|
|
|
|
@ -1,13 +1,6 @@
|
|
|
|
|
[[mining]]
|
|
|
|
|
== Mining and Consensus
|
|
|
|
|
|
|
|
|
|
[[duplicate_transactions]]
|
|
|
|
|
=== Preventing Duplicate Transactions
|
|
|
|
|
|
|
|
|
|
FIXME:BIP30 and 34
|
|
|
|
|
|
|
|
|
|
=== Introduction
|
|
|
|
|
|
|
|
|
|
((("mining and consensus", "purpose of")))The word "mining" is somewhat
|
|
|
|
|
misleading. By evoking the extraction of precious metals, it focuses our
|
|
|
|
|
attention on the reward for mining, the new bitcoin created in each
|
|
|
|
|
@ -16,8 +9,8 @@ purpose of mining is not the reward or the generation of new coins. If
|
|
|
|
|
you view mining only as the process by which coins are created, you are
|
|
|
|
|
mistaking the means (incentives) as the goal of the process. Mining is
|
|
|
|
|
the mechanism that underpins the decentralized clearinghouse, by which
|
|
|
|
|
transactions are validated and cleared. Mining is the invention that
|
|
|
|
|
makes bitcoin special, a decentralized security mechanism that is the
|
|
|
|
|
transactions are validated and cleared. Mining is one of the inventions that
|
|
|
|
|
makes Bitcoin special, a decentralized consensus mechanism that is the
|
|
|
|
|
basis for P2P digital cash.
|
|
|
|
|
|
|
|
|
|
((("mining and consensus", "decentralized consensus")))((("central
|
|
|
|
|
@ -32,7 +25,7 @@ implementing the monetary supply.
|
|
|
|
|
====
|
|
|
|
|
((("decentralized systems", "bitcoin mining and")))The purpose of mining
|
|
|
|
|
is not the creation of new bitcoin. That's the incentive system. Mining
|
|
|
|
|
is the mechanism by which bitcoin's _security_ is _decentralized_.
|
|
|
|
|
is the mechanism by which Bitcoin's _consensus security_ is _decentralized_.
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
Miners record new transactions on the global ledger. A
|
|
|
|
|
@ -55,26 +48,25 @@ solution to the problem, called the Proof-of-Work, is included in the
|
|
|
|
|
new block and acts as proof that the miner expended significant
|
|
|
|
|
computing effort. The competition to solve the Proof-of-Work algorithm
|
|
|
|
|
to earn the reward and the right to record transactions on the
|
|
|
|
|
blockchain is the basis for bitcoin's security model.
|
|
|
|
|
blockchain is the basis for Bitcoin's security model.
|
|
|
|
|
|
|
|
|
|
The process is called mining because the reward (new coin generation) is
|
|
|
|
|
designed to simulate diminishing returns, just like mining for precious
|
|
|
|
|
metals. Bitcoin's money supply is created through mining, similar to how
|
|
|
|
|
Bitcoin's money supply is created in a process that's similar to how
|
|
|
|
|
a central bank issues new money by printing bank notes. The maximum
|
|
|
|
|
amount of newly created bitcoin a miner can add to a block decreases
|
|
|
|
|
approximately every four years (or precisely every 210,000 blocks). It
|
|
|
|
|
started at 50 bitcoin per block in January of 2009 and halved to 25
|
|
|
|
|
bitcoin per block in November of 2012. It halved again to 12.5 bitcoin
|
|
|
|
|
in July 2016. Based on this formula, bitcoin mining rewards decrease
|
|
|
|
|
in July 2016, and again to 6.25 in May 2020. Based on this formula, bitcoin mining rewards decrease
|
|
|
|
|
exponentially until approximately the year 2140, when all bitcoin
|
|
|
|
|
(20.99999998 million) will have been issued. After 2140, no new bitcoin
|
|
|
|
|
will have been issued. After 2140, no new bitcoin
|
|
|
|
|
will be issued.
|
|
|
|
|
|
|
|
|
|
Bitcoin miners also earn fees from transactions. Every transaction may
|
|
|
|
|
include a transaction fee, in the form of a surplus of bitcoin between
|
|
|
|
|
the transaction's inputs and outputs. The winning bitcoin miner gets to
|
|
|
|
|
"keep the change" on the transactions included in the winning block.
|
|
|
|
|
Today, the fees represent 0.5% or less of a bitcoin miner's income, the
|
|
|
|
|
Today, the fees usually represent only a small percentage of a bitcoin
|
|
|
|
|
miner's income, with the
|
|
|
|
|
vast majority coming from the newly minted bitcoin. However, as the
|
|
|
|
|
reward decreases over time and the number of transactions per block
|
|
|
|
|
increases, a greater proportion of bitcoin mining earnings will come
|
|
|
|
|
@ -85,7 +77,7 @@ will be incentivized only by transaction fees.
|
|
|
|
|
|
|
|
|
|
In this chapter, we will first examine mining as a monetary supply
|
|
|
|
|
mechanism and then look at the most important function of mining: the
|
|
|
|
|
decentralized consensus mechanism that underpins bitcoin's security.
|
|
|
|
|
decentralized consensus mechanism that underpins Bitcoin's security.
|
|
|
|
|
|
|
|
|
|
To understand mining and consensus, we will follow Alice's transaction
|
|
|
|
|
as it is received and added to a block by Jing's mining equipment. Then
|
|
|
|
|
@ -93,7 +85,7 @@ we will follow the block as it is mined, added to the blockchain, and
|
|
|
|
|
accepted by the Bitcoin network through the process of emergent
|
|
|
|
|
consensus.
|
|
|
|
|
|
|
|
|
|
==== Bitcoin Economics and Currency Creation
|
|
|
|
|
=== Bitcoin Economics and Currency Creation
|
|
|
|
|
|
|
|
|
|
((("mining and consensus", "bitcoin economics and currency
|
|
|
|
|
creation")))((("currency creation")))((("money supply")))((("issuance
|
|
|
|
|
@ -104,15 +96,15 @@ minutes, contains entirely new bitcoin, created from nothing. Every
|
|
|
|
|
rate is decreased by 50%. For the first four years of operation of the
|
|
|
|
|
network, each block contained 50 new bitcoin.
|
|
|
|
|
|
|
|
|
|
In November 2012, the new bitcoin issuance rate was decreased to 25
|
|
|
|
|
bitcoin per block. In July of 2016 it was decreased again to 12.5
|
|
|
|
|
bitcoin per block. It will halve again to 6.25 bitcoin at block 630,000,
|
|
|
|
|
which will be mined sometime in 2020. The rate of new coins decreases
|
|
|
|
|
like this exponentially over 32 "halvings" until block 6,720,000 (mined
|
|
|
|
|
The first halving occurred at block 210,000. The next expected halving
|
|
|
|
|
after publication of this book will occur at block 840,000, which will
|
|
|
|
|
probably be produced in April or May of 2024.
|
|
|
|
|
The rate of new coins decreases
|
|
|
|
|
exponentially over 32 of these _halvings_ until block 6,720,000 (mined
|
|
|
|
|
approximately in year 2137), when it reaches the minimum currency unit
|
|
|
|
|
of 1 satoshi. Finally, after 6.93 million blocks, in approximately 2140,
|
|
|
|
|
almost 2,099,999,997,690,000 satoshis, or almost 21 million bitcoin,
|
|
|
|
|
will be issued. Thereafter, blocks will contain no new bitcoin, and
|
|
|
|
|
will have been issued. Thereafter, blocks will contain no new bitcoin, and
|
|
|
|
|
miners will be rewarded solely through the transaction fees.
|
|
|
|
|
<<bitcoin_money_supply>> shows the total bitcoin in circulation over
|
|
|
|
|
time, as the issuance of currency decreases.
|
|
|
|
|
@ -156,8 +148,8 @@ Total BTC to ever be created: 2099999997690000 Satoshis
|
|
|
|
|
|
|
|
|
|
The finite and diminishing issuance creates a fixed monetary supply that
|
|
|
|
|
resists inflation. Unlike a fiat currency, which can be printed in
|
|
|
|
|
infinite numbers by a central bank, bitcoin can never be inflated by
|
|
|
|
|
printing.
|
|
|
|
|
infinite numbers by a central bank, no individual party has the ability
|
|
|
|
|
to inflate the supply of bitcoin.
|
|
|
|
|
|
|
|
|
|
.Deflationary Money
|
|
|
|
|
****
|
|
|
|
|
@ -166,7 +158,7 @@ fixed and diminishing monetary issuance is that the currency tends to be
|
|
|
|
|
inherently _deflationary_. Deflation is the phenomenon of appreciation
|
|
|
|
|
of value due to a mismatch in supply and demand that drives up the value
|
|
|
|
|
(and exchange rate) of a currency. The opposite of inflation, price
|
|
|
|
|
deflation, means that the money has more purchasing power over time.
|
|
|
|
|
deflation means that the money has more purchasing power over time.
|
|
|
|
|
|
|
|
|
|
Many economists argue that a deflationary economy is a disaster that
|
|
|
|
|
should be avoided at all costs. That is because in a period of rapid
|
|
|
|
|
@ -225,7 +217,7 @@ mechanism for _emergent consensus_. Emergent, because consensus is not
|
|
|
|
|
achieved explicitly—there is no election or fixed moment when consensus
|
|
|
|
|
occurs. Instead, consensus is an emergent artifact of the asynchronous
|
|
|
|
|
interaction of thousands of independent nodes, all following simple
|
|
|
|
|
rules. All the properties of bitcoin, including currency, transactions,
|
|
|
|
|
rules. All the properties of Bitcoin, including currency, transactions,
|
|
|
|
|
payments, and the security model that does not depend on central
|
|
|
|
|
authority or trust, derive from this invention.
|
|
|
|
|
|
|
|
|
|
@ -256,8 +248,8 @@ trusted, public, global ledger.
|
|
|
|
|
|
|
|
|
|
((("mining and consensus", "independent transaction
|
|
|
|
|
verification")))((("transactions", "independent verification of")))In
|
|
|
|
|
<<transactions>>, we saw how wallet software creates transactions by
|
|
|
|
|
collecting UTXO, providing the appropriate unlocking scripts, and then
|
|
|
|
|
<<c_transactions>>, we saw how wallet software creates transactions by
|
|
|
|
|
collecting UTXO, providing the appropriate authentication data, and then
|
|
|
|
|
constructing new outputs assigned to a new owner. The resulting
|
|
|
|
|
transaction is then sent to the neighboring nodes in the Bitcoin network
|
|
|
|
|
so that it can be propagated across the entire Bitcoin network.
|
|
|
|
|
@ -298,11 +290,8 @@ criteria:
|
|
|
|
|
- The scripts for each input must validate against the
|
|
|
|
|
corresponding output scripts.
|
|
|
|
|
|
|
|
|
|
These conditions can be seen in detail in the functions
|
|
|
|
|
+AcceptToMemoryPool+, +CheckTransaction+, and +CheckInputs+ in Bitcoin
|
|
|
|
|
Core. Note that the conditions change over time, to address new types of
|
|
|
|
|
denial-of-service attacks or sometimes to relax the rules so as to
|
|
|
|
|
include more types of transactions.
|
|
|
|
|
Note that the conditions change over time, to add new features or
|
|
|
|
|
address new types of denial-of-service attacks.
|
|
|
|
|
|
|
|
|
|
By independently verifying each transaction as it is received and before
|
|
|
|
|
propagating it, every node builds a pool of valid (but unconfirmed)
|
|
|
|
|
@ -315,7 +304,7 @@ _mempool_.
|
|
|
|
|
nodes")))Some of the nodes on the Bitcoin network are specialized nodes
|
|
|
|
|
called _miners_. In <<ch01_intro_what_is_bitcoin>> we introduced ((("use
|
|
|
|
|
cases", "mining for bitcoin", id="jingten")))Jing, a computer
|
|
|
|
|
engineering student in Shanghai, China, who is a bitcoin miner. Jing
|
|
|
|
|
engineering student in Shanghai, China, who is a Bitcoin miner. Jing
|
|
|
|
|
earns bitcoin by running a "mining rig," which is a specialized
|
|
|
|
|
computer-hardware system designed to mine bitcoin. Jing's specialized
|
|
|
|
|
mining hardware is connected to a server running a full Bitcoin node.
|
|
|
|
|
@ -326,7 +315,7 @@ however, also aggregates these transactions into new blocks.
|
|
|
|
|
|
|
|
|
|
Jing's node is listening for new blocks, propagated on the Bitcoin
|
|
|
|
|
network, as do all nodes. However, the arrival of a new block has
|
|
|
|
|
special significance for a mining node. The competition among miners
|
|
|
|
|
special significance for a mining node. Each round of competition among miners
|
|
|
|
|
effectively ends with the propagation of a new block that acts as an
|
|
|
|
|
announcement of a winner. To miners, receiving a valid new block means
|
|
|
|
|
someone else won the competition and they lost. However, the end of one
|
|
|
|
|
@ -370,7 +359,7 @@ preparation for the next block. By now it has collected a few thousand
|
|
|
|
|
transactions in the memory pool. Upon receiving the new block and
|
|
|
|
|
validating it, Jing's node will also compare it against all the
|
|
|
|
|
transactions in the memory pool and remove any that were included in
|
|
|
|
|
block that block. Whatever transactions remain in the memory pool are
|
|
|
|
|
that block. Whatever transactions remain in the memory pool are
|
|
|
|
|
unconfirmed and are waiting to be recorded in a new block.
|
|
|
|
|
|
|
|
|
|
((("Proof-of-Work algorithm")))((("mining and consensus", "Proof-of-Work
|
|
|
|
|
@ -384,6 +373,7 @@ When Jing's node aggregates all the transactions from the memory pool,
|
|
|
|
|
the new candidate block has several thousand transactions that pays him
|
|
|
|
|
their total transaction fees.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
==== The Coinbase Transaction
|
|
|
|
|
|
|
|
|
|
((("coinbase transactions", id="coinbtrans10")))((("transactions",
|
|
|
|
|
@ -525,6 +515,7 @@ is filled with 4 bytes all set to 0xFF (255 decimal). The
|
|
|
|
|
+scriptSig+ is replaced by coinbase data, a data field used by
|
|
|
|
|
the miners, as we will see next.
|
|
|
|
|
|
|
|
|
|
[[duplicate_transactions]]
|
|
|
|
|
==== Coinbase Data
|
|
|
|
|
|
|
|
|
|
((("coinbase transactions", "coinbase data")))Coinbase transactions do
|
|
|
|
|
@ -538,12 +529,12 @@ be used by miners in any way they want; it is arbitrary data.
|
|
|
|
|
example, Satoshi Nakamoto added the text "The Times 03/Jan/2009
|
|
|
|
|
Chancellor on brink of second bailout for banks" in the coinbase data,
|
|
|
|
|
using it as a proof of the date and to convey a message. Currently,
|
|
|
|
|
miners use the coinbase data to include extra nonce values and strings
|
|
|
|
|
miners often use the coinbase data to include extra nonce values and strings
|
|
|
|
|
identifying the mining pool.
|
|
|
|
|
|
|
|
|
|
The first few bytes of the coinbase used to be arbitrary, but that is no
|
|
|
|
|
longer the case. As per BIP34, version-2 blocks (blocks with the
|
|
|
|
|
version field set to 2) must contain the block height index as a script
|
|
|
|
|
version field set to 2 or higher) must contain the block height index as a script
|
|
|
|
|
"push" operation in the beginning of the coinbase field.
|
|
|
|
|
|
|
|
|
|
<<satoshi_words>> uses the libbitcoin library introduced in
|
|
|
|
|
@ -610,7 +601,7 @@ nonce field.
|
|
|
|
|
|
|
|
|
|
[TIP]
|
|
|
|
|
====
|
|
|
|
|
The protocol upgrades defined in BIPs 34, 66, and 65 occured in that
|
|
|
|
|
The protocol upgrades defined in BIPs 34, 66, and 65 occurred in that
|
|
|
|
|
order--with BIP66 (strict DER) occuring before BIP65
|
|
|
|
|
(+OP_CHECKTIMELOCKVERIFY+)--so Bitcoin developers often list them in
|
|
|
|
|
that order rather than sorted numerically.
|
|
|
|
|
@ -679,7 +670,7 @@ for Jing's hardware mining rig to "mine" the block, to find a solution
|
|
|
|
|
to the Proof-of-Work algorithm that makes the block valid. Throughout
|
|
|
|
|
this book we have studied cryptographic hash functions as used in
|
|
|
|
|
various aspects of the Bitcoin system. The hash function SHA256 is the
|
|
|
|
|
function used in bitcoin's mining process.((("", startref="jingten")))
|
|
|
|
|
function used in Bitcoin's mining process.((("", startref="jingten")))
|
|
|
|
|
|
|
|
|
|
((("mining and consensus", "defined")))In the simplest terms, mining is
|
|
|
|
|
the process of hashing the block header repeatedly, changing one
|
|
|
|
|
@ -687,7 +678,7 @@ parameter, until the resulting hash matches a specific target. The hash
|
|
|
|
|
function's result cannot be determined in advance, nor can a pattern be
|
|
|
|
|
created that will produce a specific hash value. This feature of hash
|
|
|
|
|
functions means that the only way to produce a hash result matching a
|
|
|
|
|
specific target is to try again and again, randomly modifying the input
|
|
|
|
|
specific target is to try again and again, modifying the input
|
|
|
|
|
until the desired hash result appears by chance.
|
|
|
|
|
|
|
|
|
|
==== Proof-of-Work Algorithm
|
|
|
|
|
@ -864,7 +855,7 @@ hash of this block's header and sees if it is smaller than the current
|
|
|
|
|
_target_. If the hash is not less than the target, the miner will modify
|
|
|
|
|
the nonce (usually just incrementing it by one) and try again. At the
|
|
|
|
|
current difficulty in the Bitcoin network, miners have to try
|
|
|
|
|
quadrillions of times before finding a nonce that results in a low
|
|
|
|
|
a huge number of times before finding a nonce that results in a low
|
|
|
|
|
enough block header hash.
|
|
|
|
|
|
|
|
|
|
A very simplified Proof-of-Work algorithm is implemented in Python in
|
|
|
|
|
@ -960,8 +951,8 @@ second, it still requires 10 minutes on a laptop to find this solution.
|
|
|
|
|
==== Target Representation
|
|
|
|
|
|
|
|
|
|
((("mining and consensus", "mining the block", "target
|
|
|
|
|
representation")))((("targets", id="targets10")))In <<block277316>>, we
|
|
|
|
|
saw that the block contains the target, in a notation called "target
|
|
|
|
|
representation")))((("targets", id="targets10")))
|
|
|
|
|
Block headers contain the target in a notation called "target
|
|
|
|
|
bits" or just "bits," which in block 277,316 has the value of
|
|
|
|
|
+0x1903a30c+. This notation expresses the Proof-of-Work target as a
|
|
|
|
|
coefficient/exponent format, with the first two hexadecimal digits for
|
|
|
|
|
@ -1022,7 +1013,7 @@ Proof-of-Work algorithm. This leads to the obvious questions: Why is the
|
|
|
|
|
difficulty adjustable, who adjusts it, and how?
|
|
|
|
|
|
|
|
|
|
Bitcoin's blocks are generated every 10 minutes, on average. This is
|
|
|
|
|
bitcoin's heartbeat and underpins the frequency of currency issuance and
|
|
|
|
|
Bitcoin's heartbeat and underpins the frequency of currency issuance and
|
|
|
|
|
the speed of transaction settlement. It has to remain constant not just
|
|
|
|
|
over the short term, but over a period of many decades. Over this time,
|
|
|
|
|
it is expected that computer power will continue to increase at a rapid
|
|
|
|
|
@ -1091,7 +1082,6 @@ total time of the previous 2,015 blocks (not 2,016 as it should be),
|
|
|
|
|
resulting in a retargeting bias toward higher difficulty by 0.05%.
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The parameters +Interval+ (2,016 blocks) and +TargetTimespan+ (two weeks
|
|
|
|
|
as 1,209,600 seconds) are defined in _chainparams.cpp_.
|
|
|
|
|
|
|
|
|
|
@ -1115,8 +1105,8 @@ by lowering or raising the target.
|
|
|
|
|
Note that the target is independent of the number of transactions or the
|
|
|
|
|
value of transactions. This means that the amount of hashing power and
|
|
|
|
|
therefore electricity expended to secure bitcoin is also entirely
|
|
|
|
|
independent of the number of transactions. Bitcoin can scale up, achieve
|
|
|
|
|
broader adoption, and remain secure without any increase in hashing
|
|
|
|
|
independent of the number of transactions. Bitcoin can scale up
|
|
|
|
|
and remain secure without any increase in hashing
|
|
|
|
|
power from today's level. The increase in hashing power represents
|
|
|
|
|
market forces as new miners enter the market to compete for the reward.
|
|
|
|
|
As long as enough hashing power is under the control of miners acting
|
|
|
|
|
@ -1174,7 +1164,7 @@ To remove the incentive to lie and strengthen the security of timelocks,
|
|
|
|
|
BIP113 was proposed and activated at the same time as the BIPs for
|
|
|
|
|
relative timelocks.
|
|
|
|
|
The median time past became the consensus
|
|
|
|
|
time and is used for all timelock calculations. By taking the midpoint
|
|
|
|
|
time used for all timelock calculations. By taking the midpoint
|
|
|
|
|
from approximately two hours in the past, the influence of any one
|
|
|
|
|
block's timestamp is reduced. By incorporating 11 blocks, no single
|
|
|
|
|
miner can influence the timestamps in order to gain fees from
|
|
|
|
|
@ -1201,7 +1191,7 @@ Jing's desktop transmits the block header to his mining hardware, which
|
|
|
|
|
starts testing trillions of nonces per second. Because the nonce is only
|
|
|
|
|
32 bits, after exhausting all the nonce possibilities (about 4 billion),
|
|
|
|
|
the mining hardware changes the block header (adjusting the coinbase
|
|
|
|
|
extra nonce space or timestamp) and resets the nonce counter, testing
|
|
|
|
|
extra nonce space, versionbits, or timestamp) and resets the nonce counter, testing
|
|
|
|
|
new combinations.
|
|
|
|
|
|
|
|
|
|
Almost 11 minutes after starting to mine a particular block, one of the
|
|
|
|
|
@ -1229,17 +1219,16 @@ startref="MACmining10")))((("", startref="jingtentwo")))
|
|
|
|
|
=== Validating a New Block
|
|
|
|
|
|
|
|
|
|
((("mining and consensus", "new block validation")))((("blocks", "new
|
|
|
|
|
block validation")))((("validation")))The third step in bitcoin's
|
|
|
|
|
block validation")))((("validation")))The third step in Bitcoin's
|
|
|
|
|
consensus mechanism is independent validation of each new block by every
|
|
|
|
|
node on the network. As the newly solved block moves across the network,
|
|
|
|
|
each node performs a series of tests to validate it before propagating
|
|
|
|
|
it to its peers. This ensures that only valid blocks are propagated on
|
|
|
|
|
the network. The independent validation also ensures that miners who act
|
|
|
|
|
each node performs a series of tests to validate it.
|
|
|
|
|
The independent validation also ensures that miners who act
|
|
|
|
|
honestly get their blocks incorporated in the blockchain, thus earning
|
|
|
|
|
the reward. Those miners who act dishonestly have their blocks rejected
|
|
|
|
|
and not only lose the reward, but also waste the effort expended to find
|
|
|
|
|
a Proof-of-Work solution, thus incurring the cost of electricity without
|
|
|
|
|
compensation.
|
|
|
|
|
a Proof-of-Work solution, thus incurring all of the costs of creating a
|
|
|
|
|
block but receiving none of the rewards.
|
|
|
|
|
|
|
|
|
|
When a node receives a new block, it will validate the block by checking
|
|
|
|
|
it against a long list of criteria that must all be met; otherwise, the
|
|
|
|
|
@ -1265,7 +1254,7 @@ The independent validation of each new block by every node on the
|
|
|
|
|
network ensures that the miners cannot cheat. In previous sections we
|
|
|
|
|
saw how miners get to write a transaction that awards them the new
|
|
|
|
|
bitcoin created within the block and claim the transaction fees. Why
|
|
|
|
|
don't miners write themselves a transaction for a thousand bitcoin
|
|
|
|
|
don't miners write themselves a transaction for a thousand bitcoins
|
|
|
|
|
instead of the correct reward? Because every node validates blocks
|
|
|
|
|
according to the same rules. An invalid coinbase transaction would make
|
|
|
|
|
the entire block invalid, which would result in the block being rejected
|
|
|
|
|
@ -1280,15 +1269,15 @@ independent validation is a key component of decentralized consensus.
|
|
|
|
|
|
|
|
|
|
((("mining and consensus", "assembling and selecting chains of blocks",
|
|
|
|
|
id="MACassembling10")))((("blocks", "assembling and selecting chains
|
|
|
|
|
of", id="Bassemble10")))The final step in bitcoin's decentralized
|
|
|
|
|
of", id="Bassemble10")))The final step in Bitcoin's decentralized
|
|
|
|
|
consensus mechanism is the assembly of blocks into chains and the
|
|
|
|
|
selection of the chain with the most Proof-of-Work. Once a node has
|
|
|
|
|
validated a new block, it will then attempt to assemble a chain by
|
|
|
|
|
connecting the block to the existing blockchain.
|
|
|
|
|
|
|
|
|
|
Nodes maintain three sets of blocks: those connected to the best
|
|
|
|
|
blockchain, those that form branches off the best blockchain (stale
|
|
|
|
|
blocks), and finally. Invalid blocks are rejected as soon as any one
|
|
|
|
|
blockchain and those that form branches off the best blockchain (stale
|
|
|
|
|
blocks). Invalid blocks are rejected as soon as any one
|
|
|
|
|
of the validation criteria fails and are therefore not included in any
|
|
|
|
|
chain.
|
|
|
|
|
|
|
|
|
|
@ -1303,7 +1292,7 @@ chains is extended to exceed the best chain in work. In the next section
|
|
|
|
|
(<<forks>>), we will see how secondary chains occur as a result of an
|
|
|
|
|
almost simultaneous mining of blocks at the same height.
|
|
|
|
|
|
|
|
|
|
When a new block is received, a node will try to slot it into the
|
|
|
|
|
When a new block is received, a node will try to add it onto the
|
|
|
|
|
existing blockchain. The node will look at the block's "previous block
|
|
|
|
|
hash" field, which is the reference to the block's parent. Then, the
|
|
|
|
|
node will attempt to find that parent in the existing blockchain. Most
|
|
|
|
|
@ -1314,10 +1303,10 @@ Sometimes, as we will see in <<forks>>, the new block extends a chain
|
|
|
|
|
that is not the best chain. In that case, the node will attach the new
|
|
|
|
|
block to the secondary chain it extends and then compare the work of the
|
|
|
|
|
secondary chain to the best chain. If the secondary chain has more
|
|
|
|
|
cumulative work than the best chain, the node will _reconverge_ on the
|
|
|
|
|
secondary chain, meaning it will select the secondary chain as its new
|
|
|
|
|
cumulative work than the best chain, the node will _reorganize_ its
|
|
|
|
|
chain to use the secondary chain, meaning it will select the secondary chain as its new
|
|
|
|
|
best chain, making the old best chain a secondary chain. If the node is
|
|
|
|
|
a miner, it will now construct a block extending this new, longer,
|
|
|
|
|
a miner, it will now construct a candidate block extending this new, more-Proof of Work,
|
|
|
|
|
chain.
|
|
|
|
|
|
|
|
|
|
By selecting the greatest-cumulative-work valid chain, all nodes
|
|
|
|
|
@ -1342,9 +1331,9 @@ id="forks10")))Because the blockchain is a decentralized data structure,
|
|
|
|
|
different copies of it are not always consistent. Blocks might arrive at
|
|
|
|
|
different nodes at different times, causing the nodes to have different
|
|
|
|
|
perspectives of the blockchain. To resolve this, each node always
|
|
|
|
|
selects and attempts to extend the chain of blocks that represents the
|
|
|
|
|
most Proof-of-Work, also known as the longest chain or greatest
|
|
|
|
|
cumulative work chain. By summing the work recorded in each block in a
|
|
|
|
|
selects and attempts to extend the valid chain of blocks that contains the
|
|
|
|
|
most Proof-of-Work, also known as the _best blockchain_.
|
|
|
|
|
By summing the work recorded in each block in a
|
|
|
|
|
chain, a node can calculate the total amount of work that has been
|
|
|
|
|
expended to create that chain. As long as all nodes select the
|
|
|
|
|
greatest-cumulative-work chain, the global Bitcoin network eventually
|
|
|
|
|
@ -1382,7 +1371,7 @@ of the blockchain, with the star block as the tip of the best chain.
|
|
|
|
|
.Before the fork—all nodes have the same perspective
|
|
|
|
|
image::images/mbc2_1002.png["Before the fork - all nodes have the same perspective"]
|
|
|
|
|
|
|
|
|
|
A "fork" occurs whenever there are two candidate blocks competing to
|
|
|
|
|
A "fork" occurs whenever there are two valid blocks competing to
|
|
|
|
|
form the longest blockchain. This occurs under normal conditions
|
|
|
|
|
whenever two miners solve the Proof-of-Work algorithm within a short
|
|
|
|
|
period of time from each other. As both miners discover a solution for
|
|
|
|
|
@ -1487,7 +1476,7 @@ to revise their view of the blockchain to incorporate the new evidence
|
|
|
|
|
of a longer chain. Any miners working on extending the chain
|
|
|
|
|
star-upside-down-triangle will now stop that work because their
|
|
|
|
|
candidate block is "stale," as its parent "upside-down-triangle" is
|
|
|
|
|
no longer on the longest chain. The transactions within
|
|
|
|
|
no longer on the best chain. The transactions within
|
|
|
|
|
"upside-down-triangle" that are not within "triangle" are re-inserted in
|
|
|
|
|
the mempool for inclusion in the next block to become a part of the best
|
|
|
|
|
chain. The entire network converges on a single blockchain
|
|
|
|
|
@ -1505,11 +1494,9 @@ image::images/mbc2_1005.png["Visualization of a blockchain fork event: a new blo
|
|
|
|
|
.Visualization of a blockchain fork event: the network reorganizes on a new longest chain
|
|
|
|
|
image::images/mbc2_1006.png["Visualization of a blockchain fork event: the network reorganizes on a new longest chain"]
|
|
|
|
|
|
|
|
|
|
It is theoretically possible for a fork to extend to two blocks, if two
|
|
|
|
|
It is possible for a fork to extend to two blocks, if two
|
|
|
|
|
blocks are found almost simultaneously by miners on opposite "sides" of
|
|
|
|
|
a previous fork. However, the chance of that happening is very low.
|
|
|
|
|
Whereas a one-block fork might occur every day, a two-block fork occurs
|
|
|
|
|
at most once every few weeks.
|
|
|
|
|
a previous fork. However, the chance of that happening is low.
|
|
|
|
|
|
|
|
|
|
Bitcoin's block interval of 10 minutes is a design compromise between
|
|
|
|
|
fast confirmation times and the probability
|
|
|
|
|
@ -1527,23 +1514,23 @@ secure. A malicious miner wanting to double spend that transaction
|
|
|
|
|
would need to do an amount of work equal to 10 minutes of the total
|
|
|
|
|
network hash rate in order to create a chain with equal proof of work.
|
|
|
|
|
|
|
|
|
|
Shorter times between blocks doesn't result in earlier settlement. It's
|
|
|
|
|
Shorter times between blocks doesn't result in earlier settlement. Its
|
|
|
|
|
only advantage is providing weaker guarantees to people who are willing
|
|
|
|
|
to accept those guarantees. For example, if you're willing to accept
|
|
|
|
|
three minutes of miners agreeing on the best block chain as sufficient
|
|
|
|
|
security, you'd prefer a system with 1-minute blocks, where you could
|
|
|
|
|
wait for there blocks, over a system with 10-minute blocks.
|
|
|
|
|
wait for three blocks, over a system with 10-minute blocks.
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
((("",
|
|
|
|
|
startref="Bassemble10")))((("", startref="MACassembling10")))((("",
|
|
|
|
|
startref="forks10")))((("", startref="BCTfork10")))
|
|
|
|
|
|
|
|
|
|
=== Mining and the Hashing Race
|
|
|
|
|
=== Mining and the Hashing Competition
|
|
|
|
|
|
|
|
|
|
((("mining and consensus", "hashing power race",
|
|
|
|
|
id="MAChash10")))Bitcoin mining is an extremely competitive industry.
|
|
|
|
|
The hashing power has increased exponentially every year of bitcoin's
|
|
|
|
|
The hashing power has increased exponentially every year of Bitcoin's
|
|
|
|
|
existence. Some years the growth has reflected a complete change of
|
|
|
|
|
technology, such as in 2010 and 2011 when many miners switched from
|
|
|
|
|
using CPU mining to GPU mining and field programmable gate array (FPGA)
|
|
|
|
|
@ -1558,11 +1545,9 @@ leaps left in Bitcoin mining equipment,
|
|
|
|
|
because the industry has reached the forefront of Moore's Law, which
|
|
|
|
|
stipulates that computing density will double approximately every 18
|
|
|
|
|
months. Still, the mining power of the network continues to advance at
|
|
|
|
|
an exponential pace as the race for higher density chips is matched with
|
|
|
|
|
a race for higher density data centers where thousands of these chips
|
|
|
|
|
can be deployed. It's no longer about how much mining can be done with
|
|
|
|
|
one chip, but how many chips can be squeezed into a building, while
|
|
|
|
|
still dissipating the heat and providing adequate power.
|
|
|
|
|
a rapid pace as the race for higher density chips is matched with
|
|
|
|
|
a race for locations with lower electrical costs where these chips
|
|
|
|
|
can be deployed.
|
|
|
|
|
|
|
|
|
|
[[extra_nonce]]
|
|
|
|
|
==== The Extra Nonce Solution
|
|
|
|
|
@ -1583,7 +1568,9 @@ exceeding the TH/sec hash rate, the mining software needed more space
|
|
|
|
|
for nonce values in order to find valid blocks. The timestamp could be
|
|
|
|
|
stretched a bit, but moving it too far into the future would cause the
|
|
|
|
|
block to become invalid. A new source of "change" was needed in the
|
|
|
|
|
block header. The solution was to use the coinbase transaction as a
|
|
|
|
|
block header.
|
|
|
|
|
|
|
|
|
|
One solution that was widely implemented was to use the coinbase transaction as a
|
|
|
|
|
source of extra nonce values. Because the coinbase script can store
|
|
|
|
|
between 2 and 100 bytes of data, miners started using that space as
|
|
|
|
|
extra nonce space, allowing them to explore a much larger range of block
|
|
|
|
|
@ -1596,7 +1583,7 @@ modify the timestamp.
|
|
|
|
|
|
|
|
|
|
Another solution widely used today is to use up to 16 bits of the block
|
|
|
|
|
header versionbits field for mining, as described in BIP320. If each
|
|
|
|
|
piece of mining equimpent has its own coinbase transaction, this allows
|
|
|
|
|
piece of mining equipment has its own coinbase transaction, this allows
|
|
|
|
|
an individual piece of mining equipment to perform up to 281 TH/s by
|
|
|
|
|
only making changes to the block header. This keeps mining equipment
|
|
|
|
|
and protocols simpler than incrementing the extranonce in the coinbase
|
|
|
|
|
@ -1612,7 +1599,7 @@ of them finding a block to offset their electricity and hardware costs
|
|
|
|
|
is so low that it represents a gamble, like playing the lottery. Even
|
|
|
|
|
the fastest consumer ASIC mining system cannot keep up with commercial
|
|
|
|
|
systems that stack tens of thousands of these chips in giant warehouses
|
|
|
|
|
near hydroelectric powerstations. Miners now collaborate to form mining
|
|
|
|
|
near hydroelectric powerstations. Many miners now collaborate to form mining
|
|
|
|
|
pools, pooling their hashing power and sharing the reward among
|
|
|
|
|
thousands of participants. By participating in a pool, miners get a
|
|
|
|
|
smaller share of the overall reward, but typically get rewarded every
|
|
|
|
|
@ -1632,7 +1619,7 @@ same amount (not counting pool fees) as if they found an average block
|
|
|
|
|
on their own. The only fundamental difference is the frequency of the
|
|
|
|
|
payments they receive.
|
|
|
|
|
|
|
|
|
|
Mining pools coordinate many hundreds or thousands of miners, over
|
|
|
|
|
Mining pools coordinate many hundreds or thousands of miners over
|
|
|
|
|
specialized pool-mining protocols. The individual miners configure their
|
|
|
|
|
mining equipment to connect to a pool server, after creating an account
|
|
|
|
|
with the pool. Their mining hardware remains connected to the pool
|
|
|
|
|
@ -1655,14 +1642,14 @@ successfully mines a block, the reward is earned by the pool and then
|
|
|
|
|
shared with all miners in proportion to the number of shares they
|
|
|
|
|
contributed to the effort.
|
|
|
|
|
|
|
|
|
|
Pools are open to any miner, big or small, professional or amateur. A
|
|
|
|
|
Many pools are open to any miner, big or small, professional or amateur. A
|
|
|
|
|
pool will therefore have some participants with a single small mining
|
|
|
|
|
machine, and others with a garage full of high-end mining hardware. Some
|
|
|
|
|
will be mining with a few tens of a kilowatt of electricity, others will
|
|
|
|
|
be running a data center consuming a megawatt of power. How does a
|
|
|
|
|
be running a data center consuming megawatts of power. How does a
|
|
|
|
|
mining pool measure the individual contributions, so as to fairly
|
|
|
|
|
distribute the rewards, without the possibility of cheating? The answer
|
|
|
|
|
is to use bitcoin's Proof-of-Work algorithm to measure each pool miner's
|
|
|
|
|
is to use Bitcoin's Proof-of-Work algorithm to measure each pool miner's
|
|
|
|
|
contribution, but set at a lower difficulty so that even the smallest
|
|
|
|
|
pool miners win a share frequently enough to make it worthwhile to
|
|
|
|
|
contribute to the pool. By setting a lower difficulty for earning
|
|
|
|
|
@ -1707,24 +1694,17 @@ percentage fee of the earnings.
|
|
|
|
|
|
|
|
|
|
The pool server runs specialized software and a pool-mining protocol
|
|
|
|
|
that coordinate the activities of the pool miners. The pool server is
|
|
|
|
|
also connected to one or more full Bitcoin nodes and has direct access
|
|
|
|
|
to a full copy of the blockchain database. This allows the pool server
|
|
|
|
|
also connected to one or more full Bitcoin nodes.
|
|
|
|
|
This allows the pool server
|
|
|
|
|
to validate blocks and transactions on behalf of the pool miners,
|
|
|
|
|
relieving them of the burden of running a full node. For pool miners,
|
|
|
|
|
this is an important consideration, because a full node requires a
|
|
|
|
|
dedicated computer with at least 100 to 150 GB of persistent storage
|
|
|
|
|
(disk) and at least 2 to 4 GB of memory (RAM). Furthermore, the Bitcoin
|
|
|
|
|
software running on the full node needs to be monitored, maintained, and
|
|
|
|
|
upgraded frequently. Any downtime caused by a lack of maintenance or
|
|
|
|
|
lack of resources will hurt the miner's profitability. For many miners,
|
|
|
|
|
the ability to mine without running a full node is another big benefit
|
|
|
|
|
relieving them of the burden of running a full node.
|
|
|
|
|
For some miners,
|
|
|
|
|
the ability to mine without running a full node is another benefit
|
|
|
|
|
of joining a managed pool.
|
|
|
|
|
|
|
|
|
|
Pool miners connect to the pool server using a mining protocol such as
|
|
|
|
|
Stratum (STM) or GetBlockTemplate (GBT). An older standard called
|
|
|
|
|
GetWork (GWK) has been mostly obsolete since late 2012, because it does
|
|
|
|
|
not easily support mining at hash rates above 4 GH/s. Both the STM and
|
|
|
|
|
GBT protocols create block _templates_ that contain a template of a
|
|
|
|
|
Stratum (either version 1 or version 2).
|
|
|
|
|
Stratum v1 creates block _templates_ that contain a template of a
|
|
|
|
|
candidate block header. The pool server constructs a candidate block by
|
|
|
|
|
aggregating transactions, adding a coinbase transaction (with extra
|
|
|
|
|
nonce space), calculating the merkle root, and linking to the previous
|
|
|
|
|
@ -1734,10 +1714,14 @@ block template, at a higher (easier) target than the Bitcoin network
|
|
|
|
|
target, and sends any successful results back to the pool server to earn
|
|
|
|
|
shares.
|
|
|
|
|
|
|
|
|
|
Stratum v2 optionally allows individual miners in the pool to choose
|
|
|
|
|
which transactions appear in their own blocks, which they can select
|
|
|
|
|
using their own full node.
|
|
|
|
|
|
|
|
|
|
===== Peer-to-peer mining pool (P2Pool)
|
|
|
|
|
|
|
|
|
|
((("mining pools", "peer-to-peer pools (P2Pool)")))((("peer-to-peer
|
|
|
|
|
pools (P2Pool)")))Managed pools create the possibility of cheating by
|
|
|
|
|
pools (P2Pool)")))Managed pools using Stratum v1 create the possibility of cheating by
|
|
|
|
|
the pool operator, who might direct the pool effort to double-spend
|
|
|
|
|
transactions or invalidate blocks (see <<consensus_attacks>>).
|
|
|
|
|
Furthermore, centralized pool servers represent a
|
|
|
|
|
@ -1761,7 +1745,7 @@ pool miners who contributed to all the shares that preceded the winning
|
|
|
|
|
share block. Essentially, instead of a pool server keeping track of pool
|
|
|
|
|
miner shares and rewards, the share chain allows all pool miners to keep
|
|
|
|
|
track of all shares using a decentralized consensus mechanism like
|
|
|
|
|
bitcoin's blockchain consensus mechanism.
|
|
|
|
|
Bitcoin's blockchain consensus mechanism.
|
|
|
|
|
|
|
|
|
|
P2Pool mining is more complex than pool mining because it requires that
|
|
|
|
|
the pool miners run a dedicated computer with enough disk space, memory,
|
|
|
|
|
@ -1779,7 +1763,10 @@ Even though P2Pool reduces the concentration of power by mining pool
|
|
|
|
|
operators, it is conceivably vulnerable to 51% attacks against the share
|
|
|
|
|
chain itself. A much broader adoption of P2Pool does not solve the 51%
|
|
|
|
|
attack problem for bitcoin itself. Rather, P2Pool makes bitcoin more
|
|
|
|
|
robust overall, as part of a diversified mining ecosystem.((("",
|
|
|
|
|
robust overall, as part of a diversified mining ecosystem. As of this
|
|
|
|
|
writing, P2Pool has fallen into disuse, but new protocols such as
|
|
|
|
|
Stratum v2 can allow individual miners to choose the transactions they
|
|
|
|
|
include in their blocks.((("",
|
|
|
|
|
startref="MAChash10")))((("", startref="MACoverpool10")))
|
|
|
|
|
|
|
|
|
|
[[consensus_attacks]]
|
|
|
|
|
@ -1796,18 +1783,13 @@ can achieve a significant share of the mining power, they can attack the
|
|
|
|
|
consensus mechanism so as to disrupt the security and availability of
|
|
|
|
|
the Bitcoin network.
|
|
|
|
|
|
|
|
|
|
It is important to note that consensus attacks can only affect future
|
|
|
|
|
consensus, or at best, the most recent past (tens of blocks). Bitcoin's
|
|
|
|
|
It is important to note that consensus attacks have the greatest effect on future
|
|
|
|
|
consensus. Bitcoin's
|
|
|
|
|
ledger becomes more and more immutable as time passes. While in theory,
|
|
|
|
|
a fork can be achieved at any depth, in practice, the computing power
|
|
|
|
|
needed to force a very deep fork is immense, making old blocks
|
|
|
|
|
practically immutable. Consensus attacks also do not affect the security
|
|
|
|
|
of the private keys and signing algorithm (ECDSA). A consensus attack
|
|
|
|
|
cannot steal bitcoin, spend bitcoin without signatures, redirect
|
|
|
|
|
bitcoin, or otherwise change past transactions or ownership records.
|
|
|
|
|
((("denial-of-service attacks")))((("security", "denial-of-service
|
|
|
|
|
attacks")))Consensus attacks can only affect the most recent blocks and
|
|
|
|
|
cause denial-of-service disruptions on the creation of future blocks.
|
|
|
|
|
very hard to change. Consensus attacks also do not affect the security
|
|
|
|
|
of the private keys and signing algorithms.
|
|
|
|
|
|
|
|
|
|
One attack scenario against the consensus mechanism is called the "51%
|
|
|
|
|
attack." In this scenario a group of miners, controlling a majority
|
|
|
|
|
@ -1828,10 +1810,10 @@ product without paying for it.
|
|
|
|
|
|
|
|
|
|
Let's examine a practical example of a 51% attack. In the first chapter,
|
|
|
|
|
we looked at a transaction between ((("use cases", "buying
|
|
|
|
|
coffee")))Alice and Bob for a cup of coffee. Bob, the cafe owner, is
|
|
|
|
|
willing to accept payment for cups of coffee without waiting for
|
|
|
|
|
coffee")))Alice and Bob. Bob, the seller, is
|
|
|
|
|
willing to accept payment without waiting for
|
|
|
|
|
confirmation (mining in a block), because the risk of a double-spend on
|
|
|
|
|
a cup of coffee is low in comparison to the convenience of rapid
|
|
|
|
|
a small item is low in comparison to the convenience of rapid
|
|
|
|
|
customer service. This is similar to the practice of coffee shops that
|
|
|
|
|
accept credit card payments without a signature for amounts below $25,
|
|
|
|
|
because the risk of a credit-card chargeback is low while the cost of
|
|
|
|
|
@ -1847,7 +1829,7 @@ the corresponding transaction in the old chain.
|
|
|
|
|
|
|
|
|
|
In our example, malicious attacker Mallory goes to ((("use cases",
|
|
|
|
|
"retail sales", id="carolten")))Carol's gallery and purchases a
|
|
|
|
|
beautiful triptych painting depicting Satoshi Nakamoto as Prometheus.
|
|
|
|
|
set of beautiful triptych paintings depicting Satoshi Nakamoto as Prometheus.
|
|
|
|
|
Carol sells "The Great Fire" paintings for $250,000 in bitcoin to
|
|
|
|
|
Mallory. Instead of waiting for six or more confirmations on the
|
|
|
|
|
transaction, Carol wraps and hands the paintings to Mallory after only
|
|
|
|
|
@ -1906,10 +1888,7 @@ Security research groups have used statistical modeling to claim that
|
|
|
|
|
various types of consensus attacks are possible with as little as 30% of
|
|
|
|
|
the hashing power.
|
|
|
|
|
|
|
|
|
|
The massive increase of total hashing power has arguably made bitcoin
|
|
|
|
|
impervious to attacks by a single miner. There is no possible way for a
|
|
|
|
|
solo miner to control more than a small percentage of the total mining
|
|
|
|
|
power. However, the centralization of control caused by mining pools has
|
|
|
|
|
The centralization of control caused by mining pools has
|
|
|
|
|
introduced the risk of for-profit attacks by a mining pool operator. The
|
|
|
|
|
pool operator in a managed pool controls the construction of candidate
|
|
|
|
|
blocks and also controls which transactions are included. This gives the
|
|
|
|
|
@ -1924,17 +1903,16 @@ network without the possibility of profiting from such disruption. A
|
|
|
|
|
malicious attack aimed at crippling bitcoin would require enormous
|
|
|
|
|
investment and covert planning, but could conceivably be launched by a
|
|
|
|
|
well-funded, most likely state-sponsored, attacker. Alternatively, a
|
|
|
|
|
well-funded attacker could attack bitcoin's consensus by simultaneously
|
|
|
|
|
well-funded attacker could attack Bitcoin's consensus by simultaneously
|
|
|
|
|
amassing mining hardware, compromising pool operators, and attacking
|
|
|
|
|
other pools with denial-of-service. All of these scenarios are
|
|
|
|
|
theoretically possible, but increasingly impractical as the Bitcoin
|
|
|
|
|
network's overall hashing power continues to grow exponentially.
|
|
|
|
|
theoretically possible.
|
|
|
|
|
|
|
|
|
|
Undoubtedly, a serious consensus attack would erode confidence in
|
|
|
|
|
bitcoin in the short term, possibly causing a significant price decline.
|
|
|
|
|
However, the Bitcoin network and software are constantly evolving, so
|
|
|
|
|
consensus attacks would be met with immediate countermeasures by the
|
|
|
|
|
bitcoin community, making bitcoin more robust.((("",
|
|
|
|
|
Bitcoin community, making Bitcoin more robust.((("",
|
|
|
|
|
startref="Cattack10")))((("", startref="MACattack10")))((("",
|
|
|
|
|
startref="Sconsens10")))
|
|
|
|
|
|
|
|
|
|
@ -1950,11 +1928,11 @@ network.
|
|
|
|
|
|
|
|
|
|
While the consensus rules are invariable in the short term and must be
|
|
|
|
|
consistent across all nodes, they are not invariable in the long term.
|
|
|
|
|
In order to evolve and develop the Bitcoin system, the rules have to
|
|
|
|
|
In order to evolve and develop the Bitcoin system, the rules can
|
|
|
|
|
change from time to time to accommodate new features, improvements, or
|
|
|
|
|
bug fixes. Unlike traditional software development, however, upgrades to
|
|
|
|
|
a consensus system are much more difficult and require coordination
|
|
|
|
|
between all the participants.
|
|
|
|
|
between all participants.
|
|
|
|
|
|
|
|
|
|
[[hard_forks]]
|
|
|
|
|
==== Hard Forks
|
|
|
|
|
@ -1969,8 +1947,8 @@ after one or more blocks are mined.
|
|
|
|
|
|
|
|
|
|
There is another scenario in which the network may diverge into
|
|
|
|
|
following two chains: a change in the consensus rules. This type of fork
|
|
|
|
|
is called a _hard fork_, because after the fork the network does not
|
|
|
|
|
converge onto a single chain. Instead, the two chains evolve
|
|
|
|
|
is called a _hard fork_, because after the fork the network may not
|
|
|
|
|
converge onto a single chain. Instead, the two chains can evolve
|
|
|
|
|
independently. Hard forks occur when part of the network is operating
|
|
|
|
|
under a different set of consensus rules than the rest of the network.
|
|
|
|
|
This may occur because of a bug or because of a deliberate change in the
|
|
|
|
|
@ -2004,8 +1982,9 @@ node running the new implementation creates a transaction that contains
|
|
|
|
|
a foocoin and a miner with the updated software mines block 7b
|
|
|
|
|
containing this transaction.
|
|
|
|
|
|
|
|
|
|
signatures is now unable to process block 7b. From their perspective,
|
|
|
|
|
both the transaction that contained a Foo signature and block 7b that
|
|
|
|
|
Any node or miner that has not upgraded the software to validate foocoin
|
|
|
|
|
is now unable to process block 7b. From their perspective,
|
|
|
|
|
both the transaction that contained a foocoin and block 7b that
|
|
|
|
|
contained that transaction are invalid, because they are evaluating them
|
|
|
|
|
based upon the old consensus rules. These nodes will reject the
|
|
|
|
|
transaction and the block and will not propagate them. Any miners that
|
|
|
|
|
@ -2040,8 +2019,8 @@ new software implementation of the consensus rules must be developed,
|
|
|
|
|
adopted, and launched.
|
|
|
|
|
|
|
|
|
|
Examples of software forks that have attempted to change consensus rules
|
|
|
|
|
include Bitcoin XT, Bitcoin Classic, and most recently Bitcoin
|
|
|
|
|
Unlimited. However, none of these software forks have resulted in a hard
|
|
|
|
|
include Bitcoin XT and Bitcoin Classic.
|
|
|
|
|
However, neither of those programs resulted in a hard
|
|
|
|
|
fork. While a software fork is a necessary precondition, it is not in
|
|
|
|
|
itself sufficient for a hard fork to occur. For a hard fork to occur,
|
|
|
|
|
the competing implementation must be adopted and the new rules
|
|
|
|
|
@ -2064,32 +2043,24 @@ used to store blocks.
|
|
|
|
|
|
|
|
|
|
Conceptually, we can think of a hard fork as developing in four stages:
|
|
|
|
|
a software fork, a network fork, a mining fork, and a chain fork.
|
|
|
|
|
|
|
|
|
|
The process begins when an alternative implementation of the client,
|
|
|
|
|
with modified consensus rules, is created by developers.
|
|
|
|
|
|
|
|
|
|
When this forked implementation is deployed in the network, a certain
|
|
|
|
|
percentage of miners, wallet users, and intermediate nodes may adopt and
|
|
|
|
|
run this implementation. A resulting fork will depend upon whether the
|
|
|
|
|
new consensus rules apply to blocks, transactions, or some other aspect
|
|
|
|
|
of the system. If the new consensus rules pertain to transactions, then
|
|
|
|
|
a wallet creating a transaction under the new rules may precipitate a
|
|
|
|
|
network fork, followed by a hard fork when the transaction is mined into
|
|
|
|
|
a block. If the new rules pertain to blocks, then the hard fork process
|
|
|
|
|
will begin when a block is mined under the new rules.
|
|
|
|
|
|
|
|
|
|
run this implementation.
|
|
|
|
|
First, the network will fork. Nodes based on the original implementation
|
|
|
|
|
of the consensus rules will reject any transactions and blocks that are
|
|
|
|
|
created under the new rules. Furthermore, the nodes following the
|
|
|
|
|
original consensus rules will temporarily ban and disconnect from any
|
|
|
|
|
original consensus rules may disconnect from any
|
|
|
|
|
nodes that are sending them these invalid transactions and blocks. As a
|
|
|
|
|
result, the network will partition into two: old nodes will only remain
|
|
|
|
|
result, the network may partition into two: old nodes will only remain
|
|
|
|
|
connected to old nodes and new nodes will only be connected to new
|
|
|
|
|
nodes. A single transaction or block based on the new rules will ripple
|
|
|
|
|
nodes. A single block based on the new rules will ripple
|
|
|
|
|
through the network and result in the partition into two networks.
|
|
|
|
|
|
|
|
|
|
Once a miner using the new rules mines a block, the mining power and
|
|
|
|
|
chain will also fork. New miners will mine on top of the new block,
|
|
|
|
|
chain will also fork. New miners may mine on top of the new block,
|
|
|
|
|
while old miners will mine a separate chain based on the old rules. The
|
|
|
|
|
partitioned network will make it so that the miners operating on
|
|
|
|
|
separate consensus rules won't likely receive each other's blocks, as
|
|
|
|
|
@ -2132,8 +2103,8 @@ transactions.
|
|
|
|
|
==== Contentious Hard Forks
|
|
|
|
|
|
|
|
|
|
((("forks", "changing consensus rules", "contentious hard
|
|
|
|
|
forks")))((("hard forks")))This is the dawn of consensus software
|
|
|
|
|
development. Just as open source development changed both the methods
|
|
|
|
|
forks")))((("hard forks")))This is the dawn of the development of software
|
|
|
|
|
for decentralized consensus. Just as other innovations in development changed both the methods
|
|
|
|
|
and products of software and created new methodologies, new tools, and
|
|
|
|
|
new communities in its wake, consensus software development also
|
|
|
|
|
represents a new frontier in computer science. Out of the debates,
|
|
|
|
|
@ -2151,8 +2122,7 @@ that do not have near-unanimous support are considered too "contentious"
|
|
|
|
|
to attempt without risking a partition of the system.
|
|
|
|
|
|
|
|
|
|
The issue of hard forks is highly controversial in the bitcoin
|
|
|
|
|
development community, especially as it relates to any proposed changes
|
|
|
|
|
to the consensus rules controlling the maximum block size limit. Some
|
|
|
|
|
development community. Some
|
|
|
|
|
developers are opposed to any form of hard fork, seeing it as too risky.
|
|
|
|
|
Others see the mechanism of hard fork as an essential tool for upgrading
|
|
|
|
|
the consensus rules in a way that avoids "technical debt" and provides a
|
|
|
|
|
@ -2162,7 +2132,7 @@ only under near-unanimous consensus.
|
|
|
|
|
|
|
|
|
|
Already we have seen the emergence of new methodologies to address the
|
|
|
|
|
risks of hard forks. In the next section, we will look at soft forks,
|
|
|
|
|
and the BIP34 and BIP9 methods for signaling and activation of
|
|
|
|
|
and the methods for signaling and activation of
|
|
|
|
|
consensus modifications.
|
|
|
|
|
|
|
|
|
|
==== Soft Forks
|
|
|
|
|
@ -2206,7 +2176,7 @@ A soft fork therefore can modify the semantics of a NOP code to give it
|
|
|
|
|
new meaning. For example, BIP65 (+CHECKLOCKTIMEVERIFY+) reinterpreted
|
|
|
|
|
the NOP2 opcode. Clients implementing BIP65 interpret NOP2 as
|
|
|
|
|
+OP_CHECKLOCKTIMEVERIFY+ and impose an absolute locktime consensus rule
|
|
|
|
|
on UTXO that contain this opcode in their locking scripts. This change
|
|
|
|
|
on UTXOs that contain this opcode in their locking scripts. This change
|
|
|
|
|
is a soft fork because a transaction that is valid under BIP65 is also
|
|
|
|
|
valid on any client that is not implementing (ignorant of) BIP65. To
|
|
|
|
|
the old clients, the script contains an NOP code, which is ignored.
|
|
|
|
|
@ -2236,7 +2206,7 @@ upgrades, as well as other soft fork upgrades.
|
|
|
|
|
|
|
|
|
|
Irreversible upgrades:: Because soft forks create transactions with
|
|
|
|
|
additional consensus constraints, they become irreversible upgrades in
|
|
|
|
|
practice. If a soft fork upgrade were to be reversed after beings
|
|
|
|
|
practice. If a soft fork upgrade were to be reversed after being
|
|
|
|
|
activated, any transactions created under the new rules could result in
|
|
|
|
|
a loss of funds under the old rules. For example, if a CLTV transaction
|
|
|
|
|
is evaluated under the old rules, there is no timelock constraint and it
|
|
|
|
|
@ -2249,12 +2219,12 @@ lead to loss of funds.((("", startref="Crule10")))
|
|
|
|
|
|
|
|
|
|
((("forks", "changing consensus rules", "soft fork
|
|
|
|
|
activation")))((("soft forks", "activation")))Since soft forks allow
|
|
|
|
|
unmodified clients to continue to operate within consensus, the
|
|
|
|
|
mechanism for "activating" a soft fork is through miners signaling
|
|
|
|
|
readiness: a majority of miners must agree that they are ready and
|
|
|
|
|
willing to enforce the new consensus rules. To coordinate their actions,
|
|
|
|
|
there is a signaling mechanism that allows them to show their support
|
|
|
|
|
for a consensus rule change. This mechanism was introduced with the
|
|
|
|
|
unmodified clients to continue to operate within consensus, one
|
|
|
|
|
mechanism for "activating" a soft fork is through miners signaling that
|
|
|
|
|
they are ready and willing to enforce the new consensus rules. If
|
|
|
|
|
all miners enforce the new rules, there's no risk of unmodified
|
|
|
|
|
nodes accepting a block that upgraded nodes would reject.
|
|
|
|
|
This mechanism was introduced with the
|
|
|
|
|
activation of BIP34 in March 2013 and replaced by the activation of
|
|
|
|
|
BIP9 in July 2016.
|
|
|
|
|
|
|
|
|
|
@ -2320,6 +2290,7 @@ The standard is defined in
|
|
|
|
|
https://github.com/bitcoin/bips/blob/master/bip-0034.mediawiki[BIP34
|
|
|
|
|
(Block v2, Height in Coinbase)].
|
|
|
|
|
|
|
|
|
|
[[bip9]]
|
|
|
|
|
==== BIP9 Signaling and Activation
|
|
|
|
|
|
|
|
|
|
((("bitcoin improvement proposals", "Version bits with timeout and delay
|
|
|
|
|
@ -2431,9 +2402,9 @@ to enforce segwit for several months.
|
|
|
|
|
It was later discovered that some miners, especially miners associated
|
|
|
|
|
with the dissenters, may have been using hardware that gave them a
|
|
|
|
|
hidden advantage over other miners using a feature called _covert
|
|
|
|
|
ASICBoost_. Unintentionally, segwit interferred with the ability to use
|
|
|
|
|
covert ASICBoost---if segwit was activated, the miners would lose their
|
|
|
|
|
hidden advantage.
|
|
|
|
|
ASICBoost_. Unintentionally, segwit interfered with the ability to use
|
|
|
|
|
covert ASICBoost--if segwit was activated, the miners using it would
|
|
|
|
|
lose their hidden advantage.
|
|
|
|
|
|
|
|
|
|
After the community discovered this conflict of interest, some users
|
|
|
|
|
decided they wanted to exercise their power not to accept blocks from
|
|
|
|
|
@ -2446,11 +2417,11 @@ BIP148, which required any node implementing it to reject all blocks
|
|
|
|
|
that didn't signal for segwit starting on a certain date and continuing
|
|
|
|
|
until segwit activated.
|
|
|
|
|
|
|
|
|
|
Although only a limited number of users actually ran that code, many
|
|
|
|
|
Although only a limited number of users actually ran BIP148 code, many
|
|
|
|
|
other users seemed to agree with the sentiment and may have been
|
|
|
|
|
prepared to commit to BIP148. A few days before BIP148 was due to go
|
|
|
|
|
into effect, almost all miners began signaling their readiness to
|
|
|
|
|
enforce segwit's rules. Segwit reach its lock-in threshold about two
|
|
|
|
|
enforce segwit's rules. Segwit reached its lock-in threshold about two
|
|
|
|
|
weeks later and activated about two weeks after that.
|
|
|
|
|
|
|
|
|
|
Many users came to believe that it was a flaw in BIP9 that miners could
|
|
|
|
|
@ -2496,7 +2467,7 @@ _speedy trial_ by one of the people who helped promote it.
|
|
|
|
|
Speedy trial activation was tried, miners quickly signaled their
|
|
|
|
|
willingness to enforce the rules of taproot, and taproot was successful
|
|
|
|
|
activated about six months later. To proponents of speedy trial, it was
|
|
|
|
|
a clear success. Others were still disapointed that BIP8 wasn't used.
|
|
|
|
|
a clear success. Others were still disappointed that BIP8 wasn't used.
|
|
|
|
|
|
|
|
|
|
It's not clear whether or not speedy trial will be used again for a
|
|
|
|
|
future attempt to activate a soft fork.
|
|
|
|
|
@ -2510,13 +2481,13 @@ discussion on the various mechanisms for changing the consensus rules.
|
|
|
|
|
By its very nature, bitcoin sets a very high bar on coordination and
|
|
|
|
|
consensus for changes. As a decentralized system, it has no "authority"
|
|
|
|
|
that can impose its will on the participants of the network. Power is
|
|
|
|
|
diffused between multiple constituencies such as miners, core
|
|
|
|
|
diffused between multiple constituencies such as miners, protocol
|
|
|
|
|
developers, wallet developers, exchanges, merchants, and end users.
|
|
|
|
|
Decisions cannot be made unilaterally by any of these constituencies.
|
|
|
|
|
For example, while miners can theoretically change the rules by simple
|
|
|
|
|
For example, while miners can censor transactions by simple
|
|
|
|
|
majority (51%), they are constrained by the consent of the other
|
|
|
|
|
constituencies. If they act unilaterally, the rest of the participants
|
|
|
|
|
may simply refuse to follow them, keeping the economic activity on a
|
|
|
|
|
may refuse to accept their blocks, keeping the economic activity on a
|
|
|
|
|
minority chain. Without economic activity (transactions, merchants,
|
|
|
|
|
wallets, exchanges), the miners will be mining a worthless coin with
|
|
|
|
|
empty blocks. This diffusion of power means that all the participants
|
|
|
|
|
@ -2534,4 +2505,4 @@ consensus software development is that change is difficult and consensus
|
|
|
|
|
forces compromise.
|
|
|
|
|
|
|
|
|
|
Some see this as a weakness of consensus systems. In time, you may come
|
|
|
|
|
to see it as I do, as the system's greatest strength.
|
|
|
|
|
to see it as the system's greatest strength.
|
|
|
|
|
|
David A. Harding
12 months ago