions
must be
publicly announced, and we need a system for
participants to agree on a single history
of the
order in which they were received. The payee
needs proof that at the time of each transaction,
majority of nodes agreed it was the first
3.Timestamp Server
The solution we propose begins with a timestamp
server. A timestamp server works by taking
hash of a block of items to be timestamped
and widely publishing the hash, such as in
newspaper or Usenet post. The timestamp proves
that the data must have existed at the
time, obviously, in order to get into the
hash. Each timestamp includes the previous
timestamp in
its hash, forming a chain, with each additional
timestamp reinforcing the ones before it.
To implement a distributed timestamp server
on a peer-to-peer basis, we will need to use
a proof-
of-work system similar to Adam Back’s Hashcash,
rather than newspaper or Usenet posts.
The proof-of-work involves scanning for a
value that when hashed, such as with SHA-256,
hash begins with a number of zero bits. The
average work required is exponential in the
of zero bits required and can be verified
by executing a single hash.
For our timestamp network, we implement the
proof-of-work by incrementing a nonce in the
block until a value is found that gives the
block’s hash the required zero bits. Once
the CPU
effort has been expended to make it satisfy
the proof-of-work, the block cannot be changed
without redoing the work. As later blocks
are chained after it, the work to change the
would include redoing all the blocks after
The proof-of-work also solves the problem
of determining representation in majority
making. If the majority were based on one-IP-address-one-vote,
it could be subverted by anyone
able to allocate many IPs. Proof-of-work is
essentially one-CPU-one-vote. The majority
decision is represented by the longest chain,
which has the greatest proof-of-work effort
in it. If a majority of CPU power is controlled
by honest nodes, the honest chain will grow
fastest and outpace any competing chains.
To modify a past block, an attacker would
have to
redo the proof-of-work of the block and all
blocks after it and then catch up with and
surpass the
work of the honest nodes. We will show later
that the probability of a slower attacker
catching up
diminishes exponentially as subsequent blocks
are added.
To compensate for increasing hardware speed
and varying interest in running nodes over
the proof-of-work difficulty is determined
by a moving average targeting an average number
blocks per hour. If they’re generated too
fast, the difficulty increases.
The steps to run the network are as follows:
1) New transactions are broadcast to all nodes.
2) Each node collects new transactions into
a block.
3) Each node works on finding a difficult
proof-of-work for its block.
4) When a node finds a proof-of-work, it broadcasts
the block to all nodes.
5) Nodes accept the block only if all transactions
in it are valid and not already spent.
6) Nodes express their acceptance of the block
by working on creating the next block in the
chain, using the hash of the accepted block
as the previous hash.
Nodes always consider the longest chain to
be the correct one and will keep working on
extending it. If two nodes broadcast different
versions of the next block simultaneously,
nodes may receive one or the other first.
In that case, they work on the first one they
but save the other branch in case it becomes
longer. The tie will be broken when the next
of-work is found and one branch becomes longer;
the nodes that were working on the other
branch will then switch to the longer one.
New transaction broadcasts do not necessarily
need to reach all nodes. As long as they reach
many nodes, they will get into a block before
long. Block broadcasts are also tolerant of
messages. If a node does not receive a block,
it will request it when it receives the next
block and
realizes it missed one.
6. Incentive
By convention, the first transaction in a
block is a special transaction that starts
a new coin owned
by the creator of the block. This adds an
incentive for nodes to support the network,
and provides
a way to initially distribute coins into circulation,
since there is no central authority to issue
The steady addition of a constant of amount
of new coins is analogous to gold miners expending
resources to add gold to circulation. In our
case, it is CPU time and electricity that
is expended.
The incentive can also be funded with transaction
fees. If the output value of a transaction
less than its input value, the difference
is a transaction fee that is added to the
incentive value of
the block containing the transaction. Once
a predetermined number of coins have entered
circulation, the incentive can transition
entirely to transaction fees and be completely
The incentive may help encourage nodes to
stay honest. If a greedy attacker is able
assemble more CPU power than all the honest
nodes, he would have to choose between using
to defraud people by stealing back his payments,
or using it to generate new coins. He ought
find it more profitable to play by the rules,
such rules that favour him with more new coins
everyone else combined, than to undermine
the system and the validity of his own wealth.
7.Reclaiming Disk Space
Once the latest transaction in a coin is buried
under enough blocks, the spent transactions
it can be discarded to save disk space. To
facilitate this without breaking the block’s
transactions are hashed in a Merkle Tree,
with only the root included in the block’s
Old blocks can then be compacted by stubbing
off branches of the tree. The interior hashes
not need to be stored.
A block header with no transactions would
be about 80 bytes. If we suppose blocks are
generated every 10 minutes, 80 bytes * 6 * 24
* 365=4.2MB per year. With computer systems
typically selling with 2GB of RAM as of 2008,
and Moore’s Law predicting current growth
1.2GB per year, storage should not be a problem
even if the block headers must be kept in
8. Simplified Payment Verification
It is possible to verify payments without
running a full network node. A user only needs
to keep
a copy of the block headers of the longest
proof-of-work chain, which he can get by querying
network nodes until he’s convinced he has
the longest chain, and obtain the Merkle branch
linking the transaction to the block it’s
timestamped in. He can’t check the transaction
himself, but by linking it to a place in the
chain, he can see that a network node has
accepted it,
and blocks added after it further confirm
the network has accepted it.
As such, the verification is reliable as long
as honest nodes control the network, but is
vulnerable if the network is overpowered by
an attacker. While network nodes can verify
transactions for themselves, the simplified
method can be fooled by an attacker’s fabricated
transactions for as long as the attacker can
continue to overpower the network. One strategy
protect against this would be to accept alerts
from network nodes when they detect an invalid
block, prompting the user’s software to download
the full block and alerted transactions to
confirm the inconsistency. Businesses that
receive frequent payments will probably still
want to
run their own nodes for more independent security
and quicker verification.
9. Combining and Splitting Value
Although it would be possible to handle coins
individually, it would be unwieldy to make
separate transaction for every cent in a transfer.
To allow value to be split and combined,
transactions contain multiple inputs and outputs.
Normally there will be either a single input
from a larger previous transaction or multiple
inputs combining smaller amounts, and at most
outputs: one for the payment, and one returning
the change, if any, back to the sender.
It should be noted that fan-out, where a transaction
depends on several transactions, and those
transactions depend on many more, is not a
problem here. There is never the need to extract
complete standalone copy of a transaction’s
10. Privacy
The traditional banking model achieves a level
of privacy by limiting access to information
to the
parties involved and the trusted third party.
The necessity to announce all transactions
precludes this method, but privacy can still
be maintained by breaking the flow of information
another place: by keeping public keys anonymous.
The public can see that someone is sending
an amount to someone else, but without information
linking the transaction to anyone. This is
similar to the level of information released
by stock exchanges, where the time and size
individual trades, the “tape”, is made public,
but without telling who the parties were.
As an additional firewall, a new key pair
should be used for each transaction to keep
from being linked to a common owner. Some
linking is still unavoidable with multi-input
transactions, which necessarily reveal that
their inputs were owned by the same owner.
The risk
is that if the owner of a key is revealed,
linking could reveal other transactions that
belonged to
the same owner.
11. Calculations
We consider the scenario of an attacker trying
to generate an alternate chain faster than
the honest
chain. Even if this is accomplished, it does
not throw the system open to arbitrary changes,
as creating value out of thin air or taking
money that never belonged to the attacker.
Nodes are
not going to accept an invalid transaction
as payment, and honest nodes will never accept
a block
containing them. An attacker can only try
to change one of his own transactions to take
money he recently spent.
The race between the honest chain and an attacker
chain can be characterized as a Binomial
Random Walk. The success event is the honest
chain being extended by one block, increasing
lead by +1, and the failure event is the attacker’s
chain being extended by one block, reducing
gap by -1.
The probability of an attacker catching up
from a given deficit is analogous to a Gambler’s
Ruin problem. Suppose a gambler with unlimited
credit starts at a deficit and plays potentially
infinite number of trials to try to reach
breakeven. We can calculate the probability
he ever
reaches breakeven, or that an attacker ever
catches up with the honest chain, as follows:
And here there’s some mathematics which you
can look at at
p=probability an honest node finds the next
q1=probability the attacker finds the next
qz=probability the attacker will ever catch
up from z blocks behind
The probability drops exponentially as the
number of blocks the
attacker has to catch up with increases. With
the odds against him, if he doesn’t make a
lunge forward early on, his chances become
vanishingly small as he falls further behind.
We now consider how long the recipient of
a new transaction needs to wait before being
sufficiently certain the sender can’t change
the transaction. We assume the sender is an
who wants to make the recipient believe he
paid him for a while, then switch it to pay
back to
himself after some time has passed. The receiver
will be alerted when that happens, but the
sender hopes it will be too late.
The receiver generates a new key pair and
gives the public key to the sender shortly
signing. This prevents the sender from preparing
a chain of blocks ahead of time by working
it continuously until he is lucky enough to
get far enough ahead, then executing the transaction
that moment. Once the transaction is sent,
the dishonest sender starts working in secret
on a
parallel chain containing an alternate version
of his transaction.
The recipient waits until the transaction
has been added to a block and z blocks have
been linked after it. He doesn’t know the
exact amount of progress the attacker has
made, but assuming the honest blocks took
the average expected time per block, the attacker’s
potential progress will be a Poisson distribution
with expected value:
And here you can check the document, and realize
with the equations and c code you will find
that the probability becomes enormously tiny.
12. Conclusion
We have proposed a system for electronic transactions
without relying on trust. We started with
the usual framework of coins made from digital
signatures, which provides strong control
ownership, but is incomplete without a way
to prevent double-spending. To solve this,
proposed a peer-to-peer network using proof-of-work
to record a public history of transactions
that quickly becomes computationally impractical
for an attacker to change if honest nodes
control a majority of CPU power. The network
is robust in its unstructured simplicity.
work all at once with little coordination.
They do not need to be identified, since messages
not routed to any particular place and only
need to be delivered on a best effort basis.
Nodes can
leave and rejoin the network at will, accepting
the proof-of-work chain as proof of what
happened while they were gone. They vote with
their CPU power, expressing their acceptance
valid blocks by working on extending them
and rejecting invalid blocks by refusing to
work on
them. Any needed rules and incentives can
be enforced with this consensus mechanism.
This is Stefan Molyneux from Freedomain Radio
and I hope this has been very helpful, and
I encourage you to explore this very exciting
world, of shared database information.

62 thoughts on “The Original Bitcoin White Paper by Satoshi Nakamoto

  1. Thanks for bothering to read the whitepaper. I love it how the nay-sayers dismiss bitcoin as a ponzi scheme without even attempting to comprehend the computer science behind its network (block chain), yet rely on other internet protocols (stmp, tcp/ip, https…) on a daily basis without question. Price is not the same as value. Bitcoin unit is not the same as Bitcoin network.

  2. Thank you!! I've been trying to read trough it for a while now but my ADHD always takes me away from getting trough it. Sent you 0.01 btc 🙂

  3. Thanks Stefan, this just prompted me to hit pause and to to and read it myself. Too many choice sentences that need to be double- and triple-read 🙂

  4. The crucial bit is an attacker having to care more about the value of their own bitcoins vs attacking the blockchain.  If PTB want to take it down they'll throw whatever fiat expense and hardware at it they need (and governments have supercomputer arrays at their disposal).  The question is – will they?

  5. We need an election system based on the principles of Bitcoin. Since all votes can be authenticated. The only reason for voting at all is that we do not trust. With a Bitcoin system, we have a win, win situation. How can this be done ? This would satisfy those that would have us all having Neocon identification cards, and those that may take advantage of our system without them.

  6. @Stefan Molyneux Wow, how heavily invested are you in bitcoin? Just look at all the shite in the world and your only topic (at the moment) is bitcoin…..????
    You have a audience, please don't mislead us.

  7. Bitcoin heist:

  8. Mining of a virtual crypto currency is virtual work not real work in the real world.  What good does mining Bitcoins do for the real world from a social and ecological perspective? IF bitcoins was a stable currency than it may have a long shelf life, but its really just one big stock trading Ponzi scheme benefitting the early adopters and miners who confiscate the wealth of the late adopters leading to an eventual climatic collapse.  I think the idea of electronic currency is great, but the way bitcions functions fails as a real currency.  Why can't we have a so called crypto currency that trades at the exact same price always such as one bitcoin equals one days work, 1 hour of work, $10, 1 oz of silver, I chord of wood or whatever real life item we chose to peg to it?

  9. im not disagreeing with the fact bit coin is not perfect math im highly skeptical on how even a perfect system is to work in an imperfect world.

    And yes, Bitcoin has significant illicit uses. Programs like satashi dice allow people to gamble online. Until recently, a Web site called Silk Road helped dealers sell millions of dollars of illicit drugs

    We don't know who Satoshi Nakamoto is, but we do know that if he ever surfaces, he will be an extremely wealthy man. Millions of bitcoins were created in the currency's first two years, and Satoshi likely owns hundreds of thousands of them. At today's prices, he would be a millionaire many times over.

    People want to use the currency that most other people use, and in the United States that's going to be US dollars for the foreseeable future. And that's a good thing: if Bitcoin became the standard currency of the US economy, then its fixed money supply would create a serious risk of the next economic downturn snowballing into a depression

  10. I remember reading this several years ago… My thought, as when first reading On the Origin of Species, The Law, and other great works: "what a fucking genius" 🙂

  11. An IT worker threw out a computer hard drive without realizing it contained $7.5 million worth of the digital currency Bitcoin.

  12. y u do this? their is already "How Bitcoin Works Under the Hood" on u-tewb
    he used animation and pictures to help understand.

  13. What I like about Bitcoin is it's intrinsic value outside of currency. You can do so many things with it which are all obvious to even the casual observer.

  14. Anything that is created by someone under an alias puts up big red flags in my mind. What is hiding his real name from? This has scam written all over it.

    Even if it's not, the speculative bubble will crash sooner or later. Bitcoins has gone up in value 400% in one month. This is not good and neither is the hoarding of coins. 65% of released coins have not been used once. The whole purpose of a currency is to be used, not hoarded, as it's one and only function is a medium of exchange.

  15. Hi Jolly Roger. Bitcoin is not a Ponzi scheme; look up the definition. If you think Bitcoin is a Ponzi scheme then presumably you think that all traded currencies and commodities are too. Bitcoin is profoundly important. It significantly improves humanity's chance of ending injustice, war and poverty.

  16. Let's see, who or what has the resources and motivation to successfully attack the Bitcoin network, one guess?

    Use BC to trade, not store wealth.

  17. Someday in the future, we'll look at this document as the beggining of the end of the banking system that ruled the world.

  18. People w/ btc really want $, and what $ can buy.  they purchase btc w/ $, hype btc, then sell them for $$.  Such pump and dump behavior is repulsive and supports the continuation of the fraud.  "How I turned $27.00 into $880,000.00 with bitcoin" by some guy in Norway.  Everyone wants in on the action.

    I suppose Stefan can start accepting btc for subscription to his website.  All those that want to hear btc hyped will probably gladly throw a fraction of bitcoin his way.

  19. "Since all transactions on the blockchain are public, it is known that only a quarter of those bitcoins have ever changed their master, which means Satoshi Nakamoto is believed to be the owner of roughly one million bitcoins. With Bitcoin surging past $1000, that stash is worth about $1.1 billion.

    "It's all going according to plan. Indeed, Satoshi designed Bitcoin so that its price would increase in tandem with users' adoption of the cryptocurrency."

    But it's not a business. *rolls eyes*

  20. For all the ones commenting and bashing bitcoin as a currency. As Andreas Antonopoulos (@aantonop) routinely states, Bitcoin is a protocol and technology. It is also a currency like the internet is an electronic mail service. The CURRENCY side of Bitcoin is just the first app and there are already several more.

    This is just the beginning folks. Be grateful that you are living to see this flower blossom.

  21. From Russell proofs to Godels Incompleteness theorem, the former over 300 pages(1+1=2), both mind scrambling yet we have folk`s here who think they can just say bitcoin is a Ponzi scheme and were supposed to believe them. Yes and faeries exist and live at the bottom of my garden, if your going to make a statement back it up please. Yes i have got photographs…lol

  22. This is for all the pyramid/ponzi trolls…

  23. Hi Stefan, Thank you so much introducing me to bitcoin. I never understood it, but I think after listening to your videos I am really starting to get it!
    Thank you so much!

  24. I'm watching closely. It dropped hard in the last 36 hrs. now at $760 usd, up from $650 this morning. I say let it drop, ill buy in again at <$120. They have value, if you can find a buyer or trade for what you want. I'm happy with the goods, services and growth I've received so far. I look to long term investments, this is not one , this is a use it or loose it currency, so far. I use it like a credit card account, or for immediate purchases. Too volatile to leave it alone, you have to be able to read the wave if you want ride it.

  25. Important note: backups of wallet files need to be updated about every 10 transactions or else they become stale. Also note that encrypted wallets are WAY safer for backups than unencrypted.

  26. It's all so complicated and scary, so I'll just use FUD buzzwords to help me feel better about my poor reasoning skills.

    #pyramidscheme #ponzischeme #tulipbubble #onlygovernmentcanbesmart

  27. Contains The True Identity Of Satoshi Nakamoto


  28. You have obviously no grasp on the supply of bitcoin. By the the year 2024 20 million of the possible 21 million bitcoins will have been mined. When effort to mine these coins exceeds the reward to do so the value of them will drop like a rock. After 2024 it will take 100 YEARS to mine the last million coins. Miners who depend on POW and that is related to its value will drop like flies in a RAID factory. I will predict this 100% it does not last beyond 2024.

  29. APPLY HERE TO TEACH BASIC ENGLISH ONLINE: (Native English speaker & Non-Native English Speaker Okay) Apply Now: No degree required – A degree is a plus

Leave a Reply

Your email address will not be published. Required fields are marked *