The Complete Work
- Volume I: Mathematical Foundations — complete · proved
- Volume II: Protocol Architecture — complete · verifiable protocol fact
- Volume III: Scaling and Verification — complete · verifiable protocol fact
- Volume IV: Forks and Futures — the contested present, positions attributed
- Volume V: The Path to a Sustainable Future — disciplined speculation, labeled as such
Preface
This is a mathematics textbook about Bitcoin, written in the classical idiom of numbered definitions, theorems, proofs, and exercises. Across forty chapters and four appendices it contains 355 definitions, nearly one hundred theorems and propositions, and 171 exercises. Every result is proved before it is used, from the group axioms through secp256k1, ECDSA, and Schnorr, to SPV, compact filters, Lightning, Taproot, covenants, and the consensus cleanup.
We assume no prior knowledge of cryptography or of Bitcoin. We do assume mathematical maturity: comfort reading a proof, checking a computation, and holding a definition to its exact wording. A patient reader with school algebra can build that comfort here; Volume I was written for exactly that purpose. But the proofs are the book, not an ornament to it.
This is not an engineering manual, and it contains no code: for building software, Antonopoulos's Mastering Bitcoin and Song's Programming Bitcoin are the standard references and natural complements. Nor is it a beginner's explainer. Its nearest relative is Narayanan et al.'s Bitcoin and Cryptocurrency Technologies (Princeton, 2016), from which it differs in being current, Bitcoin-only, and written theorem-first. Each concept builds on those before it, forming a complete chain of understanding: the reader who works through these volumes can verify, from first principles, every cryptographic claim made about Bitcoin.
A Note on Epistemic Status
Not everything in this book is true in the same way, and the reader deserves to know which kind of truth each part offers. Volume I is mathematics: its theorems are proved and will be true in a century. Volumes II and III are verifiable protocol fact—every claim can be checked against running code and the cited specifications, and changes only when the protocol does. Volume IV surveys the contested present: fork histories whose narratives are still argued, proposals whose statuses drift, governance questions that are contested by construction. There the book reports positions, attributes them to their holders, and dates every perishable claim. Volume V is disciplined speculation—economic models with stated assumptions and scenarios labeled as scenarios, kept in remarks and never dressed as theorems. (In those later volumes, definition boxes fix terminology rather than ground proofs.)
The gradient is the design. The first three volumes give you the tools; the last two show you the open questions those tools illuminate—and by the time you reach them, you will not need this book to tell you what to think.
How to Read This Book
The chapters are ordered so that everything is proved before it is used: that is what "elementary" means here—self-contained, not simple. But the book does not have to be read front to back, and most of the later volumes stand on a small set of prerequisites. Four paths:
The full course. Chapters 1–40 in order. Volume I is the investment; everything after it is payoff, with no claim left unproved.
Bitcoin first. Start at Chapter 9 (keys and addresses) and read through Chapter 16, taking the cryptography of Volume I on faith—the forward references will tell you exactly which proofs you deferred. Return to Chapters 1–8 when you want to own them.
Verification and scaling. Chapters 12–13 (Merkle trees and blocks), then Volume III (Chapters 17–25). This is the path for evaluating SPV, light clients, and layer-2 claims—and the debates of Chapter 25 are its destination.
The debates and the future. Chapters 25–27 (myths and fork history), 33 (governance), and 38–40 (security budget, quantum, monetary future) are largely self-contained prose and can be read first by anyone who wants to know what the arguments are about before studying the machinery beneath them.
Wherever you start, Appendix A (notation), Appendix C (subject index), and Appendix D (the rule catalog) are designed for random access.
Contents
Part I · Algebraic Foundations
Sets and binary operations · Group axioms · Abelian and cyclic groups · Generators and order · The discrete logarithm problem
Clock arithmetic · Prime fields · The extended Euclidean algorithm · Fermat's little theorem · Multiplicative inverses
Part II · Elliptic Curves
The Weierstrass equation · Geometric point addition · The chord-tangent method · Point doubling · The point at infinity
Discrete curves · The group law in 𝔽ₚ · Order and cofactor · Hasse's theorem · The elliptic curve discrete logarithm problem
Bitcoin's elliptic curve · The curve parameters · The generator point G · Scalar multiplication · Why secp256k1?
Part III · Cryptographic Protocols
Cryptographic hash functions · SHA-256 internals · RIPEMD-160 · Double hashing · Tagged hashes · The random oracle model
The signing equation · Key generation · Signature creation · Verification · The nonce k and its dangers · Signature malleability
The Schnorr identification protocol · BIP-340 signatures · Batch verification · Key aggregation · MuSig and MuSig2
Volume II · Protocol Architecture
Part IV · Keys and Transactions
Private keys · Public key derivation · Address formats · Base58Check · Bech32 and Bech32m · WIF encoding
The UTXO model · Transaction structure · Inputs and outputs · Segregated Witness · Sighash types · Transaction fees
Stack-based execution · Opcodes · Standard templates · Time locks · OP_RETURN · Tapscript
Part V · Blocks and Mining
Binary hash trees · Computing the Merkle root · Merkle proofs · SPV foundations · Witness commitment
Block structure · The 80-byte header · Block weight · Validation rules · The genesis block · Chain structure
Hash puzzles · Difficulty and target · The difficulty adjustment algorithm · Mining economics · Security analysis
Part VI · Consensus and Upgrades
The monetary theorems: supply cap, final subsidy, inflation schedule · Timing parameters · Block, timestamp, and script limits · Coinbase maturity · Parameter immutability
Policy vs consensus · Hard forks vs soft forks · Activation mechanisms (BIP-9, BIP-8) · Major soft forks · Future upgrade paths
Volume III · Scaling and Verification
Part VII · Light Clients and SPV
Whitepaper Section 8 · The SPV data model · What SPV proves · Security assumptions · Fraud proofs · The gap between theory and implementation
Bloom filter mathematics · BIP-37 protocol · The privacy catastrophe · DoS vulnerabilities · Why Bloom filters failed
Golomb-Rice coding · GCS construction · Filter header chains · Privacy-preserving light clients · Neutrino
The validation spectrum · Trust models of wallet backends · Validation capability classes · Fraud proofs · The data availability problem
Part VIII · Node Optimization and Validation
Initial Block Download · AssumeValid · AssumeUTXO · Pruning · Utreexo · Trade-offs and recommendations
Single-use seals · Pay-to-contract · RGB protocol · Taproot Assets · Scalability and privacy analysis
Part IX · Payment Channels and Lightning
Unidirectional channels · The bidirectional channel problem · LN-Penalty · Revocation mechanisms · HTLCs · Watchtowers
Multi-hop payments · Onion routing · BOLT specifications · Invoices and offers · Pathfinding · Network topology
Part X · Analysis and Perspective
Claims about SPV · Scaling claims · Cryptographic concerns · Consensus claims · Economic claims · A procedure for evaluating claims
Volume IV · Forks and Futures
Part XI · Fork Theory and History
Chain divergence mathematics · Soft vs hard forks · Game theory of adoption · Replay protection · Fork choice rules
Block size debate · Bitcoin Cash · Bitcoin SV · Bitcoin Gold · SegWit2x · Lessons and patterns
Part XII · Soft Forks in Practice: SegWit and Taproot
Transaction malleability · Witness structure · Block weight · BIP-143 sighash · The soft fork mechanism
BIP-340 Schnorr · Key tweaking · Script trees (MAST) · Tapscript · MuSig2 · Adaptor signatures
Part XIII · Proposed Upgrades
CTV (BIP-119) · OP_CAT · OP_VAULT · SIGHASH_ANYPREVOUT · TXHASH · Recursive covenants · Use cases and concerns
Two-way pegs · Federated sidechains · Liquid Network · RSK · SPV and validity proofs · Stacks · The drivechain episode
Ark protocol · Statechains · Channel factories · LN-Symmetry (Eltoo) · Comparison of L2 approaches
Part XIV · Governance and Philosophy
Stakeholder groups · BIP process · Social consensus formation · Soft fork activation · Bitcoin Core's role · The specification problem
Part XV · Synthesis: Verification at Scale
Verification cost as the binding constraint · Why the web scaled (REST) · The BitTorrent precedent · The activation game · The trust-drift ladder · Hyperbitcoinization as a conditional
Volume V · The Path to a Sustainable Future
Part XVI · Long-Term Security
Timewarp attack · 64-byte transaction vulnerability · Merkle tree CVE · Legacy validation costs · Proposed fixes
51% attacks · Double-spend analysis · Chain reorganizations · Selfish mining · Eclipse attacks · Network-level vulnerabilities
Trust accounting for Bitcoin's defenses · Checkpoints · Minimum chain work · AssumeValid · Eclipse mitigations · The 2013 coordinated response
Subsidy decline · Fee market dynamics · Economic models · Game theory · Proposed solutions · Timeline analysis
Shor's algorithm · Grover's algorithm · Post-quantum cryptography · NIST standards · Migration strategies · Timeline estimates
Part XVII · The Road Ahead
Adoption stages · Nation-state game theory · Future scenarios · Hyperbitcoinization · Economic implications · The money of the future
Appendices
Symbols and conventions by topic · The secp256k1 constants · Overloaded-symbol disambiguation · House conventions
Bibliography · Standards · Bitcoin Improvement Proposals · Lightning BOLTs · Security advisories
Alphabetical index of nearly 300 concepts, each linked to its defining section
The validation pipeline as a rule catalog · Phase-by-phase requirements · Activation heights · Height-gated script flags
About This Project
Elementary Bitcoin is written by Melvin Carvalho and maintained as a community project: the source is public, the text is licensed CC BY-SA 4.0, and corrections and contributions flow through GitHub. This edition is dated June 2026; Volume IV dates every perishable claim in place. The numerical examples have been verified computationally (curve points recomputed, signatures checked, probability tables re-derived), and all of the book's figures have been rendered and inspected.
Some subjects are deliberately out of scope: custody operations, exchange engineering, price models, and implementation internals. Others are planned, and contributions toward them are especially welcome: mempool and fee policy, wallet mathematics (BIP-32, descriptors, miniscript), mining pool economics, on-chain privacy, and the peer-to-peer network layer.
The claims of this book are checkable at every level: proofs can be re-derived, protocol facts checked against running code and the cited BIPs, attributed positions verified against their sources. An error found at any level is a contribution. So is disagreement with the analysis.