HN Theater @HNTheaterMonth

The best talks and videos of Hacker News.

Hacker News Comments on
Blockchain Demo

anders.com · 726 HN points · 20 HN comments
HN Theater has aggregated all Hacker News stories and comments that mention anders.com's video "Blockchain Demo".
anders.com Summary
A live blockchain demo in a browser.
Hacker News Stories and Comments

All the comments and stories posted to Hacker News that reference this video.
Nov 17, 2018 · 3 points, 1 comments · submitted by febin
magma17
Older than the internet.
Sep 26, 2018 · beefman on How Blockchain Works
Original site: https://anders.com/blockchain/
tim333
And original discussion from back when ETH was $11 or so a year and a half ago https://news.ycombinator.com/item?id=13566951
Sep 26, 2018 · mathnmusic on How Blockchain Works
I used this blockchain demo to teach a class this weekend. Many thanks to Anders Brownworth for creating this: https://anders.com/blockchain/blockchain.html
nchuhoai
I created the following interactive tutorial: https://blockchain.nambrot.com/

Would love your feedback on it!

scottmsul
A cool idea would be to split the class into groups where they pass around a piece of paper and can add their group's block and pass to the next group.
s_dev
Even the MIT URL in the source uses Anders demo -- it's that good.

Edit: Oh wow -- Anders is the author of the MIT demo. All the same stuff really.

Check out https://blockchaindemo.io/ and https://anders.com/blockchain/hash.html
lorenzosnap
Thanks. I was not aware of those two sites. Similar ideas but different results.
I loved this one a lot: https://anders.com/blockchain/
abhishekjha
This is what got me a proper intuition for why a blockchain can be useful.
I think the most useful resource you have for understanding the foundation is directly reading and understanding the original Bitcoin whitepaper: https://bitcoin.org/bitcoin.pdf

For some of the basics, you can take a look at Anders Brownworth's web demonstration: https://anders.com/blockchain/

I'd also recommend looking at the source code of some of the bigger blockchains (Bitcoin Core, Geth, etc..) and look at some smaller demo blockchain implementations:

- https://github.com/Jeiwan/blockchain_go/tree/master

- https://github.com/kendricktan/misocoin

- https://github.com/jeffbarg/Littlecoin (disclaimer: I am the author of this project)

sgtnasty
This is really fantastic, thank you very much.
kanon11
I second this. We need good information about blockchain to help get more people involved and move it closer to mainstream. It's still sadly, very far away, and something needs to be done about this!
Skip this article (which hilariously tries to rename and redefine hash properties) and play with this instead: https://anders.com/blockchain/
this is still my favorite https://anders.com/blockchain/
segmondy
yup, I was able to implement a basic blockchain at once the moment I watched that demo.
For explanation of both, watch this Video: https://anders.com/blockchain/ and then click on the "fork on github" link ;)
Sep 27, 2017 · cygned on Blockchain Basics
There are so many explanations on blockchains out there and the only one that made really sense to me was: https://anders.com/blockchain/

Watch the video, play with the examples and suddenly everything will make sense.

pierot
Great resource! Thanks for sharing
q-base
That was extremely helpful - thanks a lot!
jokoon
Great explanation.

Although I'm more curious about the mining process and how public/private keys are used.

hdhzy
Mining is just finding a combination of values that the hash of them will have a number of zeros in it. (intentionally brute force problem)

Public key crypto is used to confirm that the coins can move from one account to another, or to be more precise from one output to another input. (there are no accounts in Bitcoin, that's just an illusion)

jokoon
And how is it possible for newly mined blocks to be worth fewer bitcoins than earlier blocks? I'm talking about the limited quantity of bitcoins. How is that achieved?
hdhzy
The amount that the miner can claim is hardcoded in the client, something like "if block no < X you can create out of thin air only N coins". After some time N will be zero and the incentive for the miner will come purely from fees.

Of course a miner could just use a different, bigger value but then the block would not be accepted by anyone else and be basically worthless.

The rules are there because everyone is using the same client or bug to bug compatible alternative.

Super simple! Looking forward to part 2. Just reminded me of this video: https://anders.com/blockchain/?__s=vorsda25neenhsdtsbey
netvarun
All 6 parts have already been written/published - https://jeiwan.cc/
> Especially if you consider that the process of "mining" is literally computing hashes over and over again until you find the right nonce that meets some arbitrary criteria, it's hard to see this process as anything except wasting massive amounts of energy.

I think this wording obscures why the mining process gives the network trustworthiness.

You are changing the nonce over and over again until the HASH of the block meets some criteria. For example, your hash is below some value (it starts with a certain number of zeroes). This is important.

It's important because you can't 'fake' the work. The only physically possible way to come up with a block that has a conforming hash is to change the nonce and run the hashing algorithm and repeat this until your hash matches the criteria. There's no way I can know the nonce I need to use without running the hashing algorithm. Hence, if I present a block that hashes to a conforming value (you don't just take my word for it, you run the hashing algorithm on the block yourself to independently verify the work), you know that I've invested time and electricity (tangible, real-world things) in the creation of that conforming block.

Alone this doesn't seem like much, but the time and energy limitations it imposes gives a blockchain properties that make data more 'immutable' the longer it is stored in the chain by making it computationally more expensive to change data further back in time from the most recent block in the chain and makes it computationally expensive for a single bad actor to change past data that nodes in the network have 'agreed' upon. This computational expense is important when combined with the other rules that a node uses when receiving a new block and trying to independently determine that the block is valid and should be treated by that node as 'truth'.

The trustworthiness of the blockchain is an emergent network effect. It's not provided or enabled by one single thing, but by many things all contributing at the same time. Proof-of-work is just one small piece of a much larger system. For example, you also need to consider what other rules make proof-of-work useful in the system, such as the rule that a node must accept a chain with more work in it as more truthful than one with less work (hopefully I'm wording that somewhat right!).

Saying 'the miners provide security by hashing' is a massive oversimplification of what's going on. It's very much a sum-of-all-the-parts thing.

I found this helpful in particularly driving this process as a whole home: https://anders.com/blockchain/

I'm still really getting my head around blockchain itself, so if I'm way off base on anything in my understanding here I'm happy to be corrected :)

As I understand it, the challenging question is - is there something else we can use that's as independently verifiable as proof-of-work that's more energy efficient? What independent verification do we give up if we do choose something that's less energy consuming (but maybe less 'provable')?

nodamage
> You are changing the nonce over and over again until the HASH of the block meets some criteria. For example, your hash is below some value (it starts with a certain number of zeroes). This is important.

Yes I am aware of this, I simplified a bit so the sentence would read less awkwardly.

I am no expert on this but it depends on what is your interest? Is it from a use case perspective or a technical one?

Technical perspective, people tend to conflate crypto currency with blockchain and vice-versa. Both are not the same. Crypto currencies are an implementation of the blockchain concept with their own twist on how to leverage blockchain.

A good primer on blockchain is - https://anders.com/blockchain/

Then there is the bitcoin paper which not only introduces blockchain but also explains bitcoin: http://fermatslibrary.com/s/bitcoin

The white papers of various currencies also provide the technical perspective and details on their implementation.

Use case perspective, you will have to rely on white papers by the specific coins. They will delve into how they look at blockchain to solve their problems. Beware these papers tend to be verbose and full of marketing fluff. So unless, as Warren Buffett puts it[1], within your area of competence there is nothing to be gained.

One thing I have realized over time is that many people writing stuff on cryptocurrency tend to be very verbose. Case in point: https://www.igvita.com/2014/05/05/minimum-viable-block-chain...

This in my opinion, and I am known to be very wrong most of the time, is because it takes the technical route to explain things than standard expressions.

Basic stuff like "what is a block" is elongated with many technical terms. The simplest answer is "block is a public ledger and contains all transactions". Ledger is a legit word and you can find tons of articles explaining what a ledger is. But then you have tons of articles which skip this simple explanation in favor of an elongated explanation using technical terms and putting their own versions of what constitutes a transaction.

[1] http://www.businessinsider.in/The-Circle-Of-Competence-Theor...

This demo/primer on the blockchain itself is fantastic, if you're looking to understand the underlying technology: https://anders.com/blockchain/
If this is an educational product then it would be even better to expose more details to the user. For example, the fundamental steps illustrated in the Blockchain Demo (https://anders.com/blockchain/). A nimiq blockchain explorer would also be a nice feature.
elionchin
A blockchain viewer (showing most recent blocks) is in the works for the Betanet and should go live soon. Full chain explorer will follow for the feature-complete Testnet.
I wrote this tiny toy blockchain code to help myself understand blockchains, based largely on the UI at https://anders.com/blockchain/ by Anders Brownworth.
Here is a really great video [1] which really made blockchains click for me. I believe this was posted on HN a while back.

[1] https://anders.com/blockchain/

I always find this introduction (including a "live demonstration") by Anders Brownworth very illustrative: https://anders.com/blockchain/
AngelloPozo
I keep forgetting this exists. The video is damn good at explaining how blockchain works overall. I think the strongest bit is showing how data manipulation is easily detectable.
rorykoehler
This is fantastic. Great explainer for both tech and non-tech alike. Thanks for sharing.
bernardlunn
I found this very clear and accessible
fergazen
wow. That Anders video is definitely the best description/explanation of blockchain I've ever seen.
jfaucett
This is a great video/site. After watching this, it made me think how amazing the blockchain would be if our accounting and trading systems were built on top of it. As a programmer outside the financial services sector, it seems to me something like this has to be the future. But it would be really interesting to see what quants and others in the field think.
fergazen
Back in 2008 I invented an algorithm for tree structures where the definition of the hash of any node was "the hash of hashes of all its immediate children". I had invented a way to do 'tree node comparisons' where any time two tree nodes on a tree had the same 'hash' I knew the content (recursively deep into the tree) of those nodes was identical. I never went forward on that algorithm, because I knew it meant each time a tree node was modified, the hash of all its parents (i.e. path to root) had to be recalculated. But I had explained it to several developers who were all amazed by it. I now realize I had invented blockchain. I am pretty sure I'm not the first one to realize hashing actual hashes (in a recursive or chained way) is a powerful concept. I may add this to my current project SubNode (sbnode.com), and I could pivot that app into a blockchain technology!
pacaro
I think Merkle got there first, in about 1979 or so.

https://en.m.wikipedia.org/wiki/Merkle_tree

fergazen
Very interesting, thanks. I had never heard of Merkle Tree. Since a linked list is merely a special case of a 'tree structure' (i.e. one where there is always only one child), we can consider Merkle to be the true 'inventor' of blockchain. However, really the concept is so simple and obvious that I wouldn't be surprised if Babbage/Lovelace era folks had written papers on it.

I'm sure there's at least one arse who'll tell me the DIFFERENCE between a tree and a linked list. lol. Gotta love social media.

komaromy
He'd also be the true inventor of Git then. It's a widely useful data structure.
fergazen
Merkle WAS a genuine innovation, and it DOES collapse into plain blockchain if all 'nodes' on a given tree have one child, because in this case the directed graph (tree) is a linked list. If the key innovation in both structures were not the same then your snarkiness would have been appropriate.
sbmassey
The point is that there is more to blockchain technology than just Merkle trees, I think. Just focussing on the underlying datastructure is like saying filesystems are just B trees or something.
fergazen
The Wikipedia article on blockchain has this sentence: "From the technical point of view a blockchain is a hashchain inside another hashchain", and that sums it up. The actual blockchain algorithm itself is as simple as that. Period. Full stop.

Of course, most actual APPLICATIONS of blockchain also ADD ON a lot of other concepts, like distributed ledger, distributed consensus, etc. Trust me, i'm not the guy in this conversation confusing algorithms with applications.

pacaro
Yes. I think that there are a bunch of interesting ideas in blockchain technology, not all of which are necessarily new, but they are often new to the blog writer and/or audience. So introductory articles often focus on those basic concepts, which leads to this confusion.
benchaney
A linked list is a special case of a tree structure, but a blockchain is not a special case of a Merkle tree. If you considered the special case of a Merkle tree that was just a list it would be both useless, and not a blockchain.

Edit: It's worth pointing out that the main innovation of the 2008 paper by Nakamoto introducing the concept of blockchains wasn't just storing things in a linked list based on hashes. It was the Sybil tolerant distributed consensus algorithm. Most people include that in the definition of a blockchain.

jacquesm
It's a nice strike against software patents though, probably every programmer interested in data structures goes through a whole series of these independent inventions.

To award a patent to someone just because they thought of it first is ridiculous.

fergazen
I'm no lawyer, but they really need to outlaw patents on 'general purpose' technologies. Adam Carolla famously got sued for owning a podcast company, when someone claimed to have a patent on the entire concept of "downloadable audio". I think there should be a one year jail term for anyone who files a suit about something that ends up being determined "general purpose" technology. Would end the nonsense overnight.
This may help you also: https://anders.com/blockchain/. In fact it is quite a bit better, since it adds more info. Also the code of it is on GitHub ;)
Good video+interactive explanation: https://anders.com/blockchain/
Feb 04, 2017 · 723 points, 147 comments · submitted by spaceboy
starik36
Pretty cool. This is the first time I looked at the blockchain and his explanation was immediately understandable.

Having said that, he mentioned that everyone has a copy of the blockchain. So, is that really true? Wouldn't "everyone" be overwhelmed by the number of blocks?

Is there a specific example where blockchain is used, other than bitcoin?

Taek
Well, yes. This is why blockchains are often called expensive. Every single full node on the network has the entire blockchain. And when you make a transaction, that transaction gets processed by every single node on the entire network.

Needless to say, there are some scalability problems here. And there are a lot of solutions to the scalability problems (such as the lightning network), but generally speaking scalability is probably the biggest and most heated topic in the blockchain space.

DiThi
The hash of each block is actually the hash of the header. That means you only need to store the headers to validate their hashes (not the transactions, that's a different matter). The header includes the root hash of all the transactions. Specifically, a Merkle tree, a hash tree where you only need a few extra hashes to confirm a specific transaction was part of a block.
Taek
While true, this only works if you are assuming that the block is valid. To verify that the block is valid, you actually need the entire history of the blockchain, including processing yourself every single transaction that has ever been made over the blockchain.

What you describe is SPV verification, which basically says "if a miner decided to spend $10,000 in electricity mining this block, they probably verified the transactions first, so I probably don't need to verify it myself". Of course, if everyone makes this assumption, it's very easy for the miners to start slipping in illegal transactions without anyone noticing.

So, some of the network running SPV is okay, but too much is a great systemic risk.

DiThi
Yep, that's why I say "(not the transactions, that's a different matter)". A block is only truly valid when its transactions are. But if there are months of blocks after it and enough percentage of nodes are full nodes, you can safely assume it was indeed verified.
antocv
Not everyone, just people who like to run a full node; the others run "light clients" or other variants of light clients, like Electrum, but eventually, if nobody ran full nodes it wouldn't work at all.

The bitcoin database size is more than 100GB now in 2017.

Blockchain is used by all altcoins and Namecoin for distributed DNS like system.

moxious
What's the rate of growth on the size of the block chain? How big would it be for example after 5 years if 1/100th of economic activity was in BTC?
antocv
The rate of growth depends on the amount and size of each transaction people are doing on it. There are methods of pruning or discarding spent transactions, but someone somewhere would have to keep it all.

The amount of transactions people are willing to do depends on the value each does, so some people think if bitcoin transactions are almost free some other people would "spam" the network with their "worthless" transactions, thus increasing/growing the size needlessly. So these people claim high fees should ensure only really valuable transactions happen on the network, and not for buying coffee/payment-processing.

So your other question, astronomical, completely utterly astronomical.

Which is why people invent https://byteball.org and others to solve these problems.

reddytowns
Why would someone need to keep it all? I would think that only the hash would be needed for blocks without UTXOs.
RationPhantoms
That actually brings up the idea of sharding which is to assign a node a specific set of transactions and discard the rest. This allows us not to all need an entire record of the blockchain but implementing that into Bitcoin isn't exactly the easiest.
Taek
There's no method for sharding the blockchain today which is considered secure, but it is an active area of research.
Taek
You can also run a pruned node, basically you download everything and verify it as you go, but once you've computed the utxo set at a given block, you can throw that block away.

Pruned nodes I think are like 2 GB right now? Something in that ballpark.

Taek
I feel it is necessary to mention that there's an enormous amount of snakeoil in the blockchain/appcoin/altcoin industry, and that there are hundreds if not thousands of people who have invented broken "solutions" to blockchain problems that they are trying to sell.

Many of these solutions come from people who genuinely believe that they've solved fundamental problems with Bitcoin. But by and large, they have missed important security vectors. Writing a blockchain is a lot like rolling your own crypto - leave it to the experts, and don't trust one unless you've got a bunch of experts who agree that it seems sound.

These problems are very hard. If you are wondering why Bitcoin has not adopted some interesting new technology despite years of dozens of experts doing their best to get scaling into Bitcoin, it's probably because the interesting new technology has some fatal flaw.

nikcub
Have a look at this chart, it shows the size of the blockchain:

https://blockchain.info/charts/blocks-size?timespan=all

It now grows linearly because it has reached the maximum block size of 1MB per block (actually 1000 kB) (this is the block size debate you've likely heard about)

Blocks today are almost always 998, 998 kB in size and without a transaction fee your transaction can take multiple blocks to be processed.

Block every 10 minutes (goal) is 6 blocks an hour, 144 blocks a day is 144,000 kB a day, is around 4,320 MB a month.

6nf
All the miners run full nodes of course so there's always a bunch of full nodes around.
tromp
Most miners operate in a pool and rely on the pool for full node functionality.
6nf
Yea that's what I mean. Each mining pool runs at least one full node to support their own mining operation.
rocho
How is it possible then to know your balance? Do you have to go through all the blocks just to find those transactions that involve the public key of your wallet? This sounds extremely impractical, because the majority of the transactions would not involve yourself.

I assume then that there's a way to "query" the blockchain? How does Electrum do it?

Xophmeister
Maybe this is off-topic, as Bitcoin is an implementation of a blockchain, but I'm interested in how the reward and consensus system works.

This video implies that, while expensive, it's not that expensive to calculate a correct nonce. Why, therefore, is mining now only viable to huge ASIC farms? My presumption is that it must be to do with either speed (i.e., the farms get there first), or influence (i.e., the farms have more peers, so can sway the vote in their favour).

imaginenore
Bitcoin has Difficulty, a measure of how many zeroes you must have in your hash.

https://en.bitcoin.it/wiki/Difficulty

https://en.bitcoin.it/wiki/Target

Basically, every 2016 blocks (around 11-14 days) new difficulty is calculated based on the time it took to find the previous 2016 blocks.

Whenever someone gets new fast hardware, blocks get solved quicker, but then the difficulty gets adjusted after 2016 blocks, and it becomes hard again (but even harder for the people with worse hardware).

akramhussein
Previous posters have done a good job to answer your question.

Just wanted to add that some people are looking at replacing this 'Proof-of-Work/Mining' mechanism with a different method called 'Proof-of-Stake' [0]. Other cryptocurrencies have already implemented this.

If you jump into the blockchain/bitcoin rabbit hole you will eventually come across this :)

[0] https://en.bitcoin.it/wiki/Proof_of_Stake

hackcasual
The problem with POS is that it ties to those coins and requires you to have them online in hot wallets
sneak
There is another model called DPoS (D=delegated) where you use your coins to vote for block producers, who then use their keys to sign blocks. It's pretty cool, because then the miners' (in DPoS known as "witnesses") keys need not directly control any coins (just sign blocks with the transactions of others).
Taek
There are a lot of problems with PoS: https://download.wpsoftware.net/bitcoin/pos.pdf

For the most part, proof-of-stake has been strictly rejected as a viable means of building decentralized consensus by the industry experts.

Taek
With Bitcoin today, instead of needing 4 leading zeroes you need something like 17 leading zeroes (in hex, or ~1 in 2^68 chance of finding a block).

Every 2016 blocks, the difficulty adjusts. This is supposed to take 20,160 minutes, but if the timestamps indicate that it took less than that, the difficulty will increase, requiring more leading zeroes. If it takes more time than 20,160 minutes, the difficulty will decrease, essentially requiring less leading zeroes.

Also worth pointing out that the hash can be evaluated as an integer. Instead of requiring an exact number of leading zeroes, you require the hash to have an integer representation that is lower than a certain value.

There's actually a lot of work that has gone into Bitcoin to make sure that having higher hashrate and higher influence does not make it more likely so that you can find a block. Ideally, if you have 0.01% of the hashrate, you have a 0.01% chance of finding each block, and if you have 33% hashrate, you have a 33% chance of finding each block. In reality, Bitcoin is not quite this perfect, but it's pretty close. The 33% hashrate miner may have a 34% or 35% chance of actually finding each block.

sneak
This, in my opinion, is one of the true core innovations in bitcoin: the negative feedback of collective hashpower causing the block target to shift.

It's absolutely brilliant. Blocks come at approximately 10 minute intervals whether it's just two people cpu mining in their basement or a global network of ASIC farms consuming megawatts.

It's certainly been fun to watch. When I started mining on the very first publicly released GPU miner, my ~$500USD ATI PCI GPU yielded a block (each with a 50 bitcoin reward) every hour or two. I was mining somewhere around 10% of all the blocks in the chain.

Now, doing that very nearly requires owning a hydroelectric dam.

mckoss
Nice job.

Nit - it would be nice not to use the term "signed" for a block that has a sufficiently small hash. The term "valid" is more commonly used for this attribute of a block, and less confusing with signed transactions.

zutronics
I saw Anders give this overview live at a Hubweek presentation at the Boston Fed a few months back. Excellent overview. Not sure if he's still working at Circle, but their recent pivot away from Bitcoin is a bummer - but I'm told they're still utilizing the Blockchain as an underlying technology for their systems.
anders94
Thanks for the comment - I am still with Circle, and indeed we still use the bitcoin blockchain behind the scenes. We're also working on a smart contract platform called Spark. More to come on that in a bit.
baby
Wait what is the coinbase thing?

EDIT: Oh, that's when you successfully mine a block. I'm guessing they chose the name "Coinbase" instead of "reward" to promote Coinbase.

wcoenen
"coinbase" is a term from the bitcoin source code[1]. The company came later.

[1] https://github.com/bitcoin/bitcoin/blob/master/src/coins.cpp

avenoir
I'm more than sure I misunderstand something. Is the purpose of mining to introduce cost to recalculating a chain? So basically if someone changes a block in the chain mining makes it impractical to extend the change upstream? If so how did this impact the security of blockchains in the early days when mining complexity was very low and attainable on a single CPU.

By the way, amazing find. Immensely thankful to the OP for sharing.

mthoms
You've definitely got the right idea.

It's not mentioned in the video, but mining is also how new currency is generated - Miners are rewarded for finding blocks (thus there is incentive to mine).

And to answer your question - In the early days, miners were hobbyists and simply operated at a loss. The value of coins grew roughly along with the "hash power" of the collective network (as you might expect). And at the same time, the reward for finding new blocks is constantly shrinking.

bshanks
Yes, you are correct. Proof-of-work blockchains are vulnerable to an adversary who has more computing power than the sum of the computing power of all of the honest miners. This is called a "51% attack". So baby blockchains are quite vulnerable.
arglebarnacle
So in a blockchain, it's straightforward to verify whether a block contains only valid transactions or not (in the sense of an address only being allowed to spend coins it really has for example). Any node running the reference implementation will reject any block that is invalid regardless of mining.

The issue with one actor controlling over 50% of mining power is that they can spend their money, then go back in time to before the spend to create an alternative chain. Since they control the majority of hashpower, their alternative chain catches up and ultimately becomes the reference chain in the view of the nodes in the peer to peer network. The bad actor is then free to spend the coins from their original transaction again, despite presumably having already received the goods or services from the original transaction.

The real innovation of the blockchain is that it solves the Byzantine Generals problem in the case where less than 50% of the hashpower in the network belongs to coordinating bad actors. In the absence of that level of centralization and collusion, you can be sure that nobody is cheating.

blinry
I'd like to start a Reddit community around interactive explanations like this – wanna join? https://www.reddit.com/r/explorables/
Curious42
Yes please.
nul_byte
So I guess where he talks about the consensus of the peers 11.10seconds, this is a good way to understand a 51% attack?
baby
Yup, this is it.

What I'm wondering is how many blockchains are you verifying as a peer. When you download the blockchain software, you start verifying the entire blockchain, do you keep getting blockchain hashes from other peers and keep comparing them to see what's the consensus?

Natanael_L
You ask for blocks from everybody, starting with the genesis block (block #1).

You verify that they're all valid, and the blockchain with the greatest accumulated difficulty (correlated with chain length) is assumed to be the valid one used by the whole network.

Whenever you get new blocks you first verify validity, and then you check if they make up for a conflicting blockchain longer than yours (if so, you switch), shorter than yours (ignore), or if it extends the blockchain you have (then you add them).

Number of peers doesn't matter in Bitcoin.

baby
OK. So you get an arbitrary number of blockchains, you check which one is the longest, it wins. Doesn't matter if you have 50 against 1 that are shorter and on a different path?
Natanael_L
Only one thing matters - a validly formed blockchain with a total accumulated proof of work greater than that of any other individual chain.

This typically also means that the longest individual blockchain wins.

fidz
Great explanation. Thank you very much. However, it raises question for me:

- So "Hash" is a combination of Block Number, Nonce, and the Data?
- If "mining" means computing the Nonce, what is the actual data to be hashed?
- For the Coinbase case, is the data the miner's Coinbase Account? So that if mining is successful, the miner will get the "money"? If so, how does the first miner advertise the result so that the other peers can trust that the first miner actually gets the money?

Natanael_L
Coinbase the company is unrelated to the Bitcoin protocol, other than that they use it like everybody else.

The hash covers the Bitcoin block header. The header includes a Merkle Tree Hash of all transactions, including the transaction that is the base for creating new coins = coinbase.

You pay to public keys. Payments have to be signed by the private key holder for the public key that a given set of coins have been assigned to.

Publishing the block itself that you mined is how you announce it. Others then have to accept your block and continue building on it as a part of the blockchain.

Canada
It's an expression containing a public key controlled by the miner.

The way you give value to someone else is by saying, "whoever can make this expression evaluate true can move the funds"

https://en.bitcoin.it/wiki/Script

mnemotronic
At about 8:50 he describes how changes to early blocks cause the chain to "resist change". I understand how a change to a previous block will require re-computation of subsequent blocks, but how is this "resisting change"? Just recompute the nonce for each of the remaining 2 or 3 blocks. No big deal. What am I missing?
xxbondsxx
Even if it were computationally cheap to do so (despite a very long blockchain and new blocks arriving), it is a peer-driven system. So if you alter your blockchain, it will differ from the majority consensus from the rest of the crowd and your version of the truth will be rejected.
Natanael_L
You also need to compete with all the miners in the network to accumulate more proof of work in your chain than what's already been added in the existing chain.

Less proof of work = rejected blockchain fork.

bshanks
The blockchain is supposed to be used as an append-only data structure. There are a number of nodes who have copies of what is supposed to be (or at least, converge to) exactly the same data. The nodes are all constantly telling each other what they believe to be the most up-to-date version of the data. The purpose of the blockchain is to support a consensus-finding algorithm by which the nodes may start out disagreeing on the contents of the most recent few blocks in the log, but eventually converge to a consensus, at least for relatively old blocks.

But some of the nodes are evil (or maybe just faulty, or maybe just out-of-touch), and want to try to change past data and get the other nodes to accept their fake history (the "fake chain").

When any node notices that some other nodes are saying different things (proposing different chains), it prefers to believe in whichever chain is longer (this is a slight simplification, actually it's accumulated difficulty).

Many of the nodes are constantly accepting new data and 'mining' new blocks to append to the end of the real chain. They are doing this as fast as they can. The problem of finding a new hash for new blocks is embarrassingly parallel, so if there are 1000 nodes in the network they can mine about 1000x as fast as one node (however, the protocol is constantly adjusting the difficulty (the number of prefix zeros required in the hash) to ensure that on average the blockchain is getting longer at a fixed rate).

If the evil nodes want to change something far back in history, they're going to have to try to mine a whole bunch of new blocks before the fake chain gets as long as the real chain. Recall that the other nodes will reject the fake chain as long as they are aware of another chain which is longer. But while the evil nodes are trying to catch up, the good nodes are also going to be trying to mine new blocks to append to the end of the real chain.

Assuming there are more good nodes than evil ones (or rather, that the total computing power of the good nodes is greater than the total computing power of the evil ones), on average the speed that the evil nodes can mine new blocks is slower than the speed that the real chain is getting longer.

Therefore the rule that the longest chain is the right one works.

Now, through random chance it's always possible for the evil chain to get lucky and mine a block much faster than the good chain. But if it alters something deep in history, then in order to catch up, it would have to get lucky in this way many times in a row; the chance of that happening decreases geometrically with the number of blocks it is behind. Therefore, you can be very confident that a block deep in the chain won't be altered.

To reiterate, the reason that it's important that the further back you change something, the more hashes you need to recompute, is that this leads to the following property: if there are two competing chains of different lengths, the probability that the shorter chain will eventually become the longest decreases geometrically with the initial difference in lengths. This property is why the algorithm converges to a consensus on the data in older blocks.
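
The geometric decrease described in this comment, put into numbers as an added example that is not part of the thread. It uses the gambler's-ruin closed form and the confirmation calculation from section 11 of the Bitcoin whitepaper; the function names, the seed and the 30-block give-up threshold in the simulation are assumptions of this sketch.

```python
import math
import random


def catch_up_probability(q: float, z: int) -> float:
    """Chance that a miner with share q of the hash power ever erases a
    deficit of z blocks (gambler's ruin): (q/p)**z when q < p, else 1."""
    p = 1.0 - q
    return 1.0 if q >= p else (q / p) ** z


def double_spend_probability(q: float, z: int) -> float:
    """Whitepaper section 11: the merchant waits for z confirmations while the
    attacker mines in secret. The attacker's progress in that time is Poisson
    with mean z*q/p; from k blocks mined, the remaining deficit is z - k."""
    p = 1.0 - q
    if q >= p:
        return 1.0
    lam = z * q / p
    poisson = math.exp(-lam)          # P(attacker mined k = 0 blocks)
    total = 1.0
    for k in range(z + 1):
        total -= poisson * (1.0 - (q / p) ** (z - k))
        poisson *= lam / (k + 1)      # step to P(k + 1) without factorials
    return total


def confirmations_needed(q: float, risk: float) -> int:
    """Smallest z for which the attacker's success chance is at most `risk`."""
    if q >= 0.5:
        raise ValueError("no number of confirmations helps against a majority")
    z = 0
    while double_spend_probability(q, z) > risk:
        z += 1
    return z


def simulate_catch_up(q: float, z: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of catch_up_probability: each new block belongs to
    the attacker with probability q. A trial is abandoned as a loss once the
    deficit has grown by 30 blocks (an assumption of this sketch)."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        deficit = z
        while 0 < deficit < z + 30:
            deficit += -1 if rng.random() < q else 1
        wins += deficit == 0
    return wins / trials


if __name__ == "__main__":
    for q in (0.10, 0.30):
        for z in (1, 6, 10):
            print(f"q={q:.2f} z={z:2d} catch-up={catch_up_probability(q, z):.7f} "
                  f"double-spend={double_spend_probability(q, z):.7f}")
    print("confirmations for <= 0.1% risk at q=0.10:", confirmations_needed(0.10, 0.001))
```

Read from the merchant's side, `confirmations_needed` turns an assumed attacker share and an acceptable risk into the number of blocks to wait before treating a payment as settled.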

mnemotronic
Thank you very much for that expanded explanation. I now know more, but knowledge is a dangerous thing.

Let's pretend I have the fastest hash generation engine (actually I'd need 2 for this scheme). I would create a real node that uses my engine and becomes part of the node community. Then I create 100 bogus nodes that proxy to my real node. Now I have a large number of nodes that are essentially using my version of "reality" which, in the beginning, is what everyone else says is truth. Meanwhile I'm busy re-writing history to give myself 10 bazillion bitcoins. My other hash engine is recomputing the chain with my bogus history in the background. At some point it catches up with the present. At that point I substitute my bogus chain for the real chain on my main node. My main node is now in disagreement with everyone else's view of reality. My bogus chain also shows up on my 100 other nodes that are proxying my main node. I now have 101 nodes showing my bogus bitcoins. If 101 nodes isn't enough to win the vote then add more bogus nodes until I have 51% of the total nodes.

Also, what's to prevent me from adding many real but zero sum transactions to my chain before I tell the world about those transactions? He who has the biggest chain wins.

Unrelated thought: quantum computing sounds like it could throw a monkey spanner into the wrench works.

bshanks
> If 101 nodes isn't enough to win the vote then add more bogus nodes until I have 51% of the total nodes.

You could do that, but it would be expensive. It's not the number of nodes that matters, it's the total computing power of those nodes, because they need to hash faster than the rest of the network. Your nodes, combined, would need to have more computing power than all of the other nodes, combined. If the blockchain you are attacking is popular, the cost of this much computing power would be prohibitive (eg for Bitcoin today [https://gobitcoin.io/tools/cost-51-attack/] estimates it would cost around $1 billion for the machines plus $2 million per day for electricity).

> Also, what's to prevent me from adding many real but zero sum transactions to my chain before I tell the world about those transactions? He who has the biggest chain wins.

Since each block must contain the hash of the previous block, these blocks, although empty of data, still have different hashes. So you have to compute just as many hashes, regardless.

> Unrelated thought: quantum computing sounds like it could throw a monkey spanner into the wrench works.

Yes, maybe. See [https://en.bitcoin.it/wiki/Quantum_computing_and_Bitcoin]

cyberfart
It doesn't "resist change" as much as it just makes it easy to tell that it was manipulated. Now you can go ahead and rehash the following blocks in the chain (if you can) but with only you having that chain and nobody else, it will be discarded in a distributed system.
eecks
How are updates propagated to all different copies of the blockchain?
myroon5
Reddit thread on this: https://www.reddit.com/r/Bitcoin/comments/2wjgpd/can_someone...
Taek
Another commenter linked to a discussion about updating the Bitcoin software, but are you talking about updates to the Bitcoin blockchain?

An 'update' would be a new block or transaction. The Bitcoin network shares new blocks and transactions over a flood network where every node is peered with 8+ other nodes, and will tell all of them when it sees a new block or transaction.

chrisseaton
Why does the number have to be a nonce? If you can find a number that gives a block the correct number of zeros, but it has been previously used to give a totally different block the correct number of zeros, what is wrong with using it?
DiThi
You can start counting from zero or you can start with any of the previous numbers, but in the end the probability that it is the correct number is exactly the same. The header is always different than other headers (even if it's just for the block number, or "height"), that guarantees the probability is random.
detaro
It's called that for whatever reason in bitcoin, but yes, there is no reason why it couldn't be reused in a different block. Maybe the name was used since it is similar to a cryptographic nonce in that it is chosen independently of the actual "payload" data?
mthoms
By design, the chances of a previous nonce being re-usable are virtually nil. http://preshing.com/20110504/hash-collision-probabilities/

The Bitcoin "nonce" is actually a much bigger number than shown in the video. 32 bits I believe.

Natanael_L
32 bits is actually just 4 billion values. Technically it isn't enough to reliably find valid blocks with today's difficulty if that's all that you modify.

That's why current miners tamper with both the coinbase transaction, timestamp AND the nonce to find potentially valid blocks in mining.

mthoms
Interesting. Is that allowed by the protocol?
Natanael_L
Yes, because there's multiple valid ways to format coinbase transactions and there's a few bits worth of margin in the timestamps that you can change.
fabianfabian
It's just named that way, probably as in you don't try the same number twice for finding the hash of one block. The same number can be used for other blocks or even the same block if you change something else in it (like add more transactions).
sowbug
It doesn't, and there would be nothing wrong with using it. I haven't read TFA but it's probably using "nonce" in the more colloquial sense of a random number that is in a range so large that repetition is extremely unlikely.

Finding that a single number solved two blocks would be very similar to finding a SHA-256 collision (Bitcoin uses a double-SHA scheme that I think was designed to address a length-extension concern).

stevehiehn
There is something I don't understand: At the point a transaction is made there is only one copy. Does that not mean at that point it's vulnerable to fraud before more copies are made?
stevehiehn
Ah! I get it now. I just watched a Khan Academy video. When a transaction occurs between valid users (with public keys) the transaction is broadcast to the entire network.
pizza
https://en.bitcoin.it/wiki/Double-spending#Finney_attack

The key is to wait for confirmations

martinkallstrom
Very nice explanation. Not oversimplifying and not too detailed. Could anyone care to explain smart contracts in the same balanced fashion? I always struggle to convey my understanding.
baby
For Ethereum, IIRC, inside a transaction you can host a program (contract). A peer who runs your program will use your transaction money to run it (it's called gas) and display the result of the program as part of the new receiving transaction.

Everyone who verifies the contract needs to run the program as well, for free, that's why you can't have big programs.

You can then send new transactions to continue using the program, to interact with it, etc...

If you don't send enough gas, they can't run the program though. (Each function in a program costs some amount of gas to run.)

DennisP
In Ethereum and similar systems, a smart contract is a script which can hold funds and various other data. It has functions that can be called by users, which can update data and move money around. The script can also act like a user and call other scripts.
antocv
In bitcoin you can have a transaction which requires 2 or more people to sign it before the transaction can happen/is considered valid at all.

Smart contracts are about specifying conditions which can be checked in the blockchain, like existence of certain data you expect to be posted in the OP_RETURN (comment-like field) by other transactions. When your conditions are met the "smart-contract" makes/signs and publishes its own transaction, and other contracts can depend on this output of your contract.

pcmaffey
So absolute truth on the blockchain is held by majority rule?
Taek
Not quite. Bitcoin has very specific rules that transactions must follow. For example, there is a very strict way that you can create new money. Existing money can only be spent by the owner, etc.

So, if the longest chain violates one of the core rules, that chain is ignored. You only ever follow the longest chain that also follows all of the rules.

runeks
It's not the longest chain (most blocks) that is preferred, it's the chain with the most cumulative work. Ie. the valid chain whose sum of block difficulties is the greatest.
bshanks
Yes, if you imagine that the number of "votes" that each computer gets is proportional to its computational power ("hashing power" or hashpower). (if instead, each node got one vote, then it would be too easy for someone to create a million fake nodes to game the vote)

Also as Taek points out, the protocol also contains some rules that constrain the content of the chain. No honest node will accept a chain violating these rules even if a majority of the hashpower supports such a chain.

Note that this describes a "proof-of-work" chain. There are other forms of blockchains, such as "proof-of-stake", in which the number of "votes" is proportional to something other than computational power.

c0achmcguirk
Yes, in a sense. The longest blockchain is the "truth." But with independently acting miners and mining pools there isn't a "majority" in the sense of a group of actors bullying the minority.

The 51% problem describes this but it probably won't happen. The miners don't want to be a part of a pool that achieves over 50% hashing power because it would undermine bitcoin and sabotage their efforts. Currently the biggest mining pool is either AntPool or F2Pool. They both have about 15% of the total hashing power [1].

- [1] https://blockchain.info/pools

2sk21
Anders Brownworth is the cohost of the Asymco podcast along with Horace Dediu. He mostly takes the back seat to Horace in that podcast so I'm amazed to see how talented he is at explaining things. He did mention in a podcast that he is working on a blockchain-related startup (apart from being a helicopter pilot!)
gamapuna
This was posted before, but IMO is very well written: https://www.igvita.com/2014/05/05/minimum-viable-block-chain...
Curious42
There's a nice analogy that can be drawn between linked lists and the way blockchains work.
kriro
Very interesting and well explained. I like the style with the code/tabs. Link to that code: https://github.com/anders94/blockchain-demo
quwert95
I really like this demo; it makes sense and was stepped through beautifully.

I would love to see a 'weaknesses' explanation about blockchains though, like how 'truthiness' is generated and speed of verification and distribution.

Well done.

Natanael_L
If the blockchain follows the rules in the code / protocol and it is part of the blockchain fork currently known to have the greatest amount of accumulated proof of work, it is considered canonical / real.
Curious42
What's the guarantee that every peer has the same number of blocks? Are they asynchronously updated through a global endpoint or something similar?

And how do these peers communicate with each other?

Natanael_L
All full nodes propagate blocks they generate or receive to everybody else. The blockchain system aims for global consensus.

The chain with the greatest amount of proof of work will propagate to the majority of the network and be accepted as valid by these nodes (assuming it also follows the protocol rules).

dmux
One of his last comments -- the one about having an immutable, agreed upon history -- seems like a great tool for recording facts in our "alternate-facts" world.
moxious
Block chain has always seemed technically excellent but of limited practical value to me.

It clearly excels in a world where the participants are anonymous and can't trust each other. The trouble is that doesn't describe most business transactions worldwide. Humanity has a couple thousand years of business experience that generally always bent towards parties identifying one another, building trust, and using courts when those previous methods failed.

So there seems a big mismatch here...block chain seems really excellent at solving a problem that doesn't exist in most places.

Bitcoin is a good counter example. And crypto libertarians who would prefer anonymity will clearly always be attracted, but society would have a lot of cultural habits to undo before this would seem attractive in the mainstream.

Taek
> generally always bent towards parties identifying one another, building trust, and using courts when those previous methods failed

That costs a lot of money. It makes it hard to get started if you are untrusted, and it means you have to have a court system, you have to do legal stuff, you have to constantly be wary of the potentially changing trustworthiness of your counterparty.

Blockchains eliminate all of this overhead. It doesn't matter if you are dealing with a highly regulated bank or if you are dealing with Bob the hobo, the blockchain guarantees that you can't be stabbed in the back (... err, when used correctly. Used incorrectly it will not provide any security at all).

I think this is something a lot of people fail to grasp. The true power of the blockchain is its ability to bring trust to places where it's currently inaccessible. Banks that don't trust each other can do business directly. Countries that don't trust each other can do business directly. A person with no name, no reputation, and no tether to a court system can also be transacted with safely, because the courts, names, and reputations are made strictly unnecessary.

And the proposal is that doing things this way is much cheaper than doing things the traditional way, especially when you consider all of the innovation that could never happen simply because the innovator was unknown or untrusted. All of the energy and money that goes into mining Bitcoin, in my opinion, is more than made up for by the value-add here.

moxious
> The true power of the blockchain is its ability to bring trust to places where it's currently inaccessible.

Where is that? Because trust seems accessible to me everywhere there is a reasonably open democracy and rule of law.

And why does this trust cost so much? Take payment cards like VISA. Max, they cost 1-1.5%. There's not much to save there. Sure, it would be cheaper if I paid 0.01%, but the cost is already low enough that it's not really preventing any transactions. And of course bitcoin is not going in the direction of enabling micro payments because of transaction costs and volumes.

krrrh
> And why does this trust cost so much? Take payment cards like VISA. Max, they cost 1-1.5%. There's not much to save there. Sure, it would be cheaper if I paid 0.01%, but the cost is already low enough that it's not really preventing any transactions.

This is an important point that very few in the bitcoin community have bothered to investigate.

Credit card fees are even lower than the 1-1.5% you speculate. As credit companies increased their efficiency with technology they didn't lower the fees, but spent the extra profit on marketing in the form of rewards cards and cashback, which shifts money from retailers to card holders. Since vendors compensate by raising prices, that actually means that they redistribute money from people who pay cash or debit to those who use reward cards. There have been class action lawsuits in Canada and the US over this recently.

In Australia they took an administrative approach and capped interchange fees at 0.5% in 2003 and the result was that rewards cards went away.[1] The credit card companies still made profits.

Meanwhile, real transaction costs in Bitcoin are enormous, but instead of being transparent are currently handled via seigniorage through the currently relatively high inflation of the bitcoin supply (rewards to miners). As that is reduced and finally dries up Bitcoin transactions will require large fees. Either that or miners will exit the business and the whole system will collapse since it isn't designed to handle reductions in difficulty. 50% attacks will be easy to carry out, or trust of central authority will be even more important than it is now with the already tiny number of professional miners controlling the network.

[1] https://en.wikipedia.org/wiki/Interchange_fee#Australia_and_...

Natanael_L
In Bitcoin, when the coinbase reward falls, miners will approximately spend as much on mining as the users spend in fees. So the users collectively decides how much hash power they want to pay for, while miners decide what transactions to prioritize.
Taek
Ask any merchant who has ever received a chargeback for legitimate goods that they shipped for a credit card payment. Bitcoin has no chargebacks, which is great for merchants who are shipping to somebody they've never met on the other side of the world. VISA costs ~2.7% if you never have any customers who issue chargebacks. But if you're an online retailer, you've probably got an entire fraud department beyond just what VISA charges.

And some services (namely adult services and gambling services) can't get any access to digital payments at all. VISA, Paypal, etc. all block them, despite the fact that these services are entirely legal. Bitcoin makes it possible to use these types of services without some central party deciding that supporting an adult cam site is bad for business.

This is also great for the unbanked. If you are in Africa with no local bank, no government id, etc, something like Bitcoin can enable you where no bank would ever trust you.

And Bitcoin is in fact going in the direction of enabling micropayments. There is a huge upgrade to Bitcoin in the works called the lightning network, which means you basically have to make 1-6 starter transactions on-chain, but after that you can make an unlimited number of micropayments around the network for essentially free.

moxious
Not having charge backs doesn't make bitcoin less expensive, it just shifts costs. Good for retailers, bad for customers who can't dispute, or who had their money taken by fraud.

Bitcoin has been around for a number of years now, what do you think is the thing that's preventing it from catching on?

Natanael_L
Bitcoin does support using arbitrators via multisignature transactions
Taek
It has been catching on. The ecosystem has been growing substantially and consistently, even if the price is not keeping up.

http://www.coindesk.com/data/bitcoin-daily-transactions/

amadeuspzs
Terrific visual explanation. Would love to see this extended to explain permissions and smart contract aspects of hyperledger/ethereum.
pizza
(Are/Why aren't) encrypted wallet keys written to & referenced from the blockchain itself?
Natanael_L
Storing the master keys where?

Bitcoin already has brainwallets, password derived private keys.

pizza
Storing the keys into the ledger itself, maybe via the OP_RETURN field. People have stored images in the blockchain, so I imagine you can use it as a persistent decentralized filesystem in theory. Wouldn't you just need a way to chunk your desired keys into 80-byte segments? The initial wallet used to create the transaction is simply for bootstrapping, after that as long as you know which transactions are necessary to fetch the encrypted keys, and you retain the means of decryption, you could reconstitute the blockchain-stored keys necessary to sign further transactions. At that point you could even dispose of the bootstrapping wallet.

Kinda like if you kept a key in one of those banks that let you rent deposit boxes, and you stored another key there. Then you'd have a way to use the expected greater robustness of the bank (blockchain) compared to, say, keeping the key under your mattress.

Natanael_L
Why not just use the existing hierarchical wallets (BIP32) based on a secret you've got somewhere perhaps stored split up using Shamir's Secret Sharing Scheme?
pizza
Interesting. The use-case I was envisioning is an always-accessible but still secure, trust-less cloud wallet.
ianpurton
They could be. But storing data on the blockchain is relatively expensive and a bit clunky.
mrfusion
Can SHA ASICs be put to other uses? Is there value in finding these hashes quickly?
runeks
Not really, no. As the name implies, these ASICs are highly specialized. They take in a half-calculated 512 bit SHA-256 block, and hash it twice.

So unless you need to SHA256 hash something twice at a rate of trillions of hashes per second, there's really no alternative use. But, again, that's the purpose of ASICs: an increase in performance from a decrease in generality.

luvz2code
Very nice demo and explanation of concepts. Thanks.
arc_of_descent
Really nice. Clear and concise.
mthoms
This is extraordinarily well done and begs to be shared widely.

Once blockchain tech is understood by the masses, the sky (moon?) is truly the limit. As this video demonstrates, it's not actually that complicated.

It could be made better (perhaps) by clearly establishing at the beginning what problem the blockchain attempts to solve. Otherwise, this is a phenomenal "blockchain for idiots" introduction that even your grandmother would understand. That's not easy.

grey-area
> This is extraordinarily well done and begs to be shared widely.

Agreed, this is a wonderful demonstration of the interesting principles behind the idea of a blockchain (or a distributed merkle tree). Definitely worth playing with for anyone interested in this, and the video is a nice overview as well.

As far as the moon being the limit, unfortunately we still inhabit the corrupted sublunary sphere, and blockchain technology (at least as implemented in Bitcoin) has some limitations which make it unsuitable as a currency or log of transactions between untrusted parties. On your last point, I'm not really sure people know what problems blockchain solves, because there are no problems which directly map to this solution, and there are plenty of problems it half-solves.

Problems it purports to solve but fails at:

Anonymity - good enough to protect criminals, not good enough to protect citizens against a state

Trustless consensus - 51% attack makes this unreliable, esp. with semi-anonymous actors

Trustless transactions - POW as in bitcoin makes this impractical due to energy use and delays

People want centralised trust in many cases for verified identity, transaction rollback, legal constraints on transactions, so in an important sense it is solving the wrong problems (pseudo-anonymity, fungible cash, sort-of trustless consensus) while leaving important problems untouched.

Still, the video and website are an excellent demonstration of the ideas behind a blockchain or Bitcoin.

colordrops
I'm not sure what you mean in your explanation that it fails at trustless transactions.

Also, you are ignoring the main driving force for the development of bitcoin, that being the removal of the middleman/governments from the transaction.

grey-area
Bitcoin has failed to keep govs out of transactions between individuals because governments impose their will by force.
colordrops
If you are not trying to exchange currency, they can't really impose anything by force. You are talking about a failure of the exchange system, not bitcoin.
mthoms
Those are indeed valid criticisms of Bitcoin. But Bitcoin != blockchain (and vice-versa). There are hundreds of different blockchain implementations. That includes some, for example that will rely on Proof of Stake as opposed to POW. Thus solving the trust and energy problems you mention.

Well at least that's the theory :-) Time will tell.

c0achmcguirk
> Anonymity - good enough to protect criminals, not good enough to protect citizens against a state

If you really want anonymity, bitcoin isn't the only blockchain technology you have. I know you were focusing on bitcoin in your answer, but I feel the need to expand here because blockchain != bitcoin.

> Trustless consensus - 51% attack makes this unreliable, esp. with semi-anonymous actors

51% attack is overblown. The bitcoin miners self-police and are switching pools as they get close to 50%. And the worst thing that could happen with a 51% is a double-spend. Big whoop.

> Trustless transactions - POW as in bitcoin makes this impractical due to energy use and delays

I don't follow you here. Sometimes the block size limit delays a transaction for a bit, but you still get trustless transactions. The bitcoin community is working to address this problem and I am confident this problem will be solved.

grey-area
Anonymity - most people don't need or want it, and those who do need real anonymity, not traceable pseudo-anonymity.

51% attack - consider other uses like a shared ledger between 5 big banks, all of a sudden you just need 3 colluding and your blockchain is broken. Or bitcoin, most of the miners are in China, the state intervenes one day and secretly requires collusion.

POW - 7 transactions a second, minutes to confirm and massive costs for those keeping full copies of the chain are big stumbling blocks to any blockchain based on POW as in the example or bitcoin.

I think it has some fascinating ideas around shared trust, but Blockchains based on POW are fundamentally unsuited to the sort of large networks of transactions they are being proposed for and centralised solutions involving signing or hashing have the same advantages but solve all these problems and others like trust.

Natanael_L
Things like Lightning Network help Bitcoin scale by creating a network of payment channels, where you work with "transaction drafts" shared between various nodes that are updated for every transaction made by the involved parties, and which is frequently "settled" on the blockchain by being published to it in its latest version (followed by creating a new "draft").

This means that only a fraction of all transactions actually need to be visible on the blockchain since LN is a secure way to "keep tabs" on the current coin ownership.

Using multisignature mechanisms and timelocks, this is very secure and abuse resistant.

ajnin
> And the worst thing that could happen with a 51% is a double-spend.

Maybe I misunderstood something, but couldn't someone with 51% of the power rewrite a block at any point in time in the past, and change history? Or even write bogus transactions to the blockchain? This would seem much more serious than double-spend, which in itself is already unacceptable for a monetary transaction system, and not to be brushed off so casually.

sunshinerag
A much more precise list of what can or cannot be done by a 51% attack

https://en.bitcoin.it/wiki/Weaknesses#Attacker_has_a_lot_of_...

c0achmcguirk
> but couldn't someone with 51% of the power rewrite a block at any point in time in the past, and change history.

In order to change history your miners would need to solve blocks much faster than the rest of the network consistently for multiple blocks. Then all the nodes on the bitcoin network would accept the false fork because it was longer.

> Or even write bogus transactions to the blockchain? This would seem much more serious than double-spend

You can't write a transaction without knowing the private key of the address you're transferring from. This is true whether there's a 51% attack or not. So you can't just write any old transaction to the blockchain. The rest of the network would reject the block with bad transactions in it.

The big problem is buying something with bitcoin and receiving the purchased good--this transaction goes in Fork A. Then the attacker would start the 51% attack and create another fork--Fork B--which competes with Fork A. In Fork B the attacker writes another transaction in which she sends the coins back to a wallet she controls.

Then the attacker must continue to solve blocks at a faster rate than the rest of the network is solving it....AND before the rest of the bitcoin network notices what is going on. This is no small feat.

> and not to be brushed off so casually

It's not brushed off casually. The 51% attack is brought up a lot in the cryptocurrency community. But it really isn't feasible on closer examination.

In bitcoin it hasn't been a big deal because everyone is aware of the potential and self-polices.

SkyMarshal
>And the worst thing that could happen with a 51% is a double-spend. Big whoop.

That was the #1 problem that Bitcoin/blockchain solved. If it fails at that it calls into question the whole endeavor more so than any other possible problem could.

c0achmcguirk
And yet it hasn't failed to solve that. It's only a problem in theory. It requires hand-waving and speculation and then, in practice, it could be a problem.

If you're worried about a double-spend, wait for 6 confirmations. Or wait for 10 if you really want to be vigilant.

The 51% is one of the most successful FUD campaigns I've seen since Microsoft called the GPL a virus.

falcolas
All it would take is a state actor to decide to break that 51% mark, and bitcoin would crash. I wouldn't be terribly surprised if the US (specifically, the FBI or CIA) isn't poised to do just that if they feel it necessary.

An "accepted" blockchain where all of the funds are diverted to their own wallet even for a day would be enough for all of the speculation that provides bitcoins with value to fall apart. Who would want to invest in a product when it can demonstrably be devalued?

Natanael_L
You can't steal money with a 51% attack, only take back your own. You also can't force a rule change / hard fork.
grey-area
Can't you double spend? You might not be stealing money, but you'd be stealing goods/services by using money twice. If so you're being really disingenuous saying you can't steal money.

Also, it doesn't really take 51%, that's an arbitrary figure, it depends on how many confirmations your adversary is using, and is just a probability, so 40% would probably do in some cases, there is no magical threshold of 51%.

Glad you brought up rule changes, as that's another area where a small group or groups can control blockchains, giving the lie to the idea of a completely distributed consensus - in practice the rules are only as distributed as those willing and able to develop clients (which is a very small group), so that small group have de-facto control of the network.

c0achmcguirk
The state actor in your scenario can't steal anyone's money. They can only create transactions for addresses they control with a private key.

If you listed everything that would need to happen to cause a 51% attack to be successful, along with the odds that this could happen, you'd see that it has zero chance to succeed.

(I'm using some quick back-of-the-napkin odds to calculate the feasibility that this is even possible...)

- Build large mining network under control of state actor that matches the hashing power of the entire network (5% chance this is possible)

- Bad state actor buys something with bitcoin. (100% possible)

- Bad state actor receives the good within 3 blocks or 30 minutes. (5% chance they receive this in time)

- Bad state actor starts building bad blocks with alternate transaction redirecting the BTC into their own wallet. (1% chance)

- Bad state actor solves 3 (3 blocks back to the original transaction) + 2 blocks (to make this a longer blockchain than the good blockchain) faster than the rest of the network. (3.5% chance if they have over 50% of the hashing power)

- Bad state actor did all of this without the rest of the bitcoin network noticing and routing around the state actor (10% chance)

So you have something like 5% X 100% X 5% X 1% X 3.5% X 10% => 0.00000875% chance that this is possible.

Granted, I'm taking a guess at the odds of most of the numbers, but I don't think I'm that far off. The bitcoin network is currently operating at over 3 million TH/s. [1].

To set up another network with that same hashing power would cost at least $2 billion dollars, if not more.

You could buy 250,000 AntMiner S9s (if you could even purchase that many without anyone knowing and to avoid availability problems) for about $500 million.

Then you'd have to set up a place that could hold that many miners. Okay so get a warehouse wired up and properly cooled for another $100 million.

Then electricity is about 1350 watts per miner, requiring a $200 power supply. So add another $50 million just for power supplies....but let's say you wire it up custom, so I'll knock that down to $25 million.

We need 337.5 million watts of power to run our miners. At 10 cents per KW/h, the electric bill will be around $24.3 million a month--just to run the miners. Round that up a bit to power the rest of the electricity, run the UPS and backups, the computers for the staff, and let's say the monthly electricity cost would be about $35 million a month...which is $420 million a year.

Back to the staff, you'd probably need 500 people to maintain such a big operation, minimum. If each state actor employee received about $100k/year in salary, the personnel costs are about $50 million/year.

Now multiply all this by two because you would never set up an operation like this without building in redundancy. This comes to about $2.2 billion for a year of operations.

$2.2 billion to have a 0.00000875% chance at a double spend or to reject some transactions from making it to the blockchain. You'd be insane to approve this project.

But let's say the bad state actor is able to pull off this feat. Then the bitcoin miners do a hard fork and just route around the bad state actor the next day. Everything picks up again where it left off on Monday.

- [1] https://blockchain.info/charts/hash-rate

kordless
Actually, it would take an irrational state actor to attempt this and even then they might only be able to forge a few transactions before a fork was called. A hard fork is not assured to "crash" Bitcoin, so please don't present this as a foregone conclusion.
SkyMarshal
Or a state actor that is rational given certain externalities. Just because Bitcoin is expensive to attack does not mean it's irrational under all possible circumstances to attack it. War is expensive too, but it happens. This is the fundamental problem when ledger security depends in part on economic incentives.
kordless
I think you might be missing the issue around rationality, as it causes actors to do things that are predictable within a certain probability...and cost. An irrational actor does things for irrational reasons and as such does not consider cost or results an intent.
nileshtrivedi
It doesn't explain either how the money is created in the first place or how actual resolution happens when coming across a block which differs from others' copies. Do I need to ping all the peers?
DennisP
When a block is found, the miner who found it is rewarded with newly minted bitcoins.

As a miner, you create your own block from the transactions you see. Every miner makes its own blocks.

This means sometimes two miners will find a block at about the same time, and they'll be different. Other miners will have to choose one or the other as the predecessor for their own blocks, and before long one of the candidate blocks will have another block on top of it.

Everybody considers the fork with the most accumulated difficulty to be the valid fork.

CydeWeys
Unfortunately it didn't explain this correctly, and this is the most important part of Bitcoin, as well as its biggest innovation.

The longest chain always wins. And since valid block hashes are very hard to find, the longest chain is the one that has the most mining effort behind it. This is why mining is essential to securing the blockchain. In order to make a fake chain of any appreciable length, you would need to have >50% of the total hashing power of the blockchain. And if you have that much power, then whatever you say is the right chain is the right chain, because you can mine more blocks than anyone else and so yours is right by virtue of being longest.

The video incorrectly implies that there is some sort of voting mechanism going on wherein the version of the chain with the most copies is correct, but this is incorrect, and would be horribly broken. The P2P network exists only to communicate transactions and blocks; it does not factor in to which version of a chain is considered valid (the longest one always wins). If the P2P network were used for this, then it would be trivial to take over Bitcoin using a Sybil attack, by e.g. hiring a botnet to run millions of fake nodes with your preferred version of the chain. With mining and validity determination by longest length, that doesn't even put a dent in Bitcoin, as even a million general purpose commodity computers can't get anywhere close to matching a small percentage of the overall hashing power of the miners.

Natanael_L
Actually length doesn't decide, but rather total accumulated hashing power.

This is because Bitcoin changes the difficulty per block over time to keep the time between blocks close to 10 minutes.

This means that two chains can be equally long but have different amounts of accumulated difficulty. It even means that long blockchains can have low amounts of accumulated difficulty.

But for short periods of time, less than ~2 weeks as it is for Bitcoin, the difficulty will not yet have changed and thus length = total difficulty for SHORT forks.
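The distinction between chain length and accumulated difficulty in the comment above, as an added example that is not part of the thread. It is a simplified model: each block is represented only by its target, work per block is taken as the expected number of hashes needed to meet that target, and the names and sample targets are constructed for illustration.

```python
MAX_HASH = 2 ** 256  # size of the SHA-256 output space


def block_work(target: int) -> int:
    """Expected number of hashes needed to find a block hash <= target."""
    if not 0 <= target < MAX_HASH:
        raise ValueError("target must fit in 256 bits")
    return MAX_HASH // (target + 1)


def chain_work(targets) -> int:
    """Accumulated work of a fork, given the target of each of its blocks."""
    return sum(block_work(t) for t in targets)


def prefer(current, candidate):
    """Fork a node keeps: it switches only for strictly more accumulated
    work, so a tie leaves the fork it already has in place."""
    if chain_work(candidate) > chain_work(current):
        return candidate
    return current


# Constructed sample targets: a lower target means a harder block.
EASY_TARGET = 2 ** 240 - 1   # about 2**16 expected hashes per block
HARD_TARGET = 2 ** 236 - 1   # about 2**20 expected hashes per block

LONG_EASY_FORK = [EASY_TARGET] * 8    # 8 blocks, low difficulty
SHORT_HARD_FORK = [HARD_TARGET] * 3   # 3 blocks, 16x the difficulty

if __name__ == "__main__":
    for name, fork in (("long/easy", LONG_EASY_FORK),
                       ("short/hard", SHORT_HARD_FORK)):
        print(f"{name:10s} length={len(fork)} work={chain_work(fork)}")
    winner = prefer(LONG_EASY_FORK, SHORT_HARD_FORK)
    print("node keeps the fork of length", len(winner))
```

When every block in both forks has the same target, `chain_work` is proportional to length, which is the short-fork case where "longest chain" and "most work" agree.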

eecks
Two things stood out for me: How is a signature picked? (he says four 0s at the start). He also says Bob can't give Alice 4 dollars out of thin air right after giving Anders 100 dollars out of thin air.
POiNTx
This is my understanding of it.

How is a signature picked: This is arbitrary but should be a fixed sequence that you define beforehand. It could start with 'abcd' as long as you decide on that sequence. In the example (and for bitcoin also) it is decided that the hashes should start with a specific number of zeros.

He also says Bob can't give Alice 4 dollars out of thin air right after giving Anders 100 dollars out of thin air: Anders gets 100 dollars out of thin air because he mined (calculated the hash with the specific starting sequence). This is the reward Anders gets. Looking for a specific hash such as a hash starting with a certain number of 0's is very computationally intensive work. That's why he gets the reward.

Hashing is fast for a computer to calculate one way (go from a piece of data -> a hash) but very difficult and as such slow for a computer to calculate it in reverse (go from a hash to the original piece of data for which the hash was generated).

Taek
These come down to the specific rules of the Bitcoin blockchain. Today in Bitcoin, if you mine a block, you get 12.5 bitcoins out of thin air. The network allows you to have this money as a reward for finding the block.

That is the only way to get money out of thin air. And because blocks are hard to create, money is hard to create. All other money comes from people sending it to each other.

For the signature question, we need to differentiate between two types of signatures. The first is the block signature, which is defined by having a bunch of leading zeroes. The second is an ECDSA signature, which is your more traditional cryptographic signature with a public key and a private key.

When coins are mined out of nowhere, they get assigned to a public key. I'm oversimplifying a little bit, but this is sufficient to understand. To spend coins from that public key, you need to sign a transaction saying something like "I send X coins to person A". This message is signed with the secret key that corresponds to the public key that owns the coins.

The really important part about the blockchain is that it prevents you from spending the same coins twice. So, if you only have 12.5 bitcoins, you can't send 12.5 to Alice and then send the same 12.5 to Bob. You can create signed messages that claim both. Without a blockchain, it's impossible to tell which one is valid, because it's impossible to know which one came first.

But that's the magic of the blockchain. It's a history of transactions. If you try to spend the same money twice in the blockchain, we can very easily see that you've spent it twice. We also know which one is the valid original one, because it will be first in the blockchain. So we know to accept the transaction that's first in the blockchain, and to ignore the second one. (note, in Bitcoin, it's actually illegal to have two conflicting transactions in the same blockchain. The second transaction will never be included into a block at all).

And, as described early in the video, this history is very hard to re-write. If you decide one day later in Bitcoin that you want to actually undo your spend to Bob and instead spend that money back to yourself, you will have to outcompete all of the mining that happened over the past 24 hours to re-write the blockchain. Given that 'all of the mining' is hundreds of millions of dollars of hardware working non-stop, you will not be able to re-write the blockchain.
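The "four zeros" rule and the cost of rewriting history described in the two replies above, as an added example that is not part of the thread and not the demo's own code. The block layout, field separator and function names are assumptions, and the ledger entries are constructed sample data.

```python
import hashlib

PREFIX = "0000"      # a block counts as mined when its hash starts with this
GENESIS_PREV = "0" * 64


def block_hash(index, nonce, data, prev_hash):
    payload = f"{index}|{nonce}|{data}|{prev_hash}".encode()
    return hashlib.sha256(payload).hexdigest()


def mine(index, data, prev_hash, max_nonce=5_000_000):
    """Try nonces until the hash meets the prefix rule (about 65,536 tries
    on average for four hex zeros)."""
    for nonce in range(max_nonce):
        digest = block_hash(index, nonce, data, prev_hash)
        if digest.startswith(PREFIX):
            return {"index": index, "nonce": nonce, "data": data,
                    "prev": prev_hash, "hash": digest}
    raise RuntimeError("no nonce found within max_nonce")


def build_chain(entries):
    chain, prev = [], GENESIS_PREV
    for index, data in enumerate(entries, start=1):
        block = mine(index, data, prev)
        chain.append(block)
        prev = block["hash"]
    return chain


def first_invalid_block(chain):
    """Index of the first block that fails verification, or None."""
    prev = GENESIS_PREV
    for block in chain:
        digest = block_hash(block["index"], block["nonce"],
                            block["data"], block["prev"])
        if (block["prev"] != prev or digest != block["hash"]
                or not digest.startswith(PREFIX)):
            return block["index"]
        prev = block["hash"]
    return None


def remine(chain, position):
    """Redo the work for one block in place, keeping its current data."""
    old = chain[position]
    chain[position] = mine(old["index"], old["data"], old["prev"])


if __name__ == "__main__":
    ledger = build_chain(["coinbase -> Anders 100",
                          "Anders -> Bob 25",
                          "Bob -> Alice 4"])
    print("fresh chain invalid at:", first_invalid_block(ledger))
    ledger[1]["data"] = "Anders -> Bob 5"        # edit history
    print("after edit invalid at:", first_invalid_block(ledger))
    remine(ledger, 1)                            # redo block 2's work
    print("after re-mining block 2 invalid at:", first_invalid_block(ledger))
```

Verification costs one hash per block, while every edited block and every block after it has to be mined again, which is the asymmetry the replies rely on.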

kriro
Just computing hashes seems a bit of a "waste" but given that this mining exists...does it essentially provide a market cap for renting GPU calculations for say deep learning? If I offer 13 coins for the estimated GPU usage it takes to mine a block, rational miners should switch over and let me rent their GPU farms, right (ignoring other costs for argument's sake)?

Is there something like Amazon p2s that mine bitcoin and show a running cost (x/h) where I could just bid >x/h and rent it for a while to do my calculations and when I "shutdown the instance" it goes back to mining?

The mega farms are built around scale and cheapest electricity usually. Wouldn't it make sense for them to slap a "rent our servers for deep learning" on top? They know really well how much expected value they generate from the mining (with variance due to the BTC price swings) so they could charge a bit more (or 2x...depends on how well known the margins are) to let anyone rent the calculation for other stuff...then return to default-mining once the rented calculations are done.

Natanael_L
People use custom silicon, ASIC:s, designed to only run SHA256 mining. Almost nobody uses GPU:s.

There also are so-called multipools that tell their miner clients to mine on whatever blockchain is currently most profitable. I can imagine merging this with a paid version of BOINC.

That would only be used by the "GPU coin miners", those in blockchains using ASIC resistant PoW like scrypt instead of SHA256.

daveguy
Why is scrypt ASIC resistant? If it is an algorithm hardware can be designed to implement the algorithm, right? It took a few years for people to start making bitcoin ASICs, but it happened. What would prevent the same for scrypt given enough financial incentive?
Natanael_L
Because it requires expensive components (lots of RAM) and doesn't significantly outperform a regular CPU / GPU.
Taek
Another hot topic. Many experts believe that ASIC resistance is a futile endeavor for the reasons you listed. But designing a worthwhile SHA ASIC is certainly a lot easier/cheaper than designing a worthwhile scrypt ASIC. Worth noting, there are actually scrypt ASICs already, for litecoin and dogecoin at least.

Ethereum and Zcash both tried to make asic resistant hashing algorithms. So far they have held up. Ethereum has a hardfork history though and also is trying to move to PoS. Given the cost of developing asics, I'm guessing most manufacturers aren't willing to risk that ethereum could just hardfork to invalidate the hardware, destroying the investment.

We will see, but I'm guessing the Zcash algo will see asics within 2 years if the coin sees successful adoption.

samlewis
So, all the miners race to mine the block but only the winner gets the 12.5 btc reward? Does that mean if you're a Joe Bloggs Bitcoin enthusiast, you'll never be able to get any reward if you only ever mine on your low key laptop setup?
TD-Linux
Mining is not a race - in fact, the mining being progress-free is a really important part of PoW. If you have a low power setup, you have a very small chance of winning the reward, but it's proportional to your power over the total network power.

There's unfortunately some things that make it a bit of a race - network latency and block verification time. That's why there's so much work spent on shrinking these (the FIBRE network, libsecp256k1)

Taek
Laptops are useless for mining, yes. You'd need to spend something like $1000 on electricity for every $1 of Bitcoins earned on a laptop. Not to mention machine wear and failure.

If you want to mine Bitcoins, you need a bunch of advantages. Special hardware, cheap space, low electricity cost, bulk manufacturing deals. Otherwise you probably aren't going to be breaking even, let alone profiting.

jacobwg
Yes, and that's why there are mining pools, where Joe Bloggs connects his computer to a pool of other similarly underpowered computers to perform the complex calculations required to mine a block in a distributed fashion. Then when a block is mined, the pool owner acquires the 12.5 btc reward and distributes it to all the pool participants based on how much computation power/time each participant contributed to the overall pool, keeping a small bit for themselves for the overhead of managing the pool. Obviously you have to trust your pool operator.

Also at this point in the BTC world, the difficulty has become so high that Joe Bloggs will never acquire any meaningful amount of BTC, even in a pool. There are specialized arrays of GPUs that can perform calculations at rates much higher than any standard PC or laptop. The same principles apply to any other bitcoin-like blockchain currency though.

nileshtrivedi
Not unlike setting up a gold mine to "create" money.
JohnKacz
> It could be made better (perhaps) by clearly establishing at the beginning what problem the blockchain attempts to solve.

What would you say that is? Real question.

bshanks
The purpose of the blockchain is to be a shared append-only data structure. There are a number of nodes who have copies of what is supposed to be exactly the same data (but see below). The nodes are all constantly telling each other what they believe to be the most up-to-date version of the data. The purpose of the blockchain is to support a consensus-finding algorithm by which the nodes may start out disagreeing on the contents of the most recent few blocks in the log, but eventually converge to a consensus, at least for relatively old blocks.

This convergence occurs even if some of the nodes are evil or faulty or out-of-touch, provided that these bad nodes control less than 50% of the total computing power of all of the nodes.

SkyMarshal
>Once blockchain tech is understood by the masses, the sky (moon?) is truly the limit.

Not really. Security via economic incentives is still shaky. Bitcoin community is split, and Ethereum is still working out the kinks and has a high-risk move to PoS coming up soon. The tech is not remotely mature yet, and blockchain being better understood by the masses will have zero effect on that.

_coldfire
>Bitcoin community is split

Yet not even the advent of quantum computing with today's algorithms could undo a few hours of the Bitcoin blockchain.

A bit too much credence is given to people arguing on the internet rather than the raw state of things. The sheer computing power of bitcoin is a marvel of the modern world.

For all its problems I would say it has a long way to go yet unless the world solves the reality of a borderless economy.

SkyMarshal
True, Bitcoin's historical ledger is pretty durable. The community split is more about its future. And I'm not referring to people arguing on internet forums, but about the split between Bitcoin's core developers and its biggest miner. One day such discord may actually be a good thing, but right now it is hindering basic fixes from being implemented.
HN Theater is an independent project and is not operated by Y Combinator or any of the video hosting platforms linked to on this site.