This unit is Part 1 of the Annotated Princeton Bitcoin Video Course.

Welcome (1 minute)

The four presenters for the series are introduced: Joseph Bonneau; Ed Felten; Arvind Narayanan; and Andrew Miller.

Cryptographic Hash Functions (18 minutes)

This lecture starts by explaining what hash functions are, but doesn’t say much about why they’re useful in Bitcoin.

Bitcoin is a messaging system in some ways similar to email and Twitter. But instead of passing tweets or emails around, the Bitcoin network passes two kinds of specially-formatted messages: transactions and blocks. It’s very useful to give every message a unique identifier so that it can later be unambiguously referenced.

Examples of unique identifiers are easy to find: phone numbers; driver license numbers; social security numbers; credit card numbers; email addresses; full legal names; and so on. These unique identifier are useful because they allow computers to record information about the thing they refer to. For example, your cellular phone company maintains database records linked to your phone number.

All of the identifiers I listed share one thing in common: they’re issued by central authorities. This system won’t work in a distrubuted system like Bitcoin, so we need another way to identify blocks and transactions.

Hash functions are the answer. A hash function accepts any piece of digital data, regardless of its length, and returns a fixed-length sequence of bits. Cryptographic hash functions have a number of useful properties, as the video explains.

To learn more about why Bitcoin in particular uses hash functions, see Seven Things Bitcoin Users Should Know about Hash Functions

Hash Pointers and Data Structures (8 minutes)

The unique identifiers given to blocks and transactions are used in two main ways:

1. Messages can be chained. A message refers to its parent by including its hash value. The parent references its own parent in the same way, and so on. The result is a temper-evident message chain. The two most important message chains in Bitcoin are block chains and chains of ownership.
2. A list of messages can be composed into a binary tree (Merkle Tree). Like a chain, a tree orders messages in a tamper-evident way. But a tree is more flexible in that membership of a given message can be proven efficiently. The most important kind of binary tree used in bitcoin is the one made up of the transactions contained in a block. The root of this tree (the Merkle Root) appears in the block header.

Digital Signatures (9 minutes)

All messaging systems need to grant and manage rights to resources, and Bitcoin is no exception. Unlike centralized messaging services like Twitter, however, Bitcoin can’t rely on trusted servers. Bitcoin solves this problem through digital signatures.

A digital signature scheme consists of three parts:

1. A method to generate a public/private key pair.
2. A method of signing a message with a private key.
3. A method for verifying a signature given a public key and message.

Making this system work requires two guarantees:

1. Valid signatures will always be validated.
2. Valid signatures can’t be forged.

Public Keys as Identities (5 minutes)

A signature matching a given public key can only be produced with the corresponding private key. Therefore, a valid signature constitutes proof of an identity. Think of a public key as a name that can be generated without a trusted third party. Making a new name/identity is as simple as generating a new key pair. All of this happens in a decentralized way, with no trusted services required.

It’s important to consider privacy when using Bitcoin’s decentralized identity management. A new identity that has signed no messages has no history. But each message signed by the same identity builds a chain that can be used to degrade the privacy of its user. Privacy is the topic of Unit 6.

A Simple Cryptocurrency (14 minutes)

It’s time to bring all of the cryptographic pieces together. Imagine a simple system of money, Goofycoin. There are three rules:

1. Goofy can create a new goofycoin whenever he wants by signing a message. The hash value of this message becomes the coin’s unique ID.
2. Anyone can transfer ownership of a goofycoin to anyone else by signing a message containing the coin’s unique ID. The hash value of this message becomes the coin’s new ID.
3. The authenticity of any goofycoin can be confirmed by tracing the chain of ownership back to a coin creation message signed by goofy.

Chain of ownership only goes so far, though. In particular, Goofycoin allows any user to re-spend the same goofycoin.

Scroogecoin solves this problem. It works like Goofycoin, except all transactions are sent to Scrooge. Any user can consult Scrooge to get the complete chain of ownership for any coin. To combat double spending, Scrooge refuses to publish any coin that has already been spent.

The problem with Scroogecoin is Scrooge himself. He can:

• be forced offline;
• decide to censor some chains of ownership;
• be bribed to break the rules,

What’s needed is a system like Scroogecoin, but without Scrooge.

Next Up: How Bitcoin Achieves Decentralization