Basic Knowledge of Bitcoin

reference：Peking University Professor Xiao Zhen's Open Course "Blockchain Technology and Applications"

Three Properties of Hash Functions in Bitcoin#

Collision Resistance#

For two different inputs, if the outputs are equal, this is called a hash collision.

A good hash function should avoid hash collisions as much as possible and possess the property of collision resistance.

No hash algorithm can prove to be collision resistant; hash collisions are inevitable because the input space is always larger than the output space.

Function of this property

To obtain a digest of a message.

For example, if the hash value of the message is H(m)=digest, if someone wants to tamper with the value of m while keeping H(m) unchanged, it cannot be done.

Hiding#

The computation process of a hash function is one-way and irreversible (x cannot be derived from H(x)).

The hiding property requires that the input space is sufficiently large and distributed relatively evenly.

In addition to these two properties required in cryptography, the hash function used in Bitcoin has a third property.

Puzzle Friendly#

The process of Bitcoin mining is essentially finding a nonce (number of once); the nonce combined with other information in the block header serves as input, and the resulting hash value must be less than or equal to a specified target value. H(block header) ≤ target. The block header refers to the header of the block, which contains many fields, one of which is the random number nonce that we can set. The mining process involves continuously trying random numbers to ensure that the hash of the block header falls within the specified range.

Puzzle friendly means that there are no shortcuts during the mining process; to make the output value fall within the specified range, one can only try one by one, so this process can also serve as proof of work.

The hash value is inherently unpredictable; mining is difficult, but verification is easy. (Difficult to solve, but easy to verify)

SHA-256 (Secure Hash Algorithm)#

The hash function used in Bitcoin is called SHA-256 (Secure Hash Algorithm), which satisfies the above three properties.

If a certain blockchain transaction system uses the SHA256 algorithm, there will be $2^{256}$ possible outputs. If $2^{256}+1$ inputs are performed, a collision will inevitably occur; even from a probabilistic perspective, performing $2^{130}$ inputs will have a $99%$ chance of causing a collision.

Assuming a computer performs hash operations at a speed of 10,000 times per second, it would take $10^{27}$ years to complete $2^{128}$ hash operations.

Accounts in Bitcoin#

Creating a public-private key pair (public key, private key) locally constitutes an account. The public-private key pair comes from asymmetric encryption technology.

In BTC transactions, the private key is used for signing, while others use the public key to verify the signature.

Generating a public-private key requires a good source of randomness; the generation of public-private keys is random, and if the random source is poor, it may produce the same public-private key. In cryptographic implementations, physical noise source chips are generally used as random sources.

The signature algorithm used in Bitcoin requires a good random source not only when generating the public-private key but also for every subsequent signature. If the random source used for any signature is poor, it may leak the private key.

The probability of randomly generating the same pair of public and private keys is negligible and can be ignored.

Important Data Structures in Bitcoin#

Hash Pointer#

The most basic structure in Bitcoin is the blockchain, which is a linked list composed of blocks. What is the difference between a blockchain and a regular linked list?

Bitcoin uses hash pointers instead of regular pointers (the blockchain is a linked list using hash pointers).

The first block in the blockchain is called the genesis block, and the last block is the most recently produced block. Each block contains a hash pointer pointing to the previous block.

Through this structure, a tamper-evident log can be achieved. If someone changes the content of a block, the hash pointer of the subsequent block will not match because the hash pointer of the latter block is calculated based on the content of the previous block, so the latter hash pointer must also be changed, and so on. The last hash value we retain will also change. Therefore, as long as the last block's hash is recorded, it can be ensured that all previous blocks have not been tampered with.

A pointer saves the address in local memory, which only makes sense on that local computer; it becomes meaningless when sent to other computers. So how can hash pointers be transmitted over the network when blocks are published?

The so-called hash pointer is just a figurative term; in the actual system, only hashes are used, not pointers.

Merkle Tree#

The block header contains the root hash of the Merkle tree; as long as the root hash of the Merkle tree is remembered, any modification to any part of the tree can be detected.

Finding the position of a transaction in the Merkle tree (all transactions are at the leaf nodes), the path from that block up to the root node is called the Merkle proof.

Light nodes only store the block header. If a light node wants to know whether a certain transaction is included in the Merkle tree, it needs to request a full node for a Merkle proof that can prove this transaction is included, which contains the hash needed by the light node for local verification.

What can Merkle proof prove? It proves whether a certain transaction is in a given block.

For example, a light node does not maintain the entire UTXO content of the block; it only knows the block header. The light node asks a full node: Is this transaction in this block? The full node returns a Merkle proof as proof, and the light node can verify its authenticity.

The difference between Merkle tree and binary tree: hash pointers replace regular pointers.

Problems to Solve for Decentralized Digital Currency#

A decentralized digital currency needs to solve two problems.

The first problem is, who has the right to issue currency?
The second problem is, how to verify the legality of transactions?

Double Spending Problem#

Double spending refers to a situation where a sum of money is spent twice. Centralized ledgers can easily solve double spending attacks; decentralized solutions need a data structure to maintain the correctness of the ledger, and this data structure is the blockchain.

In the Bitcoin system, each transaction contains two parts: inputs and outputs. The input part must specify the source of the coins, and the output part must provide the hash of the recipient's public key.

The information needed for A to transfer money to B: A's private key signature and B's address (B's receiving address is derived from the public key).

Here, there are two types of hash pointers; the first connects various blocks to form a linked list, and the second hash pointer in the transaction details points to a previous transaction to indicate the source of the coins (to prevent double spending).

Distributed Consensus#

Each account can publish transactions, and these transactions are broadcast to all nodes. Some transactions are legitimate, while others may be illegal. So who decides which transactions should be written to the next block? In what order should they be written?

A simple example of distributed consensus is a distributed hash table; for instance, if there are many machines in the system, they jointly maintain a global hash table.

What content needs to reach consensus? The key-value pairs contained in the hash table. If someone inserts a key-value pair 'xiao' corresponding to 12345 into their computer, others on another machine must also be able to read it; this is called a global hash table.

Impossibility Result#

There are many impossibility results regarding distributed systems, the most famous being the FLP impossibility result. These three letters are the initials of three experts' names. In an asynchronous system (where network transmission delays have no upper limit, it is called an asynchronous system), even if only one member is faulty, consensus cannot be achieved.

CAP Theorem#

Another famous conclusion is the CAP Theorem, which states that in a distributed system, Consistency, Availability, and Partition Tolerance cannot all be achieved simultaneously. Consistency, Availability, and Partition Tolerance can only satisfy two of the three.

Blockchain Trilemma#

The blockchain trilemma was proposed by Vitalik, the founder of Ethereum.

It states that blockchain technology cannot simultaneously achieve decentralization, security, and efficiency.

Decentralization
Scalability
Security

POW - Consensus Protocol in Bitcoin#

Voting-Based Consensus Scheme#

Some nodes may be malicious. If most nodes in the system are good, how should the consensus protocol be designed?

One scheme is voting. Any voting-based consensus scheme must first determine who has voting rights, right? There must be a membership issue. If this blockchain has a strictly defined membership. For example, not everyone can join, like the consortium chain Hyperledger Fabric, which is a consortium chain protocol. Only certain qualified large companies can join. In this case, a voting-based scheme is feasible. We assume that most members are good, so voting is feasible.

Simple direct voting is not feasible in public chains.

The Bitcoin system is not like this. In the Bitcoin system, creating an account is very easy. You just generate a public-private key pair locally; an account does not require anyone's approval, and others may not even know. Only when a transaction occurs with the outside world will others know that such an account exists. If there are malicious nodes, they could set up a supercomputer and do nothing else but continuously generate various accounts, and if the accounts they generate exceed half of the total, they would have control and could manipulate the voting results. This is called a Sybil attack.

The Bitcoin system employs a clever mechanism to solve this problem. It also involves voting, but instead of voting by the number of accounts, it is voting by computational power.

Accounting Rights#

Each node can locally assemble a candidate block, placing the transactions it considers valid into this block, and then start trying various random nonce values. If a certain node finds a valid nonce (4 bytes) that satisfies the inequality H(block header) ≤ target, we consider it has obtained accounting rights.

H(block header) ≤ target

Accounting rights refer to the right to write the next block into Bitcoin's decentralized ledger. Only the node that finds this nonce and obtains accounting rights has the right to publish the next block.

Verifying the Legitimacy of Blocks#

When other nodes receive this block, they need to verify the legitimacy of the block.

For example, first verify whether the contents of the block header are filled in correctly. The block header contains a field called nBits. In fact, it is an encoding of the target value; check whether the nBits field is set according to the difficulty requirements specified in the Bitcoin protocol. Then check whether this nonce satisfies the inequality H(block header) ≤ target.

In other words, when you publish a block, do you really have the right to publish it? Did you really obtain accounting rights? Assuming all requirements are met, then look at the transaction list in the block body and verify whether each transaction is legitimate. First, there must be a valid signature. Second, the coins used must not have been spent before. If any item does not meet the requirements, this block cannot be accepted.

Forking Attack#

If all conditions are met, the block may still not be accepted.

Under what circumstances can a block that meets all conditions still not be accepted? The transactions in the block are legitimate, but it is not on the longest valid chain. This is called a forking attack.

A forking attack involves inserting a block into the middle of the blockchain to roll back a transaction that has already occurred.

Forks can also occur under normal circumstances in the blockchain. If two nodes obtain accounting rights simultaneously, each node assembles a block that it considers appropriate locally and then tries various nonces. If both nodes find a valid nonce at roughly the same time, both can publish their blocks, resulting in two equal-length forks, both of which are the longest valid chains.

Which one should be accepted? In the Bitcoin protocol, by default, each node accepts the one it received first. Therefore, depending on the position of different nodes in the network, some nodes may hear about one of the newly generated blocks first and accept that block, while others may hear about the other block first and accept that one.

How to determine if a block is accepted? The Bitcoin protocol uses implicit consent; if it continues to expand along this block, it is considered to have recognized the published block. For example, if a new block is generated after one of the blocks, and another block is expanded after it, it indicates that the new block has been recognized.

So how will the two chains that generate new blocks simultaneously develop? Equal-length temporary forks will last for a while until one fork wins. That is, whichever chain generates a new block first will be the longest valid chain. The other one becomes an orphan block. These two new blocks may each attract miners, and the stronger hash power will prevail, sometimes depending on luck.

Consensus Mechanism in the Bitcoin System#

Taking a distributed hash table as an example, in a distributed system with many servers, what consensus do the servers need to reach? The content of the hash table, which key-value pairs it contains.

Thus, the content of the decentralized ledger in Bitcoin is the consensus to be reached; only nodes that obtain accounting rights can write into it.

Why Do People Compete for Accounting Rights?#

Why do people compete for accounting rights? First, the nodes with accounting rights have certain powers to decide which transactions are written into the next block.

However, when designing this protocol, we should not let this become the main motivation for competing for accounting rights because we hope that all legitimate transactions should be written into the blockchain. This leads to the concepts of block rewards and transaction fees.

Who Decides the Issuance of Currency?#

The coinbase transaction is the only way to issue new bitcoins in the Bitcoin system; this transaction does not need to specify the source of the coins, and subsequent transactions are based on the transfer of bitcoins.

The process of competing for accounting rights in Bitcoin is called mining. Therefore, nodes competing for accounting rights are called miners. If they obtain accounting rights, we say they have mined a block or found a block.

How to Obtain Accounting Rights (POW Proof of Work)#

By trying various random nonce values to solve the puzzle.

The consensus mechanism of Bitcoin relies on computational power for voting. We discussed the three properties of Bitcoin's hash function, among which the puzzle friendly property ensures that there are no shortcuts in solving this puzzle; one can only try nonce values one by one.

Thus, if one node has ten times the computational power of another node, its probability of obtaining accounting rights is also ten times that of the other node. This is the special nature of voting in Bitcoin. It is not one person one vote, nor one computer one vote; it depends on how many nonce values you can try per second. This is sometimes referred to as hash rate, which determines the weight of the vote. The higher your node's hash rate, the greater the probability of obtaining accounting rights and receiving block rewards.

In Bitcoin, POW proof of work prevents Sybil attacks by counting votes based on computational power; even if many accounts are created, it does not enhance computational power.

The process of solving the puzzle in Bitcoin has no practical significance other than competing for computational power. Bitcoin becomes increasingly difficult to mine because block rewards are artificially reduced, and the scarcity of Bitcoin is artificially created. Although mining to solve the puzzle itself has no practical significance, the mining process is crucial for maintaining the security of the Bitcoin system; Bitcoin is secured by mining. Mining provides an effective means of voting based on computational power; as long as most of the computational power is held by honest people, the system's security can be guaranteed.

Will Miners Steal Answers During Mining?#

No. The published block contains a coinbase transaction, which has a recipient address that is the address of the miner who mined the block. If A mines a block, it contains A's receiving address. If someone wants to steal the answer, they would have to change A's address to their own, and if the address changes, the content of the coinbase transaction will also change.

This would lead to a change in the root hash of the Merkle tree because this transaction is combined with other transactions in the block to form the Merkle tree. Any change in any part will change the root hash. Since the nonce is in the block header, and the root hash is also in the block header, once the content of the block header changes, the previously found nonce becomes invalid. Therefore, it is impossible to steal the answer because each miner's nonce is bound to their own receiving address.

Bernoulli Trial#

Bernoulli trial: a random experiment with binary outcomes.

A Bernoulli trial is a single random experiment with only two possible outcomes.

Bernoulli process

A Bernoulli process is a sequence of independent Bernoulli trials.

The mining process, where each attempt at a nonce can be viewed as a Bernoulli trial, constitutes a Bernoulli process.

One of its properties is: memorylessness. A property of the Bernoulli process is memorylessness, meaning that after many experiments, the previous results do not affect the subsequent ones.

The probability of successfully trying a nonce is very small, requiring a large number of experiments; at this point, a Poisson process can replace the Bernoulli process.

Progress Free - Guaranteeing Fairness in Mining#

What we are really concerned about is the system's block generation time. In probability theory, it can be derived that block time follows an exponential distribution.

The average block time for the entire system is 10 minutes, which is designed to maintain the average block time around 10 minutes by periodically adjusting the mining difficulty. Specifically, for each miner, the time it takes to mine the next block depends on the percentage of the miner's computational power relative to the total computational power of the system.

The exponential distribution is also memoryless, which guarantees fairness in mining.

The memorylessness of the exponential distribution means that the probability distribution curve has the characteristic that if you truncate it from any point, the remaining part of the curve is the same as the original. For example: If it has been ten minutes and no one has found a valid block, how much longer do we need to wait? We still refer to the probability density function distribution; on average, we still need to wait ten minutes. How long it takes to mine in the future has no relation to how long has been mined in the past. This process is also called: progress free.

A coordinate axis can be drawn, with the vertical axis representing probability density and the horizontal axis representing block time (the block time of the entire system, not each miner's block time). Specifically, for each miner, the time it takes to mine the next block depends on the percentage of the miner's computational power relative to the total computational power of the system. If a person's computational power accounts for 1% of the total computational power of the system, then out of 100 blocks generated by the system, one block will be mined by this person.

If there is no progress free, what phenomenon will occur: strong miners will have a disproportionate advantage. Because strong miners have done more work in the past, after trying so many unsuccessful nonces, the probability of success for subsequent nonces will increase. Thus, progress free guarantees fairness in mining.

How Many Coins Can Be Created Out of Thin Air?#

At the beginning, when Bitcoin was first launched, each published block could generate a block reward of 50 bitcoins.

In the Bitcoin system, a block is generated approximately every 10 minutes. According to the Bitcoin protocol, after 210,000 blocks, the block reward will be halved to 25 BTC, and after another 210,000 blocks, it will be halved again.

The block reward is halved approximately every four years, resulting in the number of bitcoins produced forming a geometric series.

210000 * 50 (1+\frac{1}{2}+\frac{1}{4}+...)

According to this calculation, there will be a maximum of 21 million bitcoins.

As of 2022, Bitcoin miners receive 6.25 bitcoins for successfully mining a block.

Security Analysis of Bitcoin#

The premise is that most of the computational power is held by honest people. Mining only provides a probabilistic guarantee; it can only be said that there is a relatively high probability that the next block will be published by an honest miner, but it cannot guarantee that accounting rights will not fall into the hands of malicious individuals.

If a malicious node obtains accounting rights, it may do the following:

1. Forge an Illegal Transaction#

For example, transferring money from someone else's account to their own. However, since they do not know the private key of the other person, it is illegal and will not pass verification. Therefore, other honest nodes will not recognize this block because it contains illegal transactions, so they will continue to extend the previous block, and according to the longest valid chain, this block will not receive the block reward, but will waste a lot of electricity and manpower, ultimately not obtaining the block reward.

2. Double Spending#

By spending the same money again. For example, M transfers money to A, and M publishes another transaction to transfer this money back to themselves (or someone else). In this case, there are two scenarios.

The new block has been written to the blockchain - forking attack to roll back the transaction

A malicious node needs to fork the blockchain, creating a new chain from a previous block. In this case, the attack is very difficult. It is not enough for a malicious node to obtain accounting rights once; they need to continuously obtain accounting rights because honest nodes only recognize the longest valid chain. For details, see selfish mining.

To prevent such attacks, it is necessary to wait for several block confirmations; by default, six confirmations are needed, at which point the previous transaction is considered immutable, and the waiting time is approximately one hour.

The transaction is not written into the blockchain - initiating multiple transactions in a short time

This situation is also called zero confirmation, which is very common in practical applications.

Each transaction contains a timestamp; in the Bitcoin protocol, by default, each node accepts the transaction it received first. If the correct transaction is accepted first, subsequent duplicate transactions will not be accepted; otherwise, the recipient can directly refuse to acknowledge this transaction.

In fact, there is still some risk at this point because a malicious attacker's node may have a very small probability of obtaining accounting rights. To be absolutely safe, one can wait for six confirmations (one hour).

3. Intentionally Not Writing Legal Transactions#

This is not a big problem; legal transactions can still be written into the next block, and there will always be honest nodes writing legal transactions.

In normal circumstances, it may also happen that legal transactions are not written into a block because there may be too many transactions for a certain period. The Bitcoin protocol stipulates that each block has a size limit, and the block size cannot exceed 1MB, so if there are too many transactions, some transactions can only wait for the next block to be published.

4. Selfish Mining (Similar to 51% Attack)#

Under normal circumstances, if a block is mined, it will be published in a timely manner to avoid making one's block invalid after others mine it. However, in selfish mining, a malicious node mines a block but does not publish it, hiding a chain and waiting to publish it when it exceeds the longest valid chain.

This is a method of forking attack, but malicious nodes generally need more than 51% of the computational power, which is difficult to achieve.

If the goal is to earn more normal block rewards, not publishing immediately after mining the first block means that others will continue mining the previous block, while they extend the block they have mined, reducing competition for that block. If they have already mined the second block, when others claim to have mined the first block, they can publish both together, becoming the longest valid chain. However, this approach is risky; when others mine the first block, they must have already mined the second; otherwise, when others publish the first block, they will only have one, and at that point, it will be an equal-length chain, leading to competition, which may result in losing the reward for the first block.

What Consensus Mechanism in the Bitcoin System Seeks to Achieve#

Thus, the content of the decentralized ledger in Bitcoin is the consensus to be reached; only nodes that obtain accounting rights can write into it.

Why Do People Compete for Accounting Rights?#

Why do people compete for accounting rights? First, the nodes with accounting rights have certain powers to decide which transactions are written into the next block.

Who Decides the Issuance of Currency?#

How to Obtain Accounting Rights (POW Proof of Work)#

By trying various random nonce values to solve the puzzle.

In Bitcoin, POW proof of work prevents Sybil attacks by counting votes based on computational power; even if many accounts are created, it does not enhance computational power.

Will Miners Steal Answers During Mining?#

Bernoulli Trial#

Bernoulli trial: a random experiment with binary outcomes.

A Bernoulli trial is a single random experiment with only two possible outcomes.

Bernoulli process

A Bernoulli process is a sequence of independent Bernoulli trials.

The mining process, where each attempt at a nonce can be viewed as a Bernoulli trial, constitutes a Bernoulli process.

One of its properties is: memorylessness. A property of the Bernoulli process is memorylessness, meaning that after many experiments, the previous results do not affect the subsequent ones.

The probability of successfully trying a nonce is very small, requiring a large number of experiments; at this point, a Poisson process can replace the Bernoulli process.

Progress Free - Guaranteeing Fairness in Mining#

What we are really concerned about is the system's block generation time. In probability theory, it can be derived that block time follows an exponential distribution.

The exponential distribution is also memoryless, which guarantees fairness in mining.

How Many Coins Can Be Created Out of Thin Air?#

At the beginning, when Bitcoin was first launched, each published block could generate a block reward of 50 bitcoins.

The block reward is halved approximately every four years, resulting in the number of bitcoins produced forming a geometric series.

210000 * 50 (1+\frac{1}{2}+\frac{1}{4}+...)

According to this calculation, there will be a maximum of 21 million bitcoins.

As of 2022, Bitcoin miners receive 6.25 bitcoins for successfully mining a block.

Security Analysis of Bitcoin#

If a malicious node obtains accounting rights, it may do the following:

1. Forge an Illegal Transaction#

2. Double Spending#

The new block has been written to the blockchain - forking attack to roll back the transaction

The transaction is not written into the blockchain - initiating multiple transactions in a short time

This situation is also called zero confirmation, which is very common in practical applications.

3. Intentionally Not Writing Legal Transactions#

This is not a big problem; legal transactions can still be written into the next block, and there will always be honest nodes writing legal transactions.

4. Selfish Mining (Similar to 51% Attack)#

This is a method of forking attack, but malicious nodes generally need more than 51% of the computational power, which is difficult to achieve.

What Consensus Mechanism in the Bitcoin System Seeks to Achieve#

Thus, the content of the decentralized ledger in Bitcoin is the consensus to be reached; only nodes that obtain accounting rights can write into it.

Why Do People Compete for Accounting Rights?#

Why do people compete for accounting rights? First, the nodes with accounting rights have certain powers to decide which transactions are written into the next block.

Who Decides the Issuance of Currency?#

How to Obtain Accounting Rights (POW Proof of Work)#

By trying various random nonce values to solve the puzzle.

In Bitcoin, POW proof of work prevents Sybil attacks by counting votes based on computational power; even if many accounts are created, it does not enhance computational power.

Will Miners Steal Answers During Mining?#

Bernoulli Trial#

Bernoulli trial: a random experiment with binary outcomes.

A Bernoulli trial is a single random experiment with only two possible outcomes.

Bernoulli process

A Bernoulli process is a sequence of independent Bernoulli trials.

The mining process, where each attempt at a nonce can be viewed as a Bernoulli trial, constitutes a Bernoulli process.

One of its properties is: memorylessness. A property of the Bernoulli process is memorylessness, meaning that after many experiments, the previous results do not affect the subsequent ones.

The probability of successfully trying a nonce is very small, requiring a large number of experiments; at this point, a Poisson process can replace the Bernoulli process.

Progress Free - Guaranteeing Fairness in Mining#

What we are really concerned about is the system's block generation time. In probability theory, it can be derived that block time follows an exponential distribution.

The exponential distribution is also memoryless, which guarantees fairness in mining.

How Many Coins Can Be Created Out of Thin Air?#

At the beginning, when Bitcoin was first launched, each published block could generate a block reward of 50 bitcoins.

The block reward is halved approximately every four years, resulting in the number of bitcoins produced forming a geometric series.

210000 * 50 (1+\frac{1}{2}+\frac{1}{4}+...)

According to this calculation, there will be a maximum of 21 million bitcoins.

As of 2022, Bitcoin miners receive 6.25 bitcoins for successfully mining a block.

Security Analysis of Bitcoin#

If a malicious node obtains accounting rights, it may do the following:

1. Forge an Illegal Transaction#

2. Double Spending#

The new block has been written to the blockchain - forking attack to roll back the transaction

The transaction is not written into the blockchain - initiating multiple transactions in a short time

This situation is also called zero confirmation, which is very common in practical applications.

3. Intentionally Not Writing Legal Transactions#

This is not a big problem; legal transactions can still be written into the next block, and there will always be honest nodes writing legal transactions.

4. Selfish Mining (Similar to 51% Attack)#

This is a method of forking attack, but malicious nodes generally need more than 51% of the computational power, which is difficult to achieve.

What Consensus Mechanism in the Bitcoin System Seeks to Achieve#

Thus, the content of the decentralized ledger in Bitcoin is the consensus to be reached; only nodes that obtain accounting rights can write into it.

Why Do People Compete for Accounting Rights?#

Why do people compete for accounting rights? First, the nodes with accounting rights have certain powers to decide which transactions are written into the next block.

Who Decides the Issuance of Currency?#

How to Obtain Accounting Rights (POW Proof of Work)#

By trying various random nonce values to solve the puzzle.

In Bitcoin, POW proof of work prevents Sybil attacks by counting votes based on computational power; even if many accounts are created, it does not enhance computational power.

Will Miners Steal Answers During Mining?#

Bernoulli Trial#

Bernoulli trial: a random experiment with binary outcomes.

A Bernoulli trial is a single random experiment with only two possible outcomes.

Bernoulli process

A Bernoulli process is a sequence of independent Bernoulli trials.

The mining process, where each attempt at a nonce can be viewed as a Bernoulli trial, constitutes a Bernoulli process.

One of its properties is: memorylessness. A property of the Bernoulli process is memorylessness, meaning that after many experiments, the previous results do not affect the subsequent ones.

The probability of successfully trying a nonce is very small, requiring a large number of experiments; at this point, a Poisson process can replace the Bernoulli process.

Progress Free - Guaranteeing Fairness in Mining#

What we are really concerned about is the system's block generation time. In probability theory, it can be derived that block time follows an exponential distribution.

The exponential distribution is also memoryless, which guarantees fairness in mining.

How Many Coins Can Be Created Out of Thin Air?#

At the beginning, when Bitcoin was first launched, each published block could generate a block reward of 50 bitcoins.

The block reward is halved approximately every four years, resulting in the number of bitcoins produced forming a geometric series.

210000 * 50 (1+\frac{1}{2}+\frac{1}{4}+...)

According to this calculation, there will be a maximum of 21 million bitcoins.

As of 2022, Bitcoin miners receive 6.25 bitcoins for successfully mining a block.

Security Analysis of Bitcoin#

If a malicious node obtains accounting rights, it may do the following:

1. Forge an Illegal Transaction#

2. Double Spending#

The new block has been written to the blockchain - forking attack to roll back the transaction

The transaction is not written into the blockchain - initiating multiple transactions in a short time

This situation is also called zero confirmation, which is very common in practical applications.

3. Intentionally Not Writing Legal Transactions#

This is not a big problem; legal transactions can still be written into the next block, and there will always be honest nodes writing legal transactions.

4. Selfish Mining (Similar to 51% Attack)#

This is a method of forking attack, but malicious nodes generally need more than 51% of the computational power, which is difficult to achieve.

What Consensus Mechanism in the Bitcoin System Seeks to Achieve#

Thus, the content of the decentralized ledger in Bitcoin is the consensus to be reached; only nodes that obtain accounting rights can write into it.

Why Do People Compete for Accounting Rights?#

Why do people compete for accounting rights? First, the nodes with accounting rights have certain powers to decide which transactions are written into the next block.

Who Decides the Issuance of Currency?#

How to Obtain Accounting Rights (POW Proof of Work)#

By trying various random nonce values to solve the puzzle.

In Bitcoin, POW proof of work prevents Sybil attacks by counting votes based on computational power; even if many accounts are created, it does not enhance computational power.

Will Miners Steal Answers During Mining?#

Bernoulli Trial#

Bernoulli trial: a random experiment with binary outcomes.

A Bernoulli trial is a single random experiment with only two possible outcomes.

Bernoulli process

A Bernoulli process is a sequence of independent Bernoulli trials.

The mining process, where each attempt at a nonce can be viewed as a Bernoulli trial, constitutes a Bernoulli process.

One of its properties is: memorylessness. A property of the Bernoulli process is memorylessness, meaning that after many experiments, the previous results do not affect the subsequent ones.

The probability of successfully trying a nonce is very small, requiring a large number of experiments; at this point, a Poisson process can replace the Bernoulli process.

Progress Free - Guaranteeing Fairness in Mining#

What we are really concerned about is the system's block generation time. In probability theory, it can be derived that block time follows an exponential distribution.

The exponential distribution is also memoryless, which guarantees fairness in mining.

How Many Coins Can Be Created Out of Thin Air?#

At the beginning, when Bitcoin was first launched, each published block could generate a block reward of 50 bitcoins.

The block reward is halved approximately every four years, resulting in the number of bitcoins produced forming a geometric series.

210000 * 50 (1+\frac{1}{2}+\frac{1}{4}+...)

According to this calculation, there will be a maximum of 21 million bitcoins.

As of 2022, Bitcoin miners receive 6.25 bitcoins for successfully mining a block.

Security Analysis of Bitcoin#

If a malicious node obtains accounting rights, it may do the following:

1. Forge an Illegal Transaction#

2. Double Spending#

The new block has been written to the blockchain - forking attack to roll back the transaction

The transaction is not written into the blockchain - initiating multiple transactions in a short time

This situation is also called zero confirmation, which is very common in practical applications.

3. Intentionally Not Writing Legal Transactions#

This is not a big problem; legal transactions can still be written into the next block, and there will always be honest nodes writing legal transactions.

4. Selfish Mining (Similar to 51% Attack)#

This is a method of forking attack, but malicious nodes generally need more than 51% of the computational power, which is difficult to achieve.

What Consensus Mechanism in the Bitcoin System Seeks to Achieve#

Thus, the content of the decentralized ledger in Bitcoin is the consensus to be reached; only nodes that obtain accounting rights can write into it.

Why Do People Compete for Accounting Rights?#

Why do people compete for accounting rights? First, the nodes with accounting rights have certain powers to decide which transactions are written into the next block.

Who Decides the Issuance of Currency?#

How to Obtain Accounting Rights (POW Proof of Work)#

By trying various random nonce values to solve the puzzle.

In Bitcoin, POW proof of work prevents Sybil attacks by counting votes based on computational power; even if many accounts are created, it does not enhance computational power.

Will Miners Steal Answers During Mining?#

Bernoulli Trial#

Bernoulli trial: a random experiment with binary outcomes.

A Bernoulli trial is a single random experiment with only two possible outcomes.

Bernoulli process

A Bernoulli process is a sequence of independent Bernoulli trials.

The mining process, where each attempt at a nonce can be viewed as a Bernoulli trial, constitutes a Bernoulli process.

One of its properties is: memorylessness. A property of the Bernoulli process is memorylessness, meaning that after many experiments, the previous results do not affect the subsequent ones.

The probability of successfully trying a nonce is very small, requiring a large number of experiments; at this point, a Poisson process can replace the Bernoulli process.

Progress Free - Guaranteeing Fairness in Mining#

What we are really concerned about is the system's block generation time. In probability theory, it can be derived that block time follows an exponential distribution.

The exponential distribution is also memoryless, which guarantees fairness in mining.

The memorylessness of the exponential distribution means that the probability distribution curve has the characteristic that if you truncate it from any point, the remaining part of the curve is the same as the original. For example: **If it has been ten minutes and no one has found a valid block, how much longer do we need to wait? We still refer to the probability density function distribution; on average, we still