Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
514 lines (371 sloc) 15.4 KB

labels: Blog Cryptography Blockchain Bitcoin image: /2016/09/bitcoinmining.png description: There is a lottery in bitcoin network that takes place every ~10 minutes. The lottery winner submits a new block to blockchain and awards with bitcoins. The winner is someone who was first to find a nonce that beeing concatenated with some other data results in a hash function output smaller than some value keywords: bitcoin,mining,sha256 created: 2016-09-27T12:47 modified: 2016-10-02T11:52 place: Phuket, Thailand comments: true

SHA-256 and bitcoin mining

[TOC]

There is a lottery in bitcoin network that takes place every ~10 minutes. The lottery winner submits a new block to blockchain (if the majority of the network agrees with it) and awards with bitcoins (25 initally, halve every 210000 blocks or ~4 years). The winner is someone who was first to find a nonce (a number) that beeing concatenated with some other data (including previous block hash and timestamp) results in a hash function output smaller than some value (difficulty, adjusts every ~2 weeks in order to keep the time needs to resolve the task in about 10 minutes).

What to hash:

  • version: 0x20000000
  • reversed previous block hash
  • transactions (reversed Merkle tree root)
  • timestamp
  • nonce
block_hash = sha256(sha256(
	version +
	reversed(prev_block) +
    reversed(mrkl_root) +
    timestamp +
    bits +
    nonce
))

An example using python

Took a block from the blockchain:

Previous block: 00000000000000000146161cdb757ffc5a8b22dff06b27a76f6f7d0584f5df05 Hash: 00000000000000000244bf1d3600aada272d2d08aa1919a88ba9ecd14f42f3ae Merkle root: 536e129807282bf22dcb0c169dc0e5cfeb47dac85c7afde3afb2e0fb02161076 Timestamp: 2016-09-27 13:38:38 (0x57ea765e) Bits: 402951892 (0x18048ed4) Nonce: 2612046070 (0x9bb0a8f6)

bits = 0x18048ed4
exp = bits >> 24  # 0x18
mant = bits & 0xffffff  # 0x48ed4
target_hexstr = '%064x' % (mant * (1<<(8*(exp - 3))))
# '0000000000000000048ed4000000000000000000000000000000000000000000'
import hashlib
import struct
import binascii


sha256 = hashlib.sha256


block = (
	struct.pack('<L', 0x20000000) +
	bytes.fromhex('00000000000000000146161cdb757ffc5a8b22dff06b27a76f6f7d0584f5df05')[::-1] +
	bytes.fromhex('536e129807282bf22dcb0c169dc0e5cfeb47dac85c7afde3afb2e0fb02161076')[::-1] +
	struct.pack('<LLL', 0x57ea765e, 0x18048ed4, 0x9bb0a8f6)
)


first_hash = sha256(block).digest()
second_hash = sha256(first_hash).digest()


print(binascii.b2a_hex(block))
print(binascii.b2a_hex(first_hash[::-1]))
print(binascii.b2a_hex(second_hash[::-1]))

# b'0000002005dff584057d6f6fa7276bf0df228b5afc7f75db1c164601000000000000000076101602fbe0b2afe3fd7a5cc8da47ebcfe5c09d160ccb2df22b280798126e535e76ea57d48e0418f6a8b09b'
# b'57e9fff3d914c07dd4eadc189887cbcc0ead44bc0e753c6ee963e59e618b215d'
# b'00000000000000000244bf1d3600aada272d2d08aa1919a88ba9ecd14f42f3ae'

SHA-256

This code has been written just for fun, it is slow and may produce inaccurate results. The idea was to transition from mathematics to an algorithm.

sha256.py gist on GitHub.

import binascii
import hashlib
import itertools


def int_to_list(n):

    return [int(i) for i in '{:32b}'.format(n).replace(' ', '0')]


def list_to_int(l):

    s = 0
    c = 1
    for i in reversed(l):
        s += i * c
        c *= 2

    return s


def list_to_digest(binary):

    res = b''
    for i in range(0, len(binary), 8):
        res += list_to_int(binary[i: i + 8]).to_bytes(1, byteorder='big')
    return res


def bin_maj(*parts):

    res = []
    for i in range(0, 32):
        s = 0
        for part in parts:
            s += part[i]
        res.append(1 if s > len(parts) // 2 else 0)

    return res


def bin_rrot(a, shift):

    return a[-shift:] + a[:-shift]


def bin_rshift(a, shift):

    return (shift * [0]) + list(a[:-shift])


def bin_xor(*parts):

    res = []
    for i in range(0, len(parts[0])):
        s = 0
        for part in parts:
            s += part[i]
        res.append(1 if s % 2 == 1 else 0)
    return res


def bin_ch(n, l1, l2):

    res = []
    for i in range(0, len(n)):
        res.append(l1[i] if n[i] else l2[i])
    return res


def bin_sum(*parts):

    res = []
    mov = 0
    for i in range(0, len(parts[0])):
        s = 0
        for p in parts:
            s += p[-i-1]
        s += mov
        res.append(s % 2)
        mov = s // 2
    res.reverse()
    return res[-32:]


def to_chunks(iterable, n=512):

    it = iter(iterable)
    while True:
        chunk = tuple(itertools.islice(it, n))
        if not chunk:
            return
        yield chunk


# Provided by NSA

_k = (
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
    0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
    0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
    0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
    0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
    0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
    0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
    0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
    0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
)

_h = (
    0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
    0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
)


def preprocess(data_str):

    data_bin = []
    for c in data_str:
        for i in '{:8b}'.format(c).replace(' ', '0'):
            data_bin.append(int(i))

    data_bin.append(1)

    while len(data_bin) % 512 != 448:
        data_bin.append(0)

    for i in '{:64b}'.format(len(data_str) * 8).replace(' ', '0'):
        data_bin.append(int(i))

    return data_bin


def sha256(data):

    a0, b0, c0, d0, e0, f0, g0, h0 = map(int_to_list, _h)

    for chunk in to_chunks(preprocess(data), n=512):

        w = [0] * 64
        w[0:16] = to_chunks(chunk, n=32)

        for i in range(16, 64):
            s0 = bin_xor(bin_rrot(w[i-15], 7), bin_rrot(w[i-15], 18), bin_rshift(w[i-15], 3))
            s1 = bin_xor(bin_rrot(w[i-2], 17), bin_rrot(w[i-2], 19), bin_rshift(w[i-2], 10))

            w[i] = bin_sum(
                w[i-16],
                s0,
                w[i-7],
                s1
            )

        a, b, c, d, e, f, g, h = a0, b0, c0, d0, e0, f0, g0, h0

        for i in range(0, 64):

            sum1 = bin_sum(
                w[i],
                int_to_list(_k[i]),
                h,
                bin_ch(e, f, g),
                bin_xor(bin_rrot(e, 6), bin_rrot(e, 11), bin_rrot(e, 25))
            )

            sum2 = bin_sum(
                bin_xor(bin_rrot(a, 2), bin_rrot(a, 13), bin_rrot(a, 22)),
                bin_maj(a, b, c),
                sum1
            )

            a, b, c, d, e, f, g, h = sum2, a, b, c, bin_sum(d, sum1)[-32:], e, f, g

        a0 = bin_sum(a0, a)
        b0 = bin_sum(b0, b)
        c0 = bin_sum(c0, c)
        d0 = bin_sum(d0, d)
        e0 = bin_sum(e0, e)
        f0 = bin_sum(f0, f)
        g0 = bin_sum(g0, g)
        h0 = bin_sum(h0, h)

    return a0 + b0 + c0 + d0 + e0 + f0 + g0 + h0


if __name__ == '__main__':
    assert binascii.b2a_hex(list_to_digest(sha256(''))) == b'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
    block = b'0000002005dff584057d6f6fa7276bf0df228b5afc7f75db1c164601000000000000000076101602fbe0b2afe3fd7a5cc8da47ebcfe5c09d160ccb2df22b280798126e535e76ea57d48e0418f6a8b09b'
    assert list_to_digest(sha256(block)) == hashlib.sha256(block).digest()

Optimizations

Bitcoin mining schema

Image source.

On the image:

  • green: fixed data
  • yellow: changes slowly (for each new block)
  • red: changes frequently

One may notice that if we manipulate only nonce we may reuse results of the first computation.

Here we omit sha256 computation of first message parts for all nonce except the first one:

bitcoinminer.py on Gist.

import struct


class Miner():

    def __init__(self, previous_hash, transactions_hash, timestamp, bits, nonces):
        self.previous_hash = previous_hash
        self.transactions_hash = transactions_hash
        self.timestamp = timestamp
        self.bits = bits
        self.nonces = nonces

    _h = (
        0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
        0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
    )

    _k = (
        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
        0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
        0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
        0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
        0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
        0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
        0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
        0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
        0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
        0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
        0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
        0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
        0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
        0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
    )

    @staticmethod
    def rrot(v, shift):
        return ((v >> shift) | (v << (32-shift))) & 0xFFFFFFFF

    @staticmethod
    def ch(a, b, c):
        return (a & b) ^ ((~a) & c)

    @staticmethod
    def maj(a, b, c):
        return (a & b) ^ (a & c) ^ (b & c)

    @classmethod
    def get_w(cls, block):
        w = [0] * 64
        w[0:16] = [(block >> (480 - i * 32)) & 0xffffffff for i in range(0, 16)]

        for i in range(16, 64):

            w[i] = (
                w[i-16] +
                (cls.rrot(w[i-15], 7) ^ cls.rrot(w[i-15], 18) ^ (w[i-15] >> 3)) +
                w[i-7] +
                (cls.rrot(w[i-2], 17) ^ cls.rrot(w[i-2], 19) ^ (w[i-2] >> 10))
            ) & 0xffffffff

        return w

    @classmethod
    def iteration(cls, w, k, a, b, c, d, e, f, g, h):

        s = (w + k + h + cls.ch(e, f, g) + (cls.rrot(e, 6) ^ cls.rrot(e, 11) ^ cls.rrot(e, 25))) & 0xffffffff

        a, b, c, d, e, f, g, h = (
            ((cls.rrot(a, 2) ^ cls.rrot(a, 13) ^ cls.rrot(a, 22)) + cls.maj(a, b, c) + s) & 0xffffffff,
            a, b, c,
            (d + s) & 0xffffffff,
            e, f, g
        )

        return a, b, c, d, e, f, g, h

    def run(self):

        pack = (
            struct.pack('<L', 0x20000000) +
            bytes.fromhex(self.previous_hash)[::-1] +
            (bytes.fromhex(self.transactions_hash)[::-1])[:-4]
        )
        block = 0
        for i in pack[:512]:
            block = (block << 8) | i

        w = self.get_w(block)
        sha1 = list(self._h)

        for i in range(0, 64):
            sha1 = self.iteration(w[i], self._k[i], *sha1)
        sha1 = [(sha1[i] + self._h[i]) & 0xffffffff for i in range(0, 8)]

        results = []

        for nonce in self.nonces:

            pack = (
                (bytes.fromhex(self.transactions_hash)[::-1])[-4:] +
                struct.pack('<LLL', self.timestamp, self.bits, nonce) +
                struct.pack('>LLLLLLLLLLLL', 0x80000000, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 640)
            )
            block = 0
            for i in pack[:512]:
                block = (block << 8) | i

            w = self.get_w(block)

            sha2 = list(sha1)
            for i in range(0, 64):
                sha2 = self.iteration(w[i], self._k[i], *sha2)
            sha2 = [((sha2[i] + sha1[i]) & 0xffffffff) for i in range(0, 8)]

            block = 0
            for i in range(0, 8):
                block = block << 32 | sha2[i]
            block = (block << 256) | (1 << 255) | 256

            w = self.get_w(block)

            sha3 = list(self._h)
            for i in range(0, 64):
                sha3 = self.iteration(w[i], self._k[i], *sha3)
            sha3 = [(sha3[i] + self._h[i]) & 0xffffffff for i in range(0, 8)]

            result = 0
            for i in struct.pack('>LLLLLLLL', *sha3)[::-1]:
                result = (result << 8) | i

            results.append(result)

        return results


if __name__ == '__main__':
    previous_hash = '00000000000000000146161cdb757ffc5a8b22dff06b27a76f6f7d0584f5df05'
    transactions_hash = '536e129807282bf22dcb0c169dc0e5cfeb47dac85c7afde3afb2e0fb02161076'
    timestamp = 1474983518
    bits = 0x18048ed4
    nonces = [
        0x9bb0a8f6,
        0xabb0a8f6
    ]

    assert Miner(previous_hash=previous_hash,
        transactions_hash=transactions_hash,
        timestamp=timestamp,
        bits=bits,
        nonces=nonces
    ).run() == [
        55624467632295270487489375918890129241800824638908068782,
        75916835553102774891823884113900634385218467396093025039177034268615350443547
    ]

It gives us about 30% efficiency increase. We may still improve the algorithm for a few more percents (see The Unreasonable Fundamental Incertitudes Behind Bitcoin Mining).

Hardware

Mining with CPU: ~4000W / GH. Mining with GPU: ~210W / GH (Radeon 7790). Mining with FPGA (45nm): ~50W / GH. Mining with ASIC (16nm): ~0.1W / GH, 14TH/s (ANTMINER S9, 12 June 2016 model).

Vocabulary

Big and small endian

Endianness is the order of the bytes that compose a digital word in computer memory. When storing a word in big-endian format the most significant byte, which is the byte containing the most significant bit, is stored first.

See python struct Byte Order, Size, and Alignment.

import struct
import binascii


binascii.b2a_hex(struct.pack('<L', 10))  # little-endian
# b'0a000000'
binascii.b2a_hex(struct.pack('>L', 10))  # big-endian
# b'0000000a'

L - unsigned long, 4 bites.

Hash digest

Accrding to hashlib - Secure hashes and message digests:

Return the digest of the data passed to the update() method so far. This is a bytes object of size digest_size which may contain bytes in the whole range from 0 to 255.

Links

Bitcoin mining the hard way: the algorithms, protocols, and bytes, Ken Shirriff's blog pysha2 by thomdixon on GitHub Mining Bitcoin with pencil and paper: 0.67 hashes per day on Ken Shirriff's blog Endianness on Wikipedia SHA-2 on Wikipedia The Unreasonable Fundamental Incertitudes Behind Bitcoin Mining paper by Nicolas T. Courtois, Marek Grajek and Rahul Naik