... the one to generate the random number, how is it protected from us to know it, what makes that random number itself tamper-proof? Is the whole network contributing to the random number?

All right, so the nonce, the random number, is calculated independently billions and billions and billions of times per second by each mining hardware system. So when a miner is mining, what they're doing essentially is coordinating over the network a very large number of mining computers, and these mining computers are calculating billions of nonces per second. And there's nothing manual about this, by the way. When we say a miner is mining, or a nonce is being calculated, there's no one sitting there doing a calculation or validating transactions or clicking a proof. These are completely automated, unattended operations, where computers calculate billions of nonces per second.

So what is the purpose of the nonce? The nonce is simply a random number, and it's a very large random number. The space for a nonce is bits, which gives billion possible combinations, but there's also some extra space in the block which is called the extra nonce, and the extra nonce really allows you to expand that to much more than bits, so you can try many, many, many, many billions upon billions of combinations. You're gonna hear me say billions and billions again and again in this talk, because these numbers are truly very, very large.

So the purpose of the nonce is to plug it into the block header, in the specific location in the block header that is for the nonce, and then calculate a new block header hash. And when you put the header information plus the nonce into the hashing algorithm, you'll get a hash: a number will pop out. It's a bit number. Now, that number has to start with a lot of zeros; if it doesn't, you try again with another nonce. So the only part of the header you can change is the nonce.

So when the miner is mining, what they're doing is they're constructing a block. They're putting all of the transactions and the other information into the header, the timestamp, etc., etc., and then once they've got that header, they plug in a nonce, any nonce, let's say the number one, and then they calculate the header hash and they look to see if it matches this special pattern, which is that it starts with a lot of zeros. And the chances of it starting with a zero, well, they get lower the more zeros you expect to find at the beginning of the number. But in the beginning, let's say you're looking just for one bit to be zero; then about half the hashes you produce will have a zero bit in the beginning, and half the hashes will have a one. If you want two zeros in the beginning, then it's a one in four chance. If you want three zeros in the beginning, then it's a one in eight chance. If you want four zero bits in the beginning, then it's a one in chance. And by the time you get to the numbers we see with blocks today, we're looking at about a one in five septillion chance of you having that many zeros at the beginning of the block.

And how do you find the one in several septillion chance? Well, you try a septillion times per second, and you do that by trying as many possible different nonces with a header you've constructed. One of the miners is going to be lucky: in one of those attempts they will find a nonce that, when fitted into the block that they've constructed as a candidate, will produce a header that has this many bits of zeros in the beginning, that matches, as the pattern matches the difficulty required by the network, and that is a winning block, that is a valid block. And as soon as they've found that, they can then announce this random number.

So the random number isn't tamper-proof, it's not secret, and the mining pool doesn't pick this random number. Every mining machine out there is trying billions of these random numbers every second, and they discard all of the results until they find one random number that produces a hash that has this particular property: it starts with a lot of zeros.
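The mining loop described above, as an added example that is not part of the talk: a toy Python miner that plugs successive nonces into a constructed block header, hashes the header with SHA-256 twice (Bitcoin's actual header hash), and keeps the first nonce whose hash has at least the required number of leading zero bits, so each extra bit halves the odds. The header field values, the 16-bit toy difficulty and the `HEADER_PREFIX` name are assumptions for the demo, not a real block.

```python
import hashlib
import struct

# Constructed 76-byte header prefix (version, previous block hash, merkle root,
# timestamp, encoded target); the 4-byte nonce is appended during mining.
# All values are placeholders for the demo, not taken from a real block.
HEADER_PREFIX = (
    struct.pack("<I", 1)             # version
    + b"\x11" * 32                   # previous block hash (constructed)
    + b"\x22" * 32                   # merkle root (constructed)
    + struct.pack("<I", 1700000000)  # timestamp
    + struct.pack("<I", 0x1D00FFFF)  # encoded target ("bits" field)
)

def header_hash(header_prefix: bytes, nonce: int) -> bytes:
    """Bitcoin's block hash: SHA-256 applied twice to the 80-byte header."""
    header = header_prefix + struct.pack("<I", nonce)  # nonce is the only field we change
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()

def leading_zero_bits(digest: bytes) -> int:
    """Leading zero bits of the hash read the way Bitcoin compares it to the
    target: as a little-endian 256-bit integer."""
    return 256 - int.from_bytes(digest, "little").bit_length()

def expected_attempts(difficulty_bits: int) -> int:
    """Each additional required zero bit halves the chance: one in 2**n."""
    return 2 ** difficulty_bits

def mine(header_prefix: bytes, difficulty_bits: int, max_nonce: int = 2 ** 32):
    """Try nonces 0, 1, 2, ... until the header hash has enough leading zero bits.
    Returns (nonce, digest, attempts), or None if the 32-bit nonce space runs out
    (a real miner would then change the extra nonce and keep going)."""
    for nonce in range(max_nonce):
        digest = header_hash(header_prefix, nonce)
        if leading_zero_bits(digest) >= difficulty_bits:
            return nonce, digest, nonce + 1
    return None

def verify(header_prefix: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking an announced nonce costs one hash; finding it cost ~2**n."""
    return leading_zero_bits(header_hash(header_prefix, nonce)) >= difficulty_bits

if __name__ == "__main__":
    bits = 16  # toy difficulty: expect roughly 2**16 = 65536 attempts
    nonce, digest, attempts = mine(HEADER_PREFIX, bits)
    print(f"nonce={nonce} attempts={attempts} expected~{expected_attempts(bits)}")
    print("hash (displayed byte-reversed, as block explorers do):", digest[::-1].hex())
    print("valid:", verify(HEADER_PREFIX, nonce, bits))
```

Raising `bits` by one roughly doubles the attempt count; real network difficulty requires far more leading zero bits than a single Python process can search.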
Heceta asks: is it possible to develop an algorithm for guessing a nonce which will fast-track solving the Bitcoin challenge by a miner? Could that be related to the recent shattering of sha-?

Yes, that's an excellent question, Oh Sita. In fact, yes, there is the possibility of creating a shortcut that allows you to predict the value that is required in a nonce in order to produce proof of work of a specific target. That would involve breaking, shattering if you like, sha-. sha- was recently shattered, as the popular expression goes, meaning that the sha- cryptographic algorithm, cryptographic hashing algorithm sorry, has been compromised in such a way that you can create a collision. That means that you can produce a specific pre-image to the cryptographic hash algorithm which will result in a desired hash as its output. That ability to produce a desired hash from a pre-image that is identical perhaps to another, to the fingerprint of another pre-image, a collision as it's called, is a fatal flaw. And if you discover a fatal flaw in an algorithm, as has been discovered in sha-, then that algorithm is no longer suitable as a cryptographic hash algorithm. You cannot use it for the purpose of fingerprinting documents, cannot use it for the purpose of, for example, fingerprinting digital keys, certificates, SSL cryptographic keys, and the integrity of messages that are validated through cryptographic hash algorithms. And sha- can no longer be used for those purposes, because it has been fatally compromised.

However, Bitcoin mining uses sha-. sha- is enormously more complicated to compromise. So every cryptographic algorithm has a certain shelf life, on average to years before a cryptographic algorithm can no longer be considered secure. Depending on the cryptographic algorithm, the shelf life, if you like, for that algorithm may be greater or lesser. Some have weaknesses that are discovered which shorten the shelf life, make it easier to find a shortcut to compromise. Most cryptographic algorithms are based on some kind of trapdoor function, a mathematical function that has no shortcut, where the amount of computation required to go one way through the algorithm versus to go the opposite way is immense. And as long as you can't find the shortcuts, that algorithm is secure to a certain amount of computation. If there is no shortcut, sha- will continue to be secure for decades and decades longer. If a compromise is found, or some kind of shortcut, that doesn't mean it's fatal; it doesn't necessarily immediately invalidate the algorithm. It may weaken it by a certain percentage, so it may make it twice as hard, sorry, twice as easy to find a suitable hash, or maybe four times as easy to find this usable hash, and that would certainly, by weakening the algorithm, shorten its shelf life, because as computing power continues to develop, that means that at some point it would be viable to break the algorithm, essentially.

Now, so far there is no shortcut that has been discovered for sha-, and one of the reasons we know that is because Bitcoin represents effectively a giant global piñata stuffed with fifteen billion dollars, that if you bash with the right shortcuts for sha- you can break it open and collect fifteen billion dollars, or you can collect some percentage of that before the value collapses catastrophically by breaking the piñata. Essentially it's a honeypot. Bitcoin represents a global test that tells us that sha- is secure. How do you know sha- is secure? Bitcoin is worth fifteen billion and no one's cracked it yet.

Now, at some point it may become obvious that sha- is no longer secure, or it's reaching the end of its life, or we find new vectors that perhaps in a decade or a longer period of time may make it insecure. At that point the Bitcoin developers, in collaboration with the rest of the community, would have to work to modify the proof-of-work algorithm and replace it with a more modern algorithm, and certainly that would be a very big undertaking. So that's how we know that there is no shortcut to sha-, and if Bitcoin was using sha- then some miner out there today would have been able to break it, and very quickly every miner out there would have been able to break it, at which point it's no longer useful as a mining algorithm.

Isn't Bitcoin quite an incentive for the development of the quantum computer? I mean, being a possible threat to the network security, doesn't this accelerate the race towards it? Do you think miners think about this at all?

Great question.
Um, Bitcoin is a honeypot, effectively. It provides a bounty for anyone who produces any type of technology, whether it's a sha- collision that we were talking about before, whether it's a quantum computing shortcut to sha or to elliptic curve digital signature algorithms, that may result in being able to compromise some or part of Bitcoin or being able to weaken Bitcoin. Certainly that provides an incentive. So you can think of Bitcoin as a test. Bitcoin tells us sha- is secure, ECDSA is secure today from any and all threats, and how do we know that? It's because it continues to maintain security over billion dollars; therefore we can assume that these technologies have not been compromised yet. Does it accelerate the development of these things? Probably, although I think most of the really interesting developments in quantum computing can deliver a far, far greater reward for those who develop these technologies than simply the fifteen billion dollars that's tied up in Bitcoin, because quantum computing has very broad applications. Furthermore, the application of quantum computing to Bitcoin is marginal at best.

First of all, sha- and cryptographic hash algorithms like sha are not particularly easy to optimize using quantum algorithms. Now let's take the elliptic curve digital signature algorithm, and elliptic curve cryptography: that can be massively optimized with quantum computing, and quantum algorithms for doing the elliptic curve factoring in fact do exist, and they will allow someone to break elliptic curve cryptography eventually. In fact, our large elliptic prime fields, elliptic curve fields, for now the elliptic curves that we use are far greater, the field that's used for the elliptic curve is far greater than any quantum computer can factor, so that's not a risk. At some point it would become a risk, and at that point you have very, very powerful quantum computers that can do that, and then the security of elliptic curve cryptography is no longer good. But elliptic curve cryptography can be replaced in Bitcoin by other algorithms, and because of the mechanism by which public keys are not demonstrated to the network until an amount is spent, if you follow the best practice of only using an address once for each transaction, then the only time your public key is demonstrated to the network, shown to the network, is when you've spent the amount of Bitcoin that was in that address. And therefore, even if you were able to break public keys as used in elliptic curve cryptography, you wouldn't have any Bitcoin to get behind it, because it was only ever used once. Bitcoin addresses, of course, are secured through two applications of hashing algorithms, sha- and RIPEMD, and those are far less susceptible. Those two algorithms, as well as the mining algorithm on sha- as well, are far less susceptible to quantum algorithm optimizations, as far as we know, and therefore it may be a very long time until quantum cryptography has any impact on Bitcoin.

And of course the other thing to consider is it also depends on how broadly quantum cryptography is available, sorry, quantum computing is available. If quantum computing is broadly available, then just as much as you can make better algorithms for cracking keys, you can also make better algorithms for making keys. You can make quantum mining algorithms, you can make quantum cryptography algorithms. So if quantum cryptography is very, quantum computing is broadly available, then I can use quantum computing to do encryption and digital signatures and mining, and then the fact that others have quantum computing doesn't make any difference, because my cryptography, my digital signatures and my mining algorithm are just as secure. So really it's about the unequal availability of quantum