数学
比特币 (Bitcoin)
区块链(Blockchain)

比特币挖矿一定要用计算机吗?用纸笔来计算可行吗?

比特币挖矿在解一条方程吗?解方程一定要用到计算机吗能不能用纸笔算一个解出来? 相关问题: 如何笔算解码二维码?
关注者
2,781
被浏览
1,903,393

223 个回答

Mining Bitcoin With Pencil and Paper

楼主,这里有教程,我很看好你。解出来以后比特币的开采就有你掌控了。挣钱了记得给我冲50元话费。

结论写在这吧:作者做了个比喻,用手算出哈希值的难度比在全世界的沙子里面找到特定的一粒沙子还要难,可能性还要低。

教程每天算出来手算的速度是0.67hash(不吃不喝不睡),楼主经过训练以后速度应该有所提升,和现在主流挖矿机比起来挖矿机的速度是楼主的一百万的三次方倍(quintillion)。

但是楼主没问难不难,只问可不可以,所以答案是可以的。

Ken Shirriff

I decided to see how practical it would be to mine Bitcoin with pencil and paper. It turns out that the SHA-256 algorithm used for mining is pretty simple and can in fact be done by hand. Not surprisingly, the process is extremely slow compared to hardware mining and is entirely impractical. But performing the algorithm manually is a good way to understand exactly how it works.

我决定看看用铅笔和纸来演算挖比特币的矿是不是一件可行的事情。结果我发现挖矿所用的SHA-256算法其实很简单并且也可以用手算。当然了,与硬件挖矿相比这个过程是漫长的,但这不失为一中理解比特币挖矿算法的一种好方法。

The mining process

Bitcoin mining is a key part of the security of the Bitcoin system. The idea is that Bitcoin miners group a bunch of Bitcoin transactions into a block, then repeatedly perform a cryptographic operation called hashing zillions of times until someone finds a special extremely rare hash value. At this point, the block has been mined and becomes part of the Bitcoin block chain. The hashing task itself doesn't accomplish anything useful in itself, but because finding a successful block is so difficult, it ensures that no individual has the resources to take over the Bitcoin system. For more details on mining, see my Bitcoin mining article.

比特币挖矿是比特币系统安全的保证。中心思想就是比特币矿工们汇聚到一个矿区并且重复进行加密的哈希运算(不计其数的,zillion应该是比trillion还大的多得多的计量单位。)直到找到产生合适的哈希的字符串。到此为止,这个区块就已经被挖到了并成为了比特币区块链上的一环。哈希运算本省并没有任何意义。但是挖矿的难度由于是巨大的,这就保证了没有任何一个人可以有足够多的资源占据整个比特币系统。

A cryptographic hash function takes a block of input data and creates a smaller, unpredictable output. The hash function is designed so there's no "short cut" to get the desired output—you just have to keep hashing blocks until you find one by brute force that works. For Bitcoin, the hash function is a function called SHA-256. To provide additional security, Bitcoin applies the SHA-256 function twice, a process known as double-SHA-256.

加密的哈希计算确保了解出这个运算没有任何捷径,只能够不断觉得进行运算用暴力的方法直至成功。

In Bitcoin, a successful hash is one that starts with enough zeros. [1] Just as it is rare to find a phone number or license plate ending in multiple zeros, it is rare to find a hash starting with multiple zeros. But Bitcoin is exponentially harder. Currently, a successful hash must start with approximately 17 zeros, so only one out of 1.4x1020 hashes will be successful. In other words, finding a successful hash is harder than finding a particular grain of sand out of all the grains of sand on Earth.

The following diagram shows a block in the Bitcoin blockchain along with its hash. The yellow bytes are hashed to generate the block hash. In this case, the resulting hash starts with enough zeros so mining was successful. However, the hash will almost always be unsuccessful. In that case, the miner changes the nonce value or other block contents and tries again.

Structure of a Bitcoin block


The SHA-256 hash algorithm used by Bitcoin

The SHA-256 hash algorithm takes input blocks of 512 bits (i.e. 64 bytes), combines the data cryptographically, and generates a 256-bit (32 byte) output. The SHA-256 algorithm consists of a relatively simple round repeated 64 times. The diagram below shows one round, which takes eight 4-byte inputs—A through H—then performs a few operations, and generates new values of A through H.

SHA-256 算法把输入为64bytes的区块整合成加密数据并产生了32byte的输出。SHA-256 算法包含了相对而言简单的64轮操作。下面的图展示了把8个4byte的输入从A到H,展开了一些运算以后产生了从A到H新的值。


One round of the SHA-256 algorithm showing the 8 input blocks A-H, the processing steps, and the new blocks. Diagram created by kockmeyer, CC BY-SA 3.0.

The blue boxes mix up the values in non-linear ways that are hard to analyze cryptographically. Since the algorithm uses several different functions, discovering an attack is harder. (If you could figure out a mathematical shortcut to generate successful hashes, you could take over Bitcoin mining.)

右侧深蓝色的格子里面把输入的数值用非线性的方法进行整合,这样就很难进行分析。因为这种算法用到了数种方法,找到一条捷径就更难了。如果谁找出来了,他就能掌管比特币的开采。

The Ma majority box looks at the bits of A, B, and C. For each position, if the majority of the bits are 0, it outputs 0. Otherwise it outputs 1. That is, for each position in A, B, and C, look at the number of 1 bits. If it is zero or one, output 0. If it is two or three, output 1.

Ma这个运算主要关注与A,B和C的值。如果他们主要的值是0.那输出就是0.如果主要不是0,那输出就是1.比如说,A,B,C上都是0或者1,那么输出0,如果是2或3那么就输出1.

The Σ0 box rotates the bits of A to form three rotated versions, and then sums them together modulo 2. In other words, if the number of 1 bits is odd, the sum is 1; otherwise, it is 0. The three values in the sum are A rotated right by 2 bits, 13 bits, and 22 bits.

Σ0转换A的值并且相加,找出除以2的余数。如果1bits是偶数那么总和为偶,不然就为0.三个值加起来的总和是A向右移2bits,13bits和22bits。

The Ch "choose" box chooses output bits based on the value of input E. If a bit of E is 1, the output bit is the corresponding bit of F. If a bit of E is 0, the output bit is the corresponding bit of G. In this way, the bits of F and G are shuffled together based on the value of E.

Ch的值由E的输入来决定。如果E的bit为1,那么输出为F的bit。如果E为0,那么输出为G的bit。这样F 和 G 一定程度上有E决定。

The next box Σ1 rotates and sums the bits of E, similar to Σ0 except the shifts are 6, 11, and 25 bits.

Σ1与Σ0类似,只是向右移6,11,25bits.

The red boxes perform 32-bit addition, generating new values for A and E. The input Wt is based on the input data, slightly processed. (This is where the input block gets fed into the algorithm.) The input Kt is a constant defined for each round.[2]

红格子产生了新的A和E. 输入的Wt是由输入的数据决定的,经过稍微的处理。输入的Kt 是一个常数由每一轮运算定义。

As can be seen from the diagram above, only A and E are changed in a round. The other values pass through unchanged, with the old A value becoming the new B value, the old B value becoming the new C value and so forth. Although each round of SHA-256 doesn't change the data much, after 64 rounds the input data will be completely scrambled. [3]

每一轮只有A和E产生了变化。其他的值都没有变。旧的A变成了新的B.旧的B变成了新的C.尽管每一轮都没有太大的变化,但是六十四轮以后输入的值就会有翻天覆地的变化。

Manual mining

The video below shows how the SHA-256 hashing steps described above can be performed with pencil and paper. I perform the first round of hashing to mine a block. Completing this round took me 16 minutes, 45 seconds.

youtube.com/watch? 这里有视频地址,需要翻墙才能看。

To explain what's on the paper: I've written each block A through H in hex on a separate row and put the binary value below. The major peration appears below C, and the shifts and Σ0 appear above row A. Likewise, the choose operation appears below G, and the shifts and Σ1 above E. In the lower right, a bunch of terms are added together, corresponding to the first three red sum boxes. In the upper right, this sum is used to generate the new A value, and in the middle right, this sum is used to generate the new E value. These steps all correspond to the diagram and discussion above.

解释一下我在纸上做了什么,我把从A到H分别在一行上面十六进制转换为二进制。主要的运算写在C下面。bits转换和Σ0展示在A行上面。同样的,choose运算在G下面,bits转换和Σ1在E的上方。在右下角,相对应于三个红格子的数值被加了上去。在右上方,总和被用于产生一个新的A值。在右中侧,总和被用于产生新的E值。

I also manually performed another hash round, the last round to finish hashing the Bitcoin block. In the image below, the hash result is highlighted in yellow. The zeroes in this hash show that it is a successful hash. Note that the zeroes are at the end of the hash. The reason is that Bitcoin inconveniently reverses all the bytes generated by SHA-256. [4]


What this means for mining hardware

Each step of SHA-256 is very easy to implement in digital logic—simple Boolean operations and 32-bit addition. (If you've studied electronics, you can probably visualize the circuits already.) For this reaon, custom ASIC chips can implement the SHA-256 algorithm very efficiently in hardware, putting hundreds of rounds on a chip in parallel. The image below shows a mining chip that runs at 2-3 billion hashes/second; Zeptobars has more photos.



In contrast, Litecoin, Dogecoin, and similar altcoins use the scrypt hash algorithm, which is intentionally designed to be difficult to implement in hardware. It stores 1024 different hash values into memory, and then combines them in unpredictable ways to get the final result. As a result, much more circuitry and memory is required for scrypt than for SHA-256 hashes. You can see the impact by looking at mining hardware, which is thousands of times slower for scrypt (Litecoin, etc) than for SHA-256 (Bitcoin).

Conclusion

The SHA-256 algorithm is surprisingly simple, easy enough to do by hand. (The elliptic curve algorithm for signing Bitcoin transactions would be very painful to do by hand since it has lots of multiplication of 32-byte integers.) Doing one round of SHA-256 by hand took me 16 minutes, 45 seconds. At this rate, hashing a full Bitcoin block (128 rounds) [3] would take 1.49 days, for a hash rate of 0.67 hashes per day (although I would probably get faster with practice). In comparison, current Bitcoin mining hardware does several terahashes per second, about a quintillion times faster than my manual hashing. Needless to say, manual Bitcoin mining is not at all practical.[5]

SHA-256运算出奇的简单,简单到可以拿手算。做一轮要花我16分钟45秒,以这个速度得到一个完整的比特币区块(128轮)需要1.49天(不吃不喝一直做)每天的速度是0.67 hashes.目前挖矿机的效率是我的一百万的三次方倍数。所以说手算挖矿是不实际的。

A Reddit reader asked about my energy consumption. There's not much physical exertion, so assuming a resting metabolic rate of 1500kcal/day, manual hashing works out to almost 10 megajoules/hash. A typical energy consumption for mining hardware is 1000 megahashes/joule. So I'm less energy efficient by a factor of 10^16, or 10 quadrillion. The next question is the energy cost. A cheap source of food energy is donuts at $0.23 for 200 kcalories. Electricity here is $0.15/kilowatt-hour, which is cheaper by a factor of 6.7 - closer than I expected. Thus my energy cost per hash is about 67 quadrillion times that of mining hardware. It's clear I'm not going to make my fortune off manual mining, and I haven't even included the cost of all the paper and pencils I'll need.

有一个reddit网友问我关于能量消耗的事。其实并没有消耗我多少的体能。假设一个人一天啥也不干他的机体消耗是1500卡路里。手动挖矿找到一个哈希值大约消耗10兆焦耳。硬件挖矿通常消耗是100兆焦耳。所以我的能耗比机器要低的多得多的多。关于补充能量的事,一个甜甜圈能提供200卡路里需要23美分(1块5).电的价格是一千瓦时15美分(九毛八)。所以我的耗能是机器的百万的四次方倍,很明显靠笔算挖矿挣不了钱。而且我还没有考虑笔和纸的消耗。

我觉得高赞答案那个老外还少算了,他就算了下SHA256,事实上还有其他麻烦...

不想看原理可以直接跳到最后一张图开始.

比特币挖矿,说来也容易,其实就是找到如下不等式的一个解而已:

\text{hash}(x)<\text{target}

其中hash就是常说的哈希函数,target则决定了难度.

哈希函数定义域为整数,值域则是某个范围的正整数.

可以看出其实解有无数个,但是发现其中一个并不容易.

你可能要说了,我能不能分析这个函数来求它的部分反函数?

有些哈希函数可以,比如CRC校验函数,但是一类用作加密的哈希函数不可以.

哈希加密函数,基本特点之一就是随机,以比特币使用的SHA256为例,画出前100个数字的哈希值:


可以看出这个函数图像几乎就是 0\sim 2^{256} \approx 1.15792\times 10^{77} 中的一个随机数.

也就是说随便说一个数,说中答案的概率只有 8.63616^{-78},宇宙原子总数才 10^{80} 左右...

Target用来调节难度.Target越小,找到一个解的难度自然就越高.

而唯一的求解方法就是穷举.

SHA256是SHA-2的一种,SHA-2的第t个加密循环如图所示:


图中的深蓝色方块是事先定义好的非线性函数.

\begin{aligned} &\operatorname {Ch} (E,F,G)=(E\land F)\oplus (\neg E\land G)\\ &\operatorname {Ma} (A,B,C)=(A\land B)\oplus (A\land C)\oplus (B\land C)\\ &\Sigma _{0}(A)=(A\!\ggg \!2)\oplus (A\!\ggg \!13)\oplus (A\!\ggg \!22)\\ &\Sigma _{1}(E)=(E\!\ggg \!6)\oplus (E\!\ggg \!11)\oplus (E\!\ggg \!25)\\ \end{aligned}

先把输入从16进制翻译成2进制,有256位哦.然后切片输入这个运算器.

  • \operatorname {Ch} 关注E,F,G.如果E为1,那么输出为F。如果E为0,那么输出为G.
  • \operatorname {Ma} 关注A,B,C.相互进行ADN然后相加取模二余数.
  • \Sigma _{0}(A) ,取A分别右移动2Bits,13Bits和22Bits,等价于数学上的除以$2^2$ , $2^13$ , $2^22$,然后相加取模二余数.
  • \Sigma _{1}(E)\Sigma _{0}(E) 类似,只是右移6,11,25 Bits.
  • 遇到红框模 2^{32} ,也就是抹去前面192位.

ABCDEFGH一开始分别是八个初始值,$K_t$是第t个密钥,$W_t$是本区块产生第t个word.

原消息被切成固定长度的区块,对每一个区块,产生n个word,通过重复运作循环n次对ABCDEFGH这八个工作区块循环加密.

最后一次循环所产生的八段字符串合起来即是此区块对应到的散列字符串.

比特币的方程(不等式)可以写成

\text{SHA256}(\text{SHA256}(C+x)) < \text{TARGET},0<x<2^{32}

其中C是个常数,根据环境而定

C = \text{version} + \text{prev_hash} + \text{merkle_root} + \text{ntime} + \text{nbits}

  • version = 版本号
  • prev_hash = 前一区块ID的字节反转
  • merkle_root = 本区块中所有交易的SHA256的墨克哈希树根的字节反转
  • ntime = 时间戳
  • nbits = 网络难度

Target根据之前上千个区块的平均求解速度调整,算法会将找到一个解的期望时间控制在10分钟左右.

解出来还要广播,其他终端会验证是否正确,如果正确就会被接受,然后大家一起去算下一个区块.

如果和别人几乎同时算出来,那么出现小分叉,然后继续挖,直到其中一个比较短被遗弃.

那么问题来了,人力能否求解这个方程?

不能...第一步就GG了...

时间戳(ntime)是从1970年1月1日0时0分0秒(格林尼治天文台时间)开始经过的秒数...

好吧 题主是最强大脑,大脑内置铯原子钟 ,这个问题不考虑.

然后以上所有运算都是16进制运算

一个这样的输入(prev_hash)有64位16进制之长,然后你得取反然后根据其他条件算出 C ,然后算出 C+x ,而且你得翻译成二进制进一步运算.

好吧 题主作为尖子生熟练掌握16进制加法和进制转换

这么大的整数至少要算20分钟的样子,列竖式大概只要一张纸,然后还不能有错.

当然 题主作为特长生学过珠心算 ,花了1秒打了下算盘就搞定了,然后花59秒写到纸上...

算错...不存在的...这可是国粹......

第二,取两次SHA256,一次是64个循环,两次128.这个比较简单无脑了,都是位运算就是在纸上位移不大方便.

那个老外算了16分钟,题主单身多年手速不知高到哪里去了,只花了4分钟就搞定了一轮(一共有128轮).

然而还是没有什么卵用,题主猜的这个x不是答案,还要继续穷举.

  • 然而呢,上面说了平均运算时间是10分钟.你算得比别人慢......白算!!!
  • 和别人同时几乎同时算出来,还要看谁被更多的终端承认,否则...白算!!!

题主是在上海上大学,聆听过人生经验,知道一些时间的奥秘,所以题主跑的很快...

根据相对论,跑的快的话时间就会变慢...

我查了下今天的全网算力是7,844 PH/s,题主静止状态下算力是1/(5*60*128) H/s

题主希望他能在一天内挖出一个比特币

一天有24*60/10=144个结算周期.根据伯努利概型:

E=n p=144\times\frac{s}{7844P+s}=1

1 P=10^3 T=10^6 G=10^{15}

speed=5.4472\times 10^{16} H/s

根据相对论,题主的速度达到了 1-1.516\times10^{-29} 倍光速!!!!

终于...题主算出了一个比特币...

但是,题主的速度实在是太快了,以至于时空畸变是如此的激烈

强大的能量,散发的辐射足以把地球轰的连原子都不剩!!!

这么大的能量从哪里来?

根据质量守恒,一定是题主燃烧了YY之魂才能换取如此不可思议的能量吧.

终于,地球OL服务器卡机了...题主滥用外挂被封号...

哪天这个问题或回答没了一定是GM回档了...