A from-scratch tour of Bitcoin in Python (karpathy.github.io)
1208 points by yigitdemirag on June 22, 2021 | hide | past | favorite | 277 comments

This reminds me of Ken Shirriff's 2014 "Bitcoins the Hard Way" blog post that also used Python to build a Bitcoin transaction from scratch: http://www.righto.com/2014/02/bitcoins-hard-way-using-raw-bi...

(The subtitle of the blog is "Computer history, restoring vintage computers, IC reverse engineering, and whatever" and it is full of fascinating articles, several of which have been featured here on HN)

Thanks for the nice mention of my blog. I was wondering if anyone remembered my old bitcoin article :-)

It's a classic. You will be forever remembered for your timeless contributions to the collective consciousness!

The retro-computing stuff I see you guys doing on CuriousMarc's youtube channel blows my mind.

I go back to it twice yearly

We do

Shameless self-promotion but there's also this post I wrote in 2017 if anyone interested in a slightly different take (but a very similar write up to the OP): https://www.samlewis.me/2017/06/a-peek-under-bitcoins-hood/

Cool that this article implements the cryptography primitives, though!

e: Funnily, like the article, I also stored some BTC in a wallet and challenged people to (manually) take/steal it. At the time it was worth $10 USD... now it's worth $123 USD!

> The 'dumbcoin' jupyter notebook is also a good reference: "Dumbcoin - An educational python implementation of a bitcoin-like blockchain" https://nbviewer.jupyter.org/github/julienr/ipynb_playground...

https://github.com/yjjnls/awesome-blockchain#implementation-... and https://github.com/openblockchains/awesome-blockchains#pytho... list a few more ~"blockchain from scratch" [in Python] examples.

... FWIU, Ethereum has the better Python story. There was a reference implementation of Ethereum in Python? https://ethereum.org/en/developers/docs/programming-language...

Ken's blog is great, as well as his work with CuriousMarc. Here's when he tried mining bitcoins by hand.


No, the hardest way is using pencil and paper to mine a block :)


That's basically just a SHA256 hashing on pen and paper, doesn't have much to do with how bitcoin works.

To be fair, performing sha256 hashing is kind of the only work that Bitcoin is doing, from a kilowatt hour’s perspective.

technically it said “the hard way” not “the hardest way”. also, computing a hash != mining. mining needs forming the block and computing the hash

Same guy, Ken Shirriff

I'm amazed that he has time for this kind of hobby work.

For others: Andrej Karpathy is the director of artificial intelligence and Autopilot Vision at Tesla.

Was on front page yesterday for a presentation on Tesla's Autopilot / Autonomous features: https://www.youtube.com/watch?v=NSDTZQdo6H8

He was doing this kind of hobby work well before. I learnt to solve the Rubik's cube from his page [0].

[0] http://badmephisto.com

Woah, he's him? Same here!

I had no idea!!! That's amazing.

Same - recognised the domain instantly! Used it to teach my son as well.

What a pleasant surprise!

Oh wow, me too.

I think I still have my printouts of the PLL algorithms somewhere…

Cool to learn this is the same guy.

"If you want something done quickly, give it to the busiest person."

“I choose a lazy person to do a hard job. Because a lazy person will find an easy way to do it.”

― Bill Gates

Is it necessary for me to drink my own urine? No, but I do it anyway because it's sterile and I like the taste.

-- Patches O'Houlihan

I am Groot

-- Groot

You miss 100% of the shots you don't take

-- Wayne Gretzky -- Michael Scott

A lot of busy, smart people have seemingly random side-projects. For example, Von Neumann:

"A professor of Byzantine history at Princeton once said that von Neumann had greater expertise in Byzantine history than he did" [1]

I don't know for sure why, but I think two possibilities are likely: (1) An extremely strong, natural intellectual curiosity and/or (2) Working on other things allows them to bring fresh ideas/insights to their "main" work, and in this sense is also rejuvenating.

[1] https://en.m.wikipedia.org/wiki/John_von_Neumann

From this point of view intelligence and memory may be just like muscle: the more you use (train) it, the more it grows (performs well).

He’s smart enough to do the job he has because he has done this hobby work his whole life. See also Peter Norvig.

Probably helps that his boss is the "technoking" and the CFO is the "master of coin".

Agreed though - impressive he has that kind of sidebar time or is so capable he doesn't need that much time to figure it out.

This stuff isn't that hard to figure out, given the number of specifications and tutorials already out there. What's impressive is the fact that he thought of a reasonably sized task, and (presumably) executed it efficiently and completely without getting stuck or distracted.

I spent quite some time researching this a few years ago. Then I finally programmed and generated my own fully working address. It's quite a satisfying journey. But I have to say, Python makes this somewhat less painful than it is in JavaScript (yes, I tried that too...) xD

He started tweeting about this like months ago

I think he’s a natural teacher - someone who loves sharing what he’s learnt with others - and it pleases me to know such people exist.

Everything I learned about deep neural networks, enough to apply it in a live product, was essentially all his notes, videos and exercises. And it’s all out there for free!

Thanks Andrej and keep doing cool stuff!

I know right? I had to do a double take when I saw the link, and then had to click it to confirm it was that Karpathy

Maybe most of his job is hype & marketing without delivering much

FSD rollout has been delayed many times. He's underperforming.

This is a very cynical way of looking at development progress. Did the iPhone team underperform by shipping in 2007 instead of 2005?

He's almost certainly a 100x engineer.


Definitely saved plenty of lives already. You should watch that video from yesterday

100x means he produces 100x you (or 100x the average engineer).

Or Elon is over-performing.

If you, like me, were curious about what the secret key 1 is on the mainnet, then here you are:

       1 1BgGZ9tcN4rm9KBzDn7KprQz87SZ26SAMH https://www.blockchain.com/btc/address/1BgGZ9tcN4rm9KBzDn7KprQz87SZ26SAMH
Some others:

       2 1cMh228HTCiwS8ZsaakH8A8wze1JR5ZsP  https://www.blockchain.com/btc/address/1cMh228HTCiwS8ZsaakH8A8wze1JR5ZsP
       3 1CUNEBjYrCn2y1SdiUMohaKUi4wpP326Lb https://www.blockchain.com/btc/address/1CUNEBjYrCn2y1SdiUMohaKUi4wpP326Lb
      42 1EMxdcJsfN5jwtZRVRvztDns1LgquGUTwi https://www.blockchain.com/btc/address/1EMxdcJsfN5jwtZRVRvztDns1LgquGUTwi
    1337 1DN76uuAUDY1DLxABD3JAyunhhAreJbCjT https://www.blockchain.com/btc/address/1DN76uuAUDY1DLxABD3JAyunhhAreJbCjT

If you are really curious, all the secrets are out there.


Finding one with a balance is the hard part.

I was wondering if monitoring those starter addresses could be lucrative... They've transacted quite a lot

Thanks, I was wondering the same but too lazy to figure out the addresses!

Implementing things from scratch is probably the ultimate test of thorough understanding. Chapeau! On another note I am amused that Mr. Karpathy's name describes exactly what he is doing in his day job.

An excellent example of nominative determinism!

I don't get it. What does the word "Karpathy" mean or sound like?

"car path ey" sounds like a thing connected to finding paths for cars.

D'oh. I was trying to think of a connection between "Karpathy" and Bitcoin.

Car pathing, as in getting cars to drive along a path.

Sometimes implementing things from scratch is the ultimate proof of thorough misunderstanding.

That's very true, I don't know why you're getting downvoted

"NIST publishes recommendations on which ones to use, but people prefer to use other curves (like secp256k1) that are less likely to have backdoors built into them"

Does this make any sense? How is a curve going to have backdoors on it? Or he means a specific implementation? Or is this a joke? I'm confused

ECC NIST curves were proposed by the NSA. They have some unusual hand-selected constants, and nobody quite understands exactly why they were selected.


> “Working in collaboration with the NSA, NIST included three sets of recommended elliptic curves in FIPS 186-2 that were generated using the algorithms in the American National Standard (ANS) X9.62 standard and Institute of Electrical and Electronics Engineers (IEEE) P1363 standards.”: What exactly is NIST’s justification for making claims regarding the method that NSA used to generate these curves? The fact that a hash matches is publicly verifiable, but the distribution of “random” inputs is not. I have heard NSA employees claiming that the “random” inputs were actually generated as hashes of English text chosen (and later forgotten) by Jerry Solinas.


It's all quite public.


Quoting from the paper:

The standard given by the NIST gives a list of explicit parameters ... describing the elliptic curve behind the algorithm.

Examining the points P and Q here, it is obvious why cryptographers were suspicious of the Dual EC ... once the scalar k is known, it is a “simple matter to determine the secret internal state s of the pseudo-random bit generator” [6], by observing as few as 32 bytes of output.

It goes on to quote one of the NSA contractors who admitted that instead of being randomly chosen, "Q is (in essence) the public key for some random private key."

"It could also be generated like a(nother) canonical G, but NSA kyboshed this idea, and I was not allowed to publicly discuss it, just in case you may think of going there."

Straying from the prescribed points was discouraged, and NIST only provided FIPS validation to clients using the original P and Q.

More recently, GPRS was also shown to have been intentionally weakened - presumably to pass export controls - although in this case I think it was the algorithm and not a "cherry picked" curve: https://eprint.iacr.org/2021/819.pdf

Here's a computerphile video that explains it very simply: https://youtu.be/nybVFJVXbww

> But then the Snowden leaks came along, and it looks even more suspicious.

> Money was changing hands between the NSA and companies, to have them install this as their standard for number generation. That's deeply suspicious.

(-from the video)

That's one piece of information I didn't know, and doesn't usually get mentioned in the discussions I've seen about this.

Thanks! Thanks to the other answers too. Amazing stuff!

There's been a history of mathematical information used in cryptography, produced by the NSA, for which it was later revealed that they had a pre-developed attack. Example: the S-boxes of DES.

Except NSA strengthened DES against this not-yet-known-to-the-public attack (differential cryptanalysis).



While keeping DES to 56 bits, to keep the attack within reach.
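The two technical threads above, the "secret key 1 is 1BgGZ9tcN4rm9KBzDn7KprQz87SZ26SAMH" list and the Dual EC discussion, fit one worked example, so here is one. This is an added example written for this page; it is not code from Karpathy's post, from Ken Shirriff's article, or from any project named in the thread. It implements secp256k1 point arithmetic from scratch, derives the compressed-key P2PKH address for a small secret so the list above can be checked, round-trips Base58Check (where the 4-byte checksum, which fails with probability about 1 in 2^32 rather than 1 in 16, is what catches a typo), and then runs a simplified Dual EC DRBG on the same curve with Q = d*G for a d chosen here. Assumptions, all mine: the real Dual EC ran on NIST P-256 with NIST's published P and Q and dropped the top 16 bits of each output, while this version keeps the full x-coordinate so the state recovery is exact and needs no brute force over dropped bits; the trapdoor d and the seed are arbitrary constants; modular inverses use pow(x, -1, p), so Python 3.8+ is needed; and hashlib's ripemd160 comes from OpenSSL and is missing on some OpenSSL 3 builds unless the legacy provider is enabled, which is why availability is probed before the address step.

```python
# Added example for this thread (not from Karpathy's post or any project
# named here): secp256k1 from scratch, address derivation, Base58Check,
# and a simplified Dual EC DRBG with a known trapdoor on the same curve.
import hashlib

# secp256k1: y^2 = x^3 + 7 over GF(P); G has prime order N (real constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def ec_add(p1, p2):
    """Affine point addition; also handles doubling, inverses and infinity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p2 == -p1
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # curve coefficient a is 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (not constant-time)."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

B58 = b'123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'

def hash256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def b58check_encode(payload):
    """Base58(payload || first 4 bytes of SHA256(SHA256(payload)))."""
    data = payload + hash256(payload)[:4]
    num, out = int.from_bytes(data, 'big'), b''
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem:rem + 1] + out
    return (b'1' * (len(data) - len(data.lstrip(b'\x00'))) + out).decode()

def b58check_decode(s):
    """Inverse of b58check_encode; ValueError on a bad char or checksum."""
    num = 0
    for ch in s.encode():
        num = num * 58 + B58.index(ch)
    raw = num.to_bytes((num.bit_length() + 7) // 8, 'big')
    raw = b'\x00' * (len(s) - len(s.lstrip('1'))) + raw
    if hash256(raw[:-4])[:4] != raw[-4:]:
        raise ValueError('Base58Check checksum mismatch')
    return raw[:-4]

def compressed_pubkey(secret):
    x, y = ec_mul(secret, G)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, 'big')

def ripemd160_available():
    try:
        hashlib.new('ripemd160')
        return True
    except ValueError:  # OpenSSL build without ripemd160
        return False

def address(secret, version=b'\x00'):
    """P2PKH address: Base58Check(version || RIPEMD160(SHA256(pubkey)))."""
    h160 = hashlib.new('ripemd160', hashlib.sha256(compressed_pubkey(secret)).digest())
    return b58check_encode(version + h160.digest())

# Dual EC DRBG, simplified: one step is r = x(s*P), s' = x(r*P), out = x(r*Q).
# The real generator used NIST P-256 and dropped 16 bits of each output; here
# P is G, Q = d*G for a d chosen below, and the full x-coordinate is emitted.
def dual_ec_step(state, Pp, Qp):
    r = ec_mul(state, Pp)[0]
    return ec_mul(r, Pp)[0], ec_mul(r, Qp)[0]  # (next state, output)

def lift_x(x):
    """Some point with this x; P == 3 (mod 4) so the sqrt is one modular power."""
    return (x, pow((x * x * x + 7) % P, (P + 1) // 4, P))

def backdoor_next_state(output, e):
    """With e = d^-1 mod N: e*(r*Q) = r*e*d*G = r*G, whose x is the next state.
    Lifting gives r*Q or its negation; both have the same x after scaling."""
    return ec_mul(e, lift_x(output))[0]

def demo_backdoor(d=0x1234, seed=42):
    """Attacker holding e predicts the victim's next output from one output."""
    Q = ec_mul(d, G)
    e = pow(d, -1, N)
    s1, out1 = dual_ec_step(seed, G, Q)  # victim emits out1 ...
    _, out2 = dual_ec_step(s1, G, Q)     # ... then out2
    recovered = backdoor_next_state(out1, e)
    predicted = dual_ec_step(recovered, G, Q)[1]
    return recovered == s1 and predicted == out2
```

address(1) reproduces the first entry of the list above, and demo_backdoor() returns True: from a single output, the holder of e = d^-1 mod N recovers the generator's next state and predicts the following output, while b58check_decode on an address with one character changed raises instead of returning a payload. That is the whole point of the "Q is the public key for some random private key" admission quoted above: anyone holding that private key can do this to every Dual EC user, and nobody without it can tell from P and Q alone whether such a key exists.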

Looks like the exercise left to the reader has been completed: https://www.blockchain.com/btc-testnet/tx/182bf9202649ded3a6...

> steal my bitcoins from my 3rd identity wallet (mgh4VjZx5MpkHRis9mDsF2ZcKLdXoP3oQ4) to your own wallet ;) If done successfully, the 3rd wallet will show “Final Balance” of 0. At the time of writing this is 0.00095000 BTC, as we intended and expected.

Can someone explain how this was executed?

Guessing it's because the private key is right in the code:

>secret_key3 = int.from_bytes(b"Andrej's Super Secret 3rd Wallet", 'big') # or just random.randrange(1, bitcoin_gen.n)

(Obviously a private key intended for actual use generally wouldn't just be some ASCII bytes of an English phrase and wouldn't be posted publicly. Though, of course, there have been instances of both...)

You have the secret key, just sign away the txouts.

0.00090000 BTC moved, 0.00005000 BTC fees. That's 5.55%.

On the test net! On the real net it would be like 20% or more in fees.

Fees are dictated by the user and the time they have for the transaction to take place. The fee could have been much lower.

I think we are well past the point of debating if bitcoin layer one will be used for day to day transactions however. A custodial service or Lightning will have to be used for that. Additionally most people treat bitcoin closer to gold than a dollar currently.


Then why bother writing that useless comment?

Why ask that useless question?

Pointing out that something is useless isn't useless in itself.

You can take it down a nihilistic path by claiming that it is in fact useless, but that argument just spins in circles forever because it applies to itself.

However, answering a rhetorical question is in fact useless.

I’ve made something similar in order to learn how everything works and made it into a python library. Everything is in pure python with no dependencies, only std lib. I’ve implemented all the crypto stuff, address generation including HD, transaction serialization and even the bitcoin script. https://github.com/mcdallas/cryptotools


One little nitpick: the checksum error probability should be more like 9 nines. The checksum contains 4 bytes, not 4 bits, and so the false positive rate should be about 1 in 2^32, not 1 in 2^4.

"The raw 25 bytes of our address though contain 1 byte for a Version (the Bitcoin “main net” is b'\x00', while the Bitcoin “test net” uses b'\x6f'), then the 20 bytes from the hash digest, and finally 4 bytes for a checksum so we can throw an error with 1 - 1/2*4 = 93.75% probability in case a user messes up typing in their Bitcoin address into some textbox."

Two days in a row I see this Karpathy name on the front page of HN on two totally unrelated subjects. It almost feels like this is simulated world and something is wrong.

He's semi-famous even before working at Tesla

"...Bitcoin is a living, breathing, developing code base that is moving forward with new features to continue to scale..."

There is exactly zero progress to make it scale in the last 10+ years.

> There is exactly zero progress to make it scale in the last 10+ years.

Lol, literally this week: https://taproot.watch/

Taproot doesn't make bitcoin scale; it's mainly to increase privacy.

Taproot decreases the size of multisig and other complex transactions significantly, in the happy path of a cooperative signature.

It also enables Schnorr, which produces smaller signatures than ECDSA.

It also contains features to further improve the efficiency of Lightning, which is a shockingly effective scaling mechanism.

Lightning doesn't work because it either leads to a chaos of routing that doesn't scale or it ends up centralized and you lose the point of bitcoin in the first step.

And don't bother coming up with hand wavy explanations of how it could work, some day. People have been talking about Lightning for years, literally billions of dollars have been poured into the "tech", the fact that even bitcoin enthusiasts barely ever use it is all the proof I need.

I wonder how many more years of empty promises we'll have to suffer through before people accept that cryptocurrencies are a very good pyramid scheme with a thick layer of technobabble around it.

Weird Lightning works perfect for me, every time I use it. Low fees instant transactions. Maybe the trouble is in your trolling?

Your entire premise is based on nonsense. People use lightning all the time and it works great.

lightning works, at least you are having fun tho

Daily reminder that cryptocurrencies are not == bitcoin

All the problems with bitcoin are long, long solved, just not with bitcoin, because it's not possible to fix something when the majority (of hashpower) thinks it's not broken, or rather profits from its brokenness.

FBA coins have existed since 2013 or so.

> Daily reminder that cryptocurrencies are not == bitcoin

This is an interesting feature of cryptocurrencies. Someone levels a fair criticism of a particular implementation but it can be handwaved away because an entirely separate cryptocurrency solved this particular problem (nevermind that whatever replacement you’ve chosen has its own host of separate problems because those can be handwaved away the same way).

I did not hand wave anything away, maybe read the thread. There was a wrong generalization (cryptocurrencies == bitcoin) about cryptocurrencies that is very common but not accurate at all. Fair criticism on the Ford Model T does not apply to cars.

Handwaved away? You mean improved?

FBA is centralized. Period. There’s a reason ripple hasn’t dominated the secure payments industry.

facepalm. FBA is a technology, it's not a thing or a running system. It can not be centralized; it's just a bunch of math that BTW is mathematically proven to work. There are many FBA based "blockchains" out there, some centralized, some not. Ripple is a company that uses such an FBA system.

Would you include environmental impact as a solved problem? My understanding is that Proof of Stake is the best serious option and that it's very controversial if it'll work.

Proof of stake lacks the security properties of proof of work, e.g. via grinding attacks.

Grinding attacks aren't a problem if you include secure verifiable randomness in the protocol. E.g., Algorand's VRF-based sortition, or Ethereum 2.0's verifiable delay function.

Solved as in it does not use more energy than what the hardware needs to process the data, plus it doubles every time you double the number of nodes (obviously, since they all have to do the same work too). It's not wasting energy on a PoW lottery; it just uses energy like a comparable instant messenger with a global server farm would. The more people who use it, the more energy it will use; there is no way around that.

FBA is completely different from PoS. It does not work on incentives and penalties; it works with a global final state, global rules and (federated) byzantine agreement (FBA) for progress (adding the next "block"). No way to re-org, no block/staking reward, no censorship. If someone doesn't act in everyone's interest, other nodes simply won't listen to them anymore. Not following the rules is publicly visible to anyone. And since there is no reward anyway, there is no financial reason why anyone would participate who does not simply want to help the system.

Well, the "pyramid scheme" + "technobabble" is not totally worthless, if it enables the investment of "literally billions of dollars" in otherwise totally unproven technology paths, doesn't it? Finally there is one area where people are really investing money into computer science! A cause to celebrate in my book.

cough dotcom bubble.

Seriously, investing money in a bubble is nothing to celebrate. That’s why it is called a bubble. It pops and many people lose their money.

Except this bubble is a bit more insidious because you have actors like Tether that are most likely creating a lot of artificial liquidity/demand. If there is a sudden loss of faith and enough actors start rushing for the exits, it will look something more like a musical game of chairs of who is left holding the bag of worthless Mickey Mouse dollars, by my estimation.

Absolutely, that is my biggest worry. And it has no true backing, apart from these pump and dumps.

The single question people in favor of crypto can’t answer is the value creation. Now crypto is a natural evolution of certain monetary services and techniques, but at the core it literally does nothing of value. In fact, one might argue that that is its prime feature in its current state.

Who cares, the size could be 10 times smaller and it would not make a dent in the scalability problem. It's a few transactions per second at max and it would need to be several hundred just so people could move their "owned" bitcoins away from exchange wallets without losing several % in fees.

LN is not part of bitcoin and a total joke anyway.

Oh good, BTC can finally support Schnorr signatures, a feature that been available on BCH for years now. A feature that is useless until wallet developers add Schnorr signing functionality.

Taproot is the update we get after ten years of the BTC devs doing nothing except gaslighting users about the protocol's scalability? All that momentum wasted.

> Schnorr signatures, a feature that been available on BCH for years now.

Not in a useful way: https://www.reddit.com/r/btc/comments/l8v8sa/heres_a_6of9_sc...

Segwit was also supposed to scale Bitcoin, and it turns out it was a massively inefficient solution, which took years to even reach its lackluster potential.

Taproot will in practice have an even smaller impact, as it only affects special transactions that normal people won't use.

So yeah, it's not zero progress, but it's certainly not much.

Segwit itself provided an effective 2x increase in onchain transaction capacity and it fixed transaction malleability, which was necessary for the Lightning network. The Lightning network has 50,000+ open channels where payments can be routed without going onchain. Given the Lightning network’s strict requirements to keep a node online & responsive, lest you lose all your funds, I think that’s extremely impressive and shows a real demand for fast cheap payments.

Now, in November taproot/schnorr activates, which gives us PTLCs on the Lightning network as well as making a Lightning channel opening transaction look like a normal single signature transaction, yay privacy. All of this lays the groundwork for the next major base layer change, in probably ~2023, anyprevout. This will give us “eltoo” on Lightning, which is nirvana. Eltoo removes the penalty mechanism, which makes running a Lightning node on a mobile phone or home node much more reasonable.

Protocols take a long time to develop, especially ones where a misstep could mean the loss of billions of dollars.

Do not believe anyone telling you that their coin solved bitcoin’s scaling problems years ago.

Bitcoin's scaling problem was solved by removing PoW/PoS and by removing the incentive structure (block rewards). As soon as this is gone there was no reason anymore why it would not scale like similar systems. It's basically limited only by how fast data can propagate through the network.

PoW/PoS was replaced by FBA (Federated Byzantine Agreement). It's not a coin; it's technology used by several systems and based on BFT (which is way older than bitcoin, and bitcoin actually is based on BFT as well, although maybe unintentionally).

FBA just adds the federated part so a decentral system can be built. While bitcoin instead used a work-reward lottery system (PoW) to decide who can write the next block rather than finding a block everyone agrees on. It's really not that hard to figure out which of these solutions probably works better and scales somewhat like a distributed system is expected to scale.

Bitcoin Cash has taken the approach that Bitcoin should have. On chain scaling.

Bitcoin doesn't scale.


Just watch this video:


So in about 5 years pretend everyone in the United States melts a wrench like that... Then a month later they do that twice, a month later they do it three times.

Hey, at least it will be fun.

Why does every discussion about Bitcoin's environmental impact reduce to "it uses a lot of electricity therefore it should be stopped".

We're not going to shut down entire sectors of the economy because of their environmental impact. People are going to innovate and invest in alternative sources of energy because it is becoming profitable to do so. The solution is hardly ever "just stop doing it", it's "how can we do this better".

Crypto is hardly a "sector of the economy". Its main utility right now is lining the pockets of a few speculators.

Traditional centralized ledgering systems do everything crypto does better and with a fraction of the energy use. It also gives governments tools to combat inflation/deflation and manage counterparty risks within the system.

Crypto is a neat idea, but in the end it doesn't really solve anything, and instead only introduces a lot of unnecessary problems.

It pains me to see how someone could see no value in having a medium of exchange outside of any government currency control. One of my ex-coworkers had his family's fortune wiped out twice in Argentina due to government seizure and hyperinflation before they fled to Canada.

There are few sectors of the economy whose entire model depends fundamentally on huge energy consumption: Bitcoin's Proof of Work depends entirely on wasting huge amounts of electricity as assurance that transactions are verified. If mining became more power efficient, the algorithm would be changed to bring it back to where it is today.

It has been "done better" in 2013 or so, when the first FBA systems were created as a direct answer to Bitcoin's expected future environmental impact and scalability problems.

See https://news.ycombinator.com/item?id=27596590

Instead of watching that video, perhaps watch it on photonic induction's channel, seeing as he's the creator.


What happened to the lightning network? (Serious question, I am out of the loop.)

It launched, is usable in most wallets, and is starting to get adoption. It's going to be a key piece of the recently passed legislation in El Salvador which makes Bitcoin legal tender.

Using a closed, centralized implementation that doesn't accept third party nodes. The use of bitcoin is pure marketing, it's just MySQL with extra steps.

The ceo of strike said they are continually promoting that banks and businesses in the El Salvador operate their own lightning network nodes & not to solely rely on them. Only the government’s official (but optional) app will be a wrapper around strike.

This is interesting. Obviously, I heard about the whole "El Salvador something something Bitcoin" deal, but am completely unaware of the actual situation. Can somebody point me in the direction of some nice writeup explaining these details? I can only vaguely imagine how one can take Bitcoin and make it essentially an extension of SWIFT, and struggle to clearly visualize what the implications of this are.

From Strike CEO Jack Mallers [1]:

Let’s walk through a user story. I want to send $1,000 to a friend of mine in El Salvador:

* When I initiate the $1,000 payment, Strike debits my existing USD balance.

* Strike then automatically converts my $1,000 to bitcoins ready for use in its infrastructure using its real-time automated risk management and trading infrastructure.

* Strike then moves the bitcoins across the Gulf of Mexico where it arrives in our Central American infrastructure in less than a second and for no cost.

* Strike then takes the bitcoins and automatically converts them back into USDT (synthetic digital dollar known as Tether) using its real-time automated risk management and trading infrastructure.

* Strike then credits the existing user with the USDT to their Strike account.

[1] https://jimmymow.medium.com/announcing-strike-global-2392b90...

It seemed like an answer at first, but actually this answers absolutely nothing and I'm not even sure how it's related to the topic being discussed:

* This guy starts talking about sending USD, but ends up talking about receiving USDT. USD != USDT. And while there are problems with sending USD across the border, there's absolutely no problem with sending USDT. And there's absolutely no problem buying USDT wherever you are. (But, what's important, there might be problems actually converting your USDT into USD.)

* Since we end up buying USDT with USD, the word "Bitcoin" in the middle of the story seems redundant and actually confusing.

* There's nothing about Lightning here. I mean, you can talk about how you use Lightning to transfer BTC inside Strike as much as you want, but if BTC is irrelevant to the user story, so is Lightning.

* I'm not sure how Strike and this user story are relevant at all. It started out about El Salvador accepting BTC as a legal tender, and how using it in actual transactions w/o lightning is problematic due to low TPS. How sending USD to El Salvador is relevant here at all?

Is Tether now backed by a reasonable amount of real dollars? I'm surprised to see it being used in such a serious application after years of hearing how it was a scam.

edit: looked it up, still looks like a total scam. I hope El Salvador is able to get through this without getting screwed and I guess I'll assume Strike (first time I've heard of it) is just as shady until I hear otherwise:


There is no bitcoin needed for this at all; it does not even move on the chain for the transfer.

Both sides are Strike entities all this does is use bitcoin as a bridge for USD to USD which is completely pointless as both sides are USD.

You could just buy USDT (or another stablecoin) and send it there.

It's a different story if there is actually a switch in currency needed. There is this famous, and by bitcoin people often hated, company called Ripple that specializes in cross-border settlement using crypto as a bridge currency. For that however the crypto must actually be moved and be sold locally for the local currency. And for that to work without risk due to volatility it must be fast. Hence they use XRP (4 sec) instead of bitcoin (10+ min). They call it ODL (On-Demand Liquidity).

See https://ripple.com/ripplenet/on-demand-liquidity/

Please somebody explain why it's downvoted. Ignoring the digression about XRP, this is exactly what I read from the parent comment. Judging by the user story above, all this talk about how BTC is being "sent" (which, as we all know, is a small lie on its own, since unlike fiat, BTC is never really being sent anywhere) seems just to distract us from the fact that we just end up buying USDT for USD. No BTC involvement required.

Most of HN down votes anything about bitcoin and a few HN bitcoin fans down vote anything "negative" about bitcoin and certainly everything involving XRP. So to no surprise this is being down voted.

>No BTC involvement required.

Totally correct. Remittance over a bridge currency only makes sense under very specific conditions, which include that the input currency and the output currency are different, and a direct exchange is not possible or not cheap.

The traditional banking system does this as well; they usually use USD as the bridge. To pair every currency with every currency simply isn't feasible, and the low volume pairs would have no liquidity anyway. It's basically the same as with goods: if you have wood but want metal you use a currency as a bridge because there is no market to sell wood for metal. Now if you also have a location difference between the market where you want to sell and the market where you want to buy, then you actually can use the bridge currency to move from one market (location) to another market (location).

The legislation that made Bitcoin legal tender in El Salvador does not legislate the use of Strike. Businesses can use whatever system they want, as long as they can accept payment in Bitcoin. Strike is providing a service that allows any business to take Bitcoin Lightning payments and have them automatically converted to dollars, for businesses that do not want to hold Bitcoin. It's not fair to just call this a "SQL database" because it's connected to an open payment network and the customer can use whatever means they want to pay the business, even if the business decides to just use Strike.

Wait, it does not allow third party nodes? What is my Raspberry Pi right next to me doing? Just pretending to be a Lightning Node?

Parent is referring to El Salvador's proposed usage, not the wider lightning network.


They will be using Strike, which is a custodial wallet.

I am puzzled by one thorn it is intended to solve.

In the case of merchant/customer interactions, the LN channel blocks customer funds from their balance, but they will never receive money from the merchant. So that balance will be sent to the merchant, payment by payment.

Not only does that block funds for the customer (which wants to reduce those, to avoid blocking too much, but that reduces the number of payments that can be made off-chain), but it also blocks the merchant’s reception of those payments: the merchant wants to be able to spend it soon, but it can only spend it on-chain.

That is compounded by the fact that most merchant/customer interactions are rare one-offs in the real world. I just don’t buy stamps every day.

LN channels are most useful only when the two parties exchange money bidirectionally on average.

It’s an ongoing problem for sure, but the simple answer is users maintaining multiple well connected channels.

It’s very common on Lightning to pay liquidity providers to balance your channels to you. Lightning Labs has a service called Loop where you can pay them with an on-chain transaction and it will make a Lightning Network payment to your channel for that amount, thus giving you more spend liquidity. Loop is sweet because it does this in a non-custodial way; look into it.

El Salvador not Colombia

Yes. Not sure why I wrote Colombia. Thx.

El Salvador, the military dictatorship that managed to make western dreamers hype it like a shitcoin...

It exists, and it very much works [0] but it has yet to reach the massive levels of adoption people would have expected by now. Simple as that.

[0] https://1ml.com/

Afaik it is still considered #reckless to put bigger amounts on your Lightning node, and at least the "lnd" implementation seems to be in "beta" (according to their GitHub releases). Idk what the roadmap for a solid, production-ready version is. But in this case safe seems to be better than sorry.

Lightning network more or less failed to live up to the hype. Problems like routing complexity, liquidity, and a lack of on-chain space to open and close channels have delayed/limited its impact.

To expand on this, to receive money over Lightning, you need someone else to lock up their bitcoins for you. This is called inbound liquidity, and the problem of users getting inbound liquidity is no joke. Lightning Labs recently launched Lightning Pool to help with this, but fees range from 5% to 25%. Uncompetitive. If you think about it too, it makes sense, because anyone locking up their bitcoins for others should expect a several % return, or else they would loan it out at similar rates. Current Lightning wallets are basically giving their users inbound liquidity for free using VC funds, but is this honestly sustainable? There are other problems with Lightning, like the requirement to be online to receive payments, watchtowers, UX complexity of channels. Some of these are solvable through centralization. But that is why you'll hear people say Lightning recreate the banking model, because realistically that looks like the only way it could work. Oddly, this was all pointed out by many people over the years, but Lightning seems to get endless forgiveness in its inability to deliver, because it is BTC's only hope to maintain the peer-to-peer cash narrative.

The locking up of liquidity is the whole reason LN can not scale or be cheap ever.

Today people in crypto may be willing to lock up bitcoins they hold long term anyway. But in the real world this would be dead and trapped capital; it doesn't work for you, and you can't even use it to quickly buy something and take advantage of a market situation.

The only reason why someone would lock up capital like that is if it makes money. So people who use someone else's locked up bitcoins have to pay. This makes it impossible for LN to be cheap. You literally lend money to send money to someone. It's completely absurd. And as you said, to make this more efficient, large centralized pools are created, so there will be a monopoly or oligopoly for lending; how's that gonna be good for the fees?

LN was dead before they started coding it.

If I decide I want to be long BTC, why not also lock it up to earn fees?

No one questions that the people who are bullish on BTC are in on it (some). The question is why would I pay you to lend me BTC when I actually want to send my BTC to someone. It literally adds a third party in what should be a p2p transaction. They replaced the "evil third parties" called banks with their own liquidity pool.

Funny how they figured out that you can't make money with money services if you remove the third party, so they added it back in.

On top of that there are countless other blockchains/DLTs that have cheap transactions on the first layer. Cheap as in fractions of a cent. To compete with that you would need to lock your BTC for free, but then you still have the on-chain transaction that LN needs sometimes, which costs way too much.

lock up*

In order to get money on and off lightning network, you still need to make on-chain BTC transactions. Meanwhile, the BTC devs have intentionally changed the network so that it's expensive to make on-chain transactions. From this you can probably figure out why lightning network failed.

It's maturing, works pretty well already, but surely patience helps with emergent tech.

Apparently it has serious design flaws that compromise its security and performance.

Check out Stacks (https://stacks.co), enables smart contracts on top of Bitcoin through Proof-of-Transfer consensus. Founded by YC alums and launched this January after many years of R&D.

Disclaimer: I'm involved.

There was never any need to scale it at the protocol level. The overwhelming majority of Bitcoin transfers presently happen off-chain, within exchanges. Very few people seem to understand this.

I don't understand. How do Bitcoin transfers happen off-chain? Are those Bitcoin transactions that don't actually use the blockchain?

The exchange itself holds a fluctuating amount of Bitcoin and then updates entries in its own database when transfers occur between exchange participants to reflect a change in ownership. These constitute the vast majority of transactions that occur and none of them are recorded to the blockchain.

And the exchange is centralized?

segwit facilitates the construction of lightning channels.

taproot, which recently locked in, reduces the space needed to represent complex contracts.

moreover, bitcoin aims at being a concise and focused base layer on top of which secondary layers and sidechains can be built.

Your absolute statement "exactly zero" is absolutely wrong.

> moreover, bitcoin aims at being a concise and focused base layer on top of which secondary layers and sidechains can be built.

Have you ever read the white paper that outlines what bitcoin aims to be?

It should be p2p cash, then turn into a store of value after some years, and then it becomes the settlement layer for centralized second-layer solutions that only exist because the first layer sucks.

Just kidding, it should only be p2p cash and it failed at that.

PoW/PoS will be replaced by FBA in the next years, and every system that cannot switch away from PoW will become irrelevant.

> Have you ever read the white paper that outlines what bitcoin aims to be?

... or even the title

> taproot, which recently locked in, reduces the space needed to represent complex contracts.

Complex contracts? Are you joking? What kind of complex contracts do you think can be done on BTC? Their scripting language and capabilities have been neutered just like their blocksize. Good luck writing a useful contract on BTC.

There was a demo of node software that is capable of 50,000 transactions per second just a few weeks ago. https://www.youtube.com/watch?v=i3As9-9uSXs

(Yes this is on the Bitcoin SV implementation of the Bitcoin protocol - where they're using the original protocol that Satoshi envisioned)

From what I understand, that's 50,000 pre-generated transactions pumped directly to the mining node. Not 50,000 transactions spread across hundreds of non-mining nodes and relayed to the mining node. There's a huge difference. Correct me if I'm wrong here.

Either way, bitcoin the protocol can handle waaaaaay more transactions than the BTC devs have constrained it to.

Yes, more-or-less, but that's how it is designed to work. The most reliable way to get a transaction into a block is to send it directly to a miner or set of miners. Apps on BSV do this today via MAPI REST endpoints, similar to how this test was configured. Non-mining nodes will see the transactions later, but they won't do the same verification that mining nodes require because they are not part of consensus. BSV generally sees the eventual network configuration as a small-world network for the mining core, and a mandala network for the apps and services surrounding it, rather than as a mesh network which most blockchain systems strive to be.

So-called heretics have been scaling Bitcoin in spite of BTC's braindead decisions. Last week, 50K TPS were demonstrated publicly on Bitcoin SV: https://www.youtube.com/watch?v=i3As9-9uSXs. More privately.

That's just a lab demo of a single system, not the network or even a common node configuration.

Years ago, there was a presentation [1] by Peter Rizun of Bitcoin Unlimited at Stanford that demonstrated ~100TPS on Bitcoin, and the potential for 1000+ TPS if certain bottlenecks were removed. People said the same thing you're saying back then, but it served to motivate the big block community, and now today BSV routinely does 300+ MB blocks (1000+ tps). This Teranode software is the future of BSV and will become the common node configuration within a few years, so it's worth taking seriously. Also, I left a comment in this thread explaining why this test is more representative than you may think [2].

[1] https://www.youtube.com/watch?v=5SJm2ep3X_M

[2] https://news.ycombinator.com/item?id=27597510

That's not the issue. Block size has to be limited to protect decentralization. Decentralization is the only thing that has value in blockchains, otherwise you're better off using centralized databases.

I'm aware of that argument. The counter-argument goes that at scale, larger blocks would bring in more businesses, more miners, and more competition, and that competition is what actually protects the chain from bad actors who might try to change the rules or censor transactions, not decentralization, and that decentralization is mostly a meme to pacify the masses from realizing who actually has power over the network.

Well, that's a good argument but it's wrong. Larger blocks make it harder to compete, because it's harder to run a full node. If everyone has to trust the datacenters that run full nodes, then it's game over for everyone else.

The protocol is protected by allowing everyone to run their own full node, to give every user and every entity the power to choose which version of the protocol they want to run. When the network is run by its users, the network evolves in a direction that is best for the users. When the network is run by a few large businesses, the network evolves in a direction that is best for them.

Bitcoin Core's layered approach is a much better solution than big blocks. The first layer protects the protocol itself, and "big blocks" are implemented on layers on top of that without compromising the core protocol.


There has been great progress in scaling the original protocol through the Bitcoin SV implementation:

  - Transaction fees are ~$0.0001
  - The network has shown capacity for 50k tps
  - On March 14, 2021, the network processed a world record 638 MB block
  - As of June 4, 2021 the chain size exceeded that of the BTC implementation and is currently 418.17 GB
  - New businesses based on micropayments have emerged, like twetch, streamanity, peergame, etc.
[1] https://www.prnewswire.com/news-releases/bsv-proves-that-bit...

> - The network has shown capacity for 50k tps

No, that was a lab demo of a single beefy system being directly fed with test data and being measured on how long it takes to process it.

Everyone knows faketoshi is a fraud.

For anyone interested in the saga, Stefan Matthews, who worked with Craig Wright in 2007 and 2008 before Bitcoin was released, gave a couple interviews this past week adding new flavor to the story [1] [2].

[1] https://www.youtube.com/watch?v=k3ACmnUwsZ4

[2] https://www.youtube.com/watch?v=R03ypV9CsTc

Above is proof that the original bitcoin protocol can scale, and recently testnet can do 90k tps. What you think of certain people doesn't change the fact.

It's centralized and run by the people around this fraud. It doesn't matter if the tech is good, since no one will use it for anything besides speculation or abuse it as storage, which just won't be sustainable in the long run with no limits in place.

The protocol remains the original and it scales significantly. I'd focus on protocol not people. If people changed the protocol then it's no longer bitcoin.

Twetch.app has more than 50k users. It's also a genuine use case. So is etched.page or the other above-mentioned services.

How can you abuse storage if there is a 0.5 satoshis/byte fee to write data on chain currently? Miners are for-profit entities and will always charge for storage.

> I'd focus on protocol not people.

The protocol encompasses the nodes on the network. If the network is highly centralized the protocol is unsafe.

A scalable bitcoin ends up in a dozen data centers. The cost to set up such data centers is a few hundred million plus tens of millions in yearly operations. Miners must secure their infrastructure uptime to remain profitable. There is huge risk and little reward for any such mining company to act dishonestly on new blocks or break antitrust laws. Also it is easier for governments to audit a few large publicly traded miners than auditing thousands of small and inefficient miners. The nature of the bitcoin protocol security is economic.

You completely ignore my points, so I will ignore yours.

Have a nice day

Which point specifically?

You claim centralized manipulation of bitcoin and fraudulent people while the protocol hasn't changed. Do you have legal evidence?

Also you claim price speculation as the only use case while I've listed several apps with real users.

You mention storage abuse and I argue that miner fees prevent that.

You can stop now, dear green name; we all can see you only joined to shill ButtcoinShitVison. No one here cares.

There has been great progress in scaling on just about every other cryptocurrency, including many flavours of bitcoin. BTC is the only coin that finds scaling too difficult.

It does not scale, at the expense of centralization.

A centralized cryptocoin is just MySql with extra steps.

In python 3.9 you don't need to implement extended euclidean and inv, you can just do `pow(x, -1, mod)`
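A worked comparison, added here and not part of the original article or of this comment: the extended Euclidean inverse that a from-scratch implementation writes out by hand, cross-checked against the built-in `pow(x, -1, m)` (available since Python 3.8) on the secp256k1 field prime and group order. The curve constants are the well-known secp256k1 parameters; the function names and the `ecdsa_s` helper, which only shows where the inverse appears in a textbook signer, are this example's own.

```python
# Added example: hand-written modular inverse vs. Python's pow(a, -1, m).
# secp256k1 field prime and group order (well-known constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def modinv(a, m):
    """Inverse of a mod m by extended Euclid. Raises ValueError when
    gcd(a, m) != 1, the same condition under which pow(a, -1, m) raises."""
    g, x, _ = extended_gcd(a % m, m)
    if g != 1:
        raise ValueError("%d has no inverse modulo %d" % (a, m))
    return x % m


def modinv_builtin(a, m):
    """The one-liner available since Python 3.8."""
    return pow(a, -1, m)


def cross_check(values, m):
    """True if both implementations agree and each result really inverts a mod m."""
    for a in values:
        by_hand, builtin = modinv(a, m), modinv_builtin(a, m)
        if by_hand != builtin or (a * by_hand) % m != 1:
            return False
    return True


def ecdsa_s(k, z, r, sk, n=N):
    """Where the inverse shows up in a from-scratch signer (this example's own
    helper): the ECDSA s value is k^-1 * (z + r*sk) mod n."""
    return modinv(k, n) * (z + r * sk) % n
```

`cross_check` is the sanity test to run whenever you replace a hand-rolled inverse with the built-in: both must agree on every input and the product must reduce to 1, and both must reject non-invertible inputs the same way.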

Kind of surprised Andrej has time to work on anything besides self-driving cars

https://twitter.com/karpathy/status/1407378320551923718 :) But more seriously, I just really love learning and worked on this on the side, in small increments in between the cracks, and purely from interest for fun.

It's awesome to see you doing this, and taking the time to respond here! Ditto for your (re)implementation of transformers a while back, which you clearly worked on for fun as a side project too. The world would be such a better place if every executive in charge of technology at a large company engaged in these kinds of side projects for fun on a regular basis :-)

If I may, let me ask you an unrelated question that just 'popped in my head' only now but is related to your recent presentation at CVPR: Are you guys at Tesla fusing video with audio data for self-driving?

Just curious. I ask because (a) sound waves at frequencies detectable by the human ear appear to be quite important for both routine and edge-case situations (e.g., sounds of other vehicles braking/screeching/accelerating/passing, sirens of ambulances/police cars/fire trucks, bursts of honks from other vehicles, people suddenly shouting/screaming nearby), and (b) audio and video signals are already synchronized, so I imagine fusing them should be more straightforward (e.g., there's already some research out there on applying deep learning to video clips with audio).

Would you be open to doing an AMA on here? I'm sure a lot of software people would love to hear more of your thoughts on software and stuff!

How many hours a day do you work? And what does your daily schedule look like?

I count myself very fortunate that I find the word "work" very confusing.

I know what you mean but I still think that there’s a number you can give. Like this counts as work.

What does your average daily schedule look like?

I'm interested in this too Karpathy, would love to know. Not sure why you're being down voted Adam.

Related... his recent presentation at CVPR is quite interesting: https://www.youtube.com/watch?v=eOL_rCK59ZI&t=28286s

Nobody can work 100% of the time, everyone needs breaks. But some engineers take breaks from their regular work by doing other "work". I find it bizarre that there are so many comments making this out to be some kind of dire situation where he's working on other things because Tesla is sinking or something. Is working on hobby projects as a way to relax really that uncommon?

For reference, I started a small Bitcoin mining hardware business back in the day, while still holding a 200/hr week/8 days a week/400 days a year full-time job. Working on Bitcoin stuff was my "break" from regular work.

His boss has a passing interest…

Maybe he is losing faith in self driving cars and is looking for an alternate field.

Diversification of interests accelerates creativity due to axiomatic discovery and reinforcement, idea plasticity and abstraction practice. Other interests are not just important, they are necessary.

Right. All really smart people 'play'. Famously, Feynman was spinning plates in the Caltech cafeteria on his fingertip, which gave him the ideas that ended up winning him a Nobel prize.

Play is important for children of all ages.

Surely You're Joking is one of my all time favorite books, for sure.

It's maybe an ... interesting sign that someone with substantial liquidity from tesla shares at this point in history is apparently finding cryptocurrency an enjoyable diversion/investment vehicle?

I was thinking the same thing.

Haven't seen tesla do much self driving in practice yet. 3 years late now?

No, same timeline they state every year - FSD by the end of the year.

Sometimes I actually find more energy for working on an endless slog at work when I have an exciting side project going. Easy to get caught up in the side project, however.

> We don’t just get to share code, we get to share a running computer, and anyone anywhere can use it in an open and permissionless manner

Can someone explain what this means? Its not explained anywhere in the post.

Bitcoin transactions, or more precisely transaction outputs, are little scripts that are executed in a VM. To spend a transaction output, you have to "solve it" by providing it an input which makes it return true. The most common transaction script checks that you possess a private key through a signature check, but it's possible to make more complex scripts like the "Pay To Multisig" script. Of course, Bitcoin scripts are quite limited and, unlike Ethereum smart contracts, they are non-Turing-complete and can't store state.

Permissionless just means anyone can create transactions because there's essentially no way to block someone from doing so, unlike say a transaction on PayPal.

You can think of the Bitcoin block chain as the state of a globally-accessible machine. The state is updated through the publication of valid blocks, each of which builds on a previous block. A block is composed of transactions, each of which incrementally advances the machine's state. Each transaction contains a small program "script" that defines the conditions for the state transition it causes.

There's this persistent misconception out there that only Ethereum works this way. It's a testament to marketing. Bitcoin has been doing "smart contracts" long before Ethereum was even a gleam in Vitalik's eye.
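To make the "little scripts executed in a VM" from the two replies above concrete, here is an added example (not code from the original post, from Bitcoin Core, or from either commenter): a toy stack machine that runs an unlocking script followed by a P2PKH-style locking script, with a from-scratch secp256k1 ECDSA check behind OP_CHECKSIG. Everything outside the curve constants is a constructed simplification: signatures and public keys are raw 64-byte pairs rather than DER/SEC, the message hash is a plain SHA-256 of a constructed byte string rather than Bitcoin's sighash, and `hash160` is truncated double SHA-256 because hashlib does not always ship RIPEMD-160. It also shows the point made further down this thread about quantum attacks: the locking script commits only to a hash of the public key, and the key itself first appears in the unlocking script when the output is spent.

```python
# Added example: toy Bitcoin-Script evaluator with a from-scratch ECDSA check.
import hashlib
import secrets

# secp256k1 constants (well known): field prime P, group order N, generator G.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mult(k, point):
    """Double-and-add. Not constant-time: demo only, never for real keys."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, point)
        point = point_add(point, point)
        k >>= 1
    return acc

def keygen():
    """Secret scalar from the secrets module (the random module is not suitable)."""
    sk = 1 + secrets.randbelow(N - 1)
    return sk, scalar_mult(sk, G)

def sign(sk, z):
    """Textbook ECDSA on integer hash z with a fresh random nonce k."""
    while True:
        k = 1 + secrets.randbelow(N - 1)
        r = scalar_mult(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * sk) % N
        if r and s:
            return r, s

def verify(pk, z, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pk))
    return pt is not None and pt[0] % N == r

def msg_hash(msg):
    """Stand-in for Bitcoin's sighash (constructed): SHA-256 reduced mod N."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def hash160(data):
    """Bitcoin uses RIPEMD160(SHA256(x)); this toy truncates double SHA-256
    to 20 bytes because hashlib does not always provide ripemd160."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:20]

def encode_pair(a, b):
    return a.to_bytes(32, "big") + b.to_bytes(32, "big")
def decode_pair(raw):
    return int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big")

def run_script(unlocking, locking, z):
    """Run unlocking then locking tokens on one stack (bytes push, str = opcode).
    The spend is valid only if execution ends with a truthy item on top."""
    stack = []
    for tok in unlocking + locking:
        if isinstance(tok, bytes):
            stack.append(tok)
        elif tok == "OP_DUP":
            stack.append(stack[-1])
        elif tok == "OP_HASH160":
            stack.append(hash160(stack.pop()))
        elif tok == "OP_EQUALVERIFY":
            if stack.pop() != stack.pop():
                return False
        elif tok == "OP_CHECKSIG":                # pubkey on top, signature below
            pk, sig = decode_pair(stack.pop()), decode_pair(stack.pop())
            stack.append(b"\x01" if verify(pk, z, sig) else b"")
        else:
            return False                          # unknown opcode: script fails
    return bool(stack) and stack[-1] != b""

def spend_attempt(case="honest"):
    """Lock an output to HASH160(owner pubkey), then try to spend it three ways."""
    owner_sk, owner_pk = keygen()
    locking = ["OP_DUP", "OP_HASH160", hash160(encode_pair(*owner_pk)),
               "OP_EQUALVERIFY", "OP_CHECKSIG"]
    z = msg_hash(b"constructed spending tx")
    sk, pk = keygen() if case == "wrong_key" else (owner_sk, owner_pk)
    r, s = sign(sk, z)
    if case == "tampered":                        # tx bytes changed after signing
        z = msg_hash(b"constructed spending tx, outputs changed")
    unlocking = [encode_pair(r, s), encode_pair(*pk)]  # pubkey first revealed here
    return run_script(unlocking, locking, z)
```

`spend_attempt("honest")` returns True; `"tampered"` (transaction bytes changed after signing) and `"wrong_key"` (an attacker's own key, which fails at OP_EQUALVERIFY before OP_CHECKSIG is even reached) return False. The scalar multiplication is not constant-time and the nonce handling is textbook, so this is for reading, not for holding funds.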

Bitcoin's script language is very restricted; claiming that Bitcoin has been doing "smart contracts" is disingenuous to me. I wouldn't call a bitcoin script "smart". Ethereum was born because of this.

Script is restricted, but it permits everything outlined by Nick Szabo's definition. As Wikipedia notes:

> Smart contracts were first proposed in the early 1990s by Nick Szabo, who coined the term, using it to refer to "a set of promises, specified in digital form, including protocols within which the parties perform on these promises".


We don't get to decide what smart contracts are. Nick Szabo decided long ago.

Marketing vs reality has been a big problem in this space.

He links committing transactions to the blockchain to storing state in a distributed data structure... which is of course, in the case of Bitcoin, implemented in arguably the most wasteful, ham-fisted, environmentally disastrous way possible.

There's also the ethereum VM which is a slow decentralized state machine capable of executing code...

Check yourself. All progress was 'wasteful' with resources at one time. And yes, bitcoin is progress.

All progress was 'wasteful' at some point, but all 'progress' is wasteful. And yes, bitcoin is 'progress'.

I suppose Bitcoin is better than gold. Unfortunately, for BTC, we already have much more advanced financial technology.

Permissioned legacy technology is not advanced. The stronger, harder money wins. Good luck with your guess.

I am specifically thinking of fiat money, based on borrowing and fractional reserve banking. This has addressed many historical problems with fixed money/value supply that Bitcoin would have if it ever caught on.

Presumably a reference to blockchain as a distributed ledger.

He is probably referring to Ethereum, which was conceived as a "global computer", operating in an open and permissionless manner.

Ethereum extends the concept, but Bitcoin transactions are programs running on the global blockchain (well, the op codes are executed by a single node, but the result is published and verified by the network, if I understand it right)

But just wanted to make the point that Bitcoin is a global computer as much as ethereum is, Solidity is just Turing complete while (Bitcoin’s) Script is intentionally limited to a few instructions.

Bitcoin is surprisingly easy, I'm currently working on a similar thing, but in Pharo/Smalltalk (I took it up as a project to learn Pharo). It's been pretty nice so far.

I wonder how strong would Elliptic Curve Cryptography be compared to other methods if there is a major breakthrough in quantum computing.

Shor's algorithm, which runs partially on a classical computer and a portion on a quantum computer, breaks elliptic-curve cryptography.

Yes, with major caveats - knowing the public key and having 100s of messages signed by the corresponding private key. Nowadays people only expose their public key one time per transaction, and never reuse their address. So to steal coins, not only do you have only ~10 mins between blocks to find the private key, currently Shor's algorithm is unfeasible with only 1 signed message.

Sorry if that's a naive question but why do you need several signed messages? If you have a quantum computer and a quantum period finding function don't you get immediately the discrete log? Assuming you have one public key (not hashed) doesn't that give you the private key immediately?

Broadly speaking, more signed messages can get you more points on the curve you're trying to guess.


May help if you're actually interested.

Edit: More signed transactions help with the classical and not the quantum part of Shor.

Edit2: Shor has not yet even been able to factor the integer 35 with current quantum hardware, too much interference.

Not only do many people still reuse keys, but there is also still a huge amount of bitcoin in P2PK outputs, i.e. with exposed public keys.

Shor's integer factorization algorithm needs a single number or key to factor, not hundreds of transactions. I've certainly sent money to old addresses, which exist in perpetuity on the blockchain. I can also use web searches to find hundreds of current public keys in a matter of minutes.

> currently Shor's algorithm is unfeasible with only 1 signed message.

The algorithm is currently unfeasible with 100s of messages. Shor's algorithm uses a quantum computer to reduce the complexity of integer factorization from sub-exponential to polynomial-time. It is not an attack that fine-tunes the output according to the amount of network traffic.

Try actually reading its application to elliptic curve cryptography. No really. Come back when all the bitcoin are belong to you.

I wish this were talked about more. Quantum computing is the biggest long-term threat to crypto imo. What's the plan once elliptic curve cryptography can be broken?

There will be a point in time where there are just a few quantum computers that can break everything before the general public has access to quantum computing. Can crypto work in that scenario? Normal computers wouldn't be able to work with the beastly algorithms a quantum computer could handle.

The first entities that are likely to achieve practical quantum computers will either be governments or big tech companies like Google. And it will be a big deal, so there would likely be several years of warning before it could be at the point where it would make sense to use it to steal someone's bitcoins (I guess the original Satoshi coin address would be the biggest bounty). And in the time period between when the big development is first announced and before it's practical, Bitcoin and other cryptocurrency projects can do a fork to a new digital signature scheme that is quantum proof (such as LegRoast) so that anyone who is concerned can move their coins to a new secure address. So while it would certainly be disruptive, it wouldn't necessarily spell the doom of Bitcoin.

Depends on the incentives. If the only interest in quantum computing is to break classically hard encryption then I think the time between poc and widespread availability could be relatively short.

> What's the plan once elliptic curve cryptography can be broken?

A likely drop-in replacement for elliptic curve cryptography (ECC) currently used by Bitcoin could be


I am not a mathematician, but from what I understood, it's basically an extension of ECC using multiple elliptic curves, allows reuse of the Diffie–Hellman key exchange protocol (private keys kept secret, public keys exchanged), and the memory requirements are small. So it would be a perfect replacement in wallets and validation nodes. But I cannot explain why it is safe against an attack using quantum computers.

Just don't re-use addresses. Bitcoin does not expose your public key until you spend from it.

If the QC can crack your private key within a few minutes, it would still have a decent chance to steal your money.

> Bitcoin does not expose your public key until you spend from it.

Are you sure, what about when someone sends to it?

They're correct. The blockchain just records that the funds were sent to your address. To spend the funds you have to show the public key which hashes to that address, in another transaction signed by the private key.

If the sender wanted to send you a private message, they would need your public key, but that's not what transactions do.

Fair enough, thank you.

Sending to an address means sending it to a "hash" of a public key (or a more complex script) on all modern formats. Then such script and data is revealed on spend.

While not implemented, I think there are "lattice based" forms of cryptography that are believed to be QC resistant that blockchains could migrate over to if QCs begin to show signs of increased fault tolerance and size.

We already have a solution (https://en.wikipedia.org/wiki/Lamport_signature) but there’s no reason to deploy it yet since it reduces scalability.
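An added example of the Lamport scheme linked above (written for this page, not taken from the article or the comment): a one-time signature over SHA-256. It shows the two things the comment alludes to. Security rests only on preimage resistance of the hash, which Shor's algorithm does not touch, and the cost is size: a public key is 256 pairs of 32-byte hashes (16 KiB) and a signature is 256 secrets (8 KiB), against roughly 64 to 72 bytes for an ECDSA signature. The `exposed_secrets` and `forge` helpers are this example's own and exist to show why the key is strictly one-time: two signatures with the same key reveal both halves of roughly half the pairs.

```python
# Added example: Lamport one-time signatures over SHA-256, plus a demonstration
# of what leaks when a key signs twice.
import hashlib
import secrets


def H(data):
    return hashlib.sha256(data).digest()


def digest_bits(msg):
    """The 256 bits of SHA-256(msg), most significant bit first."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def keygen():
    """256 pairs of random 32-byte secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk, msg):
    """For each digest bit, reveal the secret from the matching half of the pair."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]


def verify(pk, msg, sig):
    """Each revealed secret must hash to the published half selected by the bit."""
    if len(sig) != 256:
        return False
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(digest_bits(msg)))


def sizes():
    """Bytes on the wire: the reason the comment says it hurts scalability."""
    return {"public_key": 256 * 2 * 32, "signature": 256 * 32}


def exposed_secrets(pk, signed):
    """Collect every secret that a list of (msg, sig) pairs reveals for this key,
    as {position: {bit: secret}}. Only secrets that check against pk are kept."""
    known = {}
    for msg, sig in signed:
        for i, bit in enumerate(digest_bits(msg)):
            if H(sig[i]) == pk[i][bit]:
                known.setdefault(i, {})[bit] = sig[i]
    return known


def fully_exposed_count(known):
    """Positions where BOTH secrets are public: a forger may pick either bit there."""
    return sum(1 for halves in known.values() if len(halves) == 2)


def forge(pk, known, target):
    """Sign target without the key if every secret it needs has already leaked."""
    bits = digest_bits(target)
    if all(bit in known.get(i, {}) for i, bit in enumerate(bits)):
        return [known[i][bit] for i, bit in enumerate(bits)]
    return None
```

After one signature nothing is fully exposed; after a second signature on a different message about half the positions are, and every additional signature shrinks the set of digests the attacker cannot forge. Real deployments therefore wrap one-time keys in a Merkle tree (XMSS, SPHINCS-style constructions) so that a single public key can be used many times while each leaf signs once.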

The problem with "yet", in security, is that by the time you realize that "yet" is here, it's already too late.

> I wish this were talked about more.

This is talked about all the time in Bitcoin dev circles.

There's a lot of research and practical work on quantum-proof cryptography which is already in use in some cryptocurrencies - 'just' need to hardfork and update it when it's ready for Bitcoin

No need for a hard fork. A soft fork like Taproot is doing this year would be sufficient.

What cryptocurrencies are currently using post-quantum cryptography?

Only one I'm aware of is QRL ("quantum-resistant ledger").


In theory, it is also broken.

In practice, it appears to be slightly harder to break than RSA for the same security level as we define it in non-quantum computing, but not by much.

Andrej is an excellent teacher. I got into ML because of his blogs and Stanford's CS231n course (which he also started).

  # secret_key = random.randrange(1, bitcoin_gen.n) # this is how you _would_ do it
I know the article is mainly for learning purposes but someone should point out that the `random` module in python is not meant for cryptography. Please use the built-in `secrets` module or `os.urandom` instead.

Taking this opportunity to promote my side project codeamigo and a tutorial I wrote for building your own Bitcoin wallet https://codeamigo.dev/lessons/start/53
