A 2600 word description of how Bitcoin works

Bitcoin is a cryptocurrency. This means that the underlying units, which are abstract, made-up units, are sent from one user to another via signed messages. These messages cannot be forged by anyone who does not hold the owner's private key, which is essentially a very long password. The cryptography has been understood for decades, but it wasn't until 2008 that Satoshi Nakamoto, whoever they are, combined ideas in a novel way that lets signed messages work as a currency: each bitcoin originates in some block of transactions that is mined, each block appends to the previous block, and together the blocks put all the transactions in order. Thus you can tell whether someone sending you a bitcoin has already sent that bitcoin to somebody else. Each time a miner mines a block, they credit themselves some bitcoin, which they can then spend or sell, and that is how new coins get out into the ecosystem. Once you spend a coin, whoever you sent it to has to create a new transaction in order to send it to the next person. You can't spend it again; that's the point of having all the transactions sitting in order on a chain. If you try to send it again, the miners and nodes will ignore the transaction because it's incompatible with the current state of the chain.

So in order to use cryptography to create a cryptocurrency, you need some way to order the transactions, in a way that everybody can see and agree upon. There's an extremely easy way to do this: designate a few computers to listen for these transactions and publish them on a ledger in the order they're received. This is quick and efficient, and for a cryptocurrency with the throughput of Bitcoin it could be done for a few dollars a month using Amazon Web Services.

Of course, Amazon Web Services Coin would be unattractive for so many reasons. The innovation of Satoshi was to create a means to order the transactions that does not require a designated leader.

Satoshi Nakamoto's fantastic idea was to set up a probabilistic auction for the right to create the next block. Each block orders the latest transactions, and the creator of the block is rewarded with bitcoin.

Nakamoto consensus requires that a miner produce a "proof of work" in order to write the next block. Producing a proof of work is costly: it requires heavy computing power. To incentivize miners to do this, whoever writes the next block gets to write themselves a small number of bitcoin. The difficulty adjustment, which occurs every 2016 blocks (roughly two weeks), ensures that blocks are not written too quickly: as blocks are written more frequently by more powerful sets of miners, the difficulty adjusts so that it becomes more difficult to write blocks (and easier again if miners leave). Thus on average blocks are only found about once every ten minutes.

A little more on how this works: miners compute hashes (double SHA-256 of the block header, in Bitcoin's case), cheap individually but with outputs that are effectively unpredictable. The output is a 256-bit number, so it ranges between 0 and somewhere around 10^77. It is therefore extremely unlikely to get a small number (say under 10^60) as the result of computing a few hashes; to produce an output under 10^60 one would have to compute the hash function something like a hundred quadrillion times. But you can prove that you've done this work by producing the input (the header, including a nonce the miner is free to vary) that generates such a hash, and anyone can check the proof with a single hash computation.
Every 2016 blocks, a target is set. A proof of work is a hash below this target. After the next 2016 blocks (approximately two weeks), the target is adjusted: downward if blocks arrived faster than one per ten minutes, upward if they arrived more slowly, with the change capped at a factor of four in either direction.

The difficulty adjustment keeps it competitive: As more miners produce more hashes, it becomes more difficult to find a proof of work.
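To make the target and the difficulty adjustment concrete, here is a small Python example (added here; it is not code from the original article, and not Bitcoin's own code). It mines a toy block by brute-forcing a nonce, verifies the proof with a single hash, and applies Bitcoin's retarget rule. The header layout and the easy starting target are constructed for the demo; the 2016-block interval, the ten-minute spacing and the factor-of-four clamp are Bitcoin's real parameters.

```python
import hashlib
import struct

# Toy parameters: the 256-bit output space is real; the starting target is
# chosen so a laptop finds a block in milliseconds.
MAX_TARGET = 2**256 - 1          # no hash can exceed this
EXPECTED_BLOCK_SECS = 600        # Bitcoin's nominal ten minutes
RETARGET_INTERVAL = 2016         # Bitcoin retargets every 2016 blocks


def block_hash(header_fields: bytes, nonce: int) -> int:
    """Double SHA-256 of header || nonce as a 256-bit integer. Bitcoin hashes
    its 80-byte header the same way; the field layout here is a stand-in."""
    data = header_fields + struct.pack("<I", nonce)
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big")


def is_valid_pow(header_fields: bytes, nonce: int, target: int) -> bool:
    """A proof of work is just a nonce whose hash lands below the target;
    checking it costs one hash, producing it costs on average 2^256/target."""
    return block_hash(header_fields, nonce) < target


def mine(header_fields: bytes, target: int, max_nonce: int = 2**32):
    """Try nonces until the hash is below target. Returns (nonce, hashes tried),
    or None when the nonce space is exhausted (a real miner then changes
    another header field, such as the timestamp, and starts again)."""
    for nonce in range(max_nonce):
        if is_valid_pow(header_fields, nonce, target):
            return nonce, nonce + 1
    return None


def expected_hashes(target: int) -> float:
    """Each hash is a uniform draw from [0, 2^256), so p = target / 2^256."""
    return 2**256 / target


def retarget(old_target: int, actual_timespan: int) -> int:
    """Bitcoin's retarget rule: scale the target by actual/expected timespan,
    clamped to a factor of 4 either way and never above MAX_TARGET.
    Faster-than-expected blocks -> smaller target -> harder."""
    expected = RETARGET_INTERVAL * EXPECTED_BLOCK_SECS
    actual = min(max(actual_timespan, expected // 4), expected * 4)
    return min(old_target * actual // expected, MAX_TARGET)


def difficulty(target: int) -> float:
    """Difficulty is conventionally expressed relative to the easiest target."""
    return MAX_TARGET / target


if __name__ == "__main__":
    header = b"prev_hash|merkle_root|timestamp"   # constructed stand-in for header fields
    easy = MAX_TARGET >> 16                        # about 65,000 hashes expected
    nonce, tries = mine(header, easy)
    print(f"nonce {nonce} after {tries} hashes (expected ~{expected_hashes(easy):.0f})")
    # Blocks arrived every 5 minutes instead of 10: target halves, difficulty doubles.
    harder = retarget(easy, RETARGET_INTERVAL * 300)
    print(f"difficulty {difficulty(easy):.0f} -> {difficulty(harder):.0f}")
    # Blocks arrived every hour: the clamp caps the easing at 4x.
    print(f"eased by {retarget(easy, RETARGET_INTERVAL * 3600) / easy:.1f}x")
```

The real retarget code has a well-known quirk (it measures the timespan over 2015 block intervals rather than 2016), which is left out here; the direction and the clamp are the part that matters for the argument above.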

Now it's possible that two miners could write the "next" block at the same time. It's also possible that a miner could deliberately choose to write a block that is not the "next" block but a competing one. On the blockchain all blocks must go in order and each block must be unique: there can be only one block 4567 and it must come after 4566. Block 4568 cannot be written until the hash of block 4567 is known; in fact it's the hash of block N-1, embedded in block N's header, that provides the "chain" link to block N.

If two blocks are produced at roughly the same time, there is a (usually temporary) chain split. Miners can decide which one to build on; the next block must extend one and only one of the two. At that point the tie is broken, and miners follow the simple rule that underlies Nakamoto consensus: the longest chain is the correct one. (Technically, it's the chain with the most cumulative proof of work, which in practice is almost always the longest one.)


Now a simple and elegant piece of game theory kicks in. The only blockchain that matters is the one with the most work. The only way to create a block on this chain is to create the next block, which becomes the chain tip. Mining on a shorter chain will probably just cost the miner money: the bitcoins created there exist only on a chain that nobody regards as useful. So miners continually race to extend the tip, and the chain moves forward. There is one chain, all the transactions are in order, and miners are always trying to create the next block on the system to earn more rewards.

In theory, someone with a large amount of computing power could begin mining an alternative chain from several blocks back. If they are lucky and powerful enough, their chain may eventually catch up to and surpass the original chain. At this point, according to the rules of Bitcoin, the challenging chain is now the true chain, and miners will switch to mining on its tip, not wanting to be left out.

Why would someone do this? The classic example is the so-called double spend: Alice sends Bob a bitcoin, essentially signing a message saying that the bitcoin she owned has been transferred to Bob. The miners mine this transaction into a block, further blocks follow, and Bob looks and sees that according to the blockchain the bitcoin is now under his control. However, Alice may be sneaky; suppose she then writes a transaction giving the same bitcoin to Charlie. The miners and nodes who run the network would reject or ignore this as incompatible with the true chain, but if Alice is able to convince miners to go back to before the first transaction was mined, those miners can start a new chain that is internally consistent. If they mine faster, they may be able to make their chain longer. At this point Bob looks and sees that he no longer owns the bitcoin: his transaction is now rejected and Charlie is considered the true owner. This is why a recipient waits for a number of confirmations (blocks mined on top of the transaction) before treating a payment as final; the deeper the transaction, the more work an attacker must redo.
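The following Python is a toy node (an added example, not code from the original article or from Bitcoin) that shows the two halves of this story together: on the active chain a second spend of the same coin is simply invalid, while on a branch forked from before Bob's payment it is perfectly valid, and once that branch has more cumulative work the node reorganises and Bob's confirmations vanish. Coins, transactions and the hashing of blocks are simplified stand-ins; the fork-choice rule (most work wins, ties keep the first-seen tip) is the real one.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Tx:
    txid: str
    spends: tuple      # ids of the coins consumed
    creates: tuple     # (coin id, owner) pairs produced


@dataclass(frozen=True)
class Block:
    parent: Optional[str]   # hash of the parent block; None for genesis
    target: int             # target this block was mined under
    txs: tuple

    @property
    def hash(self) -> str:
        payload = json.dumps([self.parent, self.target, [t.txid for t in self.txs]]).encode()
        return hashlib.sha256(payload).hexdigest()

    @property
    def work(self) -> int:
        # Expected hashes needed to meet the target: what Bitcoin sums as "chain work".
        return 2**256 // (self.target + 1)


class Node:
    def __init__(self, genesis: Block):
        self.blocks = {genesis.hash: genesis}
        self.tip = genesis.hash

    def chain(self, tip: Optional[str]) -> list:
        """Blocks from genesis up to `tip`, in order."""
        out, h = [], tip
        while h is not None:
            out.append(self.blocks[h])
            h = self.blocks[h].parent
        return out[::-1]

    def chain_work(self, tip: str) -> int:
        return sum(b.work for b in self.chain(tip))

    def utxo_at(self, tip: Optional[str]) -> dict:
        """Replay the branch ending at `tip`; returns {coin id: owner}."""
        utxo = {}
        for b in self.chain(tip):
            for tx in b.txs:
                for coin in tx.spends:
                    del utxo[coin]
                utxo.update(dict(tx.creates))
        return utxo

    def valid_on(self, block: Block) -> bool:
        """Every input must be unspent on the branch this block extends."""
        utxo = self.utxo_at(block.parent)
        for tx in block.txs:
            if any(coin not in utxo for coin in tx.spends):
                return False
            for coin in tx.spends:
                del utxo[coin]
            utxo.update(dict(tx.creates))
        return True

    def add_block(self, block: Block) -> bool:
        if block.parent not in self.blocks or not self.valid_on(block):
            return False
        self.blocks[block.hash] = block
        # Nakamoto fork choice: switch only to a tip with strictly more work.
        if self.chain_work(block.hash) > self.chain_work(self.tip):
            self.tip = block.hash
        return True

    def confirmations(self, txid: str) -> int:
        """Depth of the block containing txid on the active chain (0 = not there)."""
        for depth, b in enumerate(reversed(self.chain(self.tip)), start=1):
            if any(t.txid == txid for t in b.txs):
                return depth
        return 0


def double_spend_demo() -> dict:
    """Alice pays Bob on the public chain; a miner working for Alice then
    rebuilds the chain from genesis with a payment to Charlie instead."""
    T = 2**240                                   # one target everywhere: equal work per block
    genesis = Block(None, T, (Tx("coinbase", (), (("coin1", "alice"),)),))
    node = Node(genesis)
    to_bob = Tx("alice->bob", ("coin1",), (("coin2", "bob"),))
    to_charlie = Tx("alice->charlie", ("coin1",), (("coin3", "charlie"),))
    b1 = Block(genesis.hash, T, (to_bob,)); node.add_block(b1)
    b2 = Block(b1.hash, T, ());              node.add_block(b2)
    result = {"bob_confirmations_before": node.confirmations("alice->bob")}
    # On the active branch coin1 is already spent, so the second spend is invalid.
    result["conflict_rejected_on_active_chain"] = not node.add_block(Block(b2.hash, T, (to_charlie,)))
    # On a branch forked from before Bob's payment it is valid.
    a1 = Block(genesis.hash, T, (to_charlie,)); node.add_block(a1)
    a2 = Block(a1.hash, T, ());                node.add_block(a2)
    result["tip_unchanged_at_equal_work"] = node.tip == b2.hash   # 3 blocks each: first seen wins
    a3 = Block(a2.hash, T, ());                node.add_block(a3)  # 4 vs 3: reorganisation
    result["bob_confirmations_after"] = node.confirmations("alice->bob")
    result["charlie_confirmations_after"] = node.confirmations("alice->charlie")
    result["utxo_after"] = node.utxo_at(node.tip)
    return result
```

Note that the node never "decides" that Charlie is the rightful owner; it only follows the work. Bob's two confirmations were real until a heavier branch existed, which is exactly why the number of confirmations one waits for should depend on how much hashrate one is worried about.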

Proof of Work vs Cryptographic signatures

It's important to distinguish between the roles of proof of work and cryptography. Proof of work is simply an arbitration mechanism that (pre-emptively) settles disputes when different orderings of transactions would result in different outcomes for participants. While we may one day see miner extractable value emerge on the Bitcoin blockchain, most imaginable scenarios in which a dispute needs to be settled involve attempts to double-spend.

Asymmetric cryptography is essentially free. It's also essentially unbreakable when used as prescribed. Anyone can download a short Python script to run asymmetric cryptography, allowing them to decrypt, encrypt and check signatures from and to anyone in the world. (In Bitcoin's case the signatures are ECDSA, and since the Taproot upgrade also Schnorr, over the secp256k1 curve.) These could include messages which promise bitcoins, dollars, or goats. These messages may or may not have binding significance, but when a Bitcoin transaction is confirmed on the blockchain it represents a transfer of ownership of some amount of bitcoin. Everyone can see this transaction on the blockchain and knows it is the unique transaction spending that particular coin.
If we could trust parties to not double-spend, or if we have legal protections against double-spending, we wouldn't need an expensive mechanism such as proof of work.

When Bitcoin first emerged, people were deliberately using it anonymously: they didn't want to know who their counterparty was or where they had been. To do that securely, double-spend protection is necessary to make sure that the kindly gentleman from Craigslist who just bought some items from you in the Walmart parking lot isn't going to double-spend (in practice, this means waiting for one or more confirmations before handing over the goods). If, on the other hand, you have a KYC relationship with an exchange that operates in your jurisdiction, there is much less reason to worry about double-spending: if you try to double-spend on your exchange, this might be considered fraud in your jurisdiction. Your exchange knows who you are and they can come after you.

It's impossible to create a valid Bitcoin transaction without the proper keys. No amount of proof of work will change this. The validity of Bitcoin transactions is not protected by proof of work; it is protected by cryptography, and every full node checks every signature regardless of how much work the block carries. Proof of work only serves as an arbitrator when there are multiple valid but conflicting transactions. It does not determine the monetary value of the coins created in the block: that is determined by the market.
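To show the separation between the two mechanisms, here is a from-scratch Schnorr signature over secp256k1 in Python, added as an example (it is not code from the original article, and not a Bitcoin library; Bitcoin's BIP340 Schnorr differs in its encoding, sending only the x-coordinate of R with an even-y convention and tagged hashes, and production code must use a constant-time implementation). The curve constants are the real ones. The point of the demo is the last function: without the private key, no amount of computation of the kind miners do produces a signature that verifies on a new message.

```python
import hashlib
import secrets
from typing import Optional

# secp256k1: the curve Bitcoin uses for ECDSA and (since Taproot) Schnorr signatures.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt) -> bool:
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # a + (-a)
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k: int, pt):
    """Double-and-add scalar multiplication (not constant-time: demo only)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def keygen(seed: Optional[int] = None):
    """Private key d in [1, N-1]; public key is d*G. `seed` is for reproducible demos only."""
    d = seed if seed is not None else 1 + secrets.randbelow(N - 1)
    return d, ec_mul(d, G)


def _challenge(R, pub, msg: bytes) -> int:
    data = R[0].to_bytes(32, "big") + pub[0].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(d: int, msg: bytes):
    """Schnorr signature (R, s) with s = k + e*d. The nonce k is derived from
    the key and message, as RFC 6979 and BIP340 do, so it is never reused."""
    pub = ec_mul(d, G)
    k = int.from_bytes(hashlib.sha256(d.to_bytes(32, "big") + msg).digest(), "big") % N
    if k == 0:                                        # astronomically unlikely; real code retries
        raise ValueError("bad nonce")
    R = ec_mul(k, G)
    e = _challenge(R, pub, msg)
    return (R, (k + e * d) % N)


def verify(pub, msg: bytes, sig) -> bool:
    """Accept iff s*G == R + e*P. Forging (R, s) for a new message without d
    means solving a discrete logarithm; hashing harder (proof of work) does not help."""
    R, s = sig
    if R is None or pub is None or not (on_curve(R) and on_curve(pub) and 0 < s < N):
        return False
    e = _challenge(R, pub, msg)
    return ec_mul(s, G) == ec_add(R, ec_mul(e, pub))


def demo() -> dict:
    """Constructed scenario: Alice signs a spend to Bob; the message is tampered;
    Mallory signs the same message with her own key."""
    d_alice, pub_alice = keygen(0x1234)
    d_mallory, _ = keygen(0x5678)
    msg = b"spend coin1 -> bob"
    sig = sign(d_alice, msg)
    return {
        "alice_signature_valid": verify(pub_alice, msg, sig),
        "tampered_message": verify(pub_alice, b"spend coin1 -> charlie", sig),
        "mallory_signature": verify(pub_alice, msg, sign(d_mallory, msg)),
    }
```

A miner with all the hashrate in the world can reorder or drop the transaction carrying Alice's signature, but cannot produce the third case as `True`; that is the whole division of labour between the signature and the proof of work.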

But why does it actually work?

Bitcoin works because people all around the world have collectively decided it is worth putting their energy and money into a cryptocurrency that is outside of the standard banking system and central banks. Bitcoin is essentially an opt-in, unenforceable contract, in which each participant implicitly agrees that the network they are engaging with is valuable and will continue to be valuable in the near future.

People had sought this long before Satoshi created Bitcoin; the demand was there. Nakamoto consensus is how Bitcoin works, but why Bitcoin works is just as crucial: Bitcoin is something people want to use and want to have available so they retain the option to use it. If the demand were to dry up, the network would fail.

It was designed to fill roles in which the other available options come up short: cross-border payments, payments between parties that a government might choose to interfere with, a store of value that banks cannot freeze in response to a court order, or simply payments that you don't want going into the standard databases. The demand for these and many other use cases is real and positive.

It's important to emphasize that part of the current demand (and nearly all of the original demand) for Bitcoin is the demand for a currency that does not have a leader. If leaders could be chosen, the result would be a much faster system with much more bandwidth, and it would not require the massive energy expenditure.

Takeovers and attacks

According to the consensus rules governing Bitcoin, if one miner is able to marshal a majority of the hashrate (the conventional "51%"), they can succeed (with high probability) in writing their own chain containing only their blocks. This chain will be longer and have more work than any other, so it will be the chain. The miners who create the blocks then "control" the blockchain in the sense that they can choose which transactions to include and in what order. They cannot create valid transactions with signatures they do not control: for example, they cannot sign a transaction spending Bob's bitcoin without Bob's keys, nor can they award themselves more than the scheduled subsidy, because every full node validates every block against the consensus rules and rejects one that breaks them. What they do have is the power of censorship: if Bob sends a transaction to Charlie, the 51% miner can simply ignore it if they don't like Bob or Charlie, or could ask for a bribe.

In the monopoly 51% attack (as opposed to a one-off 51% double-spend attack) a miner or group of miners begins mining blocks and ignoring all other miners' blocks. They do this in the open, perhaps even loudly, declaring their intentions days or weeks ahead. Because their chain will be the longest, every block the other miners produce is orphaned, and those miners are forced to close up shop.

Of course, a monopoly-mined blockchain is unattractive to most Bitcoin users (at least traditional ones), who generally didn't sign up for centralized money. At this point they may opt out of Bitcoin altogether, choosing a different cryptocurrency, or they may continue to use it. A third option is for Bitcoin users to find some extra-protocol means of coordination that rejects the longest chain; in fact, Bitcoin Core has an RPC command called 'invalidateblock' that marks a block, and everything built on it, invalid for that node. If enough users agree to invalidate the blocks of the monopoly miner, their nodes will treat the strongest competing chain as the blockchain. This response is quite problematic: users would want to do it in a way that avoids creating a new set of de facto authorities, and this is tricky without the longest chain rule.

Many Bitcoin users will claim that such an attack will never happen. It has not been seriously attempted and is unlikely to happen in the immediate future (attacks were threatened during the 2016-17 block size war, but never carried out).

Mining and the security budget

When Bitcoin began in 2009, each miner who mined a block was rewarded 50 bitcoins. After a few years, at block 210,000 (late 2012), this number was cut in half to 25. It was cut in half again at block 420,000 (2016) and again at block 630,000 (2020). It will be cut in half again in 2024 at block 840,000, to a block reward of 3.125 bitcoins per block. Students of mathematics will recognize this as a geometric series: because the number of new bitcoins per block is cut in half every 210,000 blocks (approximately every four years), the total of all bitcoin ever created is 210,000 × (50 + 25 + 12.5 + ...) = 210,000 × 100 = 21 million (very slightly less in practice, because the subsidy is rounded down to whole satoshis at each halving).
Now while this means that the total number is finite, it also means that the amount paid to miners to mine blocks is decreasing in absolute bitcoin terms. While the value of a bitcoin has been trending up in dollar terms, the bitcoin rewards will continue to decrease. As of 2022, on the order of $10 billion worth of bitcoin was produced per year. While this is a large number, it is considerably smaller than many others, in particular the defense budgets of nations, the cash held by major corporations, or the net worth of many individuals.
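The schedule is short enough to compute exactly. The Python below is an added example (not from the original article) that mirrors the subsidy rule in Bitcoin Core's GetBlockSubsidy, where the halving is an integer right shift in satoshis, and sums the whole series; it also gives the supply issued at any height, which is handy for checking claims like "most of the coins already exist".

```python
COIN = 100_000_000            # satoshis per bitcoin
HALVING_INTERVAL = 210_000    # blocks between halvings
INITIAL_SUBSIDY = 50 * COIN


def block_subsidy(height: int) -> int:
    """Subsidy in satoshis for the block at `height`: halve (integer right shift)
    once per 210,000 blocks; zero once the shift would exceed the 64-bit amount type.
    The shift rounds down, which is why the total lands just under 21 million."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:
        return 0
    return INITIAL_SUBSIDY >> halvings


def supply_at(height: int) -> int:
    """Satoshis issued by blocks 0 .. height-1. Fees are not counted: they only
    move existing coins from payer to miner."""
    total, era = 0, 0
    while era * HALVING_INTERVAL < height:
        start = era * HALVING_INTERVAL
        total += block_subsidy(start) * min(HALVING_INTERVAL, height - start)
        era += 1
    return total


def total_supply_sats() -> int:
    """The limit of the series: the subsidy reaches 1 satoshi in era 32 and
    then 0, so nothing is issued past height 6,930,000."""
    return supply_at(64 * HALVING_INTERVAL)


def subsidy_schedule(eras: int = 6) -> list:
    """(first height of era, subsidy in BTC) for the first few eras."""
    return [(e * HALVING_INTERVAL, block_subsidy(e * HALVING_INTERVAL) / COIN) for e in range(eras)]


if __name__ == "__main__":
    for height, btc in subsidy_schedule():
        print(f"from block {height:>9,}: {btc} BTC per block")
    print(f"issued by block 840,000: {supply_at(840_000) / COIN:,.2f} BTC")
    print(f"final supply:            {total_supply_sats() / COIN:,.4f} BTC")
```

The exact limit comes out to 20,999,999.9769 BTC. The number of coins actually in circulation is a little lower still, because a handful of miners over the years claimed less than their full subsidy in the coinbase transaction, and an under-claimed subsidy is gone for good.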

Miners also obtain revenue from fees, paid by transactors to the miner of the block that includes them. Fees are determined by the market for block space: because the block size is capped, miners put the transactions paying the most per byte first, and so there is typically a going rate to get a transaction into the next block. On average this revenue has not been very large compared to the block subsidy.
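A detail worth seeing in code: what miners rank by is the fee rate (satoshis per virtual byte), not the absolute fee, and the lowest fee rate that still makes it into the block is the "market rate" of the moment. The Python below is an added example (not from the original article or from Bitcoin Core) with a constructed four-transaction mempool; it builds a block template the way miners approximately do and compares it with the knapsack-optimal selection to show that the greedy fee-rate rule is a heuristic, not an optimum. Bitcoin Core additionally groups a child transaction with its unconfirmed parents and ranks by ancestor fee rate, which is omitted here.

```python
from itertools import combinations

BLOCK_VSIZE_LIMIT = 1_000_000   # Bitcoin: 4,000,000 weight units = 1,000,000 vbytes

# Constructed mempool. "vsize" is virtual bytes, "fee" is in satoshis.
SAMPLE_MEMPOOL = [
    {"txid": "big-fee-low-rate", "vsize": 800, "fee": 8_000},    # 10 sat/vB, largest absolute fee
    {"txid": "small-high-rate",  "vsize": 200, "fee": 10_000},   # 50 sat/vB
    {"txid": "medium",           "vsize": 300, "fee": 6_000},    # 20 sat/vB
    {"txid": "dust-rate",        "vsize": 500, "fee": 500},      #  1 sat/vB
]


def feerate(tx: dict) -> float:
    return tx["fee"] / tx["vsize"]


def build_block_template(mempool: list, limit: int = BLOCK_VSIZE_LIMIT):
    """Greedy template: take transactions in descending fee-rate order, skipping
    any that no longer fit. Returns (chosen txids in order, total fee in sats)."""
    chosen, used, total_fee = [], 0, 0
    for tx in sorted(mempool, key=feerate, reverse=True):
        if used + tx["vsize"] <= limit:
            chosen.append(tx["txid"])
            used += tx["vsize"]
            total_fee += tx["fee"]
    return chosen, total_fee


def template_feerate_floor(mempool: list, limit: int = BLOCK_VSIZE_LIMIT) -> float:
    """The lowest fee rate that made it in: the effective going rate for the next block."""
    chosen, _ = build_block_template(mempool, limit)
    by_id = {tx["txid"]: tx for tx in mempool}
    return min(feerate(by_id[txid]) for txid in chosen)


def optimal_template(mempool: list, limit: int = BLOCK_VSIZE_LIMIT):
    """Exhaustive knapsack for tiny mempools, to show the greedy rule is not optimal.
    Returns (txids, total fee)."""
    best = ([], 0)
    for r in range(1, len(mempool) + 1):
        for combo in combinations(mempool, r):
            if sum(tx["vsize"] for tx in combo) <= limit:
                fee = sum(tx["fee"] for tx in combo)
                if fee > best[1]:
                    best = ([tx["txid"] for tx in combo], fee)
    return best


if __name__ == "__main__":
    limit = 1_000   # toy block so that not everything fits
    print("greedy by fee rate:", build_block_template(SAMPLE_MEMPOOL, limit))
    print("market rate (sat/vB):", template_feerate_floor(SAMPLE_MEMPOOL, limit))
    print("knapsack optimum:  ", optimal_template(SAMPLE_MEMPOOL, limit))
```

With the 1,000-vbyte toy limit, the greedy template collects 16,500 sats and the optimum is 18,000: the large transaction with the biggest absolute fee loses to the small high-rate one, yet would have paid more in combination with it. Real mempools are far too large for the exhaustive search, which is why the fee-rate heuristic is what actually runs.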

Note that an individual mining at home is extremely unlikely to mine a block. Commercial miners each spend tens or hundreds of thousands of dollars over weeks; they are the competition. So the notion that individuals can meaningfully participate in the process by mining their own transactions is far-fetched.

The security mechanism of Bitcoin is essentially a probabilistic auction. Miners are bidding on blocks. Writing a block gives the miner some amount of bitcoin, some in the form of the scheduled subsidy and the rest in the form of transaction fees.

The economics then dictate that miners will burn electricity up to the point where their expected profit is zero, and then stop spending.