Chapter Two

Transactions, Blocks, Mining, and the Blockchain

The bitcoin system, unlike traditional banking and payment systems, is based on de-centralized trust. Instead of a central trusted authority, te bitcoin, trust is achieved spil an emergent property from the interactions of different participants ter the bitcoin system. Ter this chapter, wij will examine bitcoin from a high level by tracking a single transaction through the bitcoin system and observe spil it becomes “trusted” and accepted by the bitcoin mechanism of distributed overeenstemming and is ultimately recorded on the blockchain, the distributed ledger of all transactions.

Each example is based on an actual transaction made on the bitcoin network, simulating the interactions inbetween the users (Joe, Alice, and Bob) by sending funds from one wallet to another. While tracking a transaction through the bitcoin network and blockchain, wij will use a blockchain explorer webpagina to visualize each step. A blockchain explorer is a web application that operates spil a bitcoin search engine, te that it permits you to search for addresses, transactions, and blocks and see the relationships and flows inbetween them.

Popular blockchain explorers include:

Each of thesis has a search function that can take an address, transaction hash, or block number and find the omschrijving gegevens on the bitcoin network and blockchain. With each example, wij will provide a URL that takes you directly to the relevant entry, so you can investigate it ter detail.

Bitcoin Overview

Ter the overview diagram shown te Figure 2-1, wij see that the bitcoin system consists of users with wallets containing keys, transactions that are propagated across the network, and miners who produce (through competitive computation) the overeenstemming blockchain, which is the authoritative ledger of all transactions. Ter this chapter, wij will trace a single transaction spil it travels across the network and examine the interactions inbetween each part of the bitcoin system, at a high level. Subsequent chapters will delve into the technology behind wallets, mining, and merchant systems.

Buying a Cup of Coffee

Alice, introduced ter the previous chapter, is a fresh user who has just acquired hier very first bitcoin. Ter “Getting Your Very first Bitcoins”, Alice met with hier friend Joe to exchange some specie for bitcoin. The transaction created by Joe funded Alice’s wallet with 0.Ten BTC. Now Alice will make hier very first retail transaction, buying a cup of coffee at Bob’s coffee shop ter Palo Alto, California. Bob’s coffee shop recently commenced accepting bitcoin payments, by adding a bitcoin option to his point-of-sale system. The prices at Bob’s Cafe are listed te the local currency (US dollars), but at the register, customers have the option of paying ter either dollars or bitcoin. Alice places hier order for a cup of coffee and Bob comes in the transaction at the register. The point-of-sale system will convert the total price from US dollars to bitcoins at the prevailing market rate and display the prices ter both currencies, spil well spil voorstelling a QR code containing a payment request for this transaction (see Figure 2-2):

The payment request QR code encodes the following URL, defined ter BIP0021:

Unlike a QR code that simply contains a destination bitcoin address, a payment request is a QR-encoded URL that contains a destination address, a payment amount, and a generic description such spil “Bob’s Cafe.” This permits a bitcoin wallet application to prefill the information used to send the payment while displaying a human-readable description to the user. You can scan the QR code with a bitcoin wallet application to see what Alice would see.

Bob says, “That’s one-dollar-fifty, or fifteen millibits.”

Alice uses hier smartphone to scan the barcode on display. Hier smartphone shows a payment of 0.0150 BTC to Bob’s Cafe and she selects Send to authorize the payment. Within a few seconds (about the same amount of time spil a credit card authorization), Bob would see the transaction on the register, completing the transaction.

Ter the following sections wij will examine this transaction te more detail, see how Alice’s wallet constructed it, how it wasgoed propagated across the network, how it wasgoed verified, and eventually, how Bob can spend that amount ter subsequent transactions.

The bitcoin network can transact te fractional values, e.g., from milli-bitcoins (1/1000th of a bitcoin) down to 1/100,000,000th of a bitcoin, which is known spil a satoshi. Via this book we’ll use the term “bitcoin” to refer to any quantity of bitcoin currency, from the smallest unit (1 satoshi) to the total number (21,000,000) of all bitcoins that will everzwijn be mined.

Bitcoin Transactions

Ter ordinary terms, a transaction tells the network that the proprietor of a number of bitcoins has authorized the transfer of some of those bitcoins to another holder. The fresh proprietor can now spend thesis bitcoins by creating another transaction that authorizes transfer to another proprietor, and so on, te a chain of ownership.

Transactions are like lines ter a double-entry bookkeeping ledger. Ter plain terms, each transaction contains one or more “inputs,” which are debits against a bitcoin account. On the other side of the transaction, there are one or more “outputs,” which are credits added to a bitcoin account. The inputs and outputs (debits and credits) do not necessarily add up to the same amount. Instead, outputs add up to slightly less than inputs and the difference represents an implied “transaction toverfee,” which is a puny payment collected by the miner who includes the transaction ter the ledger. A bitcoin transaction is shown spil a bookkeeping ledger entry ter Figure 2-3.

The transaction also contains proof of ownership for each amount of bitcoin (inputs) whose value is transferred, te the form of a digital signature from the possessor, which can be independently validated by anyone. Ter bitcoin terms, “spending” is signing a transaction that transfers value from a previous transaction overheen to a fresh holder identified by a bitcoin address.

Transactions budge value from transaction inputs to transaction outputs . An input is where the coin value is coming from, usually a previous transaction’s output. A transaction output assigns a fresh proprietor to the value by associating it with a key. The destination key is called an encumbrance . It imposes a requirement for a signature for the funds to be redeemed ter future transactions. Outputs from one transaction can be used spil inputs ter a fresh transaction, thus creating a chain of ownership spil the value is moved from address to address (see Figure 2-4).

Alice’s payment to Bob’s Cafe uses a previous transaction spil its input. Te the previous chapter Alice received bitcoin from hier friend Joe ter come back for metselspecie. That transaction has a number of bitcoins locked (encumbered) against Alice’s key. Hier fresh transaction to Bob’s Cafe references the previous transaction spil an input and creates fresh outputs to pay for the cup of coffee and receive switch. The transactions form a chain, where the inputs from the latest transaction correspond to outputs from previous transactions. Alice’s key provides the signature that unlocks those previous transaction outputs, thereby proving to the bitcoin network that she possesses the funds. She fastens the payment for coffee to Bob’s address, thereby “encumbering” that output with the requirement that Bob produces a signature te order to spend that amount. This represents a transfer of value inbetween Alice and Bob. This chain of transactions, from Joe to Alice to Bob, is illustrated te Figure 2-4.

Common Transaction Forms

The most common form of transaction is a plain payment from one address to another, which often includes some “switch” returned to the original possessor. This type of transaction has one input and two outputs and is shown te Figure 2-5.

Another common form of transaction is one that aggregates several inputs into a single output (see Figure 2-6). This represents the real-world omschrijving of exchanging a pile of coins and currency notes for a single larger note. Transactions like thesis are sometimes generated by wallet applications to clean up lots of smaller amounts that were received spil switch for payments.

Ultimately, another transaction form that is seen often on the bitcoin ledger is a transaction that distributes one input to numerous outputs signifying numerous recipients (see Figure 2-7). This type of transaction is sometimes used by commercial entities to distribute funds, such spil when processing payroll payments to numerous employees.

Constructing a Transaction

Alice’s wallet application contains all the logic for selecting adequate inputs and outputs to build a transaction to Alice’s specification. Alice only needs to specify a destination and an amount and the surplus happens ter the wallet application without hier witnessing the details. Importantly, a wallet application can construct transactions even if it is totally offline. Like writing a check at huis and zometeen sending it to the bankgebouw te an envelope, the transaction does not need to be constructed and signed while connected to the bitcoin network. It only has to be sent to the network eventually for it to be executed.

Getting the Right Inputs

Alice’s wallet application will very first have to find inputs that can pay for the amount she wants to send to Bob. Most wallet applications keep a petite database of “unspent transaction outputs” that are locked (encumbered) with the wallet’s own keys. Therefore, Alice’s wallet would contain a copy of the transaction output from Joe’s transaction, which wasgoed created ter exchange for metselspecie (see “Getting Your Very first Bitcoins”). A bitcoin wallet application that runs spil a full-index client actually contains a copy of every unspent output from every transaction ter the blockchain. This permits a wallet to construct transaction inputs spil well spil quickly verify incoming transactions spil having keurig inputs. However, because a full-index client takes up a lotsbestemming of disk space, most user wallets run “lightweight” clients that track only the user’s own unspent outputs.

If the wallet application does not maintain a copy of unspent transaction outputs, it can query the bitcoin network to retrieve this information, using a diversity of APIs available by different providers or by asking a full-index knot using the bitcoin JSON RPC API. Example 2-1 shows a RESTful API request, constructed spil an HTTP GET directive to a specific URL. This URL will come back all the unspent transaction outputs for an address, providing any application the information it needs to construct transaction inputs for spending. Wij use the plain command-line HTTP client cURL to retrieve the response.

The response te Example 2-2 shows one unspent output (one that has not bot redeemed yet) under the ownership of Alice’s address 1Cdid9KFAaatwczBwBttQcwXYCpvK8h7FK . The response includes the reference to the transaction ter which this unspent output is contained (the payment from Joe) and its value ter satoshis, at Ten million, omschrijving to 0.Ten bitcoin. With this information, Alice’s wallet application can construct a transaction to transfer that value to fresh possessor addresses.

Spil you can see, Alice’s wallet contains enough bitcoins te a single unspent output to pay for the cup of coffee. Had this not bot the case, Alice’s wallet application might have to “rummage” through a pile of smaller unspent outputs, like picking coins from a purse until it could find enough to pay for coffee. Te both cases, there might be a need to get some switch back, which wij will see te the next section, spil the wallet application creates the transaction outputs (payments).

Creating the Outputs

A transaction output is created te the form of a script that creates an encumbrance on the value and can only be redeemed by the introduction of a solution to the script. Te simpler terms, Alice’s transaction output will contain a script that says something like, “This output is payable to whoever can present a signature from the key corresponding to Bob’s public address.” Because only Bob has the wallet with the keys corresponding to that address, only Bob’s wallet can present such a signature to redeem this output. Alice will therefore “encumber” the output value with a request for a signature from Bob.

This transaction will also include a 2nd output, because Alice’s funds are te the form of a 0.Ten BTC output, too much money for the 0.015 BTC cup of coffee. Alice will need 0.085 BTC te switch. Alice’s switch payment is created by Alice’s wallet te the very same transaction spil the payment to Bob. Essentially, Alice’s wallet violates hier funds into two payments: one to Bob, and one back to herself. She can then use the switch output te a subsequent transaction, thus spending it zometeen.

Eventually, for the transaction to be processed by the network te a timely style, Alice’s wallet application will add a puny toverfee. This is not explicit ter the transaction, it is implied by the difference inbetween inputs and outputs. If instead of taking 0.085 te switch, Alice creates only 0.0845 spil the 2nd output, there will be 0.0005 BTC (half a millibitcoin) left overheen. The input’s 0.Ten BTC is not fully spent with the two outputs, because they will add up to less than 0.Ten. The resulting difference is the transaction toverfee that is collected by the miner spil a toverfee for including the transaction ter a block and putting it on the blockchain ledger.

The resulting transaction can be seen using a blockchain explorer web application, spil shown ter Figure 2-8.

Adding the Transaction to the Ledger

The transaction created by Alice’s wallet application is 258 bytes long and contains everything necessary to confirm ownership of the funds and assign fresh owners. Now, the transaction vereiste be transmitted to the bitcoin network where it will become part of the distributed ledger (the blockchain). Te the next section wij will see how a transaction becomes part of a fresh block and how the block is “mined.” Eventually, wij will see how the fresh block, once added to the blockchain, is increasingly trusted by the network spil more blocks are added.

Transmitting the transaction

Because the transaction contains all the information necessary to process, it does not matter how or where it is transmitted to the bitcoin network. The bitcoin network is a peer-to-peer network, with each bitcoin client participating by connecting to several other bitcoin clients. The purpose of the bitcoin network is to propagate transactions and blocks to all participants.

How it propagates

Alice’s wallet application can send the fresh transaction to any of the other bitcoin clients it is connected to overheen any Internet connection: wired, WiFi, or mobile. Hier bitcoin wallet does not have to be connected to Bob’s bitcoin wallet directly and she does not have to use the Internet connection suggested by the cafe, however both those options are possible, too. Any bitcoin network knot (other client) that receives a valid transaction it has not seen before will instantaneously forward it to other knots to which it is connected. Thus, the transaction rapidly propagates out across the peer-to-peer network, reaching a large percentage of the knots within a few seconds.

Bob’s view

If Bob’s bitcoin wallet application is directly connected to Alice’s wallet application, Bob’s wallet application might be the very first knot to receive the transaction. However, even if Alice’s wallet sends the transaction through other knots, it will reach Bob’s wallet within a few seconds. Bob’s wallet will instantly identify Alice’s transaction spil an incoming payment because it contains outputs redeemable by Bob’s keys. Bob’s wallet application can also independently verify that the transaction is well formed, uses previously unspent inputs, and contains sufficient transaction fees to be included ter the next block. At this point Bob can assume, with little risk, that the transaction will shortly be included te a block and confirmed.

A common misconception about bitcoin transactions is that they vereiste be “confirmed” by waiting Ten minutes for a fresh block, or up to 60 minutes for a total six confirmations. Albeit confirmations ensure the transaction has bot accepted by the entire network, such a delay is unnecessary for small-value items such spil a cup of coffee. A merchant may accept a valid small-value transaction with no confirmations, with no more risk than a credit card payment made without an ID or a signature, spil merchants routinely accept today.

Bitcoin Mining

The transaction is now propagated on the bitcoin network. It does not become part of the collective ledger (the blockchain ) until it is verified and included ter a block by a process called mining . See Chapter 8 for a detailed explanation.

The bitcoin system of trust is based on computation. Transactions are bundled into blocks , which require an enormous amount of computation to prove, but only a puny amount of computation to verify spil proven. The mining process serves two purposes ter bitcoin:

  • Mining creates fresh bitcoins ter each block, almost like a central bankgebouw printing fresh money. The amount of bitcoin created vanaf block is stationary and diminishes with time.
  • Mining creates trust by ensuring that transactions are only confirmed if enough computational power wasgoed loyal to the block that contains them. More blocks mean more computation, which means more trust.

A good way to describe mining is like a giant competitive spel of sudoku that resets every time someone finds a solution and whose difficulty automatically adjusts so that it takes approximately Ten minutes to find a solution. Imagine a giant sudoku puzzle, several thousand rows and columns ter size. If I vertoning you a ended puzzle you can verify it fairly quickly. However, if the puzzle has a few squares packed and the surplus are empty, it takes a loterijlot of work to solve! The difficulty of the sudoku can be adjusted by switching its size (more or fewer rows and columns), but it can still be verified fairly lightly even if it is very large. The “puzzle” used ter bitcoin is based on a cryptographic hash and exhibits similar characteristics: it is asymmetrically hard to solve but effortless to verify, and its difficulty can be adjusted.

Te “Bitcoin Uses, Users, and Their Stories”, wij introduced Jing, a pc engineering student te Shanghai. Jing is participating te the bitcoin network spil a miner. Every Ten minutes or so, Jing joins thousands of other miners ter a global wedstrijd to find a solution to a block of transactions. Finding such a solution, the so-called proof of work, requires quadrillions of hashing operations vanaf 2nd across the entire bitcoin network. The algorithm for proof of work involves repeatedly hashing the header of the block and a random number with the SHA256 cryptographic algorithm until a solution matching a predetermined pattern emerges. The very first miner to find such a solution wins the round of competition and publishes that block into the blockchain.

Jing commenced mining te 2010 using a very quick desktop rekentuig to find a suitable proof of work for fresh blocks. Spil more miners began joining the bitcoin network, the difficulty of the problem enlargened rapidly. Soon, Jing and other miners upgraded to more specialized hardware, such spil high-end dedicated graphical processing units (GPUs) cards such spil those used te gaming desktops or consoles. At the time of this writing, the difficulty is so high that it is profitable only to mine with application-specific integrated circuits (ASIC), essentially hundreds of mining algorithms printed te hardware, running ter parallel on a single silicon chip. Jing also joined a “mining pool,” which much like a lottery pool permits several participants to share their efforts and the prizes. Jing now runs two USB-connected ASIC machines to mine for bitcoin 24 hours a day. He pays his tens unit costs by selling the bitcoin he is able to generate from mining, creating some income from the profits. His rekentuig runs a copy of bitcoind, the reference bitcoin client, spil a backend to his specialized mining software.

Mining Transactions te Blocks

A transaction transmitted across the network is not verified until it becomes part of the global distributed ledger, the blockchain. Every Ten minutes on average, miners generate a fresh block that contains all the transactions since the last block. Fresh transactions are permanently flowing into the network from user wallets and other applications. Spil thesis are seen by the bitcoin network knots, they get added to a makeshift pool of unverified transactions maintained by each knot. Spil miners build a fresh block, they add unverified transactions from this pool to a fresh block and then attempt to solve a very hard problem (a.k.a., proof of work) to prove the validity of that fresh block. The process of mining is explained ter detail ter “Introduction”.

Transactions are added to the fresh block, prioritized by the highest-fee transactions very first and a few other criteria. Each miner starts the process of mining a fresh block of transactions spil soon spil he receives the previous block from the network, knowing he has lost that previous round of competition. He instantly creates a fresh block, fills it with transactions and the fingerprint of the previous block, and starts calculating the proof of work for the fresh block. Each miner includes a special transaction te his block, one that pays his own bitcoin address a prize of freshly created bitcoins (presently 25 BTC vanaf block). If he finds a solution that makes that block valid, he “wins” this prize because his successful block is added to the global blockchain and the prize transaction he included becomes spendable. Jing, who participates ter a mining pool, has set up his software to create fresh blocks that assign the prize to a pool address. From there, a share of the prize is distributed to Jing and other miners te proportion to the amount of work they contributed te the last round.

Alice’s transaction wasgoed picked up by the network and included ter the pool of unverified transactions. Because it had sufficient fees, it wasgoed included ter a fresh block generated by Jing’s mining pool. Approximately five minutes after the transaction wasgoed very first transmitted by Alice’s wallet, Jing’s ASIC miner found a solution for the block and published it spil block #277316, containing 419 other transactions. Jing’s ASIC miner published the fresh block on the bitcoin network, where other miners validated it and embarked the wedstrijd to generate the next block.

You can see the block that includes Alice’s transaction.

A few minutes zometeen, a fresh block, #277317, is mined by another miner. Because this fresh block is based on the previous block (#277316) that contained Alice’s transaction, it added even more computation on top of that block, thereby strengthening the trust te those transactions. The block containing Alice’s transaction is counted spil one “confirmation” of that transaction. Each block mined on top of the one containing the transaction is an extra confirmation. Spil the blocks pile on top of each other, it becomes exponentially stiffer to switch roles the transaction, thereby making it more and more trusted by the network.

Te the diagram te Figure 2-9 wij can see block #277316, which contains Alice’s transaction. Below it are 277,316 blocks (including block #0), linked to each other te a chain of blocks (blockchain) all the way back to block #0, known spil the genesis block . Overheen time, spil the “height” ter blocks increases, so does the computation difficulty for each block and the chain spil a entire. The blocks mined after the one that contains Alice’s transaction act spil further assurance, spil they pile on more computation ter a longer and longer chain. By convention, any block with more than six confirmations is considered irrevocable, because it would require an immense amount of computation to invalidate and recalculate six blocks. Wij will examine the process of mining and the way it builds trust ter more detail ter Chapter 8.

Spending the Transaction

Now that Alice’s transaction has bot embedded ter the blockchain spil part of a block, it is part of the distributed ledger of bitcoin and visible to all bitcoin applications. Each bitcoin client can independently verify the transaction spil valid and spendable. Full-index clients can track the source of the funds from the ogenblik the bitcoins were very first generated ter a block, incrementally from transaction to transaction, until they reach Bob’s address. Lightweight clients can do what is called a simplified payment verification (see “Simplified Payment Verification (SPV) Nodes”) by confirming that the transaction is ter the blockchain and has several blocks mined after it, thus providing assurance that the network accepts it spil valid.

Bob can now spend the output from this and other transactions, by creating his own transactions that reference thesis outputs spil their inputs and assign them fresh ownership. For example, Bob can pay a contractor or supplier by transferring value from Alice’s coffee cup payment to thesis fresh owners. Most likely, Bob’s bitcoin software will aggregate many petite payments into a larger payment, perhaps concentrating all the day’s bitcoin revenue into a single transaction. This would budge the various payments into a single address, used spil the store’s general “checking” account. For a diagram of an aggregating transaction, see Figure 2-6.

Spil Bob spends the payments received from Alice and other customers, he extends the chain of transactions, which te turn are added to the global blockchain ledger for all to see and trust. Let’s assume that Bob pays his web designer Gopesh te Bangalore for a fresh webstek pagina. Now the chain of transactions will look like Figure 2-10.

Xerox Alto restoration, IC switch sides engineering, chargers, and whatever

Mining Bitcoin with pencil and paper: 0.67 hashes vanaf day

The mining process

A cryptographic hash function takes a block of input gegevens and creates a smaller, unpredictable output. The hash function is designed so there’s no “brief cut” to get the desired output – you just have to keep hashing blocks until you find one by brute force that works. For Bitcoin, the hash function is a function called SHA-256. To provide extra security, Bitcoin applies the SHA-256 function twice, a process known spil double-SHA-256.

Ter Bitcoin, a successful hash is one that starts with enough zeros.[1] Just spil it is zonderling to find a phone number or license plate ending ter numerous zeros, it is uncommon to find a hash beginning with numerous zeros. But Bitcoin is exponentially tighter. Presently, a successful hash vereiste commence with approximately 17 zeros, so only one out of 1.4×10 20 hashes will be successful. Te other words, finding a successful hash is firmer than finding a particular grain of sand out of all the grains of sand on Earth.

The following diagram shows a block te the Bitcoin blockchain along with its hash. The yellow bytes are hashed to generate the block hash. Te this case, the resulting hash starts with enough zeros so mining wasgoed successful. However, the hash will almost always be unsuccessful. Te that case, the miner switches the nonce value or other block contents and attempts again.

The SHA-256 hash algorithm used by Bitcoin

The blue boxes mix up the values ter non-linear ways that are hard to analyze cryptographically. Since the algorithm uses several different functions, discovering an attack is firmer. (If you could figure out a mathematical shortcut to generate successful hashes, you could take overheen Bitcoin mining.)

The Moe majority opbergruimte looks at the vinnig of A, B, and C. For each position, if the majority of the kattig are 0, it outputs 0. Otherwise it outputs 1. That is, for each position ter A, B, and C, look at the number of 1 pinnig. If it is zero or one, output 0. If it is two or three, output 1.

The &Sigma,0 opbergruimte rotates the onvriendelijk of A to form three rotated versions, and then sums them together modulo Two. Te other words, if the number of 1 pinnig is odd, the sum is 1, otherwise, it is 0. The three values te the sum are A rotated right by Two vinnig, 13 onvriendelijk, and 22 vinnig.

The Ch “choose” opbergruimte chooses output onvriendelijk based on the value of input E. If a bit of E is 1, the output bit is the corresponding bit of F. If a bit of E is 0, the output bit is the corresponding bit of G. Ter this way, the onaardig of F and G are shuffled together based on the value of E.

The next opbergruimte &Sigma,1 rotates and sums the pinnig of E, similar to &Sigma,0 except the shifts are 6, 11, and 25 vinnig.

The crimson boxes perform 32-bit addition, generating fresh values for A and E. The input Wt is based on the input gegevens, slightly processed. (This is where the input block gets fed into the algorithm.) The input Kt is a onveranderlijk defined for each round.[Two]

Spil can be seen from the diagram above, only A and E are switched te a round. The other values pass through unchanged, with the old A value becoming the fresh B value, the old B value becoming the fresh C value and so forward. Albeit each round of SHA-256 doesn’t switch the gegevens much, after 64 rounds the input gegevens will be totally scrambled.[Three]

Manual mining

To explain what’s on the paper: I’ve written each block A through H te hex on a separate row and waterput the binary value below. The maj operation emerges below C, and the shifts and &Sigma,0 emerge above row A. Likewise, the choose operation emerges below G, and the shifts and &Sigma,1 above E. Te the lower right, a bunch of terms are added together, corresponding to the very first three crimson sum boxes. Ter the upper right, this sum is used to generate the fresh A value, and te the middle right, this sum is used to generate the fresh E value. Thesis steps all correspond to the diagram and discussion above.

I also by hand performed another hash round, the last round to finish hashing the Bitcoin block. Ter the picture below, the hash result is highlighted te yellow. The zeroes ter this hash showcase that it is a successful hash. Note that the zeroes are at the end of the hash. The reason is that Bitcoin inconveniently reverses all the bytes generated by SHA-256.[Four]

What this means for mining hardware

Te tegenstelling, Litecoin, Dogecoin, and similar altcoins use the scrypt hash algorithm, which is intentionally designed to be difficult to implement te hardware. It stores 1024 different hash values into memory, and then combines them te unpredictable ways to get the final result. Spil a result, much more circuitry and memory is required for scrypt than for SHA-256 hashes. You can see the influence by looking at mining hardware, which is thousands of times slower for scrypt (Litecoin, etc) than for SHA-256 (Bitcoin).

Conclusion

A Reddit reader asked about my energy consumption. There’s not much physical exertion, so assuming a resting metabolic rate of 1500kcal/day, manual hashing works out to almost Ten megajoules/hash. A typical energy consumption for mining hardware is 1000 megahashes/joule. So I’m less energy efficient by a factor of 10^16, or Ten quadrillion. The next question is the energy cost. A cheap source of food energy is donuts at $0.23 for 200 kcalories. Electric current here is $0.15/kilowatt-hour, which is cheaper by a factor of 6.7 – closer than I expected. Thus my energy cost vanaf hash is about 67 quadrillion times that of mining hardware. It’s clear I’m not going to make my fortune off manual mining, and I toevluchthaven’t even included the cost of all the paper and pencils I’ll need.

Notes

[Two] The source of the constants used te SHA-256 is interesting. The NSA designed the SHA-256 algorithm and picked the values for thesis constants, so how do you know they didn’t pick special values that let them pauze the hash? To avoid suspicion, the initial hash values come from the square roots of the very first 8 primes, and the Kt values come from the cube roots of the very first 64 primes. Since thesis constants come from a elementary formula, you can trust that the NSA didn’t do anything shady (at least with the constants).

[Three] Unluckily the SHA-256 hash works on a block of 512 onaardig, but the Bitcoin block header is more than 512 kattig. Thus, a 2nd set of 64 SHA-256 hash rounds is required on the 2nd half of the Bitcoin block. Next, Bitcoin uses double-SHA-256, so a 2nd application of SHA-256 (64 rounds) is done to the result. Adding this up, hashing an arbitrary Bitcoin block takes 192 rounds ter total. However there is a shortcut. Mining involves hashing the same block overheen and overheen, just switching the nonce which emerges ter the 2nd half of the block. Thus, mining can reuse the result of hashing the very first 512 snauwerig, and hashing a Bitcoin block typically only requires 128 rounds.

[Four] Obviously I didn’t just have incredible good fortune to end up with a successful hash. I commenced the hashing process with a block that had already bot successfully mined. Te particular I used the one displayed earlier ter this article, #286819.

[Five] Another problem with manual mining is fresh blocks are mined about every Ten minutes, so even if I did succeed te mining a block, it would be totally obsolete (orphaned) by the time I finished.

56 comments:

You’re insane, but amazing. This is fantastic.

You may have a typo ter the Moeder majority opbergruimte description. The very first sentence says ",looks at the snauwerig of A, B, and C",, which agrees with the diagram. But the fourth sentence says ",for each position te B, C, and D",.

On line Five, you didn’t carry the one.

Order more donuts.

Very cool but I’m a bit confused. The diagram shown says ",transaction count: 63", but the block on Block Explorer says ",Transactions: 99",. Why the discrepancy?

Disregard the pitiful buggers who are members of Anonymous.

I love you, this is so nerdy, so geeky but so fantastic. I love how you calculated energy costs lol.

Your endeavor makes mij think about my blog pagina where I demonstrated a picture for my description ",The early Bitcoin miner wasgoed very efficient on violet wand, however zero Bitcoin yield.",. I am tempted to add you to my ",Bitcoin Mining Equipments",. http://this1that1whatever.com/money/bitcoin/bitcoin-mining-rigs.php

Thanks Weten. That wasgoed truly funny. Now I think you are even more similar to Weird Reeds. And I also know what you do on Fridays when soccer season is not on.

zekering your shameless self promotion David wong

Weten, Could you demonstrate also how to create a transaction ready for the blockchain? This is most helpful and liquidates the mystery. Very helpful. Gary.

Now you could do some manual pic processing, for example the blur filterzakje, which is much simpler than SHA-256. The only problem is that to process a 12 mpix photo the algorithm has to be executed 12 millions times 🙂

Thank you, love it! You are the best!

Where does the value of 6534ea13 for W come from ter the final round?

Gary: I wrote about creating transactions here.

I’ve added the input preprocessing *but* something isn’t fairly right. SHA256(null) is supposed to be e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.

Does null become 80000000, . Or is null something different than a zero-length field?

Working from https://plusteken.wikipedia.org/wiki/SHA-2#Pseudocode, oops, who can explain that last step ",Add the compressed chunk to the current hash value:", where h0 := h0 + a, . To mij it seems the a thru h vereiste be the final set of values coming from round 64 but what is ",the compressed chunk",?

Oh dear, evidently wij have to do the compression rounds Four times.

For null input, thesis are the values my Goggle Sheet is calculating after the 1st of Four set of compression rounds,

h1 := h1 + b FAEE8474

h2 := h2 + c 12DB4F41

h3 := h3 + d 8C0F0B62

h4 := h4 + e 93A235C0

h5 := h5 + f 84C5217E

h6 := h6 + g 2B724C32

h7 := h7 + h B275F527

Ah, found a bug, the corrected values are,

h1 := h1 + b 6030E1D4

h2 := h2 + c E56D532B

h3 := h3 + d E5498121

h4 := h4 + e 2E5B4FA6

h5 := h5 + f F37412EA

h6 := h6 + g 702DBFFF

h7 := h7 + h 62438F1C

Hmm, vanaf http://www.movable-type.co.uk/scripts/sha256.html, evidently wij don’t do the toegevoegd Trio set of compression rounds will null spil our input. Voorwaarde be another bug.

Bugger, found another bug, the adjusted values are,

h1 := h1 + b 915378F3

h2 := h2 + c 2191FAB5

h3 := h3 + d D80944A8

h4 := h4 + e 4D34CB19

h5 := h5 + f 4C652719

h6 := h6 + g 89A736B4

h7 := h7 + h 0F2A36D5

Ah, hectare! http://csrc.nist.gov/groups/STM/cavp/documents/shs/sha256-384-512.pdf is very helpful.

David: send mij an email and I can send you the total dump of the SHA-256 gegevens, which should reaction all your questions.

K are 64-bit values and certain operations are 64-bit sums. It makes a difference ter the 18th round hashing ",alfabet",.

Oops, K are 32-bit values for SHA256, they are 64-bit values for SHA512.

Ugh, messed up the right shifts. Fixing it now.

What do you know? Eliminate the bugs and it works!

Truly interesting postbode and you have described it by hand ter a very effective manner. Now after watching your postbode I know how Bitcoin work by hand. Thanks for creating such a good postbode.

I’ve bot watching hier movie with resolution hash256 Kt=428A2F98 and

Wt=0200000 and te minute 6:30 to 6:32, you have a doubt. Then make a mistake. The result of cl gives:

I’ve done all this algorithm with a spreadsheet and find this:

1F83D9AB ch 1 15 8 Five 12 9 8 12

ch/cL E01D26F7 14 13 0 1 Two 6 7 15

It would be interesting to you to do a movie on how to create a private key and public key Bitcoin. It would bitcoin wallet safer world.

They say it´,s possible

Utterly fascinating and well done. I couldn’t find a down to earth explanation of SHA256 besides some cryptic vaktaal from NIST and numerous other websites. d

John Weyland: To treat gegevens longer than 512 onaardig, the gegevens is chopped into 512 bit blocks and the hash algorithm runs on each block ter order.

Hello , Thank you for the report . I reported on my webstek about. 🙂

You do bit rotates, not bitshifts. Which is is supposed to be?

Alan: it’s rotates. See Wikipedia for details on the operations.

I know its bot a while since you have posted on here and you very likely won’t see this but I wasgoed wondering if you could clarify how you get the gegevens from the previous hash and merkle root and what not and turn it into the usable gegevens such spil the k and w and a-h. I have bot looking overheen the wiki for a while and I cant seem to take hold of exactly what is happening. It would be utterly useful if you could.

. and if Weten can help us understand the details then I might even code it into my Google sheet.

I’m actually working on designing a hardware bitcoin miner. I can do the algorithm by arm when given the inputs but I can’t take the information from bitcoin and turn it into the inputs for the algorithm. I’ve actually already embarked my vormgeving for the part of the circuit that does the algorithm I just need to figure out how to obtain the inputs.

Hi, i dont agree with your Mama majority.

maj := (a and b) xor (a and c) xor (b and c)

Anonymous: you ask how to get from the previous hash and Merkle root to the SHA-256 variables (K, W, A-H). There are two parts to this. On the the Bitcoin side, the gegevens bytes are concatenated together to form the input to SHA-256. See the diagram ",Structure of a Bitcoin block", above – the gegevens te yellow is the input to SHA-256. On the SHA-256 side, the algorithm generates the variables through plain steps. The K values are constants and the A-H values are initialized to constants. The W values are generated from the input gegevens through ordinary shifts and xor (to extend 16 words of input to 64 words for the 64 rounds). Two other things to reminisce: since the input is more than 512 onvriendelijk, it is processed te two chunks. Also, Bitcoin applies SHA-256 twice. For details on how Bitcoin combines the gegevens to be hashes, see my article Bitcoin mining the hard way, and for details on SHA-256, see the Wikipedia article.

I`m a little clueless on how to proceed to the next round. Will my result (A. H) become the fresh initial A to H values and so on until 64th round?

Indeed thank you Weten 🙂 thats a superb article

Bitcoin is a form of digital currency, created and held electronically. No one controls it. Bitcoins aren’t printed, like dollars or euros – they’re produced by people, and increasingly businesses, running computers all around the world, using software that solves mathematical problems. It’s the very first example of a growing category of money known spil cryptocurrency.

I don’t truly get the use of the constants – why do you have to work out the very first

Ten mins every time? couldn’t you just compute it once and use that gegevens forever? am I missing something? were the constants you used just wit pinnig of gegevens that would be the gegevens of the current block you’re mining?

This is insane but awesome! Thanks for doing this!

I wished to make sure it is OK wij use the pic from this blog postbode of yours that wij published here https://www.vpnmentor.com/blog/hash-puzzle-bitcoin/ with an attribution and verbinding to your postbode. if this isn’t fine, wij’ll take it off.

Fantastic, please do more with other coins like Monero/Dash.

Indeed nice to see some one explain the topic truly good. Nice One!

If you clicked the button above, then you are presently mining bitcoin, the math-based digital currency that recently topped $1,000 on exchanges. Congratulations. (It won&rsquo,t do anything bad to your pc, wij promise.)

Fresh bitcoins are created toughly every Ten minutes te batches of 25 coins, with each coin worth around $730 at current rates. Your laptop&mdash,te collaboration with those of everyone else reading this postbode who clicked the button above&mdash,is racing thousands of others to unlock and voorkoop the next batch.

For spil long spil that tegenstoot above keeps climbing, your laptop will keep running a bitcoin mining script and attempting to get a lump of the act. (But don&rsquo,t worry: It&rsquo,s designed to shut off after Ten minutes if you are on a phone or a tablet, so your battery doesn&rsquo,t drain).

So what is that script doing, exactly?

Let&rsquo,s begin with what it&rsquo,s not doing. Your pc is not blasting through the cavernous insides of the internet ter search of digital ore that can be fashioned into bitcoin bullion. There is no ore, and bitcoin mining doesn&rsquo,t involve extracting or smelting anything. It&rsquo,s called mining only because the people who do it are the ones who get fresh bitcoins, and because bitcoin is a finite resource liberated ter puny amounts overheen time, like gold, or anything else that is mined. (The size of each batch of coins drops by half harshly every four years, and around 2140, it will be cut to zero, capping the total number of bitcoins te circulation at 21 million.) But the analogy finishes there.

What bitcoin miners actually do could be better described spil competitive bookkeeping. Miners build and maintain a gigantic public ledger containing a record of every bitcoin transaction te history. Every time somebody wants to send bitcoins to somebody else, the transfer has to be validated by miners: They check the ledger to make sure the sender isn&rsquo,t transferring money she doesn&rsquo,t have. If the transfer checks out, miners add it to the ledger. Eventually, to protect that ledger from getting hacked, miners seal it behind layers and layers of computational work&mdash,too much for a would-be fraudster to possibly finish.

And for this service, they are rewarded te bitcoins.

Or rather, some miners are rewarded. Miners are all rivaling with each other to be very first to approve a fresh batch of transactions and finish the computational work required to seal those transactions te the ledger. With each fresh batch, winner takes all.

It&rsquo,s the computational work that truly takes time, and that&rsquo,s mostly what your pc is doing right now. It&rsquo,s attempting to solve a kleuter of cryptographic problem that involves guessing and checking billions of times until it finds an reaction.

If this all seems pretty heady, that&rsquo,s because mining is an elaborate solution to a raunchy problem that plagues every currency&mdash,dual spending.

Dual spending and a public ledger

Spil the name implies, dual spending is when somebody spends money more than once. It&rsquo,s a risk with any currency. Traditional currencies avoid it through a combination of hard-to-mimic physical metselspecie and trusted third parties&mdash,banks, credit-card providers, and services like PayPal&mdash,that process transactions and update account balances accordingly.

But bitcoin is fully digital, and it has no third parties. The idea of an overseeing bod runs downright toonbank to its ethos. So if you tell mij you have 25 bitcoins, how do I know you&rsquo,re telling the truth? The solution is that public ledger with records of all transactions, known spil the block chain. (Wij&rsquo,ll get to why it&rsquo,s called that shortly.) If all of your bitcoins can be traced back to when they were created, you can&rsquo,t get away with lounging about how many you have.

So every time somebody transfers bitcoins to somebody else, miners raadpleging the ledger to make sure the sender isn&rsquo,t double-spending. If she indeed has the right to send that money, the transfer gets approved and entered into the ledger. Ordinary, right?

Well, not indeed. Using a public ledger comes with some problems. The very first is privacy. How can you make every bitcoin exchange downright semitransparent while keeping all bitcoin users fully anonymous? The 2nd is security. If the ledger is totally public, how do you prevent people from fudging it for their own build up?

There is no such thing spil a bitcoin account

Bitcoin&rsquo,s ledger deals with the privacy punt through a bit of accounting trickery. The ledger only keeps track of bitcoin transfers, not account balances. Te a very real sense, there is no such thing spil a bitcoin account. And that keeps users anonymous.

Here&rsquo,s how it works: Say Alice wants to transfer one bitcoin to Bob. Very first Bob sets up a digital address for Alice to send the money to, along with a key permitting him to access the money once it&rsquo,s there. It works sort-of like an email account and password, except that Bob sets up a fresh address and key for every incoming transaction (he doesn&rsquo,t have to do this, but it&rsquo,s very recommended).

When Alice clicks a button to send the money to Bob, the transfer is encoded te a chunk of text that includes the amount and Bob&rsquo,s address. Here&rsquo,s what that text actually look like:

And here&rsquo,s a more digestible diagram of it:

That transaction record is sent to every bitcoin miner&mdash,i.e., every rekentuig on the internet that is running mining software&mdash,and if it&rsquo,s legit, it gets added to the ledger. Let&rsquo,s assume it goes through.

Now, say Bob wants to pay Carol one bitcoin. Carol of course sets up an address and a key. And then Bob essentially takes the bitcoin Alice talent him and uses his address and key from that transfer to sign the bitcoin overheen to Carol:

This transaction gets sent out to all of the miners, and they will check (using the reference number from Alice&rsquo,s transfer to Bob) to make sure that Bob hasn&rsquo,t already transferred that bitcoin to somebody else. No dual spending. After validating the transfer, each miner will then send a message to all of the other miners, providing hier bliss.

If Bob&rsquo,s transfer to Carol passes muster, then it, too, will be added to the ledger.

That&rsquo,s all transactions are&mdash,people signing bitcoins (or fractions of bitcoins) overheen to each other. The ledger tracks the coins, but it does not track people, at least not explicitly. Assuming Bob creates a fresh address and key for each transaction, the ledger won&rsquo,t be able to expose who he is, or which addresses are his, or how many bitcoins he has ter all. It&rsquo,s just a record of money moving inbetween anonymous palms.

There is no master document

Now for the trickier problem: keeping the ledger secure.

The very first thing that bitcoin does to secure the ledger is decentralize it. There is no big spreadsheet being stored on a server somewhere. There is no master document at all.

Instead, the ledger is cracked up into blocks: discrete transaction logs that contain Ten minutes worth of bitcoin activity apiece. Every block includes a reference to the block that came before it, and you can go after the linksom backward from the most latest block to the very very first block, when bitcoin creator Satoshi Nakamoto conjured the very first bitcoins into existence.

This lineage of blocks is the block chain, and it constitutes bitcoin&rsquo,s public ledger. Every Ten minutes miners add a fresh block, growing the chain like an expanding pearl necklace.

Generally speaking, every bitcoin miner has a copy of the entire block chain on hier laptop. If she shuts hier pc down and stops mining for a while, when she starts back up, hier machine will send a message to other miners requesting the blocks that were created ter hier absence. No one person or laptop has responsibility for thesis block chain updates, no miner has special status. The updates, like the authentication of fresh blocks, are provided by the network of bitcoin miners at large.

Proof of work

Dividing the ledger up into distributed blocks isn&rsquo,t enough on its own to protect the ledger from fraud. Bitcoin also relies on cryptography.

To add a fresh block to the chain, a miner has to finish what&rsquo,s called a cryptographic proof-of-work problem. Such problems are unlikely to solve without applying a ton of brute computing force, so if you have a solution ter arm, it&rsquo,s proof that you&rsquo,ve done a certain quantity of computational work. The computational problem is different for every block te the chain, and it involves a particular kleuter of algorithm called a hash function.

Like any function, a cryptographic hash function takes an input&mdash,a string of numbers and letters&mdash,and produces an output. But there are three things that set cryptographic hash functions bijzonder:

1. The output is a predetermined length, regardless of the input.

The hash function that bitcoin relies on&mdash,called SHA-256, and developed by the US National Security Agency&mdash,always produces a string that is 64 characters long. For example:

You could run your name through that hash function, or the entire King James Bible. Te either case, you&rsquo,ll get 64 characters out the other end. And, for a given input, you&rsquo,ll always get the same output.

Two. It&rsquo,s unlikely to make a cryptographic hash function work te switch roles.

If you have the output of a cryptographic hash function (called a hash for brief), there&rsquo,s no way of knowing what the input wasgoed. It&rsquo,s a one-way street. And that&rsquo,s what makes it cryptographic&mdash,you can use a hash function to scramble text ter a way that&rsquo,s unlikely to unscramble.

Think of it like mixing paint. It&rsquo,s effortless to mix pink paint , blue paint , and grey paint . But it&rsquo,s hard to take the resulting purple and unmix it.

Three. Switching the input even a little bit switches the output dramatically

Paint mixing is a good way to think about the one-way nature of hash functions, but it doesn&rsquo,t capture their unpredictability. If you substitute light pink paint for regular pink paint te the example above, the result is still going to be pretty much the same purple , just a little lighter. But with hashes, a slight variation ter the input results te a entirely different output:

The proof-of-work problem that miners have to solve involves taking a hash of the contents of the block that they are working on&mdash,all of the transactions, some meta-data (like a timestamp), and the reference to the previous block&mdash,plus a random number called a nonce.

Their aim is to find a hash that has at least a certain number of leading zeroes. Something like this:

That constraint is what makes the problem more or less difficult. More leading zeroes means fewer possible solutions, and more time required to solve the problem. Every Two,016 blocks (harshly two weeks), that difficulty is reset. If it took miners less than Ten minutes on average to solve those Two,016 blocks, then the difficulty is automatically enlargened. If it took longer, then the difficulty is decreased.

Miners search for an acceptable hash by choosing a nonce, running the hash function, and checking. If the hash doesn&rsquo,t have the right number of leading zeroes, they switch the nonce, run the hash function, and check again.

Because of the one-way nature of hash functions, you can&rsquo,t work your way rearwards to find a nonce that fits. And because of a hash function&rsquo,s unpredictability, attempting different nonces never indeed gets you closer to the right one. It&rsquo,s all a process of elimination.

When a miner is eventually fortunate enough to find a nonce that works, and wins the block, that nonce gets appended to the end of the block, along with the resulting hash.

The entire block then gets sent out to every other miner ter the network, each of whom can then run the hash function with the winner&rsquo,s nonce, and verify that it works. If the solution is accepted by a majority of miners, the winner gets the prize, and a fresh block is commenced, using the previous block&rsquo,s hash spil a reference.

So how does this protect bitcoin from fraud?

Let&rsquo,s say a hacker wished to switch a transaction that happened 60 minutes, or six blocks, ago&mdash,maybe to eliminate evidence that she had spent some bitcoins, so she could spend them again. Hier very first step would be to go ter and switch the record for that transaction. Then, because she had modified the block, she would have to solve a fresh proof-of-work problem&mdash,find a fresh nonce&mdash,and do all of that computational work, all overheen again. (Again, due to the unpredictable nature of hash functions, making the slightest switch to the original block means commencing the proof of work from scrape.) From there, she&rsquo,d have to embark building an alternative chain going forward, solving a fresh proof-of-work problem for each block until she caught up with the present.

But unless the hacker has more computing power at hier disposition than all other bitcoin miners combined, she could never catch up. She would always be at least six blocks behind, and hier alternative chain would obviously be a counterfeit.

The key is that if somebody modifies an accepted block&mdash,one that already has a proof-of-work solution pinned to the end of it&mdash,she can&rsquo,t reuse that same solution. She has to find a fresh one. And that&rsquo,s why proof of work is needed&mdash,to ensure that she can&rsquo,t just surreptitiously modify a block and thus omkoopbaar the ledger.

Mining is competitive, not cooperative

The code that makes bitcoin mining possible is totally open-source, and developed by volunteers. But the force that indeed makes the entire machine go is unspoiled capitalistic competition. Every miner right now is racing to solve the same block at the same time, but only the winner will get the prize. Te a sense, everybody else wasgoed just searing tens unit. Yet their presence te the network is critical.

Mining&rsquo,s ultimate purpose is to prevent people from double-spending bitcoins. But it also solves another problem. It distributes fresh bitcoins ter a relatively fair way&mdash,only those people who dedicate some effort to making bitcoin work get to love the coins spil they are created.

But because mining is a competitive enterprise, miners have come up with ways to build up an edge. One evident way is by pooling resources.

Your machine, right now, is actually working spil part of a bitcoin mining collective that shares out the computational explosion. Your laptop is not attempting to solve the block, at least not instantaneously. It is chipping away at a cryptographic problem, using the input at the top of the screen and combining it with a nonce, then taking the hash to attempt to find a solution. Solving that problem is a lotsbestemming lighter than solving the block itself, but doing so gets the pool closer to finding a winning nonce for the block. And the pool pays its members te bitcoins for every one of thesis lighter problems they solve.

What are the chances you&rsquo,ll actually win?

You&rsquo,ve no doubt bot waiting very patiently to find out one thing: is there a chance you&rsquo,ll actually win some bitcoins?

Nope. Not at all. If you did find a solution, then your bounty would go to Quartz, not you. This entire time you have bot mining for us!

But the chances that you find a solution and wij profit from the computing power you&rsquo,ve contributed are essentially zero. The Quartz bitcoin mining collective just isn&rsquo,t big enough. Wij&rsquo,re not attempting to take advantage of you. Wij just desired to make the strange and elaborate world of bitcoin a little lighter to understand.

Correction (Dec. Legitimate, 2013): An earlier version of this article incorrectly stated that the long pink string of numbers and letters te the interactive at the top is the target output hash your pc is attempting to find by running the mining script. Te fact, it is one of the inputs that your rekentuig feeds into the hash function, not the output it is looking for.

Related movie: The Largest Bitcoin Mining Company Documentary


Leave a Reply

Your email address will not be published. Required fields are marked *