2017-05-10 19:06:23 +00:00
|
|
|
|
[[mining]]
|
2017-04-24 21:09:15 +00:00
|
|
|
|
== Mining and Consensus
|
|
|
|
|
|
2023-03-05 20:37:16 +00:00
|
|
|
|
[[mtp]]
|
|
|
|
|
=== Median Time Past (MTP)
|
|
|
|
|
|
2023-04-09 15:33:18 +00:00
|
|
|
|
((("scripting", "timelocks",
|
|
|
|
|
"Median-Tme-Past")))((("Median-Tme-Past")))((("timelocks",
|
|
|
|
|
"Median-Tme-Past")))As part of the activation of relative timelocks,
|
|
|
|
|
there was also a change in the way "time" is calculated for timelocks
|
|
|
|
|
(both absolute and relative). In bitcoin there is a subtle, but very
|
|
|
|
|
significant, difference between wall time and consensus time. Bitcoin is
|
|
|
|
|
a decentralized network, which means that each participant has his or
|
|
|
|
|
her own perspective of time. Events on the network do not occur
|
|
|
|
|
instantaneously everywhere. Network latency must be factored into the
|
|
|
|
|
perspective of each node. Eventually everything is synchronized to
|
|
|
|
|
create a common ledger. Bitcoin reaches consensus every 10 minutes about
|
|
|
|
|
the state of the ledger as it existed in the _past_.
|
|
|
|
|
|
|
|
|
|
The timestamps set in block headers are set by the miners. There is a
|
|
|
|
|
certain degree of latitude allowed by the consensus rules to account for
|
|
|
|
|
differences in clock accuracy between decentralized nodes. However, this
|
|
|
|
|
creates an unfortunate incentive for miners to lie about the time in a
|
|
|
|
|
block so as to earn extra fees by including timelocked transactions that
|
|
|
|
|
are not yet mature. See the following section for more information.
|
|
|
|
|
|
|
|
|
|
To remove the incentive to lie and strengthen the security of timelocks,
|
|
|
|
|
a BIP was proposed and activated at the same time as the BIPs for
|
2023-05-23 20:47:54 +00:00
|
|
|
|
relative timelocks. This is BIP113, which defines a new consensus
|
2023-04-09 15:33:18 +00:00
|
|
|
|
measurement of time called _Median-Time-Past_.
|
|
|
|
|
|
|
|
|
|
Median-Time-Past is calculated by taking the timestamps of the last 11
|
|
|
|
|
blocks and finding the median. That median time then becomes consensus
|
|
|
|
|
time and is used for all timelock calculations. By taking the midpoint
|
|
|
|
|
from approximately two hours in the past, the influence of any one
|
|
|
|
|
block's timestamp is reduced. By incorporating 11 blocks, no single
|
|
|
|
|
miner can influence the timestamps in order to gain fees from
|
|
|
|
|
transactions with a timelock that hasn't yet matured.
|
|
|
|
|
|
|
|
|
|
Median-Time-Past changes the implementation of time calculations for
|
|
|
|
|
+nLocktime+, +CLTV+, +nSequence+, and +CSV+. The consensus time
|
|
|
|
|
calculated by Median-Time-Past is always approximately one hour behind
|
|
|
|
|
wall clock time. If you create timelock transactions, you should account
|
|
|
|
|
for it when estimating the desired value to encode in +nLocktime+,
|
|
|
|
|
+nSequence+, +CLTV+, and +CSV+.
|
|
|
|
|
|
|
|
|
|
Median-Time-Past is specified in
|
2023-05-23 20:47:54 +00:00
|
|
|
|
https://github.com/bitcoin/bips/blob/master/bip-0113.mediawiki[BIP113].
|
2023-03-05 20:37:16 +00:00
|
|
|
|
|
|
|
|
|
[[duplicate_transactions]]
|
|
|
|
|
=== Preventing Duplicate Transactions
|
|
|
|
|
|
|
|
|
|
FIXME:BIP30 and 34
|
2017-05-10 19:06:23 +00:00
|
|
|
|
|
2017-04-24 21:09:15 +00:00
|
|
|
|
=== Introduction
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("mining and consensus", "purpose of")))The word "mining" is somewhat
|
|
|
|
|
misleading. By evoking the extraction of precious metals, it focuses our
|
|
|
|
|
attention on the reward for mining, the new bitcoin created in each
|
|
|
|
|
block. Although mining is incentivized by this reward, the primary
|
|
|
|
|
purpose of mining is not the reward or the generation of new coins. If
|
|
|
|
|
you view mining only as the process by which coins are created, you are
|
|
|
|
|
mistaking the means (incentives) as the goal of the process. Mining is
|
|
|
|
|
the mechanism that underpins the decentralized clearinghouse, by which
|
|
|
|
|
transactions are validated and cleared. Mining is the invention that
|
|
|
|
|
makes bitcoin special, a decentralized security mechanism that is the
|
|
|
|
|
basis for P2P digital cash.
|
|
|
|
|
|
|
|
|
|
((("mining and consensus", "decentralized consensus")))((("central
|
|
|
|
|
trusted authority")))Mining _secures the Bitcoin system_ and enables the
|
|
|
|
|
emergence of network-wide _consensus without a central authority_.
|
|
|
|
|
((("fees", "transaction fees")))The reward of newly minted coins and
|
|
|
|
|
transaction fees is an incentive scheme that aligns the actions of
|
|
|
|
|
miners with the security of the network, while simultaneously
|
|
|
|
|
implementing the monetary supply.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[TIP]
|
|
|
|
|
====
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("decentralized systems", "bitcoin mining and")))The purpose of mining
|
|
|
|
|
is not the creation of new bitcoin. That's the incentive system. Mining
|
|
|
|
|
is the mechanism by which bitcoin's _security_ is _decentralized_.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
====
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Miners validate new transactions and record them on the global ledger. A
|
|
|
|
|
new block, containing transactions that occurred since the last block,
|
|
|
|
|
is "mined" every 10 minutes on average, thereby adding those
|
|
|
|
|
transactions to the blockchain. Transactions that become part of a block
|
|
|
|
|
and added to the blockchain are considered "confirmed," which allows the
|
|
|
|
|
new owners of bitcoin to spend the bitcoin they received in those
|
|
|
|
|
transactions.
|
|
|
|
|
|
|
|
|
|
((("fees", "mining rewards")))((("mining and consensus", "mining rewards
|
|
|
|
|
and fees")))((("Proof-of-Work algorithm")))((("mining and consensus",
|
|
|
|
|
"Proof-of-Work algorithm")))Miners receive two types of rewards in
|
|
|
|
|
return for the security provided by mining: new coins created with each
|
|
|
|
|
new block, and transaction fees from all the transactions included in
|
|
|
|
|
the block. To earn this reward, miners compete to solve a difficult
|
|
|
|
|
mathematical problem based on a cryptographic hash algorithm. The
|
|
|
|
|
solution to the problem, called the Proof-of-Work, is included in the
|
|
|
|
|
new block and acts as proof that the miner expended significant
|
|
|
|
|
computing effort. The competition to solve the Proof-of-Work algorithm
|
|
|
|
|
to earn the reward and the right to record transactions on the
|
|
|
|
|
blockchain is the basis for bitcoin's security model.
|
|
|
|
|
|
|
|
|
|
The process is called mining because the reward (new coin generation) is
|
|
|
|
|
designed to simulate diminishing returns, just like mining for precious
|
|
|
|
|
metals. Bitcoin's money supply is created through mining, similar to how
|
|
|
|
|
a central bank issues new money by printing bank notes. The maximum
|
|
|
|
|
amount of newly created bitcoin a miner can add to a block decreases
|
|
|
|
|
approximately every four years (or precisely every 210,000 blocks). It
|
|
|
|
|
started at 50 bitcoin per block in January of 2009 and halved to 25
|
|
|
|
|
bitcoin per block in November of 2012. It halved again to 12.5 bitcoin
|
|
|
|
|
in July 2016. Based on this formula, bitcoin mining rewards decrease
|
|
|
|
|
exponentially until approximately the year 2140, when all bitcoin
|
|
|
|
|
(20.99999998 million) will have been issued. After 2140, no new bitcoin
|
|
|
|
|
will be issued.
|
|
|
|
|
|
|
|
|
|
Bitcoin miners also earn fees from transactions. Every transaction may
|
|
|
|
|
include a transaction fee, in the form of a surplus of bitcoin between
|
|
|
|
|
the transaction's inputs and outputs. The winning bitcoin miner gets to
|
|
|
|
|
"keep the change" on the transactions included in the winning block.
|
|
|
|
|
Today, the fees represent 0.5% or less of a bitcoin miner's income, the
|
|
|
|
|
vast majority coming from the newly minted bitcoin. However, as the
|
|
|
|
|
reward decreases over time and the number of transactions per block
|
|
|
|
|
increases, a greater proportion of bitcoin mining earnings will come
|
|
|
|
|
from fees. Gradually, the mining reward will be dominated by transaction
|
|
|
|
|
fees, which will form the primary incentive for miners. After 2140, the
|
|
|
|
|
amount of new bitcoin in each block drops to zero and bitcoin mining
|
|
|
|
|
will be incentivized only by transaction fees.
|
|
|
|
|
|
|
|
|
|
In this chapter, we will first examine mining as a monetary supply
|
|
|
|
|
mechanism and then look at the most important function of mining: the
|
|
|
|
|
decentralized consensus mechanism that underpins bitcoin's security.
|
|
|
|
|
|
|
|
|
|
To understand mining and consensus, we will follow Alice's transaction
|
|
|
|
|
as it is received and added to a block by Jing's mining equipment. Then
|
|
|
|
|
we will follow the block as it is mined, added to the blockchain, and
|
|
|
|
|
accepted by the Bitcoin network through the process of emergent
|
|
|
|
|
consensus.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
==== Bitcoin Economics and Currency Creation
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("mining and consensus", "bitcoin economics and currency
|
|
|
|
|
creation")))((("currency creation")))((("money supply")))((("issuance
|
|
|
|
|
rate")))Bitcoin are "minted" during the creation of each block at a
|
|
|
|
|
fixed and diminishing rate. Each block, generated on average every 10
|
|
|
|
|
minutes, contains entirely new bitcoin, created from nothing. Every
|
|
|
|
|
210,000 blocks, or approximately every four years, the currency issuance
|
|
|
|
|
rate is decreased by 50%. For the first four years of operation of the
|
|
|
|
|
network, each block contained 50 new bitcoin.
|
|
|
|
|
|
|
|
|
|
In November 2012, the new bitcoin issuance rate was decreased to 25
|
|
|
|
|
bitcoin per block. In July of 2016 it was decreased again to 12.5
|
|
|
|
|
bitcoin per block. It will halve again to 6.25 bitcoin at block 630,000,
|
|
|
|
|
which will be mined sometime in 2020. The rate of new coins decreases
|
|
|
|
|
like this exponentially over 32 "halvings" until block 6,720,000 (mined
|
|
|
|
|
approximately in year 2137), when it reaches the minimum currency unit
|
|
|
|
|
of 1 satoshi. Finally, after 6.93 million blocks, in approximately 2140,
|
|
|
|
|
almost 2,099,999,997,690,000 satoshis, or almost 21 million bitcoin,
|
|
|
|
|
will be issued. Thereafter, blocks will contain no new bitcoin, and
|
|
|
|
|
miners will be rewarded solely through the transaction fees.
|
|
|
|
|
<<bitcoin_money_supply>> shows the total bitcoin in circulation over
|
|
|
|
|
time, as the issuance of currency decreases.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[bitcoin_money_supply]]
|
|
|
|
|
.Supply of bitcoin currency over time based on a geometrically decreasing issuance rate
|
|
|
|
|
image::images/mbc2_1001.png["BitcoinMoneySupply"]
|
|
|
|
|
|
|
|
|
|
[NOTE]
|
|
|
|
|
====
|
2023-05-23 20:40:36 +00:00
|
|
|
|
The maximum number of coins mined is the _upper limit_ of possible
|
|
|
|
|
mining rewards for bitcoin. In practice, a miner may intentionally mine
|
|
|
|
|
a block taking less than the full reward. Such blocks have already been
|
|
|
|
|
mined and more may be mined in the future, resulting in a lower total
|
|
|
|
|
issuance of the currency.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
====
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
In the example code in <<max_money>>, we calculate the total amount of
|
|
|
|
|
bitcoin that will be issued.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[max_money]]
|
|
|
|
|
.A script for calculating how much total bitcoin will be issued
|
|
|
|
|
====
|
|
|
|
|
[source, python]
|
|
|
|
|
----
|
|
|
|
|
include::code/max_money.py[]
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
<<max_money_run>> shows the output produced by running this script.
|
|
|
|
|
|
|
|
|
|
[[max_money_run]]
|
|
|
|
|
.Running the max_money.py script
|
|
|
|
|
====
|
|
|
|
|
[source,bash]
|
|
|
|
|
----
|
|
|
|
|
$ python max_money.py
|
2023-02-01 16:31:10 +00:00
|
|
|
|
Total BTC to ever be created: 2099999997690000 Satoshis
|
2017-04-24 21:09:15 +00:00
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
The finite and diminishing issuance creates a fixed monetary supply that
|
|
|
|
|
resists inflation. Unlike a fiat currency, which can be printed in
|
|
|
|
|
infinite numbers by a central bank, bitcoin can never be inflated by
|
|
|
|
|
printing.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
.Deflationary Money
|
|
|
|
|
****
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("deflationary money")))The most important and debated consequence of
|
|
|
|
|
fixed and diminishing monetary issuance is that the currency tends to be
|
|
|
|
|
inherently _deflationary_. Deflation is the phenomenon of appreciation
|
|
|
|
|
of value due to a mismatch in supply and demand that drives up the value
|
|
|
|
|
(and exchange rate) of a currency. The opposite of inflation, price
|
|
|
|
|
deflation, means that the money has more purchasing power over time.
|
|
|
|
|
|
|
|
|
|
Many economists argue that a deflationary economy is a disaster that
|
|
|
|
|
should be avoided at all costs. That is because in a period of rapid
|
|
|
|
|
deflation, people tend to hoard money instead of spending it, hoping
|
|
|
|
|
that prices will fall. Such a phenomenon unfolded during Japan's "Lost
|
|
|
|
|
Decade," when a complete collapse of demand pushed the currency into a
|
|
|
|
|
deflationary spiral.
|
|
|
|
|
|
|
|
|
|
Bitcoin experts argue that deflation is not bad per se. Rather,
|
|
|
|
|
deflation is associated with a collapse in demand because that is the
|
|
|
|
|
only example of deflation we have to study. In a fiat currency with the
|
|
|
|
|
possibility of unlimited printing, it is very difficult to enter a
|
|
|
|
|
deflationary spiral unless there is a complete collapse in demand and an
|
|
|
|
|
unwillingness to print money. Deflation in bitcoin is not caused by a
|
|
|
|
|
collapse in demand, but by a predictably constrained supply.
|
|
|
|
|
|
|
|
|
|
The positive aspect of deflation, of course, is that it is the opposite
|
|
|
|
|
of inflation. Inflation causes a slow but inevitable debasement of
|
|
|
|
|
currency, resulting in a form of hidden taxation that punishes savers in
|
|
|
|
|
order to bail out debtors (including the biggest debtors, governments
|
|
|
|
|
themselves). Currencies under government control suffer from the moral
|
|
|
|
|
hazard of easy debt issuance that can later be erased through debasement
|
|
|
|
|
at the expense of savers.
|
|
|
|
|
|
|
|
|
|
It remains to be seen whether the deflationary aspect of the currency is
|
|
|
|
|
a problem when it is not driven by rapid economic retraction, or an
|
|
|
|
|
advantage because the protection from inflation and debasement far
|
|
|
|
|
outweighs the risks of deflation.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
****
|
|
|
|
|
|
|
|
|
|
=== Decentralized Consensus
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("mining and consensus", "decentralized consensus")))((("decentralized
|
|
|
|
|
systems", "consensus in")))In the previous chapter we looked at the
|
|
|
|
|
blockchain, the global public ledger (list) of all transactions, which
|
|
|
|
|
everyone in the Bitcoin network accepts as the authoritative record of
|
|
|
|
|
ownership.
|
|
|
|
|
|
|
|
|
|
But how can everyone in the network agree on a single universal "truth"
|
|
|
|
|
about who owns what, without having to trust anyone? All traditional
|
|
|
|
|
payment systems depend on a trust model that has a central authority
|
|
|
|
|
providing a clearinghouse service, basically verifying and clearing all
|
|
|
|
|
transactions. Bitcoin has no central authority, yet somehow every full
|
|
|
|
|
node has a complete copy of a public ledger that it can trust as the
|
|
|
|
|
authoritative record. The blockchain is not created by a central
|
|
|
|
|
authority, but is assembled independently by every node in the network.
|
|
|
|
|
Somehow, every node in the network, acting on information transmitted
|
|
|
|
|
across insecure network connections, can arrive at the same conclusion
|
|
|
|
|
and assemble a copy of the same public ledger as everyone else. This
|
|
|
|
|
chapter examines the process by which the Bitcoin network achieves
|
|
|
|
|
global consensus without central authority.
|
|
|
|
|
|
|
|
|
|
((("emergent consensus")))((("mining and consensus", "emergent
|
|
|
|
|
consensus")))Satoshi Nakamoto's main invention is the decentralized
|
|
|
|
|
mechanism for _emergent consensus_. Emergent, because consensus is not
|
|
|
|
|
achieved explicitly—there is no election or fixed moment when consensus
|
|
|
|
|
occurs. Instead, consensus is an emergent artifact of the asynchronous
|
|
|
|
|
interaction of thousands of independent nodes, all following simple
|
|
|
|
|
rules. All the properties of bitcoin, including currency, transactions,
|
|
|
|
|
payments, and the security model that does not depend on central
|
|
|
|
|
authority or trust, derive from this invention.
|
|
|
|
|
|
|
|
|
|
Bitcoin's decentralized consensus emerges from the interplay of four
|
|
|
|
|
processes that occur independently on nodes across the network:
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
[role="pagebreak-before"]
|
|
|
|
|
- Independent verification of each transaction, by every full node,
|
|
|
|
|
based on a comprehensive list of criteria
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
- Independent aggregation of those transactions into new blocks by
|
|
|
|
|
mining nodes, coupled with demonstrated computation through a
|
|
|
|
|
Proof-of-Work algorithm
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
- Independent verification of the new blocks by every node and assembly
|
|
|
|
|
into a chain
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
- Independent selection, by every node, of the chain with the most
|
|
|
|
|
cumulative computation demonstrated through Proof-of-Work
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
In the next few sections we will examine these processes and how they
|
|
|
|
|
interact to create the emergent property of network-wide consensus that
|
|
|
|
|
allows any Bitcoin node to assemble its own copy of the authoritative,
|
|
|
|
|
trusted, public, global ledger.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[tx_verification]]
|
|
|
|
|
=== Independent Verification of Transactions
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("mining and consensus", "independent transaction
|
|
|
|
|
verification")))((("transactions", "independent verification of")))In
|
|
|
|
|
<<transactions>>, we saw how wallet software creates transactions by
|
|
|
|
|
collecting UTXO, providing the appropriate unlocking scripts, and then
|
|
|
|
|
constructing new outputs assigned to a new owner. The resulting
|
|
|
|
|
transaction is then sent to the neighboring nodes in the Bitcoin network
|
|
|
|
|
so that it can be propagated across the entire Bitcoin network.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
However, before forwarding transactions to its neighbors, every Bitcoin
|
|
|
|
|
node that receives a transaction will first verify the transaction. This
|
|
|
|
|
ensures that only valid transactions are propagated across the network,
|
|
|
|
|
while invalid transactions are discarded at the first node that
|
|
|
|
|
encounters them.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Each node verifies every transaction against a long checklist of
|
|
|
|
|
criteria:
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
- The transaction's syntax and data structure must be correct.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
- Neither lists of inputs or outputs are empty.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
- The transaction size in bytes is less than +MAX_BLOCK_SIZE+.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
- Each output value, as well as the total, must be within the allowed
|
|
|
|
|
range of values (less than 21m coins, more than the _dust_ threshold).
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
- None of the inputs have hash=0, N=–1 (coinbase transactions should not
|
|
|
|
|
be relayed).
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
- +nLocktime+ is equal to +INT_MAX+, or +nLocktime+ and +nSequence+
|
|
|
|
|
values are satisfied according to +MedianTimePast+.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
- The transaction size in bytes is greater than or equal to 100.
|
|
|
|
|
|
|
|
|
|
- The number of signature operations (SIGOPS) contained in the
|
|
|
|
|
transaction is less than the signature operation limit.
|
|
|
|
|
|
|
|
|
|
- The unlocking script (+scriptSig+) can only push numbers on the stack,
|
|
|
|
|
and the locking script (+scriptPubkey+) must match +IsStandard+ forms
|
|
|
|
|
(this rejects "nonstandard" transactions).
|
|
|
|
|
|
|
|
|
|
- A matching transaction in the pool, or in a block in the main branch,
|
|
|
|
|
must exist.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
- For each input, if the referenced output exists in any other
|
|
|
|
|
transaction in the pool, the transaction must be rejected.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
- For each input, look in the main branch and the transaction pool to
|
|
|
|
|
find the referenced output transaction. If the output transaction is
|
|
|
|
|
missing for any input, this will be an orphan transaction. Add to the
|
|
|
|
|
orphan transactions pool, if a matching transaction is not already in
|
|
|
|
|
the pool.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
- For each input, if the referenced output transaction is a coinbase
|
|
|
|
|
output, it must have at least +COINBASE_MATURITY+ (100) confirmations.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
- For each input, the referenced output must exist and cannot already be
|
|
|
|
|
spent.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
- Using the referenced output transactions to get input values, check
|
|
|
|
|
that each input value, as well as the sum, are in the allowed range of
|
|
|
|
|
values (less than 21m coins, more than 0).
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
- Reject if the sum of input values is less than sum of output values.
|
|
|
|
|
|
|
|
|
|
- Reject if transaction fee would be too low (+minRelayTxFee+) to get
|
|
|
|
|
into an empty block.
|
|
|
|
|
|
|
|
|
|
- The unlocking scripts for each input must validate against the
|
|
|
|
|
corresponding output locking scripts.
|
|
|
|
|
|
|
|
|
|
These conditions can be seen in detail in the functions
|
|
|
|
|
+AcceptToMemoryPool+, +CheckTransaction+, and +CheckInputs+ in Bitcoin
|
|
|
|
|
Core. Note that the conditions change over time, to address new types of
|
|
|
|
|
denial-of-service attacks or sometimes to relax the rules so as to
|
|
|
|
|
include more types of transactions.
|
|
|
|
|
|
|
|
|
|
By independently verifying each transaction as it is received and before
|
|
|
|
|
propagating it, every node builds a pool of valid (but unconfirmed)
|
|
|
|
|
transactions known as the _transaction pool_, _memory pool_, or
|
|
|
|
|
_mempool_.
|
|
|
|
|
|
|
|
|
|
=== Mining Nodes
|
|
|
|
|
|
|
|
|
|
((("mining and consensus", "mining nodes")))((("Bitcoin nodes", "mining
|
|
|
|
|
nodes")))Some of the nodes on the Bitcoin network are specialized nodes
|
|
|
|
|
called _miners_. In <<ch01_intro_what_is_bitcoin>> we introduced ((("use
|
|
|
|
|
cases", "mining for bitcoin", id="jingten")))Jing, a computer
|
|
|
|
|
engineering student in Shanghai, China, who is a bitcoin miner. Jing
|
|
|
|
|
earns bitcoin by running a "mining rig," which is a specialized
|
|
|
|
|
computer-hardware system designed to mine bitcoin. Jing's specialized
|
|
|
|
|
mining hardware is connected to a server running a full Bitcoin node.
|
|
|
|
|
Unlike Jing, some miners mine without a full node, as we will see in
|
|
|
|
|
<<mining_pools>>. Like every other full node, Jing's node receives and
|
|
|
|
|
propagates unconfirmed transactions on the Bitcoin network. Jing's node,
|
|
|
|
|
however, also aggregates these transactions into new blocks.
|
|
|
|
|
|
|
|
|
|
Jing's node is listening for new blocks, propagated on the Bitcoin
|
|
|
|
|
network, as do all nodes. However, the arrival of a new block has
|
|
|
|
|
special significance for a mining node. The competition among miners
|
|
|
|
|
effectively ends with the propagation of a new block that acts as an
|
|
|
|
|
announcement of a winner. To miners, receiving a valid new block means
|
|
|
|
|
someone else won the competition and they lost. However, the end of one
|
|
|
|
|
round of a competition is also the beginning of the next round. The new
|
|
|
|
|
block is not just a checkered flag, marking the end of the race; it is
|
|
|
|
|
also the starting pistol in the race for the next block.
|
|
|
|
|
|
|
|
|
|
=== Aggregating Transactions into Blocks
|
|
|
|
|
|
|
|
|
|
((("mining and consensus", "aggregating transactions into blocks",
|
|
|
|
|
id="MACaggreg10")))((("transactions", "aggregating into blocks",
|
|
|
|
|
id="Taggreg10")))((("blocks", "aggregating transactions into",
|
|
|
|
|
id="Baggreg10")))((("blocks", "candidate blocks")))((("candidate
|
|
|
|
|
blocks")))((("transaction pools")))((("memory pools (mempools)")))After
|
|
|
|
|
validating transactions, a Bitcoin node will add them to the _memory
|
|
|
|
|
pool_, or _transaction pool_, where transactions await until they can be
|
|
|
|
|
included (mined) into a block. Jing's node collects, validates, and
|
|
|
|
|
relays new transactions just like any other node. Unlike other nodes,
|
|
|
|
|
however, Jing's node will then aggregate these transactions into a
|
|
|
|
|
_candidate block_.
|
|
|
|
|
|
|
|
|
|
Let's follow the blocks that were created during the time Alice bought a
|
|
|
|
|
cup of coffee from Bob's Cafe (see <<spending_bitcoin>>). Alice's
|
|
|
|
|
transaction was included in block 277,316. For the purpose of
|
|
|
|
|
demonstrating the concepts in this chapter, let's assume that block was
|
|
|
|
|
mined by Jing's mining system and follows Alice's transaction as it
|
|
|
|
|
becomes part of this new block.
|
|
|
|
|
|
|
|
|
|
Jing's mining node maintains a local copy of the blockchain. By the time
|
|
|
|
|
((("use cases", "buying coffee")))Alice buys the cup of coffee, Jing's
|
|
|
|
|
node has assembled a chain up to block 277,314. Jing's node is listening
|
|
|
|
|
for transactions, trying to mine a new block and also listening for
|
|
|
|
|
blocks discovered by other nodes. As Jing's node is mining, it receives
|
|
|
|
|
block 277,315 through the Bitcoin network. The arrival of this block
|
|
|
|
|
signifies the end of the competition for block 277,315 and the beginning
|
|
|
|
|
of the competition to create block 277,316.
|
|
|
|
|
|
|
|
|
|
During the previous 10 minutes, while Jing's node was searching for a
|
|
|
|
|
solution to block 277,315, it was also collecting transactions in
|
|
|
|
|
preparation for the next block. By now it has collected a few hundred
|
|
|
|
|
transactions in the memory pool. Upon receiving block 277,315 and
|
|
|
|
|
validating it, Jing's node will also compare it against all the
|
|
|
|
|
transactions in the memory pool and remove any that were included in
|
|
|
|
|
block 277,315. Whatever transactions remain in the memory pool are
|
|
|
|
|
unconfirmed and are waiting to be recorded in a new block.
|
|
|
|
|
|
|
|
|
|
((("Proof-of-Work algorithm")))((("mining and consensus", "Proof-of-Work
|
|
|
|
|
algorithm")))Jing's node immediately constructs a new empty block, a
|
|
|
|
|
candidate for block 277,316. This block is called a _candidate block_
|
|
|
|
|
because it is not yet a valid block, as it does not contain a valid
|
|
|
|
|
Proof-of-Work. The block becomes valid only if the miner succeeds in
|
|
|
|
|
finding a solution to the Proof-of-Work algorithm.
|
|
|
|
|
|
|
|
|
|
When Jing's node aggregates all the transactions from the memory pool,
|
|
|
|
|
the new candidate block has 418 transactions with total transaction fees
|
|
|
|
|
of 0.09094928 bitcoin. You can see this block in the blockchain using
|
|
|
|
|
the Bitcoin Core client command-line interface, as shown in
|
|
|
|
|
<<block277316>>.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[block277316]]
|
|
|
|
|
.Using the command line to retrieve block 277,316
|
|
|
|
|
====
|
|
|
|
|
[source,bash]
|
|
|
|
|
----
|
|
|
|
|
$ bitcoin-cli getblockhash 277316
|
|
|
|
|
|
|
|
|
|
0000000000000001b6b9a13b095e96db41c4a928b97ef2d944a9b31b2cc7bdc4
|
|
|
|
|
|
|
|
|
|
$ bitcoin-cli getblock 0000000000000001b6b9a13b095e96db41c4a928b97ef2d9\
|
|
|
|
|
44a9b31b2cc7bdc4
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[source,json]
|
|
|
|
|
----
|
|
|
|
|
{
|
|
|
|
|
"hash" : "0000000000000001b6b9a13b095e96db41c4a928b97ef2d944a9b31b2cc7bdc4",
|
|
|
|
|
"confirmations" : 35561,
|
|
|
|
|
"size" : 218629,
|
|
|
|
|
"height" : 277316,
|
|
|
|
|
"version" : 2,
|
|
|
|
|
"merkleroot" : "c91c008c26e50763e9f548bb8b2fc323735f73577effbc55502c51eb4cc7cf2e",
|
|
|
|
|
"tx" : [
|
|
|
|
|
"d5ada064c6417ca25c4308bd158c34b77e1c0eca2a73cda16c737e7424afba2f",
|
|
|
|
|
"b268b45c59b39d759614757718b9918caf0ba9d97c56f3b91956ff877c503fbe",
|
|
|
|
|
|
|
|
|
|
... 417 more transactions ...
|
|
|
|
|
|
|
|
|
|
],
|
|
|
|
|
"time" : 1388185914,
|
|
|
|
|
"nonce" : 924591752,
|
|
|
|
|
"bits" : "1903a30c",
|
|
|
|
|
"difficulty" : 1180923195.25802612,
|
|
|
|
|
"chainwork" : "000000000000000000000000000000000000000000000934695e92aaf53afa1a",
|
|
|
|
|
"previousblockhash" : "0000000000000002a7bbd25a417c0374cc55261021e8a9ca74442b01284f0569"
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
==== The Coinbase Transaction
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("coinbase transactions", id="coinbtrans10")))((("transactions",
|
|
|
|
|
"coinbase transactions", id="Tcoinb10")))The first transaction in any
|
|
|
|
|
block is a special transaction, called a _coinbase transaction_. This
|
|
|
|
|
transaction is constructed by Jing's node and contains his _reward_ for
|
|
|
|
|
the mining effort.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[NOTE]
|
|
|
|
|
====
|
2023-05-23 20:40:36 +00:00
|
|
|
|
When block 277,316 was mined, the reward was 25 bitcoin per block. Since
|
|
|
|
|
then, one "halving" period has elapsed. The block reward changed to 12.5
|
|
|
|
|
bitcoin in July 2016. It will be halved again in 210,000 blocks, in the
|
|
|
|
|
year 2020.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
====
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Jing's node creates the coinbase transaction as a payment to his own
|
|
|
|
|
wallet: "Pay Jing's address 25.09094928 bitcoin." The total amount of
|
|
|
|
|
reward that Jing collects for mining a block is the sum of the coinbase
|
|
|
|
|
reward (25 new bitcoin) and the transaction fees (0.09094928) from all
|
|
|
|
|
the transactions included in the block as shown in
|
|
|
|
|
<<generation_tx_example>>.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[[generation_tx_example]]
|
|
|
|
|
.Coinbase transaction
|
|
|
|
|
====
|
|
|
|
|
----
|
|
|
|
|
$ bitcoin-cli getrawtransaction d5ada064c6417ca25c4308bd158c34b77e1c0eca2a73cda16c737e7424afba2f 1
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
[source,json]
|
2017-07-18 16:44:16 +00:00
|
|
|
|
[role="c_less_space"]
|
2017-04-24 21:09:15 +00:00
|
|
|
|
----
|
|
|
|
|
{
|
|
|
|
|
"hex" : "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff0f03443b0403858402062f503253482fffffffff0110c08d9500000000232102aa970c592640d19de03ff6f329d6fd2eecb023263b9ba5d1b81c29b523da8b21ac00000000",
|
|
|
|
|
"txid" : "d5ada064c6417ca25c4308bd158c34b77e1c0eca2a73cda16c737e7424afba2f",
|
|
|
|
|
"version" : 1,
|
|
|
|
|
"locktime" : 0,
|
|
|
|
|
"vin" : [
|
|
|
|
|
{
|
|
|
|
|
"coinbase" : "03443b0403858402062f503253482f",
|
|
|
|
|
"sequence" : 4294967295
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
"vout" : [
|
|
|
|
|
{
|
|
|
|
|
"value" : 25.09094928,
|
|
|
|
|
"n" : 0,
|
|
|
|
|
"scriptPubKey" : {
|
|
|
|
|
"asm" : "02aa970c592640d19de03ff6f329d6fd2eecb023263b9ba5d1b81c29b523da8b21OP_CHECKSIG",
|
|
|
|
|
"hex" : "2102aa970c592640d19de03ff6f329d6fd2eecb023263b9ba5d1b81c29b523da8b21ac",
|
|
|
|
|
"reqSigs" : 1,
|
|
|
|
|
"type" : "pubkey",
|
|
|
|
|
"addresses" : [
|
|
|
|
|
"1MxTkeEP2PmHSMze5tUZ1hAV3YTKu2Gh1N"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Unlike regular transactions, the coinbase transaction does not consume
|
|
|
|
|
(spend) UTXO as inputs. Instead, it has only one input, called the
|
|
|
|
|
_coinbase_, which creates bitcoin from nothing. The coinbase transaction
|
|
|
|
|
has one output, payable to the miner's own Bitcoin address. The output
|
|
|
|
|
of the coinbase transaction sends the value of 25.09094928 bitcoin to
|
|
|
|
|
the miner's Bitcoin address; in this case it is
|
|
|
|
|
+1MxTkeEP2PmHSMze5tUZ1hAV3YTKu2Gh1N+.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
==== Coinbase Reward and Fees
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("coinbase transactions", "rewards and fees")))((("fees", "transaction
|
|
|
|
|
fees")))((("mining and consensus", "rewards and fees")))To construct the
|
|
|
|
|
coinbase transaction, Jing's node first calculates the total amount of
|
|
|
|
|
transaction fees by adding all the inputs and outputs of the 418
|
|
|
|
|
transactions that were added to the block. The fees are calculated as:
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
----
|
2023-02-01 16:31:10 +00:00
|
|
|
|
Total Fees = Sum(Inputs) - Sum(Outputs)
|
2017-04-24 21:09:15 +00:00
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
In block 277,316, the total transaction fees are 0.09094928 bitcoin.
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Next, Jing's node calculates the correct reward for the new block. The
|
|
|
|
|
reward is calculated based on the block height, starting at 50 bitcoin
|
|
|
|
|
per block and reduced by half every 210,000 blocks. Because this block
|
|
|
|
|
is at height 277,316, the correct reward is 25 bitcoin.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
The calculation can be seen in function +GetBlockSubsidy+ in the Bitcoin
|
|
|
|
|
Core client, as shown in <<getblocksubsidy_source>>.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[getblocksubsidy_source]]
|
|
|
|
|
.Calculating the block reward—Function GetBlockSubsidy, Bitcoin Core Client, main.cpp
|
|
|
|
|
====
|
2017-07-18 16:40:15 +00:00
|
|
|
|
[role="c_less_space"]
|
2017-04-24 21:09:15 +00:00
|
|
|
|
[source, cpp]
|
|
|
|
|
----
|
|
|
|
|
CAmount GetBlockSubsidy(int nHeight, const Consensus::Params& consensusParams)
|
|
|
|
|
{
|
|
|
|
|
int halvings = nHeight / consensusParams.nSubsidyHalvingInterval;
|
|
|
|
|
// Force block reward to zero when right shift is undefined.
|
|
|
|
|
if (halvings >= 64)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
CAmount nSubsidy = 50 * COIN;
|
|
|
|
|
// Subsidy is cut in half every 210,000 blocks which will occur approximately every 4 years.
|
|
|
|
|
nSubsidy >>= halvings;
|
|
|
|
|
return nSubsidy;
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
The initial subsidy is calculated in satoshis by multiplying 50 with the
|
|
|
|
|
+COIN+ constant (100,000,000 satoshis). This sets the initial reward
|
|
|
|
|
(+nSubsidy+) at 5 billion satoshis.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("halvings")))Next, the function calculates the number of +halvings+
|
|
|
|
|
that have occurred by dividing the current block height by the halving
|
|
|
|
|
interval (+SubsidyHalvingInterval+). In the case of block 277,316, with
|
|
|
|
|
a halving interval every 210,000 blocks, the result is 1 halving.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
The maximum number of halvings allowed is 64, so the code imposes a zero
|
|
|
|
|
reward (returns only the fees) if the 64 halvings is exceeded.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Next, the function uses the binary-right-shift operator to divide the
|
|
|
|
|
reward (+nSubsidy+) by two for each round of halving. In the case of
|
|
|
|
|
block 277,316, this would binary-right-shift the reward of 5 billion
|
|
|
|
|
satoshis once (one halving) and result in 2.5 billion satoshis, or 25
|
|
|
|
|
bitcoins. The binary-right-shift operator is used because it is more
|
|
|
|
|
efficient than multiple repeated divisions. To avoid a potential bug,
|
|
|
|
|
the shift operation is skipped after 63 halvings, and the subsidy is set
|
|
|
|
|
to 0.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Finally, the coinbase reward (+nSubsidy+) is added to the transaction
|
|
|
|
|
fees (+nFees+), and the sum is returned.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[TIP]
|
|
|
|
|
====
|
2023-05-23 20:40:36 +00:00
|
|
|
|
If Jing's mining node writes the coinbase transaction, what stops Jing
|
|
|
|
|
from "rewarding" himself 100 or 1000 bitcoin? The answer is that an
|
|
|
|
|
incorrect reward would result in the block being deemed invalid by
|
|
|
|
|
everyone else, wasting Jing's electricity used for Proof-of-Work. Jing
|
|
|
|
|
only gets to spend the reward if the block is accepted by everyone.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
==== Structure of the Coinbase Transaction
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("coinbase transactions", "structure of")))With these calculations,
|
|
|
|
|
Jing's node then constructs the coinbase transaction to pay himself
|
|
|
|
|
25.09094928 bitcoin.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
As you can see in <<generation_tx_example>>, the coinbase transaction
|
|
|
|
|
has a special format. Instead of a transaction input specifying a
|
|
|
|
|
previous UTXO to spend, it has a "coinbase" input. We examined
|
|
|
|
|
transaction inputs in <<inputs>>. Let's compare a regular transaction
|
|
|
|
|
input with a coinbase transaction input. <<table_8-1>> shows the
|
|
|
|
|
structure of a regular transaction, while <<table_8-2>> shows the
|
|
|
|
|
structure of the coinbase transaction's input.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[table_8-1]]
|
|
|
|
|
.The structure of a "normal" transaction input
|
|
|
|
|
[options="header"]
|
|
|
|
|
|=======
|
|
|
|
|
|Size| Field | Description
|
|
|
|
|
| 32 bytes | Transaction Hash | Pointer to the transaction containing the UTXO to be spent
|
|
|
|
|
| 4 bytes | Output Index | The index number of the UTXO to be spent, first one is 0
|
|
|
|
|
| 1–9 bytes (VarInt) | Unlocking-Script Size | Unlocking-Script length in bytes, to follow
|
2017-05-10 17:04:27 +00:00
|
|
|
|
| Variable | Unlocking-Script | A script that fulfills the conditions of the UTXO locking script
|
2023-02-01 16:31:10 +00:00
|
|
|
|
| 4 bytes | Sequence Number | Currently disabled Tx-replacement feature, set to 0xFFFFFFFF
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|=======
|
|
|
|
|
|
|
|
|
|
[[table_8-2]]
|
|
|
|
|
.The structure of a coinbase transaction input
|
|
|
|
|
[options="header"]
|
|
|
|
|
|=======
|
|
|
|
|
|Size| Field | Description
|
|
|
|
|
| 32 bytes | Transaction Hash | All bits are zero: Not a transaction hash reference
|
|
|
|
|
| 4 bytes | Output Index | All bits are ones: 0xFFFFFFFF
|
|
|
|
|
| 1–9 bytes (VarInt) | Coinbase Data Size | Length of the coinbase data, from 2 to 100 bytes
|
2017-05-10 19:06:23 +00:00
|
|
|
|
| Variable | Coinbase Data | Arbitrary data used for extra nonce and mining tags. In v2 blocks; must begin with block height
|
2017-04-24 21:09:15 +00:00
|
|
|
|
| 4 bytes | Sequence Number | Set to 0xFFFFFFFF
|
|
|
|
|
|=======
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
In a coinbase transaction, the first two fields are set to values that
|
|
|
|
|
do not represent a UTXO reference. Instead of a "transaction hash," the
|
|
|
|
|
first field is filled with 32 bytes all set to zero. The "output index"
|
|
|
|
|
is filled with 4 bytes all set to 0xFF (255 decimal). The "Unlocking
|
|
|
|
|
Script" (+scriptSig+) is replaced by coinbase data, a data field used by
|
|
|
|
|
the miners, as we will see next.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
==== Coinbase Data
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("coinbase transactions", "coinbase data")))Coinbase transactions do
|
|
|
|
|
not have an unlocking script (aka, +scriptSig+) field. Instead, this
|
|
|
|
|
field is replaced by coinbase data, which must be between 2 and 100
|
|
|
|
|
bytes. Except for the first few bytes, the rest of the coinbase data can
|
|
|
|
|
be used by miners in any way they want; it is arbitrary data.
|
|
|
|
|
|
|
|
|
|
((("nonce values")))((("blocks", "genesis block")))((("blockchain
|
|
|
|
|
(the)", "genesis block")))((("genesis block")))In the genesis block, for
|
|
|
|
|
example, Satoshi Nakamoto added the text "The Times 03/Jan/2009
|
|
|
|
|
Chancellor on brink of second bailout for banks" in the coinbase data,
|
|
|
|
|
using it as a proof of the date and to convey a message. Currently,
|
|
|
|
|
miners use the coinbase data to include extra nonce values and strings
|
|
|
|
|
identifying the mining pool.
|
|
|
|
|
|
|
|
|
|
The first few bytes of the coinbase used to be arbitrary, but that is no
|
2023-05-23 20:47:54 +00:00
|
|
|
|
longer the case. As per BIP34, version-2 blocks (blocks with the
|
2023-05-23 20:40:36 +00:00
|
|
|
|
version field set to 2) must contain the block height index as a script
|
|
|
|
|
"push" operation in the beginning of the coinbase field.
|
|
|
|
|
|
|
|
|
|
In block 277,316 we see that the coinbase (see
|
|
|
|
|
<<generation_tx_example>>), which is in the unlocking script or
|
|
|
|
|
+scriptSig+ field of the transaction input, contains the hexadecimal
|
|
|
|
|
value +03443b0403858402062f503253482f+. Let's decode this value.
|
|
|
|
|
|
|
|
|
|
The first byte, +03+, instructs the script execution engine to push the
|
|
|
|
|
next three bytes onto the script stack (see
|
|
|
|
|
<<tx_script_ops_table_pushdata>>). The next three bytes, +0x443b04+, are
|
|
|
|
|
the block height encoded in little-endian format (backward,
|
|
|
|
|
least-significant byte first). Reverse the order of the bytes and the
|
|
|
|
|
result is +0x043b44+, which is 277,316 in decimal.
|
|
|
|
|
|
|
|
|
|
The next few hexadecimal digits (+0385840206+) are used to encode an
|
|
|
|
|
extra _nonce_ (see <<extra_nonce>>), or random value, used to find a
|
|
|
|
|
suitable Proof-of-Work solution.
|
|
|
|
|
|
|
|
|
|
((("bitcoin improvement proposals", "Pay to Script Hash
|
2023-05-23 20:47:54 +00:00
|
|
|
|
(BIP16)")))((("bitcoin improvement proposals", "CHECKHASHVERIFY
|
|
|
|
|
(BIP17)")))((("CHECKHASHVERIFY (CHV)")))((("Pay-to-Script-Hash (P2SH)",
|
2023-05-23 20:40:36 +00:00
|
|
|
|
"coinbase data")))The final part of the coinbase data (+2f503253482f+)
|
|
|
|
|
is the ASCII-encoded string pass:[<span
|
|
|
|
|
class="keep-together"><code>/P2SH/</code></span>], which indicates that
|
|
|
|
|
the mining node that mined this block supports the P2SH improvement
|
2023-05-23 20:47:54 +00:00
|
|
|
|
defined in BIP16. The introduction of the P2SH capability required
|
|
|
|
|
signaling by miners to endorse either BIP16 or BIP17. Those endorsing
|
|
|
|
|
the BIP16 implementation were to include +/P2SH/+ in their coinbase
|
|
|
|
|
data. Those endorsing the BIP17 implementation of P2SH were to include
|
|
|
|
|
the string +p2sh/CHV+ in their coinbase data. The BIP16 was elected as
|
2023-05-23 20:40:36 +00:00
|
|
|
|
the winner, and many miners continued including the string +/P2SH/+ in
|
|
|
|
|
their coinbase to indicate support for this feature.
|
|
|
|
|
|
|
|
|
|
<<satoshi_words>> uses the libbitcoin library introduced in
|
|
|
|
|
<<alt_libraries>> to extract the coinbase data from the genesis block,
|
|
|
|
|
displaying Satoshi's message. Note that the libbitcoin library contains
|
|
|
|
|
a static copy of the genesis block, so the example code can retrieve the
|
|
|
|
|
genesis block directly from the library.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[satoshi_words]]
|
|
|
|
|
.Extract the coinbase data from the genesis block
|
|
|
|
|
====
|
|
|
|
|
[source, cpp]
|
|
|
|
|
----
|
|
|
|
|
include::code/satoshi-words.cpp[]
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
We compile the code with the GNU C++ compiler and run the resulting
|
|
|
|
|
executable, as shown in <<satoshi_words_run>>.((("",
|
|
|
|
|
startref="MACaggreg10")))((("", startref="Baggreg10")))((("",
|
|
|
|
|
startref="Taggreg10")))((("", startref="Tcoinb10")))((("",
|
|
|
|
|
startref="coinbtrans10")))
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[satoshi_words_run]]
|
|
|
|
|
.Compiling and running the satoshi-words example code
|
|
|
|
|
====
|
|
|
|
|
[source,bash]
|
|
|
|
|
----
|
2023-02-01 16:31:10 +00:00
|
|
|
|
$ # Compile the code
|
2017-04-24 21:09:15 +00:00
|
|
|
|
$ g++ -o satoshi-words satoshi-words.cpp $(pkg-config --cflags --libs libbitcoin)
|
2023-02-01 16:31:10 +00:00
|
|
|
|
$ # Run the executable
|
2017-04-24 21:09:15 +00:00
|
|
|
|
$ ./satoshi-words
|
|
|
|
|
^D<><44><GS>^A^DEThe Times 03/Jan/2009 Chancellor on brink of second bailout for banks
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
=== Constructing the Block Header
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("mining and consensus", "constructing block headers")))((("blocks",
|
|
|
|
|
"headers")))((("headers")))((("blockchain (the)", "block headers")))To
|
|
|
|
|
construct the block header, the mining node needs to fill in six fields,
|
|
|
|
|
as listed in <<block_header_structure_ch10>>.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[block_header_structure_ch10]]
|
|
|
|
|
.The structure of the block header
|
|
|
|
|
[options="header"]
|
|
|
|
|
|=======
|
|
|
|
|
|Size| Field | Description
|
|
|
|
|
| 4 bytes | Version | A version number to track software/protocol upgrades
|
|
|
|
|
| 32 bytes | Previous Block Hash | A reference to the hash of the previous (parent) block in the chain
|
|
|
|
|
| 32 bytes | Merkle Root | A hash of the root of the merkle tree of this block's transactions
|
|
|
|
|
| 4 bytes | Timestamp | The approximate creation time of this block (seconds from Unix Epoch)
|
|
|
|
|
| 4 bytes | Target | The Proof-of-Work algorithm target for this block
|
|
|
|
|
| 4 bytes | Nonce | A counter used for the Proof-of-Work algorithm
|
|
|
|
|
|=======
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
At the time that block 277,316 was mined, the version number describing
|
|
|
|
|
the block structure is version 2, which is encoded in little-endian
|
|
|
|
|
format in 4 bytes as +0x02000000+.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("blocks", "parent blocks")))((("parent blocks")))Next, the mining
|
|
|
|
|
node needs to add the "Previous Block Hash" (also known as +prevhash+).
|
|
|
|
|
That is the hash of the block header of block 277,315, the previous
|
|
|
|
|
block received from the network, which Jing's node has accepted and
|
|
|
|
|
selected as the _parent_ of the candidate block 277,316. The block
|
|
|
|
|
header hash for block 277,315 is:
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
0000000000000002a7bbd25a417c0374cc55261021e8a9ca74442b01284f0569
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
[TIP]
|
|
|
|
|
====
|
2023-05-23 20:40:36 +00:00
|
|
|
|
By selecting the specific _parent_ block, indicated by the Previous
|
|
|
|
|
Block Hash field in the candidate block header, Jing is committing his
|
|
|
|
|
mining power to extending the chain that ends in that specific block. In
|
|
|
|
|
essence, this is how Jing "votes" with his mining power for the
|
|
|
|
|
longest-difficulty valid chain.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
====
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("merkle trees")))((("blockchain (the)", "merkle trees")))The next
|
|
|
|
|
step is to summarize all the transactions with a merkle tree, in order
|
|
|
|
|
to add the merkle root to the block header. The coinbase transaction is
|
|
|
|
|
listed as the first transaction in the block. Then, 418 more
|
|
|
|
|
transactions are added after it, for a total of 419 transactions in the
|
|
|
|
|
block. As we saw in the <<merkle_trees>>, there must be an even number
|
|
|
|
|
of "leaf" nodes in the tree, so the last transaction is duplicated,
|
|
|
|
|
creating 420 nodes, each containing the hash of one transaction. The
|
|
|
|
|
transaction hashes are then combined, in pairs, creating each level of
|
|
|
|
|
the tree, until all the transactions are summarized into one node at the
|
|
|
|
|
"root" of the tree. The root of the merkle tree summarizes all the
|
|
|
|
|
transactions into a single 32-byte value, which you can see listed as
|
|
|
|
|
"merkle root" in <<block277316>>, and here:
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
c91c008c26e50763e9f548bb8b2fc323735f73577effbc55502c51eb4cc7cf2e
|
|
|
|
|
----
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Jing's mining node will then add a 4-byte timestamp, encoded as a Unix
|
|
|
|
|
"epoch" timestamp, which is based on the number of seconds elapsed from
|
|
|
|
|
January 1, 1970, midnight UTC/GMT. The time +1388185914+ is equal to
|
|
|
|
|
Friday, 27 Dec 2013, 23:11:54 UTC/GMT.
|
|
|
|
|
|
|
|
|
|
Jing's node then fills in the target, which defines the required
|
|
|
|
|
Proof-of-Work to make this a valid block. The target is stored in the
|
|
|
|
|
block as a "target bits" metric, which is a mantissa-exponent encoding
|
|
|
|
|
of the target. The encoding has a 1-byte exponent, followed by a 3-byte
|
|
|
|
|
mantissa (coefficient). In block 277,316, for example, the target bits
|
|
|
|
|
value is +0x1903a30c+. The first part +0x19+ is a hexadecimal exponent,
|
|
|
|
|
while the next part, +0x03a30c+, is the coefficient. The concept of a
|
|
|
|
|
target is explained in <<target>> and the "target bits" representation
|
|
|
|
|
is explained in <<target_bits>>.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2017-04-26 17:08:26 +00:00
|
|
|
|
The final field is the nonce, which is initialized to zero.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
With all the other fields filled, the block header is now complete and
|
|
|
|
|
the process of mining can begin. The goal is now to find a value for the
|
|
|
|
|
nonce that results in a block header hash that is less than the target.
|
|
|
|
|
The mining node will need to test billions or trillions of nonce values
|
|
|
|
|
before a nonce is found that satisfies the requirement.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
=== Mining the Block
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("mining and consensus", "mining the block", id="MACmining10")))Now
|
|
|
|
|
that a candidate block has been constructed by Jing's node, it is time
|
|
|
|
|
for Jing's hardware mining rig to "mine" the block, to find a solution
|
|
|
|
|
to the Proof-of-Work algorithm that makes the block valid. Throughout
|
|
|
|
|
this book we have studied cryptographic hash functions as used in
|
|
|
|
|
various aspects of the Bitcoin system. The hash function SHA256 is the
|
|
|
|
|
function used in bitcoin's mining process.((("", startref="jingten")))
|
|
|
|
|
|
|
|
|
|
((("mining and consensus", "defined")))In the simplest terms, mining is
|
|
|
|
|
the process of hashing the block header repeatedly, changing one
|
|
|
|
|
parameter, until the resulting hash matches a specific target. The hash
|
|
|
|
|
function's result cannot be determined in advance, nor can a pattern be
|
|
|
|
|
created that will produce a specific hash value. This feature of hash
|
|
|
|
|
functions means that the only way to produce a hash result matching a
|
|
|
|
|
specific target is to try again and again, randomly modifying the input
|
|
|
|
|
until the desired hash result appears by chance.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
==== Proof-of-Work Algorithm
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("Proof-of-Work algorithm", id="proof10")))((("mining and consensus",
|
|
|
|
|
"Proof-of-Work algorithm", id="Cproof10")))A hash algorithm takes an
|
|
|
|
|
arbitrary-length data input and produces a fixed-length deterministic
|
|
|
|
|
result, a digital fingerprint of the input. For any specific input, the
|
|
|
|
|
resulting hash will always be the same and can be easily calculated and
|
|
|
|
|
verified by anyone implementing the same hash algorithm.
|
|
|
|
|
((("collisions")))The key characteristic of a cryptographic hash
|
|
|
|
|
algorithm is that it is computationally infeasible to find two different
|
|
|
|
|
inputs that produce the same fingerprint (known as a _collision_). As a
|
|
|
|
|
corollary, it is also virtually impossible to select an input in such a
|
|
|
|
|
way as to produce a desired fingerprint, other than trying random
|
|
|
|
|
inputs.
|
|
|
|
|
|
|
|
|
|
With SHA256, the output is always 256 bits long, regardless of the size
|
|
|
|
|
of the input. In <<sha256_example1>>, we will use the Python interpreter
|
|
|
|
|
to calculate the SHA256 hash of the phrase, "I am Satoshi Nakamoto."
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[sha256_example1]]
|
|
|
|
|
.SHA256 example
|
|
|
|
|
====
|
|
|
|
|
[source,bash]
|
|
|
|
|
----
|
|
|
|
|
$ python
|
|
|
|
|
----
|
|
|
|
|
[source,pycon]
|
|
|
|
|
----
|
2023-02-01 16:31:10 +00:00
|
|
|
|
Python 2.7.1
|
2017-04-24 21:09:15 +00:00
|
|
|
|
>>> import hashlib
|
2023-02-01 16:31:10 +00:00
|
|
|
|
>>> print hashlib.sha256("I am Satoshi Nakamoto").hexdigest()
|
|
|
|
|
5d7c7ba21cbbcd75d14800b100252d5b428e5b1213d27c385bc141ca6b47989e
|
2017-04-24 21:09:15 +00:00
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
<<sha256_example1>> shows the result of calculating the hash of +"I am
|
|
|
|
|
Satoshi Nakamoto"+:
|
|
|
|
|
+5d7c7ba21cbbcd75d14800b100252d5b428e5b1213d27c385bc141ca6b47989e+. This
|
|
|
|
|
256-bit number is the _hash_ or _digest_ of the phrase and depends on
|
|
|
|
|
every part of the phrase. Adding a single letter, punctuation mark, or
|
|
|
|
|
any other character will produce a different hash.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Now, if we change the phrase, we should expect to see completely
|
|
|
|
|
different hashes. Let's try that by adding a number to the end of our
|
|
|
|
|
phrase, using the simple Python scripting in
|
|
|
|
|
<<sha256_example_generator>>.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[sha256_example_generator]]
|
2017-05-10 17:04:27 +00:00
|
|
|
|
.SHA256 script for generating many hashes by iterating on a nonce
|
2017-04-24 21:09:15 +00:00
|
|
|
|
====
|
2017-07-18 16:48:44 +00:00
|
|
|
|
[role="c_less_space"]
|
2017-04-24 21:09:15 +00:00
|
|
|
|
[source, python]
|
|
|
|
|
----
|
|
|
|
|
include::code/hash_example.py[]
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Running this will produce the hashes of several phrases, made different
|
|
|
|
|
by adding a number at the end of the text. By incrementing the number,
|
|
|
|
|
we can get different hashes, as shown in
|
|
|
|
|
<<sha256_example_generator_output>>.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[sha256_example_generator_output]]
|
|
|
|
|
.SHA256 output of a script for generating many hashes by iterating on a nonce
|
|
|
|
|
====
|
|
|
|
|
[source,bash]
|
|
|
|
|
----
|
|
|
|
|
$ python hash_example.py
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
I am Satoshi Nakamoto0 => a80a81401765c8eddee25df36728d732...
|
|
|
|
|
I am Satoshi Nakamoto1 => f7bc9a6304a4647bb41241a677b5345f...
|
|
|
|
|
I am Satoshi Nakamoto2 => ea758a8134b115298a1583ffb80ae629...
|
|
|
|
|
I am Satoshi Nakamoto3 => bfa9779618ff072c903d773de30c99bd...
|
|
|
|
|
I am Satoshi Nakamoto4 => bce8564de9a83c18c31944a66bde992f...
|
|
|
|
|
I am Satoshi Nakamoto5 => eb362c3cf3479be0a97a20163589038e...
|
|
|
|
|
I am Satoshi Nakamoto6 => 4a2fd48e3be420d0d28e202360cfbaba...
|
|
|
|
|
I am Satoshi Nakamoto7 => 790b5a1349a5f2b909bf74d0d166b17a...
|
|
|
|
|
I am Satoshi Nakamoto8 => 702c45e5b15aa54b625d68dd947f1597...
|
|
|
|
|
I am Satoshi Nakamoto9 => 7007cf7dd40f5e933cd89fff5b791ff0...
|
|
|
|
|
I am Satoshi Nakamoto10 => c2f38c81992f4614206a21537bd634a...
|
|
|
|
|
I am Satoshi Nakamoto11 => 7045da6ed8a914690f087690e1e8d66...
|
|
|
|
|
I am Satoshi Nakamoto12 => 60f01db30c1a0d4cbce2b4b22e88b9b...
|
|
|
|
|
I am Satoshi Nakamoto13 => 0ebc56d59a34f5082aaef3d66b37a66...
|
|
|
|
|
I am Satoshi Nakamoto14 => 27ead1ca85da66981fd9da01a8c6816...
|
|
|
|
|
I am Satoshi Nakamoto15 => 394809fb809c5f83ce97ab554a2812c...
|
|
|
|
|
I am Satoshi Nakamoto16 => 8fa4992219df33f50834465d3047429...
|
|
|
|
|
I am Satoshi Nakamoto17 => dca9b8b4f8d8e1521fa4eaa46f4f0cd...
|
|
|
|
|
I am Satoshi Nakamoto18 => 9989a401b2a3a318b01e9ca9a22b0f3...
|
|
|
|
|
I am Satoshi Nakamoto19 => cda56022ecb5b67b2bc93a2d764e75f...
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Each phrase produces a completely different hash result. They seem
|
|
|
|
|
completely random, but you can reproduce the exact results in this
|
|
|
|
|
example on any computer with Python and see the same exact hashes.
|
|
|
|
|
|
|
|
|
|
The number used as a variable in such a scenario is called a _nonce_.
|
|
|
|
|
The nonce is used to vary the output of a cryptographic function, in
|
|
|
|
|
this case to vary the SHA256 fingerprint of the phrase.
|
|
|
|
|
|
|
|
|
|
To make a challenge out of this algorithm, let's set a target: find a
|
|
|
|
|
phrase that produces a hexadecimal hash that starts with a zero.
|
|
|
|
|
Fortunately, this isn't difficult! <<sha256_example_generator_output>>
|
|
|
|
|
shows that the phrase "I am Satoshi Nakamoto13" produces the hash
|
|
|
|
|
+0ebc56d59a34f5082aaef3d66b37a661696c2b618e62432727216ba9531041a5+,
|
|
|
|
|
which fits our criteria. It took 13 attempts to find it. In terms of
|
|
|
|
|
probabilities, if the output of the hash function is evenly distributed
|
|
|
|
|
we would expect to find a result with a 0 as the hexadecimal prefix once
|
|
|
|
|
every 16 hashes (one out of 16 hexadecimal digits 0 through F). In
|
|
|
|
|
numerical terms, that means finding a hash value that is less than
|
|
|
|
|
+0x1000000000000000000000000000000000000000000000000000000000000000+. We
|
|
|
|
|
call this threshold the _target_ and the goal is to find a hash that is
|
|
|
|
|
numerically less than the target. If we decrease the target, the task of
|
|
|
|
|
finding a hash that is less than the target becomes more and more
|
|
|
|
|
difficult.
|
|
|
|
|
|
|
|
|
|
To give a simple analogy, imagine a game where players throw a pair of
|
|
|
|
|
dice repeatedly, trying to throw less than a specified target. In the
|
|
|
|
|
first round, the target is 12. Unless you throw double-six, you win. In
|
|
|
|
|
the next round the target is 11. Players must throw 10 or less to win,
|
|
|
|
|
again an easy task. Let's say a few rounds later the target is down to
|
|
|
|
|
5. Now, more than half the dice throws will exceed the target and
|
|
|
|
|
therefore be invalid. It takes exponentially more dice throws to win,
|
|
|
|
|
the lower the target gets. Eventually, when the target is 2 (the minimum
|
|
|
|
|
possible), only one throw out of every 36, or 2% of them, will produce a
|
|
|
|
|
winning result.
|
|
|
|
|
|
|
|
|
|
From the perspective of an observer who knows that the target of the
|
|
|
|
|
dice game is 2, if someone has succeeded in casting a winning throw it
|
|
|
|
|
can be assumed that they attempted, on average, 36 throws. In other
|
|
|
|
|
words, one can estimate the amount of work it takes to succeed from the
|
|
|
|
|
difficulty imposed by the target. When the algorithm is a based on a
|
|
|
|
|
deterministic function such as SHA256, the input itself constitutes
|
|
|
|
|
_proof_ that a certain amount of _work_ was done to produce a result
|
|
|
|
|
below the target. Hence, _Proof-of-Work_.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[TIP]
|
|
|
|
|
====
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Even though each attempt produces a random outcome, the probability of
|
|
|
|
|
any possible outcome can be calculated in advance. Therefore, an outcome
|
|
|
|
|
of specified difficulty constitutes proof of a specific amount of work.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
====
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
In <<sha256_example_generator_output>>, the winning "nonce" is 13 and
|
|
|
|
|
this result can be confirmed by anyone independently. Anyone can add the
|
|
|
|
|
number 13 as a suffix to the phrase "I am Satoshi Nakamoto" and compute
|
|
|
|
|
the hash, verifying that it is less than the target. The successful
|
|
|
|
|
result is also Proof-of-Work, because it proves we did the work to find
|
|
|
|
|
that nonce. While it only takes one hash computation to verify, it took
|
|
|
|
|
us 13 hash computations to find a nonce that worked. If we had a lower
|
|
|
|
|
target (higher difficulty) it would take many more hash computations to
|
|
|
|
|
find a suitable nonce, but only one hash computation for anyone to
|
|
|
|
|
verify. Furthermore, by knowing the target, anyone can estimate the
|
|
|
|
|
difficulty using statistics and therefore know how much work was needed
|
|
|
|
|
to find such a nonce.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[TIP]
|
|
|
|
|
====
|
2023-05-23 20:40:36 +00:00
|
|
|
|
The Proof-of-Work must produce a hash that is _less than_ the target. A
|
|
|
|
|
higher target means it is less difficult to find a hash that is below
|
|
|
|
|
the target. A lower target means it is more difficult to find a hash
|
|
|
|
|
below the target. The target and difficulty are inversely related.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
====
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("targets")))Bitcoin's Proof-of-Work is very similar to the challenge
|
|
|
|
|
shown in <<sha256_example_generator_output>>. The miner constructs a
|
|
|
|
|
candidate block filled with transactions. Next, the miner calculates the
|
|
|
|
|
hash of this block's header and sees if it is smaller than the current
|
|
|
|
|
_target_. If the hash is not less than the target, the miner will modify
|
|
|
|
|
the nonce (usually just incrementing it by one) and try again. At the
|
|
|
|
|
current difficulty in the Bitcoin network, miners have to try
|
|
|
|
|
quadrillions of times before finding a nonce that results in a low
|
|
|
|
|
enough block header hash.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
A very simplified Proof-of-Work algorithm is implemented in Python in
|
|
|
|
|
<<pow_example1>>.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[pow_example1]]
|
|
|
|
|
.Simplified Proof-of-Work implementation
|
|
|
|
|
====
|
|
|
|
|
[source, python]
|
|
|
|
|
----
|
|
|
|
|
include::code/proof-of-work-example.py[]
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Running this code, you can set the desired difficulty (in bits, how many
|
|
|
|
|
of the leading bits must be zero) and see how long it takes for your
|
|
|
|
|
computer to find a solution. In <<pow_example_outputs>>, you can see how
|
|
|
|
|
it works on an average laptop.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[pow_example_outputs]]
|
|
|
|
|
.Running the Proof-of-Work example for various difficulties
|
|
|
|
|
====
|
|
|
|
|
[source, bash]
|
|
|
|
|
----
|
|
|
|
|
$ python proof-of-work-example.py*
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
Difficulty: 1 (0 bits)
|
|
|
|
|
|
|
|
|
|
[...]
|
|
|
|
|
|
|
|
|
|
Difficulty: 8 (3 bits)
|
|
|
|
|
Starting search...
|
|
|
|
|
Success with nonce 9
|
|
|
|
|
Hash is 1c1c105e65b47142f028a8f93ddf3dabb9260491bc64474738133ce5256cb3c1
|
|
|
|
|
Elapsed Time: 0.0004 seconds
|
|
|
|
|
Hashing Power: 25065 hashes per second
|
|
|
|
|
Difficulty: 16 (4 bits)
|
|
|
|
|
Starting search...
|
|
|
|
|
Success with nonce 25
|
|
|
|
|
Hash is 0f7becfd3bcd1a82e06663c97176add89e7cae0268de46f94e7e11bc3863e148
|
|
|
|
|
Elapsed Time: 0.0005 seconds
|
|
|
|
|
Hashing Power: 52507 hashes per second
|
|
|
|
|
Difficulty: 32 (5 bits)
|
|
|
|
|
Starting search...
|
|
|
|
|
Success with nonce 36
|
|
|
|
|
Hash is 029ae6e5004302a120630adcbb808452346ab1cf0b94c5189ba8bac1d47e7903
|
|
|
|
|
Elapsed Time: 0.0006 seconds
|
|
|
|
|
Hashing Power: 58164 hashes per second
|
|
|
|
|
|
|
|
|
|
[...]
|
|
|
|
|
|
|
|
|
|
Difficulty: 4194304 (22 bits)
|
|
|
|
|
Starting search...
|
|
|
|
|
Success with nonce 1759164
|
|
|
|
|
Hash is 0000008bb8f0e731f0496b8e530da984e85fb3cd2bd81882fe8ba3610b6cefc3
|
|
|
|
|
Elapsed Time: 13.3201 seconds
|
|
|
|
|
Hashing Power: 132068 hashes per second
|
|
|
|
|
Difficulty: 8388608 (23 bits)
|
|
|
|
|
Starting search...
|
|
|
|
|
Success with nonce 14214729
|
|
|
|
|
Hash is 000001408cf12dbd20fcba6372a223e098d58786c6ff93488a9f74f5df4df0a3
|
|
|
|
|
Elapsed Time: 110.1507 seconds
|
|
|
|
|
Hashing Power: 129048 hashes per second
|
|
|
|
|
Difficulty: 16777216 (24 bits)
|
|
|
|
|
Starting search...
|
|
|
|
|
Success with nonce 24586379
|
|
|
|
|
Hash is 0000002c3d6b370fccd699708d1b7cb4a94388595171366b944d68b2acce8b95
|
|
|
|
|
Elapsed Time: 195.2991 seconds
|
|
|
|
|
Hashing Power: 125890 hashes per second
|
|
|
|
|
|
|
|
|
|
[...]
|
|
|
|
|
|
|
|
|
|
Difficulty: 67108864 (26 bits)
|
|
|
|
|
Starting search...
|
|
|
|
|
Success with nonce 84561291
|
|
|
|
|
Hash is 0000001f0ea21e676b6dde5ad429b9d131a9f2b000802ab2f169cbca22b1e21a
|
|
|
|
|
Elapsed Time: 665.0949 seconds
|
|
|
|
|
Hashing Power: 127141 hashes per second
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
As you can see, increasing the difficulty by 1 bit causes a doubling in
|
|
|
|
|
the time it takes to find a solution. If you think of the entire 256-bit
|
|
|
|
|
number space, each time you constrain one more bit to zero, you decrease
|
|
|
|
|
the search space by half. In <<pow_example_outputs>>, it takes 84
|
|
|
|
|
million hash attempts to find a nonce that produces a hash with 26
|
|
|
|
|
leading bits as zero. Even at a speed of more than 120,000 hashes per
|
|
|
|
|
second, it still requires 10 minutes on a laptop to find this solution.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
At the time of writing, the network is attempting to find a block whose
|
|
|
|
|
header hash is less than:
|
2017-05-10 19:06:23 +00:00
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
0000000000000000029AB9000000000000000000000000000000000000000000
|
|
|
|
|
----
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
As you can see, there are a lot of zeros at the beginning of that
|
|
|
|
|
target, meaning that the acceptable range of hashes is much smaller,
|
|
|
|
|
hence it's more difficult to find a valid hash. It will take on average
|
|
|
|
|
more than 1.8 zeta-hashes (thousand billion billion hashes) per second
|
|
|
|
|
for the network to discover the next block. That seems like an
|
|
|
|
|
impossible task, but fortunately the network is bringing 3 exa-hashes
|
|
|
|
|
per second (EH/sec) of processing power to bear, which will be able to
|
|
|
|
|
find a block in about 10 minutes on average.((("",
|
|
|
|
|
startref="Cproof10")))((("", startref="proof10")))
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[target_bits]]
|
|
|
|
|
==== Target Representation
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("mining and consensus", "mining the block", "target
|
|
|
|
|
representation")))((("targets", id="targets10")))In <<block277316>>, we
|
|
|
|
|
saw that the block contains the target, in a notation called "target
|
|
|
|
|
bits" or just "bits," which in block 277,316 has the value of
|
|
|
|
|
+0x1903a30c+. This notation expresses the Proof-of-Work target as a
|
|
|
|
|
coefficient/exponent format, with the first two hexadecimal digits for
|
|
|
|
|
the exponent and the next six hex digits as the coefficient. In this
|
|
|
|
|
block, therefore, the exponent is +0x19+ and the coefficient is
|
|
|
|
|
+0x03a30c+.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
The formula to calculate the difficulty target from this representation
|
|
|
|
|
is:
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2018-03-14 17:42:38 +00:00
|
|
|
|
++++
|
|
|
|
|
<ul class="simplelist">
|
|
|
|
|
<li>target = coefficient * 2<sup>(8*(exponent–3))</sup></li>
|
|
|
|
|
</ul>
|
|
|
|
|
++++
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
Using that formula, and the difficulty bits value 0x1903a30c, we get:
|
|
|
|
|
|
2018-03-14 17:42:38 +00:00
|
|
|
|
++++
|
|
|
|
|
<ul class="simplelist">
|
|
|
|
|
<li>target = 0x03a30c * 2<sup>0x08*(0x19-0x03)</sup></li>
|
|
|
|
|
<li>=> target = 0x03a30c * 2<sup>(0x08*0x16)</sup></li>
|
|
|
|
|
<li>=> target = 0x03a30c * 2<sup>0xB0</sup></li>
|
|
|
|
|
</ul>
|
|
|
|
|
++++
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
which in decimal is:
|
|
|
|
|
|
2018-03-14 17:42:38 +00:00
|
|
|
|
++++
|
|
|
|
|
<ul class="simplelist">
|
|
|
|
|
<li>=> target = 238,348 * 2<sup>176</sup></li>
|
2018-03-14 17:58:18 +00:00
|
|
|
|
<li>=> target = <br/>22,829,202,948,393,929,850,749,706,076,701,368,331,072,452,018,388,575,715,328</li>
|
2018-03-14 17:42:38 +00:00
|
|
|
|
</ul>
|
|
|
|
|
++++
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
switching back to hexadecimal:
|
|
|
|
|
|
2018-03-14 17:42:38 +00:00
|
|
|
|
++++
|
|
|
|
|
<ul class="simplelist">
|
2018-03-14 17:59:23 +00:00
|
|
|
|
<li>=> target = <br/>0x0000000000000003A30C00000000000000000000000000000000000000000000</li>
|
2018-03-14 17:42:38 +00:00
|
|
|
|
</ul>
|
|
|
|
|
++++
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
This means that a valid block for height 277,316 is one that has a block
|
|
|
|
|
header hash that is less than the target. In binary that number must
|
|
|
|
|
have more than 60 leading bits set to zero. With this level of
|
|
|
|
|
difficulty, a single miner processing 1 trillion hashes per second (1
|
|
|
|
|
terahash per second or 1 TH/sec) would only find a solution once every
|
|
|
|
|
8,496 blocks or once every 59 days, on average.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[target]]
|
|
|
|
|
==== Retargeting to Adjust Difficulty
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("mining and consensus", "mining the block", "retargeting to adjust
|
|
|
|
|
difficulty")))As we saw, the target determines the difficulty and
|
|
|
|
|
therefore affects how long it takes to find a solution to the
|
|
|
|
|
Proof-of-Work algorithm. This leads to the obvious questions: Why is the
|
|
|
|
|
difficulty adjustable, who adjusts it, and how?
|
|
|
|
|
|
|
|
|
|
Bitcoin's blocks are generated every 10 minutes, on average. This is
|
|
|
|
|
bitcoin's heartbeat and underpins the frequency of currency issuance and
|
|
|
|
|
the speed of transaction settlement. It has to remain constant not just
|
|
|
|
|
over the short term, but over a period of many decades. Over this time,
|
|
|
|
|
it is expected that computer power will continue to increase at a rapid
|
|
|
|
|
pace. Furthermore, the number of participants in mining and the
|
|
|
|
|
computers they use will also constantly change. To keep the block
|
|
|
|
|
generation time at 10 minutes, the difficulty of mining must be adjusted
|
|
|
|
|
to account for these changes. In fact, the Proof-of-Work target is a
|
|
|
|
|
dynamic parameter that is periodically adjusted to meet a 10-minute
|
|
|
|
|
block interval goal. In simple terms, the target is set so that the
|
|
|
|
|
current mining power will result in a 10-minute block interval.
|
|
|
|
|
|
|
|
|
|
How, then, is such an adjustment made in a completely decentralized
|
|
|
|
|
network? Retargeting occurs automatically and on every node
|
|
|
|
|
independently. Every 2,016 blocks, all nodes retarget the Proof-of-Work.
|
|
|
|
|
The equation for retargeting measures the time it took to find the last
|
|
|
|
|
2,016 blocks and compares that to the expected time of 20,160 minutes
|
|
|
|
|
(2,016 blocks times the desired 10-minute block interval). The ratio
|
|
|
|
|
between the actual timespan and desired timespan is calculated and a
|
|
|
|
|
proportionate adjustment (up or down) is made to the target. In simple
|
|
|
|
|
terms: If the network is finding blocks faster than every 10 minutes,
|
|
|
|
|
the difficulty increases (target decreases). If block discovery is
|
|
|
|
|
slower than expected, the difficulty decreases (target increases).
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
The equation can be summarized as:
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
New Target = Old Target * (Actual Time of Last 2016 Blocks / 20160 minutes)
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
<<retarget_code>> shows the code used in the Bitcoin Core client.
|
|
|
|
|
|
|
|
|
|
[[retarget_code]]
|
|
|
|
|
.Retargeting the Proof-of-Work—CalculateNextWorkRequired() in pow.cpp
|
|
|
|
|
====
|
|
|
|
|
[source,cpp]
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
// Limit adjustment step
|
|
|
|
|
int64_t nActualTimespan = pindexLast->GetBlockTime() - nFirstBlockTime;
|
|
|
|
|
LogPrintf(" nActualTimespan = %d before bounds\n", nActualTimespan);
|
|
|
|
|
if (nActualTimespan < params.nPowTargetTimespan/4)
|
|
|
|
|
nActualTimespan = params.nPowTargetTimespan/4;
|
|
|
|
|
if (nActualTimespan > params.nPowTargetTimespan*4)
|
|
|
|
|
nActualTimespan = params.nPowTargetTimespan*4;
|
|
|
|
|
|
|
|
|
|
// Retarget
|
|
|
|
|
const arith_uint256 bnPowLimit = UintToArith256(params.powLimit);
|
|
|
|
|
arith_uint256 bnNew;
|
|
|
|
|
arith_uint256 bnOld;
|
|
|
|
|
bnNew.SetCompact(pindexLast->nBits);
|
|
|
|
|
bnOld = bnNew;
|
|
|
|
|
bnNew *= nActualTimespan;
|
|
|
|
|
bnNew /= params.nPowTargetTimespan;
|
|
|
|
|
|
|
|
|
|
if (bnNew > bnPowLimit)
|
|
|
|
|
bnNew = bnPowLimit;
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
[NOTE]
|
|
|
|
|
====
|
2023-05-23 20:40:36 +00:00
|
|
|
|
While the target calibration happens every 2,016 blocks, because of an
|
|
|
|
|
off-by-one error in the original Bitcoin Core client it is based on the
|
|
|
|
|
total time of the previous 2,015 blocks (not 2,016 as it should be),
|
|
|
|
|
resulting in a retargeting bias toward higher difficulty by 0.05%.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
The parameters +Interval+ (2,016 blocks) and +TargetTimespan+ (two weeks
|
|
|
|
|
as 1,209,600 seconds) are defined in _chainparams.cpp_.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
To avoid extreme volatility in the difficulty, the retargeting
|
|
|
|
|
adjustment must be less than a factor of four (4) per cycle. If the
|
|
|
|
|
required target adjustment is greater than a factor of four, it will be
|
|
|
|
|
adjusted by a factor of 4 and not more. Any further adjustment will be
|
|
|
|
|
accomplished in the next retargeting period because the imbalance will
|
|
|
|
|
persist through the next 2,016 blocks. Therefore, large discrepancies
|
|
|
|
|
between hashing power and difficulty might take several 2,016 block
|
|
|
|
|
cycles to balance out.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[TIP]
|
|
|
|
|
====
|
2023-05-23 20:40:36 +00:00
|
|
|
|
The difficulty of mining a bitcoin block is approximately '10 minutes of
|
|
|
|
|
processing' for the entire network, based on the time it took to mine
|
|
|
|
|
the previous 2,016 blocks, adjusted every 2,016 blocks. This is achieved
|
|
|
|
|
by lowering or raising the target.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
====
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Note that the target is independent of the number of transactions or the
|
|
|
|
|
value of transactions. This means that the amount of hashing power and
|
|
|
|
|
therefore electricity expended to secure bitcoin is also entirely
|
|
|
|
|
independent of the number of transactions. Bitcoin can scale up, achieve
|
|
|
|
|
broader adoption, and remain secure without any increase in hashing
|
|
|
|
|
power from today's level. The increase in hashing power represents
|
|
|
|
|
market forces as new miners enter the market to compete for the reward.
|
|
|
|
|
As long as enough hashing power is under the control of miners acting
|
|
|
|
|
honestly in pursuit of the reward, it is enough to prevent "takeover"
|
|
|
|
|
attacks and, therefore, it is enough to secure bitcoin.
|
|
|
|
|
|
|
|
|
|
The difficulty of mining is closely related to the cost of electricity
|
|
|
|
|
and the exchange rate of bitcoin vis-a-vis the currency used to pay for
|
|
|
|
|
electricity. High-performance mining systems are about as efficient as
|
|
|
|
|
possible with the current generation of silicon fabrication, converting
|
|
|
|
|
electricity into hashing computation at the highest rate possible. The
|
|
|
|
|
primary influence on the mining market is the price of one kilowatt-hour
|
|
|
|
|
of electricity in bitcoin, because that determines the profitability of
|
|
|
|
|
mining and therefore the incentives to enter or exit the mining
|
|
|
|
|
market.((("", startref="targets10")))
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
=== Successfully Mining the Block
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("mining and consensus", "mining the block", "successful
|
|
|
|
|
completion")))((("use cases", "mining for bitcoin", id="jingtentwo")))As
|
|
|
|
|
we saw earlier, Jing's node has constructed a candidate block and
|
|
|
|
|
prepared it for mining. Jing has several hardware mining rigs with
|
|
|
|
|
application-specific integrated circuits, where hundreds of thousands of
|
|
|
|
|
integrated circuits run the SHA256 algorithm in parallel at incredible
|
|
|
|
|
speeds. Many of these specialized machines are connected to his mining
|
|
|
|
|
node over USB or a local area network. Next, the mining node running on
|
|
|
|
|
Jing's desktop transmits the block header to his mining hardware, which
|
|
|
|
|
starts testing trillions of nonces per second. Because the nonce is only
|
|
|
|
|
32 bits, after exhausting all the nonce possibilities (about 4 billion),
|
|
|
|
|
the mining hardware changes the block header (adjusting the coinbase
|
|
|
|
|
extra nonce space or timestamp) and resets the nonce counter, testing
|
|
|
|
|
new combinations.
|
|
|
|
|
|
|
|
|
|
Almost 11 minutes after starting to mine block 277,316, one of the
|
|
|
|
|
hardware mining machines finds a solution and sends it back to the
|
|
|
|
|
mining node.
|
|
|
|
|
|
|
|
|
|
When inserted into the block header, the nonce 924,591,752 produces a
|
|
|
|
|
block hash of:
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
----
|
2017-07-18 02:29:23 +00:00
|
|
|
|
0000000000000001b6b9a13b095e96db41c4a928b97ef2d944a9b31b2cc7bdc4
|
2017-04-24 21:09:15 +00:00
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
which is less than the target:
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
0000000000000003A30C00000000000000000000000000000000000000000000
|
|
|
|
|
----
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Immediately, Jing's mining node transmits the block to all its peers.
|
|
|
|
|
They receive, validate, and then propagate the new block. As the block
|
|
|
|
|
ripples out across the network, each node adds it to its own copy of the
|
|
|
|
|
blockchain, extending it to a new height of 277,316 blocks. As mining
|
|
|
|
|
nodes receive and validate the block, they abandon their efforts to find
|
|
|
|
|
a block at the same height and immediately start computing the next
|
|
|
|
|
block in the chain, using Jing's block as the "parent." By building on
|
|
|
|
|
top of Jing's newly discovered block, the other miners are essentially
|
|
|
|
|
"voting" with their mining power and endorsing Jing's block and the
|
|
|
|
|
chain it extends.
|
|
|
|
|
|
|
|
|
|
In the next section, we'll look at the process each node uses to
|
|
|
|
|
validate a block and select the longest chain, creating the consensus
|
|
|
|
|
that forms the decentralized blockchain.((("",
|
|
|
|
|
startref="MACmining10")))((("", startref="jingtentwo")))
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
=== Validating a New Block
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("mining and consensus", "new block validation")))((("blocks", "new
|
|
|
|
|
block validation")))((("validation")))The third step in bitcoin's
|
|
|
|
|
consensus mechanism is independent validation of each new block by every
|
|
|
|
|
node on the network. As the newly solved block moves across the network,
|
|
|
|
|
each node performs a series of tests to validate it before propagating
|
|
|
|
|
it to its peers. This ensures that only valid blocks are propagated on
|
|
|
|
|
the network. The independent validation also ensures that miners who act
|
|
|
|
|
honestly get their blocks incorporated in the blockchain, thus earning
|
|
|
|
|
the reward. Those miners who act dishonestly have their blocks rejected
|
|
|
|
|
and not only lose the reward, but also waste the effort expended to find
|
|
|
|
|
a Proof-of-Work solution, thus incurring the cost of electricity without
|
|
|
|
|
compensation.
|
|
|
|
|
|
|
|
|
|
When a node receives a new block, it will validate the block by checking
|
|
|
|
|
it against a long list of criteria that must all be met; otherwise, the
|
|
|
|
|
block is rejected. These criteria can be seen in the Bitcoin Core client
|
|
|
|
|
in the functions +CheckBlock+ and +CheckBlockHeader+ and include:
|
|
|
|
|
|
|
|
|
|
- The block data structure is syntactically valid
|
|
|
|
|
|
|
|
|
|
- The block header hash is less than the target (enforces the
|
|
|
|
|
Proof-of-Work)
|
|
|
|
|
|
|
|
|
|
- The block timestamp is less than two hours in the future (allowing for
|
|
|
|
|
time errors)
|
|
|
|
|
|
|
|
|
|
- The block size is within acceptable limits
|
|
|
|
|
|
|
|
|
|
- The first transaction (and only the first) is a coinbase transaction
|
|
|
|
|
|
|
|
|
|
- All transactions within the block are valid using the transaction
|
|
|
|
|
checklist discussed in <<tx_verification>>
|
|
|
|
|
|
|
|
|
|
The independent validation of each new block by every node on the
|
|
|
|
|
network ensures that the miners cannot cheat. In previous sections we
|
|
|
|
|
saw how miners get to write a transaction that awards them the new
|
|
|
|
|
bitcoin created within the block and claim the transaction fees. Why
|
|
|
|
|
don't miners write themselves a transaction for a thousand bitcoin
|
|
|
|
|
instead of the correct reward? Because every node validates blocks
|
|
|
|
|
according to the same rules. An invalid coinbase transaction would make
|
|
|
|
|
the entire block invalid, which would result in the block being rejected
|
|
|
|
|
and, therefore, that transaction would never become part of the ledger.
|
|
|
|
|
The miners have to construct a perfect block, based on the shared rules
|
|
|
|
|
that all nodes follow, and mine it with a correct solution to the
|
|
|
|
|
Proof-of-Work. To do so, they expend a lot of electricity in mining, and
|
|
|
|
|
if they cheat, all the electricity and effort is wasted. This is why
|
|
|
|
|
independent validation is a key component of decentralized consensus.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
=== Assembling and Selecting Chains of Blocks
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("mining and consensus", "assembling and selecting chains of blocks",
|
|
|
|
|
id="MACassembling10")))((("blocks", "assembling and selecting chains
|
|
|
|
|
of", id="Bassemble10")))The final step in bitcoin's decentralized
|
|
|
|
|
consensus mechanism is the assembly of blocks into chains and the
|
|
|
|
|
selection of the chain with the most Proof-of-Work. Once a node has
|
|
|
|
|
validated a new block, it will then attempt to assemble a chain by
|
|
|
|
|
connecting the block to the existing blockchain.
|
|
|
|
|
|
2023-05-25 15:05:55 +00:00
|
|
|
|
Nodes maintain three sets of blocks: those connected to the best
|
|
|
|
|
blockchain, those that form branches off the best blockchain (stale
|
2023-05-25 16:56:42 +00:00
|
|
|
|
blocks), and finally. Invalid blocks are rejected as soon as any one
|
2023-05-23 20:40:36 +00:00
|
|
|
|
of the validation criteria fails and are therefore not included in any
|
|
|
|
|
chain.
|
|
|
|
|
|
2023-05-25 15:05:55 +00:00
|
|
|
|
The "best blockchain" at any time is whichever _valid_ chain of blocks has
|
2023-05-23 20:40:36 +00:00
|
|
|
|
the most cumulative Proof-of-Work associated with it. Under most
|
|
|
|
|
circumstances this is also the chain with the most blocks in it, unless
|
|
|
|
|
there are two equal-length chains and one has more Proof-of-Work. The
|
2023-05-25 15:05:55 +00:00
|
|
|
|
best chain will also have branches with blocks that are "siblings" to
|
|
|
|
|
the blocks on the best chain. These blocks are valid but not part of the
|
|
|
|
|
best chain. They are kept for future reference, in case one of those
|
|
|
|
|
chains is extended to exceed the best chain in work. In the next section
|
2023-05-23 20:40:36 +00:00
|
|
|
|
(<<forks>>), we will see how secondary chains occur as a result of an
|
|
|
|
|
almost simultaneous mining of blocks at the same height.
|
|
|
|
|
|
|
|
|
|
When a new block is received, a node will try to slot it into the
|
|
|
|
|
existing blockchain. The node will look at the block's "previous block
|
|
|
|
|
hash" field, which is the reference to the block's parent. Then, the
|
|
|
|
|
node will attempt to find that parent in the existing blockchain. Most
|
2023-05-25 15:05:55 +00:00
|
|
|
|
of the time, the parent will be the "tip" of the best chain, meaning
|
|
|
|
|
this new block extends the best chain. For example, the new block
|
2023-05-23 20:40:36 +00:00
|
|
|
|
277,316 has a reference to the hash of its parent block 277,315. Most
|
|
|
|
|
nodes that receive 277,316 will already have block 277,315 as the tip of
|
2023-05-25 15:05:55 +00:00
|
|
|
|
their best chain and will therefore link the new block and extend that
|
2023-05-23 20:40:36 +00:00
|
|
|
|
chain.
|
|
|
|
|
|
|
|
|
|
Sometimes, as we will see in <<forks>>, the new block extends a chain
|
2023-05-25 15:05:55 +00:00
|
|
|
|
that is not the best chain. In that case, the node will attach the new
|
2023-05-23 20:40:36 +00:00
|
|
|
|
block to the secondary chain it extends and then compare the work of the
|
2023-05-25 15:05:55 +00:00
|
|
|
|
secondary chain to the best chain. If the secondary chain has more
|
|
|
|
|
cumulative work than the best chain, the node will _reconverge_ on the
|
2023-05-23 20:40:36 +00:00
|
|
|
|
secondary chain, meaning it will select the secondary chain as its new
|
2023-05-25 15:05:55 +00:00
|
|
|
|
best chain, making the old best chain a secondary chain. If the node is
|
2023-05-23 20:40:36 +00:00
|
|
|
|
a miner, it will now construct a block extending this new, longer,
|
|
|
|
|
chain.
|
|
|
|
|
|
|
|
|
|
By selecting the greatest-cumulative-work valid chain, all nodes
|
|
|
|
|
eventually achieve network-wide consensus. Temporary discrepancies
|
|
|
|
|
between chains are resolved eventually as more work is added, extending
|
|
|
|
|
one of the possible chains. Mining nodes "vote" with their mining power
|
|
|
|
|
by choosing which chain to extend by mining the next block. When they
|
|
|
|
|
mine a new block and extend the chain, the new block itself represents
|
|
|
|
|
their vote.
|
|
|
|
|
|
|
|
|
|
In the next section we will look at how discrepancies between competing
|
|
|
|
|
chains (forks) are resolved by the independent selection of the
|
|
|
|
|
greatest-cumulative-work chain.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[forks]]
|
|
|
|
|
==== Blockchain Forks
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("mining and consensus", "assembling and selecting chains of blocks",
|
|
|
|
|
"blockchain forks")))((("blockchain (the)", "blockchain forks",
|
|
|
|
|
id="BCTfork10")))((("forks", "blockchain fork events",
|
|
|
|
|
id="forks10")))Because the blockchain is a decentralized data structure,
|
|
|
|
|
different copies of it are not always consistent. Blocks might arrive at
|
|
|
|
|
different nodes at different times, causing the nodes to have different
|
|
|
|
|
perspectives of the blockchain. To resolve this, each node always
|
|
|
|
|
selects and attempts to extend the chain of blocks that represents the
|
|
|
|
|
most Proof-of-Work, also known as the longest chain or greatest
|
|
|
|
|
cumulative work chain. By summing the work recorded in each block in a
|
|
|
|
|
chain, a node can calculate the total amount of work that has been
|
|
|
|
|
expended to create that chain. As long as all nodes select the
|
|
|
|
|
greatest-cumulative-work chain, the global Bitcoin network eventually
|
|
|
|
|
converges to a consistent state. Forks occur as temporary
|
|
|
|
|
inconsistencies between versions of the blockchain, which are resolved
|
|
|
|
|
by eventual reconvergence as more blocks are added to one of the forks.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2017-05-10 19:06:23 +00:00
|
|
|
|
[TIP]
|
|
|
|
|
====
|
2023-05-23 20:40:36 +00:00
|
|
|
|
The blockchain forks described in this section occur naturally as a
|
|
|
|
|
result of transmission delays in the global network. We will also look
|
|
|
|
|
at deliberately induced forks later in this chapter.
|
2017-05-10 19:06:23 +00:00
|
|
|
|
====
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
In the next few diagrams, we follow the progress of a "fork" event
|
|
|
|
|
across the network. The diagram is a simplified representation of the
|
|
|
|
|
Bitcoin network. For illustration purposes, different blocks are shown
|
|
|
|
|
as different shapes (star, triangle, upside-down triangle, rhombus),
|
|
|
|
|
spreading across the network. Each node in the network is represented as
|
|
|
|
|
a circle.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Each node has its own perspective of the global blockchain. As each node
|
|
|
|
|
receives blocks from its neighbors, it updates its own copy of the
|
|
|
|
|
blockchain, selecting the greatest-cumulative-work chain. For
|
|
|
|
|
illustration purposes, each node contains a shape that represents the
|
2023-05-25 15:05:55 +00:00
|
|
|
|
block that it believes is currently the tip of the best chain. So, if
|
2023-05-23 20:40:36 +00:00
|
|
|
|
you see a star shape in the node, that means that the star block is the
|
2023-05-25 15:05:55 +00:00
|
|
|
|
tip of the best chain, as far as that node is concerned.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
In the first diagram (<<fork1>>), the network has a unified perspective
|
2023-05-25 15:05:55 +00:00
|
|
|
|
of the blockchain, with the star block as the tip of the best chain.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[fork1]]
|
2017-05-18 15:11:55 +00:00
|
|
|
|
[role="smallereighty"]
|
2017-04-24 21:09:15 +00:00
|
|
|
|
.Before the fork—all nodes have the same perspective
|
|
|
|
|
image::images/mbc2_1002.png["Before the fork - all nodes have the same perspective"]
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
A "fork" occurs whenever there are two candidate blocks competing to
|
|
|
|
|
form the longest blockchain. This occurs under normal conditions
|
|
|
|
|
whenever two miners solve the Proof-of-Work algorithm within a short
|
|
|
|
|
period of time from each other. As both miners discover a solution for
|
|
|
|
|
their respective candidate blocks, they immediately broadcast their own
|
|
|
|
|
"winning" block to their immediate neighbors who begin propagating the
|
|
|
|
|
block across the network. Each node that receives a valid block will
|
|
|
|
|
incorporate it into its blockchain, extending the blockchain by one
|
|
|
|
|
block. If that node later sees another candidate block extending the
|
|
|
|
|
same parent, it connects the second candidate on a secondary chain. As a
|
|
|
|
|
result, some nodes will "see" one candidate block first, while other
|
|
|
|
|
nodes will see the other candidate block and two competing versions of
|
|
|
|
|
the blockchain will emerge.
|
|
|
|
|
|
|
|
|
|
In <<fork2>>, we see two miners (Node X and Node Y) who mine two
|
|
|
|
|
different blocks almost simultaneously. Both of these blocks are
|
|
|
|
|
children of the star block, and extend the chain by building on top of
|
|
|
|
|
the star block. To help us track it, one is visualized as a triangle
|
|
|
|
|
block originating from Node X, and the other is shown as an upside-down
|
|
|
|
|
triangle block originating from Node Y.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[fork2]]
|
2017-05-18 15:37:14 +00:00
|
|
|
|
[role="smallersixty"]
|
2017-04-24 21:09:15 +00:00
|
|
|
|
.Visualization of a blockchain fork event: two blocks found simultaneously
|
|
|
|
|
image::images/mbc2_1003.png["Visualization of a blockchain fork event: two blocks found simultaneously"]
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Let's assume, for example, that a miner Node X finds a Proof-of-Work
|
|
|
|
|
solution for a block "triangle" that extends the blockchain, building on
|
|
|
|
|
top of the parent block "star." Almost simultaneously, the miner Node Y
|
|
|
|
|
who was also extending the chain from block "star" finds a solution for
|
|
|
|
|
block "upside-down triangle," his candidate block. Now, there are two
|
|
|
|
|
possible blocks; one we call "triangle," originating in Node X; and one
|
|
|
|
|
we call "upside-down triangle," originating in Node Y. Both blocks are
|
|
|
|
|
valid, both blocks contain a valid solution to the Proof-of-Work, and
|
|
|
|
|
both blocks extend the same parent (block "star"). Both blocks likely
|
|
|
|
|
contain most of the same transactions, with only perhaps a few
|
|
|
|
|
differences in the order of transactions.
|
|
|
|
|
|
|
|
|
|
As the two blocks propagate, some nodes receive block "triangle" first
|
|
|
|
|
and some receive block "upside-down triangle" first. As shown in
|
|
|
|
|
<<fork3>>, the network splits into two different perspectives of the
|
|
|
|
|
blockchain; one side topped with a triangle block, the other with the
|
|
|
|
|
upside-down-triangle block.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2017-05-18 15:45:55 +00:00
|
|
|
|
[[fork3]]
|
|
|
|
|
[role="smallersixty"]
|
|
|
|
|
.Visualization of a blockchain fork event: two blocks propagate, splitting the network
|
|
|
|
|
image::images/mbc2_1004.png["Visualization of a blockchain fork event: two blocks propagate, splitting the network"]
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
In the diagram, a randomly chosen "Node X" received the triangle block
|
|
|
|
|
first and extended the star chain with it. Node X selected the chain
|
2023-05-25 15:05:55 +00:00
|
|
|
|
with "triangle" block as the best chain. Later, Node X also received the
|
2023-05-23 20:40:36 +00:00
|
|
|
|
"upside-down triangle" block. Since it was received second, it is
|
|
|
|
|
assumed to have "lost" the race. Yet, the "upside-down triangle" block
|
|
|
|
|
is not discarded. It is linked to the "star" block parent and forms a
|
|
|
|
|
secondary chain. While Node X assumes it has correctly selected the
|
|
|
|
|
winning chain, it keeps the "losing" chain so that it has the
|
|
|
|
|
information needed to reconverge if the "losing" chain ends up
|
|
|
|
|
"winning."
|
|
|
|
|
|
|
|
|
|
On the other side of the network, Node Y constructs a blockchain based
|
|
|
|
|
on its own perspective of the sequence of events. It received
|
|
|
|
|
"upside-down triangle" first and elected that chain as the "winner."
|
|
|
|
|
When it later received "triangle" block, it connected it to the "star"
|
|
|
|
|
block parent as a secondary chain.
|
|
|
|
|
|
|
|
|
|
Neither side is "correct," or "incorrect." Both are valid perspectives
|
|
|
|
|
of the blockchain. Only in hindsight will one prevail, based on how
|
|
|
|
|
these two competing chains are extended by additional work.
|
|
|
|
|
|
|
|
|
|
Mining nodes whose perspective resembles Node X will immediately begin
|
|
|
|
|
mining a candidate block that extends the chain with "triangle" as its
|
|
|
|
|
tip. By linking "triangle" as the parent of their candidate block, they
|
|
|
|
|
are voting with their hashing power. Their vote supports the chain that
|
2023-05-25 15:05:55 +00:00
|
|
|
|
they have elected as the best chain.
|
2023-05-23 20:40:36 +00:00
|
|
|
|
|
|
|
|
|
Any mining node whose perspective resembles Node Y will start building a
|
|
|
|
|
candidate node with "upside-down triangle" as its parent, extending the
|
2023-05-25 15:05:55 +00:00
|
|
|
|
chain that they believe is the best chain. And so, the race begins
|
2023-05-23 20:40:36 +00:00
|
|
|
|
again.
|
|
|
|
|
|
|
|
|
|
Forks are almost always resolved within one block. While part of the
|
|
|
|
|
network's hashing power is dedicated to building on top of "triangle" as
|
|
|
|
|
the parent, another part of the hashing power is focused on building on
|
|
|
|
|
top of "upside-down triangle." Even if the hashing power is almost
|
|
|
|
|
evenly split, it is likely that one set of miners will find a solution
|
|
|
|
|
and propagate it before the other set of miners have found any
|
|
|
|
|
solutions. Let's say, for example, that the miners building on top of
|
|
|
|
|
"triangle" find a new block "rhombus" that extends the chain (e.g.,
|
|
|
|
|
star-triangle-rhombus). They immediately propagate this new block and
|
|
|
|
|
the entire network sees it as a valid solution as shown in <<fork4>>.
|
|
|
|
|
|
|
|
|
|
All nodes that had chosen "triangle" as the winner in the previous round
|
|
|
|
|
will simply extend the chain one more block. The nodes that chose
|
|
|
|
|
"upside-down triangle" as the winner, however, will now see two chains:
|
|
|
|
|
star-triangle-rhombus and star-upside-down-triangle. The chain
|
|
|
|
|
star-triangle-rhombus is now longer (more cumulative work) than the
|
|
|
|
|
other chain. As a result, those nodes will set the chain
|
2023-05-25 15:05:55 +00:00
|
|
|
|
star-triangle-rhombus as the best chain and change the
|
2023-05-23 20:40:36 +00:00
|
|
|
|
star-upside-down-triangle chain to a secondary chain, as shown in
|
|
|
|
|
<<fork5>>. This is a chain reconvergence, because those nodes are forced
|
|
|
|
|
to revise their view of the blockchain to incorporate the new evidence
|
|
|
|
|
of a longer chain. Any miners working on extending the chain
|
|
|
|
|
star-upside-down-triangle will now stop that work because their
|
2023-05-25 16:56:42 +00:00
|
|
|
|
candidate block is "stale," as its parent "upside-down-triangle" is
|
2023-05-23 20:40:36 +00:00
|
|
|
|
no longer on the longest chain. The transactions within
|
|
|
|
|
"upside-down-triangle" that are not within "triangle" are re-inserted in
|
2023-05-25 15:05:55 +00:00
|
|
|
|
the mempool for inclusion in the next block to become a part of the best
|
2023-05-23 20:40:36 +00:00
|
|
|
|
chain. The entire network reconverges on a single blockchain
|
|
|
|
|
star-triangle-rhombus, with "rhombus" as the last block in the chain.
|
|
|
|
|
All miners immediately start working on candidate blocks that reference
|
|
|
|
|
"rhombus" as their parent to extend the star-triangle-rhombus chain.
|
2017-05-18 15:44:03 +00:00
|
|
|
|
|
2017-05-18 20:06:01 +00:00
|
|
|
|
[[fork4]]
|
2017-05-18 15:50:15 +00:00
|
|
|
|
[role="smallereighty"]
|
2023-02-01 16:31:10 +00:00
|
|
|
|
.Visualization of a blockchain fork event: a new block extends one fork, reconverging the network
|
2017-04-24 21:09:15 +00:00
|
|
|
|
image::images/mbc2_1005.png["Visualization of a blockchain fork event: a new block extends one fork"]
|
|
|
|
|
|
|
|
|
|
[[fork5]]
|
2017-05-18 15:50:15 +00:00
|
|
|
|
[role="smallereighty"]
|
2017-04-24 21:09:15 +00:00
|
|
|
|
.Visualization of a blockchain fork event: the network reconverges on a new longest chain
|
|
|
|
|
image::images/mbc2_1006.png["Visualization of a blockchain fork event: the network reconverges on a new longest chain"]
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
It is theoretically possible for a fork to extend to two blocks, if two
|
|
|
|
|
blocks are found almost simultaneously by miners on opposite "sides" of
|
|
|
|
|
a previous fork. However, the chance of that happening is very low.
|
|
|
|
|
Whereas a one-block fork might occur every day, a two-block fork occurs
|
|
|
|
|
at most once every few weeks.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Bitcoin's block interval of 10 minutes is a design compromise between
|
|
|
|
|
fast confirmation times (settlement of transactions) and the probability
|
|
|
|
|
of a fork. A faster block time would make transactions clear faster but
|
|
|
|
|
lead to more frequent blockchain forks, whereas a slower block time
|
|
|
|
|
would decrease the number of forks but make settlement slower.((("",
|
|
|
|
|
startref="Bassemble10")))((("", startref="MACassembling10")))((("",
|
|
|
|
|
startref="forks10")))((("", startref="BCTfork10")))
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
=== Mining and the Hashing Race
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("mining and consensus", "hashing power race",
|
|
|
|
|
id="MAChash10")))Bitcoin mining is an extremely competitive industry.
|
|
|
|
|
The hashing power has increased exponentially every year of bitcoin's
|
|
|
|
|
existence. Some years the growth has reflected a complete change of
|
|
|
|
|
technology, such as in 2010 and 2011 when many miners switched from
|
|
|
|
|
using CPU mining to GPU mining and field programmable gate array (FPGA)
|
|
|
|
|
mining. In 2013 the introduction of ASIC mining lead to another giant
|
|
|
|
|
leap in mining power, by placing the SHA256 function directly on silicon
|
|
|
|
|
chips specialized for the purpose of mining. The first such chips could
|
|
|
|
|
deliver more mining power in a single box than the entire Bitcoin
|
|
|
|
|
network in 2010.
|
|
|
|
|
|
|
|
|
|
The following list shows the total hashing power of the Bitcoin network,
|
|
|
|
|
over the first eight years of operation:
|
2023-02-01 16:31:10 +00:00
|
|
|
|
|
|
|
|
|
2009:: 0.5 MH/sec–8 MH/sec (16× growth)
|
|
|
|
|
2010:: 8 MH/sec–116 GH/sec (14,500× growth)
|
|
|
|
|
2011:: 116 GH/sec–9 TH/sec (78× growth)
|
|
|
|
|
2012:: 9 TH/sec–23 TH/sec (2.5× growth)
|
|
|
|
|
2013:: 23 TH/sec–10 PH/sec (450× growth)
|
|
|
|
|
2014:: 10 PH/sec–300 PH/sec (30× growth)
|
|
|
|
|
2015:: 300 PH/sec-800 PH/sec (2.66× growth)
|
|
|
|
|
2016:: 800 PH/sec-2.5 EH/sec (3.12× growth)
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
In the chart in <<network_hashing_power>>, we can see that Bitcoin
|
|
|
|
|
network's hashing power increased over the past two years. As you can
|
|
|
|
|
see, the competition between miners and the growth of bitcoin has
|
|
|
|
|
resulted in an exponential increase in the hashing power (total hashes
|
|
|
|
|
per second across the network).
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[network_hashing_power]]
|
2023-02-01 16:31:10 +00:00
|
|
|
|
.Total hashing power, terahashes per second (TH/sec)
|
2017-04-24 21:09:15 +00:00
|
|
|
|
image::images/mbc2_1007.png["NetworkHashingRate"]
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
As the amount of hashing power applied to mining bitcoin has exploded,
|
|
|
|
|
the difficulty has risen to match it. The difficulty metric in the chart
|
|
|
|
|
shown in <<bitcoin_difficulty>> is measured as a ratio of current
|
|
|
|
|
difficulty over minimum difficulty (the difficulty of the first block).
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[bitcoin_difficulty]]
|
2023-02-01 16:31:10 +00:00
|
|
|
|
.Bitcoin's mining difficulty metric
|
2017-04-24 21:09:15 +00:00
|
|
|
|
image::images/mbc2_1008.png["BitcoinDifficulty"]
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
In the last two years, the ASIC mining chips have become increasingly
|
|
|
|
|
denser, approaching the cutting edge of silicon fabrication with a
|
|
|
|
|
feature size (resolution) of 16 nanometers (nm). Currently, ASIC
|
|
|
|
|
manufacturers are aiming to overtake general-purpose CPU chip
|
|
|
|
|
manufacturers, designing chips with a feature size of 14 nm, because the
|
|
|
|
|
profitability of mining is driving this industry even faster than
|
|
|
|
|
general computing. There are no more giant leaps left in bitcoin mining,
|
|
|
|
|
because the industry has reached the forefront of Moore's Law, which
|
|
|
|
|
stipulates that computing density will double approximately every 18
|
|
|
|
|
months. Still, the mining power of the network continues to advance at
|
|
|
|
|
an exponential pace as the race for higher density chips is matched with
|
|
|
|
|
a race for higher density data centers where thousands of these chips
|
|
|
|
|
can be deployed. It's no longer about how much mining can be done with
|
|
|
|
|
one chip, but how many chips can be squeezed into a building, while
|
|
|
|
|
still dissipating the heat and providing adequate power.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[extra_nonce]]
|
|
|
|
|
==== The Extra Nonce Solution
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("nonce values")))Since 2012, bitcoin mining has evolved to resolve a
|
|
|
|
|
fundamental limitation in the structure of the block header. In the
|
|
|
|
|
early days of bitcoin, a miner could find a block by iterating through
|
|
|
|
|
the nonce until the resulting hash was below the target. As difficulty
|
|
|
|
|
increased, miners often cycled through all 4 billion values of the nonce
|
|
|
|
|
without finding a block. However, this was easily resolved by updating
|
|
|
|
|
the block timestamp to account for the elapsed time. Because the
|
|
|
|
|
timestamp is part of the header, the change would allow miners to
|
|
|
|
|
iterate through the values of the nonce again with different results.
|
|
|
|
|
Once mining hardware exceeded 4 GH/sec, however, this approach became
|
|
|
|
|
increasingly difficult because the nonce values were exhausted in less
|
|
|
|
|
than a second. As ASIC mining equipment started pushing and then
|
|
|
|
|
exceeding the TH/sec hash rate, the mining software needed more space
|
|
|
|
|
for nonce values in order to find valid blocks. The timestamp could be
|
|
|
|
|
stretched a bit, but moving it too far into the future would cause the
|
|
|
|
|
block to become invalid. A new source of "change" was needed in the
|
|
|
|
|
block header. The solution was to use the coinbase transaction as a
|
|
|
|
|
source of extra nonce values. Because the coinbase script can store
|
|
|
|
|
between 2 and 100 bytes of data, miners started using that space as
|
|
|
|
|
extra nonce space, allowing them to explore a much larger range of block
|
|
|
|
|
header values to find valid blocks. The coinbase transaction is included
|
|
|
|
|
in the merkle tree, which means that any change in the coinbase script
|
|
|
|
|
causes the merkle root to change. Eight bytes of extra nonce, plus the 4
|
|
|
|
|
bytes of "standard" nonce allow miners to explore a total 2^96^ (8
|
|
|
|
|
followed by 28 zeros) possibilities _per second_ without having to
|
|
|
|
|
modify the timestamp. If, in the future, miners could run through all
|
|
|
|
|
these possibilities, they could then modify the timestamp. There is also
|
|
|
|
|
more space in the coinbase script for future expansion of the extra
|
|
|
|
|
nonce space.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[mining_pools]]
|
|
|
|
|
==== Mining Pools
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("mining pools", id="MACoverpool10")))((("mining pools", "benefits
|
|
|
|
|
of")))In this highly competitive environment, individual miners working
|
|
|
|
|
alone (also known as solo miners) don't stand a chance. The likelihood
|
|
|
|
|
of them finding a block to offset their electricity and hardware costs
|
|
|
|
|
is so low that it represents a gamble, like playing the lottery. Even
|
|
|
|
|
the fastest consumer ASIC mining system cannot keep up with commercial
|
|
|
|
|
systems that stack tens of thousands of these chips in giant warehouses
|
|
|
|
|
near hydroelectric powerstations. Miners now collaborate to form mining
|
|
|
|
|
pools, pooling their hashing power and sharing the reward among
|
|
|
|
|
thousands of participants. By participating in a pool, miners get a
|
|
|
|
|
smaller share of the overall reward, but typically get rewarded every
|
|
|
|
|
day, reducing uncertainty.
|
|
|
|
|
|
|
|
|
|
Let's look at a specific example. Assume a miner has purchased mining
|
|
|
|
|
hardware with a combined hashing rate of 14,000 gigahashes per second
|
|
|
|
|
(GH/s), or 14 TH/s. In 2017 this equipment costs approximately $2,500
|
|
|
|
|
USD. The hardware consumes 1375 watts (1.3 kW) of electricity when
|
|
|
|
|
running, 33 kW-hours a day, at a cost of $1 to $2 per day at very low
|
|
|
|
|
electricity rates. At current bitcoin difficulty, the miner will be able
|
|
|
|
|
to solo mine a block approximately once every 4 years. How do we work
|
|
|
|
|
out that probability? It is based on a network-wide hashing rate of 3
|
|
|
|
|
EH/sec (in 2017), and the miner's rate of 14 TH/sec:
|
2018-03-14 16:32:54 +00:00
|
|
|
|
|
2018-03-14 17:45:57 +00:00
|
|
|
|
++++
|
|
|
|
|
<ul class="simplelist">
|
|
|
|
|
<li>P = (14 * 10<sup>12</sup> / 3 * 10<sup>18</sup>) * 210240 = 0.98</li>
|
|
|
|
|
</ul>
|
|
|
|
|
++++
|
2018-03-14 16:32:54 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
...where 21240 is the number of blocks in four years. The miner has a
|
|
|
|
|
98% probability of finding a block over four years, based on the global
|
|
|
|
|
hash rate at the beginning of the period.
|
|
|
|
|
|
|
|
|
|
If the miner does find a single block in that timeframe, the payout of
|
|
|
|
|
12.5 bitcoin, at approximately $1,000 per bitcoin, will result in a
|
|
|
|
|
single payout of $12,500, which will produce a net profit of about
|
|
|
|
|
$7,000. However, the chance of finding a block in a 4-year period
|
|
|
|
|
depends on the miner's luck. He might find two blocks in 4 years and
|
|
|
|
|
make a very large profit. Or he might not find a block for 5 years and
|
|
|
|
|
suffer a bigger financial loss. Even worse, the difficulty of the
|
|
|
|
|
bitcoin Proof-of-Work algorithm is likely to go up significantly over
|
|
|
|
|
that period, at the current rate of growth of hashing power, meaning the
|
|
|
|
|
miner has, at most, one year to break even before the hardware is
|
|
|
|
|
effectively obsolete and must be replaced by more powerful mining
|
|
|
|
|
hardware. If this miner participates in a mining pool, instead of
|
|
|
|
|
waiting for a once-in-four-years $12,500 windfall, he will be able to
|
|
|
|
|
earn approximately $50 to $60 per week. The regular payouts from a
|
|
|
|
|
mining pool will help him amortize the cost of hardware and electricity
|
|
|
|
|
over time without taking an enormous risk. The hardware will still be
|
|
|
|
|
obsolete in one or two years and the risk is still high, but the revenue
|
|
|
|
|
is at least regular and reliable over that period. Financially this only
|
|
|
|
|
makes sense at very low electricity cost (less than 1 cent per kW-hour)
|
|
|
|
|
and only at very large scale.
|
|
|
|
|
|
|
|
|
|
Mining pools coordinate many hundreds or thousands of miners, over
|
|
|
|
|
specialized pool-mining protocols. The individual miners configure their
|
|
|
|
|
mining equipment to connect to a pool server, after creating an account
|
|
|
|
|
with the pool. Their mining hardware remains connected to the pool
|
|
|
|
|
server while mining, synchronizing their efforts with the other miners.
|
|
|
|
|
Thus, the pool miners share the effort to mine a block and then share in
|
|
|
|
|
the rewards.
|
|
|
|
|
|
|
|
|
|
Successful blocks pay the reward to a pool Bitcoin address, rather than
|
|
|
|
|
individual miners. The pool server will periodically make payments to
|
|
|
|
|
the miners' Bitcoin addresses, once their share of the rewards has
|
|
|
|
|
reached a certain threshold. Typically, the pool server charges a
|
|
|
|
|
percentage fee of the rewards for providing the pool-mining service.
|
|
|
|
|
|
|
|
|
|
((("mining pools", "operation of")))Miners participating in a pool split
|
|
|
|
|
the work of searching for a solution to a candidate block, earning
|
|
|
|
|
"shares" for their mining contribution. The mining pool sets a higher
|
|
|
|
|
target (lower difficulty) for earning a share, typically more than 1,000
|
|
|
|
|
times easier than the Bitcoin network's target. When someone in the pool
|
|
|
|
|
successfully mines a block, the reward is earned by the pool and then
|
|
|
|
|
shared with all miners in proportion to the number of shares they
|
|
|
|
|
contributed to the effort.
|
|
|
|
|
|
|
|
|
|
Pools are open to any miner, big or small, professional or amateur. A
|
|
|
|
|
pool will therefore have some participants with a single small mining
|
|
|
|
|
machine, and others with a garage full of high-end mining hardware. Some
|
|
|
|
|
will be mining with a few tens of a kilowatt of electricity, others will
|
|
|
|
|
be running a data center consuming a megawatt of power. How does a
|
|
|
|
|
mining pool measure the individual contributions, so as to fairly
|
|
|
|
|
distribute the rewards, without the possibility of cheating? The answer
|
|
|
|
|
is to use bitcoin's Proof-of-Work algorithm to measure each pool miner's
|
|
|
|
|
contribution, but set at a lower difficulty so that even the smallest
|
|
|
|
|
pool miners win a share frequently enough to make it worthwhile to
|
|
|
|
|
contribute to the pool. By setting a lower difficulty for earning
|
|
|
|
|
shares, the pool measures the amount of work done by each miner. Each
|
|
|
|
|
time a pool miner finds a block header hash that is less than the pool
|
|
|
|
|
target, she proves she has done the hashing work to find that result.
|
|
|
|
|
More importantly, the work to find shares contributes, in a
|
|
|
|
|
statistically measurable way, to the overall effort to find a hash lower
|
|
|
|
|
than the bitcoin network's target. Thousands of miners trying to find
|
|
|
|
|
low-value hashes will eventually find one low enough to satisfy the
|
|
|
|
|
bitcoin network target.
|
|
|
|
|
|
|
|
|
|
Let's return to the analogy of a dice game. If the dice players are
|
|
|
|
|
throwing dice with a goal of throwing less than four (the overall
|
|
|
|
|
network difficulty), a pool would set an easier target, counting how
|
|
|
|
|
many times the pool players managed to throw less than eight. When pool
|
|
|
|
|
players throw less than eight (the pool share target), they earn shares,
|
|
|
|
|
but they don't win the game because they don't achieve the game target
|
|
|
|
|
(less than four). The pool players will achieve the easier pool target
|
|
|
|
|
much more often, earning them shares very regularly, even when they
|
|
|
|
|
don't achieve the harder target of winning the game. Every now and then,
|
|
|
|
|
one of the pool players will throw a combined dice throw of less than
|
|
|
|
|
four and the pool wins. Then, the earnings can be distributed to the
|
|
|
|
|
pool players based on the shares they earned. Even though the target of
|
|
|
|
|
eight-or-less wasn't winning, it was a fair way to measure dice throws
|
|
|
|
|
for the players, and it occasionally produces a less-than-four throw.
|
|
|
|
|
|
|
|
|
|
Similarly, a mining pool will set a (higher and easier) pool target that
|
|
|
|
|
will ensure that an individual pool miner can find block header hashes
|
|
|
|
|
that are less than the pool target often, earning shares. Every now and
|
|
|
|
|
then, one of these attempts will produce a block header hash that is
|
|
|
|
|
less than the Bitcoin network target, making it a valid block and the
|
|
|
|
|
whole pool wins.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
===== Managed pools
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("mining pools", "managed pools")))((("pool operators",
|
|
|
|
|
seealso="mining pools")))Most mining pools are "managed," meaning that
|
|
|
|
|
there is a company or individual running a pool server. The owner of the
|
|
|
|
|
pool server is called the _pool operator_, and he charges pool miners a
|
|
|
|
|
percentage fee of the earnings.
|
|
|
|
|
|
|
|
|
|
The pool server runs specialized software and a pool-mining protocol
|
|
|
|
|
that coordinate the activities of the pool miners. The pool server is
|
|
|
|
|
also connected to one or more full Bitcoin nodes and has direct access
|
|
|
|
|
to a full copy of the blockchain database. This allows the pool server
|
|
|
|
|
to validate blocks and transactions on behalf of the pool miners,
|
|
|
|
|
relieving them of the burden of running a full node. For pool miners,
|
|
|
|
|
this is an important consideration, because a full node requires a
|
|
|
|
|
dedicated computer with at least 100 to 150 GB of persistent storage
|
|
|
|
|
(disk) and at least 2 to 4 GB of memory (RAM). Furthermore, the Bitcoin
|
|
|
|
|
software running on the full node needs to be monitored, maintained, and
|
|
|
|
|
upgraded frequently. Any downtime caused by a lack of maintenance or
|
|
|
|
|
lack of resources will hurt the miner's profitability. For many miners,
|
|
|
|
|
the ability to mine without running a full node is another big benefit
|
|
|
|
|
of joining a managed pool.
|
|
|
|
|
|
|
|
|
|
Pool miners connect to the pool server using a mining protocol such as
|
|
|
|
|
Stratum (STM) or GetBlockTemplate (GBT). An older standard called
|
|
|
|
|
GetWork (GWK) has been mostly obsolete since late 2012, because it does
|
|
|
|
|
not easily support mining at hash rates above 4 GH/s. Both the STM and
|
|
|
|
|
GBT protocols create block _templates_ that contain a template of a
|
|
|
|
|
candidate block header. The pool server constructs a candidate block by
|
|
|
|
|
aggregating transactions, adding a coinbase transaction (with extra
|
|
|
|
|
nonce space), calculating the merkle root, and linking to the previous
|
|
|
|
|
block hash. The header of the candidate block is then sent to each of
|
|
|
|
|
the pool miners as a template. Each pool miner then mines using the
|
|
|
|
|
block template, at a higher (easier) target than the Bitcoin network
|
|
|
|
|
target, and sends any successful results back to the pool server to earn
|
|
|
|
|
shares.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
===== Peer-to-peer mining pool (P2Pool)
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("mining pools", "peer-to-peer pools (P2Pool)")))((("peer-to-peer
|
|
|
|
|
pools (P2Pool)")))Managed pools create the possibility of cheating by
|
|
|
|
|
the pool operator, who might direct the pool effort to double-spend
|
|
|
|
|
transactions or invalidate blocks (see <<consensus_attacks>>).
|
|
|
|
|
Furthermore, centralized pool servers represent a
|
|
|
|
|
single-point-of-failure. If the pool server is down or is slowed by a
|
|
|
|
|
denial-of-service attack, the pool miners cannot mine. In 2011, to
|
|
|
|
|
resolve these issues of centralization, a new pool mining method was
|
|
|
|
|
proposed and implemented: P2Pool, a peer-to-peer mining pool without a
|
|
|
|
|
central operator.
|
|
|
|
|
|
|
|
|
|
P2Pool works by decentralizing the functions of the pool server,
|
|
|
|
|
implementing a parallel blockchain-like system called a _share chain_. A
|
|
|
|
|
share chain is a blockchain running at a lower difficulty than the
|
|
|
|
|
Bitcoin blockchain. The share chain allows pool miners to collaborate in
|
|
|
|
|
a decentralized pool by mining shares on the share chain at a rate of
|
|
|
|
|
one share block every 30 seconds. Each of the blocks on the share chain
|
|
|
|
|
records a proportionate share reward for the pool miners who contribute
|
|
|
|
|
work, carrying the shares forward from the previous share block. When
|
|
|
|
|
one of the share blocks also achieves the Bitcoin network target, it is
|
|
|
|
|
propagated and included on the Bitcoin blockchain, rewarding all the
|
|
|
|
|
pool miners who contributed to all the shares that preceded the winning
|
|
|
|
|
share block. Essentially, instead of a pool server keeping track of pool
|
|
|
|
|
miner shares and rewards, the share chain allows all pool miners to keep
|
|
|
|
|
track of all shares using a decentralized consensus mechanism like
|
|
|
|
|
bitcoin's blockchain consensus mechanism.
|
|
|
|
|
|
|
|
|
|
P2Pool mining is more complex than pool mining because it requires that
|
|
|
|
|
the pool miners run a dedicated computer with enough disk space, memory,
|
|
|
|
|
and internet bandwidth to support a full Bitcoin node and the P2Pool
|
|
|
|
|
node software. P2Pool miners connect their mining hardware to their
|
|
|
|
|
local P2Pool node, which simulates the functions of a pool server by
|
|
|
|
|
sending block templates to the mining hardware. On P2Pool, individual
|
|
|
|
|
pool miners construct their own candidate blocks, aggregating
|
|
|
|
|
transactions much like solo miners, but then mine collaboratively on the
|
|
|
|
|
share chain. P2Pool is a hybrid approach that has the advantage of much
|
|
|
|
|
more granular payouts than solo mining, but without giving too much
|
|
|
|
|
control to a pool operator like managed pools.
|
|
|
|
|
|
|
|
|
|
Even though P2Pool reduces the concentration of power by mining pool
|
|
|
|
|
operators, it is conceivably vulnerable to 51% attacks against the share
|
|
|
|
|
chain itself. A much broader adoption of P2Pool does not solve the 51%
|
|
|
|
|
attack problem for bitcoin itself. Rather, P2Pool makes bitcoin more
|
|
|
|
|
robust overall, as part of a diversified mining ecosystem.((("",
|
|
|
|
|
startref="MAChash10")))((("", startref="MACoverpool10")))
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[consensus_attacks]]
|
|
|
|
|
=== Consensus Attacks
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("mining and consensus", "consensus attacks",
|
|
|
|
|
id="Cattack10")))((("security", "consensus attacks",
|
|
|
|
|
id="Sconsens10")))Bitcoin's consensus mechanism is, at least
|
|
|
|
|
theoretically, vulnerable to attack by miners (or pools) that attempt to
|
|
|
|
|
use their hashing power to dishonest or destructive ends. As we saw, the
|
|
|
|
|
consensus mechanism depends on having a majority of the miners acting
|
|
|
|
|
honestly out of self-interest. However, if a miner or group of miners
|
|
|
|
|
can achieve a significant share of the mining power, they can attack the
|
|
|
|
|
consensus mechanism so as to disrupt the security and availability of
|
|
|
|
|
the Bitcoin network.
|
|
|
|
|
|
|
|
|
|
It is important to note that consensus attacks can only affect future
|
|
|
|
|
consensus, or at best, the most recent past (tens of blocks). Bitcoin's
|
|
|
|
|
ledger becomes more and more immutable as time passes. While in theory,
|
|
|
|
|
a fork can be achieved at any depth, in practice, the computing power
|
|
|
|
|
needed to force a very deep fork is immense, making old blocks
|
|
|
|
|
practically immutable. Consensus attacks also do not affect the security
|
|
|
|
|
of the private keys and signing algorithm (ECDSA). A consensus attack
|
|
|
|
|
cannot steal bitcoin, spend bitcoin without signatures, redirect
|
|
|
|
|
bitcoin, or otherwise change past transactions or ownership records.
|
|
|
|
|
((("denial-of-service attacks")))((("security", "denial-of-service
|
|
|
|
|
attacks")))Consensus attacks can only affect the most recent blocks and
|
|
|
|
|
cause denial-of-service disruptions on the creation of future blocks.
|
|
|
|
|
|
|
|
|
|
One attack scenario against the consensus mechanism is called the "51%
|
|
|
|
|
attack." In this scenario a group of miners, controlling a majority
|
|
|
|
|
(51%) of the total network's hashing power, collude to attack bitcoin.
|
|
|
|
|
With the ability to mine the majority of the blocks, the attacking
|
|
|
|
|
miners can cause deliberate "forks" in the blockchain and double-spend
|
|
|
|
|
transactions or execute denial-of-service attacks against specific
|
|
|
|
|
transactions or addresses. A fork/double-spend attack is where the
|
|
|
|
|
attacker causes previously confirmed blocks to be invalidated by forking
|
|
|
|
|
below them and re-converging on an alternate chain. With sufficient
|
|
|
|
|
power, an attacker can invalidate six or more blocks in a row, causing
|
|
|
|
|
transactions that were considered immutable (six confirmations) to be
|
|
|
|
|
invalidated. Note that a double-spend can only be done on the attacker's
|
|
|
|
|
own transactions, for which the attacker can produce a valid signature.
|
|
|
|
|
Double-spending one's own transactions is profitable if by invalidating
|
|
|
|
|
a transaction the attacker can get an irreversible exchange payment or
|
|
|
|
|
product without paying for it.
|
|
|
|
|
|
|
|
|
|
Let's examine a practical example of a 51% attack. In the first chapter,
|
|
|
|
|
we looked at a transaction between ((("use cases", "buying
|
|
|
|
|
coffee")))Alice and Bob for a cup of coffee. Bob, the cafe owner, is
|
|
|
|
|
willing to accept payment for cups of coffee without waiting for
|
|
|
|
|
confirmation (mining in a block), because the risk of a double-spend on
|
|
|
|
|
a cup of coffee is low in comparison to the convenience of rapid
|
|
|
|
|
customer service. This is similar to the practice of coffee shops that
|
|
|
|
|
accept credit card payments without a signature for amounts below $25,
|
|
|
|
|
because the risk of a credit-card chargeback is low while the cost of
|
|
|
|
|
delaying the transaction to obtain a signature is comparatively larger.
|
|
|
|
|
In contrast, selling a more expensive item for bitcoin runs the risk of
|
|
|
|
|
a double-spend attack, where the buyer broadcasts a competing
|
|
|
|
|
transaction that spends the same inputs (UTXO) and cancels the payment
|
|
|
|
|
to the merchant. A double-spend attack can happen in two ways: either
|
|
|
|
|
before a transaction is confirmed, or if the attacker takes advantage of
|
|
|
|
|
a blockchain fork to undo several blocks. A 51% attack allows attackers
|
|
|
|
|
to double-spend their own transactions in the new chain, thus undoing
|
|
|
|
|
the corresponding transaction in the old chain.
|
|
|
|
|
|
|
|
|
|
In our example, malicious attacker Mallory goes to ((("use cases",
|
|
|
|
|
"retail sales", id="carolten")))Carol's gallery and purchases a
|
|
|
|
|
beautiful triptych painting depicting Satoshi Nakamoto as Prometheus.
|
|
|
|
|
Carol sells "The Great Fire" paintings for $250,000 in bitcoin to
|
|
|
|
|
Mallory. Instead of waiting for six or more confirmations on the
|
|
|
|
|
transaction, Carol wraps and hands the paintings to Mallory after only
|
|
|
|
|
one confirmation. Mallory works with an accomplice, Paul, who operates a
|
|
|
|
|
large mining pool, and the accomplice launches a 51% attack as soon as
|
|
|
|
|
Mallory's transaction is included in a block. Paul directs the mining
|
|
|
|
|
pool to remine the same block height as the block containing Mallory's
|
|
|
|
|
transaction, replacing Mallory's payment to Carol with a transaction
|
|
|
|
|
that double-spends the same input as Mallory's payment. The double-spend
|
|
|
|
|
transaction consumes the same UTXO and pays it back to Mallory's wallet,
|
|
|
|
|
instead of paying it to Carol, essentially allowing Mallory to keep the
|
|
|
|
|
bitcoin. Paul then directs the mining pool to mine an additional block,
|
|
|
|
|
so as to make the chain containing the double-spend transaction longer
|
|
|
|
|
than the original chain (causing a fork below the block containing
|
|
|
|
|
Mallory's transaction). When the blockchain fork resolves in favor of
|
|
|
|
|
the new (longer) chain, the double-spent transaction replaces the
|
|
|
|
|
original payment to Carol. Carol is now missing the three paintings and
|
|
|
|
|
also has no bitcoin payment. Throughout all this activity, Paul's mining
|
|
|
|
|
pool participants might remain blissfully unaware of the double-spend
|
|
|
|
|
attempt, because they mine with automated miners and cannot monitor
|
|
|
|
|
every transaction or block.((("", startref="carolten")))
|
|
|
|
|
|
|
|
|
|
((("confirmations", "of large-value transactions",
|
|
|
|
|
secondary-sortas="large-value transactions")))To protect against this
|
|
|
|
|
kind of attack, a merchant selling large-value items must wait at least
|
|
|
|
|
six confirmations before giving the product to the buyer. Alternatively,
|
|
|
|
|
the merchant should use an escrow multisignature account, again waiting
|
|
|
|
|
for several confirmations after the escrow account is funded. The more
|
|
|
|
|
confirmations elapse, the harder it becomes to invalidate a transaction
|
|
|
|
|
with a 51% attack. For high-value items, payment by bitcoin will still
|
|
|
|
|
be convenient and efficient even if the buyer has to wait 24 hours for
|
|
|
|
|
delivery, which would correspond to approximately 144 confirmations.
|
|
|
|
|
|
|
|
|
|
In addition to a double-spend attack, the other scenario for a consensus
|
|
|
|
|
attack is to deny service to specific bitcoin participants (specific
|
|
|
|
|
Bitcoin addresses). An attacker with a majority of the mining power can
|
|
|
|
|
simply ignore specific transactions. If they are included in a block
|
|
|
|
|
mined by another miner, the attacker can deliberately fork and remine
|
|
|
|
|
that block, again excluding the specific transactions. This type of
|
|
|
|
|
attack can result in a sustained denial-of-service against a specific
|
|
|
|
|
address or set of addresses for as long as the attacker controls the
|
|
|
|
|
majority of the mining power.
|
|
|
|
|
|
|
|
|
|
Despite its name, the 51% attack scenario doesn't actually require 51%
|
|
|
|
|
of the hashing power. In fact, such an attack can be attempted with a
|
|
|
|
|
smaller percentage of the hashing power. The 51% threshold is simply the
|
|
|
|
|
level at which such an attack is almost guaranteed to succeed. A
|
|
|
|
|
consensus attack is essentially a tug-of-war for the next block and the
|
|
|
|
|
"stronger" group is more likely to win. With less hashing power, the
|
|
|
|
|
probability of success is reduced, because other miners control the
|
|
|
|
|
generation of some blocks with their "honest" mining power. One way to
|
|
|
|
|
look at it is that the more hashing power an attacker has, the longer
|
|
|
|
|
the fork he can deliberately create, the more blocks in the recent past
|
|
|
|
|
he can invalidate, or the more blocks in the future he can control.
|
|
|
|
|
Security research groups have used statistical modeling to claim that
|
|
|
|
|
various types of consensus attacks are possible with as little as 30% of
|
|
|
|
|
the hashing power.
|
|
|
|
|
|
|
|
|
|
The massive increase of total hashing power has arguably made bitcoin
|
|
|
|
|
impervious to attacks by a single miner. There is no possible way for a
|
|
|
|
|
solo miner to control more than a small percentage of the total mining
|
|
|
|
|
power. However, the centralization of control caused by mining pools has
|
|
|
|
|
introduced the risk of for-profit attacks by a mining pool operator. The
|
|
|
|
|
pool operator in a managed pool controls the construction of candidate
|
|
|
|
|
blocks and also controls which transactions are included. This gives the
|
|
|
|
|
pool operator the power to exclude transactions or introduce
|
|
|
|
|
double-spend transactions. If such abuse of power is done in a limited
|
|
|
|
|
and subtle way, a pool operator could conceivably profit from a
|
|
|
|
|
consensus attack without being noticed.
|
|
|
|
|
|
|
|
|
|
Not all attackers will be motivated by profit, however. One potential
|
|
|
|
|
attack scenario is where an attacker intends to disrupt the Bitcoin
|
|
|
|
|
network without the possibility of profiting from such disruption. A
|
|
|
|
|
malicious attack aimed at crippling bitcoin would require enormous
|
|
|
|
|
investment and covert planning, but could conceivably be launched by a
|
|
|
|
|
well-funded, most likely state-sponsored, attacker. Alternatively, a
|
|
|
|
|
well-funded attacker could attack bitcoin's consensus by simultaneously
|
|
|
|
|
amassing mining hardware, compromising pool operators, and attacking
|
|
|
|
|
other pools with denial-of-service. All of these scenarios are
|
|
|
|
|
theoretically possible, but increasingly impractical as the Bitcoin
|
|
|
|
|
network's overall hashing power continues to grow exponentially.
|
|
|
|
|
|
|
|
|
|
Undoubtedly, a serious consensus attack would erode confidence in
|
|
|
|
|
bitcoin in the short term, possibly causing a significant price decline.
|
|
|
|
|
However, the Bitcoin network and software are constantly evolving, so
|
|
|
|
|
consensus attacks would be met with immediate countermeasures by the
|
|
|
|
|
bitcoin community, making bitcoin more robust.((("",
|
|
|
|
|
startref="Cattack10")))((("", startref="MACattack10")))((("",
|
|
|
|
|
startref="Sconsens10")))
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[consensus_changes]]
|
|
|
|
|
=== Changing the Consensus Rules
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("mining and consensus", "consensus rules", "changing",
|
|
|
|
|
id="Crule10")))The rules of consensus determine the validity of
|
|
|
|
|
transactions and blocks. These rules are the basis for collaboration
|
|
|
|
|
between all Bitcoin nodes and are responsible for the convergence of all
|
|
|
|
|
local perspectives into a single consistent blockchain across the entire
|
|
|
|
|
network.
|
|
|
|
|
|
|
|
|
|
While the consensus rules are invariable in the short term and must be
|
|
|
|
|
consistent across all nodes, they are not invariable in the long term.
|
|
|
|
|
In order to evolve and develop the Bitcoin system, the rules have to
|
|
|
|
|
change from time to time to accommodate new features, improvements, or
|
|
|
|
|
bug fixes. Unlike traditional software development, however, upgrades to
|
|
|
|
|
a consensus system are much more difficult and require coordination
|
|
|
|
|
between all the participants.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[hard_forks]]
|
|
|
|
|
==== Hard Forks
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("forks", "changing consensus rules", id="forks10a")))((("forks",
|
|
|
|
|
"changing consensus rules", "hard forks")))In <<forks>> we looked at how
|
|
|
|
|
the Bitcoin network may briefly diverge, with two parts of the network
|
|
|
|
|
following two different branches of the blockchain for a short time. We
|
|
|
|
|
saw how this process occurs naturally, as part of the normal operation
|
|
|
|
|
of the network and how the network reconverges on a common blockchain
|
|
|
|
|
after one or more blocks are mined.
|
|
|
|
|
|
|
|
|
|
There is another scenario in which the network may diverge into
|
|
|
|
|
following two chains: a change in the consensus rules. This type of fork
|
|
|
|
|
is called a _hard fork_, because after the fork the network does not
|
|
|
|
|
reconverge onto a single chain. Instead, the two chains evolve
|
|
|
|
|
independently. Hard forks occur when part of the network is operating
|
|
|
|
|
under a different set of consensus rules than the rest of the network.
|
|
|
|
|
This may occur because of a bug or because of a deliberate change in the
|
|
|
|
|
implementation of the consensus rules.
|
|
|
|
|
|
|
|
|
|
Hard forks can be used to change the rules of consensus, but they
|
|
|
|
|
require coordination between all participants in the system. Any nodes
|
|
|
|
|
that do not upgrade to the new consensus rules are unable to participate
|
|
|
|
|
in the consensus mechanism and are forced onto a separate chain at the
|
|
|
|
|
moment of the hard fork. Thus, a change introduced by a hard fork can be
|
|
|
|
|
thought of as not "forward compatible," in that nonupgraded systems can
|
|
|
|
|
no longer process the new consensus rules.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
Let's examine the mechanics of a hard fork with a specific example.
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
<<blockchainwithforks>> shows a blockchain with two forks. At block
|
|
|
|
|
height 4, a one-block fork occurs. This is the type of spontaneous fork
|
|
|
|
|
we saw in <<forks>>. With the mining of block 5, the network reconverges
|
|
|
|
|
on one chain and the fork is resolved.
|
2017-04-24 21:35:13 +00:00
|
|
|
|
|
2017-04-24 21:09:15 +00:00
|
|
|
|
[[blockchainwithforks]]
|
|
|
|
|
.A blockchain with forks
|
|
|
|
|
image::images/mbc2_1009.png[A blockchain with forks]
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Later, however, at block height 6, a hard fork occurs. Let's assume that
|
|
|
|
|
a new implementation of the client is released with a change in the
|
|
|
|
|
consensus rules. Starting on block height 7, miners running this new
|
|
|
|
|
implementation will accept a new type of digital signature, let's call
|
|
|
|
|
it a "Smores" signature, that is not ECDSA based. Immediately after, a
|
|
|
|
|
node running the new implementation creates a transaction that contains
|
|
|
|
|
a Smores signature and a miner with the updated software mines block 7b
|
|
|
|
|
containing this transaction.
|
|
|
|
|
|
|
|
|
|
Any node or miner that has not upgraded the software to validate Smores
|
|
|
|
|
signatures is now unable to process block 7b. From their perspective,
|
|
|
|
|
both the transaction that contained a Smores signature and block 7b that
|
|
|
|
|
contained that transaction are invalid, because they are evaluating them
|
|
|
|
|
based upon the old consensus rules. These nodes will reject the
|
|
|
|
|
transaction and the block and will not propagate them. Any miners that
|
|
|
|
|
are using the old rules will not accept block 7b and will continue to
|
|
|
|
|
mine a candidate block whose parent is block 6. In fact, miners using
|
|
|
|
|
the old rules may not even receive block 7b if all the nodes they are
|
|
|
|
|
connected to are also obeying the old rules and therefore not
|
|
|
|
|
propagating the block. Eventually, they will be able to mine block 7a,
|
|
|
|
|
which is valid under the old rules and does not contain any transactions
|
|
|
|
|
with Smores signatures.
|
|
|
|
|
|
|
|
|
|
The two chains continue to diverge from this point. Miners on the "b"
|
|
|
|
|
chain will continue to accept and mine transactions containing Smores
|
|
|
|
|
signatures, while miners on the "a" chain will continue to ignore these
|
|
|
|
|
transactions. Even if block 8b does not contain any Smores-signed
|
|
|
|
|
transactions, the miners on the "a" chain cannot process it. To them it
|
2023-05-25 16:56:42 +00:00
|
|
|
|
appears to be an invalid block, as its parent "7b" is not recognized as a
|
2023-05-23 20:40:36 +00:00
|
|
|
|
valid block.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2017-05-10 17:04:27 +00:00
|
|
|
|
==== Hard Forks: Software, Network, Mining, and Chain
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("forks", "changing consensus rules", "software forks")))For software
|
|
|
|
|
developers, the term "fork" has another meaning, adding confusion to the
|
|
|
|
|
term "hard fork." In open source software, a fork occurs when a group of
|
|
|
|
|
developers choose to follow a different software roadmap and start a
|
|
|
|
|
competing implementation of an open source project. We've already
|
|
|
|
|
discussed two circumstances that will lead to a hard fork: a bug in the
|
|
|
|
|
consensus rules and a deliberate modification of the consensus rules. In
|
|
|
|
|
the case of a deliberate change to the consensus rules, a software fork
|
|
|
|
|
precedes the hard fork. However, for this type of hard fork to occur, a
|
|
|
|
|
new software implementation of the consensus rules must be developed,
|
|
|
|
|
adopted, and launched.
|
|
|
|
|
|
|
|
|
|
Examples of software forks that have attempted to change consensus rules
|
|
|
|
|
include Bitcoin XT, Bitcoin Classic, and most recently Bitcoin
|
|
|
|
|
Unlimited. However, none of these software forks have resulted in a hard
|
|
|
|
|
fork. While a software fork is a necessary precondition, it is not in
|
|
|
|
|
itself sufficient for a hard fork to occur. For a hard fork to occur,
|
|
|
|
|
the competing implementation must be adopted and the new rules
|
|
|
|
|
activated, by miners, wallets, and intermediary nodes. Conversely, there
|
|
|
|
|
are numerous alternative implementations of Bitcoin Core, and even
|
|
|
|
|
software forks, that do not change the consensus rules and barring a
|
|
|
|
|
bug, can coexist on the network and interoperate without causing a hard
|
|
|
|
|
fork.
|
|
|
|
|
|
|
|
|
|
Consensus rules may differ in obvious and explicit ways, in the
|
|
|
|
|
validation of transactions or blocks. The rules may also differ in more
|
|
|
|
|
subtle ways, in the implementation of the consensus rules as they apply
|
|
|
|
|
to bitcoin scripts or cryptographic primitives such as digital
|
|
|
|
|
signatures. Finally, the consensus rules may differ in unanticipated
|
|
|
|
|
ways because of implicit consensus constraints imposed by system
|
|
|
|
|
limitations or implementation details. An example of the latter was seen
|
|
|
|
|
in the unanticipated hard fork during the upgrade of Bitcoin Core 0.7 to
|
|
|
|
|
0.8, which was caused by a limitation in the Berkley DB implementation
|
|
|
|
|
used to store blocks.
|
|
|
|
|
|
|
|
|
|
Conceptually, we can think of a hard fork as developing in four stages:
|
|
|
|
|
a software fork, a network fork, a mining fork, and a chain fork.
|
|
|
|
|
|
|
|
|
|
The process begins when an alternative implementation of the client,
|
|
|
|
|
with modified consensus rules, is created by developers.
|
|
|
|
|
|
|
|
|
|
When this forked implementation is deployed in the network, a certain
|
|
|
|
|
percentage of miners, wallet users, and intermediate nodes may adopt and
|
|
|
|
|
run this implementation. A resulting fork will depend upon whether the
|
|
|
|
|
new consensus rules apply to blocks, transactions, or some other aspect
|
|
|
|
|
of the system. If the new consensus rules pertain to transactions, then
|
|
|
|
|
a wallet creating a transaction under the new rules may precipitate a
|
|
|
|
|
network fork, followed by a hard fork when the transaction is mined into
|
|
|
|
|
a block. If the new rules pertain to blocks, then the hard fork process
|
|
|
|
|
will begin when a block is mined under the new rules.
|
|
|
|
|
|
|
|
|
|
First, the network will fork. Nodes based on the original implementation
|
|
|
|
|
of the consensus rules will reject any transactions and blocks that are
|
|
|
|
|
created under the new rules. Furthermore, the nodes following the
|
|
|
|
|
original consensus rules will temporarily ban and disconnect from any
|
|
|
|
|
nodes that are sending them these invalid transactions and blocks. As a
|
|
|
|
|
result, the network will partition into two: old nodes will only remain
|
|
|
|
|
connected to old nodes and new nodes will only be connected to new
|
|
|
|
|
nodes. A single transaction or block based on the new rules will ripple
|
|
|
|
|
through the network and result in the partition into two networks.
|
|
|
|
|
|
|
|
|
|
Once a miner using the new rules mines a block, the mining power and
|
|
|
|
|
chain will also fork. New miners will mine on top of the new block,
|
|
|
|
|
while old miners will mine a separate chain based on the old rules. The
|
|
|
|
|
partitioned network will make it so that the miners operating on
|
|
|
|
|
separate consensus rules won't likely receive each other's blocks, as
|
|
|
|
|
they are connected to two separate networks.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
==== Diverging Miners and Difficulty
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("forks", "changing consensus rules", "diverging miners and
|
|
|
|
|
difficulty")))As miners diverge into mining two different chains, the
|
|
|
|
|
hashing power is split between the chains. The mining power can be split
|
|
|
|
|
in any proportion between the two chains. The new rules may only be
|
|
|
|
|
followed by a minority, or by the vast majority of the mining power.
|
|
|
|
|
|
|
|
|
|
Let's assume, for example, an 80%–20% split, with the majority of
|
|
|
|
|
the mining power using the new consensus rules. Let's also assume that
|
|
|
|
|
the fork occurs immediately after a retargeting period.
|
|
|
|
|
|
|
|
|
|
The two chains would each inherit the difficulty from the retargeting
|
|
|
|
|
period. The new consensus rules would have 80% of the previously
|
|
|
|
|
available mining power committed to them. From the perspective of this
|
|
|
|
|
chain, the mining power has suddenly declined by 20% vis-a-vis the
|
|
|
|
|
previous period. Blocks will be found on average every 12.5 minutes,
|
|
|
|
|
representing the 20% decline in mining power available to extend this
|
|
|
|
|
chain. This rate of block issuance will continue (barring any changes in
|
|
|
|
|
hashing power) until 2016 blocks are mined, which will take
|
|
|
|
|
approximately 25,200 minutes (at 12.5 minutes per block), or 17.5 days.
|
|
|
|
|
After 17.5 days, a retarget will occur and the difficulty will adjust
|
|
|
|
|
(reduced by 20%) to produce 10-minute blocks again, based on the reduced
|
|
|
|
|
amount of hashing power in this chain.
|
|
|
|
|
|
|
|
|
|
The minority chain, mining under the old rules with only 20% of the
|
|
|
|
|
hashing power, will face a much more difficult task. On this chain,
|
|
|
|
|
blocks will now be mined every 50 minutes on average. The difficulty
|
|
|
|
|
will not be adjusted for 2016 blocks, which will take 100,800 minutes,
|
|
|
|
|
or approximately 10 weeks to mine. Assuming a fixed capacity per block,
|
|
|
|
|
this will also result in a reduction of transaction capacity by a factor
|
|
|
|
|
of 5, as there are fewer blocks per hour available to record
|
|
|
|
|
transactions.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
==== Contentious Hard Forks
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("forks", "changing consensus rules", "contentious hard
|
|
|
|
|
forks")))((("hard forks")))This is the dawn of consensus software
|
|
|
|
|
development. Just as open source development changed both the methods
|
|
|
|
|
and products of software and created new methodologies, new tools, and
|
|
|
|
|
new communities in its wake, consensus software development also
|
|
|
|
|
represents a new frontier in computer science. Out of the debates,
|
|
|
|
|
experiments, and tribulations of the bitcoin development roadmap, we
|
|
|
|
|
will see new development tools, practices, methodologies, and
|
|
|
|
|
communities emerge.
|
|
|
|
|
|
|
|
|
|
Hard forks are seen as risky because they force a minority to either
|
|
|
|
|
upgrade or remain on a minority chain. The risk of splitting the entire
|
|
|
|
|
system into two competing systems is seen by many as an unacceptable
|
|
|
|
|
risk. As a result, many developers are reluctant to use the hard fork
|
|
|
|
|
mechanism to implement upgrades to the consensus rules, unless there is
|
|
|
|
|
near-unanimous support from the entire network. Any hard fork proposals
|
|
|
|
|
that do not have near-unanimous support are considered too "contentious"
|
|
|
|
|
to attempt without risking a partition of the system.
|
|
|
|
|
|
|
|
|
|
The issue of hard forks is highly controversial in the bitcoin
|
|
|
|
|
development community, especially as it relates to any proposed changes
|
|
|
|
|
to the consensus rules controlling the maximum block size limit. Some
|
|
|
|
|
developers are opposed to any form of hard fork, seeing it as too risky.
|
|
|
|
|
Others see the mechanism of hard fork as an essential tool for upgrading
|
|
|
|
|
the consensus rules in a way that avoids "technical debt" and provides a
|
|
|
|
|
clean break with the past. Finally, some developers see hard forks as a
|
|
|
|
|
mechanism that should be used rarely, with a lot of advance planning and
|
|
|
|
|
only under near-unanimous consensus.
|
|
|
|
|
|
|
|
|
|
Already we have seen the emergence of new methodologies to address the
|
|
|
|
|
risks of hard forks. In the next section, we will look at soft forks,
|
2023-05-23 20:47:54 +00:00
|
|
|
|
and the BIP34 and BIP9 methods for signaling and activation of
|
2023-05-23 20:40:36 +00:00
|
|
|
|
consensus modifications.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
==== Soft Forks
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("forks", "changing consensus rules", "soft forks")))((("soft forks",
|
|
|
|
|
"defined")))Not all consensus rule changes cause a hard fork. Only
|
|
|
|
|
consensus changes that are forward-incompatible cause a fork. If the
|
|
|
|
|
change is implemented in such a way that an unmodified client still sees
|
|
|
|
|
the transaction or block as valid under the previous rules, the change
|
|
|
|
|
can happen without a fork.
|
|
|
|
|
|
|
|
|
|
The term _soft fork_ was introduced to distinguish this upgrade method
|
|
|
|
|
from a "hard fork." In practice, a soft fork is not a fork at all. A
|
|
|
|
|
soft fork is a forward-compatible change to the consensus rules that
|
|
|
|
|
allows unupgraded clients to continue to operate in consensus with the
|
|
|
|
|
new rules.
|
|
|
|
|
|
|
|
|
|
One aspect of soft forks that is not immediately obvious is that soft
|
|
|
|
|
fork upgrades can only be used to constrain the consensus rules, not to
|
|
|
|
|
expand them. In order to be forward compatible, transactions and blocks
|
|
|
|
|
created under the new rules must be valid under the old rules too, but
|
|
|
|
|
not vice versa. The new rules can only limit what is valid; otherwise,
|
|
|
|
|
they will trigger a hard fork when rejected under the old rules.
|
|
|
|
|
|
|
|
|
|
Soft forks can be implemented in a number of ways—the term does
|
|
|
|
|
not specify a particular method, rather a set of methods that all have
|
|
|
|
|
one thing in common: they don't require all nodes to upgrade or force
|
|
|
|
|
nonupgraded nodes out of consensus.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
===== Soft forks redefining NOP opcodes
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("opcodes", "redefinition by soft forks")))((("soft forks",
|
|
|
|
|
"redefinition of NOP codes")))A number of soft forks have been
|
|
|
|
|
implemented in bitcoin, based on the re-interpretation of NOP opcodes.
|
|
|
|
|
Bitcoin Script had ten opcodes reserved for future use, NOP1 through
|
|
|
|
|
NOP10. Under the consensus rules, the presence of these opcodes in a
|
|
|
|
|
script is interpreted as a null-potent operator, meaning they have no
|
|
|
|
|
effect. Execution continues after the NOP opcode as if it wasn't there.
|
|
|
|
|
|
|
|
|
|
A soft fork therefore can modify the semantics of a NOP code to give it
|
2023-05-23 20:47:54 +00:00
|
|
|
|
new meaning. For example, BIP65 (+CHECKLOCKTIMEVERIFY+) reinterpreted
|
|
|
|
|
the NOP2 opcode. Clients implementing BIP65 interpret NOP2 as
|
2023-05-23 20:40:36 +00:00
|
|
|
|
+OP_CHECKLOCKTIMEVERIFY+ and impose an absolute locktime consensus rule
|
|
|
|
|
on UTXO that contain this opcode in their locking scripts. This change
|
2023-05-23 20:47:54 +00:00
|
|
|
|
is a soft fork because a transaction that is valid under BIP65 is also
|
|
|
|
|
valid on any client that is not implementing (ignorant of) BIP65. To
|
2023-05-23 20:40:36 +00:00
|
|
|
|
the old clients, the script contains an NOP code, which is ignored.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
===== Other ways to soft fork upgrade
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
The reinterpretation of NOP opcodes was both planned for and an obvious
|
|
|
|
|
mechanism for consensus upgrades. Recently, however, another soft fork
|
|
|
|
|
mechanism was introduced that does not rely on NOP opcodes for a very
|
|
|
|
|
specific type of consensus change. This is examined in more detail in
|
|
|
|
|
<<segwit>>. Segwit is an architectural change to the structure of a
|
|
|
|
|
transaction, which moves the unlocking script (witness) from inside the
|
|
|
|
|
transaction to an external data structure (segregating it). Segwit was
|
|
|
|
|
initially envisioned as a hard fork upgrade, as it modified a
|
|
|
|
|
fundamental structure (transaction). In November 2015, a developer
|
|
|
|
|
working on Bitcoin Core proposed a mechanism by which segwit could be
|
|
|
|
|
introduced as a soft fork. The mechanism used for this is a modification
|
|
|
|
|
of the locking script of UTXO created under segwit rules, such that
|
|
|
|
|
unmodified clients see the locking script as redeemable with any
|
|
|
|
|
unlocking script whatsoever. As a result, segwit can be introduced
|
|
|
|
|
without requiring every node to upgrade or split from the chain: a soft
|
|
|
|
|
fork.
|
|
|
|
|
|
|
|
|
|
It is likely that there are other, yet to be discovered, mechanisms by
|
|
|
|
|
which upgrades can be made in a forward-compatible way as a soft fork.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
==== Criticisms of Soft Forks
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("forks", "changing consensus rules", "soft fork drawbacks")))((("soft
|
|
|
|
|
forks", "drawbacks of")))Soft forks based on the NOP opcodes are
|
|
|
|
|
relatively uncontroversial. The NOP opcodes were placed in Bitcoin
|
|
|
|
|
Script with the explicit goal of allowing non-disruptive upgrades.
|
|
|
|
|
|
|
|
|
|
However, many developers are concerned that other methods of soft fork
|
|
|
|
|
upgrades make unacceptable tradeoffs. Common criticisms of soft fork
|
|
|
|
|
changes include:
|
|
|
|
|
|
|
|
|
|
Technical debt:: Because soft forks are more technically complex than a
|
|
|
|
|
hard fork upgrade, they introduce _technical debt_, a term that refers
|
|
|
|
|
to increasing the future cost of code maintenance because of design
|
|
|
|
|
tradeoffs made in the past. Code complexity in turn increases the
|
|
|
|
|
likelihood of bugs and security vulnerabilities.
|
|
|
|
|
|
|
|
|
|
Validation relaxation:: Unmodified clients see transactions as valid,
|
|
|
|
|
without evaluating the modified consensus rules. In effect, the
|
|
|
|
|
unmodified clients are not validating using the full range of consensus
|
|
|
|
|
rules, as they are blind to the new rules. This applies to NOP-based
|
|
|
|
|
upgrades, as well as other soft fork upgrades.
|
|
|
|
|
|
|
|
|
|
Irreversible upgrades:: Because soft forks create transactions with
|
|
|
|
|
additional consensus constraints, they become irreversible upgrades in
|
|
|
|
|
practice. If a soft fork upgrade were to be reversed after beings
|
|
|
|
|
activated, any transactions created under the new rules could result in
|
|
|
|
|
a loss of funds under the old rules. For example, if a CLTV transaction
|
|
|
|
|
is evaluated under the old rules, there is no timelock constraint and it
|
|
|
|
|
can be spent at any time. Therefore, critics contend that a failed soft
|
|
|
|
|
fork that had to be reversed because of a bug would almost certainly
|
|
|
|
|
lead to loss of funds.((("", startref="Crule10")))
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[[softforksignaling]]
|
|
|
|
|
=== Soft Fork Signaling with Block Version
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("forks", "changing consensus rules", "soft fork
|
|
|
|
|
activation")))((("soft forks", "activation")))Since soft forks allow
|
|
|
|
|
unmodified clients to continue to operate within consensus, the
|
|
|
|
|
mechanism for "activating" a soft fork is through miners signaling
|
|
|
|
|
readiness: a majority of miners must agree that they are ready and
|
|
|
|
|
willing to enforce the new consensus rules. To coordinate their actions,
|
|
|
|
|
there is a signaling mechanism that allows them to show their support
|
|
|
|
|
for a consensus rule change. This mechanism was introduced with the
|
2023-05-23 20:47:54 +00:00
|
|
|
|
activation of BIP34 in March 2013 and replaced by the activation of
|
|
|
|
|
BIP9 in July 2016.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:47:54 +00:00
|
|
|
|
==== BIP34 Signaling and Activation
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("bitcoin improvement proposals", "Block v2, Height in Coinbase
|
2023-05-23 20:47:54 +00:00
|
|
|
|
(BIP34)")))The first implementation, in BIP34, used the block version
|
2023-05-23 20:40:36 +00:00
|
|
|
|
field to allow miners to signal readiness for a specific consensus rule
|
2023-05-23 20:47:54 +00:00
|
|
|
|
change. Prior to BIP34, the block version was set to "1" by
|
2023-05-23 20:40:36 +00:00
|
|
|
|
_convention_ not enforced by _consensus_.
|
|
|
|
|
|
2023-05-23 20:47:54 +00:00
|
|
|
|
BIP34 defined a consensus rule change that required the coinbase field
|
2023-05-23 20:40:36 +00:00
|
|
|
|
(input) of the coinbase transaction to contain the block height. Prior
|
2023-05-23 20:47:54 +00:00
|
|
|
|
to BIP34, the coinbase could contain any arbitrary data the miners
|
|
|
|
|
chose to include. After activation of BIP34, valid blocks had to
|
2023-05-23 20:40:36 +00:00
|
|
|
|
contain a specific block-height at the beginning of the coinbase and be
|
|
|
|
|
identified with a version number greater than or equal to "2."
|
|
|
|
|
|
2023-05-23 20:47:54 +00:00
|
|
|
|
To signal the change and activation of BIP34, miners set the block
|
2023-05-23 20:40:36 +00:00
|
|
|
|
version to "2," instead of "1." This did not immediately make version
|
|
|
|
|
"1" blocks invalid. Once activated, version "1" blocks would become
|
|
|
|
|
invalid and all version "2" blocks would be required to contain the
|
|
|
|
|
block height in the coinbase to be valid.
|
|
|
|
|
|
2023-05-23 20:47:54 +00:00
|
|
|
|
BIP34 defined a two-step activation mechanism, based on a rolling
|
2023-05-23 20:40:36 +00:00
|
|
|
|
window of 1000 blocks. A miner would signal his or her individual
|
2023-05-23 20:47:54 +00:00
|
|
|
|
readiness for BIP34 by constructing blocks with "2" as the version
|
2023-05-23 20:40:36 +00:00
|
|
|
|
number. Strictly speaking, these blocks did not yet have to comply with
|
|
|
|
|
the new consensus rule of including the block-height in the coinbase
|
|
|
|
|
transaction because the consensus rule had not yet been activated. The
|
|
|
|
|
consensus rules activated in two steps:
|
|
|
|
|
|
|
|
|
|
- If 75% (750 of the most recent 1000 blocks) are marked with version
|
|
|
|
|
"2," then version "2" blocks must contain block height in the coinbase
|
|
|
|
|
transaction or they are rejected as invalid. Version "1" blocks are
|
|
|
|
|
still accepted by the network and do not need to contain block-height.
|
|
|
|
|
The old and new consensus rules coexist during this period.
|
|
|
|
|
|
|
|
|
|
- When 95% (950 of the most recent 1000 blocks) are version "2," version
|
|
|
|
|
"1" blocks are no longer considered valid. Version "2" blocks are
|
|
|
|
|
valid only if they contain the block-height in the coinbase (as per
|
|
|
|
|
the previous threshold). Thereafter, all blocks must comply with the
|
|
|
|
|
new consensus rules, and all valid blocks must contain block-height in
|
|
|
|
|
the coinbase transaction.
|
|
|
|
|
|
2023-05-23 20:47:54 +00:00
|
|
|
|
After successful signaling and activation under the BIP34 rules, this
|
2023-05-23 20:40:36 +00:00
|
|
|
|
mechanism was used twice more to activate soft forks:
|
|
|
|
|
|
2023-05-23 20:47:54 +00:00
|
|
|
|
- https://github.com/bitcoin/bips/blob/master/bip-0066.mediawiki[BIP66]
|
|
|
|
|
Strict DER Encoding of Signatures was activated by BIP34 style
|
2023-05-23 20:40:36 +00:00
|
|
|
|
signaling with a block version "3" and invalidating version "2"
|
|
|
|
|
blocks.
|
|
|
|
|
|
2023-05-23 20:47:54 +00:00
|
|
|
|
- https://github.com/bitcoin/bips/blob/master/bip-0065.mediawiki[BIP65]
|
|
|
|
|
+CHECKLOCKTIMEVERIFY+ was activated by BIP34 style signaling with a
|
2023-05-23 20:40:36 +00:00
|
|
|
|
block version "4" and invalidating version "3" blocks.
|
|
|
|
|
|
2023-05-23 20:47:54 +00:00
|
|
|
|
After the activation of BIP65, the signaling and activation mechanism
|
|
|
|
|
of BIP34 was retired and replaced with the BIP9 signaling mechanism
|
2023-05-23 20:40:36 +00:00
|
|
|
|
described next.
|
|
|
|
|
|
|
|
|
|
The standard is defined in
|
2023-05-23 20:47:54 +00:00
|
|
|
|
https://github.com/bitcoin/bips/blob/master/bip-0034.mediawiki[BIP34
|
2023-05-23 20:40:36 +00:00
|
|
|
|
(Block v2, Height in Coinbase)].
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:47:54 +00:00
|
|
|
|
==== BIP9 Signaling and Activation
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("bitcoin improvement proposals", "Version bits with timeout and delay
|
2023-05-23 20:47:54 +00:00
|
|
|
|
(BIP9)")))((("bitcoin improvement proposals", "CHECKLOCKTIMEVERIFY
|
|
|
|
|
(BIP65)")))((("bitcoin improvement proposals", "Strict DER signatures
|
|
|
|
|
(BIP66)")))The mechanism used by BIP34, BIP66, and BIP65 was
|
2023-05-23 20:40:36 +00:00
|
|
|
|
successful in activating three soft forks. However, it was replaced
|
|
|
|
|
because it had several limitations:
|
|
|
|
|
|
|
|
|
|
- By using the integer value of the block version, only one soft fork
|
|
|
|
|
could be activated at a time, so it required coordination between soft
|
|
|
|
|
fork proposals and agreement on their prioritization and sequencing.
|
|
|
|
|
|
|
|
|
|
- Furthermore, because the block version was incremented, the mechanism
|
|
|
|
|
didn't offer a straightforward way to reject a change and then propose
|
|
|
|
|
a different one. If old clients were still running, they could mistake
|
|
|
|
|
signaling for a new change as signaling for the previously rejected
|
|
|
|
|
change.
|
|
|
|
|
|
|
|
|
|
- Each new change irrevocably reduced the available block versions for
|
|
|
|
|
future changes.
|
|
|
|
|
|
2023-05-23 20:47:54 +00:00
|
|
|
|
BIP9 was proposed to overcome these challenges and improve the rate and
|
2023-05-23 20:40:36 +00:00
|
|
|
|
ease of implementing future changes.
|
|
|
|
|
|
2023-05-23 20:47:54 +00:00
|
|
|
|
BIP9 interprets the block version as a bit field instead of an integer.
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Because the block version was originally used as an integer, versions 1
|
|
|
|
|
through 4, only 29 bits remain available to be used as a bit field. This
|
|
|
|
|
leaves 29 bits that can be used to independently and simultaneously
|
|
|
|
|
signal readiness on 29 different proposals.
|
|
|
|
|
|
2023-05-23 20:47:54 +00:00
|
|
|
|
BIP9 also sets a maximum time for signaling and activation. This way
|
2023-05-23 20:40:36 +00:00
|
|
|
|
miners don't need to signal forever. If a proposal is not activated
|
|
|
|
|
within the +TIMEOUT+ period (defined in the proposal), the proposal is
|
|
|
|
|
considered rejected. The proposal may be resubmitted for signaling with
|
|
|
|
|
a different bit, renewing the activation period.
|
|
|
|
|
|
|
|
|
|
Furthermore, after the +TIMEOUT+ has passed and a feature has been
|
|
|
|
|
activated or rejected, the signaling bit can be reused for another
|
|
|
|
|
feature without confusion. Therefore, up to 29 changes can be signaled
|
|
|
|
|
in parallel and after +TIMEOUT+ the bits can be "recycled" to propose
|
|
|
|
|
new changes.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
[NOTE]
|
|
|
|
|
====
|
2023-05-23 20:40:36 +00:00
|
|
|
|
While signaling bits can be reused or recycled, as long as the voting
|
2023-05-23 20:47:54 +00:00
|
|
|
|
period does not overlap, the authors of BIP9 recommend that bits are
|
2023-05-23 20:40:36 +00:00
|
|
|
|
reused only when necessary; unexpected behavior could occur due to bugs
|
|
|
|
|
in older software. In short, we should not expect to see reuse until all
|
|
|
|
|
29 bits have been used once.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
Proposed changes are identified by a data structure that contains the following fields:
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
name:: A short description used to distinguish between proposals. Most
|
|
|
|
|
often the BIP describing the proposal, as "bipN," where N is the BIP
|
|
|
|
|
number.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
bit:: 0 through 28, the bit in the block version that miners use to
|
|
|
|
|
signal approval for this proposal.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
starttime:: The time (based on Median Time Past, or MTP) that signaling
|
|
|
|
|
starts after which the bit's value is interpreted as signaling readiness
|
|
|
|
|
for the proposal.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
endtime:: The time (based on MTP) after which the change is considered
|
|
|
|
|
rejected if it has not reached the activation threshold.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:47:54 +00:00
|
|
|
|
Unlike BIP34, BIP9 counts activation signaling in whole intervals
|
2023-05-23 20:40:36 +00:00
|
|
|
|
based on the difficulty retarget period of 2016 blocks. For every
|
|
|
|
|
retarget period, if the sum of blocks signaling for a proposal exceeds
|
|
|
|
|
95% (1916 of 2016), the proposal will be activated one retarget period
|
|
|
|
|
later.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:47:54 +00:00
|
|
|
|
BIP9 offers a proposal state diagram to illustrate the various stages
|
2023-05-23 20:40:36 +00:00
|
|
|
|
and transitions for a proposal, as shown in <<bip9states>>.
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
Proposals start in the +DEFINED+ state, once their parameters are known
|
|
|
|
|
(defined) in the bitcoin software. For blocks with MTP after the start
|
|
|
|
|
time, the proposal state transitions to +STARTED+. If the voting
|
|
|
|
|
threshold is exceeded within a retarget period and the timeout has not
|
|
|
|
|
been exceeded, the proposal state transitions to +LOCKED_IN+. One
|
|
|
|
|
retarget period later, the proposal becomes +ACTIVE+. Proposals remain
|
|
|
|
|
in the +ACTIVE+ state perpetually once they reach that state. If the
|
|
|
|
|
timeout elapses before the voting threshold has been reached, the
|
|
|
|
|
proposal state changes to +FAILED+, indicating a rejected proposal.
|
|
|
|
|
+FAILED+ proposals remain in that state perpetually.
|
2017-05-18 15:54:01 +00:00
|
|
|
|
|
2017-04-24 21:09:15 +00:00
|
|
|
|
[[bip9states]]
|
2023-05-23 20:47:54 +00:00
|
|
|
|
.BIP9 state transition diagram
|
|
|
|
|
image::images/mbc2_1010.png[BIP9 Proposal State Transition Diagram]
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:47:54 +00:00
|
|
|
|
BIP9 was first implemented for the activation of +CHECKSEQUENCEVERIFY+
|
2023-05-23 20:40:36 +00:00
|
|
|
|
and associated BIPs (68, 112, 113). The proposal named "csv" was
|
|
|
|
|
activated successfully in July of 2016.((("", startref="forks10a")))
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
The standard is defined in
|
2023-05-23 20:47:54 +00:00
|
|
|
|
https://github.com/bitcoin/bips/blob/master/bip-0009.mediawiki[BIP9
|
2023-05-23 20:40:36 +00:00
|
|
|
|
(Version bits with timeout and delay)].
|
2017-04-24 21:09:15 +00:00
|
|
|
|
|
|
|
|
|
=== Consensus Software Development
|
|
|
|
|
|
2023-05-23 20:40:36 +00:00
|
|
|
|
((("mining and consensus", "consensus software
|
|
|
|
|
development")))((("development environment", "consensus software
|
|
|
|
|
development")))Consensus software continues to evolve and there is much
|
|
|
|
|
discussion on the various mechanisms for changing the consensus rules.
|
|
|
|
|
By its very nature, bitcoin sets a very high bar on coordination and
|
|
|
|
|
consensus for changes. As a decentralized system, it has no "authority"
|
|
|
|
|
that can impose its will on the participants of the network. Power is
|
|
|
|
|
diffused between multiple constituencies such as miners, core
|
|
|
|
|
developers, wallet developers, exchanges, merchants, and end users.
|
|
|
|
|
Decisions cannot be made unilaterally by any of these constituencies.
|
|
|
|
|
For example, while miners can theoretically change the rules by simple
|
|
|
|
|
majority (51%), they are constrained by the consent of the other
|
|
|
|
|
constituencies. If they act unilaterally, the rest of the participants
|
|
|
|
|
may simply refuse to follow them, keeping the economic activity on a
|
|
|
|
|
minority chain. Without economic activity (transactions, merchants,
|
|
|
|
|
wallets, exchanges), the miners will be mining a worthless coin with
|
|
|
|
|
empty blocks. This diffusion of power means that all the participants
|
|
|
|
|
must coordinate, or no changes can be made. Status quo is the stable
|
|
|
|
|
state of this system with only a few changes possible if there is strong
|
|
|
|
|
consensus by a very large majority. The 95% threshold for soft forks is
|
|
|
|
|
reflective of this reality.
|
|
|
|
|
|
|
|
|
|
((("hard forks")))It is important to recognize that there is no perfect
|
|
|
|
|
solution for consensus development. Both hard forks and soft forks
|
|
|
|
|
involve tradeoffs. For some types of changes, soft forks may be a better
|
|
|
|
|
choice; for others, hard forks may be a better choice. There is no
|
|
|
|
|
perfect choice; both carry risks. The one constant characteristic of
|
|
|
|
|
consensus software development is that change is difficult and consensus
|
|
|
|
|
forces compromise.
|
|
|
|
|
|
|
|
|
|
Some see this as a weakness of consensus systems. In time, you may come
|
|
|
|
|
to see it as I do, as the system's greatest strength.
|