# A strong bond for Christians and Muslims

“Behold! The angels said: ‘O Mary! God giveth thee glad tidings of a Word from Him. His name will be Jesus Christ, the son of Mary, held in honor in this world and the Hereafter and in (the company of) those nearest to God.’ ”

Before searching for this quote in the New Testament, you might first ask your Muslim co-worker, friend or neighbor for a copy of the Quran, Islam’s revealed text. The quote is from Verse 45 of Chapter 3 in the Quran.

It is well known, particularly in this holiday season, that Christians follow the teachings of Jesus. What is less well understood is that Muslims also love and revere Jesus as one of God’s greatest messengers to mankind.

Other verses in the Quran, regarded by Muslims as the direct word of God, state that Jesus was strengthened with the “Holy Spirit” (2:87) and is a “sign for the whole world.” (21:91) His virgin birth was confirmed when Mary is quoted as asking: “How can I have a son when no man has ever touched me?” (3:47)

The Quran shows Jesus speaking from the cradle and, with God’s permission, curing lepers and the blind (5:110). God also states in the Quran: “We gave (Jesus) the Gospel (Injeel) and put compassion and mercy into the hearts of his followers” (57:27).

As forces of hate in this country and worldwide try to pull Muslims and Christians apart, we are in desperate need of a unifying force that can bridge the widening gap of interfaith misunderstanding and mistrust. That force could be the message of love, peace and forgiveness taught by Jesus and accepted by followers of both faiths.

Christians and Muslims would do well to consider another verse in the Quran reaffirming God’s eternal message of spiritual unity: “Say ye: ‘We believe in God and the revelation given to us and to Abraham, Ismail, Isaac, Jacob, and the Tribes, and that given to Moses and Jesus, and that given to (all) Prophets from their Lord. We make no distinction between any of them, and it is unto Him that we surrender ourselves’ ” (2:136).

The Prophet Muhammad himself sought to erase any distinctions between the message he taught and that taught by Jesus, who he called God’s “spirit and word.” Prophet Muhammad said: “Both in this world and in the Hereafter, I am the nearest of all people to Jesus, the son of Mary. The prophets are paternal brothers; their mothers are different, but their religion is one.”

When Muslims mention the Prophet Muhammad, they always add the phrase “peace be upon him.” Christians may be surprised to learn that the same phrase always follows a Muslim’s mention of Jesus or that we believe Jesus will return to Earth in the last days before the final judgment. Disrespect toward Jesus, as we have seen all too often in our society, is very offensive to Muslims.

Unfortunately, violent events and hate-filled rhetoric around the world provide ample opportunity for promoting religious hostility. And, yes, Muslims and Christians do have some differing perspectives on Jesus’ life and teachings. But his spiritual legacy offers an alternative opportunity for people of faith to recognize their shared religious heritage.

America’s Muslim community stands ready to honor that legacy by building bridges of interfaith understanding and challenging those who would divide our nation along religious or ethnic lines.

We have more in common than we think.

Ibrahim Hooper is national communications director for the Washington-based Council on American-Islamic Relations, the nation’s largest Muslim civil liberties group (ihooper@cair.com).

# This isn’t ‘feminism’. It’s Islamophobia

I am infuriated by white men stirring up anti-Muslim prejudice to derail debate on western sexismThe GuardianSunday 22 December 2013 18.30 GMT

An English Defence League rally in Dewsbury, West Yorkshire. ‘Far-right groups … rush to condemn crimes against women committed by Muslim men, while fielding candidates who make claims like “women are like gongs – they need to be struck regularly”.’ Photograph: Russell Pollard/Demotix/Corbis

As a person who writes about women’s issues, I am constantly being told that Islam is the greatest threat to gender equality in this or any other country – mostly by white men, who always know best. This has been an extraordinary year for feminism, but from the Rochdale grooming case to interminable debates over whether traditional Islamic dress is “empowering” or otherwise, the rhetoric and language of feminism has been co-opted by Islamophobes, who could not care less about women of any creed or colour.

The recent blanket coverage of the “gender segregation on campus” story was a textbook case. This month Student Rights, a pressure group not run by students, released a report vastly exaggerating a suggestion by Universities UK that male and female students might be asked to sit separately in some lectures led by Islamic guest speakers. Many Asian women’s groups and individual Muslim feminists joined the subsequent protests, sometimes taking personal risks to do so. Unfortunately, rightwing commentators and tabloids seized upon the issue to imply that Islamic extremists are taking over the British academy.

Never mind that it wasn’t strictly true, the non-controversy spread to every level of government. Labour MP Chuka Umunna declared: “A future Labour government would not allow or tolerate segregation in our universities.” Even the prime minister stepped into the debate, saying the proposed guidelines, which have since been withdrawn, were “not the right approach”. The elite all-male Oxford club of which both he and the chancellor were members was presumably the perfect approach.

I have spent weary weeks being asked to condemn this “policy of gender segregation” by “Islamic extremists”, despite the fact that no such policy exists. Of course, I condemn all sexism within the academy. I condemn segregated drinking societies and the under-representation of women at the top levels of academia. I condemn rape culture on campus, traditions like “seal clubbing” and “slut dropping” where male students are encouraged to sexually humiliate their female classmates. If I’ve enough breath left, I’ll condemn the suggestion that guest lecturers be allowed a segregated audience for religious reasons.

Structural sexism does take place every day in our universities, as it does in our offices, shops and homes – and we should oppose it everywhere. But demanding that feminists of every race and faith drop all our campaigns and stand against “radical Islam” sounds more and more like white patriarchy trying to make excuses for itself: “If you think we’re bad, just look at these guys.”

It’s the dishonesty that angers me most. It’s the hypocrisy of men claiming to stand for women’s rights while appropriating our language of liberation to serve their own small-minded agenda. Far-right groups like the English Defence League and the British National party rush to condemn crimes against women committed by Muslim men, while fielding candidates who make claims like “women are like gongs – they need to be struck regularly“.

Some of their members tell me that since they are standing against the sexism of Muslim barbarians, as a feminist I should be on their side. When I disagree, I am invariably informed I deserve be shipped to Afghanistan and stoned to death.

Horror stories about Muslim misogyny have long been used by western patriarchs to justify imperialism abroad and sexism at home. The Guardian’s Katharine Viner reminds us about Lord Cromer, the British consul general in Egypt from 1883. Cromer believed the Egyptians were morally and culturally inferior in their treatment of women and that they should be “persuaded or forced” to become “civilised” by disposing of the veil.

“And what did this forward-thinking, feminist-sounding veil-burner do when he got home to Britain?” asks Viner. “He founded and presided over the Men’s League for Opposing Women’s Suffrage, which tried, by any means possible, to stop women getting the vote. Colonial patriarchs like Cromer … wanted merely to replace eastern misogyny with western misogyny.” More than a century later, the same logic is used to imply that misogyny only matters when it isn’t being done by white men.

I am not writing here on behalf of Muslim women, who can and do speak for themselves, and not all in one voice. I am writing this as a white feminist infuriated by white men using dog-whistle Islamophobia to derail any discussion of structural sexism; as someone who has heard too many reactionaries tell me to shut up about rape culture and the pay gap and just be grateful I’m not in Saudi Arabia; as someone angered that so many Muslim feminists fighting for gender justice are forced to watch their truth, to paraphrase that fusty old racist Rudyard Kipling, “twisted by knaves to make a trap for fools”.

We are the fools, if we believe that accepting aggressive distinctions between nice, safe western sexism and scary, heathen Muslim sexism is going to serve the interests of women. The people making these arguments don’t care about women. They care about stoking controversy, attacking Muslims and shouting down feminists of all stripes.

For decades, western men have hijacked the language of women’s liberation to justify their Islamophobia. If we care about the future of feminism, we cannot let them set the agenda.

This article was amended to draw attention to the fact that many Muslim and Asian women were involved in the “gender segregation” protests

# If WIFi does this to plants, what is it doing to you?

Are you slowly killing your houseplants? Probably! But there might be a reason (other than neglect) why they’re all yellow and wilty: your Wi-Fi router.

An experiment by a handful of high school students in Denmark has sparked some serious international interest in the scientific community.

Five ninth-grade girls at Hjallerup School in North Jutland, Denmark, noticed they had trouble concentrating after sleeping with their mobile phones at their bedsides. They tried to figure out why. The school obviously doesn’t have the equipment to test human brain waves, so the girls decided to do a more rudimentary experiment.

They placed six trays of garden cress seeds next to Wi-Fi routers that emitted roughly the same microwave radiation as a mobile phone. Then they placed six more trays of seeds in a separate room without routers. The girls controlled both environments for room temperature, sunlight and water.

After 12 days, they found the garden cress seeds in the routerless room had exploded into bushy greenery, while the seeds next to the Wi-Fi routers were brown, shriveled, and even mutated. See for yourself:

Teacher Kim Horsevad told the Daily Dot that her students did the test twice with the same results. She was quick to point out that while the students did the experiment to test only one variable to the best of their ability, it is a high school experiment and this isn’t a professional study.

“Some of the local debate has been whether the effects were due the cress seeds drying up because of heat from the computers or Access Points used in the experiment, which is a suggestion I can thoroughly refute,” Horsevad said. “The pupils were painstakingly careful in keeping the conditions for both groups similar. The cress seeds in both groups were kept sufficiently moist during the whole experiment, and the temperature were controlled thermostatically. The computers were placed so that the heat would not affect the seeds, which was verified by temperature measurements. Still, there may be confounders which neither the pupils or I have been aware of, but I cannot imagine what they would be.”

She said the results are clearly dramatic and could trigger additional research. Two scientists, neuroscience professor Olle Johanssen at the Karolinska Institutet in Sweden and Dr. Andrew Goldsworthy at the Imperial College in London, have both expressed an interest in the experiment and may repeat it in a professional lab environment.

From left: Lea Nielsen, Mathilde Nielsen, Signe Nielsen, Sisse Coltau and Rikke Holm.

Perhaps coolest of all, the students were awarded for their work at the Danish national science fair.

# Top 9 New Technologies

Bangalore: The driverless cars, flying internet balloons and Google Glass may make you feel that you are a step closer to science fiction;

where world of technology is filled with limitless possibilities. But there are other lesser known technologies that can give you the same feel.

Imagine a micro robot traversing your blood stream killing cancerous cells, a nanofiber maze that can filter sea water for drinking purpose,

the technology where data can be stored in your DNA— feeling as if you are in a wormhole to future? But they are happening right now.

Read on to know 9 mind-blowing technologies that you didn’t know

#9 A brain-to-brain interface for communication and control

Imagine a nuero-sensitive headset that can be used to communicate with each other.

What if it does something more than communication, like controlling one’s motor muscles!!.

A team at Harvard has built just this, and it even works for animals.

There’s lots of speculation that it could one day enable some sort of communication

with animals as well.

And probably help the paraplegic to dance !!!

#8 A substance called d-methionine can prevent noise-induced hearing loss

Pharmacologists have identified a comical called d-methionine which can prevent noise-induced

hearing loss which is common in urban construction workers.

So, soon there will be pills to protect your ears from the acoustic torment of a jackhammer.

#7 Graphene supercapacitors could lead to the electric car of your dreams

The next big thing in automobiles is electric vehicles.  Imagine an electric car that could give

you a couple of hundred miles, then gets fully charged in one minute.

Graphene super capacitors are what will make this possible.

A supercapacitor can hold as much power as a battery, but they charge far more quickly.

As graphene is no longer cost-prohibitive to manufacture at large scale,

grapheme super capacitors could easily end up in our phones, laptops,

and basically anything that runs on a battery.

#6  Femto photography will let you take pictures of objects around the corner from you

Imagine a camera that can capture images at a slow motion of each frame for just two trillionths of a second.

In a recent TED Talk, femto photography specialist demonstrated that this imaging method is so effective

it can even record photons in motion.

You can also apply femto photography tips to shoot a picture of something around the corner from you.

#5 Solar cell paint can turn all kinds of things into a power source

The world has turned into a black hole for energy. From cell phones to fluorescent lamps

everything runs on energy.

Notre Dame Researchers have developed paint that turns a surface into a solar cell;

a step towards the dream of infinite energy.

It’s not totally figured out yet, but a breakthrough may happen anytime soon.

#4 Memristors will drastically change the world of electrical engineering

Sure the transistors, replacing big vacuum tubes, made the sleek gadgets what we hold in our hands possible.

Imagine what a new technology called memristors, a new electric circuit component that takes its name

from “memory” and “resistor,” can do to the gadgets. Hewlett-Packard is already doing big work in this space.

HP Labs Fellow R. Stanley Williams said, “The memristor holds its memory longer. It’s simpler.

It’s easier to make — which means it’s cheaper — and it can be switched a lot faster, with less energy.”

#3 Nanofiber salt filters could be used to harvest ocean water for drinking

Though 71 percent of earth is water, 97.5 percent is contained within the oceans,

just  the remaining 2.5 percent is freshwater. Which means the world is most desperate for clean drinking water.

The new technology called  Nanofiber, is a fibrous material that’s incredibly thin, and can function

very effectively as a salt filter since individual crystals of salt are too big to pass through the holes in

the nanofiber, turning salty water to drinking.

#2 A cancer-killing computer chip could live in a patient’s bloodstream

It’s a “microfluidic” chip, covered in long strands of DNA. The DNA is sort of programmed to

detect and pick the cancerous cells, which can be used to study first, and later to launch an attack on these cells.

#1 You can store data in DNA

Gautim Naik writes in the Wall Street Journal about the eclectic bits of data scientists have already stored on DNA strands.

The scientists encoded in DNA an audio clip of Martin Luther King Jr.’s “I Have a Dream” speech, a photograph,

a copy of Francis Crick and James Watson’s famous “double helix” scientific paper on DNA from 1953

and Shakespeare’s 154 sonnets. They later were able to retrieve them with 99.99 percent accuracy.

So forget silicon ships, the next revolution of data storage can come from bio chips.

# Scientific way to make people like you

How to make people like you: 6 science-based conversation hacks
So you want to know how to make people like you? It’s easier than you think.
When in doubt, parrot. (Thinkstock)

So you want to know how to make people like you? It’s easier than you think.

Here are six research-backed tips:

1. Encourage people to talk about themselves
It gives their brain as much pleasure as food or money:

Talking about ourselves — whether in a personal conversation or through social media sites like Facebook and Twitter — triggers the same sensation of pleasure in the brain as food or money, researchers reported Monday…

“Self-disclosure is extra rewarding,” said Harvard neuroscientist Diana Tamir, who conducted the experiments with Harvard colleague Jason Mitchell. Their findings were published in the Proceedings of the National Academy of Sciences. “People were even willing to forgo money in order to talk about themselves,” Ms. Tamir said. [The Wall Street Journal]

2. To give feedback, ask questions
If you use questions to guide people toward the errors in their thinking process and allow them to come up with the solution themselves, they’re less likely to feel threatened and more likely to follow through.

It’s not you searching for problems; it’s him searching for gaps in his thinking process. You want people to look for assumptions or decisions that don’t make sense upon further reflection…The more you can help people find their own insights, the easier it will be to help others be effective, even when someone has lost the plot on an important project. Bringing other people to insight means letting go of “constructive performance feedback,” and replacing it with “facilitating positive change.” [Your Brain at Work: Strategies for Overcoming Distraction, Regaining Focus, and Working Smarter All Day Long]

Here’s more on feedback.

Stanford professor Jeffrey Pfeffer, persuasion expert Robert Cialdini and many others have allrecommended asking for advice as a powerful way to influence others and warm them to you.

Wharton professor Adam Grant breaks down the science behind it:

New research shows that advice seeking is a surprisingly effective strategy for exercising influence when we lack authority. In one experiment, researcher Katie Liljenquist had people negotiate the possible sale of commercial property. When the sellers focused on their goal of getting the highest possible price, only eight percent reached a successful agreement. When the sellers asked the buyers for advice on how to meet their goals, 42 percent reached a successful agreement. Asking for advice encouraged greater cooperation and information sharing, turning a potentially contentious negotiation into a win-win deal. Studies demonstrate that across the manufacturing, financial services, insurance and pharmaceuticals industries, seeking advice is among the most effective ways to influence peers, superiors, and subordinates. [Give and Take: A Revolutionary Approach to Success]

4. The two-question technique

Sounds silly, but this method is based on research by Nobel Prize-winning psychologist Daniel Kahneman.

A positive answer on the first question will lead to them feeling more positive about their life in general when you ask the second question:

The same pattern is found if a question about the students’ relations with their parents or about their finances immediately precedes the question about general happiness. In both cases, satisfaction in the particular domain dominates happiness reports. Any emotionally significant question that alters a person’s mood will have the same effect. [Thinking, Fast and Slow]

More on this powerful technique here.

5. Repeat the last three words
Active listening has incredible power, and hostage negotiators use it to build rapport. What’s the quick and dirty way to do active listening without training? Social skills expert and author Leil Lowndes recommends simple repetition: “…simply repeat — or parrot — the last two or three words your companion said, in a sympathetic, questioning tone. That throws the conversational ball right back in your partner’s court.”

It shows you’re listening and interested, and it lets them get back to telling their story. You’ve got to be slightly savvy about this one, but it’s surprisingly effective.

Surprisingly effective?

Yes, it is.

It is?

Research shows repetition is effective in negotiations as well.

6. Gossip — but positively
Research shows what you say about others colors how people see you. Compliment other people, and you’re likely to be seen positively. Complain, and you’re likely to be associated with those negative traits you hate:

When you gossip about another person, listeners unconsciously associate you with the characteristics you are describing, ultimately leading to those characteristics’ being “transferred” to you. So, say positive and pleasant things about friends and colleagues, and you are seen as a nice person. In contrast, constantly complain about their failings, and people will unconsciously apply the negative traits and incompetence to you. [59 Seconds: Change Your Life in Under a Minute]

Join 45K+ readers. Get a free weekly update via email here.

# How the Bitcoin protocol actually works

Many thousands of articles have been written purporting to explain Bitcoin, the online, peer-to-peer currency. Most of those articles give a hand-wavy account of the underlying cryptographic protocol, omitting many details. Even those articles which delve deeper often gloss over crucial points. My aim in this post is to explain the major ideas behind the Bitcoin protocol in a clear, easily comprehensible way. We’ll start from first principles, build up to a broad theoretical understanding of how the protocol works, and then dig down into the nitty-gritty, examining the raw data in a Bitcoin transaction.

Understanding the protocol in this detailed way is hard work. It is tempting instead to take Bitcoin as given, and to engage in speculation about how to get rich with Bitcoin, whether Bitcoin is a bubble, whether Bitcoin might one day mean the end of taxation, and so on. That’s fun, but severely limits your understanding. Understanding the details of the Bitcoin protocol opens up otherwise inaccessible vistas. In particular, it’s the basis for understanding Bitcoin’s built-in scripting language, which makes it possible to use Bitcoin to create new types of financial instruments, such as smart contracts. New financial instruments can, in turn, be used to create new markets and to enable new forms of collective human behaviour. Talk about fun!

I’ll describe Bitcoin scripting and concepts such as smart contracts in future posts. This post concentrates on explaining the nuts-and-bolts of the Bitcoin protocol. To understand the post, you need to be comfortable with public key cryptography, and with the closely related idea of digital signatures. I’ll also assume you’re familiar withcryptographic hashing. None of this is especially difficult. The basic ideas can be taught in freshman university mathematics or computer science classes. The ideas are beautiful, so if you’re not familiar with them, I recommend taking a few hours to get familiar.

It may seem surprising that Bitcoin’s basis is cryptography. Isn’t Bitcoin a currency, not a way of sending secret messages? In fact, the problems Bitcoin needs to solve are largely about securing transactions — making sure people can’t steal from one another, or impersonate one another, and so on. In the world of atoms we achieve security with devices such as locks, safes, signatures, and bank vaults. In the world of bits we achieve this kind of security with cryptography. And that’s why Bitcoin is at heart a cryptographic protocol.

My strategy in the post is to build Bitcoin up in stages. I’ll begin by explaining a very simple digital currency, based on ideas that are almost obvious. We’ll call that currency Infocoin, to distinguish it from Bitcoin. Of course, our first version of Infocoin will have many deficiencies, and so we’ll go through several iterations of Infocoin, with each iteration introducing just one or two simple new ideas. After several such iterations, we’ll arrive at the full Bitcoin protocol. We will have reinvented Bitcoin!

This strategy is slower than if I explained the entire Bitcoin protocol in one shot. But while you can understand the mechanics of Bitcoin through such a one-shot explanation, it would be difficult to understand why Bitcoin is designed the way it is. The advantage of the slower iterative explanation is that it gives us a much sharper understanding of each element of Bitcoin.

Finally, I should mention that I’m a relative newcomer to Bitcoin. I’ve been following it loosely since 2011 (and cryptocurrencies since the late 1990s), but only got seriously into the details of the Bitcoin protocol earlier this year. So I’d certainly appreciate corrections of any misapprehensions on my part. Also in the post I’ve included a number of “problems for the author” – notes to myself about questions that came up during the writing. You may find these interesting, but you can also skip them entirely without losing track of the main text.

### First steps: a signed letter of intent

So how can we design a digital currency?

On the face of it, a digital currency sounds impossible. Suppose some person – let’s call her Alice – has some digital money which she wants to spend. If Alice can use a string of bits as money, how can we prevent her from using the same bit string over and over, thus minting an infinite supply of money? Or, if we can somehow solve that problem, how can we prevent someone else forging such a string of bits, and using that to steal from Alice?

These are just two of the many problems that must be overcome in order to use information as money.

As a first version of Infocoin, let’s find a way that Alice can use a string of bits as a (very primitive and incomplete) form of money, in a way that gives her at least some protection against forgery. Suppose Alice wants to give another person, Bob, an infocoin. To do this, Alice writes down the message “I, Alice, am giving Bob one infocoin”. She then digitally signs the message using a private cryptographic key, and announces the signed string of bits to the entire world.

(By the way, I’m using capitalized “Infocoin” to refer to the protocol and general concept, and lowercase “infocoin” to refer to specific denominations of the currency. A similar useage is common, though not universal, in the Bitcoin world.)

This isn’t terribly impressive as a prototype digital currency! But it does have some virtues. Anyone in the world (including Bob) can use Alice’s public key to verify that Alice really was the person who signed the message “I, Alice, am giving Bob one infocoin”. No-one else could have created that bit string, and so Alice can’t turn around and say “No, I didn’t mean to give Bob an infocoin”. So the protocol establishes that Alice truly intends to give Bob one infocoin. The same fact – no-one else could compose such a signed message – also gives Alice some limited protection from forgery. Of course, after Alice has published her message it’s possible for other people to duplicate the message, so in that sense forgery is possible. But it’s not possible from scratch. These two properties – establishment of intent on Alice’s part, and the limited protection from forgery – are genuinely notable features of this protocol.

I haven’t (quite) said exactly what digital money is in this protocol. To make this explicit: it’s just the message itself, i.e., the string of bits representing the digitally signed message “I, Alice, am giving Bob one infocoin”. Later protocols will be similar, in that all our forms of digital money will be just more and more elaborate messages [1].

### Using serial numbers to make coins uniquely identifiable

A problem with the first version of Infocoin is that Alice could keep sending Bob the same signed message over and over. Suppose Bob receives ten copies of the signed message “I, Alice, am giving Bob one infocoin”. Does that mean Alice sent Bob tendifferent infocoins? Was her message accidentally duplicated? Perhaps she was trying to trick Bob into believing that she had given him ten different infocoins, when the message only proves to the world that she intends to transfer one infocoin.

What we’d like is a way of making infocoins unique. They need a label or serial number. Alice would sign the message “I, Alice, am giving Bob one infocoin, with serial number 8740348″. Then, later, Alice could sign the message “I, Alice, am giving Bob one infocoin, with serial number 8770431″, and Bob (and everyone else) would know that a different infocoin was being transferred.

To make this scheme work we need a trusted source of serial numbers for the infocoins. One way to create such a source is to introduce a bank. This bank would provide serial numbers for infocoins, keep track of who has which infocoins, and verify that transactions really are legitimate,

In more detail, let’s suppose Alice goes into the bank, and says “I want to withdraw one infocoin from my account”. The bank reduces her account balance by one infocoin, and assigns her a new, never-before used serial number, let’s say 1234567. Then, when Alice wants to transfer her infocoin to Bob, she signs the message “I, Alice, am giving Bob one infocoin, with serial number 1234567″. But Bob doesn’t just accept the infocoin. Instead, he contacts the bank, and verifies that: (a) the infocoin with that serial number belongs to Alice; and (b) Alice hasn’t already spent the infocoin. If both those things are true, then Bob tells the bank he wants to accept the infocoin, and the bank updates their records to show that the infocoin with that serial number is now in Bob’s possession, and no longer belongs to Alice.

### Making everyone collectively the bank

This last solution looks pretty promising. However, it turns out that we can do something much more ambitious. We can eliminate the bank entirely from the protocol. This changes the nature of the currency considerably. It means that there is no longer any single organization in charge of the currency. And when you think about the enormous power a central bank has – control over the money supply – that’s a pretty huge change.

The idea is to make it so everyone (collectively) is the bank. In particular, we’ll assume that everyone using Infocoin keeps a complete record of which infocoins belong to which person. You can think of this as a shared public ledger showing all Infocoin transactions. We’ll call this ledger the block chain, since that’s what the complete record will be called in Bitcoin, once we get to it.

Now, suppose Alice wants to transfer an infocoin to Bob. She signs the message “I, Alice, am giving Bob one infocoin, with serial number 1234567″, and gives the signed message to Bob. Bob can use his copy of the block chain to check that, indeed, the infocoin is Alice’s to give. If that checks out then he broadcasts both Alice’s message and his acceptance of the transaction to the entire network, and everyone updates their copy of the block chain.

We still have the “where do serial number come from” problem, but that turns out to be pretty easy to solve, and so I will defer it to later, in the discussion of Bitcoin. A more challenging problem is that this protocol allows Alice to cheat by double spending her infocoin. She sends the signed message “I, Alice, am giving Bob one infocoin, with serial number 1234567″ to Bob, and the message”I, Alice, am giving Charlie one infocoin, with [the same] serial number 1234567″ to Charlie. Both Bob and Charlie use their copy of the block chain to verify that the infocoin is Alice’s to spend. Provided they do this verification at nearly the same time (before they’ve had a chance to hear from one another), both will find that, yes, the block chain shows the coin belongs to Alice. And so they will both accept the transaction, and also broadcast their acceptance of the transaction. Now there’s a problem. How should other people update their block chains? There may be no easy way to achieve a consistent shared ledger of transactions. And even if everyone can agree on a consistent way to update their block chains, there is still the problem that either Bob or Charlie will be cheated.

At first glance double spending seems difficult for Alice to pull off. After all, if Alice sends the message first to Bob, then Bob can verify the message, and tell everyone else in the network (including Charlie) to update their block chain. Once that has happened, Charlie would no longer be fooled by Alice. So there is most likely only a brief period of time in which Alice can double spend. However, it’s obviously undesirable to have any such a period of time. Worse, there are techniques Alice could use to make that period longer. She could, for example, use network traffic analysis to find times when Bob and Charlie are likely to have a lot of latency in communication. Or perhaps she could do something to deliberately disrupt their communications. If she can slow communication even a little that makes her task of double spending much easier.

How can we address the problem of double spending? The obvious solution is that when Alice sends Bob an infocoin, Bob shouldn’t try to verify the transaction alone. Rather, he should broadcast the possible transaction to the entire network of Infocoin users, and ask them to help determine whether the transaction is legitimate. If they collectively decide that the transaction is okay, then Bob can accept the infocoin, and everyone will update their block chain. This type of protocol can help prevent double spending, since if Alice tries to spend her infocoin with both Bob and Charlie, other people on the network will notice, and network users will tell both Bob and Charlie that there is a problem with the transaction, and the transaction shouldn’t go through.

In more detail, let’s suppose Alice wants to give Bob an infocoin. As before, she signs the message “I, Alice, am giving Bob one infocoin, with serial number 1234567″, and gives the signed message to Bob. Also as before, Bob does a sanity check, using his copy of the block chain to check that, indeed, the coin currently belongs to Alice. But at that point the protocol is modified. Bob doesn’t just go ahead and accept the transaction. Instead, he broadcasts Alice’s message to the entire network. Other members of the network check to see whether Alice owns that infocoin. If so, they broadcast the message “Yes, Alice owns infocoin 1234567, it can now be transferred to Bob.” Once enough people have broadcast that message, everyone updates their block chain to show that infocoin 1234567 now belongs to Bob, and the transaction is complete.

This protocol has many imprecise elements at present. For instance, what does it mean to say “once enough people have broadcast that message”? What exactly does “enough” mean here? It can’t mean everyone in the network, since we don’t a prioriknow who is on the Infocoin network. For the same reason, it can’t mean some fixed fraction of users in the network. We won’t try to make these ideas precise right now. Instead, in the next section I’ll point out a serious problem with the approach as described. Fixing that problem will at the same time have the pleasant side effect of making the ideas above much more precise.

### Proof-of-work

Suppose Alice wants to double spend in the network-based protocol I just described. She could do this by taking over the Infocoin network. Let’s suppose she uses an automated system to set up a large number of separate identities, let’s say a billion, on the Infocoin network. As before, she tries to double spend the same infocoin with both Bob and Charlie. But when Bob and Charlie ask the network to validate their respective transactions, Alice’s sock puppet identities swamp the network, announcing to Bob that they’ve validated his transaction, and to Charlie that they’ve validated his transaction, possibly fooling one or both into accepting the transaction.

There’s a clever way of avoiding this problem, using an idea known as proof-of-work. The idea is counterintuitive and involves a combination of two ideas: (1) to (artificially) make it computationally costly for network users to validate transactions; and (2) toreward them for trying to help validate transactions. The reward is used so that people on the network will try to help validate transactions, even though that’s now been made a computationally costly process. The benefit of making it costly to validate transactions is that validation can no longer be influenced by the number of network identities someone controls, but only by the total computational power they can bring to bear on validation. As we’ll see, with some clever design we can make it so a cheater would need enormous computational resources to cheat, making it impractical.

That’s the gist of proof-of-work. But to really understand proof-of-work, we need to go through the details.

Suppose Alice broadcasts to the network the news that “I, Alice, am giving Bob one infocoin, with serial number 1234567″.

As other people on the network hear that message, each adds it to a queue of pending transactions that they’ve been told about, but which haven’t yet been approved by the network. For instance, another network user named David might have the following queue of pending transactions:

I, Tom, am giving Sue one infocoin, with serial number 1201174.

I, Sydney, am giving Cynthia one infocoin, with serial number 1295618.

I, Alice, am giving Bob one infocoin, with serial number 1234567.

David checks his copy of the block chain, and can see that each transaction is valid. He would like to help out by broadcasting news of that validity to the entire network.

However, before doing that, as part of the validation protocol David is required to solve a hard computational puzzle – the proof-of-work. Without the solution to that puzzle, the rest of the network won’t accept his validation of the transaction.

What puzzle does David need to solve? To explain that, let $h$ be a fixed hash function known by everyone in the network – it’s built into the protocol. Bitcoin uses the well-known SHA-256 hash function, but any cryptographically secure hash function will do. Let’s give David’s queue of pending transactions a label, $l$, just so it’s got a name we can refer to. Suppose David appends a number $x$ (called the nonce) to $l$ and hashes the combination. For example, if we use $l =$ “Hello, world!” (obviously this is not a list of transactions, just a string used for illustrative purposes) and the nonce $x = 0$ then(output is in hexadecimal)

```h("Hello, world!0") =
```

The puzzle David has to solve – the proof-of-work – is to find a nonce $x$ such that when we append $x$ to $l$ and hash the combination the output hash begins with a long run of zeroes. The puzzle can be made more or less difficult by varying the number of zeroes required to solve the puzzle. A relatively simple proof-of-work puzzle might require just three or four zeroes at the start of the hash, while a more difficult proof-of-work puzzle might require a much longer run of zeros, say 15 consecutive zeroes. In either case, the above attempt to find a suitable nonce, with $x = 0$, is a failure, since the output doesn’t begin with any zeroes at all. Trying $x = 1$ doesn’t work either:

```h("Hello, world!1") =
e9afc424b79e4f6ab42d99c81156d3a17228d6e1eef4139be78e948a9332a7d8
```

We can keep trying different values for the nonce, $x = 2, 3,\ldots$. Finally, at $x = 4250$ we obtain:

```h("Hello, world!4250") =
0000c3af42fc31103f1fdc0151fa747ff87349a4714df7cc52ea464e12dcd4e9
```

This nonce gives us a string of four zeroes at the beginning of the output of the hash. This will be enough to solve a simple proof-of-work puzzle, but not enough to solve a more difficult proof-of-work puzzle.

What makes this puzzle hard to solve is the fact that the output from a cryptographic hash function behaves like a random number: change the input even a tiny bit and the output from the hash function changes completely, in a way that’s hard to predict. So if we want the output hash value to begin with 10 zeroes, say, then David will need, on average, to try $16^{10} \approx 10^{12}$ different values for $x$ before he finds a suitable nonce. That’s a pretty challenging task, requiring lots of computational power.

Obviously, it’s possible to make this puzzle more or less difficult to solve by requiring more or fewer zeroes in the output from the hash function. In fact, the Bitcoin protocol gets quite a fine level of control over the difficulty of the puzzle, by using a slight variation on the proof-of-work puzzle described above. Instead of requiring leading zeroes, the Bitcoin proof-of-work puzzle requires the hash of a block’s header to be lower than or equal to a number known as the target. This target is automatically adjusted to ensure that a Bitcoin block takes, on average, about ten minutes to validate.

(In practice there is a sizeable randomness in how long it takes to validate a block – sometimes a new block is validated in just a minute or two, other times it may take 20 minutes or even longer. It’s straightforward to modify the Bitcoin protocol so that the time to validation is much more sharply peaked around ten minutes. Instead of solving a single puzzle, we can require that multiple puzzles be solved; with some careful design it is possible to considerably reduce the variance in the time to validate a block of transactions.)

Alright, let’s suppose David is lucky and finds a suitable nonce, $x$. Celebration! (He’ll be rewarded for finding the nonce, as described below). He broadcasts the block of transactions he’s approving to the network, together with the value for $x$. Other participants in the Infocoin network can verify that $x$ is a valid solution to the proof-of-work puzzle. And they then update their block chains to include the new block of transactions.

For the proof-of-work idea to have any chance of succeeding, network users need an incentive to help validate transactions. Without such an incentive, they have no reason to expend valuable computational power, merely to help validate other people’s transactions. And if network users are not willing to expend that power, then the whole system won’t work. The solution to this problem is to reward people who help validate transactions. In particular, suppose we reward whoever successfully validates a block of transactions by crediting them with some infocoins. Provided the infocoin reward is large enough that will give them an incentive to participate in validation.

In the Bitcoin protocol, this validation process is called mining. For each block of transactions validated, the successful miner receives a bitcoin reward. Initially, this was set to be a 50 bitcoin reward. But for every 210,000 validated blocks (roughly, once every four years) the reward halves. This has happened just once, to date, and so the current reward for mining a block is 25 bitcoins. This halving in the rate will continue every four years until the year 2140 CE. At that point, the reward for mining will drop below $10^{-8}$ bitcoins per block. $10^{-8}$ bitcoins is actually the minimal unit of Bitcoin, and is known as a satoshi. So in 2140 CE the total supply of bitcoins will cease to increase. However, that won’t eliminate the incentive to help validate transactions. Bitcoin also makes it possible to set aside some currency in a transaction as a transaction fee, which goes to the miner who helps validate it. In the early days of Bitcoin transaction fees were mostly set to zero, but as Bitcoin has gained in popularity, transaction fees have gradually risen, and are now a substantial additional incentive on top of the 25 bitcoin reward for mining a block.

You can think of proof-of-work as a competition to approve transactions. Each entry in the competition costs a little bit of computing power. A miner’s chance of winning the competition is (roughly, and with some caveats) equal to the proportion of the total computing power that they control. So, for instance, if a miner controls one percent of the computing power being used to validate Bitcoin transactions, then they have roughly a one percent chance of winning the competition. So provided a lot of computing power is being brought to bear on the competition, a dishonest miner is likely to have only a relatively small chance to corrupt the validation process, unless they expend a huge amount of computing resources.

Of course, while it’s encouraging that a dishonest party has only a relatively small chance to corrupt the block chain, that’s not enough to give us confidence in the currency. In particular, we haven’t yet conclusively addressed the issue of double spending.

I’ll analyse double spending shortly. Before doing that, I want to fill in an important detail in the description of Infocoin. We’d ideally like the Infocoin network to agree upon the order in which transactions have occurred. If we don’t have such an ordering then at any given moment it may not be clear who owns which infocoins. To help do this we’ll require that new blocks always include a pointer to the last block validated in the chain, in addition to the list of transactions in the block. (The pointer is actually just a hash of the previous block). So typically the block chain is just a linear chain of blocks of transactions, one after the other, with later blocks each containing a pointer to the immediately prior block:

Occasionally, a fork will appear in the block chain. This can happen, for instance, if by chance two miners happen to validate a block of transactions near-simultaneously – both broadcast their newly-validated block out to the network, and some people update their block chain one way, and others update their block chain the other way:

This causes exactly the problem we’re trying to avoid – it’s no longer clear in what order transactions have occurred, and it may not be clear who owns which infocoins. Fortunately, there’s a simple idea that can be used to remove any forks. The rule is this: if a fork occurs, people on the network keep track of both forks. But at any given time, miners only work to extend whichever fork is longest in their copy of the block chain.

Suppose, for example, that we have a fork in which some miners receive block A first, and some miners receive block B first. Those miners who receive block A first will continue mining along that fork, while the others will mine along fork B. Let’s suppose that the miners working on fork B are the next to successfully mine a block:

After they receive news that this has happened, the miners working on fork A will notice that fork B is now longer, and will switch to working on that fork. Presto, in short order work on fork A will cease, and everyone will be working on the same linear chain, and block A can be ignored. Of course, any still-pending transactions in A will still be pending in the queues of the miners working on fork B, and so all transactions will eventually be validated.

Likewise, it may be that the miners working on fork A are the first to extend their fork. In that case work on fork B will quickly cease, and again we have a single linear chain.

No matter what the outcome, this process ensures that the block chain has an agreed-upon time ordering of the blocks. In Bitcoin proper, a transaction is not considered confirmed until: (1) it is part of a block in the longest fork, and (2) at least 5 blocks follow it in the longest fork. In this case we say that the transaction has “6 confirmations”. This gives the network time to come to an agreed-upon the ordering of the blocks. We’ll also use this strategy for Infocoin.

With the time-ordering now understood, let’s return to think about what happens if a dishonest party tries to double spend. Suppose Alice tries to double spend with Bob and Charlie. One possible approach is for her to try to validate a block that includes both transactions. Assuming she has one percent of the computing power, she will occasionally get lucky and validate the block by solving the proof-of-work. Unfortunately for Alice, the double spending will be immediately spotted by other people in the Infocoin network and rejected, despite solving the proof-of-work problem. So that’s not something we need to worry about.

A more serious problem occurs if she broadcasts two separate transactions in which she spends the same infocoin with Bob and Charlie, respectively. She might, for example, broadcast one transaction to a subset of the miners, and the other transaction to another set of miners, hoping to get both transactions validated in this way. Fortunately, in this case, as we’ve seen, the network will eventually confirm one of these transactions, but not both. So, for instance, Bob’s transaction might ultimately be confirmed, in which case Bob can go ahead confidently. Meanwhile, Charlie will see that his transaction has not been confirmed, and so will decline Alice’s offer. So this isn’t a problem either. In fact, knowing that this will be the case, there is little reason for Alice to try this in the first place.

An important variant on double spending is if Alice = Bob, i.e., Alice tries to spend a coin with Charlie which she is also “spending” with herself (i.e., giving back to herself). This sounds like it ought to be easy to detect and deal with, but, of course, it’s easy on a network to set up multiple identities associated with the same person or organization, so this possibility needs to be considered. In this case, Alice’s strategy is to wait until Charlie accepts the infocoin, which happens after the transaction has been confirmed 6 times in the longest chain. She will then attempt to fork the chain before the transaction with Charlie, adding a block which includes a transaction in which she pays herself:

Unfortunately for Alice, it’s now very difficult for her to catch up with the longer fork. Other miners won’t want to help her out, since they’ll be working on the longer fork. And unless Alice is able to solve the proof-of-work at least as fast as everyone else in the network combined – roughly, that means controlling more than fifty percent of the computing power – then she will just keep falling further and further behind. Of course, she might get lucky. We can, for example, imagine a scenario in which Alice controls one percent of the computing power, but happens to get lucky and finds six extra blocks in a row, before the rest of the network has found any extra blocks. In this case, she might be able to get ahead, and get control of the block chain. But this particular event will occur with probability $1/100^6 = 10^{-12}$. A more general analysis along these lines shows that Alice’s probability of ever catching up is infinitesimal, unless she is able to solve proof-of-work puzzles at a rate approaching all other miners combined.

Of course, this is not a rigorous security analysis showing that Alice cannot double spend. It’s merely an informal plausibility argument. The original paper introducing Bitcoin did not, in fact, contain a rigorous security analysis, only informal arguments along the lines I’ve presented here. The security community is still analysing Bitcoin, and trying to understand possible vulnerabilities. You can see some of this researchlisted here, and I mention a few related problems in the “Problems for the author” below. At this point I think it’s fair to say that the jury is still out on how secure Bitcoin is.

The proof-of-work and mining ideas give rise to many questions. How much reward is enough to persuade people to mine? How does the change in supply of infocoins affect the Infocoin economy? Will Infocoin mining end up concentrated in the hands of a few, or many? If it’s just a few, doesn’t that endanger the security of the system? Presumably transaction fees will eventually equilibriate – won’t this introduce an unwanted source of friction, and make small transactions less desirable? These are all great questions, but beyond the scope of this post. I may come back to the questions (in the context of Bitcoin) in a future post. For now, we’ll stick to our focus on understanding how the Bitcoin protocol works.

### Problems for the author

• I don’t understand why double spending can’t be prevented in a simpler manner using two-phase commit. Suppose Alice tries to double spend an infocoin with both Bob and Charlie. The idea is that Bob and Charlie would each broadcast their respective messages to the Infocoin network, along with a request: “Should I accept this?” They’d then wait some period – perhaps ten minutes – to hear any naysayers who could prove that Alice was trying to double spend. If no such nays are heard (and provided there are no signs of attempts to disrupt the network), they’d then accept the transaction. This protocol needs to be hardened against network attacks, but it seems to me to be the core of a good alternate idea. How well does this work? What drawbacks and advantages does it have compared to the full Bitcoin protocol?
• Early in the section I mentioned that there is a natural way of reducing the variance in time required to validate a block of transactions. If that variance is reduced too much, then it creates an interesting attack possibility. Suppose Alice tries to fork the chain in such a way that: (a) one fork starts with a block in which Alice pays herself, while the other fork starts with a block in which Alice pays Bob; (b) both blocks are announced nearly simultaneously, so roughly half the miners will attempt to mine each fork; (c) Alice uses her mining power to try to keep the forks of roughly equal length, mining whichever fork is shorter – this is ordinarily hard to pull off, but becomes significantly easier if the standard deviation of the time-to-validation is much shorter than the network latency; (d) after 5 blocks have been mined on both forks, Alice throws her mining power into making it more likely that Charles’s transaction is confirmed; and (e) after confirmation of Charles’s transaction, she then throws her computational power into the other fork, and attempts to regain the lead. This balancing strategy will have only a small chance of success. But while the probability is small, it will certainly be much larger than in the standard protocol, with high variance in the time to validate a block. Is there a way of avoiding this problem?
• Suppose Bitcoin mining software always explored nonces starting with $x = 0$, then $x = 1, x = 2,\ldots$. If this is done by all (or even just a substantial fraction) of Bitcoin miners then it creates a vulnerability. Namely, it’s possible for someone to improve their odds of solving the proof-of-work merely by starting with some other (much larger) nonce. More generally, it may be possible for attackers to exploit any systematic patterns in the way miners explore the space of nonces. More generally still, in the analysis of this section I have implicitly assumed a kind of symmetry between different miners. In practice, there will be asymmetries and a thorough security analysis will need to account for those asymmetries.

### Bitcoin

Let’s move away from Infocoin, and describe the actual Bitcoin protocol. There are a few new ideas here, but with one exception (discussed below) they’re mostly obvious modifications to Infocoin.

To use Bitcoin in practice, you first install a wallet program on your computer. To give you a sense of what that means, here’s a screenshot of a wallet called Multbit. You can see the Bitcoin balance on the left — 0.06555555 Bitcoins, or about 70 dollars at the exchange rate on the day I took this screenshot — and on the right two recent transactions, which deposited those 0.06555555 Bitcoins:

Suppose you’re a merchant who has set up an online store, and you’ve decided to allow people to pay using Bitcoin. What you do is tell your wallet program to generate a Bitcoin address. In response, it will generate a public / private key pair, and then hash the public key to form your Bitcoin address:

You then send your Bitcoin address to the person who wants to buy from you. You could do this in email, or even put the address up publicly on a webpage. This is safe, since the address is merely a hash of your public key, which can safely be known by the world anyway. (I’ll return later to the question of why the Bitcoin address is a hash, and not just the public key.)

The person who is going to pay you then generates a transaction. Let’s take a look at the data from an actual transaction transferring $0.31900000$ bitcoins. What’s shown below is very nearly the raw data. It’s changed in three ways: (1) the data has been deserialized; (2) line numbers have been added, for ease of reference; and (3) I’ve abbreviated various hashes and public keys, just putting in the first six hexadecimal digits of each, when in reality they are much longer. Here’s the data:

```1.  {"hash":"7c4025...",
2.  "ver":1,
3.  "vin_sz":1,
4.  "vout_sz":1,
5.  "lock_time":0,
6.  "size":224,
7.  "in":[
8.    {"prev_out":
9.      {"hash":"2007ae...",
10.      "n":0},
11.    "scriptSig":"304502... 042b2d..."}],
12. "out":[
13.   {"value":"0.31900000",
14.    "scriptPubKey":"OP_DUP OP_HASH160 a7db6f OP_EQUALVERIFY OP_CHECKSIG"}]}
```

Let’s go through this, line by line.

Line 1 contains the hash of the remainder of the transaction, 7c4025..., expressed in hexadecimal. This is used as an identifier for the transaction.

Line 2 tells us that this is a transaction in version 1 of the Bitcoin protocol.

Lines 3 and 4 tell us that the transaction has one input and one output, respectively. I’ll talk below about transactions with more inputs and outputs, and why that’s useful.

Line 5 contains the value for lock_time, which can be used to control when a transaction is finalized. For most Bitcoin transactions being carried out today thelock_time is set to 0, which means the transaction is finalized immediately.

Line 6 tells us the size (in bytes) of the transaction. Note that it’s not the monetary amount being transferred! That comes later.

Lines 7 through 11 define the input to the transaction. In particular, lines 8 through 10 tell us that the input is to be taken from the output from an earlier transaction, with the given hash, which is expressed in hexadecimal as 2007ae.... The n=0 tells us it’s to be the first output from that transaction; we’ll see soon how multiple outputs (and inputs) from a transaction work, so don’t worry too much about this for now. Line 11 contains the signature of the person sending the money, 304502..., followed by a space, and then the corresponding public key, 04b2d.... Again, these are both in hexadecimal.

One thing to note about the input is that there’s nothing explicitly specifying how many bitcoins from the previous transaction should be spent in this transaction. In fact, all the bitcoins from the n=0th output of the previous transaction are spent. So, for example, if the n=0th output of the earlier transaction was 2 bitcoins, then 2 bitcoins will be spent in this transaction. This seems like an inconvenient restriction – like trying to buy bread with a 20 dollar note, and not being able to break the note down. The solution, of course, is to have a mechanism for providing change. This can be done using transactions with multiple inputs and outputs, which we’ll discuss in the next section.

Lines 12 through 14 define the output from the transaction. In particular, line 13 tells us the value of the output, 0.319 bitcoins. Line 14 is somewhat complicated. The main thing to note is that the string a7db6f... is the Bitcoin address of the intended recipient of the funds (written in hexadecimal). In fact, Line 14 is actually an expression in Bitcoin’s scripting language. I’m not going to describe that language in detail in this post, the important thing to take away now is just that a7db6f... is the Bitcoin address.

You can now see, by the way, how Bitcoin addresses the question I swept under the rug in the last section: where do Bitcoin serial numbers come from? In fact, the role of the serial number is played by transaction hashes. In the transaction above, for example, the recipient is receiving 0.319 Bitcoins, which come out of the first output of an earlier transaction with hash 2007ae... (line 9). If you go and look in the block chain for that transaction, you’d see that its output comes from a still earlier transaction. And so on.

There are two clever things about using transaction hashes instead of serial numbers. First, in Bitcoin there’s not really any separate, persistent “coins” at all, just a long series of transactions in the block chain. It’s a clever idea to realize that you don’t need persistent coins, and can just get by with a ledger of transactions. Second, by operating in this way we remove the need for any central authority issuing serial numbers. Instead, the serial numbers can be self-generated, merely by hashing the transaction.

In fact, it’s possible to keep following the chain of transactions further back in history. Ultimately, this process must terminate. This can happen in one of two ways. The first possibilitty is that you’ll arrive at the very first Bitcoin transaction, contained in the so-called Genesis block. This is a special transaction, having no inputs, but a 50 Bitcoin output. In other words, this transaction establishes an initial money supply. The Genesis block is treated separately by Bitcoin clients, and I won’t get into the details here, although it’s along similar lines to the transaction above. You can see the deserialized raw data here, and read about the Genesis block here.

The second possibility when you follow a chain of transactions back in time is that eventually you’ll arrive at a so-called coinbase transaction. With the exception of the Genesis block, every block of transactions in the block chain starts with a special coinbase transaction. This is the transaction rewarding the miner who validated that block of transactions. It uses a similar but not identical format to the transaction above. I won’t go through the format in detail, but if you want to see an example, seehere. You can read a little more about coinbase transactions here.

Something I haven’t been precise about above is what exactly is being signed by the digital signature in line 11. The obvious thing to do is for the payer to sign the whole transaction (apart from the transaction hash, which, of course, must be generated later). Currently, this is not what is done – some pieces of the transaction are omitted. This makes some pieces of the transaction malleable, i.e., they can be changed later. However, this malleability does not include the amounts being paid out, senders and recipients, which can’t be changed later. I must admit I haven’t dug down into the details here. I gather that this malleability is under discussion in the Bitcoin developer community, and there are efforts afoot to reduce or eliminate this malleability.

### Transactions with multiple inputs and outputs

In the last section I described how a transaction with a single input and a single output works. In practice, it’s often extremely convenient to create Bitcoin transactions with multiple inputs or multiple outputs. I’ll talk below about why this can be useful. But first let’s take a look at the data from an actual transaction:

```1. {"hash":"993830...",
2. "ver":1,
3. "vin_sz":3,
4.  "vout_sz":2,
5.  "lock_time":0,
6.  "size":552,
7.  "in":[
8.    {"prev_out":{
9.      "hash":"3beabc...",
10.        "n":0},
11.     "scriptSig":"304402... 04c7d2..."},
12.    {"prev_out":{
13.        "hash":"fdae9b...",
14.        "n":0},
15.      "scriptSig":"304502... 026e15..."},
16.    {"prev_out":{
17.        "hash":"20c86b...",
18.        "n":1},
19.      "scriptSig":"304402... 038a52..."}],
20.  "out":[
21.    {"value":"0.01068000",
22.      "scriptPubKey":"OP_DUP OP_HASH160 e8c306... OP_EQUALVERIFY OP_CHECKSIG"},
23.    {"value":"4.00000000",
24.      "scriptPubKey":"OP_DUP OP_HASH160 d644e3... OP_EQUALVERIFY OP_CHECKSIG"}]}
```

Let’s go through the data, line by line. It’s very similar to the single-input-single-output transaction, so I’ll do this pretty quickly.

Line 1 contains the hash of the remainder of the transaction. This is used as an identifier for the transaction.

Line 2 tells us that this is a transaction in version 1 of the Bitcoin protocol.

Lines 3 and 4 tell us that the transaction has three inputs and two outputs, respectively.

Line 5 contains the lock_time. As in the single-input-single-output case this is set to 0, which means the transaction is finalized immediately.

Line 6 tells us the size of the transaction in bytes.

Lines 7 through 19 define a list of the inputs to the transaction. Each corresponds to an output from a previous Bitcoin transaction.

The first input is defined in lines 8 through 11.

In particular, lines 8 through 10 tell us that the input is to be taken from the n=0th output from the transaction with hash 3beabc.... Line 11 contains the signature, followed by a space, and then the public key of the person sending the bitcoins.

Lines 12 through 15 define the second input, with a similar format to lines 8 through 11. And lines 16 through 19 define the third input.

Lines 20 through 24 define a list containing the two outputs from the transaction.

The first output is defined in lines 21 and 22. Line 21 tells us the value of the output, 0.01068000 bitcoins. As before, line 22 is an expression in Bitcoin’s scripting language. The main thing to take away here is that the string e8c30622... is the Bitcoin address of the intended recipient of the funds.

The second output is defined lines 23 and 24, with a similar format to the first output.

One apparent oddity in this description is that although each output has a Bitcoin value associated to it, the inputs do not. Of course, the values of the respective inputs can be found by consulting the corresponding outputs in earlier transactions. In a standard Bitcoin transaction, the sum of all the inputs in the transaction must be at least as much as the sum of all the outputs. (The only exception to this principle is the Genesis block, and in coinbase transactions, both of which add to the overall Bitcoin supply.) If the inputs sum up to more than the outputs, then the excess is used as a transaction fee. This is paid to whichever miner successfully validates the block which the current transaction is a part of.

That’s all there is to multiple-input-multiple-output transactions! They’re a pretty simple variation on single-input-single-output-transactions.

One nice application of multiple-input-multiple-output transactions is the idea ofchange. Suppose, for example, that I want to send you 0.15 bitcoins. I can do so by spending money from a previous transaction in which I received 0.2 bitcoins. Of course, I don’t want to send you the entire 0.2 bitcoins. The solution is to send you 0.15 bitcoins, and to send 0.05 bitcoins to a Bitcoin address which I own. Those 0.05 bitcoins are the change. Of course, it differs a little from the change you might receive in a store, since change in this case is what you pay yourself. But the broad idea is similar.

### Conclusion

That completes a basic description of the main ideas behind Bitcoin. Of course, I’ve omitted many details – this isn’t a formal specification. But I have described the main ideas behind the most common use cases for Bitcoin.

While the rules of Bitcoin are simple and easy to understand, that doesn’t mean that it’s easy to understand all the consequences of the rules. There is vastly more that could be said about Bitcoin, and I’ll investigate some of these issues in future posts.

For now, though, I’ll wrap up by addressing a few loose ends.

How anonymous is Bitcoin? Many people claim that Bitcoin can be used anonymously. This claim has led to the formation of marketplaces such as Silk Road(and various successors), which specialize in illegal goods. However, the claim that Bitcoin is anonymous is a myth. The block chain is public, meaning that it’s possible for anyone to see every Bitcoin transaction ever. Although Bitcoin addresses aren’t immediately associated to real-world identities, computer scientists have done agreat deal of work figuring out how to de-anonymize “anonymous” social networks. The block chain is a marvellous target for these techniques. I will be extremely surprised if the great majority of Bitcoin users are not identified with relatively high confidence and ease in the near future. The confidence won’t be high enough to achieve convictions, but will be high enough to identify likely targets. Furthermore, identification will be retrospective, meaning that someone who bought drugs on Silk Road in 2011 will still be identifiable on the basis of the block chain in, say, 2020. These de-anonymization techniques are well known to computer scientists, and, one presumes, therefore to the NSA. I would not be at all surprised if the NSA and other agencies have already de-anonymized many users. It is, in fact, ironic that Bitcoin is often touted as anonymous. It’s not. Bitcoin is, instead, perhaps the most open and transparent financial instrument the world has ever seen.

Can you get rich with Bitcoin? Well, maybe. Tim O’Reilly once said: “Money is like gas in the car – you need to pay attention or you’ll end up on the side of the road – but a well-lived life is not a tour of gas stations!” Much of the interest in Bitcoin comes from people whose life mission seems to be to find a really big gas station. I must admit I find this perplexing. What is, I believe, much more interesting and enjoyable is to think of Bitcoin and other cryptocurrencies as a way of enabling new forms of collective behaviour. That’s intellectually fascinating, offers marvellous creative possibilities, is socially valuable, and may just also put some money in the bank. But if money in the bank is your primary concern, then I believe that other strategies are much more likely to succeed.

Details I’ve omitted: Although this post has described the main ideas behind Bitcoin, there are many details I haven’t mentioned. One is a nice space-saving trick used by the protocol, based on a data structure known as a Merkle tree. It’s a detail, but a splendid detail, and worth checking out if fun data structures are your thing. You can get an overview in the original Bitcoin paper. Second, I’ve said little about theBitcoin network – questions like how the network deals with denial of service attacks, how nodes join and leave the network, and so on. This is a fascinating topic, but it’s also something of a mess of details, and so I’ve omitted it. You can read more about it at some of the links above.

Bitcoin scripting: In this post I’ve explained Bitcoin as a form of digital, online money. But this is only a small part of a much bigger and more interesting story. As we’ve seen, every Bitcoin transaction is associated to a script in the Bitcoin programming language. The scripts we’ve seen in this post describe simple transactions like “Alice gave Bob 10 bitcoins”. But the scripting language can also be used to express far more complicated transactions. To put it another way, Bitcoin isprogrammable money. In later posts I will explain the scripting system, and how it is possible to use Bitcoin scripting as a platform to experiment with all sorts of amazing financial instruments.

Thanks for reading. If you enjoyed this essay, you may also enjoy the first chapter of my forthcoming book on neural networks and deep learning, and consider supporting its writing through Indiegogo. You may also wish to follow me on Twitter.

### Footnote

[1] In the United States the question “Is money a form of speech?” is an important legal question, because of the protection afforded speech under the US Constitution. In my (legally uninformed) opinion digital money may make this issue more complicated. As we’ll see, the Bitcoin protocol is really a way of standing up before the rest of the world (or at least the rest of the Bitcoin network) and avowing “I’m going to give such-and-such a number of bitcoins to so-and-so a person” in a way that’s extremely difficult to repudiate. At least naively, it looks more like speech than exchanging copper coins, say.

# How the Bitcoin protocol actually works

Many thousands of articles have been written purporting to explain Bitcoin, the online, peer-to-peer currency. Most of those articles give a hand-wavy account of the underlying cryptographic protocol, omitting many details. Even those articles which delve deeper often gloss over crucial points. My aim in this post is to explain the major ideas behind the Bitcoin protocol in a clear, easily comprehensible way. We’ll start from first principles, build up to a broad theoretical understanding of how the protocol works, and then dig down into the nitty-gritty, examining the raw data in a Bitcoin transaction.

Understanding the protocol in this detailed way is hard work. It is tempting instead to take Bitcoin as given, and to engage in speculation about how to get rich with Bitcoin, whether Bitcoin is a bubble, whether Bitcoin might one day mean the end of taxation, and so on. That’s fun, but severely limits your understanding. Understanding the details of the Bitcoin protocol opens up otherwise inaccessible vistas. In particular, it’s the basis for understanding Bitcoin’s built-in scripting language, which makes it possible to use Bitcoin to create new types of financial instruments, such as smart contracts. New financial instruments can, in turn, be used to create new markets and to enable new forms of collective human behaviour. Talk about fun!

I’ll describe Bitcoin scripting and concepts such as smart contracts in future posts. This post concentrates on explaining the nuts-and-bolts of the Bitcoin protocol. To understand the post, you need to be comfortable with public key cryptography, and with the closely related idea of digital signatures. I’ll also assume you’re familiar withcryptographic hashing. None of this is especially difficult. The basic ideas can be taught in freshman university mathematics or computer science classes. The ideas are beautiful, so if you’re not familiar with them, I recommend taking a few hours to get familiar.

It may seem surprising that Bitcoin’s basis is cryptography. Isn’t Bitcoin a currency, not a way of sending secret messages? In fact, the problems Bitcoin needs to solve are largely about securing transactions — making sure people can’t steal from one another, or impersonate one another, and so on. In the world of atoms we achieve security with devices such as locks, safes, signatures, and bank vaults. In the world of bits we achieve this kind of security with cryptography. And that’s why Bitcoin is at heart a cryptographic protocol.

My strategy in the post is to build Bitcoin up in stages. I’ll begin by explaining a very simple digital currency, based on ideas that are almost obvious. We’ll call that currency Infocoin, to distinguish it from Bitcoin. Of course, our first version of Infocoin will have many deficiencies, and so we’ll go through several iterations of Infocoin, with each iteration introducing just one or two simple new ideas. After several such iterations, we’ll arrive at the full Bitcoin protocol. We will have reinvented Bitcoin!

This strategy is slower than if I explained the entire Bitcoin protocol in one shot. But while you can understand the mechanics of Bitcoin through such a one-shot explanation, it would be difficult to understand why Bitcoin is designed the way it is. The advantage of the slower iterative explanation is that it gives us a much sharper understanding of each element of Bitcoin.

Finally, I should mention that I’m a relative newcomer to Bitcoin. I’ve been following it loosely since 2011 (and cryptocurrencies since the late 1990s), but only got seriously into the details of the Bitcoin protocol earlier this year. So I’d certainly appreciate corrections of any misapprehensions on my part. Also in the post I’ve included a number of “problems for the author” – notes to myself about questions that came up during the writing. You may find these interesting, but you can also skip them entirely without losing track of the main text.

### First steps: a signed letter of intent

So how can we design a digital currency?

On the face of it, a digital currency sounds impossible. Suppose some person – let’s call her Alice – has some digital money which she wants to spend. If Alice can use a string of bits as money, how can we prevent her from using the same bit string over and over, thus minting an infinite supply of money? Or, if we can somehow solve that problem, how can we prevent someone else forging such a string of bits, and using that to steal from Alice?

These are just two of the many problems that must be overcome in order to use information as money.

As a first version of Infocoin, let’s find a way that Alice can use a string of bits as a (very primitive and incomplete) form of money, in a way that gives her at least some protection against forgery. Suppose Alice wants to give another person, Bob, an infocoin. To do this, Alice writes down the message “I, Alice, am giving Bob one infocoin”. She then digitally signs the message using a private cryptographic key, and announces the signed string of bits to the entire world.

(By the way, I’m using capitalized “Infocoin” to refer to the protocol and general concept, and lowercase “infocoin” to refer to specific denominations of the currency. A similar useage is common, though not universal, in the Bitcoin world.)

This isn’t terribly impressive as a prototype digital currency! But it does have some virtues. Anyone in the world (including Bob) can use Alice’s public key to verify that Alice really was the person who signed the message “I, Alice, am giving Bob one infocoin”. No-one else could have created that bit string, and so Alice can’t turn around and say “No, I didn’t mean to give Bob an infocoin”. So the protocol establishes that Alice truly intends to give Bob one infocoin. The same fact – no-one else could compose such a signed message – also gives Alice some limited protection from forgery. Of course, after Alice has published her message it’s possible for other people to duplicate the message, so in that sense forgery is possible. But it’s not possible from scratch. These two properties – establishment of intent on Alice’s part, and the limited protection from forgery – are genuinely notable features of this protocol.

I haven’t (quite) said exactly what digital money is in this protocol. To make this explicit: it’s just the message itself, i.e., the string of bits representing the digitally signed message “I, Alice, am giving Bob one infocoin”. Later protocols will be similar, in that all our forms of digital money will be just more and more elaborate messages [1].

### Using serial numbers to make coins uniquely identifiable

A problem with the first version of Infocoin is that Alice could keep sending Bob the same signed message over and over. Suppose Bob receives ten copies of the signed message “I, Alice, am giving Bob one infocoin”. Does that mean Alice sent Bob tendifferent infocoins? Was her message accidentally duplicated? Perhaps she was trying to trick Bob into believing that she had given him ten different infocoins, when the message only proves to the world that she intends to transfer one infocoin.

What we’d like is a way of making infocoins unique. They need a label or serial number. Alice would sign the message “I, Alice, am giving Bob one infocoin, with serial number 8740348″. Then, later, Alice could sign the message “I, Alice, am giving Bob one infocoin, with serial number 8770431″, and Bob (and everyone else) would know that a different infocoin was being transferred.

To make this scheme work we need a trusted source of serial numbers for the infocoins. One way to create such a source is to introduce a bank. This bank would provide serial numbers for infocoins, keep track of who has which infocoins, and verify that transactions really are legitimate,

In more detail, let’s suppose Alice goes into the bank, and says “I want to withdraw one infocoin from my account”. The bank reduces her account balance by one infocoin, and assigns her a new, never-before used serial number, let’s say 1234567. Then, when Alice wants to transfer her infocoin to Bob, she signs the message “I, Alice, am giving Bob one infocoin, with serial number 1234567″. But Bob doesn’t just accept the infocoin. Instead, he contacts the bank, and verifies that: (a) the infocoin with that serial number belongs to Alice; and (b) Alice hasn’t already spent the infocoin. If both those things are true, then Bob tells the bank he wants to accept the infocoin, and the bank updates their records to show that the infocoin with that serial number is now in Bob’s possession, and no longer belongs to Alice.

### Making everyone collectively the bank

This last solution looks pretty promising. However, it turns out that we can do something much more ambitious. We can eliminate the bank entirely from the protocol. This changes the nature of the currency considerably. It means that there is no longer any single organization in charge of the currency. And when you think about the enormous power a central bank has – control over the money supply – that’s a pretty huge change.

The idea is to make it so everyone (collectively) is the bank. In particular, we’ll assume that everyone using Infocoin keeps a complete record of which infocoins belong to which person. You can think of this as a shared public ledger showing all Infocoin transactions. We’ll call this ledger the block chain, since that’s what the complete record will be called in Bitcoin, once we get to it.

Now, suppose Alice wants to transfer an infocoin to Bob. She signs the message “I, Alice, am giving Bob one infocoin, with serial number 1234567″, and gives the signed message to Bob. Bob can use his copy of the block chain to check that, indeed, the infocoin is Alice’s to give. If that checks out then he broadcasts both Alice’s message and his acceptance of the transaction to the entire network, and everyone updates their copy of the block chain.

We still have the “where do serial number come from” problem, but that turns out to be pretty easy to solve, and so I will defer it to later, in the discussion of Bitcoin. A more challenging problem is that this protocol allows Alice to cheat by double spending her infocoin. She sends the signed message “I, Alice, am giving Bob one infocoin, with serial number 1234567″ to Bob, and the message”I, Alice, am giving Charlie one infocoin, with [the same] serial number 1234567″ to Charlie. Both Bob and Charlie use their copy of the block chain to verify that the infocoin is Alice’s to spend. Provided they do this verification at nearly the same time (before they’ve had a chance to hear from one another), both will find that, yes, the block chain shows the coin belongs to Alice. And so they will both accept the transaction, and also broadcast their acceptance of the transaction. Now there’s a problem. How should other people update their block chains? There may be no easy way to achieve a consistent shared ledger of transactions. And even if everyone can agree on a consistent way to update their block chains, there is still the problem that either Bob or Charlie will be cheated.

At first glance double spending seems difficult for Alice to pull off. After all, if Alice sends the message first to Bob, then Bob can verify the message, and tell everyone else in the network (including Charlie) to update their block chain. Once that has happened, Charlie would no longer be fooled by Alice. So there is most likely only a brief period of time in which Alice can double spend. However, it’s obviously undesirable to have any such a period of time. Worse, there are techniques Alice could use to make that period longer. She could, for example, use network traffic analysis to find times when Bob and Charlie are likely to have a lot of latency in communication. Or perhaps she could do something to deliberately disrupt their communications. If she can slow communication even a little that makes her task of double spending much easier.

How can we address the problem of double spending? The obvious solution is that when Alice sends Bob an infocoin, Bob shouldn’t try to verify the transaction alone. Rather, he should broadcast the possible transaction to the entire network of Infocoin users, and ask them to help determine whether the transaction is legitimate. If they collectively decide that the transaction is okay, then Bob can accept the infocoin, and everyone will update their block chain. This type of protocol can help prevent double spending, since if Alice tries to spend her infocoin with both Bob and Charlie, other people on the network will notice, and network users will tell both Bob and Charlie that there is a problem with the transaction, and the transaction shouldn’t go through.

In more detail, let’s suppose Alice wants to give Bob an infocoin. As before, she signs the message “I, Alice, am giving Bob one infocoin, with serial number 1234567″, and gives the signed message to Bob. Also as before, Bob does a sanity check, using his copy of the block chain to check that, indeed, the coin currently belongs to Alice. But at that point the protocol is modified. Bob doesn’t just go ahead and accept the transaction. Instead, he broadcasts Alice’s message to the entire network. Other members of the network check to see whether Alice owns that infocoin. If so, they broadcast the message “Yes, Alice owns infocoin 1234567, it can now be transferred to Bob.” Once enough people have broadcast that message, everyone updates their block chain to show that infocoin 1234567 now belongs to Bob, and the transaction is complete.

This protocol has many imprecise elements at present. For instance, what does it mean to say “once enough people have broadcast that message”? What exactly does “enough” mean here? It can’t mean everyone in the network, since we don’t a prioriknow who is on the Infocoin network. For the same reason, it can’t mean some fixed fraction of users in the network. We won’t try to make these ideas precise right now. Instead, in the next section I’ll point out a serious problem with the approach as described. Fixing that problem will at the same time have the pleasant side effect of making the ideas above much more precise.

### Proof-of-work

Suppose Alice wants to double spend in the network-based protocol I just described. She could do this by taking over the Infocoin network. Let’s suppose she uses an automated system to set up a large number of separate identities, let’s say a billion, on the Infocoin network. As before, she tries to double spend the same infocoin with both Bob and Charlie. But when Bob and Charlie ask the network to validate their respective transactions, Alice’s sock puppet identities swamp the network, announcing to Bob that they’ve validated his transaction, and to Charlie that they’ve validated his transaction, possibly fooling one or both into accepting the transaction.

There’s a clever way of avoiding this problem, using an idea known as proof-of-work. The idea is counterintuitive and involves a combination of two ideas: (1) to (artificially) make it computationally costly for network users to validate transactions; and (2) toreward them for trying to help validate transactions. The reward is used so that people on the network will try to help validate transactions, even though that’s now been made a computationally costly process. The benefit of making it costly to validate transactions is that validation can no longer be influenced by the number of network identities someone controls, but only by the total computational power they can bring to bear on validation. As we’ll see, with some clever design we can make it so a cheater would need enormous computational resources to cheat, making it impractical.

That’s the gist of proof-of-work. But to really understand proof-of-work, we need to go through the details.

Suppose Alice broadcasts to the network the news that “I, Alice, am giving Bob one infocoin, with serial number 1234567″.

As other people on the network hear that message, each adds it to a queue of pending transactions that they’ve been told about, but which haven’t yet been approved by the network. For instance, another network user named David might have the following queue of pending transactions:

I, Tom, am giving Sue one infocoin, with serial number 1201174.

I, Sydney, am giving Cynthia one infocoin, with serial number 1295618.

I, Alice, am giving Bob one infocoin, with serial number 1234567.

David checks his copy of the block chain, and can see that each transaction is valid. He would like to help out by broadcasting news of that validity to the entire network.

However, before doing that, as part of the validation protocol David is required to solve a hard computational puzzle – the proof-of-work. Without the solution to that puzzle, the rest of the network won’t accept his validation of the transaction.

What puzzle does David need to solve? To explain that, let $h$ be a fixed hash function known by everyone in the network – it’s built into the protocol. Bitcoin uses the well-known SHA-256 hash function, but any cryptographically secure hash function will do. Let’s give David’s queue of pending transactions a label, $l$, just so it’s got a name we can refer to. Suppose David appends a number $x$ (called the nonce) to $l$ and hashes the combination. For example, if we use $l =$ “Hello, world!” (obviously this is not a list of transactions, just a string used for illustrative purposes) and the nonce $x = 0$ then(output is in hexadecimal)

```h("Hello, world!0") =
```

The puzzle David has to solve – the proof-of-work – is to find a nonce $x$ such that when we append $x$ to $l$ and hash the combination the output hash begins with a long run of zeroes. The puzzle can be made more or less difficult by varying the number of zeroes required to solve the puzzle. A relatively simple proof-of-work puzzle might require just three or four zeroes at the start of the hash, while a more difficult proof-of-work puzzle might require a much longer run of zeros, say 15 consecutive zeroes. In either case, the above attempt to find a suitable nonce, with $x = 0$, is a failure, since the output doesn’t begin with any zeroes at all. Trying $x = 1$ doesn’t work either:

```h("Hello, world!1") =
e9afc424b79e4f6ab42d99c81156d3a17228d6e1eef4139be78e948a9332a7d8
```

We can keep trying different values for the nonce, $x = 2, 3,\ldots$. Finally, at $x = 4250$ we obtain:

```h("Hello, world!4250") =
0000c3af42fc31103f1fdc0151fa747ff87349a4714df7cc52ea464e12dcd4e9
```

This nonce gives us a string of four zeroes at the beginning of the output of the hash. This will be enough to solve a simple proof-of-work puzzle, but not enough to solve a more difficult proof-of-work puzzle.

What makes this puzzle hard to solve is the fact that the output from a cryptographic hash function behaves like a random number: change the input even a tiny bit and the output from the hash function changes completely, in a way that’s hard to predict. So if we want the output hash value to begin with 10 zeroes, say, then David will need, on average, to try $16^{10} \approx 10^{12}$ different values for $x$ before he finds a suitable nonce. That’s a pretty challenging task, requiring lots of computational power.

Obviously, it’s possible to make this puzzle more or less difficult to solve by requiring more or fewer zeroes in the output from the hash function. In fact, the Bitcoin protocol gets quite a fine level of control over the difficulty of the puzzle, by using a slight variation on the proof-of-work puzzle described above. Instead of requiring leading zeroes, the Bitcoin proof-of-work puzzle requires the hash of a block’s header to be lower than or equal to a number known as the target. This target is automatically adjusted to ensure that a Bitcoin block takes, on average, about ten minutes to validate.

(In practice there is a sizeable randomness in how long it takes to validate a block – sometimes a new block is validated in just a minute or two, other times it may take 20 minutes or even longer. It’s straightforward to modify the Bitcoin protocol so that the time to validation is much more sharply peaked around ten minutes. Instead of solving a single puzzle, we can require that multiple puzzles be solved; with some careful design it is possible to considerably reduce the variance in the time to validate a block of transactions.)

Alright, let’s suppose David is lucky and finds a suitable nonce, $x$. Celebration! (He’ll be rewarded for finding the nonce, as described below). He broadcasts the block of transactions he’s approving to the network, together with the value for $x$. Other participants in the Infocoin network can verify that $x$ is a valid solution to the proof-of-work puzzle. And they then update their block chains to include the new block of transactions.

For the proof-of-work idea to have any chance of succeeding, network users need an incentive to help validate transactions. Without such an incentive, they have no reason to expend valuable computational power, merely to help validate other people’s transactions. And if network users are not willing to expend that power, then the whole system won’t work. The solution to this problem is to reward people who help validate transactions. In particular, suppose we reward whoever successfully validates a block of transactions by crediting them with some infocoins. Provided the infocoin reward is large enough that will give them an incentive to participate in validation.

In the Bitcoin protocol, this validation process is called mining. For each block of transactions validated, the successful miner receives a bitcoin reward. Initially, this was set to be a 50 bitcoin reward. But for every 210,000 validated blocks (roughly, once every four years) the reward halves. This has happened just once, to date, and so the current reward for mining a block is 25 bitcoins. This halving in the rate will continue every four years until the year 2140 CE. At that point, the reward for mining will drop below $10^{-8}$ bitcoins per block. $10^{-8}$ bitcoins is actually the minimal unit of Bitcoin, and is known as a satoshi. So in 2140 CE the total supply of bitcoins will cease to increase. However, that won’t eliminate the incentive to help validate transactions. Bitcoin also makes it possible to set aside some currency in a transaction as a transaction fee, which goes to the miner who helps validate it. In the early days of Bitcoin transaction fees were mostly set to zero, but as Bitcoin has gained in popularity, transaction fees have gradually risen, and are now a substantial additional incentive on top of the 25 bitcoin reward for mining a block.

You can think of proof-of-work as a competition to approve transactions. Each entry in the competition costs a little bit of computing power. A miner’s chance of winning the competition is (roughly, and with some caveats) equal to the proportion of the total computing power that they control. So, for instance, if a miner controls one percent of the computing power being used to validate Bitcoin transactions, then they have roughly a one percent chance of winning the competition. So provided a lot of computing power is being brought to bear on the competition, a dishonest miner is likely to have only a relatively small chance to corrupt the validation process, unless they expend a huge amount of computing resources.

Of course, while it’s encouraging that a dishonest party has only a relatively small chance to corrupt the block chain, that’s not enough to give us confidence in the currency. In particular, we haven’t yet conclusively addressed the issue of double spending.

I’ll analyse double spending shortly. Before doing that, I want to fill in an important detail in the description of Infocoin. We’d ideally like the Infocoin network to agree upon the order in which transactions have occurred. If we don’t have such an ordering then at any given moment it may not be clear who owns which infocoins. To help do this we’ll require that new blocks always include a pointer to the last block validated in the chain, in addition to the list of transactions in the block. (The pointer is actually just a hash of the previous block). So typically the block chain is just a linear chain of blocks of transactions, one after the other, with later blocks each containing a pointer to the immediately prior block:

Occasionally, a fork will appear in the block chain. This can happen, for instance, if by chance two miners happen to validate a block of transactions near-simultaneously – both broadcast their newly-validated block out to the network, and some people update their block chain one way, and others update their block chain the other way:

This causes exactly the problem we’re trying to avoid – it’s no longer clear in what order transactions have occurred, and it may not be clear who owns which infocoins. Fortunately, there’s a simple idea that can be used to remove any forks. The rule is this: if a fork occurs, people on the network keep track of both forks. But at any given time, miners only work to extend whichever fork is longest in their copy of the block chain.

Suppose, for example, that we have a fork in which some miners receive block A first, and some miners receive block B first. Those miners who receive block A first will continue mining along that fork, while the others will mine along fork B. Let’s suppose that the miners working on fork B are the next to successfully mine a block:

After they receive news that this has happened, the miners working on fork A will notice that fork B is now longer, and will switch to working on that fork. Presto, in short order work on fork A will cease, and everyone will be working on the same linear chain, and block A can be ignored. Of course, any still-pending transactions in A will still be pending in the queues of the miners working on fork B, and so all transactions will eventually be validated.

Likewise, it may be that the miners working on fork A are the first to extend their fork. In that case work on fork B will quickly cease, and again we have a single linear chain.

No matter what the outcome, this process ensures that the block chain has an agreed-upon time ordering of the blocks. In Bitcoin proper, a transaction is not considered confirmed until: (1) it is part of a block in the longest fork, and (2) at least 5 blocks follow it in the longest fork. In this case we say that the transaction has “6 confirmations”. This gives the network time to come to an agreed-upon the ordering of the blocks. We’ll also use this strategy for Infocoin.

With the time-ordering now understood, let’s return to think about what happens if a dishonest party tries to double spend. Suppose Alice tries to double spend with Bob and Charlie. One possible approach is for her to try to validate a block that includes both transactions. Assuming she has one percent of the computing power, she will occasionally get lucky and validate the block by solving the proof-of-work. Unfortunately for Alice, the double spending will be immediately spotted by other people in the Infocoin network and rejected, despite solving the proof-of-work problem. So that’s not something we need to worry about.

A more serious problem occurs if she broadcasts two separate transactions in which she spends the same infocoin with Bob and Charlie, respectively. She might, for example, broadcast one transaction to a subset of the miners, and the other transaction to another set of miners, hoping to get both transactions validated in this way. Fortunately, in this case, as we’ve seen, the network will eventually confirm one of these transactions, but not both. So, for instance, Bob’s transaction might ultimately be confirmed, in which case Bob can go ahead confidently. Meanwhile, Charlie will see that his transaction has not been confirmed, and so will decline Alice’s offer. So this isn’t a problem either. In fact, knowing that this will be the case, there is little reason for Alice to try this in the first place.

An important variant on double spending is if Alice = Bob, i.e., Alice tries to spend a coin with Charlie which she is also “spending” with herself (i.e., giving back to herself). This sounds like it ought to be easy to detect and deal with, but, of course, it’s easy on a network to set up multiple identities associated with the same person or organization, so this possibility needs to be considered. In this case, Alice’s strategy is to wait until Charlie accepts the infocoin, which happens after the transaction has been confirmed 6 times in the longest chain. She will then attempt to fork the chain before the transaction with Charlie, adding a block which includes a transaction in which she pays herself:

Unfortunately for Alice, it’s now very difficult for her to catch up with the longer fork. Other miners won’t want to help her out, since they’ll be working on the longer fork. And unless Alice is able to solve the proof-of-work at least as fast as everyone else in the network combined – roughly, that means controlling more than fifty percent of the computing power – then she will just keep falling further and further behind. Of course, she might get lucky. We can, for example, imagine a scenario in which Alice controls one percent of the computing power, but happens to get lucky and finds six extra blocks in a row, before the rest of the network has found any extra blocks. In this case, she might be able to get ahead, and get control of the block chain. But this particular event will occur with probability $1/100^6 = 10^{-12}$. A more general analysis along these lines shows that Alice’s probability of ever catching up is infinitesimal, unless she is able to solve proof-of-work puzzles at a rate approaching all other miners combined.

Of course, this is not a rigorous security analysis showing that Alice cannot double spend. It’s merely an informal plausibility argument. The original paper introducing Bitcoin did not, in fact, contain a rigorous security analysis, only informal arguments along the lines I’ve presented here. The security community is still analysing Bitcoin, and trying to understand possible vulnerabilities. You can see some of this researchlisted here, and I mention a few related problems in the “Problems for the author” below. At this point I think it’s fair to say that the jury is still out on how secure Bitcoin is.

The proof-of-work and mining ideas give rise to many questions. How much reward is enough to persuade people to mine? How does the change in supply of infocoins affect the Infocoin economy? Will Infocoin mining end up concentrated in the hands of a few, or many? If it’s just a few, doesn’t that endanger the security of the system? Presumably transaction fees will eventually equilibriate – won’t this introduce an unwanted source of friction, and make small transactions less desirable? These are all great questions, but beyond the scope of this post. I may come back to the questions (in the context of Bitcoin) in a future post. For now, we’ll stick to our focus on understanding how the Bitcoin protocol works.

### Problems for the author

• I don’t understand why double spending can’t be prevented in a simpler manner using two-phase commit. Suppose Alice tries to double spend an infocoin with both Bob and Charlie. The idea is that Bob and Charlie would each broadcast their respective messages to the Infocoin network, along with a request: “Should I accept this?” They’d then wait some period – perhaps ten minutes – to hear any naysayers who could prove that Alice was trying to double spend. If no such nays are heard (and provided there are no signs of attempts to disrupt the network), they’d then accept the transaction. This protocol needs to be hardened against network attacks, but it seems to me to be the core of a good alternate idea. How well does this work? What drawbacks and advantages does it have compared to the full Bitcoin protocol?
• Early in the section I mentioned that there is a natural way of reducing the variance in time required to validate a block of transactions. If that variance is reduced too much, then it creates an interesting attack possibility. Suppose Alice tries to fork the chain in such a way that: (a) one fork starts with a block in which Alice pays herself, while the other fork starts with a block in which Alice pays Bob; (b) both blocks are announced nearly simultaneously, so roughly half the miners will attempt to mine each fork; (c) Alice uses her mining power to try to keep the forks of roughly equal length, mining whichever fork is shorter – this is ordinarily hard to pull off, but becomes significantly easier if the standard deviation of the time-to-validation is much shorter than the network latency; (d) after 5 blocks have been mined on both forks, Alice throws her mining power into making it more likely that Charles’s transaction is confirmed; and (e) after confirmation of Charles’s transaction, she then throws her computational power into the other fork, and attempts to regain the lead. This balancing strategy will have only a small chance of success. But while the probability is small, it will certainly be much larger than in the standard protocol, with high variance in the time to validate a block. Is there a way of avoiding this problem?
• Suppose Bitcoin mining software always explored nonces starting with $x = 0$, then $x = 1, x = 2,\ldots$. If this is done by all (or even just a substantial fraction) of Bitcoin miners then it creates a vulnerability. Namely, it’s possible for someone to improve their odds of solving the proof-of-work merely by starting with some other (much larger) nonce. More generally, it may be possible for attackers to exploit any systematic patterns in the way miners explore the space of nonces. More generally still, in the analysis of this section I have implicitly assumed a kind of symmetry between different miners. In practice, there will be asymmetries and a thorough security analysis will need to account for those asymmetries.

### Bitcoin

Let’s move away from Infocoin, and describe the actual Bitcoin protocol. There are a few new ideas here, but with one exception (discussed below) they’re mostly obvious modifications to Infocoin.

To use Bitcoin in practice, you first install a wallet program on your computer. To give you a sense of what that means, here’s a screenshot of a wallet called Multbit. You can see the Bitcoin balance on the left — 0.06555555 Bitcoins, or about 70 dollars at the exchange rate on the day I took this screenshot — and on the right two recent transactions, which deposited those 0.06555555 Bitcoins:

Suppose you’re a merchant who has set up an online store, and you’ve decided to allow people to pay using Bitcoin. What you do is tell your wallet program to generate a Bitcoin address. In response, it will generate a public / private key pair, and then hash the public key to form your Bitcoin address:

You then send your Bitcoin address to the person who wants to buy from you. You could do this in email, or even put the address up publicly on a webpage. This is safe, since the address is merely a hash of your public key, which can safely be known by the world anyway. (I’ll return later to the question of why the Bitcoin address is a hash, and not just the public key.)

The person who is going to pay you then generates a transaction. Let’s take a look at the data from an actual transaction transferring $0.31900000$ bitcoins. What’s shown below is very nearly the raw data. It’s changed in three ways: (1) the data has been deserialized; (2) line numbers have been added, for ease of reference; and (3) I’ve abbreviated various hashes and public keys, just putting in the first six hexadecimal digits of each, when in reality they are much longer. Here’s the data:

```1.  {"hash":"7c4025...",
2.  "ver":1,
3.  "vin_sz":1,
4.  "vout_sz":1,
5.  "lock_time":0,
6.  "size":224,
7.  "in":[
8.    {"prev_out":
9.      {"hash":"2007ae...",
10.      "n":0},
11.    "scriptSig":"304502... 042b2d..."}],
12. "out":[
13.   {"value":"0.31900000",
14.    "scriptPubKey":"OP_DUP OP_HASH160 a7db6f OP_EQUALVERIFY OP_CHECKSIG"}]}
```

Let’s go through this, line by line.

Line 1 contains the hash of the remainder of the transaction, 7c4025..., expressed in hexadecimal. This is used as an identifier for the transaction.

Line 2 tells us that this is a transaction in version 1 of the Bitcoin protocol.

Lines 3 and 4 tell us that the transaction has one input and one output, respectively. I’ll talk below about transactions with more inputs and outputs, and why that’s useful.

Line 5 contains the value for lock_time, which can be used to control when a transaction is finalized. For most Bitcoin transactions being carried out today thelock_time is set to 0, which means the transaction is finalized immediately.

Line 6 tells us the size (in bytes) of the transaction. Note that it’s not the monetary amount being transferred! That comes later.

Lines 7 through 11 define the input to the transaction. In particular, lines 8 through 10 tell us that the input is to be taken from the output from an earlier transaction, with the given hash, which is expressed in hexadecimal as 2007ae.... The n=0 tells us it’s to be the first output from that transaction; we’ll see soon how multiple outputs (and inputs) from a transaction work, so don’t worry too much about this for now. Line 11 contains the signature of the person sending the money, 304502..., followed by a space, and then the corresponding public key, 04b2d.... Again, these are both in hexadecimal.

One thing to note about the input is that there’s nothing explicitly specifying how many bitcoins from the previous transaction should be spent in this transaction. In fact, all the bitcoins from the n=0th output of the previous transaction are spent. So, for example, if the n=0th output of the earlier transaction was 2 bitcoins, then 2 bitcoins will be spent in this transaction. This seems like an inconvenient restriction – like trying to buy bread with a 20 dollar note, and not being able to break the note down. The solution, of course, is to have a mechanism for providing change. This can be done using transactions with multiple inputs and outputs, which we’ll discuss in the next section.

Lines 12 through 14 define the output from the transaction. In particular, line 13 tells us the value of the output, 0.319 bitcoins. Line 14 is somewhat complicated. The main thing to note is that the string a7db6f... is the Bitcoin address of the intended recipient of the funds (written in hexadecimal). In fact, Line 14 is actually an expression in Bitcoin’s scripting language. I’m not going to describe that language in detail in this post, the important thing to take away now is just that a7db6f... is the Bitcoin address.

You can now see, by the way, how Bitcoin addresses the question I swept under the rug in the last section: where do Bitcoin serial numbers come from? In fact, the role of the serial number is played by transaction hashes. In the transaction above, for example, the recipient is receiving 0.319 Bitcoins, which come out of the first output of an earlier transaction with hash 2007ae... (line 9). If you go and look in the block chain for that transaction, you’d see that its output comes from a still earlier transaction. And so on.

There are two clever things about using transaction hashes instead of serial numbers. First, in Bitcoin there’s not really any separate, persistent “coins” at all, just a long series of transactions in the block chain. It’s a clever idea to realize that you don’t need persistent coins, and can just get by with a ledger of transactions. Second, by operating in this way we remove the need for any central authority issuing serial numbers. Instead, the serial numbers can be self-generated, merely by hashing the transaction.

In fact, it’s possible to keep following the chain of transactions further back in history. Ultimately, this process must terminate. This can happen in one of two ways. The first possibilitty is that you’ll arrive at the very first Bitcoin transaction, contained in the so-called Genesis block. This is a special transaction, having no inputs, but a 50 Bitcoin output. In other words, this transaction establishes an initial money supply. The Genesis block is treated separately by Bitcoin clients, and I won’t get into the details here, although it’s along similar lines to the transaction above. You can see the deserialized raw data here, and read about the Genesis block here.

The second possibility when you follow a chain of transactions back in time is that eventually you’ll arrive at a so-called coinbase transaction. With the exception of the Genesis block, every block of transactions in the block chain starts with a special coinbase transaction. This is the transaction rewarding the miner who validated that block of transactions. It uses a similar but not identical format to the transaction above. I won’t go through the format in detail, but if you want to see an example, seehere. You can read a little more about coinbase transactions here.

Something I haven’t been precise about above is what exactly is being signed by the digital signature in line 11. The obvious thing to do is for the payer to sign the whole transaction (apart from the transaction hash, which, of course, must be generated later). Currently, this is not what is done – some pieces of the transaction are omitted. This makes some pieces of the transaction malleable, i.e., they can be changed later. However, this malleability does not include the amounts being paid out, senders and recipients, which can’t be changed later. I must admit I haven’t dug down into the details here. I gather that this malleability is under discussion in the Bitcoin developer community, and there are efforts afoot to reduce or eliminate this malleability.

### Transactions with multiple inputs and outputs

In the last section I described how a transaction with a single input and a single output works. In practice, it’s often extremely convenient to create Bitcoin transactions with multiple inputs or multiple outputs. I’ll talk below about why this can be useful. But first let’s take a look at the data from an actual transaction:

```1. {"hash":"993830...",
2. "ver":1,
3. "vin_sz":3,
4.  "vout_sz":2,
5.  "lock_time":0,
6.  "size":552,
7.  "in":[
8.    {"prev_out":{
9.      "hash":"3beabc...",
10.        "n":0},
11.     "scriptSig":"304402... 04c7d2..."},
12.    {"prev_out":{
13.        "hash":"fdae9b...",
14.        "n":0},
15.      "scriptSig":"304502... 026e15..."},
16.    {"prev_out":{
17.        "hash":"20c86b...",
18.        "n":1},
19.      "scriptSig":"304402... 038a52..."}],
20.  "out":[
21.    {"value":"0.01068000",
22.      "scriptPubKey":"OP_DUP OP_HASH160 e8c306... OP_EQUALVERIFY OP_CHECKSIG"},
23.    {"value":"4.00000000",
24.      "scriptPubKey":"OP_DUP OP_HASH160 d644e3... OP_EQUALVERIFY OP_CHECKSIG"}]}
```

Let’s go through the data, line by line. It’s very similar to the single-input-single-output transaction, so I’ll do this pretty quickly.

Line 1 contains the hash of the remainder of the transaction. This is used as an identifier for the transaction.

Line 2 tells us that this is a transaction in version 1 of the Bitcoin protocol.

Lines 3 and 4 tell us that the transaction has three inputs and two outputs, respectively.

Line 5 contains the lock_time. As in the single-input-single-output case this is set to 0, which means the transaction is finalized immediately.

Line 6 tells us the size of the transaction in bytes.

Lines 7 through 19 define a list of the inputs to the transaction. Each corresponds to an output from a previous Bitcoin transaction.

The first input is defined in lines 8 through 11.

In particular, lines 8 through 10 tell us that the input is to be taken from the n=0th output from the transaction with hash 3beabc.... Line 11 contains the signature, followed by a space, and then the public key of the person sending the bitcoins.

Lines 12 through 15 define the second input, with a similar format to lines 8 through 11. And lines 16 through 19 define the third input.

Lines 20 through 24 define a list containing the two outputs from the transaction.

The first output is defined in lines 21 and 22. Line 21 tells us the value of the output, 0.01068000 bitcoins. As before, line 22 is an expression in Bitcoin’s scripting language. The main thing to take away here is that the string e8c30622... is the Bitcoin address of the intended recipient of the funds.

The second output is defined lines 23 and 24, with a similar format to the first output.

One apparent oddity in this description is that although each output has a Bitcoin value associated to it, the inputs do not. Of course, the values of the respective inputs can be found by consulting the corresponding outputs in earlier transactions. In a standard Bitcoin transaction, the sum of all the inputs in the transaction must be at least as much as the sum of all the outputs. (The only exception to this principle is the Genesis block, and in coinbase transactions, both of which add to the overall Bitcoin supply.) If the inputs sum up to more than the outputs, then the excess is used as a transaction fee. This is paid to whichever miner successfully validates the block which the current transaction is a part of.

That’s all there is to multiple-input-multiple-output transactions! They’re a pretty simple variation on single-input-single-output-transactions.

One nice application of multiple-input-multiple-output transactions is the idea ofchange. Suppose, for example, that I want to send you 0.15 bitcoins. I can do so by spending money from a previous transaction in which I received 0.2 bitcoins. Of course, I don’t want to send you the entire 0.2 bitcoins. The solution is to send you 0.15 bitcoins, and to send 0.05 bitcoins to a Bitcoin address which I own. Those 0.05 bitcoins are the change. Of course, it differs a little from the change you might receive in a store, since change in this case is what you pay yourself. But the broad idea is similar.

### Conclusion

That completes a basic description of the main ideas behind Bitcoin. Of course, I’ve omitted many details – this isn’t a formal specification. But I have described the main ideas behind the most common use cases for Bitcoin.

While the rules of Bitcoin are simple and easy to understand, that doesn’t mean that it’s easy to understand all the consequences of the rules. There is vastly more that could be said about Bitcoin, and I’ll investigate some of these issues in future posts.

For now, though, I’ll wrap up by addressing a few loose ends.

How anonymous is Bitcoin? Many people claim that Bitcoin can be used anonymously. This claim has led to the formation of marketplaces such as Silk Road(and various successors), which specialize in illegal goods. However, the claim that Bitcoin is anonymous is a myth. The block chain is public, meaning that it’s possible for anyone to see every Bitcoin transaction ever. Although Bitcoin addresses aren’t immediately associated to real-world identities, computer scientists have done agreat deal of work figuring out how to de-anonymize “anonymous” social networks. The block chain is a marvellous target for these techniques. I will be extremely surprised if the great majority of Bitcoin users are not identified with relatively high confidence and ease in the near future. The confidence won’t be high enough to achieve convictions, but will be high enough to identify likely targets. Furthermore, identification will be retrospective, meaning that someone who bought drugs on Silk Road in 2011 will still be identifiable on the basis of the block chain in, say, 2020. These de-anonymization techniques are well known to computer scientists, and, one presumes, therefore to the NSA. I would not be at all surprised if the NSA and other agencies have already de-anonymized many users. It is, in fact, ironic that Bitcoin is often touted as anonymous. It’s not. Bitcoin is, instead, perhaps the most open and transparent financial instrument the world has ever seen.

Can you get rich with Bitcoin? Well, maybe. Tim O’Reilly once said: “Money is like gas in the car – you need to pay attention or you’ll end up on the side of the road – but a well-lived life is not a tour of gas stations!” Much of the interest in Bitcoin comes from people whose life mission seems to be to find a really big gas station. I must admit I find this perplexing. What is, I believe, much more interesting and enjoyable is to think of Bitcoin and other cryptocurrencies as a way of enabling new forms of collective behaviour. That’s intellectually fascinating, offers marvellous creative possibilities, is socially valuable, and may just also put some money in the bank. But if money in the bank is your primary concern, then I believe that other strategies are much more likely to succeed.

Details I’ve omitted: Although this post has described the main ideas behind Bitcoin, there are many details I haven’t mentioned. One is a nice space-saving trick used by the protocol, based on a data structure known as a Merkle tree. It’s a detail, but a splendid detail, and worth checking out if fun data structures are your thing. You can get an overview in the original Bitcoin paper. Second, I’ve said little about theBitcoin network – questions like how the network deals with denial of service attacks, how nodes join and leave the network, and so on. This is a fascinating topic, but it’s also something of a mess of details, and so I’ve omitted it. You can read more about it at some of the links above.

Bitcoin scripting: In this post I’ve explained Bitcoin as a form of digital, online money. But this is only a small part of a much bigger and more interesting story. As we’ve seen, every Bitcoin transaction is associated to a script in the Bitcoin programming language. The scripts we’ve seen in this post describe simple transactions like “Alice gave Bob 10 bitcoins”. But the scripting language can also be used to express far more complicated transactions. To put it another way, Bitcoin isprogrammable money. In later posts I will explain the scripting system, and how it is possible to use Bitcoin scripting as a platform to experiment with all sorts of amazing financial instruments.

Thanks for reading. If you enjoyed this essay, you may also enjoy the first chapter of my forthcoming book on neural networks and deep learning, and consider supporting its writing through Indiegogo. You may also wish to follow me on Twitter.

### Footnote

[1] In the United States the question “Is money a form of speech?” is an important legal question, because of the protection afforded speech under the US Constitution. In my (legally uninformed) opinion digital money may make this issue more complicated. As we’ll see, the Bitcoin protocol is really a way of standing up before the rest of the world (or at least the rest of the Bitcoin network) and avowing “I’m going to give such-and-such a number of bitcoins to so-and-so a person” in a way that’s extremely difficult to repudiate. At least naively, it looks more like speech than exchanging copper coins, say.

# Inside the Mossad’s campaign to off its most dangerous foes, one by one.

“There’ll be a summit conference in the sky,” smiled an Israeli intelligence official Wednesday morning when he learned of the assassination of Hassan Lakkis, the Hezbollah commander in charge of weapons development and advanced technological warfare, in a Beirut suburb around midnight on Tuesday, Dec. 3. The killing of Lakkis is yet another in the latest in a long series of assassinations of leading figures in what Israeli intelligence calls the “Radical Front,” which comprises two countries — Syria and Iran — and three organizations: Hezbollah, the Palestinian Islamic Jihad, and Hamas.

“We’re talking about a number of organizations and people involved in nuclear and terrorist activity. [They] do it not only for their countries in various missions, but have created an international network — the most dangerous and most efficient that I have met,” the official added. The coalition’s goals: “the construction of a nuclear bomb and of various missilery capabilities — from very short to very long ranges — and the implementation of suicide terror at the highest level.” The Israeli goals: take these men out, one by one.

This isn’t the first time Israel has faced very powerful enemies, of course. But Israeli intelligence officials think this may be the most diverse, most intricately woven set of foes the country has encountered. These foes range from those at the leadership level down to field operatives, according to Mossad and Military Intelligence Directorate (Aman) high-ranking officials. And it all involves deep, intimate cooperation that even spans the religious rifts between Sunnis and Shiites, driven by a single motive force: hostility toward the state of Israel.

Back in 2004, the Mossad began identifying various key figures within this Radical Front — those with advanced operational, organizational, and technological capabilities. While other, better-known personalities in these extremist groups and their state backers dealt with strategy, these were the people who handled the details and the translation of strategy into actual practice.

After them came Gen. Hassan Tehrani Moghaddam, head of missile development for the Islamic Revolutionary Guard Corps and the export of missiles to Hezbollah, Hamas, and the Islamic Jihad; Mahmoud al-Mabhouh, the Hamas official in charge of tactical ties with Iran; and Hassan Lakkis (also spelled in FBI documents as Haj Hassan Hilu Laqis), who was identified by Aman in the early 1990s as Hezbollah’s weapons development expert. In an article about Lakkis’s death, Lebanon’s Daily Star called him a “key figure in Hezbollah[‘s] drone program.” The Israeli intelligence source continued the analogy with the Bond movies and called him “Hezbollah’s Q.”

According to his Aman file, Lakkis was active in the radical Shiite movement since age 19, enlisting shortly after it was established. He had a certain amount of technical education at a Lebanese university, but most of his skills were acquired from his experience in developing and manufacturing weaponry. Almost from the outset he was the top procurement officer and coordinator with Iran on these matters. Thanks to his efforts, Hezbollah became the most powerful terrorist organization ever — even more powerful than al Qaeda in many ways — with “firepower that 90 percent of the countries in the world do not have,” according to Dagan.

As early as the mid-1990s, there were Aman officers who marked Lakkis as a potential target, believing that he should be eliminated. But Hezbollah was not a preferred target at the time and was considered more of a nuisance than a strategic threat. By the time that this changed in the 2000s, he was already taking extreme precautions to protect himself.

As I detail in my book, The Secret War With Iran, Lakkis was also wanted in Canada and the United States for running Hezbollah cells in those countries in the early 1990s. He had dispatched “elements with criminal tendencies there, and they were therefore happy to send them to North America so that they would not carry on such activities close to the organizations members” in Lebanon, according to a classified Aman paper. These Lebanese criminals settled in Vancouver, North Carolina, and Michigan, where they worked in the wholesale counterfeiting of visas, driver’s licenses, and credit cards, raking in huge profits. Lakkis permitted them to skim off a fat commission, as long as most of the cash was used for the procurement of sophisticated equipment that Hezbollah was finding it difficult to acquire elsewhere, such as GPS and night-vision equipment and various kinds of flak jackets.

In the wake of information conveyed by Israeli intelligence, the FBI and the Canadian Security Intelligence Service mounted a number of operations against these cells, and their members either fled or were arrested and sentenced to long jail terms for offenses including illicit acquisition of weapons and conspiring to attack Jewish targets. Lakkis himself learned about the raids in time and canceled a planned visit to the United States. In the last telephone calls recorded by the FBI before the crackdown, Lakkis was heard rebuking the cell members for not doing enough for Hezbollah and enjoying the good life in America while the organization’s members in Lebanon were being hammered by Israel.

With Israel’s withdrawal from Lebanon in May 2000, Hezbollah’s military buildup and preparations for a general campaign against Israel became central in the organization’s doctrine. Lakkis functioned in tandem with and under the command of Hezbollah’s military commander, Mughniyeh. The two were aware of Israel’s sensitivity to casualties in its military and of the lack of preparedness on the Israeli home front for sustained bombardment.

They built a complex array of fortifications in south Lebanon with a double goal: surviving for as long as possible under attack from Israeli land forces, which they were sure would happen sooner or later, and preservation of their own ability to fire as many missiles as possible at Israeli communities.

The formula was a success. In the summer of 2006, Israel lost its war with Hezbollah, thanks, in part, to fortifications equipped with advanced gear like communications, command-and-control systems, and night-vision optics — all of which Lakkis played an important role in acquiring. In effect, it was Israel, the strongest military force in the Middle East, that was badly defeated, failing to achieve any of the goals it had set itself.

On July 20, 2006, the Israelis tried to take Lakkis out with a rocket fired from an F-16 fighter at his apartment in Beirut, but he wasn’t home and his son was killed.

The 2006 war (known as the “Second Lebanon War” in Israel, to distinguish it from the war Israel waged against the PLO in Lebanon in 1982) was the high point of the Radical Front and the coordination between the coalition’s top members. Since then, the wheel has turned a full cycle. Mughniyeh was killed by a bomb in his car in Damascus in February 2008; Suleiman was shot dead by a sniper on a beach in Syria in August of the same year; Mabhouh was strangled and poisoned in a Dubai hotel room in January 2010; Moghaddam was blown sky high along with 16 of his personnel in an explosion at a missile depot near Tehran on Nov. 12, 2011. And on Tuesday night, two unidentified masked men cut Lakkis down in the parking garage of his apartment building in a suburb of Beirut.

Hezbollah was quick to point the finger at Israel; Israel was quick to deny the attack. If indeed the assassins belong to some elite intelligence organization, by now they are most likely to be out of Lebanon, away from Hezbollah’s grasp. But this tactical success — if you can call it that — is not necessarily a strategic one in the Middle Eastern political arena.

To play assassin is to challenge history outright. Some hit jobs proved effective in changing reality, but not all changed it in the manner the perpetrators had hoped for. Take the 1992 assassination of Hezbollah Secretary-General Abbas al-Musawi. Retaliation attacks on Israeli and Jewish targets after his death cost dozens of lives, and the more radical and more effective Hassan Nasrallah took over as the organization’s leader.

For these reasons, assassinations should be considered a last resort. The Radical Front is undergoing changes. Iran had to come to a difficult compromise with the West after many years of sanctions brought its economy to its knees. Hezbollah has taken both tactical and political blows since it openly sided with Assad in the Syrian civil war and sent its troops to fight alongside his.

“Now they’re all together,” said the Israeli intelligence official. Then he recited words from the Jewish religious blessing that’s meand to be said on hearing that someone has died: “Blessed be the Judge of the Truth.”

But sometimes it’s better to let the Judge — and History — take its own course.

YOAV LEMMER/AFP/Getty Images

# Special Report – Thailand secretly dumps Myanmar refugees into trafficking rings

RANONG, Thailand Thu Dec 5, 2013 12:34am GMT

1 OF 21. Bozor Mohammed from the Rakhine state in Myanmar stands near a wall after an interview at his house in Kuala Lumpur November 8, 2013. Picture taken November 8.

CREDIT: REUTERS/SAMSUL SAID

### RELATED NEWS

(Reuters) – One afternoon in October, in the watery no-man’s land between Thailand and Myanmar, Muhammad Ismail vanished.

Thai immigration officials said he was being deported to Myanmar. In fact, they sold Ismail, 23, and hundreds of other Rohingya Muslims to human traffickers, who then spirited them into brutal jungle camps.

FINANCIAL COMMENTARIES AND GUIDES
POWERED

As thousands of Rohingya flee Myanmar to escape religious persecution, a Reuters investigation in three countries has uncovered a clandestine policy to remove Rohingya refugees from Thailand’s immigration detention centers and deliver them to human traffickers waiting at sea.

The Rohingya are then transported across southern Thailand and held hostage in a series of camps hidden near the border with Malaysia until relatives pay thousands of dollars to release them. Reporters located three such camps – two based on the testimony of Rohingya held there, and a third by trekking to the site, heavily guarded, near a village called Baan Klong Tor.

Thousands of Rohingya have passed through this tropical gulag. An untold number have died there. Some have been murdered by camp guards or have perished from dehydration or disease, survivors said in interviews.

The Thai authorities say the movement of Rohingya through their country doesn’t amount to human trafficking. But in interviews for this story, the Thai Royal Police acknowledged, for the first time, a covert policy called “option two” that relies upon established human-smuggling networks to rid Thailand of Rohingya detainees.

Ismail was one of five Rohingya who said that Thai immigration officials had sold him outright or aided in their sale to human traffickers. “It seemed so official at first,” said Ismail, a wiry farmer with a long narrow face and tight curly hair. “They took our photographs. They took our fingerprints. And then once in the boats, about 20 minutes out at sea, we were told we had been sold.”

Ismail said he ended up in a camp in southern Thailand. So did Bozor Mohamed, a Rohingya whose frail body makes him seem younger than his 21 years. The camp was guarded by men with guns and clubs, said Mohamed, and at least one person died every day due to dehydration or disease.

“I used to be a strong man,” the former rice farmer said in an interview, as he massaged his withered legs.

Mohamed and others say they endured hunger, filth and multiple beatings. Mohamed’s elbow and back are scarred from what he said were beatings administered by his captors in Thailand while he telephoned his brother-in-law in Malaysia, begging him to pay the \$2,000 (1,220.93 pounds) ransom they demanded. Some men failed to find a benefactor in Malaysia to pay their ransom. The camp became their home. “They had long beards and their hair was so long, down to the middle of their backs, that they looked liked women,” said Mohamed.

“HOLDING BAYS”

What ultimately happens to Rohingya who can’t buy their freedom remains unclear. A Thai-based smuggler said some are sold to shipping companies and farms as manual laborers for 5,000 to 50,000 baht each, or \$155 to \$1,550.

“Prices vary according to their skills,” said the smuggler, who spoke on condition of anonymity.

The Arakan Project, a Rohingya advocacy group based in Thailand, says it has interviewed scores of Rohingya who have passed through the Thai camps and into Malaysia. Many Rohingya who can’t pay end up as cooks or guards at the camps, said Chris Lewa, Arakan Project’s director.

Presented with the findings of this report, Thailand’s second-highest-ranking policeman made some startling admissions. Thai officials might have profited from Rohingya smuggling in the past, said Police Maj-Gen Chatchawal Suksomjit, Deputy Commissioner General of the Royal Thai Police. He also confirmed the existence of illegal camps in southern Thailand, which he called “holding bays”.

Tarit Pengdith, chief of the Department of Special Investigation, Thailand’s equivalent of the U.S. FBI, was also asked about the camps Reuters discovered. “We have heard about these camps in southern Thailand,” he said, “but we are not investigating this issue.”

Besieged by a political crisis and violent street protests this week, Thailand faces difficult questions about its future and global status. Among those is whether it will join North Korea, the Central African Republic and Iran among the world’s worst offenders in fighting human trafficking.

The signs are not good.

The U.S. State Department’s annual Trafficking In Persons (TIP) report ranks countries on their record for combating the crime. For the past four years, Thailand has sat on the TIP Report’s so-called Tier 2 Watch List, the second-lowest rank. It will be automatically downgraded to Tier 3 next year unless it makes what the State Department calls “significant efforts” to eliminate human trafficking.

Dropping to Tier 3 status theoretically carries the threat of U.S. sanctions. In practice, the United States is unlikely to sanction Thailand, one of its oldest treaty allies in Asia. But to be downgraded would be a major embarrassment to Thailand, which is now lobbying hard for a non-permanent position on the United Nations Security Council.

THE ROHINGYA EXODUS

Rohingya are Muslims from Myanmar and Bangladesh, where they are usually stateless and despised as illegal immigrants. In 2012, two eruptions of violence between Rohingyas and majority Buddhists in Rakhine State in western Myanmar killed at least 192 people and made 140,000 homeless. Most were Rohingya, who live in wretched camps or under apartheid-like segregation with little access to healthcare, schools or jobs.

And so they have fled Myanmar by sea in unprecedented numbers over the past year. Ismail and Mohamed joined tens of thousands of Rohingya in one of the biggest movements of boat people since the end of the Vietnam War.

Widespread bias against the Rohingya in the region, however, makes it difficult for them to find safe haven – and easy to fall into the hands of traffickers. “No one is there to speak for them,” says Phil Robertson, deputy director for Asia at Human Rights Watch. “They are a lost people.”

Rohingya men, women and children squeeze aboard overloaded fishing boats and cargo ships to cross the Bay of Bengal. Their desired destination is Malaysia, a Muslim-majority country where at least 31,000 Rohingya already live. As Reuters reported in July, many of these refugees were waylaid in Thailand, where the Thai navy and marine police worked with smugglers to extract money for their onward trip to Malaysia.

Hundreds of Rohingyas were arrested in two headline-grabbing raids by the Thai authorities on January 9 in the towns of Padang Besar and Sadao, both near the Malaysia border. At the time, Colonel Krissakorn Paleetunyawong, deputy commander of police in the area, declared the Rohingya would be deported back to Myanmar. That never happened.

Ismail and Mohamed were among the 393 Rohingya that Thai police say were arrested that day in Padang Besar. So was Ismail’s friend Ediris, 22. The three young men all hailed from Buthedaung, a poor township in northern Rakhine State.

Their story reveals how Thailand, a rapidly developing country in the heart of Southeast Asia, shifted from cracking down on human trafficking camps to facilitating them.

A SECRET POLICY

After their arrest, Ediris and Ismail were brought to an immigration detention center (IDC) in Sadao, where they joined another 300 Rohingya rounded up from a nearby smuggler’s house. The two-story IDC, designed for a few dozen inmates, was overflowing. Women and children were moved to sheltered housing, while some men were sent to other IDCs across Thailand.

With about 1,700 Rohingya locked up nationwide, the Thai government set a July deadline to deport them all and opened talks with Myanmar on how to do it. The talks went nowhere, because the Myanmar government refused to take responsibility for what it regards as illegal immigrants from Bangladesh.

Men and teenage boys languished for months in cramped, cage-like cells, often with barely enough room to sit or stand, much less walk. In June, Reuters journalists visited an IDC in Phang Nga, near the tourist Mecca of Phuket. There were 269 men and boys crammed into a space built for no more than 100. It reeked of urine and sweat. Some detainees used crutches because their muscles had atrophied.

A doctor who inspected Sadao’s IDC in July said he found five emaciated Rohingya clinging to life. Two died on their way to hospital, said the doctor, Anatachai Thaipratan, an advisor of the Thai Islamic Medical Association.

As the plight of Rohingya detainees made world headlines, pressure mounted on Thailand. But Myanmar wouldn’t take them, nor would Malaysia. With thousands more arriving, the U.N.’s refugee agency issued an urgent appeal for alternative housing. The government proposed building a “mega camp” in Nakhon Sri Thammarat, another province in southern Thailand. It was rejected after an outcry from local people.

In early August, 270 Rohingya rioted at the IDC in Phang Nga. Men tore off doors separating cells, demanding to be let outside to pray at the close of the Muslim holy month of Ramadan. Over the last three weeks of August, more than 300 Rohingya fled from five detention centers.

By this time, Mohamed, the 21-year-old refugee, could no longer walk, let alone escape. His leg muscles had wasted away from months in detention in a cell shared by 95 Rohingya men. Ismail and Ediris were shuttled between various IDCs, ending up in Nong Khai, a city on Thailand’s northern border with Laos.

Thailand saw its options rapidly dwindling, a senior government official said, speaking on condition of anonymity. It couldn’t protest to Myanmar’s government to improve the lives of Rohingya and stem the exodus, the official said. That could ruffle diplomatic feathers and even jeopardize the access of Thai companies hoping to invest in Myanmar, one of the world’s hottest frontier markets.

Nor could Thailand arrest, prosecute and jail the Rohingya for breaking Thai immigration law – there were simply too many of them. “There would be no room in our prison cells,” Police Maj-Gen Chatchawal said.

That growing problem gave birth to “option two” in October, a secret policy to deport the refugees back to Myanmar that led to Rohingyas being sold to human trafficking networks.

A hint of the policy shift came weeks earlier, on September 13, when Police Lt. Gen. Panu Kerdlarppol, chief of the Immigration Bureau, met with officials from other agencies on the resort island of Koh Samui to decide what to do with the Rohingya. Afterwards, Kerdlarppol announced that immigration authorities would take statements from the Rohingya “to arrange their deportation” and see if any want to go home. Arrangements would be made for those who did.

By early October, 2,058 Rohingya were held in 14 IDCs across Thailand, according to the Internal Security Operations Command, a national security agency run by the Thai military. A month later, that number stood at about 600, according to non-governmental organizations and Muslim aid workers. By the first week of December, it was 154, Thailand’s immigration department said.

Rohingya were fast disappearing from Thailand’s IDCs, and nobody knew where they were going.

“WE NOW BELONGED TO THEM”

Central to the policy was Ranong, a sparsely populated Thai province whose geography has always made it a smugglers’ paradise. Ranong shares a long, ill-policed land and sea border with Myanmar. Its coastline is blanketed in dense mangrove forest and dotted with small, often uninhabited islands.

The provincial capital, also called Ranong, was built on tin mining but now lives off fishingand tourism. Rust-streaked trawlers from Thailand and Burma ply the same waters as dive boats and yachts. So do wooden “long-tail” boats, named after their extended drive-shafts, which ferry Burmese migrant workers to the Myanmar port of Kawthaung, only a 30-minute voyage away.

By late October, hundreds of Rohingya were being packed onto immigration trucks and driven to Ranong for processing and deportation. Among them were Ismail and Ediris, who arrived in the port city after a grueling, standing room-only journey of 1,200 km (746 miles) from Nong Khai.

At Ranong’s IDC, they were photographed and told by Thai immigration officers they were being sent back to Myanmar. “They said no other countries were accepting Rohingya, and Myanmar had become peaceful,” said Ismail.

Then they were driven to a Ranong pier and herded onto four long-tail boats, each with a three-man crew of Thais and Burmese. Once at sea, the Rohingya asked the boat driver to help them. The Burmese-speaking driver shook his head and told the Rohingya they had been sold by Thai immigration officials for 11,000 baht (\$350) each.

“They told us we now belonged to them,” said Ismail.

After about 30 minutes at sea, the boats stopped. It was early afternoon on October 23. The vessels waited until about 6 p.m., when a large fishing boat arrived. They were loaded aboard and sailed through the night until they reached a jungle island, separated from the mainland by a narrow river. It was about 4 a.m.

Ismail said he saw about 200 other Rohingya in that camp, mostly sleeping and guarded by men with guns. The guards shoved Ismail and the others into a muddy clearing. There was no water or food. He was told he must pay 60,000 Thai baht (\$1,850). Did he have family who could send the money? If he did, he could go wherever he wanted, Ismail said he was told. “If you don’t, we’ll use this,” one guard said, showing an iron rod.

Ismail had some cash but not enough. “We need to escape,” he whispered to Ediris. After an hour at the camp, just before dawn, the two men made their move. A guard fired shots in the air as they ran through the jungle and waded through a river to reach the mainland. For the next 24 hours, they survived by drinking stream-water and eating the bark of banana trees. They emerged onto a rubber plantation, their feet lacerated from the bare-foot jungle trek, and met a Burmese man who promised to spirit them into Malaysia for 8,000 baht, or \$250, each.

They agreed and were driven to a house in southern Thailand, where Reuters interviewed them hours before they were smuggled by pick-up across the Malaysian border.

THE JUNGLE CAMPS

Bozor Mohamed, the third young Rohingya from Buthedaung, said he was held for 10 days at a jungle camp in Padang Besar.

He, too, said he had been delivered by Thai officials to trafficking boats along the maritime border with Myanmar. Afterwards, in torrential rain and under cover of darkness, along with perhaps 200 other Rohingya, Mohamed said he was ferried back across the strait to Thailand, where a new ordeal began.

The men were taken on a two-day journey by van, motor-bike, and foot to a smuggler’s camp on the border with Malaysia. On the final hike, men with canes beat the young Rohingya and the others, many of them hobbled by months of detention. They stumbled and dragged themselves up steep forested hills.

Making the same trek was Mohamed Hassan, a fourth Rohingya to escape Thailand’s trafficking network. Hassan is a baby-faced 19-year-old from the Rakhine capital of Sittwe.

He said he arrived at the camp in September after an overnight journey in a pick-up truck, followed by a two-hour walk into the hills with dozens of other Rohingya. Their captors ordered them to carry supplies, he said. Already giddy with fatigue and hunger after eight days at sea, the 19-year-old shouldered a sack of rice. “If we stopped, the men beat us with sticks,” he said.

The camp was partially skirted by a barbed-wire fence, he said, and guarded by about 25 men with guns, knives and clubs. Hassan reckoned it held about 300 Rohingya. They slept on plastic sheets, unprotected from the sun and rain, and were allowed only one meal a day, of rice and dried fish. He said he was constantly hungry.

One night, two Rohingya men tried to escape. The guards tracked them down, bound their hands and dragged them back to camp. Then, the guards beat the two men with clubs, rods and lengths of rubber. “Everybody watched,” said Hassan. “We said nothing. Some people were crying.”

The beating lasted some 30 minutes, he said. Then a guard drew a small knife and slit the throat of one of the fugitives.

The prisoners were ordered to dispose of his corpse in the forest. The other victim was dumped in a stream. Afterwards, Hassan vomited with fear and exhaustion, but tried not to cry. “When I cried they beat me. I had already decided that I would die there.”

His only hope of release was his older brother, 42, a long-time resident of Thailand. Hassan said he had his brother’s telephone number with him, but at first his captors wouldn’t let him call it. (Traffickers are reluctant to deal with relatives in Thailand, in case they have contacts with the Thai authorities that could jeopardize operations.)

Eventually, Hassan reached his brother, who said he sold his motorbike to help raise the equivalent of about \$3,000 to secure Hassan’s freedom, after 20 days in the camp.

Reporters were able to trace the location of three trafficking camps, based on the testimony of Rohingya who previously were held in them.

Three journalists traveled on motor-bikes and then hiked through rubber plantations and dense jungle to directly confirm the existence of a major camp near Baan Klong Tor.

Concealed by a blue tarpaulin tent, the Rohingya were split into groups of men and women. Some prayed. The encampment was patrolled by armed guards and protected by villagers and police. The reporters didn’t attempt to enter. Villagers who have visited the camp said the number of people held inside ranged from an estimated 500 to a thousand or more, depending on the number of people arriving, departing or escaping.

Interviews with about a dozen villagers also confirmed two other large camps: one less than a mile away, and another in Padang Besar, near the Malaysia border.

“THAT RED LINE IN THE SEA”

Major General Chatchawal of the Royal Thai Police in Bangkok admitted there was an unofficial policy to deport the Rohingya to Myanmar. He called this “a natural way or option two.” But he said the Rohingya went voluntarily.

“Some Rohingya in our IDCs can’t stand being in limbo, so they ask to return to where they came from,” said Chatchawal. “This means going back to Myanmar.” Rohingya at the IDCs, for instance, sign statements in the presence of a local Islamic leader, in which they agree they want to return to Myanmar.

These statements, however, were at times produced in the absence of a Rohingya language translator. When reporters visited the Sadao IDC for this story, the translator was a Muslim from Myanmar who spoke only Thai and Burmese, and thus unable to explain what the detainees were signing.

Chatchawal was also presented with recent testimony from Rohingya who said they weren’t taken to back to Myanmar. Instead, they were put in boats by Thai immigration officials, told they had been sold and taken under duress to Thailand’s camps. Reporters interviewed four Rohingya for this story who said they fell prey to trafficking with official complicity.

At the house where Ediris and Ismail were interviewed were two other survivors of the trafficking camps: Abdul Basser, 24, and Fir Mohamed, 28. They told similar stories. Both were arrested after arriving in Thailand on January 25, and held at the overcrowded Phang Nga IDC for about eight months. On October 17, the two men, along with dozens of other Rohingya, were driven overnight to Ranong.

“We were told we could go back to Myanmar,” said Mohamed.

That day, 48 Rohingya and five Buddhist Burmese were loaded into trucks and driven to a pier. The five Burmese were put on one boat; the Rohingya were put on another. After about a half hour at sea, the captain cut the engine. “We thought the engine had stalled or broke down,” said Basser. “The captain told us we could not go back to Myanmar, that we had been sold by the immigration and police,” he added.

Mohamed and Basser, too, escaped after being brought to an island near mainland Thailand.

Until now, the Thai government has denied official complicity in the smuggling or trafficking of Rohingya. But in a break with that position, Chatchawal said Thai officials might have received money previously in exchange for Rohingya, but not anymore. “In the past, and I stress in the past, there may have been cases of officials taking payments for handing over migrants to boats,” he said. “I am not ruling it out, but I don’t know of any specific cases recently.”

He said it was possible the Rohingya were intercepted by brokers and never made it to Myanmar. “Once they’ve crossed that border, that red line in the sea, they are Myanmar’s responsibility,” he said.

He also admitted the camps uncovered by Reuters exist in breach of Thai laws. He referred to them as “temporary shelters” for a people who ultimately want to reach Malaysia. The smugglers who run the camps “extort money from Rohingya” but police don’t accept bribes from them, he said.

As for the trafficking way stations in Padang Besar and Sadao, Chatchawal said: “I do believe there could be more camps like these. They could be hidden deep in the jungle.”

(Additional reporting by Jutaret Skulpichetrat and Amy Sawitta Lefevre in Bangkok, andStuart Grudgings in Kuala Lumpur.)

# Thailand dumps Myanmar’s Muslim refugees into trafficking rings

## Special Report – Thailand dumps Myanmar’s Muslim refugees into trafficking rings

DECEMBER 5, 2013

(Bozor Mohammed from the Rakhine state in Myanmar is pictured after an interview at his house in Kuala Lumpur November 8, 2013. Picture taken November 8. To match Special Report THAILAND-ROHINGYA/ REUTERS/Samsul Said)

One afternoon in October, in the watery no-man’s land between Thailand and Myanmar, Muhammad Ismail vanished.

Thai immigration officials said he was being deported to Myanmar. In fact, they sold Ismail, 23, and hundreds of other Rohingya Muslims to human traffickers, who then spirited them into brutal jungle camps.

As thousands of Rohingya flee Myanmar to escape religious persecution, a Reuters investigation in three countries has uncovered a clandestine policy to remove Rohingya refugees from Thailand’s immigration detention centers and deliver them to human traffickers waiting at sea.

The Rohingya are then transported across southern Thailand and held hostage in a series of camps hidden near the border with Malaysia until relatives pay thousands of dollars to release them. Reporters located three such camps – two based on the testimony of Rohingya held there, and a third by trekking to the site, heavily guarded, near a village called Baan Klong Tor.

Thousands of Rohingya have passed through this tropical gulag. An untold number have died there. Some have been murdered by camp guards or have perished from dehydration or disease, survivors said in interviews.

The Thai authorities say the movement of Rohingya through their country doesn’t amount to human trafficking. But in interviews for this story, the Thai Royal Police acknowledged, for the first time, a covert policy called “option two” that relies upon established human-smuggling networks to rid Thailand of Rohingya detainees.

VIDEO: Vicious circle awaits Rohingya refugees in Thailand (4:15)

# 20 Years of Talks: Keeping Palestinians Occupied

## 20 Years of Talks: Keeping Palestinians Occupied

3 December, 2013

INFOGRAPHIC TOOLS
PRINT
ZOOMINOUT

Sources
Talks TimelineThe Guardian, 2011. Timeline: Middle East Peace Talks (accessed on 3 December 2013)
Settlement UnitsFoundation for Middle East Peace, 2012. Housing Stats in Israel, West Bank, and Gaza (2010-2011) (accessed on 3 December 2013) & Peace Now, 2011. The Settlements: The Biggest Threat to a Two-State Solution (PDF) & Israeli Central Bureau of Statistics, 2013. Table 4: Dwellings, by stage of construction, district and construction initiator (PDF)
Settler PopulationB’Tselem, 2013. Statistics on Settlements and Settler Population (accessed on 3 December 2013)
Settlement SubsidyShir Hever in Newsweek, 2011. The Economics of Occupation (accessed on 3 December 2013)
House DestructionInternal Displacement Monitoring Centre, 2011. The State of Palestine (accessed on 3 December 2013) & data aggregated from B’Tselem, 2013. Statistics on Destruction of Property (accessed on 3 December 2013)
Jerusalem IDs RevokedB’Tselem, 2013. Statistics on Revocation of Residency in East Jerusalem (accessed on 3 December 2013)
Demolition Orders (3,000 West Bank)UN OCHA, 2011. Humanitarian Factsheet on Area C of the West Bank (PDF)
Demolition Orders (1,500 E Jerusalem)Israeli Committee Against House Demolitions, 2013. Israel’s Policy of Demolishing Palestinian Homes Must End: ICAHD Submission to the UN (accessed on 3 December 2013)
OPT Palestinian PopulationPalestinian Central Bureau of Statistics, 2013. Population Statistics (accessed on 3 December 2013)
Registered RefugeesUNRWA, 2012. In Figures (PDF)
Enclaves (166 West Bank + 1 Gaza)B’Tselem, 2013. Acting the Landlord: Israel’s Policy in Area C, the West Bank (accessed on 3 December 2013)
CheckpointsB’Tselem, 2013. Checkpoints, Physical Obstructions, and Forbidden Roads (accessed on 3 December 2013)
Wall LengthB’Tselem, 2012. The Seperation Barrier – Statistics (accessed on 3 December 2013)
Gaza BlockadeB’Tselem, 2013. The Siege on Gaza (accessed on 3 December 2013)

# Modi Foot in Mouth List

A few gems of “Prime Minister Material” Modi

• The Gujarat chief minister’s response on widespread malnutrition being the result of a predominantly vegetarian middle class that is “more beauty conscious than health conscious” is a classic of the foot-in-mouth genre. (About 52 per cent of children under five in his state are victims; 70 per cent of children between six and 59 months are anaemic; so are 55 per cent of Gujarati women.)
•  He made the claim, some time back, that under the Bharatiya Janata Party-led National Democratic Alliance, India had achieved eight per cent economic growth. It was pointed out that the correct figure was six per cent. But Mr Modi did not have the courtesy to admit his error.
• His most recent clutch of incorrect statements is enough to make any educated Indian blush. In a valiant attempt to whip up popular support among the people of Bihar, Mr Modi declared that Taxila was located in Bihar.
• Alexander had been defeated by the people of Bihar on the banks of the Ganges. These howlers have now been in the public domain for five days but there is no sign that Mr Modi is ashamed of them. This only reveals his lack of intellectual honesty just as his persistently shrill attacks on his rivals exhibit his lack of dignity.
• Narendra Modi courted controversy when he alleged at a rally in Jesar that the UPA-II government had spent Rs 1,180 crore on the personal foreign tours of UPA chairperson Sonia Gandhi.
• In comparing his feelings to the occupant of a car involved in an accident, Modi thus contributed to political folklore his controversial “puppy” analogy: “Even If I am in the back seat of a car and a puppy comes under the wheels, isn’t it painful? It is. Whether I am a chief minister or not, I am a human being   I will be sad if something bad happens anywhere.”
• To leave the misogyny aside for a moment, there was also something rather comical about Narendra Modi ‘s ” Rs.50 crore girlfriend” jibe at Sunanda Pushkar Tharoor and the war of words it sparked. Firstly there is the sight of the seemingly invincible Gujarat chief minister, who regressed from quoting Vivekananda to spouting such rubbish barely a week into the heat and dust of the election campaign.
• Sardar Patel who opposed RSS as the assassins of Gandhiji, is now Modi’s hero.
• After his “puppy” metaphor in the context of the Gujarat Carnage of 2002 in an interview to a foreign news agency ‘Reuters’, he has now lambasted the Congress party saying that “whenever they are faced with a crisis they wear the burqa of secularism and hide in a bunker”; this was at a public rally in Pune on July 14th.

Narendra Modi without doubt has become a sensation in many sections of society. A phenomenon fuelled by a section of news media. After nine years of Manmohan Singh’s meek rule, Modi’s impassioned speeches, skillful use of rhetoric, assertiveness and showmanship make him look like a rock star. To some extent, his style and language can be compared to that of Raj Thackeray’s. But Modi is more than that. His promises on the development front have led a sizeable population of our country to believe he can get us out of the mess we are in – and must therefore become Prime Minister of India. Does Modi have the ability and intent of taking India forward, away from the many crises we face today? I think not.

Modi has been selling the idea that attracting investment to a state amounts to “development”. By providing low interest rates, cheap rentals and waiving stamp duty, his government claims to persuade big corporates to invest in Gujarat. For instance, to lure the Tatas to set up their Nano plant in Sanand, the Gujarat government waived stamp duty on the land sale and gave other concessions to the tune of over Rs 30,000 crore.

Why did the government give these sops to Tata? Some say it was for “employment generation”. However, the state government policy of ensuring 85 per cent recruitment for locals was waived for this project. There was no gain in terms of revenue and very little employment generation. The tax waivers mean that the people of Gujarat are directly or indirectly subsidising each Nano sold by the Tatas – this is a criminal misuse of authority by the government. The people of Sanand voted the Bharatiya Janata Party out in the 2012 Assembly elections – perhaps a sign of disenchantment with Modi’s policies? The corporates get a sweet deal and, in return, endorse Modi for the Prime Minister’s job. You scratch my back, I scratch yours? Something like the model Manmohan Singh followed in the early years of UPA 1.

The fact that Modi’s policies bring investment into Gujarat cannot be denied. The important question that needs to be asked is – who are the beneficiaries of this investment? A state that has seen high growth rates for the last 20 years is expected to have generated revenue to work for the human development of the people of that state. According to the Planning Commission, Gujarat’s rank in poverty alleviation is extremely poor. In fact, the tribal population (17 per cent of the total) in the state has actually seen an increase in poverty over the last decade and malnutrition is very severe among Gujarat’s children and women. It is no surprise that in a recent study by United Nation’s Development Programme, Gujarat ranked 8th among major Indian states in human development. This suggests that the economic growth that Gujarat has seen is concentrated within a small percentage of the state’s population. Edward Abbey had once said, “Growth for the sake of growth is the ideology of a cancer cell”.

If the growth is not reaching the poor majority, what good is the growth? India is a country suffering from widespread poverty, hunger and malnourishment. A widening economic chasm is hardly an achievement in such an environment. With such a backdrop, is this the kind of development model we need today?

Modi is often described as a non-corrupt and incorruptible leader. In this limited definition of honesty one can draw parallels with Dr Manmohan Singh. So he may be clean himself, but he turns a blind eye to his Ministers’ plundering resources. Sitting at the top, overseeing, even if not participating in corrupt practices. Babu Bokhariya, a Cabinet minister of the Gujarat government, was convicted in an illegal mining case earlier this year and has been on trial since 2006, but Modi refused to act against his Minister. Then in 2011, while the nation stood up and demanded a strong Lokpal bill, Modi was occupied in delaying a Lokayukta in his own state. Finally, in 2013, we find his government has enacted a law which is more toothless than the UPA government’s Lokpal.

After a CAG report indicting the Modi government for corruption was leaked recently, Times of India reported the following (April 3, 2013):

With all but four Congress MLAs suspended from the House, there could be no debate on the damning CAG reports. As soon as the house began functioning on Friday, MLAs Rajendrasinh Parmar, Paranjayadityasinhji Parmar, Jodhaji Thakore and Amit Chavda sought discussion on CAG report, which the speaker Ganpar Vasava disallowed.

The quartet rushed to the well carrying banners on CAG. They were suspended, quite predictably, and escorted out by the security staff.

A clear sign that opposition is not tolerated in Modi’s Gujarat. In many ways, he reminds one of the Emergency-period Indira Gandhi. It is interesting to note that Modi rarely attends the Gujarat Assembly proceedings, let alone make statements on the floor. On the one hand, he can address massive rallies with great charisma. On the other, he has a habit of walking away from interviews when cornered with tough questions.

A Prime Minister is the voice of the nation. He must engage the people of his country in a dialogue. How can Modi not be accountable to the media or the legislative body, and still flash his “democratic” credentials? Does democracy have no meaning beyond elections? In this day and age, it is impossible to overturn democracy as brazenly as Indira Gandhi did in the 1970s, but does Modi have those tendencies? Absolutely.

Modi is trapped in an environment in which he cannot make a difference even if he wants to, owing to the kind of politics he represents. If he does become Prime Minister, the MPs who will support Modi for the job will in all likelihood have won the Lok Sabha elections after investing crores of rupees of black money (as Gopinath Munde recently admitted). If he becomes Prime Minister, will he stop his MPs from seeking returns on those investments? And will they continue to support him if he does? The current political system of “money through power and power through money” is such that neither Modi nor Rahul Gandhi (his closest competitor) can possibly make our lives better. If corruption funds these political parties, who will be their priority: the aam aadmi or the donors?