FundScout Editorial

Bitcoin Was Supposed to Be Anonymous Cash. Monero Actually Is. Here's the Math Behind Both.

Bitcoin is a transparent public ledger. Monero is actually private. The difference is cryptographic. So is the reason your wallet address is safe even though anyone can try to guess it.


In October 2008, Satoshi Nakamoto published a nine-page whitepaper describing a "peer-to-peer electronic cash system." The key word was cash. Cash is fungible — one dollar bill is indistinguishable from another. Cash leaves no permanent trail. Cash doesn't require a trusted intermediary. Cash allows transactions between parties who have never met without either one knowing more than they need to.

Bitcoin, as deployed, is none of those things.

Every Bitcoin transaction ever made is permanently, publicly, and immutably recorded on a ledger that anyone in the world can read. Entire companies (Chainalysis, Elliptic, CipherTrace) exist to analyze that ledger and work out who sent what to whom. Blockchain tracing helped the FBI tie Silk Road's proceeds to its founder, and the Department of Justice has recovered ransomware payments by following them across the chain.

Bitcoin is not anonymous cash. It is a pseudonymous public ledger. The difference matters enormously — and understanding it requires understanding the cryptography that makes cryptocurrency possible at all.


What a Wallet Address Actually Is

Start with what it means to "have" Bitcoin.

There is no digital coin sitting on a server somewhere with your name on it. There is a public ledger recording that a particular address controls a particular balance. Controlling that balance means possessing the private key for that address — the cryptographic secret that allows you to authorize a transaction moving funds out.

A Bitcoin private key is a random 256-bit number: an integer between 1 and n − 1, where n is the order of the secp256k1 group, roughly 1.16 × 10^77, a count comparable to the number of atoms in the observable universe (about 10^80). Your wallet software picks that number from a cryptographic random generator when you create a key, or derives it from a random seed phrase.

From the private key, the public key is derived by elliptic curve scalar multiplication on the secp256k1 curve (the same curve Ethereum uses): the public key is the private key times a fixed base point. The relationship is one-way. Going forward costs one scalar multiplication; going backward is the elliptic curve discrete logarithm problem, for which the best known attack on a 256-bit curve costs about 2^128 operations, far beyond any practical timeframe. This is the foundation of the whole system.

From the public key, a legacy Bitcoin address is derived by hashing: first SHA-256, then RIPEMD-160 (the pair is called HASH160), producing a 160-bit value. A version byte is prepended, a four-byte checksum (the first bytes of a double SHA-256) is appended, and the result is Base58Check-encoded into the familiar string starting with "1". The other prefixes are different encodings of related ideas: "3" addresses commit to the hash of a script rather than of a public key, and "bc1" addresses use the bech32 encoding, where "bc1q" wraps the same 160-bit HASH160 and "bc1p" (Taproot) carries a 256-bit tweaked public key instead.

The address is what you share publicly. The private key is what you guard absolutely.


The Part That Should Blow Your Mind

Here is what follows from the above: an address is just a number. Any 160-bit value is a valid address payload once it is wrapped in a version byte and checksum (the checksum is why a random string of characters is usually not a valid address, but the underlying number space is still the whole range). There are 2^160 possible HASH160 addresses, approximately 1.46 × 10^48, or 1.46 trillion trillion trillion trillion.

And here is what actually bends people's brains: the cryptographic security of Bitcoin does not depend on hiding addresses. It depends on the computational infeasibility of deriving a private key from a known address.

Knowing a wallet address doesn't help you steal the funds. You cannot reverse the hashing to recover the public key (SHA-256 and RIPEMD-160 are one-way functions). Once an address has spent, its public key is on-chain anyway, and then you cannot reverse the elliptic curve math to recover the private key from it either. The private key that controls a wallet can only be found by search: about 2^160 random keys, on average, to hit a particular hash-only address, or about 2^128 curve operations to solve the discrete logarithm once the public key is known. Both are out of reach.

Abstract visualization of Bitcoin private key space compared to atoms in the observable universe

What about collisions?

This is where it gets philosophically strange. Nothing in mathematics prevents two different private keys from controlling the same Bitcoin address; in fact the pigeonhole principle guarantees it. Address space is 2^160. Private key space is 2^256. On average, about 2^96 distinct private keys map to every address.

In practice, the probability that two specific randomly generated wallets share an address is about 1 in 2^160. By the birthday paradox, roughly 2^80 (about 10^24) addresses have to exist before any two of them collide with even odds; the exact threshold for 50% is about 1.4 × 10^24. To put 2^80 in context: if every person who has ever lived, roughly 100 billion people, had been generating a billion Bitcoin addresses per second since the Big Bang, they would collectively have produced about 10^37 addresses, and under that hypothetical collisions would be certain. Nobody is anywhere near it. The addresses that have ever appeared on Bitcoin's blockchain number on the order of a billion, some fifteen orders of magnitude short of the birthday threshold.

An attacker, moreover, does not get to wait for an accidental collision. They need a key whose address matches one that holds funds. If a hundred million addresses are funded, each random key hits one of them with probability 10^8 / 2^160, so about 10^40 keys would have to be tried before the first expected hit. That is the multi-target version of the same arithmetic, and it is just as hopeless. The mathematics permits collisions; the size of the space makes them irrelevant.

What it means: your wallet is safe not because collisions are impossible, but because the universe isn't old enough, fast enough, or large enough for anyone to search a space of 2^160 addresses, even a hundred million targets at a time.
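The same arithmetic as an added example (not from the article): the birthday bound, the attacker's multi-target version of it, and an empirical check on SHA-256 truncated to 24 bits, where the bound is small enough to reach in a fraction of a second. The figure of a hundred million funded addresses is an assumption for illustration, not a measured value.

```python
# Added example (not from the article): the birthday arithmetic behind address
# collisions, the attacker's multi-target version of it, and an empirical check
# on SHA-256 truncated to 24 bits, where the bound is small enough to reach.
import hashlib
import math
import secrets

ADDRESS_SPACE = 2**160     # HASH160 outputs
KEY_SPACE = 2**256         # private keys: about 2**96 of them per address, on average


def collision_probability(samples: int, space: int) -> float:
    """P(some pair collides) among `samples` uniform draws: 1 - exp(-n(n-1)/2N).
    The exponent is a ratio, so 2**160 never has to fit in a float on its own."""
    return -math.expm1(-samples * (samples - 1) / (2 * space))


def samples_for_probability(p: float, space: int) -> float:
    """Draws needed for collision probability p: n = sqrt(2 N ln(1/(1-p)))."""
    return math.sqrt(2 * space * math.log(1 / (1 - p)))


def expected_guesses(funded_addresses: int, space: int = ADDRESS_SPACE) -> float:
    """Brute force aimed at funded addresses: each random key hits one of them with
    probability funded/N, so the expected number of keys to try is N/funded."""
    return space / funded_addresses


def empirical_first_collision(bits: int, trials: int = 30) -> float:
    """Mean draws until SHA-256 truncated to `bits` (a multiple of 8) repeats.
    Theory: about sqrt(pi * 2**bits / 2), i.e. ~5100 draws at 24 bits."""
    total = 0
    for _ in range(trials):
        seen = set()
        while True:
            total += 1
            digest = hashlib.sha256(secrets.token_bytes(16)).digest()[: bits // 8]
            if digest in seen:
                break
            seen.add(digest)
    return total / trials


def summary(funded_addresses: int = 10**8) -> dict:
    """The numbers used in the text; the funded-address count is an assumption."""
    return {"p_collision_at_2^80": collision_probability(2**80, ADDRESS_SPACE),
            "draws_for_50pct": samples_for_probability(0.5, ADDRESS_SPACE),
            "p_collision_at_1e9_addresses": collision_probability(10**9, ADDRESS_SPACE),
            "keys_to_hit_a_funded_address": expected_guesses(funded_addresses)}
```

At 2^80 draws the collision probability is about 0.39, not 0.5; the even-odds point is the 1.42 × 10^24 that `samples_for_probability` returns. With a billion addresses the probability is below 10^-30. The 24-bit run lands near 5,100 draws, matching the square-root law, which is the whole reason the 160-bit figure can be trusted without anyone ever running it.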


Bitcoin's Privacy Problem

The early perception of Bitcoin as anonymous cash was wrong, but not entirely unfounded. Bitcoin addresses are pseudonymous — they don't inherently reveal who controls them. A fresh address, used once, and funded from a source that can't be tied to your identity, is reasonably private.

But Bitcoin's blockchain records every transaction permanently and publicly. Every address that has ever sent or received Bitcoin is visible on-chain, along with the amounts and timestamps of every transaction involving it. This creates a transaction graph — a network map of who paid whom how much and when.

Transaction graph analysis can de-anonymize Bitcoin transactions in ways that aren't intuitive. Common patterns betray users. The common-input-ownership heuristic: every input of a transaction had to be signed, so analysts assume all of a transaction's input addresses belong to one wallet, and a single spend that combines several addresses merges them into a cluster. Change detection: your wallet sends the amount you intended and returns the remainder to a change address it controls, both outputs are visible, and the change address joins the cluster. Address reuse: the same address appearing in many transactions ties them all to one owner. And the on/off ramps where Bitcoin meets traditional finance: exchanges, which in most jurisdictions are required to collect identity documents and report to regulators, so a single deposit from a cluster can put a name on the whole thing.

The FBI's recovery of Colonial Pipeline ransom and the Silk Road investigation weren't cryptographic breaks. They were graph analysis. Bitcoin's transaction history is permanently public. Anyone willing to do the analysis can trace the flow.

This is the gap between the whitepaper's vision and Bitcoin's reality.


Ethereum: Powerful but Not That

Ethereum deserves its own context. Where Bitcoin is digital cash (in aspiration if not execution), Ethereum is a programmable blockchain — a globally distributed computer that executes smart contracts automatically when their conditions are met.

This is genuinely novel. Smart contracts enabled decentralized finance (DeFi): lending protocols, automated market makers, and yield mechanisms that operate without intermediaries. They enabled NFTs, on-chain governance, and tokenized real-world assets. The Ethereum Virtual Machine is a real innovation.

But Ethereum is not a better Bitcoin. It's a different thing. Its blockchain is equally transparent: every transaction, every contract execution, every token transfer is publicly visible and analyzable. The privacy problem is the same, if anything worse, because Ethereum's account model reuses one address for every transaction by design. And Ethereum's history of smart contract bugs, protocol changes, and the contentious 2016 hard fork (to reverse the DAO hack) represents a different set of trade-offs than Bitcoin's.

Bitcoin's consensus rules have changed only through backward-compatible soft forks in fifteen years. It does one thing, move value, and does it with predictable, auditable, immutable rules. Ethereum does many things and has changed its rules, including its consensus mechanism.

Neither is what Satoshi described.


Monero: What Bitcoin Was Supposed to Be

Monero (XMR) was designed from the ground up to solve Bitcoin's privacy problem at the protocol level. Not through optional add-ons or user behavior, but through cryptographic mechanisms that make privacy the default — the only option.

Three technologies do the work:

Ring Signatures: When you send Monero, your transaction is signed with a ring signature that combines your real signing key with a set of other users' past transaction outputs as decoys. The signature proves that someone in the ring authorized the transaction, without revealing which one. A key image, derived from the real key, is published alongside it; the same output always produces the same key image, so the network can reject a second spend of that output without ever learning which ring member signed. Outsiders see a valid transaction. They cannot determine who sent it.

Stealth Addresses — Every Monero transaction sends funds to a one-time address that is mathematically derived from the recipient's public keys but appears completely unrelated on the blockchain. The recipient's wallet scans each block with their private view key to detect transactions addressed to them. No external observer can link transactions to a particular recipient's published address. You can publish one Monero address for life; every payment you receive goes to a unique, unlinkable one-time address that only you can detect.

RingCT (Ring Confidential Transactions): Hides transaction amounts. On Monero's blockchain, the amounts moving in each transaction are blinded as Pedersen commitments. Commitments add up, so validators can confirm that inputs equal outputs (no coins were created from nothing) without seeing the amounts, and a zero-knowledge range proof on each output (Bulletproofs, in current Monero) rules out balancing the books with a negative amount.

The result: on Monero's blockchain, you can see that transactions occurred. You cannot determine who sent them, who received them, or how much was moved. This is cash-equivalent privacy, and it's built into every transaction by default. There's no "private mode" to forget to enable. The guarantee does have a shape: a ring signature hides the spender among the members of its ring (sixteen in current Monero), not among all users, and early transactions with small rings and naive decoy selection were later shown to be partly traceable.

The cryptographic machinery achieving this is sophisticated — ring signatures, Pedersen commitments for amount hiding, Diffie-Hellman key exchange for stealth address derivation — but the user experience is identical to Bitcoin. You have an address. You send and receive. The privacy layer operates invisibly.
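As an added example (not Monero's or CryptoNote's code), here are the two mechanisms from the paragraphs above in pure Python: stealth address derivation with a Diffie-Hellman shared secret, and a linkable ring signature (LSAG, the scheme CryptoNote's ring signatures descend from) with its key image. It runs over secp256k1 with SHA-256, which are demo choices; Monero itself uses ed25519, Keccak and the MLSAG/CLSAG variants, and its hash-to-point differs from the try-and-increment one used here. RingCT's commitments are not shown.

```python
# Added example, not Monero's or CryptoNote's own code: stealth (one-time) addresses
# and a linkable ring signature (LSAG) over secp256k1 in pure Python, SHA-256 as hash.
import hashlib
import secrets

P = 2**256 - 2**32 - 977                                                   # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
rand_scalar = lambda: secrets.randbelow(N - 1) + 1

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 mod P; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point=G):
    """Double-and-add. Cheap forward; undoing it is the discrete-log problem."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc

def compress(point):
    return bytes([2 + (point[1] & 1)]) + point[0].to_bytes(32, "big")  # SEC1 compressed

def h_scalar(*parts):
    """Hash bytes and points to a scalar mod N (challenges and shared secrets)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part if isinstance(part, bytes) else compress(part))
    return int.from_bytes(h.digest(), "big") % N

def h_point(point):
    """Try-and-increment hash-to-curve; nobody knows its discrete log w.r.t. G."""
    x = h_scalar(b"Hp", point)
    while True:
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)                  # P = 3 mod 4, so this is a sqrt
        if y * y % P == rhs:
            return (x, y)
        x = (x + 1) % P

def stealth_send(view_pub, spend_pub):
    """Sender: fresh r, publish R = rG, pay to the one-time key H(rA)G + B."""
    r = rand_scalar()
    return ec_mul(r), ec_add(ec_mul(h_scalar(ec_mul(r, view_pub))), spend_pub)

def stealth_scan(view_priv, spend_pub, tx_pub, one_time):
    """Recipient: with the view key alone, recompute H(aR)G + B and compare."""
    return ec_add(ec_mul(h_scalar(ec_mul(view_priv, tx_pub))), spend_pub) == one_time

def stealth_spend_key(view_priv, spend_priv, tx_pub):
    return (h_scalar(ec_mul(view_priv, tx_pub)) + spend_priv) % N  # needs the spend key

def ring_sign(msg, ring, idx, priv):
    """LSAG (Liu, Wei, Wong 2004): prove membership, reveal nothing but the key image."""
    n = len(ring)
    key_image = ec_mul(priv, h_point(ring[idx]))        # I = x*Hp(P): fixed per key
    s, c, alpha = [rand_scalar() for _ in range(n)], [0] * n, rand_scalar()
    c[(idx + 1) % n] = h_scalar(msg, ec_mul(alpha), ec_mul(alpha, h_point(ring[idx])))
    for step in range(1, n):                            # walk the ring back to idx
        i = (idx + step) % n
        L = ec_add(ec_mul(s[i]), ec_mul(c[i], ring[i]))
        R = ec_add(ec_mul(s[i], h_point(ring[i])), ec_mul(c[i], key_image))
        c[(i + 1) % n] = h_scalar(msg, L, R)
    s[idx] = (alpha - c[idx] * priv) % N                # only the real key closes the ring
    return key_image, c[0], s

def ring_verify(msg, ring, sig):
    """Recompute the challenge chain; nothing here depends on which member signed."""
    key_image, c0, s = sig
    c = c0
    for i, pub in enumerate(ring):
        L = ec_add(ec_mul(s[i]), ec_mul(c, pub))
        R = ec_add(ec_mul(s[i], h_point(pub)), ec_mul(c, key_image))
        c = h_scalar(msg, L, R)
    return c == c0

def demo():
    """Constructed keys: one real spender hidden among four decoys, plus a stealth payment."""
    keys = [rand_scalar() for _ in range(5)]
    ring = [ec_mul(k) for k in keys]
    sig1, sig2 = ring_sign(b"tx-1", ring, 2, keys[2]), ring_sign(b"tx-2", ring, 2, keys[2])
    tx_pub, one_time = stealth_send(ring[0], ring[1])   # keys[0]: view key, keys[1]: spend key
    return {"valid": ring_verify(b"tx-1", ring, sig1),
            "tampered": ring_verify(b"tx-1 changed", ring, sig1),
            "same_key_linked": sig1[0] == sig2[0],
            "stealth_found": stealth_scan(keys[0], ring[1], tx_pub, one_time),
            "stealth_spendable": ec_mul(stealth_spend_key(keys[0], keys[1], tx_pub)) == one_time}
```

Two things to notice in `demo()`. The verifier loops over all five ring members identically, so it gets no signal about index 2; what it does get is the key image, which is the same for `tx-1` and `tx-2` because both were signed with the same key, and that is exactly the linkability the network uses to stop double spends. On the stealth side, `stealth_scan` needs only the private view key, which is why a view key can be handed to an auditor without handing over the ability to spend.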

This is why the characterization holds: there is Bitcoin, there is Monero, and everything else is derivative. Not derivative in a dismissive sense — Ethereum is genuinely innovative. But in terms of what peer-to-peer electronic cash requires — censorship resistance, fungibility, privacy — the original vision maps most closely to Monero. Bitcoin is the standard for store of value and predictable monetary policy. Monero is the closest implementation of what the whitepaper described for daily use.


Hashing: The One-Way Street Everything Depends On

Both Bitcoin and Monero rely on cryptographic hash functions at their core. A hash function takes an input of any length and produces a fixed-length output — a hash — with three critical properties:

Deterministic: the same input always produces the same hash.

One-way: given a hash, it is computationally infeasible to find the input that produced it.

Collision-resistant: it is computationally infeasible to find two different inputs that produce the same hash.

Bitcoin uses SHA-256. Feed in any data — a transaction record, a block header, a private key — and you get a 256-bit output. The same input always produces the same output. Different inputs produce completely different outputs (a property called the avalanche effect: changing one bit of input changes roughly half the bits of output). And you cannot work backwards.

SHA-256's output space is 2^256. The probability of any two distinct inputs producing the same SHA-256 hash by accident is approximately 1 in 2^256 — the same scale as the AES-256 key space we discussed in our encryption piece. You'd need to hash 2^128 different inputs before having a 50% chance of a collision, by the birthday paradox. This has never been demonstrated and is not expected to happen.
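An added example, not from the article: measuring the avalanche effect directly by flipping each bit of a one-block message and counting how many output bits change, for SHA-256 and, for contrast, MD5. Both come out at about half the output bits; the next section's point is that avalanche alone is not collision resistance, and MD5 is the proof.

```python
# Added example (not from the article): measure the avalanche effect of a hash.
import hashlib


def hamming(a: bytes, b: bytes) -> int:
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")


def avalanche(algorithm: str, message: bytes) -> dict:
    """Flip every input bit in turn and count the output bits that change.
    A well-behaved hash changes about half of them, whichever bit is flipped."""
    base = hashlib.new(algorithm, message).digest()
    distances = []
    for bit in range(len(message) * 8):
        flipped = bytearray(message)
        flipped[bit // 8] ^= 1 << (bit % 8)
        distances.append(hamming(base, hashlib.new(algorithm, bytes(flipped)).digest()))
    return {"output_bits": len(base) * 8,
            "mean": sum(distances) / len(distances),
            "min": min(distances), "max": max(distances)}


# Constructed input: exactly 64 bytes, i.e. one SHA-256 block.
MESSAGE = b"Bitcoin: A Peer-to-Peer Electronic Cash System, Satoshi Nakamoto"[:64].ljust(64, b".")
```

For SHA-256 the mean over all 512 single-bit flips sits within a fraction of a bit of 128, with every individual flip changing somewhere around 100 to 160 bits; MD5 shows the same behaviour at 64 of its 128 bits. That is what "one bit in, half the bits out" looks like measured rather than asserted, and it says nothing about whether two inputs can be engineered to collide.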

Visualization of SHA-256 hash function: input data transforming into fixed-length fingerprint


MD5: The Cautionary Tale

Not all hash functions share SHA-256's properties, and the story of MD5 illustrates what happens when one doesn't.

MD5 produces a 128-bit output — 2^128 possible hash values. By birthday paradox, random collisions become likely after approximately 2^64 hashes — still astronomically large. When MD5 was designed in 1991, this seemed adequate.

In 2004, cryptographers Xiaoyun Wang and Hongbo Yu demonstrated that MD5 collisions could be deliberately engineered (two crafted, different inputs with the same MD5 hash) in about 2^39 operations; the technique was published at EUROCRYPT 2005, and later refinements cut the cost to seconds on an ordinary CPU. In 2007 the attack was extended to chosen prefixes, and by the end of 2008 researchers used it to obtain a CA-signed certificate whose MD5-based signature was equally valid for a rogue certificate-authority certificate they had crafted, which would have let them issue browser-trusted certificates for any domain.

MD5 is broken for any security-critical purpose. It should not be used to verify the integrity of software, documents, or certificates. It should not be used in password storage. It should not be used in digital signatures.

But here is the nuance: MD5 is not broken for all uses.

The attacks on MD5 are collision attacks: an adversary crafts both inputs so that they collide. What remains infeasible is a second-preimage attack, in which the attacker is handed an existing file and must produce a different one with the same MD5. For two randomly generated, unrelated large files, say two different operating system disk images, the probability of an accidental MD5 collision is still approximately 1 in 2^128. No one has manufactured a Linux ISO that collides with another Linux ISO. The deliberate attack requires control over both inputs.

For file integrity checking in non-adversarial contexts, verifying that a 10 GB database backup transferred without corruption or confirming that two copies of a large media file are identical, accidental MD5 collisions are so unlikely that MD5 remains functionally reliable. If you're asking "did this file change?", MD5 checksums work fine, provided the checksum itself came from a source you already trust. If you're asking "can I trust this file came from who claims to have sent it?", MD5 is not safe.

The distinction is between accidental collision (still near-impossible for unrelated large files) and deliberate collision (demonstrably feasible). Most common uses of MD5 as a file-comparison tool fall in the first category. Security verification falls in the second, and SHA-256 is the correct tool there.


Everything Else Is Derivative

Thousands of cryptocurrencies exist. The vast majority are one of the following:

Bitcoin forks: Copies of Bitcoin's codebase with modified parameters — Litecoin (4x faster blocks), Bitcoin Cash (larger blocks), Dogecoin (inflationary supply, started as a joke). They inherit Bitcoin's strengths and weaknesses, including its transparency problem.

Ethereum clones: Blockchains using the Ethereum Virtual Machine or similar smart contract environments — Polygon, Avalanche, BNB Chain. They're Ethereum-compatible networks, often with different consensus mechanisms or transaction costs, but fundamentally the same programmable blockchain concept.

Purpose-built tokens on Ethereum: Not separate blockchains at all. ERC-20 tokens are entries in an Ethereum smart contract. They have whatever properties that contract defines. They depend entirely on Ethereum's security.

Attempted privacy coins: Zcash introduced optional shielded transactions using zero-knowledge proofs (zk-SNARKs), but privacy is not the default, and when most transactions are transparent, the shielded ones stand out. Dash's PrivateSend is CoinJoin-style mixing rather than cryptographic hiding: amounts and the transaction graph stay visible, and the anonymity is only as good as the set of people who happened to mix with you. Monero's privacy is mandatory and comprehensive, which is the property that makes it fungible.

The crypto space's diversity looks like innovation from the outside. From a cryptographic architecture perspective, it's mostly iteration on two models: Bitcoin's UTXO-based value transfer, and Ethereum's account-based smart contract platform. The innovations at the margins are real but incremental.


Why This Matters Beyond Ideology

The Bitcoin vs. Monero question is not purely philosophical. It has concrete implications for commercial finance.

Bitcoin's transparency is a double-edged sword. For regulated lenders who need to verify the source of funds, Bitcoin's traceable history is an asset — you can audit a wallet's transaction history. For borrowers who use Bitcoin holdings as collateral, that same transparency exposes their financial position publicly and permanently.

Monero's privacy creates regulatory friction. Several exchanges have delisted XMR under pressure from regulators who want transaction visibility. The IRS has offered bounties for Monero-tracing tools. Using Monero in a regulated lending context requires careful compliance consideration that Bitcoin does not.

The collision probability argument has real implications. The mathematical property that makes Bitcoin addresses secure — the vast key space making random collision essentially impossible — is the same property that makes losing a private key permanent. There is no recovery mechanism. There is no "forgot my password." The cryptographic guarantees that protect your funds also protect them from you if you lose access.

This is the fundamental trade-off of cryptographic systems: the same math that makes unauthorized access impossible makes authorized access irrecoverable when the credentials are lost. An estimated 3 to 4 million Bitcoin — roughly 15-20% of those that will ever exist — are locked in wallets whose private keys are gone. They are held by the mathematics permanently.

The system works exactly as designed. Whether that design is appropriate for every financial use case is a different question.


The Key Insight

Under all of this — the addresses, the collisions, the privacy layers, the hash functions — is a single idea: one-way mathematical functions create asymmetries so extreme that they can substitute for trust.

You don't need to trust a bank to hold your Bitcoin. You trust the math that makes forging your signature computationally infeasible. You don't need to trust a counterparty with your Monero transaction history. You trust the ring signature math that makes picking you out of the ring infeasible for anyone who does not hold your private key.

The blockchain in general, and privacy-preserving blockchains specifically, are attempts to replace institutional trust with mathematical trust. Whether they succeed depends entirely on the soundness of the mathematics — and for Bitcoin and Monero, that mathematics has held.

Everything else is derivative.


Sources

  1. Satoshi Nakamoto, "Bitcoin: A Peer-to-Peer Electronic Cash System" (October 31, 2008) — bitcoin.org/bitcoin.pdf
  2. Bitcoin's secp256k1 elliptic curve — ANSI X9.62, SEC 2 standard; secg.org; used for private/public key derivation
  3. SHA-256 and RIPEMD-160 hash functions — NIST FIPS PUB 180-4 (SHA-256); H. Dobbertin, A. Bosselaers, B. Preneel, "RIPEMD-160: A Strengthened Version of RIPEMD" (1996)
  4. Xiaoyun Wang and Hongbo Yu, "How to Break MD5 and Other Hash Functions", EUROCRYPT 2005, Lecture Notes in Computer Science, Vol. 3494 — demonstrated MD5 collision in ~2^39 operations
  5. Silk Road investigation and Bitcoin tracing: United States v. Ross William Ulbricht, Case 1:14-cr-00068 (S.D.N.Y.); FBI used transaction graph analysis, not cryptographic breaks
  6. Colonial Pipeline Bitcoin recovery — U.S. Department of Justice press release, June 7, 2021; FBI traced ransomware payment via blockchain analysis; justice.gov
  7. Monero ring signatures — Nicolas van Saberhagen (pseudonym), "CryptoNote v 2.0" (October 17, 2013) — technical specification for ring signature and stealth address scheme underlying Monero
  8. Monero RingCT (Ring Confidential Transactions) — Shen Noether, Adam Mackenzie, et al., "Ring Confidential Transactions", Ledger Journal (2016) — amount hiding via Pedersen commitments
  9. Estimated lost Bitcoin (~3–4 million BTC): Chainalysis, The Chainalysis 2020 Crypto Crime Report; James Howells and similar documented key-loss cases