20

I know that proof of work shows that the person has put in some time and power into the processing. I also know that bitcoin mining is adding a transaction into the blockchain and then the miner will need to solve a pow problem.

Why do we need this? What if we eliminated the proof of work step for the miners and what are the consequences of doing so?

user153882
  • "I also know that bitcoin mining is adding a transaction into the blockchain and then the miner will need to solve a pow problem." Mining is constructing a block of transactions, and, with luck, solving the PoW problem for that block before any other miner adds a block, then adding the block to the blockchain. – brec Dec 24 '17 at 23:51
  • closely related: https://bitcoin.stackexchange.com/q/331/5406 – Murch Feb 11 '18 at 02:03

6 Answers

14

Proof of Work (PoW) basically makes sure that miners don’t cheat.

There is no way to trust that everyone in the network is honest, so there has to be some way to prevent miners from creating new blocks that benefit themselves. The way it works is that you have a bunch of people all trying to guess the answer to the math problem and no one knows who is going to get the correct answer first. Whoever does get the right answer first gets a reward, but only if all the other miners agree to accept that transactional record (if it becomes apparent that a certain miner is creating fraudulent transactions then the other miners can collectively refuse to accept their contributions).

This is why the process of creating a new block is designed to be energy intensive, so that there is a cost associated with creating each new block. This prevents miners from simply creating a whole bunch of new fraudulent blocks with the hopes that maybe they’ll get accepted, because the cost of doing so offsets the potential reward.

It helps to think about proof of work as a possible solution to email spam. If there was a requirement for each computer to spend a minute on a PoW problem before every piece of mail was sent, then only people with genuine messages would agree to expend the effort. One minute of computer time is a very low cost for an individual, but the guy who is blasting 10 million spam emails couldn’t afford to wait 10 million minutes to do so.

So going back to bitcoin, the chance of each individual miner being the one to solve each block is pretty small, and since it takes a lot of effort to solve the blocks they can’t just spam the network with solutions. This means that they are incentivized to only expend the effort if their contribution is going to be accepted by the network.

Hope that makes sense.

This is the best breakdown I could find (http://nakamotoinstitute.org/mempool/the-proof-of-work-concept/)

JakeW
  • "This prevents miners from simply creating a whole bunch of new fraudulent blocks with the hopes that maybe they’ll get accepted" But nothing prevents nodes spamming the network with fraudulent transactions; of course eventually all peers will block those nodes after a certain amount of mishaps. I don't see why this wouldn't work for blocks as well. – Calmarius Jan 24 '18 at 16:28
  • @Calmarius, indeed there exist two levels of consensus: Transaction level and Block level. So, spamming fraudulent transactions is quickly detected through consensus voting which handles Byzantine faults. – محمد جعفر نعمة Oct 22 '19 at 12:08
  • I'm not sure if I get it right, because in my mind, and the way I try to understand it, a PoW is a delaying mechanism. So it forces everybody to delay and pause. And once this mandatory delay is there, kablam, the result is sequential ordering. I'm not sure if this is the whole point. I just started reading Mastering Bitcoin last week. Please correct me if I'm wrong. – daparic May 17 '21 at 10:57
12

Imagine I have 1 bitcoin. And imagine I can form a transaction to send that bitcoin to Alice or I can form a transaction to send that bitcoin to Charlie.

Now, what stops me from forming both transactions? Nothing.

So, if I do that, how will people know which transaction is valid? Clearly, without some reliable way to tell which of those two transactions are valid, the system is doomed.

This is what PoW does. A miner cannot contribute PoW to both transactions at the same time -- he must pick one.

David Schwartz
  • Ok, I see how PoW is related to double spending, thanks – user153882 Feb 10 '17 at 00:27
  • "This is what PoW does. A miner cannot contribute PoW to both transactions at the same time -- he must pick one." Can you elaborate on this one? I am sure many users would appreciate this. As your answer stands now, I can't see how and why POW is used in bitcoin still –  Jul 27 '17 at 06:13
  • @user200300 I'm not quite sure what you're unclear about. Do you understand the problem I'm describing? Someone can form two valid transactions and we need some way for everyone to eventually agree on which one to accept. (Maybe it would help to ask your own question about what specifically you don't understand?) – David Schwartz Jul 27 '17 at 07:29
  • Hi David. How does the miner decide which transaction to commit POW to? And how does this selection help maintain the integrity of the blockchain? Also, isn't POW performed on a block, not on a transaction per se? – nanonerd Dec 11 '17 at 03:17
  • PoW is performed on a block, but that block cannot form a chain that includes both transactions or that chain is invalid and will be ignored. A miner wants to get paid, so he mines on top of the longest chain he can find. – David Schwartz Dec 11 '17 at 04:56
  • I think this explanation is quite inadequate. All it says is that PoW grabs one of possibly competing transactions--fine. But what it doesn't explain is this: You send 1 bitcoin to BOTH Alice and Charlie as two separate transactions before either one is accepted. Now let's say the Alice transaction gets successfully added in a block after PoW. Now the Charlie transaction is still pending. Your explanation glosses over what the fate of the Charlie transaction will be... – Jazimov Jan 08 '18 at 19:12
  • @Jazimov Nothing can ever happen to it. – David Schwartz Jan 08 '18 at 19:36
  • Why is that? PoW enters the first transaction successfully onto a block that's verified by other nodes and added to the blockchain. When the second transaction is encountered, what blockchain mechanism causes it to be ignored? – Jazimov Jan 08 '18 at 23:20
  • It's not valid because it tries to claim an unspent output that no longer exists. No node will allow anything to happen to an invalid transaction. A block that tries to include it will be ignored. – David Schwartz Jan 09 '18 at 00:54
  • "So, if I do that, how will people know which transaction is valid? Clearly, without some reliable way to tell which of those two transactions are valid, the system is doomed." What about a conflict resolution consensus: if one wallet attempts to double spend, the transaction with a lower hash is considered to be the valid transaction? – Calmarius Jan 24 '18 at 16:18
  • @Calmarius That would be a disaster. No transaction would ever be final until and unless you could see every transaction that was ever going to happen to ensure that there didn't exist any conflicting transaction with a lower hash. How would you do business if you never knew when you could rely on a transaction not losing conflict resolution? – David Schwartz Jan 24 '18 at 18:13
  • Nodes can locally timestamp the transactions and declare it final if it's old enough (let's say 1 hour old); at that point no updates are accepted. The bigger problem is making sure that nodes are in consensus and all of them are building the same chain, and I don't think that's possible without artificially slowing down the network with PoW and letting the blocks propagate to all nodes before the next comes. – Calmarius Jan 24 '18 at 22:07
  • @Calmarius No, they can't. What if one node thinks it's 1 hour old and another node thinks it's 59.9 minutes old when a conflicting transaction is discovered? How would they ever agree? A malicious user could create a thousand conflicting transactions, send the one with the highest hash, then wait 59 minutes, then send the other 999 (in hash order, highest to lowest) over the next two minutes and the network would never agree again. – David Schwartz Jan 24 '18 at 22:09
  • I don't understand how to double spend without PoF, I have created a new question maybe is easier to understand explaining a step by step problem: https://bitcoin.stackexchange.com/questions/76294/why-we-need-mining – Enrique Jun 15 '18 at 10:24
  • @David Schwartz answer: I can not fully understand how a PoW is related to mitigate for example double spending?! As I understood, the PoW algorithm asks that the hash of a string should start with some zeros, which makes it hard to find the proper number, etc. But if the hash of some string (let's say the transaction that is added to the blockchain) starts with zero, it does not prove that the transaction is a valid one! It would be highly appreciated if someone could clarify this issue for me. Thank you – M F Jul 04 '18 at 15:00
  • @MF The challenge is not to know which transactions are valid. The challenge is to know which of two valid, but conflicting, transactions everyone else will eventually accept. – David Schwartz Jul 05 '18 at 01:41
  • "Clearly, without some reliable way to tell which of those two transactions are valid, the system is doomed." Computationally, it's not required to produce PoW in order to verify that all the transactions packed in a certain block are mutually valid according to the current blockchain. If you pack both transactions into one block, the block will not be valid. If you pack one transaction into a block and it ends up in the blockchain, then any future block that may be added could not include the other transaction. No need for PoW to verify these conditions. – rapt Aug 25 '19 at 20:14
  • @rapt Can you explain how this would work? Say I have a blockchain that ends with block A, you have a blockchain that ends with block B, and block A has a transaction that conflicts with block B. How do I know which of those two conflicting transactions I can rely on without PoW? – David Schwartz Aug 25 '19 at 20:38
  • @DavidSchwartz To you as an outside observer, what you first care about is that all the current versions of the blockchain (BC) are valid. I.e., that for each version of the BC, the transactions within that BC are valid and not contradicting each other. This is "easy" to do, without PoW, by every user independently (no mutual trust is needed). Now, to you as an outside observer, the PoW process simply randomly picks one of the valid competing BCs. You don't really care how one is chosen (by work, lottery, etc). All you care is that the network accepts this process of picking the winner. – rapt Aug 25 '19 at 22:02
  • @rapt I guess I have no idea what your point is. You're saying a bunch of things that, while technically correct, are worded confusingly. What are you trying to accomplish? Are you trying to clarify something? If so, I think you're failing. Are you trying to correct what you perceive is an error? If so, can you be precise about what you think is incorrect? – David Schwartz Aug 25 '19 at 22:06
  • PoW is not used to protect against double spending attacks. PoW is used solely to pick which random miner out of all total miners gets to choose the content of the next block. The winning miner can still be dishonest, if so then the transactions of this new block may contain double spends, and if it did, the block would be seen as invalid, rejected by all the other miners, and orphaned. – dodgy_coder Jan 26 '20 at 08:20
  • @dodgy_coder You are incorrect. Double spends don't involve blocks that can be seen as invalid. An example of a double spend would be if Alice has 1 bitcoin and two blocks are mined at about the same time, one containing a valid transaction sending that bitcoin to Bob and one containing a valid transaction sending that bitcoin to Charlie. Anyone who sees only one of those two blocks mined at about the same time would accept it because it's valid. (Did you read my answer? It says exactly this.) – David Schwartz Jan 26 '20 at 19:26
  • @dodgy_coder Solving the double spend problem requires some way to have the network eventually agree on which of two individually valid but conflicting transactions to accept. Bitcoin uses PoW for this purpose. – David Schwartz Jan 26 '20 at 19:28
  • @DavidSchwartz I get what you're saying, but hear me out. So through PoW a miner X has been awarded the right to form a new block. They put in that new block the transaction from Alice to Bob. Another miner Y through PoW again has (around the same time) found a new block and added the transaction from Alice to Charlie. How did PoW prevent a double spend? It didn't have anything to do with it. The protocol rule of extending the longest valid chain took care of that, on the next block, which was awarded to miner Z. All PoW did for us was to randomly choose a miner based on their current hash rate. – dodgy_coder Jan 27 '20 at 08:58
  • @DavidSchwartz Actually I said above it was the "protocol rule" .. it's really the miner's own incentive of extending the longest valid chain. Miner Z had to choose one of the valid blocks (from miner X or miner Y) and this became the consensus chain. At the point in time that the double spend occurred, it's possible (depending on Bob and Charlie's wallet software) that they both saw a valid tx with 0 confirmations. So the double spend happened, but then one tx block got orphaned and one didn't. – dodgy_coder Jan 27 '20 at 09:49
  • @David Schwartz Isn't there a mechanism to check balance before transaction? If 1 bitcoin is sent to 2 people, only one of them will receive and the other will be discarded as invalid. I don't get how PoW will prevent this. – Abhishek Choudhary Dec 30 '20 at 08:29
  • 1
    @AbhishekChaudhary How do thousands of people agree on which to receive and which to discard as invalid? That's what PoW does for bitcoin. – David Schwartz Dec 30 '20 at 16:35
  • @DavidSchwartz You fail to explain why is the PoW needed.

    (1) Node picks 1000 outstanding transactions and puts them in a block (2) It assesses no double spending on that block. (3) It hashes the block together with the previous hash in the blockchain. (4) It broadcasts the block to the other nodes. (5) Nodes check block and append it to the blockchain if valid.

    Is that it? What's the value of hashing the block 10K times, only changing the nonce until the hash starts with N zeroes, as to hashing it once? It adds no correctness.

    As a form of flow control it seems absurdly wasteful.

    – Lobotomik Feb 26 '21 at 09:45
  • @Lobotomik What if someone else does precisely the same thing but their block includes a transaction that conflicts with one in that block? What stops the network from breaking into two disagreeing sides? The value of the proof of work is that it resolves this problem -- the chain with the most work wins. And it's very expensive to change that. – David Schwartz Feb 26 '21 at 23:55
  • @DavidSchwartz is that really the main point of PoW? protection against double spending? can't nodes simply check that there isn't sufficient balance to accommodate both transactions and reject such "bad" blocks? – SpaceMonkey Apr 02 '21 at 20:43
  • @SpaceMonkey They can, but that's not the problem. The problem is that one node accepts a block that contains one transaction and another node accepts a block that contains a conflicting transaction. From then on, the two halves disagree on which transactions are valid after that (because each side sees accounts with different balances). How do you ensure eventual consistency and keep the network from accumulating more and more disagreement? Try to work out a way and you'll quickly find it's not simple at all. – David Schwartz Apr 04 '21 at 23:28
  • @DavidSchwartz Exact same thing happens in Bitcoin and the solution is to take the longest chain, but again why do we require PoW? I think it's to prevent attackers from spamming invalid blocks. So it seems like PoW is mainly for controlling participation in the network (you need to make an effort which is easily checked) so attackers can't build a longer chain without having more than 50% of the hashing power. Does that make sense? – SpaceMonkey Apr 06 '21 at 22:35
  • @SpaceMonkey If it's helpful to you to think about it, then I guess that's fine. I find that overly complicated. It's this simple: Longest chain is useless if everyone who wants to can make a chain that's as long as they want it to be. Longest chain is only a useful rule if it's hard to make a chain longer. – David Schwartz Apr 06 '21 at 22:39
  • @DavidSchwartz right, that's a good way to put it. So, aside from "transaction order" (which is double spending), what else does PoW give us? we don't need PoW for transaction validity since we can validate each transaction individually, so what else? – SpaceMonkey Apr 06 '21 at 22:41
  • 1
    @SpaceMonkey The canonical answer is to provide transaction ordering which we need to solve the double spend problem. The secondary answer is to accomplish the initial distribution without a central party. – David Schwartz Apr 07 '21 at 00:00
  • @DavidSchwartz I appreciate your replies, I think these are the best responses I got so far. Would you mind joining my chat room please instead of commenting here? https://chat.stackexchange.com/rooms/122747/spacemonkey-and-davidshwartz – SpaceMonkey Apr 07 '21 at 10:21
3

The way I understand how proof of work (PoW) works is this: its fundamental goal is to prevent cheating, or creating an inconsistent view of the distributed ledger.

Imagine a double spend scenario, wherein participant A has only 1 BC to spend. But he creates two independent transactions or "spends", each with 1 BC. He then presents each spend transaction to two different parties B and C as valid payments. Since there is no notion of serialization of transactions (as one would have in a centralized database with atomic commits), it is possible that some participants in the network have recorded A's payment to B first, while others have recorded A's payment to C first. At the same time, some will end up rejecting the latter payment (since A has only 1 BC to spend).

In the ideal world, if both transactions can be strictly serialized (as, for example, A's payment to B will be recorded in the distributed ledger before A's duplicate payment to C might be recorded), there will be no need for distributed consensus. In an ideal world, wherein the transactions can be time-stamped using a "central" clock visible to every participant, we would have an easy solution.

The PoW process solves this problem algorithmically by forcing a non-trivial finite delay for submitting and committing a block of transactions. In the bitcoin scheme, where transactions must be committed in a block level granularity, A's double spend transaction has two possibilities:

  1. Either both transactions are grouped together in the same block,
  2. Or, they are grouped in different blocks.

In the latter case, the inconsistency is easily detected and flagged. In the former case also, it is easy to detect the inconsistency & flag the same - but it is possible to do so only when both transactions (the good one and the bad one) are grouped in the same block. This is not possible if either the block sizes are too small or can be committed by the nodes very quickly. This is where PoW comes in handy - it forces enough time to elapse in order to compose a new block and have it committed by all participants.

The question that was not clear to me is this: Bitcoin uses a certain variation of computing the pre-image of a SHA-256 hash value. Since the purpose of PoW is only to delay the creation of new blocks by a sufficient time lag, this puzzle to solve could be anything - as for example, solving a 16-queens placement problem on a chess board, or something like that. It is not clear if the puzzle really needs to have a correlation with the actual data in the block being committed.

user13311
  • 2
    It is important that the puzzle's solution has a deterministic relationship with the block's contents. This is because a mechanism is required to verify which block a new block was built on top of. It also provides a way to quickly verify that transactions were included in a block. Lastly, using a function with properties like strong hash functions ensures that once a solution has been found, the contents on the blockchain cannot be changed without detection. The puzzle needs to provide a tamper prevention mechanism. – Matthew Stannard Jan 07 '18 at 08:04
2

Without proof of work, anyone can start from the genesis block and then create a long chain of fake transactions. How can one decide which ledger is the correct one?

This is where the proof of work comes into play. The nodes accept the chain which took the most work to create and reject all others. This strongly incentivizes the miners to build upon the established chain and also makes it hard to create a fake chain. To create a fake chain an adversary will need to work faster and also needs to catch up to the rest of the network to get his fake chain accepted, which is practically impossible for established cryptocurrencies like Bitcoin.

Calmarius
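The arguments in David Schwartz's answer and comments (two individually valid but conflicting blocks), Matthew Stannard's comment (the puzzle must be bound to the block's contents) and the answer above (without work, anyone can build a long fake chain) can be run on a toy chain. This is an added example, not code from any of the posters or from Bitcoin; the 12-bit difficulty, the `alice:0` style output names and the block layout are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, replace

GENESIS = "00" * 32   # constructed parent hash for the first block
BITS = 12             # toy difficulty: block hash needs 12 leading zero bits

@dataclass(frozen=True)
class Block:
    prev: str     # hash of the parent block
    txs: tuple    # ((output_being_spent, recipient), ...)
    nonce: int

    def hash(self) -> str:
        # The puzzle input covers the parent link and the contents, not only the nonce.
        return hashlib.sha256(f"{self.prev}|{self.txs}|{self.nonce}".encode()).hexdigest()

def meets_target(h: str, bits: int) -> bool:
    return int(h, 16) < (1 << (256 - bits))

def mine(prev: str, txs, bits: int = BITS) -> Block:
    nonce = 0
    while not meets_target(Block(prev, tuple(txs), nonce).hash(), bits):
        nonce += 1
    return Block(prev, tuple(txs), nonce)

def chain_work(chain, bits: int = BITS) -> int:
    """Expected hashes behind a chain, or 0 if any block breaks the rules."""
    prev, spent = GENESIS, set()
    for block in chain:
        if block.prev != prev or not meets_target(block.hash(), bits):
            return 0                      # broken link or missing work
        for output, _recipient in block.txs:
            if output in spent:
                return 0                  # same output spent twice in this chain
            spent.add(output)
        prev = block.hash()
    return len(chain) << bits

def best_chain(chains, bits: int = BITS):
    return max(chains, key=lambda c: chain_work(c, bits))

def hashes_spent(chain) -> int:
    """Hash attempts the builder actually made (the nonce search starts at 0)."""
    return sum(block.nonce + 1 for block in chain)

def fork_demo():
    to_bob = mine(GENESIS, [("alice:0", "bob")])
    to_charlie = mine(GENESIS, [("alice:0", "charlie")])
    tie = chain_work([to_bob]) == chain_work([to_charlie])   # both valid, equal work
    both = mine(to_bob.hash(), [("alice:0", "charlie")])
    conflict_work = chain_work([to_bob, both])               # 0: double spend in one chain
    extended = [to_bob, mine(to_bob.hash(), [("dave:0", "erin")])]
    winner = best_chain([[to_charlie], extended])            # the next block settles the fork
    # Rewriting a mined block keeps neither its work nor its child's parent link.
    forged = [replace(to_bob, txs=(("alice:0", "mallory"),)), extended[1]]
    return tie, conflict_work, winner is extended, chain_work(forged)

def free_chain(length: int):
    """With bits=0 every hash qualifies, so a 'longer' chain costs one hash per block."""
    chain, prev = [], GENESIS
    for i in range(length):
        chain.append(mine(prev, [(f"mallory:{i}", "mallory")], bits=0))
        prev = chain[-1].hash()
    return chain

if __name__ == "__main__":
    print(fork_demo())
    fake = free_chain(50)
    print(chain_work(fake, bits=0), hashes_spent(fake), chain_work(fake))
```

Run as a script, it shows the tie between the two conflicting blocks, the fork being settled by the next block, and a 50-block chain that cost only 50 hashes being worth nothing once a real difficulty is required.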
1

Short answer:

Proof of work is a protection and a solution for the Byzantine generals problem. Without it, miners will cheat easily without losing anything, so they set up this system (PoW) to force the participants to lose money if they cheat (you lose the money invested in the PoW process: electricity consumption and the useless budget invested in the hardware); instead, you have an incentive if you don't cheat. Besides, PoW is used to control the mining time window (10 min): we could control the difficulty to make the mining easy or hard.

Badr Bellaj
0

It provides a Proof of Consensus among the Bitcoin nodes that establishes the validity of any given block once it has about 6 blocks mined on top of it and it is the longest chain on the network.

Since it is computationally expensive to mine blocks, it is unlikely that a single miner would be able to mine multiple blocks in a row. The rest of the mining community would mine the blocks much faster and create a longer chain.

Thus, given block A, to have 6 blocks mined above block A in the longest chain, a large percentage of the miners in the bitcoin mining community must all be working on the chain that includes block A.

The fact that so many miners have been proven to be working on a chain that includes block A implies that the community has come to the consensus that block A is a valid block.

Thus Proof of Consensus has been achieved.

Why is this Proof of Consensus needed? It protects the block chain from being forked (intentionally or unintentionally). Other answers describe why someone may try to intentionally fork the blockchain (see the Double Spend scenario).

Zain Rizvi