Genesis Block

The first block in Bitcoin's blockchain, mined by Satoshi Nakamoto on January 3, 2009, containing the message 'Chancellor on brink of second bailout for banks'.

Key Takeaways

Chapter 1: Bitcoin

Overview

Bitcoin is the world's first decentralized digital currency, invented in 2009 by an anonymous individual or group operating under the pseudonym Satoshi Nakamoto. Designed to enable censorship-resistant financial transactions for anyone in the world without the control of central banks or governments, Bitcoin operates on a distributed ledger technology known as the blockchain. Its creation unfolded against the backdrop of the 2008 global financial crisis — a moment of profound institutional failure that gave rise to fundamental questions about the legitimacy of the existing financial system.

Bitcoin's technical foundation is built on a combination of cryptographic innovations, including Proof of Work (PoW), hash functions, and Elliptic Curve Cryptography. These technologies work in concert to solve the double-spending problem and enable secure transactions without the need for a trusted third party. The Nakamoto Consensus — a groundbreaking consensus mechanism — allows thousands of independent nodes to agree on a single, authoritative record of transactions.

This chapter provides a systematic exploration of the core concepts that make up Bitcoin. Beginning with its origins and history, we cover the mechanics of mining, the structure of transactions, major protocol upgrades, Layer 2 solutions, and privacy technologies — offering a comprehensive view of the entire Bitcoin ecosystem. Understanding how each concept interconnects is essential to achieving a deep and nuanced understanding of Bitcoin.


Genesis Block

Definition

The Genesis Block is the first block of the Bitcoin blockchain, mined directly by Satoshi Nakamoto on January 3, 2009. Corresponding to block height 0, it serves as the origin point for all subsequent blocks — the entire Bitcoin blockchain extends continuously from this single block. The Genesis Block is hardcoded into all Bitcoin node software, permanently embedded as an immovable foundation. Notably, the 50 BTC coinbase reward from the Genesis Block is unspendable by design, widely regarded as a deliberate choice on Nakamoto's part.

Key Points

  • Embedded Historical Message: The Genesis Block contains the headline from the January 3, 2009 edition of The Times: "Chancellor on brink of second bailout for banks." This serves simultaneously as a direct critique of the failures of the legacy financial system and as a tamper-proof timestamp proving exactly when Bitcoin was born.
  • The Anchor of the Blockchain: The Genesis Block is the only block in existence that contains no previous block hash. Every Bitcoin block includes the hash of the block before it, forming the chain — the Genesis Block is the sole exception to this rule, existing as the absolute starting point.
  • Unspendable 50 BTC Reward: Due to a characteristic of the Bitcoin protocol, the 50 BTC mining reward from the Genesis Block is not included in the standard UTXO set, making it effectively frozen in perpetuity.
  • First Transaction Nine Days Later: On January 12, 2009 — nine days after the Genesis Block was mined — Nakamoto sent 10 BTC to cryptographer Hal Finney, recording Bitcoin's first-ever peer-to-peer (P2P) transaction.
  • Symbolic Significance: The Genesis Block represents far more than a technical starting point. It functions as an ideological manifesto for decentralized finance. To this day, it is a common practice among Bitcoin advocates to send small amounts of BTC to the Genesis Block address as a mark of reverence.

The Genesis Block is the starting point for every historical and technical concept in Bitcoin. The "longest chain rule" of Nakamoto Consensus uses the Genesis Block as a shared reference point, allowing all nodes to trace and agree on the same chain. Halving calculations are also based on block heights counted from the Genesis Block. Furthermore, the coinbase transaction embedded in the Genesis Block serves as the original template for all subsequent coinbase structures, illustrating the foundational mechanics of the Nonce and Proof of Work.


Proof of Work (PoW)

Definition

Proof of Work (PoW) is Bitcoin's core consensus mechanism, requiring miners to demonstrate significant computational effort in order to add a new block to the blockchain. In practice, a miner repeatedly hashes a block header using the SHA-256 hash function, searching for a specific Nonce value that produces a result at or below the network's target threshold. This process is fundamentally one of repeated guess-and-check: finding a valid solution is computationally expensive, yet verifying a claimed solution is nearly instantaneous for anyone on the network. PoW is an elegant mechanism that simultaneously addresses spam prevention and blockchain security.

Key Points

  • Security Through Computational Cost: PoW is designed so that altering any historical record on the blockchain requires an enormous expenditure of computational resources. An attacker wishing to modify a specific block would need to redo the PoW for that block and every block that follows — while the honest network continues to advance — making such an attack practically infeasible.
  • Trillions of Hash Attempts Per Second: Modern Bitcoin mining uses ASIC (Application-Specific Integrated Circuit) hardware to attempt hashes at speeds exceeding tens of terahashes per second per machine. Across the entire network, total computational throughput reaches hundreds of exahashes per second.
  • The Dual Nature of Energy Consumption: PoW converts electrical energy into digital security. Critics point to the energy expenditure as wasteful, while proponents argue that this consumption is precisely what gives Bitcoin's security its physical grounding — a process of transforming energy into digital value.
  • Facilitating Decentralization: PoW is an open system that anyone can join. Anyone with access to electricity and hardware can participate in mining, which contributes to maintaining the network's decentralized character. The way ASICs have raised the barrier to entry, however, remains a point of ongoing debate.
  • Preventing Double Spending: PoW solves the double-spending problem — the risk of using the same bitcoin twice. Once a transaction is included in a block and subsequent blocks are stacked on top of it, the probability of it being reversed decreases exponentially.

PoW is inseparable from the Hash Function (SHA-256) — without SHA-256, PoW cannot function. The target value miners must hit is periodically adjusted by the Difficulty Retarget mechanism. The total computational effort of the network is measured by Hash Rate, which serves as the primary indicator of network security. Nakamoto Consensus operates on top of PoW, and both the theoretical risk and practical cost of a 51% Attack are derived from the properties of PoW. The concept of the Security Budget is also directly tied to the economics of PoW mining.


Hash Function (SHA-256)

Definition

A hash function is a one-way mathematical operation that takes an input of arbitrary length and produces a fixed-length output known as a hash value or digest. Bitcoin uses SHA-256 (Secure Hash Algorithm 256-bit), which always produces a 256-bit output (represented as 64 hexadecimal characters). For added security, Bitcoin applies SHA-256 twice in succession — a process known as double SHA-256 (SHA-256d). The most critical property of a cryptographic hash function is its asymmetry: computing an output from a given input is trivial, while deriving the original input from its output is computationally infeasible with current technology.

Key Points

  • Avalanche Effect: Changing even a single bit of the input produces a completely different and unpredictable output hash. For example, the SHA-256 hashes of "Bitcoin" and "bitcoin" are entirely distinct 64-character strings. This property is what guarantees the immutability of the blockchain.
  • Collision Resistance: It is computationally infeasible to find two different inputs that produce the same hash output (a "collision"). With 2^256 possible outputs, finding a specific hash value is analogous to searching a space larger than the number of atoms in the observable universe.
  • The Key to Chaining Blocks: Each block header contains the hash of the previous block. Tampering with the contents of any block changes that block's hash, which then conflicts with the "previous block hash" field in the next block — breaking the integrity of the entire chain from that point forward.
  • Merkle Tree Construction: All transactions within a block are summarized using SHA-256 hashes arranged in a Merkle tree structure, with the resulting Merkle Root stored in the block header. This allows efficient verification of whether a specific transaction is included in a block without downloading the entire blockchain.
  • The Core Operation of Mining: At its essence, PoW mining is the act of performing an enormous number of SHA-256 hash computations in search of a hash below the target value. ASIC chips are purpose-built for SHA-256 operations, making them orders of magnitude more efficient than general-purpose CPUs.

SHA-256 is the computational engine behind Proof of Work (PoW), and it is central to the mining process of iteratively hashing with varying Nonce values. ASIC hardware is engineered specifically to perform SHA-256 operations with maximum efficiency. Together with Elliptic Curve Cryptography, SHA-256 forms the cryptographic backbone of Bitcoin's security model. It also plays a role in protocol upgrades such as SegWit and Taproot, where transaction signature data is hashed as part of the validation process.


Nonce

Definition

A Nonce — short for "Number Used Once" — is a 32-bit integer counter included in the Bitcoin block header. To find a hash at or below the network's target threshold, a miner systematically or randomly varies this Nonce value from 0 up to approximately 4.3 billion (2^32), hashing the block header with each iteration. Finding a valid Nonce is the central challenge of the PoW puzzle, and the act of searching for it is what constitutes mining. At modern levels of mining difficulty, the entire 32-bit Nonce space is often exhausted in a matter of milliseconds, requiring miners to manipulate additional variables to continue the search.

Key Points

  • The Limits of the Nonce Space: A 32-bit Nonce supports approximately 4,294,967,296 distinct values. Modern ASIC mining hardware can exhaust this entire space in just a few milliseconds, meaning the Nonce field alone does not provide sufficient search space at current difficulty levels.
  • Extra Nonce as an Extension: When the Nonce space is exhausted, miners modify the Extra Nonce field within the coinbase transaction. Altering the coinbase transaction changes the Merkle Root in the block header, which in turn changes the entire hash input — effectively providing an unbounded additional search space.
  • Timestamp Manipulation: The timestamp field in the block header can also be slightly adjusted to generate new hash inputs. This provides yet another dimension of search space beyond the Nonce itself.
  • Part of the Block Header Structure: A Bitcoin block header consists of six fields: Version, Previous Block Hash, Merkle Root, Timestamp, Bits (target), and Nonce. The Nonce is the primary field that miners freely manipulate in the search for a valid block.

The Nonce is the primary search variable in Proof of Work (PoW) and works in conjunction with the Hash Function (SHA-256) to form the core mechanics of mining. The technique of modifying the Extra Nonce in the coinbase transaction when the Nonce space is exhausted connects directly to how Mining Pools use the Stratum protocol to assign distinct Nonce ranges to individual miners, ensuring that no two miners are duplicating work.
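
The header hashing described in the Proof of Work, Hash Function and Nonce sections, as an added example (not code from this page or from any Bitcoin implementation): it serializes the six header fields, applies double SHA-256 and compares the result with the target encoded in Bits. The genesis field values are the publicly documented mainnet ones rather than values taken from this page, and the toy header passed to mine() is constructed for the demonstration.

```python
import hashlib
import struct

# Publicly documented mainnet genesis header values (not taken from this page).
GENESIS = {
    "version": 1,
    "prev_hash": "00" * 32,  # serialized as 32 zero bytes
    "merkle_root": "4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b",
    "timestamp": 1231006505,  # 2009-01-03 18:15:05 UTC
    "bits": 0x1D00FFFF,
    "nonce": 2083236893,
}


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, as applied to block headers."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def serialize_header(version, prev_hash, merkle_root, timestamp, bits, nonce) -> bytes:
    """Pack the six header fields into the 80 bytes that get hashed.

    Integers are little-endian; hashes are shown in hex byte-reversed
    relative to how they are serialized, hence the [::-1].
    """
    return (
        struct.pack("<I", version)
        + bytes.fromhex(prev_hash)[::-1]
        + bytes.fromhex(merkle_root)[::-1]
        + struct.pack("<III", timestamp, bits, nonce)
    )


def bits_to_target(bits: int) -> int:
    """Expand the compact Bits field into the full 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def block_hash(header: bytes) -> str:
    """Block hash in the byte order block explorers display."""
    return sha256d(header)[::-1].hex()


def meets_target(header: bytes, bits: int) -> bool:
    """Verification is one double hash and one integer comparison."""
    return int.from_bytes(sha256d(header), "little") <= bits_to_target(bits)


def mine(fields: dict, max_nonce: int = 2**32):
    """Guess-and-check over the 32-bit nonce space; returns a nonce or None."""
    for nonce in range(max_nonce):
        header = serialize_header(**{**fields, "nonce": nonce})
        if meets_target(header, fields["bits"]):
            return nonce
    return None  # space exhausted: a miner would then vary extra nonce or timestamp


def differing_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two digests differ (avalanche effect)."""
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")


if __name__ == "__main__":
    header = serialize_header(**GENESIS)
    print(len(header), block_hash(header), meets_target(header, GENESIS["bits"]))
    # Constructed toy header with a much easier target (about 65,000 tries expected).
    toy = {**GENESIS, "merkle_root": "11" * 32, "bits": 0x1F00FFFF, "nonce": 0}
    print("toy nonce:", mine(toy))
```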


Hash Rate

Definition

Hash Rate is a metric representing the number of SHA-256 hash computations performed per second by an individual miner or the entire mining network. It can be measured at various scales — from a single ASIC device to the global Bitcoin network as a whole — and is expressed in units such as KH/s (kilohashes), MH/s (megahashes), GH/s (gigahashes), TH/s (terahashes), PH/s (petahashes), and EH/s (exahashes) per second. As of 2024, Bitcoin's total network hash rate stands in the range of several hundred EH/s, making Bitcoin the most computationally powerful network in history by a significant margin.

Key Points

  • A Direct Measure of Security: The higher the network's total hash rate, the greater the computational cost required to execute a 51% Attack, and therefore the more secure the network. Hash rate is the most intuitive quantitative indicator of Bitcoin's security posture.
  • Correlation with Bitcoin Price: Hash rate and Bitcoin's price tend to move in the same direction. When the price rises, mining becomes more profitable, attracting more participants and driving hash rate higher. Conversely, when prices fall, less efficient miners exit the market, reducing hash rate.
  • Relationship with Difficulty Retarget: Sharp changes in hash rate directly influence block production times, which are then corrected by the Difficulty Retarget mechanism. A sudden surge in hash rate causes blocks to be produced faster than the 10-minute target, prompting a difficulty increase at the next adjustment epoch.
  • Network Health Monitoring: A sudden, significant drop in hash rate can signal a large-scale mining facility shutdown, power disruptions, or regulatory crackdowns — making hash rate a valuable tool for assessing the overall health of the network.

Hash rate represents the total computational output of PoW and serves as the primary input to the Difficulty Retarget algorithm. Advances in ASIC hardware have been the primary driver of network-wide hash rate growth. Mining Pools aggregate the hash rate of individual miners to generate more predictable revenue streams. From the perspective of the Security Budget, hash rate is intrinsically linked to the economic incentives that keep miners participating in and securing the network.


Difficulty Retarget

Definition

Difficulty Retarget is an automatic adjustment mechanism built into the Bitcoin protocol that recalibrates mining difficulty every 2,016 blocks (approximately every two weeks) to maintain an average block production time of roughly 10 minutes. Concretely, the protocol compares the actual time taken to mine the most recent 2,016 blocks against the ideal target time (2,016 × 10 minutes = 20,160 minutes) and adjusts the difficulty proportionally. To prevent extreme volatility, the adjustment is capped: in any single adjustment, difficulty can rise to at most 4 times the current difficulty or fall to no less than 1/4 of it.

Key Points

  • Why 10 Minutes?: The 10-minute block time reflects a deliberate tradeoff between network propagation latency and security. Too short, and new blocks are produced before the previous block has time to propagate to all nodes globally, leading to frequent Chain Reorganizations (Reorgs). Too long, and transaction confirmation times become unacceptably slow.
  • Automatic Adaptation to Hash Power Changes: Whether a surge of new miners and hardware floods the network or a mass exodus of hash power suddenly occurs, the Difficulty Retarget responds automatically. For example, when China banned Bitcoin mining in 2021 and roughly 50% of global hash rate disappeared overnight, the difficulty adjustment mechanism reduced difficulty accordingly — and the network continued producing blocks without interruption.
  • Largest Historical Adjustment: Following China's 2021 mining ban, the Bitcoin network experienced its largest-ever single difficulty decrease of approximately 28%, as the network adapted to the sudden loss of roughly half its computational power. Hash rate subsequently migrated to other jurisdictions and recovered fully.
  • Adjustment Formula: New Difficulty = Current Difficulty × (20,160 minutes / Actual Time Elapsed). If the result exceeds 4× the current difficulty, it is capped at 4×; if it falls below 1/4, it is floored at 1/4.

Difficulty Retarget is the critical bridge between PoW and Hash Rate — it continuously monitors changes in hash rate and adjusts the target threshold to maintain the 10-minute block time. Together with Halving, it constitutes one of the two foundational pillars of Bitcoin's monetary policy. It is also an indispensable component in maintaining the long-term stability of Nakamoto Consensus.
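
The adjustment formula above, as an added example (not code from this page or from a Bitcoin implementation): it goes one step beyond the text by working on the target stored in the compact Bits field, which is the inverse of difficulty, so the 4x cap is applied to the measured timespan and a longer timespan produces a larger (easier) target. The starting Bits values and timespans are constructed inputs, and using the difficulty-1 target as the easiest allowed target is an assumption of this sketch.

```python
TARGET_TIMESPAN = 2016 * 10 * 60   # 20,160 minutes expressed in seconds
DIFF1_TARGET = 0xFFFF << 208       # target for difficulty 1 (Bits 0x1d00ffff)


def bits_to_target(bits: int) -> int:
    """Expand compact Bits (1-byte exponent, 3-byte mantissa) to an integer."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def target_to_bits(target: int) -> int:
    """Compress a target back to compact Bits, truncating low-order bytes."""
    size = (target.bit_length() + 7) // 8
    if size <= 3:
        mantissa = target << (8 * (3 - size))
    else:
        mantissa = target >> (8 * (size - 3))
    if mantissa & 0x800000:        # top bit is a sign bit in this encoding
        mantissa >>= 8
        size += 1
    return (size << 24) | mantissa


def retarget(old_bits: int, actual_timespan: int) -> int:
    """Return the Bits for the next 2,016-block period.

    actual_timespan is the number of seconds the last period took.
    """
    clamped = min(max(actual_timespan, TARGET_TIMESPAN // 4), TARGET_TIMESPAN * 4)
    new_target = bits_to_target(old_bits) * clamped // TARGET_TIMESPAN
    new_target = min(new_target, DIFF1_TARGET)   # never easier than difficulty 1
    return target_to_bits(new_target)


def difficulty(bits: int) -> float:
    """Difficulty relative to the difficulty-1 target."""
    return DIFF1_TARGET / bits_to_target(bits)


if __name__ == "__main__":
    start = 0x1B0404CB  # constructed starting point
    for label, span in [("on schedule", TARGET_TIMESPAN),
                        ("twice as fast", TARGET_TIMESPAN // 2),
                        ("ten times as fast", TARGET_TIMESPAN // 10),
                        ("ten times as slow", TARGET_TIMESPAN * 10)]:
        new_bits = retarget(start, span)
        ratio = difficulty(new_bits) / difficulty(start)
        print(f"{label:18s} bits={new_bits:#010x} difficulty x{ratio:.3f}")
```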


ASIC (Application-Specific Integrated Circuit)

Definition

An ASIC (Application-Specific Integrated Circuit) is a semiconductor chip designed exclusively to perform SHA-256 hash computations. Unlike general-purpose CPUs or GPUs, which are engineered to handle a broad range of tasks, Bitcoin mining ASICs dedicate every transistor on the die to executing SHA-256d (double SHA-256) operations as rapidly and energy-efficiently as possible. The result is a device that can outperform a CPU by a factor of tens of thousands to hundreds of thousands in terms of hash operations per watt. Today, the Bitcoin mining industry has essentially transitioned entirely to ASIC-based infrastructure.

Key Points

  • The Evolution of Mining Hardware: Bitcoin mining has progressed through four hardware generations: CPU → GPU (graphics cards) → FPGA (Field-Programmable Gate Arrays) → ASIC. Each transition brought efficiency improvements of tens to hundreds of times over the previous generation. Since the advent of ASICs, mining with CPUs or GPUs has become economically nonviable.
  • Rising Barriers to Entry: The high research, development, and manufacturing costs of ASICs have consolidated mining into the hands of well-capitalized industrial operations, raising barriers to entry for individual participants and concentrating hash power among a smaller number of large actors.
  • Continuous Performance Improvements: Leading ASIC manufacturers — including Bitmain, MicroBT, and Canaan — release new generations of mining hardware on a regular cycle, each achieving measurable improvements in efficiency (measured in joules per terahash, J/TH). Older-generation ASICs are progressively priced out of profitability as newer, more efficient models flood the market.
  • Hardware Monoculture Risk: Because all Bitcoin ASICs are optimized for the same SHA-256 algorithm, a fundamental vulnerability in SHA-256 would theoretically render the entire mining hardware base obsolete. In practice, however, SHA-256 remains cryptographically robust with no known exploitable weaknesses.
  • Relationship to Mining Centralization: The capital-intensive nature of ASIC manufacturing and the economies of scale in industrial mining operations have contributed to a degree of geographic and organizational centralization in Bitcoin mining — a topic that remains actively debated in the community.

ASICs are purpose-built to perform the SHA-256 computations that drive Proof of Work (PoW). Their widespread adoption is the primary reason for the dramatic increases in global Hash Rate over time. Mining Pools emerged partly as a direct consequence of ASIC proliferation, giving smaller participants a way to earn consistent rewards despite the dominance of large operations. The economics of ASIC deployment are also central to discussions about the Security Budget and the long-term sustainability of mining incentives post-Halving.


Mining Pool

Definition

A Mining Pool is a cooperative arrangement in which multiple miners combine their individual hash rate to increase their collective probability of mining a valid block, then share the resulting block reward proportionally based on each participant's contributed hash power. Because Bitcoin's PoW is a probabilistic process, an individual miner with modest hash rate might go months or years without successfully mining a block on their own. Mining pools smooth out this variance, providing participants with small, frequent payouts rather than large, infrequent windfalls. The pool operator coordinates work distribution and reward disbursement, typically charging a small fee (usually 1–3%) for this service.

Key Points

  • Variance Reduction: The fundamental value proposition of a mining pool is statistical. A solo miner contributing 0.001% of the network's hash rate has an extremely low probability of finding any given block. By joining a pool, that miner receives a proportional share of every block the pool finds — converting a highly variable income stream into a predictable one.
  • Work Distribution via Stratum: Pools use the Stratum protocol to assign each participating miner a unique range of Nonce values and Extra Nonce configurations to search, ensuring that miners are not duplicating each other's work and that all hash rate is being used efficiently.
  • Reward Distribution Methods: Various payout schemes exist, each with different risk-sharing characteristics. Common models include Pay Per Share (PPS), which pays a fixed amount for each valid share submitted regardless of whether the pool finds a block; and Proportional (PROP), where rewards are distributed based on shares submitted during the round in which a block is found.
  • Centralization Concerns: A small number of large mining pools collectively control a majority of Bitcoin's total hash rate. If any single pool were to exceed 51% of network hash rate, it would theoretically be able to execute a 51% Attack. The community actively monitors pool concentration as a key network health metric.
  • Hashrate Distribution Transparency: Bitcoin's mining pool landscape is publicly observable, with real-time dashboards showing each pool's share of total network hash rate. This transparency is crucial for the community to monitor decentralization trends and respond to concentration risks.

Mining Pools are a direct product of the ASIC era and the extreme difficulty of solo mining at scale. They interact closely with the Nonce and Extra Nonce search space management enabled by the Stratum protocol. Pool concentration is a central concern in discussions of the 51% Attack threat model. The block rewards and transaction fees that pools distribute to miners are also the primary components of the Security Budget.


Nakamoto Consensus

Definition

Nakamoto Consensus is the consensus mechanism introduced by Satoshi Nakamoto in the Bitcoin whitepaper, combining Proof of Work with the "longest chain rule" (more precisely, the chain with the greatest accumulated PoW, or "heaviest chain") to enable a decentralized network of nodes to agree on a single, canonical transaction history without any central coordinator. The core principle is simple: nodes always consider the chain with the greatest total cumulative PoW as the valid chain, and rational miners have a powerful economic incentive to extend the longest chain rather than competing against it. This creates a self-reinforcing system in which honest behavior is the dominant strategy.

Key Points

  • The Longest Chain Rule: When two miners simultaneously find valid blocks at the same height, creating a temporary fork, nodes adopt whichever branch is extended first by the next block. The shorter branch is then abandoned, and its transactions are returned to the mempool. Over time, the longest chain always wins.
  • Probabilistic Finality: Unlike some consensus mechanisms that offer absolute finality, Nakamoto Consensus provides probabilistic finality. The deeper a transaction is buried under subsequent blocks, the exponentially less likely it becomes that it will ever be reversed. In practice, 6 confirmations (approximately 60 minutes) is widely considered sufficient for high-value transactions.
  • Self-Healing Network: Nakamoto Consensus allows the Bitcoin network to continue operating and reaching consensus even in the face of network partitions, malicious nodes, and asynchronous communication — without any central authority to arbitrate disputes.
  • Economic Game Theory: The mechanism relies on rational economic incentives. Attempting to rewrite history requires expending more computational resources than the entire honest network — and even a successful attack would likely destroy the value of the very asset the attacker is targeting. Honest mining is simply the most profitable strategy.
  • Byzantine Fault Tolerance: Nakamoto Consensus provides a practical form of Byzantine fault tolerance in an open, permissionless network — a problem that had stumped computer scientists for decades before Bitcoin. It tolerates up to 50% of network hash rate being controlled by malicious actors (though in practice, significantly less than 50% can be dangerous).

Nakamoto Consensus is the overarching framework that binds together Proof of Work (PoW), the Genesis Block as the universal starting reference, and the Difficulty Retarget mechanism that keeps block production stable. It is also the lens through which Chain Reorganization (Reorg) and 51% Attack must be understood — both are behaviors that emerge from, or threaten, the assumptions underlying Nakamoto Consensus. Without PoW providing the "weight" to chains, the longest chain rule itself would be meaningless.


Chain Reorganization (Reorg)

Definition

A Chain Reorganization (Reorg) occurs when a node switches from its currently accepted chain to a different chain that has accumulated more total Proof of Work — effectively replacing some number of recently accepted blocks with an alternative sequence. Reorgs can happen naturally and benignly (for example, when two miners find blocks simultaneously, creating a brief fork that resolves when one branch grows longer) or maliciously (when an attacker secretly mines an alternative chain and then broadcasts it to overtake the honest chain). The depth of a reorg — measured in the number of blocks replaced — determines its severity and impact.

Key Points

  • Natural vs. Malicious Reorgs: Shallow reorgs of 1–2 blocks are a normal, occasional occurrence on the Bitcoin network, arising from the propagation latency inherent in a globally distributed system. Deep reorgs of many blocks are extraordinarily rare on Bitcoin and would indicate either a catastrophic network event or a deliberate 51% Attack.
  • Transaction Reversal Risk: Any transaction confirmed in a block that is subsequently orphaned by a reorg is effectively "unconfirmed" and returns to the mempool. This is why the standard recommendation is to wait for multiple confirmations before considering a transaction final, particularly for large-value transfers.
  • Selfish Mining: A theoretical attack strategy known as selfish mining involves a miner (or pool) privately withholding valid blocks and publishing them strategically to cause reorgs that orphan honest miners' blocks. Even with less than 50% of hash rate, a selfish miner can gain a disproportionate share of block rewards — though this attack is difficult to execute successfully in practice.
  • Orphan Blocks: Blocks that were once part of the active chain but have been replaced by a longer chain are called orphan blocks (or stale blocks). The transactions in orphan blocks are not lost — they return to the mempool and are typically re-included in subsequent blocks.
  • Exchange and Payment Processor Vulnerability: Services that accept zero-confirmation transactions or require very few confirmations are particularly vulnerable to reorg-based double-spend attacks, where an attacker broadcasts a transaction to a merchant and simultaneously mines a conflicting transaction in a private chain.

Chain Reorgs are a direct consequence of the probabilistic nature of Nakamoto Consensus and are the primary vector through which a 51% Attack manifests its harm. The probability and cost of a deep reorg are determined by the network's total Hash Rate. Difficulty Retarget, by keeping block times consistent, indirectly influences the frequency of natural shallow reorgs. The depth of confirmations required to consider a transaction safe is fundamentally a response to the risk of reorgs.


Halving

Definition

Halving (also referred to as the "halvening") is a programmatic event built into the Bitcoin protocol that cuts the block subsidy — the amount of newly created bitcoin awarded to the miner who successfully mines a block — in half every 210,000 blocks (approximately every four years). Bitcoin launched with a block subsidy of 50 BTC. After the first halving in November 2012, this dropped to 25 BTC; after the second in July 2016, to 12.5 BTC; after the third in May 2020, to 6.25 BTC; and after the fourth in April 2024, to 3.125 BTC. This process will continue until approximately the year 2140, at which point the final satoshi will have been mined and the total supply will have reached its hard cap of 21 million BTC.

Key Points

  • Enforcing Scarcity: The Halving is the mechanism by which Bitcoin enforces its fixed, predictable monetary supply. Unlike fiat currencies, which can be inflated at the discretion of central authorities, Bitcoin's issuance schedule is entirely determined by mathematics and cannot be altered without network-wide consensus.
  • The Stock-to-Flow Model: Each Halving dramatically increases Bitcoin's stock-to-flow ratio — the relationship between existing supply (stock) and new annual issuance (flow). Proponents of the stock-to-flow model argue that this mechanical reduction in supply growth has historically correlated with significant price appreciation, though the model remains controversial.
  • Miner Economics: Each Halving directly cuts miners' block subsidy revenue in half, creating significant pressure on mining economics. Miners whose cost of production exceeds the new revenue level are forced to shut down, causing a temporary decline in hash rate that is subsequently corrected by a Difficulty Retarget.
  • The Transition to Fee Revenue: As block subsidies continue to diminish, transaction fees must eventually become the primary economic incentive for miners to continue securing the network. The long-term sustainability of Bitcoin's security model after subsidies approach zero is a critical and actively debated topic — closely tied to the concept of the Security Budget.
  • Predictability and Transparency: Every participant in the Bitcoin network knows in advance exactly when the next Halving will occur and exactly how much the block subsidy will be reduced. This predictability is a defining feature of Bitcoin's monetary policy and stands in stark contrast to the opaque, discretionary nature of central bank policy.

Halving is the central pillar of Bitcoin's monetary policy, directly interacting with the Security Budget by progressively reducing the block subsidy that funds network security. Miners respond to each Halving through Difficulty Retarget adjustments as hash rate fluctuates. The Lightning Network becomes increasingly important as a scaling solution that could drive on-chain transaction fee revenue over the long term. The long-term security implications of declining subsidies are inseparable from the broader discussion of PoW's sustainability.
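
The subsidy schedule described above, as an added example (not code from this page or from a Bitcoin implementation): the subsidy is an integer number of satoshis halved by a right shift every 210,000 blocks, so each halving rounds down and nominal issuance ends slightly below 21 million BTC. Function names are choices made for this example, and the total counts the genesis reward that the page describes as unspendable.

```python
COIN = 100_000_000            # satoshis per BTC
HALVING_INTERVAL = 210_000    # blocks between halvings
INITIAL_SUBSIDY = 50 * COIN


def block_subsidy(height: int) -> int:
    """Subsidy in satoshis for the block at the given height."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:        # guard kept for parity with fixed-width integers
        return 0
    return INITIAL_SUBSIDY >> halvings   # integer halving, rounds down


def supply_after(height: int) -> int:
    """Total satoshis issued by subsidies in blocks 0..height inclusive."""
    full_eras, remainder = divmod(height + 1, HALVING_INTERVAL)
    total = sum(HALVING_INTERVAL * block_subsidy(era * HALVING_INTERVAL)
                for era in range(full_eras))
    return total + remainder * block_subsidy(full_eras * HALVING_INTERVAL)


def first_zero_subsidy_height() -> int:
    """Height of the first block whose subsidy rounds down to zero."""
    era = 0
    while block_subsidy(era * HALVING_INTERVAL) > 0:
        era += 1
    return era * HALVING_INTERVAL


if __name__ == "__main__":
    for h in (0, 210_000, 420_000, 630_000, 840_000):
        print(f"height {h:>7}: {block_subsidy(h) / COIN} BTC")
    end = first_zero_subsidy_height()
    print("subsidy reaches zero at height", end)
    print("nominal total:", supply_after(end) / COIN, "BTC")
```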


UTXO (Unspent Transaction Output)

Definition

UTXO (Unspent Transaction Output) is the fundamental accounting primitive of the Bitcoin protocol. Rather than maintaining account balances (as Ethereum does), Bitcoin tracks ownership of funds through a set of discrete, unspent transaction outputs. Every on-chain transaction consumes one or more existing UTXOs as inputs and creates one or more new UTXOs as outputs. A user's "balance" in Bitcoin is not stored anywhere explicitly — it is simply the sum of all UTXOs locked to addresses controlled by that user's private keys. The complete set of all current UTXOs across the Bitcoin network is maintained by every full node as the UTXO set.

Key Points

  • The UTXO Model vs. Account Model: Unlike account-based blockchains where a global state tracks each address's balance, Bitcoin's UTXO model is stateless at the individual level. Each UTXO is an independent "coin" with its own value and spending condition. This design makes parallel transaction validation efficient and eliminates certain classes of replay attacks.
  • Change Outputs: Because UTXOs are indivisible units that must be spent in their entirety, transactions almost always produce a "change output" — an output that returns excess funds back to the sender. For example, spending a 1 BTC UTXO to send 0.3 BTC typically creates two outputs: one for 0.3 BTC to the recipient and one returning approximately 0.7 BTC (minus fees) to the sender.
  • UTXO Set Size: The UTXO set represents the current state of all spendable bitcoin in existence and must be maintained in fast-access memory (or efficient storage) by all full nodes. As of 2024, the Bitcoin UTXO set contains tens of millions of entries, with its size being an ongoing concern for node operators.
  • CoinJoin and Privacy: The UTXO model's structure is double-edged from a privacy perspective. Blockchain analysis firms can attempt to trace fund flows by clustering UTXOs. Techniques like CoinJoin exploit the UTXO model to combine multiple users' inputs into a single transaction, obscuring the link between inputs and outputs.
  • Coin Selection: Wallets must implement coin selection algorithms to decide which UTXOs to use as inputs for a given transaction. Effective coin selection balances minimizing transaction fees (by selecting UTXOs that minimize total transaction size) with consolidating dust (very small UTXOs) to keep the wallet manageable.
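The spend-whole-and-return-change rule and the UTXO set's role in rejecting double spends, as an added Python example (not code from the original page or from any Bitcoin implementation). The `UtxoSet` class, the string txids and the `owner` field standing in for a scriptPubKey are assumptions; signature checks are not modelled.

```python
from dataclasses import dataclass

SATS = 100_000_000  # satoshis per BTC

@dataclass(frozen=True)
class TxOut:
    value: int  # amount in satoshis
    owner: str  # assumption: stand-in for a scriptPubKey, no real script here

class UtxoSet:
    def __init__(self):
        self.coins = {}  # outpoint (txid, vout) -> TxOut

    def balance(self, owner):
        # A "balance" is never stored; it is derived by summing unspent outputs.
        return sum(c.value for c in self.coins.values() if c.owner == owner)

    def apply_tx(self, txid, inputs, outputs):
        """Validate and apply a transaction; return the implied fee in satoshis."""
        if len(set(inputs)) != len(inputs):
            raise ValueError("same outpoint listed twice in one transaction")
        for outpoint in inputs:
            if outpoint not in self.coins:
                raise ValueError(f"not in UTXO set (spent or unknown): {outpoint}")
        total_in = sum(self.coins[op].value for op in inputs)
        total_out = sum(o.value for o in outputs)
        if any(o.value < 0 for o in outputs) or total_out > total_in:
            raise ValueError("outputs exceed inputs")
        for outpoint in inputs:             # inputs are consumed whole
            del self.coins[outpoint]
        for vout, out in enumerate(outputs):
            self.coins[(txid, vout)] = out  # new coins, including change
        return total_in - total_out         # whatever is not returned is the fee

def demo():
    utxos = UtxoSet()
    utxos.coins[("tx0", 0)] = TxOut(1 * SATS, "alice")  # constructed 1 BTC coin
    fee = 10_000
    pay = TxOut(30_000_000, "bob")                      # 0.3 BTC payment
    change = TxOut(1 * SATS - pay.value - fee, "alice")
    paid_fee = utxos.apply_tx("tx1", [("tx0", 0)], [pay, change])
    try:  # second spend of the already-consumed outpoint
        utxos.apply_tx("tx2", [("tx0", 0)], [TxOut(1 * SATS, "carol")])
        second_spend = "accepted"
    except ValueError:
        second_spend = "rejected"
    return paid_fee, utxos.balance("alice"), utxos.balance("bob"), second_spend
```

Omitting the change output would not fail validation: the full 0.7 BTC remainder would simply become the fee.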

The UTXO model is the foundation on which Bitcoin Script operates — every UTXO is locked by a Bitcoin Script spending condition (scriptPubKey), and spending it requires providing a valid unlocking script (scriptSig). SegWit restructured how witness data is associated with UTXOs, introducing the concept of the segwit UTXO type. CoinJoin leverages the multi-input nature of UTXO transactions for privacy enhancement. The Ordinals protocol assigns individual identities to satoshis by tracking them through the UTXO set using ordinal theory.


Bitcoin Script

Definition

Bitcoin Script is a stack-based, intentionally non-Turing-complete scripting language used to specify the conditions under which UTXOs can be spent. Every UTXO is locked by a scriptPubKey (also called the locking script or output script), which defines what proof must be provided to spend the funds. A transaction spending that UTXO must supply a scriptSig (unlocking script) that, when combined with the scriptPubKey and executed on a stack, evaluates to true. The deliberate decision to make Bitcoin Script non-Turing-complete — excluding loops and preventing infinite execution — was a design choice to prioritize security and predictability over general programmability.

Key Points

  • Stack-Based Execution: Bitcoin Script executes on a simple push-down stack. Operations (opcodes) either push data onto the stack or manipulate the stack's contents. Transaction validation consists of concatenating the scriptSig and scriptPubKey and executing them sequentially; if the stack contains a single non-zero value at the end, the transaction is valid.
  • Standard Script Types: The most common script patterns include P2PK (Pay to Public Key), P2PKH (Pay to Public Key Hash — the "1..." address format), P2SH (Pay to Script Hash — the "3..." format), P2WPKH (Pay to Witness Public Key Hash — native SegWit "bc1q..." addresses), and P2TR (Pay to Taproot — "bc1p..." addresses introduced by the Taproot upgrade).
  • Multisignature (Multisig): Bitcoin Script natively supports multisig arrangements, requiring M-of-N signatures to spend a UTXO. For example, a 2-of-3 multisig requires any two of three designated private keys to authorize a spend — a fundamental building block for custodial solutions, corporate treasuries, and smart contract-like constructs on Bitcoin.
  • Non-Turing-Completeness as a Feature: The absence of loops and recursive execution means Bitcoin Script programs always terminate and their resource consumption is bounded. This makes transaction validation safe, predictable, and resistant to denial-of-service attacks via infinite loops — a deliberate tradeoff against the expressiveness available in Turing-complete languages like Solidity.
  • OP_RETURN for Data Storage: The OP_RETURN opcode allows embedding up to 80 bytes of arbitrary data in a transaction output that is explicitly unspendable. This is the on-chain data embedding mechanism used by various protocols, and is distinct from the Ordinals inscription methodology.
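A minimal stack evaluator for the execution model described above, as an added example that is not Bitcoin Core's interpreter or code from the original page. It supports only data pushes, OP_SHA256, OP_EQUAL and OP_EQUALVERIFY, runs the scriptSig and then the scriptPubKey on one shared stack, and uses a constructed two-preimage hash lock; the function names and sample secrets are assumptions.

```python
import hashlib

def cast_to_bool(item: bytes) -> bool:
    """Script truthiness: empty, all-zero, or negative zero (..00 80) is false."""
    for i, b in enumerate(item):
        if b != 0:
            return not (i == len(item) - 1 and b == 0x80)
    return False

def run(script, stack) -> bool:
    """Run data pushes (bytes) and opcodes (str) on stack; False aborts the spend."""
    for op in script:
        if isinstance(op, bytes):
            stack.append(op)
        elif op == "OP_SHA256":
            if not stack:
                return False            # stack underflow
            stack.append(hashlib.sha256(stack.pop()).digest())
        elif op in ("OP_EQUAL", "OP_EQUALVERIFY"):
            if len(stack) < 2:
                return False
            equal = stack.pop() == stack.pop()
            if op == "OP_EQUAL":
                stack.append(b"\x01" if equal else b"")
            elif not equal:
                return False            # VERIFY variant fails immediately
        else:
            return False                # opcode outside this subset
    return True

def verify(script_sig, script_pubkey) -> bool:
    """scriptSig, then scriptPubKey, on one stack; valid only if a single true item remains."""
    stack = []
    if not (run(script_sig, stack) and run(script_pubkey, stack)):
        return False
    return len(stack) == 1 and cast_to_bool(stack[0])

# Constructed sample: an output locked to two SHA-256 preimages.
P1, P2 = b"constructed-secret-1", b"constructed-secret-2"
LOCK = ["OP_SHA256", hashlib.sha256(P2).digest(), "OP_EQUALVERIFY",
        "OP_SHA256", hashlib.sha256(P1).digest(), "OP_EQUAL"]

if __name__ == "__main__":
    print(verify([P1, P2], LOCK))        # correct unlocking script
    print(verify([P2, P1], LOCK))        # preimages pushed in the wrong order
    print(verify([b"x", P1, P2], LOCK))  # extra item left on the stack
```

Every opcode either consumes or produces a bounded number of stack items and there is no jump backwards, so evaluation always finishes in one pass over the script.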

Bitcoin Script is inseparable from the UTXO model — every UTXO is defined by its Script spending conditions. Elliptic Curve
