Can money exist without an owner?
8 steps to build Bitcoin from scratch and understand why it works
No jargon, no shortcuts. Just logic, cryptography, and the design decisions that make it work.
Three ideas before we begin
Money was never a thing
The myth says barter came first, then coins, then banks. Anthropological evidence says otherwise: the earliest economies ran on debts and favors. "I owe you three goats" was money. No object was needed — it was enough for the community to remember who owed what to whom. Money was always a shared record.
Whoever keeps the books holds the power
When a community grows, collective memory is not enough. Someone has to keep the ledger — a temple, a king, a bank. It is efficient, but it has a cost: whoever controls the record can decide who can pay, whose balance gets frozen, and how much new money is created. Centralizing the record means centralizing power over money.
This is not theoretical
Canada froze bank accounts of protesters in 2022. Nigeria restricted cash withdrawals to force adoption of its digital currency. Argentina devalued the peso 50% in a single day. Lebanon prevented citizens from accessing their own savings. Whenever a government or bank controls the record, these things are possible — and they happen.
So the question is clear: can a shared record exist that depends on no one? For that, the ledger would need to live on computers — distributed, with no single point of control. But the moment money becomes digital, a fundamental problem appears.
Each solution creates the next problem
Bitcoin was not invented all at once. It is a chain of solutions where each answer generates a new question.
It all starts with a simple question: what happens when money stops being physical? The first obstacle is not security, nor speed, nor privacy. It is something much more fundamental.
The copy problem
The first obstacle to digital money is not security or speed. It is something we take for granted in the physical world that does not exist digitally: that giving means losing.
If I hand you a €100 bill, it leaves my pocket. I don't need anyone's permission: physics guarantees I can't give it to you and someone else at the same time. The transfer is direct, verifiable, and final.
Now think about a digital file. When you "send" it, it doesn't move — it copies. You still have the original intact. That's great for sharing photos or documents, but for money it's a disaster: if you can copy a digital bill, you can spend the same money two, ten, or a thousand times.
TRY THE DIFFERENCE
This is called the double-spending problem Spending the same unit of digital money more than once, sending it to two recipients before the system detects the conflict . It's not an implementation bug — it's a fundamental property of digital information. And it's the reason why, for decades, every attempt at electronic money needed a central intermediary to say "this coin has already been spent".
The ultimate question
How do you prove a digital file is unique? In the physical world, matter solves this for you — a bill cannot be in two pockets at the same time. In digital, you need a mechanism that makes duplication impossible without relying on trust in anyone. Solving this means inventing digital money. Not solving it means inventing yet another database with an owner.
In the physical world, scarcity is free — matter guarantees it. In digital, scarcity The property of something existing in limited quantity and not being freely duplicable must be built. That construction is Bitcoin.
Digital files copy themselves. That makes double spending inevitable... unless someone keeps the books. The most obvious solution to the copy problem is the same one we have used for centuries: put an intermediary in charge of the record. It works. But it has a price.
The obvious solution: put someone in charge
If nobody keeps the books, double spending is inevitable. The most direct fix: a central server that says who has what.
When you want to pay, you don't send a file — you ask the server to move numbers from your account to another. The server checks you have funds, updates the figures, and you're done. No copy is possible because there's no file to copy: just a database Shared record of who owes what to whom controlled by an operator.
This is exactly the model of your bank, PayPal, Visa. There is no "money" moving. Just numbers in a database and a company in the middle that decides whether the operation goes through. It works, it's fast, and it has been running for decades. But it has an inevitable consequence.
Whoever controls the server controls your money.
That is not a metaphor. Controlling the server means having four concrete capabilities over any user:
It can censor: decide that a transaction will not execute. It can freeze: let you see your balance but prevent you from moving it. It can devalue: create new money that dilutes the value of yours. And it can go down: if the server stops working — from an attack, a bug, or a bankruptcy — the whole system stops with you inside.
This is not theory. In 2022, Canada froze bank accounts of protesters without a court order. Lebanon has been preventing its citizens from accessing their own savings for years. Argentina devalued the peso 54% in a single day. And in 2013, Cyprus confiscated up to 47.5% of bank deposits over €100,000 to bail out its financial system.
EXPERIENCE WHAT THE OPERATOR CAN DO
None of these cases is a technical failure. They are features of the design Capability inherent to the design, not an implementation error . It is not that the operator is evil — it is that the design concentrates power in a single point, and concentrated power is eventually exercised.
Before Bitcoin, nobody escaped this trap
DigiCash (1989): advanced cryptography, but a central server that went bankrupt. E-gold (1996): digital gold payments, shut down by the US government. B-money and Bit Gold (1998): brilliant ideas by Wei Dai and Nick Szabo that anticipated Bitcoin but were never completed. They all hit the same wall: they couldn't prevent copying without putting someone in charge of the ledger.
Centralization solves double spending, but concentrates power. And if we remove the intermediary to eliminate that power... the problem reappears: who decides which transaction came first?
If we want to eliminate the intermediary, we need to solve two problems: how do you prove who you are without anyone identifying you? And how do you authorize a transaction without revealing your secret? The answer lies in mathematical tools that have been waiting decades for this moment.
Cryptography: the tools
Before building a consensus system, we need mathematical tools that solve an ancient problem: how do you prove something is yours without revealing your secret?
Hash functions: the mathematical meat grinder
A hash function is a mathematical operation that takes any data — a name, an entire novel, a photo of your cat — and produces a fixed-size "fingerprint." Always the same size, regardless of whether the input was a single letter or the entire Bible. And most importantly: it is a one-way street. You can convert data into its fingerprint, but you cannot reconstruct the original data from the fingerprint.
Think of it like an industrial meat grinder. You put in an entire cow and out comes a perfectly formed hamburger. You can verify that the hamburger came from that specific cow (by putting the cow through the grinder again and comparing). But no matter how hard you try, you cannot reconstruct the cow from the hamburger. The operation is irreversible.
And there is something else that makes hash functions extraordinarily useful: the avalanche effect. If you change a single character in the input — a comma, a space, an uppercase letter to lowercase — the output changes completely. Not a little. Completely. As if it were an entirely different piece of data. This means you cannot "get close" to the correct result. Either you have the exact data, or you have nothing.
The same input always produces the same output. "Hello" always generates the same hash. Today, tomorrow, on any computer in the world.
Impossible to reverse. There is no known mathematical operation that lets you go from the hash back to the original data. The only way is to try every possible combination.
SHA-256 Hash algorithm producing a 256-bit fingerprint (64 hex characters) , the algorithm Bitcoin uses, always produces a 256-bit output (64 hexadecimal characters). It does not matter if the input is one byte or one terabyte.
A minimal change in the input produces a completely different hash. "Hello" and "hello" generate hashes that have absolutely nothing in common.
SHA-256 Hash Playground
Type anything and watch the hash transform in real time
SHA-256 Property
Deterministic
The same input will always produce the exact same hash output. No randomness involved.
Public key cryptography: your mathematical identity
Now we need to solve another problem: identity. In the physical world, your identity is verified by a document, a photo, a handwritten signature. In a decentralized digital system with no central authority, how do you prove who you are? The answer is public key cryptography — one of the most elegant ideas in modern mathematics.
The mechanism is simple: you generate two mathematically linked keys. The private key is your absolute secret — an enormous number that only you know. The public key is derived from the private one and can be shared with everyone. The relationship is asymmetric: from the private key you can easily calculate the public key, but from the public key it is mathematically impossible to obtain the private one.
Think about it in contrast to the physical world: when you sign a check, someone who sees your signature could try to copy it. Your security depends on it being "hard" to imitate — but not impossible. With public key cryptography, the situation is radically different. Your private key produces signatures that anyone can verify using your public key, but it is mathematically impossible — not hard, impossible — to deduce the private key from the public one. The asymmetry does not depend on the forger's skill, but on the laws of mathematics.
Bitcoin uses a branch of mathematics called elliptic curves Type of mathematical curve whose properties enable operations that are easy to compute in one direction but impossible to reverse — specifically a curve called secp256k1 The specific elliptic curve Bitcoin uses to generate key pairs . You do not need to understand the details, but the core idea is this: the curve defines an operation that is extremely fast to compute in one direction (deriving the public key from the private one), but practically impossible to reverse (obtaining the private key from the public one). It is like mixing two paint colors — easy to do, impossible to separate. This mathematical property is the foundation for everything that follows.
In Bitcoin, your public key (or more precisely, a hash of it) is your address — the equivalent of a bank account number. Anyone can send funds to that address. But only whoever possesses the corresponding private key can spend those funds. There is no server verifying your password. There is no bank authorizing the transfer. The math itself is the authority. If you lose your private key, you lose access forever. No one can recover it. There is no "forgot my password" button.
Digital signatures: proof without revelation
Now we combine the two previous tools. A digital signature Mathematical proof that you know the private key, without revealing it works like this: first, you hash the message you want to sign (for example, "Ana sends 1 BTC to Bob"). Then, you use your private key to sign that hash. The result is the digital signature — a unique piece of data that proves you, and only you, authorized that specific message.
Anyone on the network can take three things — the original message, the signature, and your public key — and mathematically verify that the signature is valid. That it was created by the owner of that private key. That the message was not altered by even a single bit after being signed. And all of this without your private key having been revealed at any point in the process.
The message "Ana sends 1 BTC to Bob" is converted into a 256-bit hash. This unique fingerprint represents the exact content of the transaction.
Your private key operates on the hash to produce the digital signature. Only your private key can generate this specific signature for this specific hash.
Anyone takes the message, the signature, and the signer's public key. The math confirms: yes, this signature was made by the owner of this key.
This is revolutionary. In the traditional banking system, you prove your identity by showing your password or PIN to a central server that compares it against its database. You are handing your secret to an intermediary and trusting them to protect it. With digital signatures, you prove you know the secret without ever revealing it. It is as if you could open a lock in front of witnesses without anyone seeing the key. The proof is mathematical, not social.
Digital Signature Demo
Generate, sign, and verify with real elliptic curve cryptography
Step 1 — Generate Key Pair
Your private key is a random 256-bit number. The public key is mathematically derived from it — easy in one direction, impossible to reverse.
What signatures CAN'T solve
Digital signatures solve the identity problem. We know with mathematical certainty that Ana authorized a transaction. But there is a critical problem that signatures cannot solve: double spending.
Ana can sign a message that says "I send 1 BTC to Bob" and sign another that says "I send 1 BTC to Carol." Both signatures are perfectly valid. Cryptography confirms that Ana authorized both. But Ana only has 1 BTC — both cannot be fulfilled. Which came first? Which one actually counts? The signature does not contain a trustworthy timestamp. And in a decentralized network, there is no central clock that can tell you which message was created first. Signatures guarantee who authorized each transaction, but they cannot prevent the same coin from being spent twice.
This is exactly the double-spend problem from the previous chapter. Cryptography gives us perfect identity, but does not resolve the conflict. We need something more: a mechanism that orders transactions in a way the entire network agrees on.
We now have cryptographic identity: no one needs a bank to prove who they are. But there is a problem cryptography alone cannot solve. Ana signs two valid transactions with the same bitcoin — one to Bob, another to Carol. Both signatures are perfect. Which came first? In a network with no central clock and no leader, agreeing on the order of events is the real challenge.
Cryptography guarantees identity, but not order. We know WHO signed, but not WHEN. Without consensus on time, the double-spend problem remains unsolved.
Decentralization: the challenge of agreement
Eliminating the intermediary is easy to say. The real problem is: how do thousands of computers unknown to each other agree on a single version of the truth, with no one in charge?
The 4 simultaneous requirements
For a decentralized money system to work, it is not enough to just remove the central server. The system must satisfy four conditions simultaneously — and the difficulty is that they seem to contradict each other.
No node is special. There is no hierarchy, no administrator, no permission. Any computer can join the network or leave it freely, at any moment, without asking anyone for authorization.
All nodes must agree on ONE single order of transactions. There cannot be two versions of history. If Ana sends 1 BTC, everyone must agree on who she sent it to first.
It must be extremely expensive to lie and extremely cheap to verify the truth. If an attacker can manipulate the system without spending real resources, the system is broken. The asymmetry between the cost of attacking and the cost of verifying is the key.
The system must keep working even if some nodes fail, disconnect, or even act maliciously. You cannot design a system that requires all participants to be honest — because they will not be.
Meeting any of these conditions in isolation is trivial. Meeting all of them at once, in an environment where any participant could be an attacker, was considered impossible for decades. To understand why, we need to know a classic problem in computer science.
The Byzantine Generals Classic consensus problem: how to coordinate when some participants lie? Problem
Imagine five Byzantine army generals surrounding an enemy city. Each general commands a division in a different position. To take the city, they must all attack at the same time — if only some attack while others retreat, those who attack will be slaughtered. They must coordinate: either all attack, or all retreat.
The problem: they can only communicate by sending horse messengers between their camps. Messages take time. There is no way to meet in person. And the worst part: some generals might be traitors. A traitorous general can send a message saying "I attack" to some and "I retreat" to others, trying to cause disaster.
How can the loyal generals reach agreement when they cannot trust the messages they receive? How do you distinguish an honest general from a traitor if both send the same types of messages?
This problem was formalized in 1982 by Leslie Lamport, Robert Shostak, and Marshall Pease in their paper "The Byzantine Generals Problem." They proved that in a system with n participants, consensus is possible if and only if fewer than one third of the participants are traitors. That is: if you have 3 traitors, you need at least 10 participants to reach reliable agreement.
The connection to Bitcoin is direct. The network nodes are the generals. Transactions are the orders that must be coordinated. Attackers — nodes trying to double-spend, manipulate history, or corrupt consensus — are the traitors. The Byzantine Generals Problem is exactly the problem Bitcoin needs to solve.
But there is an additional complication that Lamport did not consider, because his model assumed something: that participants have a known identity. That you know how many generals there are. That you can count them. What happens when the network is open and anyone can enter?
Why voting does not work — The Sybil Attack where an actor creates multiple fake identities to gain influence Attack
The obvious solution to the consensus problem seems simple: let the nodes vote. Each node proposes which transaction should go first, everyone votes, and the majority wins. Digital democracy. Sounds elegant, right?
There is a devastating problem. In an open network where anyone can join without permission — which is exactly what we need for requirement number one — anyone can create unlimited identities. There are no digital passports. There is no civil registry. A single computer can present itself to the network as a thousand different nodes.
The name comes from the book "Sybil" (1973), about a person diagnosed with multiple personality disorder — a single mind inhabiting many identities. In a peer-to-peer network, a Sybil attacker is exactly that: a single entity that creates thousands of fake identities to dominate the system.
Imagine a vote on the network. There are 100 honest nodes. An attacker creates 200 fake nodes — all controlled from a single computer. Now the attacker has 67% of the "votes." They can decide which transactions are valid. They can rewrite history. They can steal your money by making you believe they paid you, and then vote to invalidate that transaction.
And here is the fundamental problem: the cost of creating a digital identity is zero. Creating a fake node costs nothing. There is no friction, no barrier, no cost. In the physical world, creating a false identity requires documents, photos, bribes. In an open network, it is a line of code.
Result: the attacker controls 71% of the votes. The "democracy" has been hijacked.
Sybil Attack Simulation
Observe how identity-based voting works
Network Vote
Which transaction is valid? Ana → Bob or Ana → Carol?
Network Nodes
Vote Results
Result: Ana → Bob wins (6 vs 4)
Democracy works... if identities are real.
The insight that changes everything
If you cannot vote with identity — because identity is free and forgeable — you need to vote with something different. Something that cannot be fabricated out of thin air. Something that has a real, verifiable, and unforgeable cost.
Not "one person = one vote." That does not work when persons are infinite and free. Instead: "one unit of real-world cost = one vote." If you want to influence consensus, you must prove that you have spent real-world resources. It is not enough to claim it — you must prove it in a way that anyone can verify instantly.
This conceptual shift is subtle but revolutionary. In all human voting systems, the unit of vote is identity: one person, one vote. But in an open digital system, identity does not work as an anchor. What you need is a scarce and verifiable resource. Something that exists in the physical world and that you cannot duplicate with a click.
Voting does not work: identities are infinite and free. But what if instead of voting with identity, you voted with something that cannot be fabricated? Something with a real, measurable, verifiable cost. Something like electricity. That idea — replacing identity with energy expenditure — is what makes the next step possible.
You need to vote with something costly and verifiable. Not with identity. That idea — replacing identity with cost — is the conceptual breakthrough that makes Bitcoin possible.
Proof of Work: voting with energy
The previous chapter showed that identity-based voting fails: an attacker can create infinite identities at no cost. The solution: make voting EXPENSIVE. Not "one person = one vote", but "one CPU = one vote". To cast a vote, you must prove you spent real computational energy.
The anti-spam barrier: work as proof
The idea of requiring a computational cost did not originate with Bitcoin. Think of postal mail: each letter needs a stamp. Sending one letter is cheap, but sending a million spam letters is prohibitively expensive. The physical stamp is an economic barrier against mass abuse.
In 1997, Adam Back proposed HashCash 1997 anti-spam system by Adam Back, precursor to Bitcoin's PoW : a system that required each email to include a small computational "proof of work." To send an email, your computer had to solve a cryptographic puzzle that took a few seconds. Sending one email: trivial. Sending a million spam emails: you would need years of computation. Spam became economically unviable.
Satoshi Nakamoto adapted this same idea for money. In Bitcoin, the "proof of work" does not protect against email spam — it protects against consensus manipulation. If you want to propose a block of transactions, you must prove that your computer spent real energy solving a puzzle. That proof is your "vote."
Proof of work as anti-spam barrier for email. Each email requires a computation of a few seconds.
Reusable proofs of work as a form of digital money. A crucial intermediate step.
Proof-of-work adapted as a consensus mechanism for decentralized money. The proof of work no longer just prevents spam: it orders transactions and secures the network.
How mining works
But what exactly is being "voted" on? When someone sends bitcoin, that transaction is not confirmed immediately. It sits in a waiting area alongside all other pending transactions on the network. A miner takes a batch of those transactions, groups them into a package called a "block," and competes with other miners for the right to add that block to the permanent record. The miner who wins the competition will have "voted" with real energy: their block is accepted as the next one in the chain.
The mining process is conceptually simple but computationally brutal. A miner takes three ingredients, combines them, and searches for a result that meets a specific condition:
You take pending transactions + the previous block hash + a random number called the " nonce Number the miner varies on each attempt to change the resulting hash ."
You run all the data through SHA-256. You get a 64-character hexadecimal hash. Completely unpredictable.
Does the hash start with N zeros? If yes: you win. If not: change the nonce and repeat. Millions, billions of times.
Mining Simulator
See how Proof of Work actually works
Why this works: the fundamental asymmetry
The key to proof of work lies in a deep asymmetry. Finding a valid hash is HARD: it requires brute force, there are no shortcuts, no magic formulas. You must try nonces one by one until you find the right one. It is like trying to open a combination lock by testing every possible combination.
But verifying a valid hash is INSTANT. Any node in the network takes the proposed block, computes a single hash, and checks if it starts with the required zeros. One single operation. Milliseconds. No effort.
This asymmetry is the key to everything. It costs real energy to create a block, but costs nothing to verify it. This means lying is expensive and detecting lies is free. Exactly the property we needed for a decentralized system.
The difficulty Parameter that determines how many leading zeros the hash must have to be valid adjustment
If the difficulty were fixed, the system would break. As more miners join the network with more powerful hardware, the total hashrate Number of hashes per second a miner can compute increases and blocks would be found faster and faster. If fewer miners participate, blocks would take too long. Bitcoin needs a self-regulating mechanism.
The solution is elegant: every 2,016 blocks (approximately two weeks), the network automatically recalculates the difficulty. The target is always the same: one block every ~10 minutes, regardless of how many miners there are.
Blocks are found too fast (less than 10 min average). The network responds: MORE leading zeros are required in the hash. The puzzle becomes harder.
Blocks take too long (more than 10 min average). The network responds: FEWER leading zeros are required. The puzzle becomes easier.
~2 weeks of real time
1 block every ~10 minutes
The protocol adjusts itself
The incentive: why would anyone spend energy
If mining requires spending real electricity, why would anyone do it? Bitcoin solves this with an elegant economic incentive that aligns self-interest with network security.
The miner who finds a valid block receives newly created bitcoins as a reward. Currently 3.125 BTC per block. This reward is cut in half every 210,000 blocks (~4 years) in an event known as the "halving."
Users pay a fee to have their transaction included in a block. The miner receives all the fees from the transactions they include. As the block reward decreases with halvings, fees become the primary source of income.
This is where Bitcoin's design is brilliant. A miner who has invested millions in hardware and electricity has two options: play by the rules and receive legitimate rewards, or try to cheat. But cheating requires controlling more than 50% of the entire network's computational power — an astronomical cost. And if they succeeded, trust in Bitcoin would collapse, destroying the value of the very coins they were trying to steal. It is more profitable to be honest.
Now we know how to create blocks: miners compete by spending real energy, and the winner proposes the next group of transactions. But a loose block is not very useful. How do we ensure no one can alter a past transaction? The answer: chain each block to the previous one, so that modifying one forces you to redo all the work that came after.
Proof of work converts real-world energy into digital security. Forging Bitcoin's history requires spending more energy than the entire honest network combined.
The Blockchain: linked blocks
We already have proof of work to create blocks. But how do we ensure the history of transactions is IMMUTABLE? The answer: chain each block to the previous one using hashes.
How blocks link together
Each block contains: transactions, a timestamp, a nonce, and the HASH OF THE PREVIOUS BLOCK. This hash creates a chain: if you modify any old block, its hash changes, which breaks the link to the next block — and to every block that comes after it.
It is like a chain of links where each link is forged with the metal of the previous one. If you replace a link in the middle, it no longer fits with the ones around it. The chain breaks visibly and unambiguously.
Notice how the "prevHash" of each block matches exactly the "hash" of the previous block. Those matching colors represent the same value. If someone changed a single transaction in Block #N-2, its hash would change, and it would no longer match the prevHash in Block #N-1. The chain would break.
Anatomy of a block
Each block is a data structure containing all the information needed to be independently verified. Let us look at what is inside.
The Merkle Tree: summary of all transactions
A block can contain thousands of transactions. How do you verify that a specific transaction is included without checking all the others? The Merkle Tree solves this: it groups transactions in pairs and hashes them together. Then the results are paired and hashed again. This repeats until only one hash remains: the Merkle Root.
The advantage: to verify any transaction, you only need a handful of hashes (a "branch" of the tree), not the entire block. A block with 4,000 transactions can be verified with just ~12 hashes.
Mining the initial blockchain...
Immutability Property ensuring that recorded data cannot be retroactively altered : why rewriting history is impossible
Since each block references the hash of the previous block, changing ANY historical transaction triggers a cascading effect. It is not enough to modify one block — you have to redo the entire chain from that point forward.
Changing a transaction changes the Merkle Root, which changes the block hash. The hash no longer meets the required difficulty.
You need to find a new nonce that makes the hash meet the difficulty. This requires trillions of attempts and an enormous amount of energy.
Every subsequent block had the old hash as its prevHash. Now that it changed, you must re-mine each of them in sequence. If there are 100 blocks after it, you must re-mine all 100.
While you are recalculating all of that, the rest of the network keeps adding new blocks. You would need more computational power than the entire network combined — and maintain it indefinitely.
The current Bitcoin network generates approximately 600 exahashes per second (600,000,000,000,000,000,000 hashes/s). To rewrite even a single block with 6 confirmations, you would need to exceed that power for over an hour. The energy required would equal the electrical output of a small country. And all for what — if you manage to corrupt Bitcoin, you destroy the value of what you are trying to steal.
And here is the most extraordinary property: immutability grows over time. A block with 1 confirmation is hard to reverse. With 6, it is practically impossible. With 100, there is no computational power in the universe that could reverse it. Each new block is like another layer of concrete poured over the previous blocks.
Rewriting difficulty by block depth
The chain is immutable: changing the past requires redoing an astronomical amount of work. But there is one scenario we have not yet resolved. What happens when two miners find a valid block at almost the same time? The chain forks. We need a rule that the entire network can independently apply to decide which chain is the legitimate one.
Each new block strengthens every previous block. With every passing minute, rewriting history becomes exponentially more costly. This is how information becomes as immutable as rock.
Consensus: the heaviest chain
Two miners in different parts of the world find a valid block at almost the same time. Now there are two valid versions of the blockchain. Which one is the "real" one?
The fork Temporary split when two miners find a block nearly simultaneously problem
In a global network, propagation delays mean different nodes see different blocks first. A miner in Tokyo finds Block #N. Three seconds later, a miner in New York finds another Block #N, with slightly different transactions. Both are valid — both miners did legitimate work.
For a brief moment, the network is split: nodes closer to Tokyo follow Chain A, nodes closer to New York follow Chain B. Both chains are equally valid. There is no arbiter to decide. There is no central server to pick the winner.
Nodes closer to Asia follow this version
Nodes closer to America follow this version
The rule: follow the chain with the most accumulated work
Satoshi's solution is elegant in its simplicity: every node follows the chain that has the most accumulated proof of work. Commonly simplified as the "longest chain rule," the technically correct description is the "heaviest chain" — the one with the most computational work invested.
This is a simple, objective rule that every node can independently evaluate. It requires no voting. It requires no extra communication. It requires no leader. Just math. Each node looks at the chains it knows about, calculates which has the most accumulated work, and follows it. If a heavier chain appears, it switches automatically.
Nakamoto's rule: always follow the valid chain with the most accumulated proof of work. No voting. No leader. Just math.
How does the fork resolve? Simply with time. Eventually, a miner will find the next block and add it to one of the two chains. The moment one chain has one more block of work, ALL nodes recognize it as the valid chain and abandon the other.
Blockchain Fork Resolution
Watch how competing chains resolve via the heaviest-chain rule
Press Play to simulate two miners finding a block at the same time...
Confirmations
No blocks yet after the fork
Press Play to start the fork race.
Confirmations Number of blocks added after the block containing your transaction; more confirmations = more security : certainty grows with time
When a fork resolves, the losing chain's blocks become "orphaned." The transactions they contained return to the mempool to be included in a future block. This is why merchants wait for "confirmations" — each confirmation is a new block added on top of yours.
Each additional confirmation makes reversal exponentially more costly. With 6 confirmations, the probability of reversal is less than 0.001%.
The 51% Theoretical attack where an actor controls more than half the total hashrate attack
There is a theoretical scenario in which consensus could be subverted. If an attacker controlled more than 50% of the entire network's computational power, they could mine blocks faster than everyone else and eventually create a heavier alternative chain.
An attacker with more than 50% of the hashrate could theoretically rewrite the blockchain's history. But executing this attack would require:
This is where game theory reinforces technical security. An attacker with 51% of the hashrate would have two options: use that power to attack the network and destroy Bitcoin's value, or use that same power to mine honestly and earn enormous rewards. The second option is always more profitable. Attacking is irrational from an economic standpoint.
Bitcoin's current hashrate exceeds 600 exahashes per second, distributed among thousands of miners across dozens of countries. Accumulating 51% would require a capital investment that no nation-state or corporation has deemed viable. And if they tried, the community would detect it and respond.
Bitcoin's security does not depend solely on cryptography — it depends on attacking being economically irrational. The incentives are aligned so that honesty is always the most profitable strategy.
The heaviest chain wins, conflicts resolve themselves, and attacking is economically irrational. With this, we have the final piece of the puzzle. It is time to see how they all fit together: identity without authority, order without a leader, immutability without a guardian, and consensus without voting. The complete system.
Nakamoto consensus is elegant because it doesn't require everyone to agree. It only requires everyone to follow the same simple rule: the chain with the most accumulated work wins. Mathematics replaces trust.
Bitcoin: the complete system
We have built every piece: digital signatures, hash functions, proof of work, blockchain, consensus. Now it is time to see how all these pieces fit together into the machine Satoshi Nakamoto designed.
The pieces of the machine
Each concept we have explored fulfills a specific function in the system. Together, they form a mechanism where no piece can be missing without the system collapsing.
Prove who you are without revealing your private key. Only you can authorize transactions from your address.
Create a unique digital fingerprint of any data. A tiny change produces a completely different hash.
Demands a real energy cost to create blocks. Lying is expensive; honesty is profitable.
Chains each block to the previous one with hashes. Rewriting the past requires redoing the entire chain.
The heaviest chain wins. All nodes follow the same rule without the need for central coordination.
Block rewards and fees align individual interest with network security. Greed serves the common good.
A transaction's journey
Let us walk through what happens step by step when Alice sends 0.5 BTC to Bob. Each step involves one or more of the concepts we have learned.
Selects UTXOs Unspent Transaction Output: the basic unit of value in Bitcoin as inputs that add up to at least 0.5 BTC. Creates outputs: 0.5 BTC to Bob and the change back to herself.
Uses her private key to digitally sign each input. This proves she is the legitimate owner of those funds without revealing her key.
The signed transaction is sent to nearby nodes, which relay it to their neighbors. Within seconds, thousands of nodes have received it.
Each node verifies Alice's digital signature and checks that the UTXOs have not been previously spent. If anything fails, the transaction is rejected.
The verified transaction is stored in each node's "waiting room" (the mempool Waiting room where transactions wait before being included in a block ), waiting to be included in a block.
A miner selects transactions from the mempool (prioritizing those with higher fees) and groups them into a candidate block along with the coinbase Special transaction that creates new bitcoins as reward to the miner transaction (their reward).
The miner adjusts the nonce trillions of times until finding a hash that meets the difficulty. This takes on average 10 minutes for the entire network.
The new valid block is sent to the entire network. Every node can instantly verify that the hash meets the difficulty.
Each node verifies the complete block and adds it to its local copy of the blockchain. The included transactions are removed from its mempool.
After 6 confirmations (~60 minutes), the probability of reversal is less than 0.001%. Bob can consider the payment final.
UTXO Explorer
Understand how Bitcoin transactions really work — inputs, outputs, and change
Mempool empty — create a transaction above
No transactions yet
How UTXOs work
Bitcoin does not have "account balances." Instead, each transaction creates Unspent Transaction Outputs (UTXOs). To spend bitcoin, you select UTXOs as inputs and create new outputs. If the inputs exceed the amount, the difference returns as "change." The small remainder is the mining fee.
The Halving Halving of the block reward, every ~210,000 blocks (~4 years) : programmatic scarcity
The reward miners receive for each block is not constant. Every 210,000 blocks (approximately 4 years), it is cut in half. This event is known as the "halving" and it is the reason Bitcoin has a fixed supply.
Unlike fiat money, where a central bank can print unlimited amounts, Bitcoin's supply is governed by mathematics. Nobody can change the rule. Nobody can print more.
The reward halves every ~4 years until all 21 million BTC have been mined (~year 2140). After that, miners will only collect transaction fees.
Key properties
Thousands of nodes across dozens of countries. No single point of failure. No server to shut down, no company to close, no CEO to arrest.
Maximum 21 million BTC. The halving reduces issuance every 4 years. Nobody can alter this cap. It is scarcity verifiable by anyone.
Every transaction is public and verifiable. Anyone can audit the total supply, verify a transaction, or run a full node.
Anyone can participate, anywhere, anytime. You do not need approval from a bank, a government, or a corporation. You just need an internet connection.
Bitcoin is not just a technology. It is an incentive system where individual greed serves the collective good — exactly as Adam Smith envisioned, but executed with mathematics instead of trust.
You've reached the end
Nine chapters. From barter to a global financial system without intermediaries. Let us walk back through the path we have just traveled.
Your journey
What you've learned
We started with a fisherman who needed firewood and discovered why humanity invented money. We saw how gold became paper, how paper was unlinked from any backing, and how governments can abuse that power.
Then we asked: can we create digital money? And we discovered the copy problem, the temptation of centralized control, and the double-spend Attempt to spend the same digital coins twice, the fundamental problem of digital money trap. Cryptography gave us the tools: digital signatures to prove identity and hash functions to create immutable digital fingerprints.
With decentralization, we eliminated the single point of failure. With proof of work Mechanism requiring real energy expenditure to validate blocks, making fraud costly , we made lying expensive. With the blockchain, we chained history so that rewriting it was computationally impossible. With Nakamoto consensus Rule that says: always follow the valid chain with the most accumulated work , we resolved conflicts without an arbiter. And with economic incentives, we aligned individual greed with the collective good.
The result: a global financial system that operates 24 hours a day, 7 days a week, 365 days a year, with no one in charge. That is Bitcoin.
Keep exploring
"Bitcoin: A Peer-to-Peer Electronic Cash System" by Satoshi Nakamoto. 9 pages that changed the world.
bitcoin.org/bitcoin.pdf → ⌨ Explore the source codeBitcoin is open-source software. Every line of code is public, auditable, and modifiable by anyone.
github.com/bitcoin/bitcoin →If you've made it this far, you now understand something most people don't: Bitcoin is not about getting rich. It's about creating a financial system that doesn't depend on trust in institutions.
For the first time in history, mathematics replaces authority.
Built with Astro, React, and GSAP. Designed to explain, not to sell.