So the ledger contains a record of all Bitcoin transactions. So it's a memory system, and in fact this equivalence between money and memory was proposed by the macro-economist Narayana Kocherlakota back in 1998. And his point is that money and memory are the same. If you had perfect memory, you could implement any system that you could implement with money. So, along with the digital signature, the accurate ledger is required for the existence of property rights in Bitcoin. Now, credit card companies, banks, and other intermediaries essentially are ledgers. And they enforce the accuracy of the ledger and hence enable property rights. And it's in their interest to enforce the accuracy of the ledger, but Bitcoin is decentralized. So who is the keeper of this collective memory, and who ensures that it is accurate? So in his Bitcoin whitepaper, Satoshi Nakamoto realizes the problem with previous decentralized ledgers and proposes a solution. In previous attempts to decentralize, creators focused on making it impossible to tamper with the ledger. Now this is really hard because the ledger is decentralized, it's on everybody's computer. So how are you going to make it tamper proof? What Satoshi realized is that it was sufficient to have incentives not to tamper with the ledger. And it was potentially much easier to create incentives not the tamper than to forbid tampering per se. And I think this is a nice example of how from the very beginning Bitcoin combined computer science with economic reasoning. So how to dis-incentivize participants from tampering with the ledger? Well, the answer is, we make it easy to detect that the ledger had been tampered with. And thus any dishonest participant would be dissuaded from even trying. So, not only would any attempt be detected, there would actually be no attempts. Of course, we wouldn't want to get complacent. The absence of attempts would not mean that the detection system was unnecessary. So tampering with the ledger in Bitcoin is what in economics we call a, quote, off the equilibrium path. Nobody's going to do it, but we still need to design incentives, so that it remains off the equilibrium, as in not equilibrium behavior. So let's consider an example of how we make it observable that the ledger has been tampered with. So I'm going to write down a very simple ledger, so let's say Maria creates a simple coin, we'll call it MariaCoin. And Maria is just going to have this one coin and she's going to use it for her friends. We aren't going to discuss why this would be useful at the moment, let's just assume it exists. So Maria creates MariaCoin. Then Maria sells MariaCoin to Sophie, presumably Sophie gives Maria some money, dollars perhaps, in exchange. Then Sophie turns around and sells the MariaCoin to Geoff. So from this description, it is clear that, at the end, Geoff is the rightful owner of the MariaCoin. But here's the problem, what if Bob, say, were to come in and attempt to change the second stage? What if that second item were, say, erased and rewritten to read that Maria sells MariaCoin to Bob, not Sophie? So that would invalidate Sophie's ownership and Geoff's ownership, because Sophie had no right to sell it to Geoff. So we do not want this to happen, so not only do we need to detect tampering at the last stage, but at the intermediate stages as well. So here's the solution, we make the ledger recursive. So Maria creates a single MariaCoin, the second stage, Mario sells the MariaCoin to Sophie. Now what I've done here is I've upended the initials of the previous transactions, transaction MCSM. So think of that as kind of a digest of the previous transaction. Now the third stage is Sophie sells the MariaCoin to Geoff. So what I do now is I not only have the digest from the previous stage, but the first digest as well. So MSMS is Maria sells the MariaCoin to Sophie, and then you also have within that digest, MCSM, Maria creates a single MariaCoin. And then finally we digest the whole thing, we have SSMG, so if he sells the MariaCoin to Geoff. And then the other previous two entries are also embedded in that last digest. So to summarize, alongside each entry, I have put a digest, a kind of shorthand to the previous entry. In creating this shorthand, I followed a simple algorithm, I used the first letter of each of the words. Now in principle, we could use this to detect tampering, right? Because what we could do is we could check if the initials match the words in the previous step. So let's just see an example of how this would work. Let's say Bob were to tamper with the second item on the ledger. Instead of reading, Maria sells the MariaCoin to Sophie, he tampers with it to read, Maria sells the MariaCoin to Bob. Well, at that point, the digest would not match, MSMS at the next stage would not be the right initials. So you could detect the tampering by comparing the second stage with the digest that appears at the second and the third stage. Now of course, if Bob were really determined, he could tamper with a digest that appears in the third stage. He could tamper both with item two, having it read, Maria sells the MariaCoin to Bob. And he could then take MSMS and change it to the appropriate initials. However, then the overall digest would not match the stage three message. So in order to truly tamper with the ledger in a way that could not be detected, Bob would have to first tamper with the entry at stage two. Then the digest at stage three, then digest of the digest at stage four. Now in this example, this digest technique is pretty easy to work around. All Bob would have to do would be to find a friend whose name begins with an S. And he could then tamper with it and give the money to his friend, but this really is the idea that Bitcoin uses. But there's a crucial difference, the digest that I've created here is created using cryptography, not, say, just the first initial of the names. And what that means is it's virtually impossible to change the transaction in such a way that it still matches the digest. So to summarize, along with the digital signature, a tamper-proof ledger is a key feature of Bitcoin that enforces property rights. Now, how do you make a ledger tamper-proof when it is distributed? Answer, you make sure any attempts will be discovered. So how do you do that? By making the ledger recursive, every entry contains a little copy of the previous entry.
