PoW is essentially a decentralized clock

Original: Blockchain Proof-of-Work Is a Decentralized Clock

The original text starts from the basic problem of how the blockchain keeps transactions in order, elaborates on this problem in detail, and proposes that PoW essentially implements a "clock". One tick of this clock corresponds to one PoW solution being found.

This article explains the key elements of Bitcoin PoW (Proof-of-Work), especially the one feature that is indispensable for PoW, and also shows that some other features often discussed in connection with PoW, such as security, are actually secondary. These secondary effects are useful, but not necessary.

To understand this article, it is first necessary to understand some interesting properties of how PoW works in blockchains. They are not very intuitive, and some are even counter-intuitive, such as how participants can solve a problem together without ever communicating with each other.

When you understand these properties, you should be able to draw a conclusion: the mechanism of PoW mainly implements a distributed, decentralized time system, that is, a clock.

Note that this article does not focus on the details of the PoW algorithm itself, but instead explores how the blockchain "fits perfectly" with PoW. If you haven't heard of PoW, please read here.

Distributed ledger time ordering problem

Before talking about the solution, let's focus on the problem itself. Much of the PoW literature is confusing because it often tries to articulate the solution without articulating the problem.

There is no doubt that any ledger needs to be in order. You can't send money that you haven't received, and you can't spend money that's already been spent. Blockchain transactions (or blocks containing transactions) must be ordered unambiguously, and without a trusted third party.

Even if the blockchain is not a ledger but just data, like a log, order is essential if all nodes want to jointly maintain an identical copy of the blockchain. If the transaction order is different, the two chains are different.

But how can this be achieved if transactions are generated by anonymous participants around the world and there is no centralized authority responsible for ordering transactions? Some would argue that transactions (or blocks) can contain timestamps, but how can these timestamps be trusted?

Time is a human concept, and any source of time, such as an atomic clock, is a "trusted third party". Beyond that, clocks are slightly inaccurate most of the time due to network delays and relativistic effects. Unfortunately, in a decentralized system, it is impossible to determine the order of events through timestamps.

The "time" we care about is not the familiar concept of year, month, and day. What we need is a mechanism that can be used to confirm that one event happened before another, or possibly concurrently.

In order to establish the concept of before and after, one must first establish the concept of a point in time. In theory, establishing the concept of a point in time seems unlikely, since no technology can measure a Planck. But you will see that Bitcoin gets around this problem by creating its own concept of time, making it de facto possible to establish a precise concept of a point in time.

This problem is described in detail in Leslie Lamport's 1978 paper "Time, Clocks, and the Ordering of Events in a Distributed System", but the paper does not actually provide a detailed solution other than "properly synchronized physical clocks". Lamport also described the "Byzantine Generals Problem" in 1982, and Satoshi Nakamoto explained how PoW solves this problem. The Bitcoin white paper states "in order to implement a distributed timestamp server, we will use a proof-of-work system", which also shows that PoW mainly solves the problem of timestamps.

Time is the fundamental issue

It must be emphasized that in a distributed system, it is impossible to associate events with points in time. This was an unsolved problem, and it was not until Satoshi Nakamoto found a solution that distributed ledgers became possible. There are many other technical details in blockchain, but time is the most fundamental and most important. Without time, there is no blockchain.

PoW Review

In short, Bitcoin's PoW is a value whose SHA-2 hash satisfies a certain condition, and such a value is hard to find. The difficulty is set by requiring the hash to be below a specific number. The smaller that number, the fewer inputs satisfy the condition, and the more difficult it is to find a solution.

This is called "Proof of Work" because solutions that satisfy the hashing requirements are very rare, which means that finding such a solution requires a lot of trial and error, aka "work". And work means time.

No change between blocks

The state of the chain is reflected by blocks, and each new block produces a new state. The state of the blockchain pushes forward one block at a time, with an average of 10 minutes per block, which is the smallest unit of time measurement in the blockchain.

SHA is memoryless and progress-free

SHA (Secure Hash Algorithm) is what statistics and probability call memoryless. For us humans, memorylessness is a bit counter-intuitive. Memorylessness means that no matter what happened before, it does not affect the probability of this event happening.

The best example of memorylessness is tossing a coin. If a coin is heads 10 times in a row, is it more likely to be tails the next time? Our intuition is that it will, but in reality, no matter what the last result was, every coin toss has a 50/50 chance of heads and tails.

For problems that must be progress-free, memorylessness is a necessary condition. Progress-free means that when miners try to solve a puzzle by iterating over nonces, each attempt is an independent event, and the probability of finding the answer is fixed for each attempt, no matter how many attempts have been made before. In other words, with each attempt, the participant does not get any closer to the "answer" and makes no progress. As far as the next attempt is concerned, a miner who has been hashing for a year has the same probability of success as a miner who started hashing in the last second.

In a specified time, given a difficulty, the probability of finding an answer is uniquely determined by how fast all participants can iterate through hashes. It has nothing to do with previous history and nothing to do with the data, only with computing power.

Thus, hashrate is a function of the number of participants and the speed of those devices used to calculate the hash.

SHA is input independent

In Bitcoin, the input is the block header. But if you pass it some random value, the probability of finding a suitable hash is still the same. Whether the input is a valid block header, or some random bytes in /dev/random, it takes an average of 10 minutes to find a solution.

If you find a suitable hash, but the input is not a valid block header, the block cannot be on-chain, but it is still a proof-of-work (even if useless).
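The two properties above, progress-freeness and input independence, can be checked empirically. The following Python code is an added example, not part of the original article; the toy difficulty of 8 bits, the constructed inputs and all function names are assumptions.

```python
import hashlib
import random

TARGET_BITS = 8                          # toy difficulty: one hash in 2**8 succeeds
TARGET = 1 << (256 - TARGET_BITS)        # an attempt wins if its hash is below this

def attempts_until_solution(data: bytes) -> int:
    """Count nonces tried until double SHA-256(data || nonce) falls below TARGET."""
    nonce = 0
    while True:
        payload = data + nonce.to_bytes(8, "little")
        digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
        nonce += 1
        if int.from_bytes(digest, "big") < TARGET:
            return nonce

def survival(samples, n):
    """Fraction of puzzles still unsolved after n attempts, i.e. P(T > n)."""
    return sum(s > n for s in samples) / len(samples)

def experiment(puzzles=1500, seed=1):
    rng = random.Random(seed)            # seeded so the run is repeatable
    # Constructed inputs: header-like strings versus arbitrary random bytes.
    structured = [b"prev=%064x;height=%d" % (i * 7919, i) for i in range(puzzles)]
    noise = [bytes(rng.getrandbits(8) for _ in range(80)) for _ in range(puzzles)]
    t_struct = [attempts_until_solution(d) for d in structured]
    t_noise = [attempts_until_solution(d) for d in noise]
    n, k = 256, 128
    return {
        "mean_structured": sum(t_struct) / puzzles,
        "mean_random": sum(t_noise) / puzzles,
        "fresh": survival(t_struct, k),                                # P(T > k)
        "veteran": survival(t_struct, n + k) / survival(t_struct, n),  # P(T > n+k | T > n)
    }

if __name__ == "__main__":
    for name, value in experiment().items():
        print(f"{name:16s} {value:8.3f}")
```

Both means should sit near 256 = 2^8 whatever the input looks like, and "fresh" and "veteran" should agree to within sampling noise: a miner who has already failed 256 times is no closer to a solution than one who just started.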

Difficulty is intergalactic

Surprisingly, the difficulty is universal, which means it spans the entire universe, everywhere. Miners on Mars can also participate in mining. They do not need to be aware of the miners on Earth, nor do they need to communicate with them, and a "hard problem" will still be solved every 10 minutes. (Well, they need to tell the miners on Earth when they solve the puzzle, or we'll never know.)

What's remarkable is that the distant participants do not need to actually communicate with one another, because they are jointly solving the same statistical problem, and they are not even aware of each other's presence.

The "universal property" looks amazing at first, but it's actually pretty easy to explain. I used the word "universal" because one word is enough to describe it, but it really means "all participants know (this difficulty)".

The input to SHA-256 can be any integer between 0 and 2^256 (because the output is 32 bytes, that is, also between 0 and 2^256, any number outside this range is guaranteed to cause a collision and is therefore redundant). Even though the set is already very large (larger than the number of atoms in the known universe), each participant knows the set and can only pick numbers from it.

If the input set is known to the world, SHA-256 is known to the world, and the difficulty requirement is also known to the world, then the probability of finding a solution is naturally "universal".

Calculating SHA is participating

If the problem is to find a suitable hash, then all it takes is one try, and with that one try you have already affected the entire hashrate. As far as this attempt is concerned, you have become a participant helping other people solve their problem. You don't need to tell others that you "did it" (unless you found the answer), and others don't need to know, but this attempt to find a solution really does affect the outcome. The same is true for the entire universe.

If the above statement still doesn't seem convincing, a good analogy is the problem of finding large primes. Finding the largest prime number is difficult, and once found, it is "found" or "known". There are an infinite number of prime numbers, but there is only one instance of each number in the entire universe. So whoever tries to find the largest prime is solving the same problem, not a separate instance of the problem. You don't need to tell other people that you are going to find the largest prime number, you just need to notify others when you find it. If no one ever looks for the largest prime number, it will never be found. So just participating (aka trying to find primes), even if it's going on in secret, will still affect the results, as long as the last discovery (if found) is published.

That's the subtlety of Satoshi Nakamoto's design: he exploits this incredible statistical phenomenon that any participation affects the outcome, even if done secretly, even if it hasn't been successful.

It's worth noting that because SHA is progress-free, each attempt can be considered a participant joining and then immediately leaving. Therefore, it can be understood that miners come and go, countless times per second.

Participation revealed by statistics

This magical secret participation property works the other way around. The global computing power displayed on many websites does not come from each miner registering with a certain "miner registration office" and reporting their computing power on a regular basis. There is no such thing.

The computing power is known because, to find a solution of a given difficulty in 10 minutes, one must on average try this many times (about 10^21 at the time of writing), no matter who or where one is.

We don't know who these actors are. They never say "I'm involved", and the people who don't find a solution (which is practically all of them) never tell anyone else that they're doing calculations. They may be anywhere in the world, but we are sure they must exist, because as time goes on, the problem (finding a hash that satisfies the condition) keeps being solved.
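How such a figure can be derived from public data alone, as an added example (not from the original article): the expected number of attempts follows from the target, and dividing by the observed tick interval gives the hashrate. The compact "bits" decoding follows Bitcoin's block header format and 0x1d00ffff is its difficulty-1 value; the timestamps and function names are constructed for illustration.

```python
def bits_to_target(bits: int) -> int:
    """Decode Bitcoin's compact 'bits' field: one exponent byte, three mantissa bytes."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))

def expected_hashes(target: int) -> int:
    """A hash is uniform over 2**256 values and wins if hash <= target."""
    return 2**256 // (target + 1)

def estimate_hashrate(bits: int, timestamps: list) -> float:
    """Hashes per second implied by how fast ticks arrived at this difficulty."""
    if len(timestamps) < 2 or timestamps[-1] <= timestamps[0]:
        raise ValueError("need at least two blocks spanning a positive interval")
    ticks = len(timestamps) - 1
    elapsed = timestamps[-1] - timestamps[0]
    return expected_hashes(bits_to_target(bits)) * ticks / elapsed

# Constructed sample: six block timestamps (seconds), five ticks in 3000 s.
SAMPLE_BITS = 0x1D00FFFF
SAMPLE_TIMESTAMPS = [0, 540, 1310, 1790, 2400, 3000]

if __name__ == "__main__":
    work = expected_hashes(bits_to_target(SAMPLE_BITS))
    rate = estimate_hashrate(SAMPLE_BITS, SAMPLE_TIMESTAMPS)
    print(f"expected attempts per tick: {work}")
    print(f"implied hashrate: {rate:.1f} H/s")
```

No miner reports anything here: the estimate uses only the difficulty and the spacing of the ticks, both of which are visible in the chain itself.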

Work is a clock

The point is: the difficulty of finding a hash that satisfies the condition plays the role of a clock. It is a universal clock: because there is only one such clock in the entire universe, no synchronization is required, and anyone can "see" this clock.

It doesn't matter if this clock is imprecise. What matters is that it is the same clock for all, and the state of the chain is unambiguously tied to the ticks of this clock.

This clock is operated by an unknown number of participants spread across the planet, who are completely independent of each other.

Last part of the puzzle

The solution must be the hash of a block (to be precise, of the block header). As mentioned above, for SHA, it doesn't matter what the input is, but if it's a real block, then whenever a solution is found, it happens at the tick of the PoW clock. Not earlier, not later, but just at this point. We know this is unambiguous because blocks are part of the whole mechanism.

In other words, if the block is not an input to the SHA256 function, we still have a distributed clock, but we cannot bind the block to the ticks of this clock. Taking the block as input solves the problem.

It's worth noting that our PoW clock only provides ticks. We have no way to tell the order from the ticks alone, so a hash chain is introduced.

Distributed consensus

Consensus means agreement. All participants have no choice but to agree that "the clock is ticking". And everyone knows the ticks and the attached data. This does solve the Byzantine Generals problem, as explained by Satoshi Nakamoto in an email.

In a rare but common case where there is a consensus split, two consecutive ticks are associated with a block and conflict. This conflict is resolved by which block is associated with the next tick, which makes the disputed block an "orphan". How the chain continues is a matter of chance, which may also be indirectly attributed to PoW's clock.
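A toy version of the binding described in the last two sections, added here as an example and not taken from the original article: the block data is part of the hashed header, each header names its predecessor's hash, and a split is settled by where the next tick lands. The header layout, the 12-bit toy difficulty and all names are assumptions; real Bitcoin compares accumulated work rather than block count.

```python
import hashlib

GENESIS = "0" * 64
TARGET = 1 << 244     # toy difficulty (assumption): about one hash in 4096 is a tick

def header_hash(prev: str, data: str, nonce: int) -> str:
    raw = f"{prev}|{data}|{nonce}".encode()
    return hashlib.sha256(hashlib.sha256(raw).digest()).hexdigest()

def block_id(block: dict) -> str:
    return header_hash(block["prev"], block["data"], block["nonce"])

def mine(prev: str, data: str) -> dict:
    """Search nonces until the header hash is a tick; the block data is in the input."""
    nonce = 0
    while int(header_hash(prev, data, nonce), 16) >= TARGET:
        nonce += 1
    return {"prev": prev, "data": data, "nonce": nonce}

def extend(chain: list, data: str) -> list:
    prev = block_id(chain[-1]) if chain else GENESIS
    return chain + [mine(prev, data)]

def valid_chain(chain: list) -> bool:
    """Each block must be a tick (hash below TARGET) and name its predecessor's hash."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev or int(block_id(block), 16) >= TARGET:
            return False
        prev = block_id(block)
    return True

def resolve(a: list, b: list) -> list:
    """Consensus split: keep the valid branch that more ticks have landed on."""
    return max((c for c in (a, b) if valid_chain(c)), key=len)

def demo() -> dict:
    base = extend([], "alice pays bob 1")
    main = extend(extend(base, "bob pays carol 1"), "carol pays dave 1")
    rival = extend(base, "bob pays eve 1")          # competing block on the same parent
    swapped = [main[0], main[2], main[1]]           # same ticks, different order
    edited = [dict(main[0], data="alice pays eve 1")] + main[1:]  # data changed under a tick
    return {"main": valid_chain(main), "swapped": valid_chain(swapped),
            "edited": valid_chain(edited), "winner_is_main": resolve(main, rival) is main}

if __name__ == "__main__":
    print(demo())
```

Reordering the blocks or changing the data under an existing tick both fail verification, which is the sense in which the hash chain supplies the order that the ticks alone do not.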

That's it

This is the PoW (Proof of Work) of the blockchain. It's not a "lottery" in which miners win the right to a block, nor is it about converting actual energy into a valuable concept. Those are beside the point.

For example, from the perspective of miner rewards, although these rewards motivate miners to participate, they are not a necessary factor for the birth of the blockchain. Block hashes form a chain, but this has nothing to do with the amount of work. The chain is cryptographically enforced to guarantee the order of the blocks. The chain of hashes makes the previous ticks "more certain", "harder to repudiate", or in short, more secure.

PoW also makes blocks immutable, which is a nice side effect and also makes Segregated Witness possible, but Segregated Witness can also be achieved by preserving signatures (witness), so this is secondary too.

In conclusion

Bitcoin's PoW is just a distributed, decentralized clock.

If you understand this explanation, then you should be able to better understand the similarities and differences between PoW and PoS. Obviously, the two are not comparable: PoS is about (randomly distributed) authority, while PoW is a clock.

In the context of blockchain, the name PoW may be a misnomer. The term comes from the Hashcash project, where it is indeed used to prove work. In blockchain, it's mostly about verifiable time spent. When one finds a hash that satisfies the difficulty, we know it must have taken some time. The way to implement a time delay is "work", and the hash is the proof of that time.

The fact that PoW is about time and not work also suggests that there may be some other statistical problems that also consume time but require less energy. It could also mean that the Bitcoin hashrate is a bit "excessive", since the Bitcoin clock we described above is credible with only a fraction of the hashrate, and it's the incentive structure that drives energy consumption.

If you find a way to tick synchronously that requires less work, which is a trillion dollar problem, please do let me know!

PS Special thanks to Sasha Trubetskoy of UChicago Statistics for her review and suggestions on the above text.
