There has been a great deal of argument about AsicBoost and SegWit, but I still want to try to explain it from a technical point of view:

What is AsicBoost

What is the relationship between AsicBoost and SegWit

Before discussing these two things, one keyword is unavoidable: mining. So let's talk about mining first!
Mining
Bitcoin's mining mechanism uses the SHA-256 algorithm, but SHA-256 is not applied to the whole block, only to the block header. The following figure shows the composition of a block:
As can be seen from the figure, the block hash is obtained by concatenating the header fields and hashing them. The fields with a yellow background form the block header, which contains:
Version number
Hash of the previous block
Merkle root
Timestamp
Bits (difficulty target)
Nonce (random number)
During a round of mining, the version number, the hash of the previous block and the difficulty are fixed. What the miner has to do is keep changing the nonce so that the hash of the current block header changes, until it finds a block header whose hash is below the current difficulty target.
However, the available search space of the nonce is not enough, because the nonce is only 4 bytes long. The number of bytes occupied by each field of the block header is shown in the following figure:
A 4-byte nonce means a search space of 2^32, that is, about 4G hash operations to traverse it completely. For a current single miner, this can be completed in an instant.
When the nonce's search space is exhausted, only the timestamp and the Merkle root can still be changed. The timestamp can be nudged forward or backward a little, but the search space after such an adjustment is still not enough.
Miners obtain a new Merkle root by modifying the coinbase transaction, changing the transaction order, or other means, and then redo the 2^32 traversal of the nonce. The Merkle root is 32 bytes, so its search space is large enough.
To summarize Bitcoin mining:
In short, Bitcoin mining changes the block hash by constantly changing the nonce, in order to find a block header whose hash is below the current difficulty target. However, the search space of the nonce is too small: if no suitable block header has been found after 2^32 hashes, the Merkle root has to be changed and the search restarted.
That is a brief description of Bitcoin's mining mechanism. So what is AsicBoost?
AsicBoost
AsicBoost is an algorithm related to the computation of SHA-256 and to the structure of the block header. When the block header hash is computed, the header must first be padded to 128 bytes: the block header shown above is only 80 bytes, and the remaining 48 bytes are filled with fixed SHA-256 padding.
SHA-256 processes these 128 bytes in two steps: the first 64 bytes are compressed together, then the last 64 bytes:
The padded block header is thus split into two parts. The interesting part is the Merkle root: of its 32 bytes, the first 28 fall into the first part and the last 4 into the second. The block header hash is computed as (F28 = first 28 bytes, B4 = last 4 bytes):
SHA256 = F(Chunk1) + B(Chunk2)
Chunk1 = (version) + (previous hash) + F28(Merkle root)
Chunk2 = B4(Merkle root) + Timestamp + Bits + Nonce + padding
Combining the above, a useful property appears during block hash computation: every time the nonce changes, the value of Chunk1 stays the same, which means that each nonce change only requires recomputing B(Chunk2) and combining it with the previously computed F(Chunk1).
This is one way of optimizing mining. After the optimization, each time the nonce is changed within the search space, the SHA-256 computation becomes:
SHA256 = F(Chunk1) (unchanged) + B(Chunk2)'
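To make the two-chunk split concrete, here is an added Python example (not from the original post) that serializes a constructed 80-byte header, shows which bytes land in each 64-byte chunk, and reuses the F(Chunk1) midstate across nonces. The header field values are made up.

```python
import hashlib
import struct

# Constructed sample header fields (not real chain data), in serialized byte order.
VERSION = 0x20000000
PREV_HASH = bytes.fromhex("ab" * 28 + "00" * 4)
MERKLE_ROOT = bytes(range(32))
TIMESTAMP = 1_700_000_000
BITS = 0x1D00FFFF
# SHA-256 padding for an 80-byte message: 0x80, 39 zero bytes, 64-bit big-endian bit length.
PADDING = b"\x80" + b"\x00" * 39 + struct.pack(">Q", 80 * 8)

def serialize_header(nonce: int) -> bytes:
    """80-byte block header: version, previous hash, Merkle root, timestamp, bits, nonce."""
    return struct.pack("<I", VERSION) + PREV_HASH + MERKLE_ROOT + struct.pack("<III", TIMESTAMP, BITS, nonce)

def chunk1(nonce: int) -> bytes:
    """First 64 bytes of the padded header: version + previous hash + first 28 bytes of the Merkle root (F28)."""
    return (serialize_header(nonce) + PADDING)[:64]

def chunk2(nonce: int) -> bytes:
    """Last 64 bytes: last 4 bytes of the Merkle root (B4) + timestamp + bits + nonce + 48 bytes of padding."""
    return (serialize_header(nonce) + PADDING)[64:]

def midstate_after_chunk1():
    """F(Chunk1): absorb the first chunk once. It contains no nonce, so it is computed a single time."""
    h = hashlib.sha256()
    h.update(serialize_header(0)[:64])  # identical to chunk1() for every nonce
    return h

def block_hash_with_midstate(midstate, nonce: int) -> bytes:
    """Per nonce: copy the midstate, feed the 16 raw tail bytes (hashlib appends the same
    48 padding bytes, so this is B(Chunk2)), then apply the second SHA-256 of the double hash."""
    h = midstate.copy()
    h.update(serialize_header(nonce)[64:])
    return hashlib.sha256(h.digest()).digest()

def block_hash_direct(nonce: int) -> bytes:
    """Reference: plain double SHA-256 over the whole 80-byte header."""
    return hashlib.sha256(hashlib.sha256(serialize_header(nonce)).digest()).digest()

def search_nonce(midstate, target: int, limit: int = 1 << 20):
    """Mining loop: first nonce whose block hash, read as a little-endian integer, is below target."""
    for nonce in range(limit):
        if int.from_bytes(block_hash_with_midstate(midstate, nonce), "little") < target:
            return nonce
    return None
```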
Basically all mining machines already have this optimization. AsicBoost extends the idea behind it and finds another optimization:
Since Chunk1 can be kept unchanged, is there a way to keep Chunk2 unchanged? From the formula above, as long as the last 4 bytes of the Merkle root, the timestamp and the nonce are kept the same, Chunk2 stays unchanged.
If Merkle roots with the same last 4 bytes can be found, then with the same timestamp and nonce another optimized formula is obtained:
SHA256 = F(Chunk1)' + B(Chunk2) (unchanged)
The timestamp is basically unchanged during a round of mining, and the nonce traverses its 2^32 search space. The remaining problem is to find enough Merkle roots whose last 4 bytes are the same. In this way, the computation of the second part can be reused each time the nonce is traversed, which effectively reduces the amount of computation and improves the probability of finding the block hash.
As mentioned earlier, a new Merkle root can be obtained by changing the transaction order or the coinbase, so Merkle roots with the same last 4 bytes can be found by collision. What is the probability of finding two hashes with the same last 4 bytes by collision? According to the "birthday paradox" (the last 4 bytes being equal means a collision in a 32-bit space), the probability is:
About 77,000 collision attempts give a 50% probability of two hashes with the same last 4 bytes. How much can such a collision improve efficiency? The results presented in the AsicBoost white paper are as follows:
This optimization can theoretically improve the collision efficiency by 20%, while the combined performance improvement is about 7%. AsicBoost can be implemented in software and on chip (hardware). Ways of changing the Merkle root:

Modifying the coinbase transaction, which the white paper considers not efficient enough

Updating the ordering of the Merkle tree

… other ways
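An added Python example (not part of the original post) of the collision search described above: it computes the birthday bound for a 32-bit tail and then varies a constructed coinbase until two Merkle roots share their last 4 bytes, the part that lands in Chunk2. The sibling hash and coinbase bytes are constructed stand-ins, not real chain data.

```python
import hashlib
import math
import struct

def hash256(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def birthday_trials(space_bits: int, prob: float = 0.5) -> int:
    """Birthday bound: samples needed for a collision with probability `prob`
    among 2**space_bits equally likely values, sqrt(2 N ln(1 / (1 - prob)))."""
    n = 2 ** space_bits
    return round(math.sqrt(2 * n * math.log(1 / (1 - prob))))

# Constructed stand-in for the rest of the Merkle tree: the sibling hash that the coinbase
# txid is paired with at the top level. Only the coinbase side is varied.
SIBLING = hash256(b"constructed sibling subtree")

def merkle_root_for_extranonce(extranonce: int) -> bytes:
    """Vary the coinbase (an extranonce field in its input script) and derive a new Merkle root.
    Toy two-leaf tree: root = hash256(txid(coinbase) || sibling)."""
    coinbase_txid = hash256(b"coinbase-" + struct.pack("<Q", extranonce))
    return hash256(coinbase_txid + SIBLING)

def find_tail_collision(tail_bytes: int = 4, limit: int = 2_000_000):
    """Try coinbase variants until two Merkle roots share their last `tail_bytes` bytes,
    i.e. the B4 part that falls into Chunk2. Returns (tries, root_a, root_b) or None."""
    seen = {}
    for extranonce in range(limit):
        root = merkle_root_for_extranonce(extranonce)
        tail = root[-tail_bytes:]
        if tail in seen:
            return extranonce + 1, seen[tail], root
        seen[tail] = root
    return None

def chunk2_shared(root_a: bytes, root_b: bytes, timestamp: int, bits: int, nonce: int) -> bool:
    """True when both roots give the same Chunk2 (B4 + timestamp + bits + nonce), so
    B(Chunk2) can be computed once and reused for both candidate headers."""
    tail = struct.pack("<III", timestamp, bits, nonce)
    return root_a[28:] + tail == root_b[28:] + tail
```

With a 2-byte tail the collision shows up after a few hundred candidates; with the real 4-byte tail it takes on the order of the 77,000 the post quotes.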
It can be seen that AsicBoost is an optimization based on the Bitcoin block structure and the SHA-256 algorithm; it is not an attack.
AsicBoost is only a technical optimization.
Obviously, AsicBoost neither breaks the current Bitcoin protocol, nor produces unusable blocks, nor creates a security problem for Bitcoin.
Optimizations based on the SHA-256 algorithm have appeared several times in Bitcoin's history:

When the nonce is changed, as mentioned earlier, the first half F(Chunk1) does not need to be recomputed

The first three rounds of the second part can also be optimized; see ms3steps for reference

……

As with AsicBoost, it can be said that all software and systems can be optimized. Bitcoin's mining history is a process of continuously improving efficiency.
How exactly should we define optimization versus attack? This is a question worth thinking about. If it is allowed to optimize the computation of the first 64 bytes of the SHA-256 input, does optimizing the computation of the second 64 bytes count as an attack?
AsicBoost is an optimization algorithm. On top of the original Bitcoin mining, it only improves the collision probability so as to find a suitable block header; it raises the probability of finding a block. It is not a vulnerability.
If there is a technology that improves the mining efficiency of Bitcoin, I would prefer that miners apply it as soon as possible, so that attackers have no technical advantage over miners. After all, computing power is the basis of Bitcoin's security. If attackers lead miners in technology, the possibility of Bitcoin being attacked increases a lot.
That concludes the introduction to AsicBoost. Now let's look at the relationship between AsicBoost and SegWit.
SegWit and AsicBoost
SegWit (Segregated Witness) separates the witness data from the transaction. Its application changes the transaction format and introduces a new transaction ID, the witness ID. Accordingly, the witness IDs form a witness Merkle tree, which has a witness Merkle root. Where is the witness Merkle root written? The answer is: in the coinbase.
Under the SegWit protocol a new output is added to the coinbase. The new output is:
```python
# Helpers from Bitcoin Core's Python test framework (test_framework/); module paths vary by version.
from test_framework.messages import hash256, ser_uint256, uint256_from_str
from test_framework.script import CScript, OP_RETURN
from test_framework.blocktools import WITNESS_COMMITMENT_HEADER

# 4-byte commitment header followed by hash256(witness root || witness nonce)
output_data = WITNESS_COMMITMENT_HEADER + ser_uint256(uint256_from_str(hash256(ser_uint256(witness_root) + ser_uint256(witness_nonce))))
script = CScript([OP_RETURN, output_data])
```
The new output is a script consisting of OP_RETURN + the witness commitment header + the hash of the witness Merkle root (together with the witness nonce).
The computation of the witness Merkle root does not include the coinbase, which avoids a circular dependency in which the coinbase and the witness Merkle root keep changing each other.
So there is a problem: under SegWit, changing the position of any transaction changes the witness Merkle root, and since the coinbase includes the witness Merkle root, the coinbase changes too. The change of the coinbase then changes the Merkle root of the whole block.
If AsicBoost under SegWit obtains new Merkle roots by changing the transaction order, efficiency drops, because the witness Merkle root and the Merkle root both have to be computed, which in turn reduces AsicBoost's efficiency.
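An added Python example (neither the post's nor Bitcoin's code) of the commitment chain just described, with constructed txids and wtxids: reordering transactions changes the witness Merkle root, hence the coinbase, hence the block Merkle root, while changing only the coinbase extranonce leaves the witness root untouched.

```python
import hashlib
import struct

WITNESS_COMMITMENT_HEADER = bytes.fromhex("aa21a9ed")  # BIP141 commitment marker bytes
OP_RETURN = b"\x6a"

def hash256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def merkle_root(leaves):
    """Bitcoin-style Merkle root: hash pairs level by level, duplicating an odd last node."""
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hash256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

# Constructed non-coinbase transactions as (txid, wtxid) pairs; no real transaction data.
TXS = [(hash256(b"tx%d" % i), hash256(b"wtx%d" % i)) for i in range(1, 5)]
WITNESS_NONCE = bytes(32)

def commitment_output(witness_root: bytes, witness_nonce: bytes = WITNESS_NONCE) -> bytes:
    """The coinbase OP_RETURN output from the post's formula: header || hash256(root || nonce)."""
    commitment = hash256(witness_root + witness_nonce)
    return OP_RETURN + b"\x24" + WITNESS_COMMITMENT_HEADER + commitment  # 0x24 pushes 36 bytes

def build_block(txs, extranonce: int = 0):
    """Return (merkle_root, witness_root, coinbase_txid) for one transaction order and one
    coinbase extranonce. The coinbase's wtxid is all zeros in the witness tree, so the witness
    root never depends on the coinbase, only on the other transactions and their order."""
    witness_root = merkle_root([bytes(32)] + [wtxid for _, wtxid in txs])
    coinbase = struct.pack("<Q", extranonce) + commitment_output(witness_root)  # toy coinbase bytes
    coinbase_txid = hash256(coinbase)
    root = merkle_root([coinbase_txid] + [txid for txid, _ in txs])
    return root, witness_root, coinbase_txid
```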
This is the impact of SegWit on AsicBoost. But one important fact cannot be ignored: SegWit and AsicBoost are not mutually exclusive:
As long as the block structure remains unchanged, the AsicBoost optimization still exists and is still effective.
Obtaining a new Merkle root by changing the coinbase under SegWit works in the same way and with the same effect as changing the coinbase under the current protocol, because the coinbase transaction is not included in the witness Merkle root.
SegWit and AsicBoost are not mutually exclusive, and it is not the case that there is no AsicBoost optimization under SegWit. Using AsicBoost under SegWit can also be optimized from an engineering perspective: computing the Merkle root also requires hashing, and the block hash computation may stall from time to time while the Merkle root is being computed. Parallel computation is a better approach: changing the coinbase to obtain new Merkle roots can run in parallel, so the resulting loss of efficiency is not particularly significant.
Summary
Principle of AsicBoost: when the block header hash is computed, the Merkle root is split across the two chunks. As a result, if Merkle roots with the same last 4 bytes are used to compute the block hash, mining efficiency improves.
SegWit: SegWit introduces the witness transaction ID and with it a new witness Merkle root, and the witness Merkle root is written into the coinbase. The coinbase itself is not included in the witness Merkle root. Because SegWit is a soft fork, the structure of the block header has not changed.
Based on the above, the following conclusions can be drawn:
AsicBoost is essentially just an optimization based on the block structure and the SHA-256 algorithm.
AsicBoost and SegWit are not mutually exclusive.
As long as the block structure and the SHA-256 algorithm remain unchanged, AsicBoost will always exist.
SegWit affects the transaction-reordering method used by AsicBoost: under SegWit, every change of transaction order changes the coinbase, after which the Merkle root must be recomputed. A change of transaction order changes both the witness Merkle root and the Merkle root.
There may still be better ways of optimizing in the AsicBoost project: apart from the reduced efficiency of updating the Merkle root by changing the transaction order, engineering optimizations of AsicBoost, such as parallel computation, can still be effective.
AsicBoost is just a way of optimizing mining, and under SegWit the AsicBoost optimization did not disappear, because the structure of the block did not change. G. Maxwell proposed on the mailing list a change to the block header so that AsicBoost can no longer be used. I don't object to this proposal, but I don't think it's necessary. If miners are not allowed to optimize the computation of the second 64 bytes, should optimizing the computation of the first 64 bytes be banned as well? And there will be other similar optimizations in the future; should they all be banned?
Under given conditions, people always find a way to make a method A better than the original method B. Human history is a history of continuous improvement in efficiency.