Pick a nonce and try a hash

Donald MacKenzie on bitcoin

Every time a bitcoin ‘miner’ is successful they create for themselves 12.5 new bitcoins, currently worth around $60,000. If they don’t succeed, they can have another go roughly ten minutes later – all day, every day. It isn’t surprising, therefore, that despite the sharp fall in bitcoin’s dollar price in 2018 there is still a lot of mining going on. You can try mining on your laptop, but don’t get your hopes up. Nowadays, to have a serious chance of winning the prize you need a specialised computer system – ideally, hundreds or thousands of computers, linked together in a network. The world’s largest ‘mine’, run by a subsidiary of the Chinese company Bitmain in the high desert of Inner Mongolia, has more than twenty thousand machines.

Bitcoin mining uses a lot of electricity. Each individual machine consumes about two kilowatts, around the same as a domestic electric heater. It’s a big headache to keep a warehouse packed with thousands of machines cool enough to stop them breaking down. A paper in the energy research magazine Joule in May 2018 estimated that bitcoin mining globally was consuming at least 2.5 gigawatts, almost as much as the country of Ireland in its entirety, implying that each individual bitcoin transaction required, on average, between two hundred and three hundred kilowatt hours of electricity. That’s equivalent to leaving a heater running full-blast for four days or more. Given that most bitcoin transactions are tiny by the standards of global finance, it’s strikingly profligate.

Mining was the way bitcoin’s original designer, the unknown figure who goes by the name Satoshi Nakamoto, sought to solve the basic problem of any electronic currency: how to make sure that a user doesn’t spend the same unit of currency more than once.[1] Since the vast majority of pounds, dollars and euros are also now electronic, the problem isn’t unique to bitcoin. The way it is usually solved is by keeping a centralised record of transactions, with tight controls over who can amend or add to the record. That, for example, is how your bank does it.

Satoshi didn’t want to do it that way. Even though we don’t know the designer’s real identity (they might, perhaps, be a group of people, not a single individual), it is clear from the paper that originally proposed bitcoin in 2008, and from the emails in which Satoshi discussed it, that he was familiar with – and may have been part of – a strand of thinking in computer science that combined technical sophistication with fears about the invasion of privacy and a libertarian distrust of centralised authority. Bitcoin isn’t a company; it isn’t even an organisation in any full sense. It is a software system. Satoshi seems to have done all the initial programming. The system was then refined by other programmers, many of whom worked on the same voluntary basis as, for example, those who contribute to and police Wikipedia. Those programmers seemed – and many of them still seem – strongly committed to Satoshi’s vision. A decade later, the central features of the bitcoin system remain almost entirely unchanged.

Satoshi’s original paper had the title ‘Bitcoin: A Peer-to-Peer Electronic Cash System’. ‘Peer-to-peer’ wasn’t just a libertarian aspiration: it described a particular type of technical configuration. In conventional electronic banking, your laptop or mobile phone acts as an electronic ‘client’ interacting with a central server operated by your bank. In a peer-to-peer network, by contrast, each user’s machine can be both client and server. The attractiveness of a peer-to-peer configuration had been boosted by the failure, in 1998, of an earlier form of electronic money, eCash, developed by the computer scientist David Chaum. When Chaum’s firm, which ran the system in a centralised fashion, went bankrupt, it took eCash down with it.

With bitcoin, there is no central computer, and therefore no single point of failure, but there isn’t a central record either. How, then, does a decentralised, peer-to-peer network of computers build a single, agreed record of transactions? After all, anyone can join bitcoin, and it is to be expected that some participants will be thieves or fraudsters. Mining was Satoshi’s brilliant solution to this difficult problem.[2] The software system offers the prospect of rewards, in the form of bitcoin, as an incentive to users to have their computers continuously check the validity of bitcoin transactions, pack them into an evolving public record of every bitcoin transaction that has ever taken place, and check other users’ additions to the record. That record is bitcoin’s ‘blockchain’.

With an agreed record – a single version of history – in place, checking the validity of a transaction is straightforward. When you join bitcoin, you use its software to generate for yourself an anonymous electronic address, along with a ‘private key’, which is a long string of binary digits that your computer uses electronically to sign a transaction, and an associated ‘public key’ that others can use to check the validity of that electronic signature. (You can generate as many different anonymous addresses as you like, each with its own equally anonymous digital key.) If you want to send an amount of bitcoin from one of these addresses, the blockchain must contain an earlier transaction in which the address received at least that amount, and no transaction in which it has already been spent. A bitcoin is not a discrete thing – not even an electronic thing – that you own. It’s simply a chain of transactions, always leading back either to the ‘genesis block’ of fifty bitcoins mined by Satoshi in January 2009 or to subsequent instances of successful mining.

When a bitcoin user initiates a transaction, their computer system dispatches a message embodying the transaction to other computers in the bitcoin network. Those systems retransmit the message, and eventually it reaches all or nearly all of the network. (Because there’s no central server, there is no way of broadcasting a message directly to the entire network.) A miner’s computers gather these messages together into a block of around two thousand transactions, ‘hashing’ them as they go. Hashing is what miners’ computers spend most of their time doing, and how they do it explains bitcoin’s chief technical achievement – a near-immutable, fully consensual record without a central record-keeper – and its alarming electricity consumption. A hashing algorithm takes a message, scrambles it thoroughly, and condenses it into a relatively short, fixed-length form called a ‘digest’. The algorithm used by bitcoin is known as SHA-256, one of a family of ‘secure hash algorithms’ based on research conducted by the US National Security Agency. The ‘256’ refers to the number of binary digits in the digest.

It may well give you pause to learn that a crucial technical component of bitcoin was devised by an intelligence agency renowned as one of the world’s premier code-breakers. As far as I can see, though, there are no grounds for worrying that the NSA has built a subtle flaw into SHA-256: a hidden short cut that would let it work back from a digest to the message that produced it, or manufacture two different messages with the same digest. (A hash is not an encrypted message, so there is nothing to ‘decrypt’; the danger would be a short cut of that kind.) The algorithm was made public by the US National Institute of Standards and Technology, and the steps in it are simple enough that a ‘back door’ of this kind would be hard to conceal. It would in any case have been foolish to insert a back door into cryptographic techniques that were going to be used widely in the civilian world. Those techniques are central to everyday electronic commerce and to the global financial system. If the bad guys discovered the back door, chaos would ensue.

The standard written form of an SHA-256 hash is not a long string of binary digits but a sequence of 64 hexadecimal characters, each of them either a decimal digit or one of the first six letters of the alphabet, and each standing for four binary digits. Here is the hash – the ‘digest’ – of The Waste Land:[3]

b7529e2290b3f69ecee705055c19e5d6891a1409aa02f0f3e5545a625bcace66

For a modern digital computer SHA-256 hashing is a very straightforward operation. Crucially, though, it isn’t ‘invertible’: even with all the computer power in the world, it would take you aeons to work back to the original message from the digest produced by a well-designed hash function.

Hashing has another important property. Change a single letter in The Waste Land, for example by altering ‘Starnbergersee’ to ‘Stirnbergersee’, and you’ll find that the new hash is completely different. In this case, it becomes:

aa652e3ba70b42d129330e8c692f3b4f3f4ea1ac925526569dfa8739b1c082a9

That extreme sensitivity to the tiniest detail of the input makes hashing an excellent technique for building a permanent record of transactions. When bitcoin miners hash the current block of transactions, they also incorporate the hash of the previous block, which in its turn includes the hash that came before it, and so on all the way back in time to Satoshi’s ‘genesis block’. Suppose just one aspect of a single transaction is altered (perhaps several years ago someone received one bitcoin and now tries to alter that to ten bitcoins). It isn’t just the hash of the old block that would completely change. The hash of every subsequent block would too, making it clear that the blockchain had been tampered with.
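The two properties just described, the avalanche effect and the way a change in one block breaks every link after it, can be watched on a toy ledger. The code below is an added example, not bitcoin’s own code: real bitcoin hashes an 80-byte block header (carrying a Merkle root of the transactions) with SHA-256 applied twice, whereas here each block’s JSON serialisation is hashed once, which is enough to show the point. The sample transactions are constructed.

```python
import copy
import hashlib
import json

# Added example of hash chaining; not bitcoin's own code. Each toy block
# carries a few transactions and the hash of its predecessor.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def block_hash(prev_hash: str, transactions: list) -> str:
    # Canonical serialisation: identical content always yields an identical digest.
    payload = json.dumps({"prev": prev_hash, "txs": transactions},
                         sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(payload)

GENESIS_PREV = "0" * 64   # stands in for the (non-existent) predecessor of the genesis block

def build_chain(blocks_of_txs: list) -> list:
    """Return a list of {prev, txs, hash} dicts, each linked to the one before."""
    chain, prev = [], GENESIS_PREV
    for txs in blocks_of_txs:
        txs = copy.deepcopy(txs)          # the chain owns its copy of the data
        h = block_hash(prev, txs)
        chain.append({"prev": prev, "txs": txs, "hash": h})
        prev = h
    return chain

def verify_chain(chain: list) -> int:
    """Index of the first block that fails verification, or -1 if the chain is intact.
    A block fails if its stored hash no longer matches its content, or if its
    'prev' field is not the hash of the block before it."""
    prev = GENESIS_PREV
    for i, blk in enumerate(chain):
        if blk["prev"] != prev or block_hash(blk["prev"], blk["txs"]) != blk["hash"]:
            return i
        prev = blk["hash"]
    return -1

def differing_bits(a_hex: str, b_hex: str) -> int:
    """How many of the 256 bits differ between two digests (the 'avalanche' effect)."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")

# Constructed sample ledger (not real bitcoin transactions).
LEDGER = [
    [{"from": "alice", "to": "bob", "amount": 1}],
    [{"from": "bob", "to": "carol", "amount": 1}],
    [{"from": "carol", "to": "dave", "amount": 1}],
]

def tamper_demo() -> dict:
    chain = build_chain(LEDGER)
    intact = verify_chain(chain)                     # -1: nothing wrong yet
    # Someone rewrites block 0 so that bob received 10 rather than 1.
    chain[0]["txs"][0]["amount"] = 10
    first_bad = verify_chain(chain)                  # 0: block 0's hash no longer matches
    # Recomputing block 0's hash does not help: block 1 still points at the old
    # hash, and so, transitively, would every later block up to the tip.
    chain[0]["hash"] = block_hash(chain[0]["prev"], chain[0]["txs"])
    after_rehash = verify_chain(chain)               # 1
    # A single altered letter flips roughly half of the 256 digest bits.
    flipped = differing_bits(sha256_hex(b"Starnbergersee"), sha256_hex(b"Stirnbergersee"))
    return {"intact": intact, "first_bad": first_bad, "after_rehash": after_rehash,
            "flipped_bits": flipped}

if __name__ == "__main__":
    print(tamper_demo())
```

The forger’s only way out is to recompute not one hash but every hash from the altered block to the tip, and, as the next section explains, each of those recomputations is made deliberately expensive.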

Bitcoin would work perfectly well, technically speaking, with just a single miner doing all this hashing. The miner would need only a standard computer; the electricity consumption would be minimal. But the idea of a single miner is alien to Satoshi’s vision: it would be a form of centralisation. The miner would have the power, for example, to exclude transactions from the blockchain, to demand excessive payments for including them, or to alter their details. Hence the need for multiple miners, each acting as a check on the others.

*

The software of the bitcoin system, from Satoshi’s day onwards, turned mining into a competition by requiring the miner not just to hash a block of transactions – that, as I’ve said, is easy – but to produce a hash that, read as a binary number, falls below a certain threshold (the ‘target’): in effect, a hash that begins with at least a specified minimum number of zeros. Originally, the requirement was for only a small number of zeros, but as more and more computer power gets devoted to mining, the bitcoin software automatically increases the difficulty of the computation by lowering the target, which means requiring a greater number of zeros. Here, to pluck an example at random, is the successful hash of block 540062, mined at 4.36 p.m. (UK time) on 5 September 2018:

0000000000000000001bc052e0aded766c4c6d4ab07608530de4c19f004f1c75

If you translate that hash back into a string of binary digits, it begins with 75 zeros. For a miner, that’s a daunting prospect. You have to try a gigantic number of hashes before you can expect to find one like that, which is why mining consumes so much electricity. What miners have to hash includes not just a bundle of transactions but also what cryptographers call a ‘nonce’, an arbitrary 32-digit binary number. (It’s an old word, found for example in Hamlet; ‘for the nonce’ meant ‘for this occasion’.) If a miner ran just the block through the hash algorithm, they would always get the same result and therefore rarely get a hash below the threshold – the nonce is the varying factor. There’s no known way of predicting in advance the results of SHA-256 hashing, so the only way to find a hash with the requisite number of initial zeros is randomly to pick a nonce and try a hash. If that fails to produce the desired result, and it almost always will, then there’s nothing for it but to try again with a different nonce. Since there are more than four billion such numbers, there are a lot of nonces to try.

Nowadays, given the very demanding nature of the goal, it’s usual to find that not a single one of these nonces will work. If that happens, the miner’s computer then turns to what is in effect a second nonce. It’s a data field in the special ‘coinbase’ transaction that a miner always adds to a block, a transaction that creates the 12.5 new bitcoins if the miner is successful. The computer changes that second nonce, then starts over again trying every possible value of the first nonce, and so on until it manages to find a hash with at least the required minimum number of zeros – or, more likely, until somebody else’s computer does, in which case all the miner’s work goes without reward.
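The search loop described in the last two paragraphs, including the fall-back to a second nonce in the coinbase transaction, can be written out in a few dozen lines. What follows is an added example rather than bitcoin’s own code. The 80-byte header layout, the double application of SHA-256 and the byte-reversed display form are bitcoin’s; the Merkle root is replaced by a hash over a constructed coinbase field plus a stand-in transaction blob, the timestamp and ‘bits’ fields are placeholders, and the target is derived from a chosen number of leading zero bits rather than from the real difficulty, so that the example finishes in under a second.

```python
import hashlib
import struct

# Added example of the nonce search; not bitcoin's own code. See lead-in
# for which parts follow bitcoin and which are stand-ins.

BLOCK_540062 = "0000000000000000001bc052e0aded766c4c6d4ab07608530de4c19f004f1c75"
PLACEHOLDER_TIME = 0            # real headers carry a Unix timestamp
PLACEHOLDER_BITS = 0x1d00ffff   # real headers carry the encoded target

def double_sha256(data: bytes) -> bytes:
    # Bitcoin applies SHA-256 twice to the 80-byte block header.
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def leading_zero_bits(digest_hex: str) -> int:
    """Leading binary zeros of a 256-bit digest given as 64 hex characters."""
    return 256 - int(digest_hex, 16).bit_length()

def target_for_zero_bits(zero_bits: int) -> int:
    """Largest 256-bit integer whose binary form starts with zero_bits zeros."""
    return (1 << (256 - zero_bits)) - 1

def merkle_stub(txs_blob: bytes, extranonce: int) -> bytes:
    # Stand-in for the Merkle root: the coinbase transaction's extra-nonce field
    # is hashed in with the other transactions, so changing it changes the
    # 32-byte value that goes into the header and gives a fresh search space.
    return double_sha256(b"coinbase" + struct.pack("<I", extranonce) + txs_blob)

def build_header(prev_hash: bytes, merkle: bytes, timestamp: int, nonce: int) -> bytes:
    # 80 bytes: version(4) prev(32) merkle(32) time(4) bits(4) nonce(4), little-endian.
    return (struct.pack("<I", 1) + prev_hash + merkle
            + struct.pack("<III", timestamp, PLACEHOLDER_BITS, nonce))

def header_hash_hex(header: bytes) -> str:
    # Bitcoin displays the hash byte-reversed; that form, read as a big-endian
    # integer, is what is compared with the target.
    return double_sha256(header)[::-1].hex()

def mine(prev_hash: bytes, txs_blob: bytes, zero_bits: int,
         nonce_space: int = 1 << 32, max_extranonce: int = 1 << 20):
    """Try every nonce in 0..nonce_space-1; when they are exhausted, bump the
    coinbase extra-nonce and start over. Returns (extranonce, nonce, hash_hex),
    or None if max_extranonce rounds pass without success."""
    target = target_for_zero_bits(zero_bits)
    for extranonce in range(max_extranonce):
        merkle = merkle_stub(txs_blob, extranonce)
        for nonce in range(nonce_space):
            h = header_hash_hex(build_header(prev_hash, merkle, PLACEHOLDER_TIME, nonce))
            if int(h, 16) <= target:
                return extranonce, nonce, h
    return None

def verify(prev_hash: bytes, txs_blob: bytes, zero_bits: int,
           extranonce: int, nonce: int) -> bool:
    """Checking a claimed solution costs one hash, however many the search took."""
    hdr = build_header(prev_hash, merkle_stub(txs_blob, extranonce), PLACEHOLDER_TIME, nonce)
    return int(header_hash_hex(hdr), 16) <= target_for_zero_bits(zero_bits)

if __name__ == "__main__":
    print("block 540062 leading zero bits:", leading_zero_bits(BLOCK_540062))
    # Constructed inputs; a 256-value nonce space forces the extra-nonce path.
    print(mine(bytes(32), b"alice->bob:1;bob->carol:1", 16, nonce_space=1 << 8))
```

Two things are worth noticing when running it. The number of tries needed roughly doubles for every extra zero bit demanded, so 16 bits is cheap and the 75 of block 540062 is out of reach for a laptop; and verifying a solution costs a single hash, which is what lets every other node check a miner’s claim almost for free.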

Precisely because there’s no known way of finding a successful hash that is better than picking nonces at random, mining isn’t just hard, it is also a lottery. This fitted Satoshi’s peer-to-peer vision well. Any bitcoin user could leave their computer gently humming away – it’s easy enough to make the process of mining entirely automatic – and every so often they would discover they had a winning ticket. Even if that didn’t happen, their computer would usefully have joined in the process of checking that’s necessary to secure a single version of history.

The snake in Satoshi’s Eden turned out to be one of the most attractive features of SHA-256 hashing: its computational simplicity. Its core operations work on a few dozen bytes that fit in a processor’s registers, so they don’t require that data be shuttled back and forth between the microprocessor chip and the computer’s main memory, and the arithmetic involved is just the addition of 32-bit whole numbers (with any overflow discarded) together with bit shifts, rotations and logical operations, so there’s no need to use the microprocessor’s ‘floating point unit’, which performs arithmetic with numbers that aren’t integers. It was soon realised that hashing could be ‘parallelised’, as a computer scientist would put it: instead of doing hashes one after another on a standard computer, a miner can use other forms of hardware that have less flexibility but on which one can try multiple hashes simultaneously, each with a different nonce.

The person who is first recorded as taking this approach to mining is a Hungarian-American programmer called Laszlo Hanyecz.[4] In 2010, Hanyecz started using a graphics processing chip of the kind used in computer game consoles. Generating an ever changing image involves doing large numbers of simple operations as quickly as possible – just what’s needed for bitcoin mining. With his graphics chip, Hanyecz overpowered the original bitcoin miners, who were using standard computers, and soon he was winning a disproportionate number of newly created bitcoins. Satoshi sent Hanyecz a message, successfully persuading him to curb his high-powered mining: ‘I don’t mean to sound like a socialist, I don’t care if wealth is concentrated, but for now, we get more growth [of bitcoin] by giving that money [rewards for successful mining] to 100 per cent of the people than giving it to 20 per cent.’ In 2010, bitcoin had little or no dollar value, so it probably didn’t seem too big a sacrifice for Hanyecz to comply.

Graphics processing chips did not in fact completely end mining’s hobbyist phase. Many of the young men who seem to have formed the majority of bitcoin’s early users were also computer gamers who were familiar with graphics chips. What finally turned mining from an amateur into a predominantly professional activity was the introduction, from 2013 onwards, of ASICs, or application-specific integrated circuits. These are chips in which the circuitry to perform a specific task is etched directly into the silicon during the chip’s manufacture. Because SHA-256 hashing is such a simple operation, it is possible (though far from cheap) to design and have someone build a chip that has many separate processor circuits, each of which hashes independently of the others. The most prominent of the firms that does this is Bitmain. The chips that power its mine in Inner Mongolia are of its own design, and are manufactured by the Taiwan Semiconductor Manufacturing Company, owner of the world’s largest silicon-chip foundry. Each of Bitmain’s Antminer S9 machines contains 189 of these ASICs; each of these ASICs, in turn, has more than a hundred separate little SHA-256 processor units hardwired into the chip.

There is no hope of your laptop successfully competing against an Antminer. The current top-of-the-line version, the water-cooled S9 Hydro, can perform 18 trillion hashes per second, and Bitmain is selling Hydros for a surprisingly modest $780 each. (Before you buy, note that Bitmain has been earning more money selling Antminers than it does by mining with them. As the saying goes: in a gold rush, sell shovels.) Each S9 Hydro gobbles up 1.7 kilowatts of electricity – that’s where the water-cooling comes in – but the enormous rate at which it hashes means that it uses much less electricity per hash than a standard computer or even a graphics chip.

Why, then, does bitcoin’s global electricity consumption remain so high? The reason is that the cheaper and more efficient hashing becomes, the more of it miners in the aggregate do in their efforts to win the prize. But there’s also a twist. Satoshi didn’t want the bitcoin system to operate too quickly. The rationale seems to be that in the absence of a centralised form of broadcasting, the messages containing transactions and successfully hashed blocks of transactions percolate only relatively slowly through a globally distributed network of computers. If mining were too fast a process, different segments of the network might start to treat different blocks as the one most recently mined, and so get out of sync with each other. The blockchain could thus fragment – ‘fork’, as a miner would put it – into multiple competing versions.

The bitcoin system is therefore designed to ensure that it takes an average of around ten minutes before any miner anywhere manages to discover a nonce, or a pair of nonces, that generates a hash with the right number of zeros. That makes mining a treadmill. Suppose the computing power devoted to mining increases. Blocks will then start to be successfully hashed in less than ten minutes. That’s when the bitcoin software system simply increases the difficulty of the problem by requiring more zeros. (These adjustments happen every 2016 blocks, or roughly every fortnight.) That’s how we got to block 540062, with its 75 zeros.

Conversely, if the aggregate computer power devoted globally to mining falls (this has been much less common), the system keeps to the ten-minute target by making mining a little easier, in other words requiring slightly fewer zeros. In the first half of last year, miners kept piling in even though bitcoin’s dollar price had fallen dramatically from the high levels of late 2017: the estimated aggregate amount of mining worldwide peaked, at the end of August 2018, at an astonishing 62 million terahashes per second (a terahash is a trillion hashes). However, many miners found that what they were earning was insufficient to pay their very large electricity bills, so they had to switch off their Antminers. By the start of December, the aggregate hash rate had halved. In recent weeks, though, there have been signs of a modest recovery in bitcoin’s dollar price, and at the time of writing (early April), the aggregate rate at which the world’s miners are hashing is fluctuating between around 45 and 50 million terahashes per second.
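The treadmill described in the last two paragraphs is a short piece of arithmetic, and it is worth seeing why a halving of the hash rate produces a halving of the difficulty rather than something more dramatic. The code below is an added example, not bitcoin’s own code. The adjustment rule is the one bitcoin uses: every 2016 blocks the target is rescaled by the ratio of the time those blocks actually took to the two weeks they should have taken, with that ratio clamped to between one quarter and four. The starting target and the hash-rate figures are constructed for illustration.

```python
# Added example of bitcoin's fortnightly difficulty adjustment; not bitcoin's
# own code. Scenario values (T0, H0, the hash-rate sequence) are constructed.

MAX_TARGET = 0xFFFF << 208            # the easiest target bitcoin allows; defines 'difficulty 1'
EPOCH_BLOCKS = 2016
BLOCK_INTERVAL = 600                  # ten minutes, in seconds
EXPECTED_TIMESPAN = EPOCH_BLOCKS * BLOCK_INTERVAL   # two weeks

def retarget(old_target: int, actual_timespan: int) -> int:
    """Target for the next 2016 blocks. A bigger target means fewer leading
    zeros are required, i.e. mining gets easier. The clamp stops one freak
    epoch from moving the difficulty by more than a factor of four."""
    span = min(max(actual_timespan, EXPECTED_TIMESPAN // 4), EXPECTED_TIMESPAN * 4)
    return min(old_target * span // EXPECTED_TIMESPAN, MAX_TARGET)

def difficulty(target: int) -> float:
    """How many times harder than 'difficulty 1' a hash at or below this target is to find."""
    return MAX_TARGET / target

def required_zero_bits(target: int) -> int:
    """Minimum number of leading zero bits a hash needs to be at or below the target."""
    return 256 - target.bit_length()

def expected_epoch_seconds(target: int, hashrate: float) -> float:
    """Expected time for 2016 blocks at a given aggregate hash rate (hashes/second):
    a uniformly random 256-bit digest lands at or below the target once in
    2^256/(target+1) tries on average."""
    hashes_per_block = 2 ** 256 / (target + 1)
    return EPOCH_BLOCKS * hashes_per_block / hashrate

def simulate(initial_target: int, hashrates: list) -> list:
    """Run successive epochs at the given hash rates; each entry reports how long
    the epoch took and the difficulty set for the epoch after it."""
    target, log = initial_target, []
    for hashrate in hashrates:
        span = expected_epoch_seconds(target, hashrate)
        target = retarget(target, round(span))
        log.append({"hashrate": hashrate,
                    "epoch_days": span / 86400,
                    "next_difficulty": difficulty(target),
                    "next_zero_bits": required_zero_bits(target)})
    return log

# Constructed scenario: a target 2^40 times harder than difficulty 1, and a
# starting hash rate H0 chosen so that blocks arrive every ten minutes on average.
T0 = MAX_TARGET >> 40
H0 = 2 ** 256 / ((T0 + 1) * BLOCK_INTERVAL)

if __name__ == "__main__":
    # Steady, doubling, steady again, halving back, then a tenfold surge.
    for row in simulate(T0, [H0, 2 * H0, 2 * H0, H0, 10 * H0]):
        print(row)
```

Read the output as a miner would: an epoch that finishes in a week doubles the difficulty for the next one, an epoch that drags on for four weeks halves it, and a tenfold surge in hash rate is met with only a fourfold increase, the clamp leaving the rest to be corrected over the epochs that follow.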

*

In the early summer of 1381, much of England was convulsed by insurrections of the common people. The townspeople of St Albans stormed its imposing Benedictine monastery, whose abbot was their feudal overlord. They burned the rolls, the records of the manorial courts. They also set about smashing the monastery’s stone floors. Fifty years previously, its then abbot had finally succeeded in prohibiting the townspeople from milling grain by hand, and, as Marc Bloch recorded in an article from 1935, translated in the posthumous collection Land and Work in Medieval Europe (1967), ‘from all over the town the millstones were brought into the monastery, and the monks paved their parlours with them, like so many trophies.’

The confiscation of the St Albans millstones was an act of what we might call ‘material political economy’.[5] The abbot reordered the material world in a way that was economically consequential and also political. Throughout the Middle Ages in Europe, feudal lords such as the abbot had sought to suppress handmilling and replace it with windmills or watermills, because they were easier to police. If peasants or townspeople could mill in private, it was harder for their lords to exact what they regarded as their dues. The preference of the St Albans townspeople for handmilling – despite the physical effort involved – wasn’t at all unusual. Even as wind and water were joined by steam power, handmilling continued. As late as the end of the 19th century, Bloch notes, Prussian villagers were still grinding grain on handmills, and even though landowners no longer had the right to prohibit handmilling, they still ‘felt obliged … to hide from strangers as they did so’.

The material political economy of the mining of cryptocurrencies is more esoteric than that of the milling of grain: it doesn’t determine who eats and who does not. Nor does it resemble conventional democratic politics: you ‘vote’ by either downloading and using a new version of a cryptocurrency’s software system, or by not doing so, and the influence of your vote depends on the computing power at your disposal. But material political economy is what it is. The closest equivalent in the world of cryptocurrency to the defence of handgrinding is the effort to design currencies with hashing algorithms that are, in the terminology of the field, ‘ASIC-resistant’ – in other words, algorithms for which it is hard to design specialised chips that will perform substantially better than ordinary computers. (A typical way of doing it is to try to force the algorithm’s operations, unlike those of SHA-256, to make heavy use of a computer’s main memory.) The design of bitcoin’s main rival, ethereum, included an attempt to make it ASIC-resistant.

Reordering the material world isn’t easy work. The defence of the egalitarian, hobbyist mining of ethereum, for instance, has been only partly successful. It turns out that it is possible after all to design an ASIC chip for ethereum mining, though such chips haven’t yet swept the board as their bitcoin equivalents have done. Efforts to change bitcoin itself have to contend with a strongly entrenched status quo. Bitcoin’s software looks malleable. It is open-source: anyone can download it, and provided they have the appropriate skills – it helps if you are an experienced C++ programmer – anyone can modify it. But modifying a cryptocurrency’s software is of no avail unless other users – especially the crucial users, the miners – take up the new version. Switching from bitcoin’s SHA-256 to an ASIC-resistant hashing algorithm is, for example, politically unthinkable, because it would immediately render all those tens of thousands of Antminers and similar machines near worthless.

A particular fear that sometimes lurks in the background when proposals to alter bitcoin are canvassed is of a ‘majority attack’, in which a single miner or group of miners deploys more computing power than every other bitcoin miner put together (which has indeed happened briefly at various times in the past), in order to make money not just by mining but by manipulating the evolving record of transactions (which has happened to other cryptocurrencies but not, so far, to bitcoin). If you have more than half the total computing power, you can mine blocks faster than others can, which gives you the capacity to create a version of the blockchain that includes more hashing work and more blocks than alternative versions. If other miners’ computer systems are following Satoshi’s rules, they will accept your version as valid. Your version could, for example, exclude transactions in which you have spent bitcoin, and this could enable you to do precisely what Satoshi wanted to stop users doing: spend the same unit of currency more than once.
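Two pieces of the majority attack just described can be made concrete: the rule by which a node following Satoshi’s protocol chooses between competing versions of the chain, and how likely an attacker with a given share of the hash rate is to overtake the honest chain. The code below is an added example, not bitcoin’s own code. The chain-selection rule (most cumulative work wins) is bitcoin’s; the catch-up probability is the calculation in the ‘Calculations’ section of Satoshi’s 2008 paper; the two competing chains and their transactions are constructed for illustration.

```python
import math

# Added example of the 'majority attack'; not bitcoin's own code. The chains
# below are constructed. HONEST contains a payment to a merchant; the attacker,
# holding more than half the hash rate, mines a private version from the same
# starting point that omits it and, producing blocks faster, ends up longer.

def work_for_target(target: int) -> int:
    """Expected number of hashes needed to find a digest at or below target."""
    return 2 ** 256 // (target + 1)

def chain_work(chain: list) -> int:
    """Total expected work embodied in a list of blocks {target, txs}."""
    return sum(work_for_target(b["target"]) for b in chain)

def choose_chain(candidates: list) -> list:
    """Satoshi's rule: adopt the valid chain embodying the most cumulative work
    (not merely the most blocks, though at a fixed target the two coincide)."""
    return max(candidates, key=chain_work)

def attacker_catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker controlling fraction q of the hash rate ever
    overtakes an honest chain that is z blocks ahead, allowing for the progress
    the attacker makes while those z blocks are being mined (the formula in the
    bitcoin paper). With q >= 1/2 the attacker is certain to catch up."""
    p = 1.0 - q
    if q >= p:
        return 1.0
    lam = z * q / p                    # expected attacker progress during z honest blocks
    total = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total

# Constructed scenario at a fixed, easy target.
TARGET = (1 << 240) - 1
HONEST = [
    {"target": TARGET, "txs": ["attacker pays merchant 5"]},
    {"target": TARGET, "txs": ["alice pays bob 1"]},
    {"target": TARGET, "txs": ["bob pays carol 1"]},
]
ATTACKER = [
    {"target": TARGET, "txs": []},
    {"target": TARGET, "txs": ["attacker pays own address 5"]},   # the same coins, spent again
    {"target": TARGET, "txs": ["alice pays bob 1"]},
    {"target": TARGET, "txs": ["bob pays carol 1"]},
]

def merchant_still_paid(adopted: list) -> bool:
    return any("attacker pays merchant 5" in b["txs"] for b in adopted)

if __name__ == "__main__":
    adopted = choose_chain([HONEST, ATTACKER])
    print("merchant still paid:", merchant_still_paid(adopted))
    for q in (0.1, 0.3, 0.5):
        print(q, [round(attacker_catch_up_probability(q, z), 6) for z in (0, 1, 3, 6)])
```

The second function is why merchants wait for ‘confirmations’: with a tenth of the hash rate an attacker’s chance of reversing a payment falls by roughly a factor of four with each block mined on top of it, but once the attacker’s share passes one half no number of confirmations helps.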

A successful majority attack is a catastrophic event: it destroys a cryptocurrency’s foundation, the agreed record of past transactions. To prevent the mounting of a majority attack becoming an attractive proposition, the rewards of honest mining need to be kept high, and what you can earn by manipulation kept low. That, as the economist Eric Budish showed in a paper released in June last year, places real constraints on the ways in which bitcoin can safely evolve. Budish’s analysis also suggests an irony. The undermining by specialist ASIC chips of Satoshi’s egalitarian ideal may actually be helping protect bitcoin from majority attack, because gaining a majority of computer power would involve heavy investment in hardware for SHA-256 hashing that would lose much of its value when the price of bitcoin collapsed in the wake of such an attack.

Even what seems on the face of it to be a minor technical change to the bitcoin system can spark fierce controversy among miners and core programmers. The system’s deliberately slow pace means that it cannot process more than around seven transactions per second globally, and in practice the rate can fall as low as two or three per second. Yet all proposals to change the bitcoin system in order to increase its capacity have foundered – even the apparently very modest proposal to increase the maximum size of a block from one megabyte to two megabytes. Those who design and mine cryptocurrencies are intelligent people. They realise that bitcoin’s limited capacity is a major constraint, and they also see that it can’t be right to devote such huge amounts of electricity to the trial-and-error solution of hugely daunting but ultimately arbitrary mathematical problems. But, as in politics generally, recognising a problem is not the same as agreeing what to do about it.

The most widely canvassed alternative to the form of mining used in bitcoin, which those involved call ‘proof-of-work’, is what’s known as ‘proof-of-stake’. In proof-of-stake, a cryptocurrency’s software system randomly chooses a user and offers that user’s computer the opportunity to be the one that hashes the current block of transactions and earns the associated reward. Mining wouldn’t then take the form of a race, and there would be no need for specialised hardware or to make the problem artificially hard so that the race isn’t over too quickly. There would, though, still be a worry that the user who gets selected in proof-of-stake might try to manipulate the evolving blockchain. That’s where the ‘stake’ comes in: proposals include requiring the chosen miner to make a chunky security deposit, and/or choosing a form of lottery that’s most likely to be won by a user who has heavy investments in the currency and who is therefore less likely to take actions that might cause the currency to lose value. There remain some who doubt that measures such as this would be enough to keep proof-of-stake secure, and more than a few who think it is inherently plutocratic.

There are further aspects of bitcoin that are, in a broad sense of the word, political. You might think, for example, that each bitcoin would be worth the same as every other bitcoin – that, after all, is how money is supposed to work. But the history of a particular bitcoin matters. A dollar bill can bear traces of its history (cocaine, explosives etc), but a bitcoin is its history. Although bitcoin transactions are anonymous, they are recorded, publicly and indelibly, in the blockchain. Sometimes, the chain that constitutes a particular amount of bitcoin includes a bitcoin address which, it transpires, has been used in, say, theft, money laundering, or the sale of weapons or illicit drugs. Bitcoin traders refer to such bitcoins as ‘tainted’. You can try to remove the taint by using a ‘tumbler’ or ‘mixing service’, which receives coins from multiple addresses and jumbles them before returning them, but this can simply spread a diluted form of the taint rather than eliminating it. The fear of taint – of, for example, a legal demand for the return of allegedly stolen coins – has deterred some mainstream financial organisations, such as institutional investors, from getting involved in bitcoin. Others, it is reported, have been paying a premium of around 20 per cent to buy, direct from miners, new coins, because they are free of history and therefore of the risk of taint.

In November 2008, a participant in the cryptography email list to which Satoshi Nakamoto sent his original bitcoin proposal objected: ‘You will not find a solution to political problems in cryptography.’ Satoshi’s reply was vanilla libertarianism: ‘But we can … gain a new territory of freedom for several years. Governments are good at cutting off the heads of … centrally controlled networks like Napster, but pure P2P [peer-to-peer] networks like Gnutella and Tor seem to be holding their own.’ Bitcoin has done a great deal better than just hold its own, but Satoshi’s critic has turned out to be right. Politics saturates bitcoin and the numerous rival cryptocurrencies it has inspired, and the question of whether and how their political problems can be solved remains open.

[1] Andrew O’Hagan wrote about Satoshi Nakamoto in the LRB of 30 June 2016.

[2] It was an adaptation of an earlier proposal by, among others, the British programmer Adam Back.

[3] John Lanchester hashed Joyce’s Ulysses for his article on bitcoin in the LRB of 21 April 2016.

[4] Nathaniel Popper tells the story in his history of bitcoin, Digital Gold (2016).

[5] The sociologists of science John Law and Annemarie Mol coined the phrase ‘material politics’ to describe a broader category: ‘material ordering[s] of the world’ to which there are actual or potential alternatives.