reference:Peking University Professor Xiao Zhen's Open Course "Blockchain Technology and Applications"
Three Properties of Hash Functions in Bitcoin#
Collision Resistance#
For two different inputs, if the outputs are equal, this is called a hash collision.
A good hash function should avoid hash collisions as much as possible and possess the property of collision resistance.
No hash algorithm can prove to be collision resistant; hash collisions are inevitable because the input space is always larger than the output space.
- Function of this property
To obtain a digest for a message.
For example, if the hash value of the message is H(m)=digest, if someone wants to tamper with the value of m while keeping H(m) unchanged, it cannot be done.
Hiding#
The computation process of a hash function is one-way and irreversible (it is impossible to deduce x from H(x)).
The hiding property requires that the input space is sufficiently large and distributed relatively evenly.
In addition to these two properties required in cryptography, the hash function used in Bitcoin has a third property.
Puzzle Friendly#
The process of Bitcoin mining is essentially finding a nonce (number of once); the nonce combined with other information in the block header serves as input, and the resulting hash value must be less than or equal to a specified target value. H(block header)≤target. The block header refers to the block header, which contains many fields, one of which is the random number nonce that we can set. The mining process involves continuously trying random numbers to ensure that the hash of the block header falls within the specified range.
Puzzle friendly means that there are no shortcuts in the mining process; to make the output value fall within the specified range, one can only try one by one, so this process can also serve as proof of work.
The hash value is inherently unpredictable; mining is difficult, but verification is easy. (difficult to solve, but easy to verify)
SHA-256 (Secure Hash Algorithm)#
The hash function used in Bitcoin is called SHA-256 (Secure Hash Algorithm), which satisfies the above three properties.
If a certain blockchain transaction system uses the SHA256 algorithm, there will be $2^{256}$ possible outputs. If $2^{256}+1$ inputs are performed, a collision will inevitably occur; even from a probabilistic perspective, performing $2^{130}$ inputs will have a $99%$ chance of causing a collision.
Assuming a computer performs hashing at a rate of 10,000 times per second, it would take $10^{27}$ years to complete $2^{128}$ hash operations.
Accounts in Bitcoin#
An account is created by establishing a public-private key pair (public key, private key) locally. The public-private key pair comes from asymmetric encryption technology.
When transacting BTC, the private key is used for signing, and others use the public key to verify the signature.
A good source of randomness is needed to generate the public-private key pair; the generation of the public-private key pair is random, and if the source of randomness is poor, it may produce the same public-private key pair. In cryptographic implementations, physical noise source chips are generally used as the source of randomness.
The signature algorithm used in Bitcoin requires a good source of randomness not only when generating the public-private key pair but also for every subsequent signature. If any signature uses a poor source of randomness, it may leak the private key.
The probability of randomly generating the same pair of public and private keys is negligible and can be ignored.
Important Data Structures in Bitcoin#
Hash Pointer#
The most basic structure in Bitcoin is the blockchain, which is a linked list composed of blocks. What is the difference between a blockchain and a regular linked list?
Bitcoin uses hash pointers instead of regular pointers (the blockchain is a linked list using hash pointers).
The first block in the blockchain is called the genesis block, and the last block is the most recently produced block. Each block contains a hash pointer pointing to the previous block.
Through this structure, a tamper-evident log can be achieved. If someone changes the content of a block, the hash pointer of the subsequent block will not match because the hash pointer of the subsequent block is calculated based on the content of the previous block, so the hash pointer of the subsequent block must also change, and so on. The last hash value we retain will also change. Therefore, as long as the hash of the last block is recorded, it can be ensured that all previous blocks have not been tampered with.
A pointer saves the address of local memory, which only makes sense on the local computer; it has no meaning when sent to other computers. So how can the hash pointer be transmitted over the network when a block is published?
The so-called hash pointer is just a figurative term; in the actual system, only the hash is used, not the pointer.
Merkle Tree#
The block header contains the root hash of the Merkle tree; as long as the Merkle tree root hash value is remembered, any modification to any part of the tree can be detected.
To find the position of a transaction in the Merkle tree (all transactions are in the leaf nodes), the path from that block up to the root node is called the Merkle proof.
Light nodes only save the block header. If a light node wants to know whether a certain transaction is included in the Merkle tree, it needs to request a full node for a Merkle proof that can prove this transaction is included, which contains the hash needed by the light node for local verification.
What can the Merkle proof prove? It proves whether a certain transaction is in the given block.
For example, a light node does not maintain the entire block UTXO content; it only knows the block header. The light node asks a full node: Is this transaction in this block? The full node returns a Merkle proof as proof, and the light node can verify its authenticity.
The difference between Merkle tree and binary tree: hash pointers replace regular pointers.
Problems to Solve for Decentralized Digital Currency#
A decentralized digital currency must solve two problems.
- The first problem: Who has the right to issue currency?
- The second problem: How to verify the legitimacy of transactions?
Double Spending Problem#
Double spending refers to the same money being spent twice. Centralized ledgers can easily solve double spending attacks, while decentralized solutions need a data structure to maintain the correctness of the ledger, and this data structure is the blockchain.
In the Bitcoin system, each transaction contains two parts: input and output. The input part must specify the source of the coins, and the output part must provide the hash of the recipient's public key.
The information needed for A to transfer money to B: A's private key signature and B's address (the address for receiving money is derived from the public key).
There are two types of hash pointers here; the first connects various blocks to form a linked list, and the second hash pointer in the transaction details points to a previous transaction to indicate the source of the coins (to prevent double spending).
Distributed Consensus#
Each account can publish transactions, and these transactions are broadcast to all nodes. Some transactions are legitimate, while others may be illegal. So who decides which transactions should be written to the next block? In what order should they be written?
A simple example of distributed consensus is the distributed hash table (DHT). For example, if there are many machines in the system, they jointly maintain a global hash table.
What content needs to reach consensus? What key-value pairs are included in the hash table. If someone inserts a key-value pair 'xiao' corresponding to 12345 into their computer, then others should also be able to read this from another machine; this is called a global hash table.
Impossibility Result#
There are many impossibility results regarding distributed systems, the most famous of which is the FLP impossibility result. These three letters are the initials of three experts' names. In an asynchronous system (where network transmission delays have no upper limit, which is called an asynchronous system), even if only one member is faulty, consensus cannot be achieved.
CAP Theorem#
Another famous conclusion is the CAP theorem, which states that in a distributed system, Consistency, Availability, and Partition tolerance cannot all be achieved simultaneously. Consistency, Availability, and Partition tolerance can only satisfy two of the three.
Blockchain Trilemma#
The blockchain trilemma was proposed by Vitalik, the founder of Ethereum.
It states that blockchain technology cannot simultaneously achieve decentralization, security, and efficiency.
- Decentralization
- Scalability
- Security
POW - Consensus Protocol in Bitcoin#
Voting-Based Consensus Scheme#
Some nodes may be malicious. Assuming that most nodes in the system are good, how should the consensus protocol be designed?
One solution is voting. Any voting-based consensus scheme must first determine who has the right to vote, right? There must be a membership issue. If this blockchain has a strictly defined membership, for example, in a consortium chain like Hyperledger Fabric, only certain qualified large companies can join. In this case, a voting-based scheme is feasible. We assume that most members are good, so voting is feasible.
Simple direct voting does not work in public chains.
The Bitcoin system is not like this. In the Bitcoin system, it is very easy to create an account. You generate a public-private key pair locally; an account does not require anyone's approval, and others may not even know about it. Only when a transaction occurs with the outside world will others know that there is such an account. If there are malicious nodes, they could set up a supercomputer and do nothing else but continuously generate various accounts. If the accounts they generate exceed half of the total, they will have control and can manipulate the voting results. This is called a Sybil attack.
The Bitcoin system uses a clever mechanism to solve this problem. It is also voting, but instead of voting by the number of accounts, it is voting by computational power.
Accounting Rights#
Each node can locally assemble a candidate block, putting the transactions it considers legitimate into this block, and then it starts trying various random nonce values. If a certain node finds a nonce (4 bytes) that meets the requirement of the inequality H(block header)≤target, we consider it has obtained accounting rights.
Accounting rights refer to the right to write the next block into the decentralized ledger of Bitcoin. Only the node that finds this nonce and obtains accounting rights has the right to publish the next block.
Verifying the Legitimacy of Blocks#
When other nodes receive this block, they need to verify the legitimacy of this block.
For example, first verify whether the content of this block header is filled in correctly. The block header has a field called nBits. In fact, it is an encoding of the target value; check whether the nBits field is set according to the difficulty requirements specified in the Bitcoin protocol. Then check whether this nonce satisfies the inequality H(block header)≤target.
In other words, when you publish a block, do you really have the right to publish it? Did you really obtain accounting rights? Assuming all requirements are met, then check the transaction list in the block body to verify whether each transaction is legitimate. First, there must be a valid signature. Second, the coins used must not have been spent before. If any one of these does not meet the requirements, this block cannot be accepted.
Forking Attack#
Even if all conditions are met, this block may not be accepted.
What situation can lead to a block not being accepted even if all conditions are met? The transactions in the block are legitimate, but it is not on the longest valid chain. This is called a forking attack.
A forking attack involves inserting a block into the middle of the blockchain to roll back a transaction that has already occurred.
Forks may also occur under normal circumstances in the blockchain. If two nodes simultaneously obtain accounting rights, each node assembles a block that it considers suitable locally and then tries various nonces. If both nodes find a nonce that meets the requirements at almost the same time, both can publish their blocks, resulting in two equal-length forks, both of which are the longest valid chains.
So which one should be accepted? In the Bitcoin protocol, by default, each node accepts the one it received first. Therefore, different nodes may hear about one of the new blocks first, and they will accept that block; some nodes may hear about the other block first and accept that one.
How to determine if a block is accepted? The Bitcoin protocol uses implicit consent; if it continues to expand along this block, it is considered to have recognized the published block. For example, if a new block is generated after one of the blocks, and another block is expanded behind it, it indicates that the new block is recognized.
How will the two chains that generate new blocks simultaneously develop? Equal-length temporary forks will last for a while until one fork wins. The chain that generates a new block first will be the longest valid chain. The other one will be called an orphan block. These two new blocks may each attract miners, and which blockchain wins may depend on which has stronger computational power or sometimes just luck.
Consensus Mechanism in the Bitcoin System#
Taking an example of a distributed hash table, in a distributed system with many servers, what consensus do these servers need to reach? It is the content of the hash table, which key-value pairs are included.
So the content of the decentralized ledger in Bitcoin is the consensus to be reached; only nodes that obtain accounting rights can write things into it.
Why Do People Compete for Accounting Rights?#
Why do people compete for accounting rights? First, nodes with accounting rights have certain powers to decide which transactions are written to the next block.
However, when designing this protocol, we should not let this become the main motivation for competing for accounting rights, because we hope that all legitimate transactions should be written into the blockchain. This leads to the concepts of block rewards and transaction fees.
Who Decides the Issuance of Currency?#
The coinbase transaction is the only way to issue new bitcoins in the Bitcoin system; this transaction does not need to specify the source of the coins, and subsequent transactions are based on the transfer of bitcoins.
The process of competing for accounting rights in Bitcoin is called mining. Therefore, nodes competing for accounting rights are called miners. If they obtain accounting rights, we say they have mined a block or found a block.
How to Obtain Accounting Rights (POW Proof of Work)#
By trying various random nonce values to solve the puzzle.
The consensus mechanism of Bitcoin relies on computational power to vote. We discussed the three properties of Bitcoin's hash function, among which the puzzle friendly property ensures that there are no shortcuts in the process of solving this puzzle; one can only try nonce values one by one.
Therefore, if one node has ten times the computational power of another node, its probability of obtaining accounting rights is also ten times that of the other node. Voting in Bitcoin is unique; it is not one person one vote, nor one computer one vote, but rather how many nonce values you can try per second. This is sometimes referred to as hash rate, which determines the weight of the vote; the higher the hash rate of your node, the greater the probability of obtaining accounting rights and receiving block rewards.
The POW proof of work in Bitcoin prevents Sybil attacks; voting is based on computational power, and even if many accounts are created, it does not enhance computational power.
The process of solving the puzzle in Bitcoin has no practical significance other than competing for computational power. Mining has become increasingly difficult due to the artificial reduction of block rewards; the scarcity of Bitcoin is artificially created. Although solving the puzzle itself has no practical significance, the mining process is crucial for maintaining the security of the Bitcoin system; Bitcoin is secured by mining. Mining provides an effective means of voting based on computational power; as long as most of the computational power is held by honest people, the security of the system can be guaranteed.
Will Miners Steal Answers During Mining?#
No. The published block contains a coinbase transaction, which has a recipient address that is the address of the miner who mined it. If A mined the block, it contains A's receiving address. If someone wants to steal the answer, they would have to change A's address to their own, and if the address changes, the content of the coinbase transaction would also change.
This would lead to a change in the root hash of the Merkle tree because this transaction is combined with other transactions in the block to form the Merkle tree. Any change in any part would change the root hash. Since the nonce is in the block header, and the root hash is also in the block header, once the content of the block header changes, the previously found nonce becomes invalid. Therefore, it is impossible to steal the answer because each miner's nonce is bound to their own receiving address.
Bernoulli Trial#
Bernoulli trial: a random experiment with binary outcome.
A Bernoulli trial is a single random experiment with only two possible outcomes.
Bernoulli process
A Bernoulli process is a sequence of independent Bernoulli trials.
The mining process can be viewed as a Bernoulli trial when trying a nonce; each random Bernoulli trial constitutes a Bernoulli process.
One of its properties is: memoryless. A property of the Bernoulli process is memoryless, meaning that after a large number of experiments, the previous results do not affect the subsequent ones.
The probability of successfully trying a nonce is very small, requiring a large number of experiments; at this point, a Poisson process can be used to replace the Bernoulli process.
Progress Free - Guaranteeing Fairness in Mining#
What we are really concerned about is the block generation time of the system. In probability theory, it can be derived that block time follows an exponential distribution.
The average block time of the entire system is 10 minutes, which is designed to maintain the average block time around 10 minutes by periodically adjusting the mining difficulty. Specifically for each miner, the time they can mine the next block depends on the percentage of their computational power in the total computational power of the system.
The exponential distribution is also memoryless, which guarantees fairness in mining.
The memoryless property of the exponential distribution means that the probability distribution curve has the characteristic that: if you cut it off from any point, the remaining part of the curve is the same as the original. For example: If it has been ten minutes and no one has found a valid block, how much longer do we need to wait? We still refer to the probability density function distribution, and on average, we still need to wait ten minutes. How long it will take to mine in the future has no relation to how long has been mined in the past. This process is also called: progress free.
A coordinate axis can be drawn, with the vertical axis representing probability density and the horizontal axis representing block time (the block time of the entire system, not the block time of each miner). Specifically for each miner, the time they can mine the next block depends on the percentage of their computational power in the total computational power of the system. If a person's computational power accounts for 1% of the total computational power of the system, then out of 100 blocks generated by the system, one block will be mined by that person.
If there is no progress free, what phenomenon will occur: miners with strong computational power will have a disproportionate advantage. Because miners with strong computational power have done more work in the past, the probability of success for subsequent nonces will increase after trying so many unsuccessful ones. Thus, progress free guarantees fairness in mining.
How Much Currency Can Be Created Out of Thin Air#
At the beginning, when Bitcoin was first launched, each published block could generate a block reward of 50 bitcoins.
In the Bitcoin system, a block is generated approximately every 10 minutes, and the Bitcoin protocol stipulates that after 210,000 blocks, the block reward will be halved to 25 BTC. After another 210,000 blocks, it will be halved again.
The block reward is halved approximately every four years, resulting in the total number of bitcoins produced forming a geometric series.
According to this calculation, there will be a maximum of 21 million bitcoins.
As of 2022, Bitcoin miners receive 6.25 bitcoins for successfully mining a block.
Security Analysis of Bitcoin#
The premise is that most of the computational power is held by honest people. Mining only provides a probabilistic guarantee; it can only be said that there is a relatively high probability that the next block will be published by an honest miner, but it cannot guarantee that accounting rights will not fall into the hands of malicious individuals.
If a malicious node obtains accounting rights, they may do the following:
1. Forge an Illegal Transaction#
For example, transferring money from someone else's account to their own. However, since they do not know the private key of others, it is illegal and will not pass verification. Therefore, other honest nodes will not recognize this block because it contains illegal transactions, and they will continue to extend the previous block. According to the longest valid chain, this block will not receive a block reward, wasting a lot of electricity and manpower, ultimately not receiving the block reward.
2. Double Spending#
By spending the money that has already been spent again. For example, M transfers money to A, M then publishes another transaction to transfer that money back to themselves (or someone else). In this case, there are two situations.
- The new block has been written to the blockchain - Forking attack to roll back the transaction
A malicious node needs to fork the blockchain, creating a new chain from a previous block. In this case, the attack is very difficult. A malicious node obtaining accounting rights once is not enough; they need to continuously obtain accounting rights because honest nodes only recognize the longest valid chain. For details, see selfish mining.
To prevent such attacks, it is necessary to wait for several blocks for confirmation; by default, 6 confirmations are required, at which point the previous transaction is considered immutable, and the waiting time is approximately around one hour.
- The transaction's block has not been written to the blockchain - Initiating multiple transactions in a short time
This situation is also called zero confirmation, which is very common in practical applications.
Each transaction contains a timestamp; in the Bitcoin protocol, by default, each node accepts the first transaction it receives. If the correct transaction is accepted first, subsequent duplicate transactions will not be accepted; otherwise, the recipient can directly refuse to acknowledge the transaction.
In fact, there is still some risk at this time because a malicious attacker's node has a very small probability of obtaining accounting rights; to be absolutely safe, one can wait for 6 confirmations (one hour).
3. Deliberately Not Writing Legitimate Transactions#
This is not a big problem; legitimate transactions can still be written to the next block, and there will always be honest nodes writing legitimate transactions.
In normal circumstances, there may also be legitimate transactions that are not written to the block because there may be too many transactions at a certain time. The Bitcoin protocol stipulates that each block has a size limit, and the block size cannot exceed 1MB, so if there are too many transactions, some transactions can only wait for the next block to be published.
4. Selfish Mining (Similar to 51% Power Attack)#
Under normal circumstances, if a block is mined, it will be published in a timely manner to avoid others mining and invalidating their block. However, in selfish mining, a malicious node mines a block but does not publish it, hiding a chain and waiting to publish it when it exceeds the longest valid chain.
This is a means of forking attack, but malicious nodes generally need more than 51% of the computational power, which is difficult to achieve.
If the goal is to earn more normal block rewards, not publishing immediately after mining means that others will continue mining the previous block, while they will continue mining along the block they have mined, reducing competition for that block. If they have already mined a second block, when others claim to have mined the first block, they can publish both together, becoming the longest valid chain. However, this approach is risky; when others mine the first block, they must have already mined the second; otherwise, when others publish the first block, they only have one, and at that point, it is an equal-length chain, and they can only compete, which may lead to losing the reward for the first block.
What Consensus Mechanism in the Bitcoin System Aims to Achieve#
Taking an example of a distributed hash table, in a distributed system with many servers, what consensus do these servers need to reach? It is the content of the hash table, which key-value pairs are included.
So the content of the decentralized ledger in Bitcoin is the consensus to be reached; only nodes that obtain accounting rights can write things into it.
Why Do People Compete for Accounting Rights?#
Why do people compete for accounting rights? First, nodes with accounting rights have certain powers to decide which transactions are written to the next block.
However, when designing this protocol, we should not let this become the main motivation for competing for accounting rights, because we hope that all legitimate transactions should be written into the blockchain. This leads to the concepts of block rewards and transaction fees.
Who Decides the Issuance of Currency?#
The coinbase transaction is the only way to issue new bitcoins in the Bitcoin system; this transaction does not need to specify the source of the coins, and subsequent transactions are based on the transfer of bitcoins.
The process of competing for accounting rights in Bitcoin is called mining. Therefore, nodes competing for accounting rights are called miners. If they obtain accounting rights, we say they have mined a block or found a block.
How to Obtain Accounting Rights (POW Proof of Work)#
By trying various random nonce values to solve the puzzle.
The consensus mechanism of Bitcoin relies on computational power to vote. We discussed the three properties of Bitcoin's hash function, among which the puzzle friendly property ensures that there are no shortcuts in the process of solving this puzzle; one can only try nonce values one by one.
Therefore, if one node has ten times the computational power of another node, its probability of obtaining accounting rights is also ten times that of the other node. Voting in Bitcoin is unique; it is not one person one vote, nor one computer one vote, but rather how many nonce values you can try per second. This is sometimes referred to as hash rate, which determines the weight of the vote; the higher the hash rate of your node, the greater the probability of obtaining accounting rights and receiving block rewards.
The POW proof of work in Bitcoin prevents Sybil attacks; voting is based on computational power, and even if many accounts are created, it does not enhance computational power.
The process of solving the puzzle in Bitcoin has no practical significance other than competing for computational power. Mining has become increasingly difficult due to the artificial reduction of block rewards; the scarcity of Bitcoin is artificially created. Although solving the puzzle itself has no practical significance, the mining process is crucial for maintaining the security of the Bitcoin system; Bitcoin is secured by mining. Mining provides an effective means of voting based on computational power; as long as most of the computational power is held by honest people, the security of the system can be guaranteed.
Will Miners Steal Answers During Mining?#
No. The published block contains a coinbase transaction, which has a recipient address that is the address of the miner who mined it. If A mined the block, it contains A's receiving address. If someone wants to steal the answer, they would have to change A's address to their own, and if the address changes, the content of the coinbase transaction would also change.
This would lead to a change in the root hash of the Merkle tree because this transaction is combined with other transactions in the block to form the Merkle tree. Any change in any part would change the root hash. Since the nonce is in the block header, and the root hash is also in the block header, once the content of the block header changes, the previously found nonce becomes invalid. Therefore, it is impossible to steal the answer because each miner's nonce is bound to their own receiving address.
Bernoulli Trial#
Bernoulli trial: a random experiment with binary outcome.
A Bernoulli trial is a single random experiment with only two possible outcomes.
Bernoulli process
A Bernoulli process is a sequence of independent Bernoulli trials.
The mining process can be viewed as a Bernoulli trial when trying a nonce; each random Bernoulli trial constitutes a Bernoulli process.
One of its properties is: memoryless. A property of the Bernoulli process is memoryless, meaning that after a large number of experiments, the previous results do not affect the subsequent ones.
The probability of successfully trying a nonce is very small, requiring a large number of experiments; at this point, a Poisson process can be used to replace the Bernoulli process.
Progress Free - Guaranteeing Fairness in Mining#
What we are really concerned about is the block generation time of the system. In probability theory, it can be derived that block time follows an exponential distribution.
The average block time of the entire system is 10 minutes, which is designed to maintain the average block time around 10 minutes by periodically adjusting the mining difficulty. Specifically for each miner, the time they can mine the next block depends on the percentage of their computational power in the total computational power of the system.
The exponential distribution is also memoryless, which guarantees fairness in mining.
The memoryless property of the exponential distribution means that the probability distribution curve has the characteristic that: if you cut it off from any point, the remaining part of the curve is the same as the original. For example: If it has been ten minutes and no one has found a valid block, how much longer do we need to wait? We still refer to the probability density function distribution, and on average, we still need to wait ten minutes. How long it will take to mine in the future has no relation to how long has been mined in the past. This process is also called: progress free.
A coordinate axis can be drawn, with the vertical axis representing probability density and the horizontal axis representing block time (the block time of the entire system, not the block time of each miner). Specifically for each miner, the time they can mine the next block depends on the percentage of their computational power in the total computational power of the system. If a person's computational power accounts for 1% of the total computational power of the system, then out of 100 blocks generated by the system, one block will be mined by that person.
If there is no progress free, what phenomenon will occur: miners with strong computational power will have a disproportionate advantage. Because miners with strong computational power have done more work in the past, the probability of success for subsequent nonces will increase after trying so many unsuccessful ones. Thus, progress free guarantees fairness in mining.
How Much Currency Can Be Created Out of Thin Air#
At the beginning, when Bitcoin was first launched, each published block could generate a block reward of 50 bitcoins.
In the Bitcoin system, a block is generated approximately every 10 minutes, and the Bitcoin protocol stipulates that after 210,000 blocks, the block reward will be halved to 25 BTC. After another 210,000 blocks, it will be halved again.
The block reward is halved approximately every four years, resulting in the total number of bitcoins produced forming a geometric series.
According to this calculation, there will be a maximum of 21 million bitcoins.
As of 2022, Bitcoin miners receive 6.25 bitcoins for successfully mining a block.
Security Analysis of Bitcoin#
The premise is that most of the computational power is held by honest people. Mining only provides a probabilistic guarantee; it can only be said that there is a relatively high probability that the next block will be published by an honest miner, but it cannot guarantee that accounting rights will not fall into the hands of malicious individuals.
If a malicious node obtains accounting rights, they may do the following:
1. Forge an Illegal Transaction#
For example, transferring money from someone else's account to their own. However, since they do not know the private key of others, it is illegal and will not pass verification. Therefore, other honest nodes will not recognize this block because it contains illegal transactions, and they will continue to extend the previous block. According to the longest valid chain, this block will not receive a block reward, wasting a lot of electricity and manpower, ultimately not receiving the block reward.
2. Double Spending#
By spending the money that has already been spent again. For example, M transfers money to A, M then publishes another transaction to transfer that money back to themselves (or someone else). In this case, there are two situations.
- The new block has been written to the blockchain - Forking attack to roll back the transaction
A malicious node needs to fork the blockchain, creating a new chain from a previous block. In this case, the attack is very difficult. A malicious node obtaining accounting rights once is not enough; they need to continuously obtain accounting rights because honest nodes only recognize the longest valid chain. For details, see selfish mining.
To prevent such attacks, it is necessary to wait for several blocks for confirmation; by default, 6 confirmations are required, at which point the previous transaction is considered immutable, and the waiting time is approximately around one hour.
- The transaction's block has not been written to the blockchain - Initiating multiple transactions in a short time
This situation is also called zero confirmation, which is very common in practical applications.
Each transaction contains a timestamp; in the Bitcoin protocol, by default, each node accepts the first transaction it receives. If the correct transaction is accepted first, subsequent duplicate transactions will not be accepted; otherwise, the recipient can directly refuse to acknowledge the transaction.
In fact, there is still some risk at this time because a malicious attacker's node has a very small probability of obtaining accounting rights; to be absolutely safe, one can wait for 6 confirmations (one hour).
3. Deliberately Not Writing Legitimate Transactions#
This is not a big problem; legitimate transactions can still be written to the next block, and there will always be honest nodes writing legitimate transactions.
In normal circumstances, there may also be legitimate transactions that are not written to the block because there may be too many transactions at a certain time. The Bitcoin protocol stipulates that each block has a size limit, and the block size cannot exceed 1MB, so if there are too many transactions, some transactions can only wait for the next block to be published.
4. Selfish Mining (Similar to 51% Power Attack)#
Under normal circumstances, if a block is mined, it will be published in a timely manner to avoid others mining and invalidating their block. However, in selfish mining, a malicious node mines a block but does not publish it, hiding a chain and waiting to publish it when it exceeds the longest valid chain.
This is a means of forking attack, but malicious nodes generally need more than 51% of the computational power, which is difficult to achieve.
If the goal is to earn more normal block rewards, not publishing immediately after mining means that others will continue mining the previous block, while they will continue mining along the block they have mined, reducing competition for that block. If they have already mined a second block, when others claim to have mined the first block, they can publish both together, becoming the longest valid chain. However, this approach is risky; when others mine the first block, they must have already mined the second; otherwise, when others publish the first block, they only have one, and at that point, it is an equal-length chain, and they can only compete, which may lead to losing the reward for the first block.
What Consensus Mechanism in the Bitcoin System Aims to Achieve#
Taking an example of a distributed hash table, in a distributed system with many servers, what consensus do these servers need to reach? It is the content of the hash table, which key-value pairs are included.
So the content of the decentralized ledger in Bitcoin is the consensus to be reached; only nodes that obtain accounting rights can write things into it.
Why Do People Compete for Accounting Rights?#
Why do people compete for accounting rights? First, nodes with accounting rights have certain powers to decide which transactions are written to the next block.
However, when designing this protocol, we should not let this become the main motivation for competing for accounting rights, because we hope that all legitimate transactions should be written into the blockchain. This leads to the concepts of block rewards and transaction fees.
Who Decides the Issuance of Currency?#
The coinbase transaction is the only way to issue new bitcoins in the Bitcoin system; this transaction does not need to specify the source of the coins, and subsequent transactions are based on the transfer of bitcoins.
The process of competing for accounting rights in Bitcoin is called mining. Therefore, nodes competing for accounting rights are called miners. If they obtain accounting rights, we say they have mined a block or found a block.
How to Obtain Accounting Rights (POW Proof of Work)#
By trying various random nonce values to solve the puzzle.
The consensus mechanism of Bitcoin relies on computational power to vote. We discussed the three properties of Bitcoin's hash function, among which the puzzle friendly property ensures that there are no shortcuts in the process of solving this puzzle; one can only try nonce values one by one.
Therefore, if one node has ten times the computational power of another node, its probability of obtaining accounting rights is also ten times that of the other node. Voting in Bitcoin is unique; it is not one person one vote, nor one computer one vote, but rather how many nonce values you can try per second. This is sometimes referred to as hash rate, which determines the weight of the vote; the higher the hash rate of your node, the greater the probability of obtaining accounting rights and receiving block rewards.
The POW proof of work in Bitcoin prevents Sybil attacks; voting is based on computational power, and even if many accounts are created, it does not enhance computational power.
The process of solving the puzzle in Bitcoin has no practical significance other than competing for computational power. Mining has become increasingly difficult due to the artificial reduction of block rewards; the scarcity of Bitcoin is artificially created. Although solving the puzzle itself has no practical significance, the mining process is crucial for maintaining the security of the Bitcoin system; Bitcoin is secured by mining. Mining provides an effective means of voting based on computational power; as long as most of the computational power is held by honest people, the security of the system can be guaranteed.
Will Miners Steal Answers During Mining?#
No. The published block contains a coinbase transaction, which has a recipient address that is the address of the miner who mined it. If A mined the block, it contains A's receiving address. If someone wants to steal the answer, they would have to change A's address to their own, and if the address changes, the content of the coinbase transaction would also change.
This would lead to a change in the root hash of the Merkle tree because this transaction is combined with other transactions in the block to form the Merkle tree. Any change in any part would change the root hash. Since the nonce is in the block header, and the root hash is also in the block header, once the content of the block header changes, the previously found nonce becomes invalid. Therefore, it is impossible to steal the answer because each miner's nonce is bound to their own receiving address.
Bernoulli Trial#
Bernoulli trial: a random experiment with binary outcome.
A Bernoulli trial is a single random experiment with only two possible outcomes.
Bernoulli process
A Bernoulli process is a sequence of independent Bernoulli trials.
The mining process can be viewed as a Bernoulli trial when trying a nonce; each random Bernoulli trial constitutes a Bernoulli process.
One of its properties is: memoryless. A property of the Bernoulli process is memoryless, meaning that after a large number of experiments, the previous results do not affect the subsequent ones.
The probability of successfully trying a nonce is very small, requiring a large number of experiments; at this point, a Poisson process can be used to replace the Bernoulli process.
Progress Free - Guaranteeing Fairness in Mining#
What we are really concerned about is the block generation time of the system. In probability theory, it can be derived that block time follows an exponential distribution.
The average block time of the entire system is 10 minutes, which is designed to maintain the average block time around 10 minutes by periodically adjusting the mining difficulty. Specifically for each miner, the time they can mine the next block depends on the percentage of their computational power in the total computational power of the system.
The exponential distribution is also memoryless, which guarantees fairness in mining.
The memoryless property of the exponential distribution means that the probability distribution curve has the characteristic that: if you cut it off from any point, the remaining part of the curve is the same as the original. For example: If it has been ten minutes and no one has found a valid block, how much longer do we need to wait? We still refer to the probability density function distribution, and on average, we still need to wait ten minutes. How long it will take to mine in the future has no relation to how long has been mined in the past. This process is also called: progress free.
A coordinate axis can be drawn, with the vertical axis representing probability density and the horizontal axis representing block time (the block time of the entire system, not the block time of each miner). Specifically for each miner, the time they can mine the next block depends on the percentage of their computational power in the total computational power of the system. If a person's computational power accounts for 1% of the total computational power of the system, then out of 100 blocks generated by the system, one block will be mined by that person.
If there is no progress free, what phenomenon will occur: miners with strong computational power will have a disproportionate advantage. Because miners with strong computational power have done more work in the past, the probability of success for subsequent nonces will increase after trying so many unsuccessful ones. Thus, progress free guarantees fairness in mining.
How Much Currency Can Be Created Out of Thin Air#
At the beginning, when Bitcoin was first launched, each published block could generate a block reward of 50 bitcoins.
In the Bitcoin system, a block is generated approximately every 10 minutes, and the Bitcoin protocol stipulates that after 210,000 blocks, the block reward will be halved to 25 BTC. After another 210,000 blocks, it will be halved again.
The block reward is halved approximately every four years, resulting in the total number of bitcoins produced forming a geometric series.
According to this calculation, there will be a maximum of 21 million bitcoins.
As of 2022, Bitcoin miners receive 6.25 bitcoins for successfully mining a block.
Security Analysis of Bitcoin#
The premise is that most of the computational power is held by honest people. Mining only provides a probabilistic guarantee; it can only be said that there is a relatively high probability that the next block will be published by an honest miner, but it cannot guarantee that accounting rights will not fall into the hands of malicious individuals.
If a malicious node obtains accounting rights, they may do the following:
1. Forge an Illegal Transaction#
For example, transferring money from someone else's account to their own. However, since they do not know the private key of others, it is illegal and will not pass verification. Therefore, other honest nodes will not recognize this block because it contains illegal transactions, and they will continue to extend the previous block. According to the longest valid chain, this block will not receive a block reward, wasting a lot of electricity and manpower, ultimately not receiving the block reward.
2. Double Spending#
By spending the money that has already been spent again. For example, M transfers money to A, M then publishes another transaction to transfer that money back to themselves (or someone else). In this case, there are two situations.
- The new block has been written to the blockchain - Forking attack to roll back the transaction
A malicious node needs to fork the blockchain, creating a new chain from a previous block. In this case, the attack is very difficult. A malicious node obtaining accounting rights once is not enough; they need to continuously obtain accounting rights because honest nodes only recognize the longest valid chain. For details, see selfish mining.
To prevent such attacks, it is necessary to wait for several blocks for confirmation; by default, 6 confirmations are required, at which point the previous transaction is considered immutable, and the waiting time is approximately around one hour.
- The transaction's block has not been written to the blockchain - Initiating multiple transactions in a short time
This situation is also called zero confirmation, which is very common in practical applications.
Each transaction contains a timestamp; in the Bitcoin protocol, by default, each node accepts the first transaction it receives. If the correct transaction is accepted first, subsequent duplicate transactions will not be accepted; otherwise, the recipient can directly refuse to acknowledge the transaction.
In fact, there is still some risk at this time because a malicious attacker's node has a very small probability of obtaining accounting rights; to be absolutely safe, one can wait for 6 confirmations (one hour).
3. Deliberately Not Writing Legitimate Transactions#
This is not a big problem; legitimate transactions can still be written to the next block, and there will always be honest nodes writing legitimate transactions.
In normal circumstances, there may also be legitimate transactions that are not written to the block because there may be too many transactions at a certain time. The Bitcoin protocol stipulates that each block has a size limit, and the block size cannot exceed 1MB, so if there are too many transactions, some transactions can only wait for the next block to be published.
4. Selfish Mining (Similar to 51% Power Attack)#
Under normal circumstances, if a block is mined, it will be published in a timely manner to avoid others mining and invalidating their block. However, in selfish mining, a malicious node mines a block but does not publish it, hiding a chain and waiting to publish it when it exceeds the longest valid chain.
This is a means of forking attack, but malicious nodes generally need more than 51% of the computational power, which is difficult to achieve.
If the goal is to earn more normal block rewards, not publishing immediately after mining means that others will continue mining the previous block, while they will continue mining along the block they have mined, reducing competition for that block. If they have already mined a second block, when others claim to have mined the first block, they can publish both together, becoming the longest valid chain. However, this approach is risky; when others mine the first block, they must have already mined the second; otherwise, when others publish the first block, they only have one, and at that point, it is an equal-length chain, and they can only compete, which may lead to losing the reward for the first block.
What Consensus Mechanism in the Bitcoin System Aims to Achieve#
Taking an example of a distributed hash table, in a distributed system with many servers, what consensus do these servers need to reach? It is the content of the hash table, which key-value pairs are included.
So the content of the decentralized ledger in Bitcoin is the consensus to be reached; only nodes that obtain accounting rights can write things into it.
Why Do People Compete for Accounting Rights?#
Why do people compete for accounting rights? First, nodes with accounting rights have certain powers to decide which transactions are written to the next block.
However, when designing this protocol, we should not let this become the main motivation for competing for accounting rights, because we hope that all legitimate transactions should be written into the blockchain. This leads to the concepts of block rewards and transaction fees.
Who Decides the Issuance of Currency?#
The coinbase transaction is the only way to issue new bitcoins in the Bitcoin system; this transaction does not need to specify the source of the coins, and subsequent transactions are based on the transfer of bitcoins.
The process of competing for accounting rights in Bitcoin is called mining. Therefore, nodes competing for accounting rights are called miners. If they obtain accounting rights, we say they have mined a block or found a block.
How to Obtain Accounting Rights (POW Proof of Work)#
By trying various random nonce values to solve the puzzle.
The consensus mechanism of Bitcoin relies on computational power to vote. We discussed the three properties of Bitcoin's hash function, among which the puzzle friendly property ensures that there are no shortcuts in the process of solving this puzzle; one can only try nonce values one by one.
Therefore, if one node has ten times the computational power of another node, its probability of obtaining accounting rights is also ten times that of the other node. Voting in Bitcoin is unique; it is not one person one vote, nor one computer one vote, but rather how many nonce values you can try per second. This is sometimes referred to as hash rate, which determines the weight of the vote; the higher the hash rate of your node, the greater the probability of obtaining accounting rights and receiving block rewards.
The POW proof of work in Bitcoin prevents Sybil attacks; voting is based on computational power, and even if many accounts are created, it does not enhance computational power.
The process of solving the puzzle in Bitcoin has no practical significance other than competing for computational power. Mining has become increasingly difficult due to the artificial reduction of block rewards; the scarcity of Bitcoin is artificially created. Although solving the puzzle itself has no practical significance, the mining process is crucial for maintaining the security of the Bitcoin system; Bitcoin is secured by mining. Mining provides an effective means of voting based on computational power; as long as most of the computational power is held by honest people, the security of the system can be guaranteed.
Will Miners Steal Answers During Mining?#
No. The published block contains a coinbase transaction, which has a recipient address that is the address of the miner who mined it. If A mined the block, it contains A's receiving address. If someone wants to steal the answer, they would have to change A's address to their own, and if the address changes, the content of the coinbase transaction would also change.
This would lead to a change in the root hash of the Merkle tree because this transaction is combined with other transactions in the block to form the Merkle tree. Any change in any part would change the root hash. Since the nonce is in the block header, and the root hash is also in the block header, once the content of the block header changes, the previously found nonce becomes invalid. Therefore, it is impossible to steal the answer because each miner's nonce is bound to their own receiving address.
Bernoulli Trial#
Bernoulli trial: a random experiment with binary outcome.
A Bernoulli trial is a single random experiment with only two possible outcomes.
Bernoulli process
A Bernoulli process is a sequence of independent Bernoulli trials.
The mining process can be viewed as a Bernoulli trial when trying a nonce; each random Bernoulli trial constitutes a Bernoulli process.
One of its properties is: memoryless. A property of the Bernoulli process is memoryless, meaning that after a large number of experiments, the previous results do not affect the subsequent ones.
The probability of successfully trying a nonce is very small, requiring a large number of experiments; at this point, a Poisson process can be used to replace the Bernoulli process.
Progress Free - Guaranteeing Fairness in Mining#
What we are really concerned about is the block generation time of the system. In probability theory, it can be derived that block time follows an exponential distribution.
The average block time of the entire system is 10 minutes, which is designed to maintain the average block time around 10 minutes by periodically adjusting the mining difficulty. Specifically for each miner, the time they can mine the next block depends on the percentage of their computational power in the total computational power of the system.
The exponential distribution is also memoryless, which guarantees fairness in mining.
The memoryless property of the exponential distribution means that the probability distribution curve has the characteristic that: if you cut it off from any point, the remaining part of the curve is the same as the original. For example: If it has been ten minutes and no one has found a valid block, how much longer do we need to wait? We still refer to the probability density function distribution, and on average, we still need to wait ten minutes. How long it will take to mine in the future has no relation to how long has been mined in the past. This process is also called: progress free.
A coordinate axis can be drawn, with the vertical axis representing probability density and the horizontal axis representing block time (the block time of the entire system, not the block time of each miner). Specifically for each miner, the time they can mine the next block depends on the percentage of their computational power in the total computational power of the system. If a person's computational power accounts for 1% of the total computational power of the system, then out of 100 blocks generated by the system, one block will be mined by that person.
If there is no progress free, what phenomenon will occur: miners with strong computational power will have a disproportionate advantage. Because miners with strong computational power have done more work in the past, the probability of success for subsequent nonces will increase after trying so many unsuccessful ones. Thus, progress free guarantees fairness in mining.
How Much Currency Can Be Created Out of Thin Air#
At the beginning, when Bitcoin was first launched, each published block could generate a block reward of 50 bitcoins.
In the Bitcoin system, a block is generated approximately every 10 minutes, and the Bitcoin protocol stipulates that after 210,000 blocks, the block reward will be halved to 25 BTC. After another 210,000 blocks, it will be halved again.
The block reward is halved approximately every four years, resulting in the total number of bitcoins produced forming a geometric series.
According to this calculation, there will be a maximum of 21 million bitcoins.
As of 2022, Bitcoin miners receive 6.25 bitcoins for successfully mining a block.
Security Analysis of Bitcoin#
The premise is that most of the computational power is held by honest people. Mining only provides a probabilistic guarantee; it can only be said that there is a relatively high probability that the next block will be published by an honest miner, but it cannot guarantee that accounting rights will not fall into the hands of malicious individuals.
If a malicious node obtains accounting rights, they may do the following:
1. Forge an Illegal Transaction#
For example, transferring money from someone else's account to their own. However, since they do not know the private key of others, it is illegal and will not pass verification. Therefore, other honest nodes will not recognize this block because it contains illegal transactions, and they will continue to extend the previous block. According to the longest valid chain, this block will not receive a block reward, wasting a lot of electricity and manpower, ultimately not receiving the block reward.
2. Double Spending#
By spending the money that has already been spent again. For example, M transfers money to A, M then publishes another transaction to transfer that money back to themselves (or someone else). In this case, there are two situations.
- The new block has been written to the blockchain - Forking attack to roll back the transaction
A malicious node needs to fork the blockchain, creating a new chain from a previous block. In this case, the attack is very difficult. A malicious node obtaining accounting rights once is not enough; they need to continuously obtain accounting rights because honest nodes only recognize the longest valid chain. For details, see selfish mining.
To prevent such attacks, it is necessary to wait for several blocks for confirmation; by default, 6 confirmations are required, at which point the previous transaction is considered immutable, and the waiting time is approximately around one hour.
- The transaction's block has not been written to the blockchain - Initiating multiple transactions in a short time
This situation is also called zero confirmation, which is very common in practical applications.
Each transaction contains a timestamp; in the Bitcoin protocol, by default, each node accepts the first transaction it receives. If the correct transaction is accepted first, subsequent duplicate transactions will not be accepted; otherwise, the recipient can directly refuse to acknowledge the transaction.
In fact, there is still some risk at this time because a malicious attacker's node has a very small probability of obtaining accounting rights; to be absolutely safe, one can wait for 6 confirmations (one hour).
3. Deliberately Not Writing Legitimate Transactions#
This is not a big problem; legitimate transactions can still be written to the next block, and there will always be honest nodes writing legitimate transactions.
In normal circumstances, there may also be legitimate transactions that are not written to the block because there may be too many transactions at a certain time. The Bitcoin protocol stipulates that each block has a size limit, and the block size cannot exceed 1MB, so if there are too many transactions, some transactions can only wait for the next block to be published.
4. Selfish Mining (Similar to 51% Power Attack)#
Under normal circumstances, if a block is mined, it will be published in a timely manner to avoid others mining and invalidating their block. However, in selfish mining, a malicious node mines a block but does not publish it, hiding a chain and waiting to publish it when it exceeds the longest valid chain.
This is a means of forking attack, but malicious nodes generally need more than 51% of the computational power, which is difficult to achieve.
If the goal is to earn more normal block rewards, not publishing immediately after mining means that others will continue mining the previous block, while they will continue mining along the block they have mined, reducing competition for that block. If they have already mined a second block, when others claim to have mined the first block, they can publish both together, becoming the longest valid chain. However, this approach is risky; when others mine the first block, they must have already mined the second; otherwise, when others publish the first block, they only have one, and at that point, it is an equal-length chain, and they can only compete, which may lead to losing the reward for the first block.
What Consensus Mechanism in the Bitcoin System Aims to Achieve#
Taking an example of a distributed hash table, in a distributed system with many servers, what consensus do these servers need to reach? It is the content of the hash table, which key-value pairs are included.
So the content of the decentralized ledger in Bitcoin is the consensus to be reached; only nodes that obtain accounting rights can write things into it.
Why Do People Compete for Accounting Rights?#
Why do people compete for accounting rights? First, nodes with accounting rights have certain powers to decide which transactions are written to the next block.
However, when designing this protocol, we should not let this become the main motivation for competing for accounting rights, because we hope that all legitimate transactions should be written into the blockchain. This leads to the concepts of block rewards and transaction fees.
Who Decides the Issuance of Currency?#
The coinbase transaction is the only way to issue new bitcoins in the Bitcoin system; this transaction does not need to specify the source of the coins, and subsequent transactions are based on the transfer of bitcoins.
The process of competing for accounting rights in Bitcoin is called mining. Therefore, nodes competing for accounting rights are called miners. If they obtain accounting rights, we say they have mined a block or found a block.
How to Obtain Accounting Rights (POW Proof of Work)#
By trying various random nonce values to solve the puzzle.
The consensus mechanism of Bitcoin relies on computational power to vote. We discussed the three properties of Bitcoin's hash function, among which the puzzle friendly property ensures that there are no shortcuts in the process of solving this puzzle; one can only try nonce values one by one.
Therefore, if one node has ten times the computational power of another node, its probability of obtaining accounting rights is also ten times that of the other node. Voting in Bitcoin is unique; it is not one person one vote, nor one computer one vote, but rather how many nonce values you can try per second. This is sometimes referred to as hash rate, which determines the weight of the vote; the higher the hash rate of your node, the greater the probability of obtaining accounting rights and receiving block rewards.
The POW proof of work in Bitcoin prevents Sybil attacks; voting is based on computational power, and even if many accounts are created, it does not enhance computational power.
The process of solving the puzzle in Bitcoin has no practical significance other than competing for computational power. Mining has become increasingly difficult due to the artificial reduction of block rewards; the scarcity of Bitcoin is artificially created. Although solving the puzzle itself has no practical significance, the mining process is crucial for maintaining the security of the Bitcoin system; Bitcoin is secured by mining. Mining provides an effective means of voting based on computational power; as long as most of the computational power is held by honest people, the security of the system can be guaranteed.
Will Miners Steal Answers During Mining?#
No. The published block contains a coinbase transaction, which has a recipient address that is the address of the miner who mined it. If A mined the block, it contains A's receiving address. If someone wants to steal the answer, they would have to change A's address to their own, and if the address changes, the content of the coinbase transaction would also change.
This would lead to a change in the root hash of the Merkle tree because this transaction is combined with other transactions in the block to form the Merkle tree. Any change in any part would change the root hash. Since the nonce is in the block header, and the root hash is also in the block header, once the content of the block header changes, the previously found nonce becomes invalid. Therefore, it is impossible to steal the answer because each miner's nonce is bound to their own receiving address.
Bernoulli Trial#
Bernoulli trial: a random experiment with binary outcome.
A Bernoulli trial is a single random experiment with only two possible outcomes.
Bernoulli process
A Bernoulli process is a sequence of independent Bernoulli trials.
The mining process can be viewed as a Bernoulli trial when trying a nonce; each random Bernoulli trial constitutes a Bernoulli process.
One of its properties is: memoryless. A property of the Bernoulli process is memoryless, meaning that after a large number of experiments, the previous results do not affect the subsequent ones.
The probability of successfully trying a nonce is very small, requiring a large number of experiments; at this point, a Poisson process can be used to replace the Bernoulli process.
Progress Free - Guaranteeing Fairness in Mining#
What we are really concerned about is the block generation time of the system. In probability theory, it can be derived that block time follows an exponential distribution.
The average block time of the entire system is 10 minutes, which is designed to maintain the average block time around 10 minutes by periodically adjusting the mining difficulty. Specifically for each miner, the time they can mine the next block depends on the percentage of their computational power in the total computational power of the system.
The exponential distribution is also memoryless, which guarantees fairness in mining.
The memoryless property of the exponential distribution means that the probability distribution curve has the characteristic that: if you cut it off from any point, the remaining part of the curve is the same as the original. For example: If it has been ten minutes and no one has found a valid block, how much longer do we need to wait? We still refer to the probability density function distribution, and on average, we still need to wait ten minutes. How long it will take to mine in the future has no relation to how long has been mined in the past. This process is also called: progress free.
A coordinate axis can be drawn, with the vertical axis representing probability density and the horizontal axis representing block time (the block time of the entire system, not the block time of each miner). Specifically for each miner, the time they can mine the next block depends on the percentage of their computational power in the total computational power of the system. If a person's computational power accounts for 1% of the total computational power of the system, then out of 100 blocks generated by the system, one block will be mined by that person.
If there is no progress free, what phenomenon will occur: miners with strong computational power will have a disproportionate advantage. Because miners with strong computational power have done more work in the past, the probability of success for subsequent nonces will increase after trying so many unsuccessful ones. Thus, progress free guarantees fairness in mining.
How Much Currency Can Be Created Out of Thin Air#
At the beginning, when Bitcoin was first launched, each published block could generate a block reward of 50 bitcoins.
In the Bitcoin system, a block is generated approximately every 10 minutes, and the Bitcoin protocol stipulates that after 210,000 blocks, the block reward will be halved to 25 BTC. After another 210,000 blocks, it will be halved again.
The block reward is halved approximately every four years, resulting in the total number of bitcoins produced forming a geometric series.
According to this calculation, there will be a maximum of 21 million bitcoins.
As of 2022, Bitcoin miners receive 6.25 bitcoins for successfully mining a block.
Security Analysis of Bitcoin#
The premise is that most of the computational power is held by honest people. Mining only provides a probabilistic guarantee; it can only be said that there is a relatively high probability that the next block will be published by an honest miner, but it cannot guarantee that accounting rights will not fall into the hands of malicious individuals.
If a malicious node obtains accounting rights, they may do the following:
1. Forge an Illegal Transaction#
For example, transferring money from someone else's account to their own. However, since they do not know the private key of others, it is illegal and will not pass verification. Therefore, other honest nodes will not recognize this block because it contains illegal transactions, and they will continue to extend the previous block. According to the longest valid chain, this block will not receive a block reward, wasting a lot of electricity and manpower, ultimately not receiving the block reward.
2. Double Spending#
By spending the money that has already been spent again. For example, M transfers money to A, M then publishes another transaction to transfer that money back to themselves (or someone else). In this case, there are two situations.
- The new block has been written to the blockchain - Forking attack to roll back the transaction
A malicious node needs to fork the blockchain, creating a new chain from a previous block. In this case, the attack is very difficult. A malicious node obtaining accounting rights once is not enough; they need to continuously obtain accounting rights because honest nodes only recognize the longest valid chain. For details, see selfish mining.
To prevent such attacks, it is necessary to wait for several blocks for confirmation; by default, 6 confirmations are required, at which point the previous transaction is considered immutable, and the waiting time is approximately around one hour.
- The transaction's block has not been written to the blockchain - Initiating multiple transactions in a short time
This situation is also called zero confirmation, which is very common in practical applications.
Each transaction contains a timestamp; in the Bitcoin protocol, by default, each node accepts the first transaction it receives. If the correct transaction is accepted first, subsequent duplicate transactions will not be accepted; otherwise, the recipient can directly refuse to acknowledge the transaction.
In fact, there is still some risk at this time because a malicious attacker's node has a very small probability of obtaining accounting rights; to be absolutely safe, one can wait for 6 confirmations (one hour).
3. Deliberately Not Writing Legitimate Transactions#
This is not a big problem; legitimate transactions can still be written to the next block, and there will always be honest nodes writing legitimate transactions.
In normal circumstances, there may also be legitimate transactions that are not written to the block because there may be too many transactions at a certain time. The Bitcoin protocol stipulates that each block has a size limit, and the block size cannot exceed 1MB, so if there are too many transactions, some transactions can only wait for the next block to be published.
4. Selfish Mining (Similar to 51% Power Attack)#
Under normal circumstances, if a block is mined, it will be published in a timely manner to avoid others mining and invalidating their block. However, in selfish mining, a malicious node mines a block but does not publish it, hiding a chain and waiting to publish it when it exceeds the longest valid chain.
This is a means of forking attack, but malicious nodes generally need more than 51% of the computational power, which is difficult to achieve.
If the goal is to earn more normal block rewards, not publishing immediately after mining means that others will continue mining the previous block, while they will continue mining along the block they have mined, reducing competition for that block. If they have already mined a second block, when others claim to have mined the first block, they can publish both together, becoming the longest valid chain. However, this approach is risky; when others mine the first block, they must have already mined the second; otherwise, when others publish the first block, they only have one, and at that point, it is an equal-length chain, and they can only compete, which may lead to losing the reward for the first block.
What Consensus Mechanism in the Bitcoin System Aims to Achieve#
Taking an example of a distributed hash table, in a distributed system with many servers, what consensus do these servers need to reach? It is the content of the hash table, which key-value pairs are included.
So the content of the decentralized ledger in Bitcoin is the consensus to be reached; only nodes that obtain accounting rights can write things into it.
Why Do People Compete for Accounting Rights?#
Why do people compete for accounting rights? First, nodes with accounting rights have certain powers to decide which transactions are written to the next block.
However, when designing this protocol, we should not let this become the main motivation for competing for accounting rights, because we hope that all legitimate transactions should be written into the blockchain. This leads to the concepts of block rewards and transaction fees.
Who Decides the Issuance of Currency?#
The coinbase transaction is the only way to issue new bitcoins in the Bitcoin system; this transaction does not need to specify the source of the coins, and subsequent transactions are based on the transfer of bitcoins.
The process of competing for accounting rights in Bitcoin is called mining. Therefore, nodes competing for accounting rights are called miners. If they obtain accounting rights, we say they have mined a block or found a block.
How to Obtain Accounting Rights (POW Proof of Work)#
By trying various random nonce values to solve the puzzle.
The consensus mechanism of Bitcoin relies on computational power to vote. We discussed the three properties of Bitcoin's hash function, among which the puzzle friendly property ensures that there are no shortcuts in the process of solving this puzzle; one can only try nonce values one by one.
Therefore, if one node has ten times the computational power of another node, its probability of obtaining accounting rights is also ten times that of the other node. Voting in Bitcoin is unique; it is not one person one vote, nor one computer one vote, but rather how many nonce values you can try per second. This is sometimes referred to as hash rate, which determines the weight of the vote; the higher the hash rate of your node, the greater the probability of obtaining accounting rights and receiving block rewards.
The POW proof of work in Bitcoin prevents Sybil attacks; voting is based on computational power, and even if many accounts are created, it does not enhance computational power.
The process of solving the puzzle in Bitcoin has no practical significance other than competing for computational power. Mining has become increasingly difficult due to the artificial reduction of block rewards; the scarcity of Bitcoin is artificially created. Although solving the puzzle itself has no practical significance, the mining process is crucial for maintaining the security of the Bitcoin system; Bitcoin is secured by mining. Mining provides an effective means of voting based on computational power; as long as most of the computational power is held by honest people, the security of the system can be guaranteed.
Will Miners Steal Answers During Mining?#
No. The published block contains a coinbase transaction, which has a recipient address that is the address of the miner who mined it. If A mined the block, it contains A's receiving address. If someone wants to steal the answer, they would have to change A's address to their own, and if the address changes, the content of the coinbase transaction would also change.
This would lead to a change in the root hash of the Merkle tree because this transaction is combined with other transactions in the block to form the Merkle tree. Any change in any part would change the root hash. Since the nonce is in the block header, and the root hash is also in the block header, once the content of the block header changes, the previously found nonce becomes invalid. Therefore, it is impossible to steal the answer because each miner's nonce is bound to their own receiving address.
Bernoulli Trial#
Bernoulli trial: a random experiment with binary outcome.
A Bernoulli trial is a single random experiment with only two possible outcomes.
Bernoulli process
A Bernoulli process is a sequence of independent Bernoulli trials.
The mining process can be viewed as a Bernoulli trial when trying a nonce; each random Bernoulli trial constitutes a Bernoulli process.
One of its properties is: memoryless. A property of the Bernoulli process is memoryless, meaning that after a large number of experiments, the previous results do not affect the subsequent ones.
The probability of successfully trying a nonce is very small, requiring a large number of experiments; at this point, a Poisson process can be used to replace the Bernoulli process.
Progress Free - Guaranteeing Fairness in Mining#
What we are really concerned about is the block generation time of the system. In probability theory, it can be derived that block time follows an exponential distribution.
The average block time of the entire system is 10 minutes, which is designed to maintain the average block time around 10 minutes by periodically adjusting the mining difficulty. Specifically for each miner, the time they can mine the next block depends on the percentage of their computational power in the total computational power of the system.
**The exponential