Underpinning bitcoin is its proof of work algorithm. It is a computational problem which when solved proves you expended work to solve. In bitcoin’s context, work refers to electricity and proof to the ‘target check’.
Hashing
The actual algorithm involves a hash function.
An algorithm is a list of instructions for solving a problem. An abstract flow-chart of a computer program is an algorithm.
Algorithms can be put inside black boxes called functions. Things (input) go into a function, magic happens inside, and things (output) come out.
When programmers talk of algorithms, they mean a set of instructions or a procedure which they are interested in its inner workings. When speaking of a function, a programmer is referring more to what it does rather than how it works. So in this article, when we refer to the proof of work algorithm we are examining how it works. For the hash function which is used by the proof of work, we are less interested how it works and more what are its effects.
A hash function takes a single input and gives a single output that is not easily recognised from the input. Good hash functions (there are many variants from MD5 to SHA) should hardly never generate collisions- that is when two different inputs produce the same output.
In practice, this means that hash functions generate hashes that have many digits.
$ python
>>> import hashlib
>>> hashlib.sha256("hello").hexdigest()
'2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824'
We put hello into the SHA256 hash function, and its algorithm computed the hash value which the function spat out; 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824.
Another property of a good hash function is small changes in input lead to large changes in output. This makes it difficult (practically impossible) to reverse a hash function. Bad hash functions can be reversed with enough computation power. The output hash may not have enough digits and the total search space is too small. Or there are too many collisions in the hash function.
Small changes in the starting conditions lead to large hard to guess changes in output.
A security measure that all websites should employ is to not store your password on their server but a hash of the password. When you login, the website hashes your password and checks whether it matches their hash. This makes it impossible for an attacker who compromises the website to learn of the user’s passwords.
When MtGox had their database leaked online, that they were compromised in the first place was also confounded by their poor choice of a hashing algorithm. It was trivial to run through every possible combination of digits, recreate the hash and check for matches in the list to find user’s passwords. A good hashing algorithm makes this kind of attack infeasible.
Proof of work
The bitcoin proof of work algorithm is simple:
- Hash a block
- Calculate the current target from the difficulty
- Is the block hash value less than the current target?
A bitcoin miner is constantly hashing a block to see if it passes the above check. If not then it slightly modifies the block and tries again. It keeps doing this until it finds a block that passes. A valid block has been found, and the miner will broadcast this block to the network.
The difficulty is set by the network. Around every 2 weeks, the network reconvenes and decides on a new difficulty. If it was too easy to make blocks, then the difficulty rises. If too hard, then difficulty falls.
This is why bitcoin blocks all start with zeros. The block hashes are numbers. Block 163701 has a hash value in hexadecimal representation of:
00000000000009611e31fd14c3c786bb792e17f9b95f65620491ac55ed4bc018
In decimal this is:
15072061652479515824586354748403488046119941424972330391289880
Looking at block 163701, note the field labelled “Bits”.
Difficulty: 1307728.360604 ("Bits": 1a0cd43f)
To transform a bits value into a target we use the formula:
t = b2 · 28(b1 - 3)
b1 is the first byte of our “bits” value or 0x1a in hexadecimal (26 in decimal). b2 is the rest of the value or 0x0cd43f (840767).
t = 0x0cd43f · 28(0x1a - 3)
>>> 0x0cd43f * 2**(8*(0x1a - 3))
20615546854515052444405957679617344022137222968655050411343872L
>>> "%x"%(0x0cd43f * 2**(8*(0x1a - 3)))
'cd43f0000000000000000000000000000000000000000000000'
The maximum possible target is a constant defined by 0x1d00ffff.
>>> "%x"%(0x00ffff * 2**(8*(0x1d - 3)))
'ffff0000000000000000000000000000000000000000000000000000'
To find the difficulty we use:
difficulty = maximum possible target / currently agreed on target
Taking from our example:
>>> 0xffff0000000000000000000000000000000000000000000000000000 / float(0xcd43f0000000000000000000000000000000000000000000000)
1307728.3606040676
Which is the same difficulty we noted earlier on block explorer. We know the current target, and we have the block hash. If the block is valid and passes the proof of work test then that block hash will be a smaller number than the current target.
0x00000000000009611e31fd14c3c786bb792e17f9b95f65620491ac55ed4bc018 < 0xcd43f0000000000000000000000000000000000000000000000
True
A miner’s task is to make a block and keep modifying that block so that it produces a different hash, until that hash passes the above test. Noting our example block, there is a field called “Nonce”.
Nonce: 2528486661
To modify the blocks, miners usually keep adding one to the nonce and rehash the block. Although they can equally set it to random values or modify the block in other ways such as re-arranging the transactions contained in the block. And if the nonce reaches its maximum value, then miners will perform some trickery on their first transaction and continue on (trickery is increment coinbase nonce or IncrementExtraNonce(...)).
Creating a block is not easy. It takes computational processor cycles. Ergo it takes electricity. Ergo it costs money. Creating a block usually has miniscule profit or even negative expected value. As more people mine and create blocks, the network drives up the difficulty squeezing out all the profit.
Once a miner finds a valid block that passes the proof of work test, it is sent out to the network. Other participants in the network pick up the block, verify that it passes the test, accept it into their own blockchain and relay it on.
Thank you for your time to provide this much needed transparency to such a technical detail where as most people who understand this topic simply do not have to time to be bothered to explicate.
Thank you again.
Thank you for your careful and didactic exposition of the elements of the network bitcoin and deserves to be deeply shared.
Thank you, thank you;-)) ==> [Tweet-9, +1Google, LinkedIn] shared
How large in size is the block that is hashed?
Always a constant 80 bytes. This is so there is no disincentive for miners to include more transactions.
http://gitorious.org/libbitcoin/libbitcoin/blobs/master/include/bitcoin/messages.hpp
struct block { uint32_t version; hash_digest previous_block_hash; hash_digest merkle; uint32_t timestamp; uint32_t bits; uint32_t nonce; transaction_list transactions; };http://gitorious.org/libbitcoin/libbitcoin/blobs/master/src/block.cpp
hash_digest hash_block_header(const message::block& block) { serializer key; key.write_4_bytes(block.version); key.write_hash(block.previous_block_hash); key.write_hash(block.merkle); key.write_4_bytes(block.timestamp); key.write_4_bytes(block.bits); key.write_4_bytes(block.nonce); return generate_sha256_hash(key.data()); }Why don’t you explain “proof-of-stake” instead?
Excellent tutorial, thanks very much!
P.S.: Your site RSS is not working, please fix it
Looks to me like this steps on much of Stephen Wolfram’s work. Especially is the hash pyramid schema.
Except that Stephan Wolfram plagiarised all that work and claimed it as his own. His book ‘A New Kind of Science’ talks about cellular automata without other once mentioning the term ‘cellular automata’ nor mentioning the people who invented those algorithms he talks about. He speaks in an authoritative tone implying he developed those techniques (he didn’t) taking the credit for it.
The guy is a loser.
Thanks for explaining this so technical topic in great details. Bitcoin is really not a new thing now but of course, people are new to understand it. This article explains the Proof of Work used in the Bitcoin system very well!
Would you tell me how the current target can be calculated? you mentioned the formula to calculate target from bits, but I want two know when the difficulty changes per 2016 blocks and it concludes from difficulty= max target/current target. how the current target would be determined?