Alice is far away from Bob and wants to buy his Alpaca socks. In return, she wants to send him a dollar. A dollar bill is a piece of paper with very low intrinsic value, but which is accepted by people in exchange for valuable products and services in the real world, such as the socks Alice wants to buy. One simple thing Alice can do is to put a dollar bill in an envelope, mail it to Bob, and then wait for Bob to send the socks to her.
Another thing Alice can do is to "wire" the money to Bob. She can do that by first giving her dollar bills to an institution called a bank, the job of which is to safe-keep Alice's dollar bills and, in return, to give Alice a written promise (called a "bank statement") that, whenever she wishes, she can come to the bank to take back the same amount of dollar bills that she deposited. Since the money is still Alice's, she is entitled to do with it whatever she pleases, and the bank (like most banks), for a small fee, will do Alice the service of "giving" the dollar bills to Bob instead of her. This could be done by sending a person to Bob's door, with Alice's dollar bills in hand (or, better, fresh new dollar bills, if Alice's dollar bills are in bad condition), but usually it is done by Alice's bank by giving the dollar bills to Bob's bank and informing them that the money is for Bob, who will then see the amount in his next statement, or, if he is in a hurry, the next time he contacts his bank asking about how much money they have for him.
Since banks have many customers, and bank employees require money for doing the job of talking to people and signing documents, banks in recent times have been using machines such as ATMs and web servers, that do the job of "talking" to the customers instead of paid bank employees. The job of these machines is to learn what each customer wants to do with his/her money and, to the extent that it's possible, act on what the customer wants (for example, ATMs can hand cash). In the end, there is very little human involvement in this process, most of the time. The people can always know how much money out of the money that the bank is safe-keeping is theirs, and they are confident that the numbers they see in their bank statements and on their computer screens stand for the number of dollar bills that that they can get from the bank at any time they wish. They can be so sure of that, that they can accept those numbers in the same way they accept paper dollars (this is similar to the way people started accepting paper dollars as they accepted gold or silver).
However, the fact that machines are used does not change the structure of this system, which is, as it was, based on a central authority (the bank) which is responsible for keeping records about how much money belongs to whom. Everybody has to rely on this central authority to be honest (i.e. to say the truth about how much money they are safe-keeping in total, or at least to make the paper money available upon demand from the owners). Also, every person has to identify him/herself to this authority, by giving his/her real name, in order to be allowed to get their paper bills back or to send money to another person.
Bitcoin is a system of owning and voluntarily transferring amounts of so-called bitcoins, in a manner similar to an on-line banking interface, but anonymously and without reliance on a central authority to decide on what is true. These bitcoins are valuable because they require the spending of real resources (CPU time and electricity) to produce, and they cannot be counterfeited or removed from a person's ownership without illicit access to his/her computer.
To guarantee that an eavesdropper, Eve, cannot access other people's bitcoins by creating transactions in their names we use a public key system to make digital signatures. In this system, each person, such as Alice and Bob, has a pair of public and private keys which he/she stores in a safe wallet. Only the user with his secret private key can sign a document, such as the transaction to give some of his bitcoins to somebody else, but any one can validate the signature using the user’s public key. The bitcoins, in Alice's hands, already contain a signature by whoever sent her the amount.
- Bob sends his public key to Alice.
- Alice adds Bob’s public key along with the amount she wants to transfer, to the transaction.
- Alice signs the transaction with her secret private key.
As a result, anyone who knows the public keys of both Alice and Bob can now see that Alice agreed to transfer the amount to Bob.
Later on, when Bob will transfer the same coins to Charley, he will do the same thing: receive from Charley his public key, add a new transaction to the chain of transactions and sign it with his (Bob) private key. But only Bob can do this, because only Bob has the private key which is necessary for signing and which is the only private key to match Bob’s public key that is already in the chain.
Eve cannot change who the coins belong to by replacing Bob’s public key with her public key, because Alice signed the transfer to Bob using her private key, declaring that the coins now belong to Bob, and Alice's private key is kept secret from Eve. So if Charley accepts that the original coin was in the hands of Alice he will also accept the fact that this coin was later passed to Bob and now Bob is passing this same coin to him.
This is how we guarantee that Alice cannot replicate the coin and use it in more than one transaction:
- Details about the transaction are sent to as many other people's computers as possible
- At least one of the computers sends back a block, which is just a large document that includes details of many transactions. The block is sent to as many other people as possible.
- Eventually the block reaches Bob who can validate that his transaction was recorded and no other transaction for the same coin was made in the past.
In theory, Alice could generate a spoofed block in which her past usage of the same coin does not appear and try to send this block to Bob as evidence that the coin is still hers. However, that past transaction, which contains a signature from Alice, has already been announced and has already been distributed to a very large number of computers in the bitcoin network. Since the process of generating a block is designed to take a long time and all transactions must be given in such blocks, Alice will be unable to compete with all these computers in the rate with which she can generate blocks. Bob will receive much more blocks from third persons than Alice alone will ever be able to generate, and some of these blocks will contain Alice's previous transaction, telling Bob that Alice has already spent her coin. And since, in the presence of multiple parallel chains of blocks of transactions, the longest such chain is taken as the truth, the only way for Alice to "pass" her own version of events is to be in a position to command the majority of the CPU power on the network. We assume nobody can do that, therefore Alice cannot undo what she did and cannot spend her coin twice.
In order to protect his privacy, Bob can generate a new public-private key pair for each transaction. So David receiving the coin from Charley will not be able to identify who is the second person in the list of transactions. The only thing David will know is the address of Bob which is a shortened (hashed) version of his public key.
Creation of coins
As we saw, both Bob and Charley need to verify that the original coin from Alice is valid. Alice cannot simply generate coins instantly, out of thin air, because the appearance of a coin is a transaction that needs to be accepted by others (it must appear at some place in the chain of blocks). The way that new coins are slowly introduced is this: every computer that manages to generate a block is allowed to put one transaction there in which it gains 50 BTC, without this amount having to come from somewhere. Other computers receiving the block can easily see that the block is valid and accept that this amount belongs to the computer that generated the block. This is called a "proof of work", because generating blocks is a slow process that requires Alice to spend real resources (buy recent computer hardware, use electricity and CPU time) and in this way it can be compared to gold mining. Only with a proof of work is Alice allowed to contribute to the chain of blocks that together keep a record of all transactions. The coin received by Alice is an incentive for her to perform this computation work. In addition to this, Alice can shave a small, voluntary fee from the transactions stored in the block.
Putting it all together
Directly experience the system in action by visting Bitcoin Block Explorer. The site shows you the latest blocks in the block chain. The block chain contains the agreed history of all transactions that took place in the system. Note how many blocks were generated in the last hour, should be around 6. Also notice the number of transactions and the total amount transfered in the last hour (last time I checked it was about 64 and 15K.) This should give you an indication of how active the system is.
Next, drill into one of these blocks. Start by noticing that the block's hash begins with a run of zeros, this is what made making it so difficult. The computer that generated this block had to run on many Nonce values (also listed on the block's page) until it found one that generated this run of zeros. Next notice the line titled Previous block, each block contains the hash of the block that came before it, this is what forms the chain of blocks. Now notice all the transactions the block contains. The first transaction is the income earned by the computer that generated this block. It includes a fixed amont of coins created out of thin air and possibly fee collected from other transactions in the same block. Several blocks starting from the same block could have been generated in parallel but at the end all the computers in the network agree that only one of these blocks is accepted to be part of the block chain. Other blocks are rejected either because they didn't play according to the rules of the game or they missed out on some of the transactions.
Drill into any of the transactions and you will see how it is made from one or more amounts coming in and out. The fact that there can be more than one incoming and outgoing amounts, allow the system to join and break amounts in any possible way allowing for any fractional amount needed (usually cents.) Each incoming amount is a transaction from the past (which you can also drill to) coming from an address of someone and each outgoing amount is addressed to someone and will be part of a future transaction (which you can also drill too if it also had already taken place.)
Finally you can drill into any of the addresses and see what public information is available.