读比特币白皮书(4.Proof-of-Work,工作量证明)
原文
To implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proofof-work system similar to Adam Back's Hashcash [6], rather than newspaper or Usenet posts. The proof-of-work involves scanning for a value that when hashed, such as with SHA-256, the hash begins with a number of zero bits. The average work required is exponential in the number of zero bits required and can be verified by executing a single hash. For our timestamp network, we implement the proof-of-work by incrementing a nonce in the block until a value is found that gives the block's hash the required zero bits. Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it.
The proof-of-work also solves the problem of determining representation in majority decision making. If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs. Proof-of-work is essentially one-CPU-one-vote. The majority decision is represented by the longest chain, which has the greatest proof-of-work effort invested in it. If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains. To modify a past block, an attacker would have to redo the proof-of-work of the block and all blocks after it and then catch up with and surpass the work of the honest nodes. We will show later that the probability of a slower attacker catching up diminishes exponentially as subsequent blocks are added. To compensate for increasing hardware speed and varying interest in running nodes over time, the proof-of-work difficulty is determined by a moving average targeting an average number of blocks per hour. If they're generated too fast, the difficulty increases.
译文整理
为了在点对点的环境中构建一个分布式的时间戳服务,仅仅像报纸或新闻网络组那样是不够的,我们需要一个类似于亚当•柏克(Adam Back)提出的哈希现金(Hashcash)[6]那样的工作量证明(proof of work)系统 。在进行Hash运算时,工作量证明机制引入了对某一个特定值的扫描工作,比方说SHA-256下,Hash值以一个或多个0开头。那么随着要求的0比特数量上升, 找到这个解所需要的工作量将呈指数增长,而对结果进行验证则仅需要一次Hash运算。
我们在区块中增加一个随机数(Nonce),这个随机数要使得该给定区块的hash值出现了所需的特定数量个0。我们通过反复尝试来找到这个随机数,直到找到为止,这样我们就构建了一个工作量证明机制。只要该CPU耗费的工作量能够满足该工作量证明机制,那么该区块的信息无法被更改,除非重新完成之前所有的工作量。由于之后的区块是链接在该区块之后的,所以想要更改当前区块中的信息,就需要重新完成之后所有区块的全部工作量。
同时,该工作量证明机制还解决了在集体投票表决时,谁是大多数的问题。如果决定大多数的方式是基于IP地址的,一IP地址一票,那么如果有人拥有分配大量IP地址的权力,则该机制就被破坏了。而工作量证明机制的本质则是一CPU一票。“大多数”的决定被表达为最长的链,因为最长的链包含了最大的工作量。如果大多数的CPU为诚实的节点控制,那么诚实的链条将以最快的速度延长,并超越其他的竞争链条。如果想要对历史区块进行修改,攻击者必须重新完成该区块的工作量外加该区块之后所有区块的工作量,并最终赶上和超越诚实节点的工作量。我们将在后文证明,一个慢速的攻击者能够追上的概率随着区块的增加呈指数级递减。
随着时间的推移,为了应对硬件速度的日益增长以及网络中各个节点参与的不同利益,工作量证明的难度以平均每小时出块数的移动平均值来确定。如果每小时的区块生成太快,将增加工作量证明的难度。
关键词解读
1、Nonce(随机数)
工作量证明在数学角度,其实是求解下列哈希函数:
H(n)=Hash(T(n), Merkle(n), H(n-1), nounce(n)) ,使得H(n)<H0
H(n)为本区块(含区块头)的hash值,T(n)为时间戳,Merkle(n)为本区块中交易数据的hash值,H(n-1)为上一区块的hash值,nounce(n)为随机数,H0为目标hash值。
目标是找到一个nounce值,使得计算出的H(n)值小于目标哈希值。由于hash函数的单向加密特征,只能通过穷举法来找这个值,这也叫“哈希碰撞”,有点撞大运的意思。
2、zero bits(0字符)
随着算力的增强,穷举的速度也加快了,每分钟产生的区块数量变多了,此时系统需要自动增加难度,确保出块速度保持平衡。做法就是调整目标值H0,怎么调整H0能让难度变大呢?文中的办法是指定H0值前N位必须为0,比如SHA256算法计算的hash值有256位2进制数据,规定目标值H0的前8位必须为0。此时hash碰撞的几率就降低了,因此穷举的工作量增大,速度减慢。等算力增加后,再规定前9位、前10位。。。。必须为0,这样的计算难度是指数级增加的。
3、Proof-of-work(POW,工作量证明)
工作量证明是比特币系统的一个核心机制,1个CPU1票的做法相对比较公平合理,加上难度的自动调整,系统得以稳定运行。
但是,这也是比特币系统最被人诟病的一个机制,因为这种暴力破解就是简单单纯的耗费CPU算力,进而耗费电力,对社会并没有什么益处。而在后续的区块链发展中,人们基本上摒弃了这种挖矿机制,代之以更环保的方式。
