### Course: Finance and capital markets>Unit 8

Lesson 8: Bitcoin

# Bitcoin: Proof of work

An explanation of cryptographic proof-of-work protocols, which are used in various cryptographic applications and in bitcoin mining. Created by Zulfikar Ramzan.

## Want to join the conversation?

• I am confused about how applying this scaling to bitcoin results in the difficulty changes seen in the wild. As near as I can tell, the 'number of leading zeroes' approach to scaling the work necessarily translates into the work increasing or decreasing by powers of two. Is this not true? While I am not a miner, I had the impression that the difficulty scaling was much finer-grained than simple powers of two. What am I missing?
• Yes, this also confused me at first. Just mentioning the number of leading bits is good for illustrative purposes, but is also a simplification.
The trick (and the way I think it is done in Bitcoin) is to look at the hash as a number in binary notation. Then we can say that this number has to be smaller than some limit, instead of just having a minimum of leading zeroes. Doing this is a lot more fine-grained.
• What is the challenge string in Bitcoin? Also, does it really use the 'leading number of 0s' as its proof of work?
• The challenge string is a hashing together of all the transactions in the block and a few other things like the timestamp, the block number, and a link to the previous block. The miner then needs to put the challenge string and the proof string, known as the nonce, into the hashing algorithm SHA-256, and get a string with a certain number of leading zeroes. Numerically, you can think of it as the output having to be less than a certain value.
• Does a website exist where the current target for POW from difficulty or bits can be calculated?
• Good stuff. This is way too confusing still. Will there ever be a video on the step-by-step basics? The basic questions I am talking about are these:

Alice Vka sends Bob VKb 50. Got it.

Only 1 transaction must be made, no matter how big your account is. Let's say Alice has 10,000 bitcoin.
She would have to send 50 bitcoin to Bob and 9950 back to herself?

Where is the bitcoin miner price listed?
Is there a section where you could type it in?
I.e. bitcoin miner fee ____

What about the rest of the transaction... Alice will not send Bob bitcoins for free... Will Bob send a product back to Alice?

What if many people, Jay, Alice, John, send Bob 50 bitcoin? How does Bob know Alice sent the bitcoin and not John? So Bob knows where to send the product.

Could you please go over the very basics? Not what it is, but the process in a transaction? Thanks.
• Thanks for the great video. I have two questions that I couldn't figure out:
1) How can double spending be bypassed? Suppose the attacker has more CPU power than the honest nodes; he will generate a blockchain that is not the same as the other nodes' blockchain. It's supposed to be easily detected? (For example, the attacker changed the ledger by generating a block that is 4 blocks before the last block and continued redoing the rest.) Even though he did a proof of work, the blockchain generated and broadcast will not be the same as the blockchain stored on honest nodes' computers. So how can double spending be bypassed? Isn't it supposed to lead to inconsistency between the attacker's generated blockchain and the others' ones?

Also, 2) how is the longest chain identified?
(1 vote)
• To have more CPU power than honest nodes, an attacker must spend tens of millions of dollars. That's the amount of capital currently invested into mining equipment. You won't do that to fraudulently buy a TV set. If you try to use that power to play against the rules, Bitcoin's value will crash to zero, and you will have nothing to double-spend. If, however, you use that power to honestly compete with other miners for block rewards, you will receive $millions in rewards and maybe even recoup your investment. In addition, Bitcoin will become more resistant to attacks and arguably more valuable, so you earn twice. So the system of economic incentives in Bitcoin strongly encourages playing by the rules. However, it is possible that the attacker does not care about economic gain, and just wants to destroy Bitcoin. It can be a nation state, or a large company for example. This is one of the known weaknesses of Bitcoin.
• I have a basic question in regard to the Bitcoin ecosystem. It is very decentralized, but it seems that some entity is doing administrative work, such as making the challenges for the nodes, updating the challenges, distributing the challenges, etc. Who is doing these activities?
• That, too, is decentralized. The challenge string is created by the miner, and it is the result of hashing together all of the transactions in the block, a reference to the previous block, the timestamp, the node version the miner is using, and a few other things. Everyone involved knows exactly how to find what the challenge string is, and everyone can easily verify that all the rules are followed.
(1 vote)
• Hi, I understand the value of proof of work while there are still bitcoin to be mined, but once all bitcoin are mined, would it not be more useful to have bitcoin as a global currency that does not require a large amount of effort to be validated by nodes for every transaction? Therefore almost nullifying transaction fees and the need for miners?
• The proof of work is there to make sure that the network is secure against double-spend attacks. That threat will exist whether or not there are still bitcoin to mine.
• I have a question about the verification of proof of work. If I understand correctly, the result of the PoW is the p (proof response), and it is easily verified by putting it as input together with the c (challenge) into the hash function and making sure you get an acceptable result. To make this happen, the one who wants to show his PoW must show the p. That means that the one who wants to verify the PoW will get the p. If p is the PoW, then the verifier will have the PoW without putting in the work. If this is true, someone wanting to make a blockchain can just ask for all the p's in the chain and make a new false one without most of the work. There must be a function no one talks about that prohibits this, but I have not seen it anywhere. What am I missing?
(1 vote)
• I think that you are missing the fact that the PoW not only needs as an input a p but also a message. The p will only give PoW for that input message.

In blockchains this means that if you get someone else's p, then you can only use it to spread the block that he used to create his p with, since the p will be invalid for other blocks. And since the reward is part of the block, you can only use his p to spread a block that will send the reward to his address of choosing.
(1 vote)
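Two of the answers above can be checked directly: that comparing the hash to a numeric limit gives finer difficulty steps than counting leading zero bits, and that a proof p is only valid for the message it was mined on. The Python below is an added example, not code from the video or from the commenters. It assumes a simplified scheme (a single SHA-256 over the challenge followed by an 8-byte nonce) and uses constructed challenge strings, not Bitcoin's real block header layout.

```python
import hashlib

HASH_BITS = 256  # SHA-256 output size

def pow_value(challenge: bytes, nonce: int) -> int:
    """SHA-256(challenge || nonce), read as one big-endian integer."""
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big")

def verify(challenge: bytes, nonce: int, target: int) -> bool:
    """One hash: the proof is valid only if the hash value is below the target."""
    return pow_value(challenge, nonce) < target

def mine(challenge: bytes, target: int, max_tries: int = 1 << 24) -> int:
    """Brute-force search: try nonces until one verifies."""
    for nonce in range(max_tries):
        if verify(challenge, nonce, target):
            return nonce
    raise RuntimeError("no proof found within max_tries")

def leading_zero_target(k: int) -> int:
    """'First k bits are zero' is the same test as 'value < 2**(256 - k)'."""
    return 1 << (HASH_BITS - k)

def expected_tries(target: int) -> float:
    """Each guess succeeds with probability target / 2**256."""
    return (1 << HASH_BITS) / target

def demo() -> dict:
    # Constructed challenge strings; not Bitcoin's real block header layout.
    block_a = b"prev=00ab|txs=alice->bob:50|reward->miner_a"
    block_b = b"prev=00ab|txs=alice->bob:50|reward->copycat"
    coarse = leading_zero_target(18)   # 18 leading zero bits
    fine = coarse * 3 // 4             # a limit between 18 and 19 zero bits
    nonce = mine(block_a, fine)
    return {
        "nonce": nonce,
        "tries_coarse": expected_tries(coarse),
        "tries_fine": expected_tries(fine),
        "valid_for_a": verify(block_a, nonce, fine),
        "valid_for_b": verify(block_b, nonce, fine),  # replayed proof
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `fine` target makes the work about 1.33 times that of 18 leading zero bits, a step that counting zero bits alone cannot express, and the nonce mined for `block_a` fails verification when replayed against `block_b`.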
• Why do we want the first 40 bits to be zeros?
(1 vote)
• Because that is hard to do and would require a lot of guesses. Also note that 40 is an arbitrary number; in Bitcoin this number changes depending on the desired difficulty.
(1 vote)
• Why do miners need to provide a proof of work? What if a miner provides an acceptable proof of work without actually verifying the transactions?
(1 vote)