Asicboost and segwit


AsicBoost and SegWit have been discussed a lot, but I still want to try to explain them from a technical point of view:

  1. What is AsicBoost

  2. What is the relationship between AsicBoost and SegWit

Before getting to these two things, we cannot do without one keyword: mining. So let's talk about mining first!


Bitcoin's mining mechanism: bitcoin mining uses the SHA-256 algorithm, but SHA-256 is not run over the whole block, only over the block header. The following figure shows the composition of a block:
(Figure: composition of a block)

As can be seen from the figure, the block hash is obtained by concatenating the header fields and then hashing them. The fields with the yellow background form the block header, which contains:

  1. Version number

  2. Hash of previous block

  3. Merkle root

  4. Timestamp

  5. Bits (difficulty)

  6. Nonce (random number)

In one round of mining, the version number, the hash of the previous block and the difficulty are fixed. What the miner does is keep modifying the nonce to change the hash of the current block header until it finds one that is below the current difficulty target.
However, the available search space of the nonce is not enough, because the nonce is only 4 bytes. The number of bytes occupied by each field of the block header:
(Figure: byte layout of the block header)
A 4-byte nonce means its search space is 2^32, that is, it is exhausted after 4G (2^32) hash operations. A single modern miner can complete that in an instant.
When the nonce's search space is used up, only the timestamp and the Merkle root can still be changed. The timestamp can be shifted a little forwards or backwards, but the search space gained that way is still not enough.
So miners obtain a new Merkle root by modifying the coinbase transaction, the transaction order, or other means, and then redo the 2^32 traversal of the nonce. The Merkle root is 32 bytes, so its search space is large enough.
To summarize bitcoin mining:

In short, bitcoin mining changes the block hash by constantly changing the nonce, looking for a block header whose hash is below the current difficulty target. However, the search space of the nonce is too small: if no qualifying block header is found after 2^32 hashes, the Merkle root has to be changed and the search repeated.

That briefly describes bitcoin's mining mechanism. So what is AsicBoost about?


AsicBoost is an algorithm related to the SHA-256 computation and the block header structure. When the block header hash is computed, the input has to be padded to 128 bytes before SHA-256 is run, while the block header shown above is only 80 bytes; the remaining 48 bytes are fixed padding.
SHA-256 processes the 128 bytes in two steps: the first 64 bytes are processed together, and the last 64 bytes are processed together:
(Figure: the padded 128-byte block header split into two 64-byte chunks)
The padded block header is thus split into two parts. The interesting part is the Merkle root: of its 32 bytes, the first 28 bytes fall into the first chunk and the last 4 bytes fall into the second chunk. The block header hash is therefore computed over:

Chunk1 = version + previous hash + F28(Merkle root)            (F28: first 28 bytes)
Chunk2 = B4(Merkle root) + timestamp + bits + nonce + padding   (B4: last 4 bytes)

Putting this together, the following happens during block hash computation:

Every time the nonce changes, chunk1 stays the same, so only the second stage B(chunk2) has to be recomputed, combined with the first stage F(chunk1) that was already computed.

This is one way of optimizing mining. After this optimization, each time the nonce is changed within the search space, the SHA-256 computation becomes:

SHA-256 = F(chunk1) (unchanged) + B(chunk2)'      (the prime marks the part recomputed for each nonce)

Basically all mining machines already have this optimization. AsicBoost extends the idea on top of it and finds another optimization:

Since chunk1 can be kept unchanged, is there a way to keep chunk2 unchanged? From the formula above, as long as the last 4 bytes of the Merkle root, the timestamp and the nonce stay the same, chunk2 stays the same.

If Merkle roots with the same last 4 bytes can be found, then with the same timestamp and nonce another optimization formula is obtained:

SHA-256 = F(chunk1)' + B(chunk2) (unchanged)

The timestamp is basically constant during a round of mining, while the nonce traverses its 2^32 search space. The remaining problem is to find enough Merkle roots whose last 4 bytes are the same; then the work on the second part can be reused each time the nonce is traversed, which reduces computation and increases the rate at which block hashes are found.
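To make the two optimizations concrete, here is an added Python example (not code from the post or from any mining software) that implements the SHA-256 compression function directly, pads an 80-byte header into chunk1 and chunk2, and caches the reusable work. One point the post states loosely: the 64 rounds over chunk2 still depend on the state left by chunk1, so what can actually be shared between Merkle roots with the same last 4 bytes is the 64-word message expansion of chunk2; that is what `schedules` caches below, while `midstates` caches F(chunk1). The header values (previous hash, the two Merkle roots, timestamp, bits) are constructed, and the function names are mine.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
# SHA-256 round constants and initial hash value (FIPS 180-4)
K = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]
IV = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def message_schedule(chunk):
    """Expand one 64-byte chunk into the 64 words W[t]; depends only on the chunk bytes."""
    w = list(struct.unpack(">16I", chunk))
    for t in range(16, 64):
        s0 = rotr(w[t - 15], 7) ^ rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
        s1 = rotr(w[t - 2], 17) ^ rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
    return w


def compress(state, w):
    """The 64 SHA-256 rounds: mixes the incoming state with the expanded schedule w."""
    a, b, c, d, e, f, g, h = state
    for t in range(64):
        t1 = (h + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[t] + w[t]) & MASK
        t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def serialize_header(version, prev_hash, merkle_root, timestamp, bits, nonce):
    """80-byte bitcoin header: integers little-endian, hashes in internal byte order."""
    return struct.pack("<I32s32sIII", version, prev_hash, merkle_root, timestamp, bits, nonce)


def pad_header(header80):
    """SHA-256 padding of an 80-byte message: 0x80, zeros, then the 64-bit bit length (640)."""
    return header80 + b"\x80" + b"\x00" * 39 + struct.pack(">Q", 80 * 8)


def sha256_header(header80, midstates, schedules):
    """First SHA-256 over the header, reusing cached work across calls:
    midstates[chunk1] caches F(chunk1); schedules[chunk2] caches the expansion of chunk2."""
    padded = pad_header(header80)
    chunk1, chunk2 = padded[:64], padded[64:]
    if chunk1 not in midstates:
        midstates[chunk1] = compress(IV, message_schedule(chunk1))  # F(chunk1), reused across nonces
    if chunk2 not in schedules:
        schedules[chunk2] = message_schedule(chunk2)  # reused across roots with the same last 4 bytes
    return struct.pack(">8I", *compress(midstates[chunk1], schedules[chunk2]))


def block_hash(header80, midstates, schedules):
    """Bitcoin block hash is SHA-256 applied twice; the second pass has nothing to share."""
    return hashlib.sha256(sha256_header(header80, midstates, schedules)).digest()


def mining_demo(nonces=64):
    """Constructed scenario: two Merkle roots with identical last 4 bytes, each tried with
    `nonces` nonce values. Returns how much work was shared and whether every result
    matched hashlib's plain double SHA-256 of the same header."""
    prev_hash = hashlib.sha256(b"constructed previous block").digest()
    tail = b"\xde\xad\xbe\xef"  # constructed common last 4 bytes
    roots = [hashlib.sha256(b"root A").digest()[:28] + tail,
             hashlib.sha256(b"root B").digest()[:28] + tail]
    midstates, schedules = {}, {}
    all_match = True
    for root in roots:
        for nonce in range(nonces):
            header = serialize_header(0x20000000, prev_hash, root, 1500000000, 0x1d00ffff, nonce)
            ours = block_hash(header, midstates, schedules)
            all_match &= ours == hashlib.sha256(hashlib.sha256(header).digest()).digest()
    return {"hashes": len(roots) * nonces, "chunk1_compressions": len(midstates),
            "chunk2_expansions": len(schedules), "all_match": all_match}
```

Running `mining_demo()` hashes 128 headers but performs only 2 chunk1 compressions (one per Merkle root) and 64 chunk2 expansions (one per nonce, shared by both roots), which is the sharing the two formulas above describe.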
As mentioned earlier, a new Merkle root can be obtained by changing the transaction order or the coinbase, so Merkle roots whose last 4 bytes coincide can be found by collision. What is the probability of finding a collision in the last 4 bytes? By the "birthday paradox" (matching last 4 bytes means matching 32 bits), the probability is:

(Figure: birthday-paradox collision probability formula)

About 77000 candidates give a 50% probability of a collision in the last 4 bytes. How much can such a collision improve performance? The AsicBoost white paper presents the following results:
(Figure: performance results from the AsicBoost white paper)
Theoretically this optimization improves collision efficiency by 20%, and the combined performance improvement is about 7%. AsicBoost can be implemented in software and on chip (hardware). Ways to change the Merkle root:

  1. Modify the coinbase transaction; the white paper considers this not efficient enough

  2. Reorder the Merkle tree (change the transaction order)

  3. … other ways

It can be seen that AsicBoost is an optimization based on the bitcoin block structure and the SHA-256 algorithm; it is not an attack.

AsicBoost is only a technical optimization

Obviously, AsicBoost neither breaks the current bitcoin protocol, nor produces unusable blocks, nor creates a security problem for bitcoin.
Optimizations based on the SHA-256 algorithm have appeared several times in bitcoin's history:

  1. When the nonce changes, as mentioned earlier, the first half F(chunk1) does not need to be recomputed

  2. The first three rounds of the second part can also be optimized (the ms3steps optimization)

  3. ……

  4. AsicBoost

It can be said that all software and systems can be optimized. The history of bitcoin mining is a process of continuously improving efficiency.
How exactly should we define optimization and attack? This is a question worth thinking about. If optimizing the computation of the first 64 bytes of SHA-256 is allowed, is optimizing the computation of the second 64 bytes an attack?

AsicBoost is an optimization algorithm. On top of ordinary bitcoin mining it only raises the probability of hash collisions in order to find a suitable block header, and thereby raises the probability of finding a block. It is not a vulnerability.

If there is a technology that improves bitcoin's mining efficiency, I would prefer that miners apply it as soon as possible, so that attackers have no technical advantage over miners. After all, computing power is the basis of bitcoin's security; if attackers lead miners technologically, the chance of bitcoin being attacked rises considerably.

That concludes the introduction to AsicBoost. Now let's look at the relationship between AsicBoost and SegWit.

SegWit and AsicBoost

SegWit (Segregated Witness) changes the transaction structure and introduces a new transaction identifier: the Witness ID.

(Figure: SegWit transaction structure)
Correspondingly, the Witness IDs form a Witness Merkle Tree with a Witness Merkle Root. Where is the Witness Merkle Root written? The answer is the coinbase.
In the SegWit protocol a new output is added to the coinbase. The new output is:

# Names from Bitcoin Core's Python test framework: witness_root is the Merkle root over
# Witness IDs (the coinbase's own Witness ID is fixed to all zeros), witness_nonce is the
# 32-byte reserved value from the coinbase witness, and hash256 is double SHA-256.
output_data = WITNESS_COMMITMENT_HEADER + ser_uint256(uint256_from_str(hash256(ser_uint256(witness_root)+ser_uint256(witness_nonce))))
script = CScript([OP_RETURN, output_data])

The new output is a script consisting of OP_RETURN + the witness commitment header + a hash of the Witness Merkle Root.
The Witness Merkle Root calculation does not include the coinbase, which avoids a circular dependency between the coinbase and the Witness Merkle Root.

So there is a problem: under SegWit, changing the position of any transaction changes the Witness Merkle Root; since the coinbase has to include the Witness Merkle Root, this changes the coinbase, and the changed coinbase changes the Merkle root of the whole block.
If AsicBoost under SegWit obtains a new Merkle root by changing the transaction order, efficiency drops, because both the Witness Merkle Root and the Merkle root have to be recomputed, which in turn reduces AsicBoost's efficiency.
This is the impact of SegWit on AsicBoost. But one important fact cannot be ignored: SegWit and AsicBoost are not mutually exclusive:

As long as the block structure remains unchanged, the AsicBoost optimization still exists and is still effective.

Under SegWit, obtaining a new Merkle root by changing the coinbase works exactly as it does under the current protocol, because the coinbase transaction is not included in the Witness Merkle Root.
SegWit and AsicBoost are not mutually exclusive, and the AsicBoost optimization does not disappear under SegWit. AsicBoost under SegWit can also be optimized in engineering terms: computing the Merkle root also requires hashing, and the block hash computation may stall from time to time while the Merkle root is being computed. Parallel computation would be a better optimization; with changing the coinbase to obtain a new Merkle root done in parallel, the resulting loss of efficiency is not particularly significant.
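The following added Python example (not code from the post or from Bitcoin Core) ties the two previous sections together: it builds the coinbase witness commitment output described above, and then grinds the coinbase extranonce to find two block Merkle roots that agree in their last 4 bytes, which is the collision search from the AsicBoost section. It shows that changing the coinbase leaves the Witness Merkle Root untouched, while reordering the other transactions changes both roots, and it reports how many candidates the birthday bound predicts for a 50% collision chance. Assumptions: the transactions are stand-ins (their txids and Witness IDs are constructed hashes, and the coinbase is reduced to a hash over its extranonce and the commitment output); the `aa21a9ed` commitment header, the 36-byte OP_RETURN push and the all-zero coinbase Witness ID follow BIP141; all function names are mine.

```python
import hashlib
import math
import struct

WITNESS_COMMITMENT_HEADER = bytes.fromhex("aa21a9ed")  # BIP141 commitment marker


def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(leaves):
    """Bitcoin Merkle root over 32-byte leaves; an odd last element is paired with itself."""
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def witness_commitment_script(witness_root, witness_nonce):
    """The coinbase OP_RETURN output from the post: header + hash256(witness_root || witness_nonce)."""
    data = WITNESS_COMMITMENT_HEADER + sha256d(witness_root + witness_nonce)
    return bytes([0x6a, len(data)]) + data  # OP_RETURN, then a direct push of 36 bytes


def witness_root_of(other_txs):
    """Witness Merkle root: the coinbase's Witness ID is fixed to 32 zero bytes, so nothing
    inside the coinbase ever feeds it. other_txs is a list of (txid, wtxid) pairs."""
    return merkle_root([bytes(32)] + [wtxid for _, wtxid in other_txs])


def coinbase_txid(extranonce, commitment_script):
    """Constructed stand-in for a serialized coinbase: only the extranonce and the
    commitment output vary here, so that is all the stand-in covers."""
    return sha256d(b"constructed-coinbase" + struct.pack("<I", extranonce) + commitment_script)


def block_roots(other_txs, extranonce, witness_nonce=bytes(32)):
    """Return (witness_root, block_merkle_root) for a coinbase carrying `extranonce`."""
    wroot = witness_root_of(other_txs)
    cb = coinbase_txid(extranonce, witness_commitment_script(wroot, witness_nonce))
    return wroot, merkle_root([cb] + [txid for txid, _ in other_txs])


def birthday_probability(n, bits=32):
    """Probability that n candidates contain two with the same `bits`-bit tail."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * 2 ** bits))


def trials_for_probability(p, bits=32):
    """Smallest n whose collision probability is about p (inverse of the bound above)."""
    return math.ceil(math.sqrt(2.0 * 2 ** bits * math.log(1.0 / (1.0 - p))))


def find_tail_collision(other_txs, max_tries=1_000_000):
    """Grind the coinbase extranonce until two block Merkle roots share their last 4 bytes.
    The witness root and the commitment do not depend on the extranonce, so they are
    computed once; per candidate only the coinbase txid and the block Merkle root change."""
    script = witness_commitment_script(witness_root_of(other_txs), bytes(32))
    txids = [txid for txid, _ in other_txs]
    seen = {}
    for extranonce in range(max_tries):
        tail = merkle_root([coinbase_txid(extranonce, script)] + txids)[-4:]
        if tail in seen:
            return seen[tail], extranonce, tail
        seen[tail] = extranonce
    return None


# Constructed sample transactions as (txid, wtxid) pairs; not real chain data.
SAMPLE_TXS = [(sha256d(b"tx%d" % i), sha256d(b"wtx%d" % i)) for i in range(1, 4)]
```

`trials_for_probability(0.5)` returns 77163, matching the "about 77000" figure above, and `find_tail_collision(SAMPLE_TXS)` typically returns a pair of extranonces after a number of candidates of that order. Because `block_roots` recomputes the Witness Merkle Root for every call while `find_tail_collision` hoists it out of the loop, the two functions also show the difference between the naive and the engineering-optimized way of grinding the coinbase under SegWit.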


Principle of AsicBoost:

When the block header is hashed, the Merkle root is split across the two chunks. As a result, mining efficiency improves if Merkle roots with the same last four bytes are used to compute the block hash.


SegWit requires a Witness TX ID, and hence a new Witness Merkle Root, and the Witness Merkle Root is written into the coinbase. The coinbase itself is not included in the Witness Merkle Root. Because SegWit is a soft fork, the structure of the block header has not changed.

Based on the above, the following conclusions can be drawn:

AsicBoost is essentially just an optimization based on the block structure and the SHA-256 algorithm

AsicBoost and SegWit are not mutually exclusive

As long as the block structure and the SHA-256 algorithm remain unchanged, AsicBoost will always exist.

SegWit affects the transaction-reordering approach of AsicBoost

Under SegWit, every change of transaction order changes the coinbase, after which the Merkle root has to be recomputed. A change of transaction order changes both the Witness Merkle Root and the Merkle root.

The AsicBoost approach may still have better optimizations

Apart from the reduced efficiency of obtaining new Merkle roots by reordering transactions, engineering optimizations of AsicBoost, such as parallel computation, remain effective

AsicBoost is just a way to optimize mining, and under SegWit the AsicBoost optimization does not disappear, because the block structure does not change. G. Maxwell proposed in an email a way of changing the block header so that AsicBoost can no longer be used. I don't object to this proposal, but I don't think it's necessary. If miners are not allowed to optimize the computation of the second 64 bytes, should the optimization of the first 64 bytes be banned too? And there will be other similar optimizations in the future. Should they all be banned?

Under given conditions, humans always find that some method A is better than the original method B. Human history is the history of continuously improving efficiency.
