# Hashcash – Bitcoin Wiki

This pagina explains hashcash and how bitcoin uses it.

## Contents

## Hashcash

Bitcoin uses the hashcash Proof_of_work function spil the mining core. All bitcoin miners whether CPU, GPU, FPGA or ASICs are expending their effort creating hashcash proofs-of-work which act spil a vote te the blockchain evolution and validate the blockchain transaction loom.

Like many cryptographic algorithms hashcash uses a hash function spil a building block, te the same way that HMAC, or RSA signatures are defined on a pluggable hash-function (commonly denoted by the naming convention of algorithm-hash: HMAC-SHA1, HMAC-MD5, HMAC-SHA256, RSA-SHA1, etc), hashcash can be instantiated with different functions, hashcash-SHA1 (original), hashcash-SHA256^2 (bitcoin), hashcash-Scrypt(iter=1) (litecoin).

### History

The Hashcash proof-of-work function wasgoed invented ter 1997 by Adam Back, and proposed for anti-DoS uses including preventing: anonymous remailer and mail2news gateway manhandle, nym name squatting on nymservers (replyable pseudonymous remailer severs), spil well spil general email anti-spam and general network manhandle throttling. Before bitcoin, hashcash wasgoed used by SpamAssasin, and (with an incompatible format) by Microsoft (with the name “email postmark”) te hotmail, exchange, outlook etc and by i2p anonymity network, mixmaster anonymous remailer components and other systems. Hashcash wasgoed also used by Ridderzaal Finney’s bitcoin precursor RPOW spil a way to mine coins. Weide Dai’s B-money Proposal, and Nick Szabo’s similar Bit Gold proposal bitcoin precursors, also were proposed te the setting of hashcash mining.

### Hash function choices

Te the original 1997 algorithm hashcash used SHA1 because at that time, this wasgoed the defacto and NIST recommended hash, and the previous defacto hash MD5 had recently commenced to showcase signs of weakness. Bitcoin being specified/released te 2008/2009 uses SHA256. There is actually no strong reason SHA1 would not have worked also, hashcash relies only on the hash partial preimage resistance property (security up to hash-size, 160-bit with SHA1) and not bday collision firmness (security up to 80-bit), so the SHA1 hash is big enough. Bitcoin is anyway built to 128-bit security because 256-bit ECDSA is used, which also offers 128-bit security. Never the less SHA256 is the keurig and more conservative choice because even SHA1 has commenced to vertoning some weakenesses, however only ter bday collision, not ter 2nd-preimage.

### Dual Hash

Bitcoin is using two hash iterations (denoted SHA256^2 ie “SHA256 function squared”) and the reason for this relates to a partial attack on the smaller but related SHA1 hash. SHA1’s resistance to bday attacks has bot partially violated spil of 2005 te O(2^64) vs the vormgeving O(2^80), with practical attacks having bot used successfully te early 2018. While hashcash relies on pre-image resistance and so is not vulnerable to bday attacks, a generic method of hardening SHA1 against the bday collision attack is to iterate it twice. A comparable attack on SHA256 does not exist so far, however spil the vormgeving of SHA256 is similar to SHA1 it is very likely defensive for applications to use dual SHA256. And this is what bitcoin does, it is not necessary given hashcash reliance on preimage security, but it is a defensive step against future cryptanalytic developments. The attack on SHA1 and te principle other hashes of similar vormgeving like SHA256, wasgoed also the motivation for the NIST SHA3 vormgeving competition which is still ongoing.

### Future Hash

Once the NIST SHA3 contest has finalised, bitcoin might te the future consider adopting hashcash-SHA3 spil a security upgrade (eg a single invocation of SHA3 vs a dual invocation of SHA256). It seems clear from the SHA1 pauze, and SHA256 is a similar vormgeving, that there wasgoed previously a misunderstanding about the security of hash functions against bday collisions, and SHA3 finalists all aim to fix that punt. One facet of relevance for hashcash-SHA3 is that there is some debate within the NIST comments process on the proposal of weakening SHA3’s resistance to pre-image attacks down to 128-bit (vs the total hash size spil with previous hashes). The motivation is a petite spectacle build up, with the rationale that some hash-pluggable algorithms do not rely on full-length pre-image resistance. The proposal has met with significant negative terugkoppeling due to it creating a non-standard security assumption (compared to all previous hashes), and therefore it creates risk and all hash-pluggable algorithms (like HMAC, RSA, DSA, hashcash etc) would need to be re-examined on a case by case poot to see if SHA3 is safe to use with them, from the balance of the terugkoppeling it seems probable that NIST will accept the terugkoppeling and SHA3 will retain the utter 256-bit pre-image resistance.

### Cryptanalytic Risks

A practical punt with switching to hashcash-SHA3 is that it would invalidate all existing ASIC mining hardware, and so is a switch that would unlikely to be made except ter the face of security risk, there is no indication that SHA1 or SHA256, or SHA256^2 are vulnerable to pre-image attack so the motivation is missing absent fresh cryptanalytic developments. Te addition even if SHA256^2 became lighter due to cryptanalytic attack, and miners commenced using whatever the fresh algorithmic treatment wasgoed, it does not necessarily matter spil difficulty would just adapt to it. One likely side-effect however would be that it would introduce more memory or pre-computation tradeoffs which could make ASICs unprofitable, or give advantages to people with large resources to do the pre-computations. Pre-computation advantages would perhaps be enough motivation to substitute the hash with SHA3. Anyway this is all speculation if and until any pre-image affecting cryptanalytic attacks are found on SHA256.

## Hashcash function

The hashcash algorithm is relatively ordinary to understand. The idea builds on a security property of cryptographic hashes, that they are designed to be hard to invert (so-called one-way or pre-image resistant property). You can compute y from x cheaply y=H(x) but it’s very hard to find x given only y. A utter hash inversion has a known computationally infeasible brute-force running time, being O(2^k) where k is the hash size eg SHA256, k=256, and if a pre-image wasgoed found anyone could very efficiently verify it by computing one hash, so there is a big asymmetry te total pre-image mining (computationally infeasible) vs verification (a single hash invocation).

A 2nd hash pre-image means given one-preimage x of hash y where y=H(x), the task is to find another pre-image of hash y: x’ so that y=H(x’). This is not to be confused with a bday collision which is to find two values x, x’ so that H(x)=H(x’), this can be done ter much lower work O(sqrt(2^k))=O(2^(k/Two)) because you can proceed by computing many H(x) values and storing them until you find a matching pair. It takes a lotsbestemming of memory, but there are memory-time tradeoffs.

Version 0 of hashcash protocol (1997) used a partial 2nd pre-image, however the straks version 1 (2002) uses partial pre-images of a fairly chosen string, rather than digits of pi or something arbitrary, 0^k (ie all 0 string) is used for convenience, so the work is to find x such that H(x)=0. This is also identically fair and only requires one hash invocation to verify vs two with 2nd partial-pre-images. (This optimisation wasgoed proposed by Ontvangstruimte Finney &, independently by Thomas Boschloo). To make the work lighter the definition of a partial-pre-image is to find x such that H(x)/2^(n-k) = 0 where / is the rechtschapen quotient from division, n is the size of the hash output (n=256-bits for SHA256) and k is the work factor, ie, the very first k onverdraagzaam of the hash output are 0 . So for example k=20 requires average 1 million attempts. It is actually the output that partially matches, not the pre-image, so could perhaps more accurately called a pre-image with a partial output match, however partial pre-image effectively a short-hand for that.

### Adding purpose

If the partial-pre-image x from y=H(x) is random it is just a disconnected proof-of-work to no purpose, everyone can see you did do the work, but they don’t know why, so users could reuse the same work for different services. To make the proof-of-work be strapped to a service, or purpose, the hash voorwaarde include s, a service string so the work becomes to find H(s,c)/2^(n-k)=0. The miner varies toonbank c until this is true. The service string could be a web server domain name, a recipients email address, or te bitcoin a block of the bitcoin blockchain ledger.

One extra problem is that if numerous people are mining, using the same service string, they voorwaarde not begin with the same x or they may end up with the same proof, and anyone looking at it will not honor a duplicated copy of the same work spil it could have bot copied without work, the very first to present it will be rewarded, and others will find their work rejected. To avoid taking a chance wasting work ter this way, there needs to be a random beginning point, and so the work becomes to find H(s,x,c)/2^(n-k) = 0 where x is random (eg 128-bits to make it statistically infeasible for two users to maliciously or accidentally embark at the same point), and c is the toonbank being varied, and s is the service string.

This is what hashcash version 1 and bitcoin does. Ter fact ter bitcoin the service string is the coinbase and the coinbase includes the recipients prize address, spil well spil the transactions to validate ter the block. Bitcoin actually does not include a random commence point x, reusing the prize address spil the randomization factor to avoid collisions for this random embark point purpose, which saves 16-bytes of space ter the coinbase. For privacy bitcoin expect the miner to use a different prize address on each successful block.

### More Precise Work

Hashcash spil originally proposed has work 2^k where k is an rechtschapen, this means difficulty can only be scaled ter powers of Two, this is slightly simpler spil you can see and fully measure the difficulty just by counting 0s ter hex/binary and wasgoed adequate for prior uses. (A lotsbestemming of hashcash vormgeving choices are motivated by simpleness).

But because bitcoin needs more precise and dynamic control of work (to target 10-minute block interval accurately), it switches k to be a fractional (floating-point) so the work becomes to find H(s,x,c) <, 2^(n-k) which is omschrijving if k is an rechtschapen. Bitcoin defines target = 2^(n-k), so the work can be more simply written to find H(s,x,c) <, target. Of course because of luck the block time actually has fairly high variance, but the average is still more accurately targeted by the introduction of fractional k.

### Work, difficulty &, cryptographic security

Hashcash voices security margin ter the standard cryptographic security terms O(2^k) where for comparison DES offers k=56-bits of security, ECDSA-256 offers k=128-bits of security, and because its widely used this log2 way of voicing work and security can also be useful for making security comparisons.

Bitcoin rate of work is called the network hashrate te GH/sec. Spil the target block interval is Ten minutes that can be converted to cryptographic security spil log2(hashrate*600), so that of Nov 2013 hashrate is Four petahash/sec and bitcoin’s hashcash-256^2 proofs-of-works are 62-bits (including +1 for dual hash).

Bitcoin also defines a fresh notion of (relative) difficulty which is the work required so that at current network hashrate a block is expected to be found every Ten minutes. It is voiced relative to a ondergrens work unit of 2^32 iterations (approximately, technically ondergrens work is 0xFFFF0000 due to bitcoin implementation level details). Bitcoin difficulty is plain to approximately convert to log2 cryptographic security: k=log2(difficulty)+32 (or for high accuracy log2(difficulty*0xFFFF0000)). Difficulty is related to the target simply spil difficulty = target / 0xFFFF0000.

It is perhaps lighter to overeenkomst with high difficulties ter log2 scale (a petahash/2nd is a 16 decimal digit number of hashes vanaf 2nd), and makes them comparable to other cryptographic security statements. For example the EFF “deepcrack” DES cracker project built a hardware brute force machine capable of violating a DES key ter 56 hours to make a political point that 56-bit DES wasgoed too feeble ter 1998 at a cost of $250,000 (plus volunteer vormgeving time). By comparison bitcoin network does 62-bits (including +1 for dual hash) every 10-minutes and is 537,000 times more powerful than deepcrack, or could if it were focused on DES rather than SHA256 crack a DES key ter 9 seconds to deepcracks 56 hours.

### Miner privacy

Ter principle a miner should therefore for privacy use a different reward-address for each block (and reset the tegenstoot to 0). Why Satoshi’s early mined bitcoins were potentially linked, wasgoed because while he switched the reward-addresss, he left behind to reset the tegenstoot after each successful mine, which is a bitcoin mining privacy bug. Ter fact with bitcoin the toonbank also should be obscured otherwise you would expose your effort level, and if you have a lotsbestemming of mining power that may imply who the coin belongs to. Bitcoin does this via the nonce and extra-nonce. Nonce starts at 0, but toegevoegd nonce is random. Together thesis form a randomized toonbank hiding the amount of effort that went into the proof, so no one can tell if it wasgoed a powerful but unlucky miner who worked hard, or a powerless miner who wasgoed very fortunate.

Additionally with the introduction of mining pools, if the miner uses the same prize address for all users, which is what the current mining protocols do, then there is risk that users may redo work. To avoid users redoing work, miners palm out defined work for the users to do. However this creates an unnecessary communication round excursion and te early protocol versions perhaps wasgoed a factor te the decision to have the pool send the actual block to mine, which means the miners are not validating their own blocks, which delegates validation authority, however not work, to the pool technicus, reducing the security of the bitcoin network. The more latest mining protocol version permits the user to add their own block definition, but still unnecessarily incur round trips for handing out work allocation. Because the fresh pooled-mining protocol has a miner chosen extraNonce this acts spil a random embark factor so there is actually no need to talk to the pool for work allocation, a pool could have a static published address, and miners could just do work of whatever size they chose, and submit it to the pool spil a UDP packet. (If privacy is required by the miner, it could use the public derivation method from BIP 32 to permit the knot to tell the miner via an encrypted message with the mining work, which factor to multiply the static public key by.)

### Scrypt proof-of-work

It is a misunderstanding to talk about the Scrypt proof-of-work. Scrypt is not intended spil a proof-of-work function, but a opened up key-derivation function, and while it is by vormgeving expensive to compute with high iterations, it can not be used to make an efficiently publicly auditable proof-of-work, spil verifying costs the same spil creating.

Hashcash with the internal hash function of Scrypt may be denoted hashcash-Scrypt(1). Scrypt, by Colin Percival, is a key-derivation function for converting user chosen passphrases into keys. It is salted (to prevent pre-computation/rainbow table attacks), and the hash is iterated many times to slow down passphrase grinding. Scrypt is similar ter purpose to the defacto standard passphrase key-derivation function PBKDF2 (which uses HMAC-SHA1 internally). The differentiator and why people might choose Scrypt rather than PBDF2 is that Scrypt’s internal hash uses more memory so the GPU (or theoretical Scrypt ASIC/FPGA) advantage ter password grinding is diminished compared to CPUs.

This does not use the key-stretching feature of Scrypt so mining is not actually using Scrypt directly, but only the inward Scrypt hash (accessed by setting the iteration parameter to one iteration). So Scrypt’s key-stretching function is not being used at all to contribute to the stiffness, unlike its normal use for key protection eg ter deriving the encryption key from user passphrase to encrypt bitcoin wallets. The reason Scrypt’s key-stretching can not be used for mining is because that at the same time makes it more expensive to verify by the same factor. This hashcash variant can be denoted hashcash-Scrypt(iter=1,mem=128KB) or shortened to hashcash-Scrypt(1). The other major scrypt parameter denotes the amount of memory used (usually 128kB).

### Decentralization: hashcash-Scrypt vs hashcash-SHA256

The 128kB Scrypt memory footprint makes litecoin arguably less vulnerable to centralization of mining power arising from limited access to or ownership of ASIC equipment by users. It’s arguable and unclear, because there are tegenstoot arguments: that hashcash-SHA256^2 is very plain, so a skilled individual with his private savings or a petite Kickstarter project could vormgeving and waterput ter an order with a chip-fabricator. This simpleness ensures that many people will do it and ASICs should become available. Conversely it is somewhat more difficult ter comparison to make an hashcash-Scrypt(1) ASIC so perhaps litecoin will prove te the mid-term actually worse for centralization, if a well funded commercial entity corners the market by having quicker, but proprietary, not available on the market, hashcash-Scrypt(1) ASICs that render litecoin GPU mining unprofitable.

Note also a mitigating factor is that it is considered that hashcash-Scrypt(1) should opoffering less speed up from ASIC implementation vs GPUs than hashcash-SHA256^2. This is claimed because of the argument that the diegene area taken up by 128kB of RAM, which it might be thought voorwaarde be dedicated to each Scrypt(1) core, would reduce the number of Scrypt(1) cores that getraind vanaf chip. Note however that Scrypt(1) is not actually securely memory-hard ter that it makes no attempt to prevent time-memory tradeoffs, so it is actually possible to repeat the computation of internal rounds to reduce the memory requirement. Te theory therefore it would be possible however more computation expensive to implement Scrypt(iter=1, mem=128kB) with minimal memory, just with more work. Te hardware the time-memory tradeoff would be optimized to find the optimal amount of memory to use, and it is fairly possible the optimal amount would be less than 128kB.

Hashcash-Scrypt(1) also has a disadvantage relative to hashcash-SHA256^2 te that it is significantly slower to verify, spil the verification cost of one iteration of Scrypt(mem=128kB) is far higher than a two SHA256 hashes. This makes validating the litecoin blockchain more CPU and memory intensive for all utter knots. Note however that the predominant CPU work of validation is the verification of the vanaf transaction ECDSA signatures of the numerous transactions te a block. Even one ECDSA signature is slower than one Scrypt(1) verification which is done once vanaf block, and there are many transactions (and so ECDSA signature verifications) to verify within a block.