How does proof of work inspire trust when the work is just guessing?












9















I'm struggling to understand the value added by machines guessing at inputs to create a hash below a target value in order to produce a proof of work. I understand the proof of work is somehow supposed to inspire trust in the distributed record of transactions. How? Why should someone winning a lottery cause me to have trust in a blockchain?










share|improve this question



























    9















    I'm struggling to understand the value added by machines guessing at inputs to create a hash below a target value in order to produce a proof of work. I understand the proof of work is somehow supposed to inspire trust in the distributed record of transactions. How? Why should someone winning a lottery cause me to have trust in a blockchain?










    share|improve this question

























      9












      9








      9








      I'm struggling to understand the value added by machines guessing at inputs to create a hash below a target value in order to produce a proof of work. I understand the proof of work is somehow supposed to inspire trust in the distributed record of transactions. How? Why should someone winning a lottery cause me to have trust in a blockchain?










      share|improve this question














      I'm struggling to understand the value added by machines guessing at inputs to create a hash below a target value in order to produce a proof of work. I understand the proof of work is somehow supposed to inspire trust in the distributed record of transactions. How? Why should someone winning a lottery cause me to have trust in a blockchain?







      proof-of-work






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jan 23 at 21:24









      mrwnt10mrwnt10

      483




      483






















          3 Answers
          3






          active

          oldest

          votes


















          17














          Forget PoW for a second: lets instead imagine that you have a box, and you've placed a lock on it, in order to secure it's contents.



          Now, if someone asks you how secure the contents are, then the size and type of lock is fairly important. Tying the box closed with a bit of string isn't very good security, at least compared to a heavy-duty padlock. For an attacker to get into the box and alter it's contents, they will need to work much harder to get past the padlock, compared to the string. We can use the word 'work' here in the thermodynamic sense: energy being used to perform an action. In order to break into the box, there is a minimum amount of work we would expect the assailant to have done. The minimum amount of work to break the padlock is obviously higher than the string, so we consider the padlock more secure.



          Keep that point in mind: breaking into a more secure box requires more work. You cannot fake the work, you either have the resources to cut the lock, or not.



          So lets go back to Bitcoin mining: when a miner is hashing to find a valid PoW, they are doing work by expending energy as computational cycles. The PoW function is devised such that we can expect a certain amount of work to be done (on average), in order for the miner to find a valid block. You can think of this PoW as the 'lock' that has been put on the block: in order for an attacker to alter the history of transactions, they will have to perform (on average) this same amount of work (spending energy, a real resource) in order to find a new, valid PoW and replace the block ('breaking the lock', as in our example from above).



          Thus, the history of transactions is secured by miners spending energy to create the PoW that is required for a block to be valid. More energy spent mining creates a 'more secure lock', since a malicious miner would be expected to spend an equal amount of energy in order to break it. Miners are incentivized to continue building upon old blocks, thus piling one lock on top of another lock, on top of another lock... and it is this mechanism which allows the history of Bitcoin transactions to be considered secure.






          share|improve this answer


























          • The minimum amount of work for bitcoin mining is very low. you just have to randomly get the number right each time. The average amount of work is more important.

            – Qwertie
            Jan 24 at 4:53






          • 1





            @Qwertie thats true, and its why I added the caveat "(on average)" in several places. The lock example isn't absolutely perfect, since cutting a padlock requires a ~deterministic amount of work to be spent, whereas bitcoin mining requires a probabilistic amount of work-- but I thought the example was best kept simple. To be more accurate, the lock example could be altered to describe two different combination locks: one with a 1-number code, and one with a 3-number code. The 1-number code lock would require less work to crack, but only on average.

            – chytrik
            Jan 24 at 9:00






          • 1





            If you can squeeze in the fact that verifying PoW is relatively cheap then that would really add to your answer.

            – Abdussamad
            Jan 24 at 10:42



















          3














          It is because of the nature of the hashing algorithms and one-way functions in general. The amount of work to get an input that hashes below a certain value is directly related to how low that value is.



          This is because there is no known way to reverse calculate the input of SHA256 that will result in a valid hash. The work is basically the number of guesses, on average, that it will take to get a valid hash at a given difficulty. While it is true that it is random chance to get a valid hash, the probability decreases with a lower value, so more work must be done (on average). It's important to think of it in terms of probabilities and average number of attempts required.



          It inspires trust because in order to reverse the transactions, one must redo the work (or execute the same number of guesses - on average) in order for replacement blocks to be accepted in place of blocks in the existing chain. This is called a 51% attack.






          share|improve this answer































            0














            It's not "a" lottery. Bitcoin transactions are considered reliable only after half a dozen or so blocks. Suppose someone wins the sixth lottery (lottery6). This results in block6, and it was built off of block5, which resulted from someone winning lottery5, and so on. Suppose you have a transaction in block1 where someone sent you some Bitcoin. If someone wanted to go back to back and insert a transaction into the blockchain where those Bitcoin instead go to someone else, they would have to go back to block0 and make an alternative block1b from that block with the new transaction. Block1b would then be in a shorter blockchain than the one where you received the Bitcoin. For that alternative transaction to be considered authoritative, at least five more blocks would have to be mined in that blockchain (five to tie the current blockchain and six to beat it), and all before any more blocks are added to the original blockchain. Not only would that take a tremendous amount of work, but miners would generally not have an incentive to work on that blockchain; if someone were to win the lottery and get block2b in the new blockchain, their mining reward wouldn't be secure until four more blocks are mined on that blockchain.



            So a single person winning a lottery doesn't mean a transaction is secured, especially right after the block is found and hasn't propagated to all the nodes. But once a transaction is several blocks back in the blockchain, anyone who wants to nullify that transaction would have to basically either win lottery after lottery, or somehow get a majority of miners to participate in a massive conspiracy.






            share|improve this answer

























              Your Answer








              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "308"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: false,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              noCode: true, onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f83951%2fhow-does-proof-of-work-inspire-trust-when-the-work-is-just-guessing%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              3 Answers
              3






              active

              oldest

              votes








              3 Answers
              3






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              17














              Forget PoW for a second: lets instead imagine that you have a box, and you've placed a lock on it, in order to secure it's contents.



              Now, if someone asks you how secure the contents are, then the size and type of lock is fairly important. Tying the box closed with a bit of string isn't very good security, at least compared to a heavy-duty padlock. For an attacker to get into the box and alter it's contents, they will need to work much harder to get past the padlock, compared to the string. We can use the word 'work' here in the thermodynamic sense: energy being used to perform an action. In order to break into the box, there is a minimum amount of work we would expect the assailant to have done. The minimum amount of work to break the padlock is obviously higher than the string, so we consider the padlock more secure.



              Keep that point in mind: breaking into a more secure box requires more work. You cannot fake the work, you either have the resources to cut the lock, or not.



              So lets go back to Bitcoin mining: when a miner is hashing to find a valid PoW, they are doing work by expending energy as computational cycles. The PoW function is devised such that we can expect a certain amount of work to be done (on average), in order for the miner to find a valid block. You can think of this PoW as the 'lock' that has been put on the block: in order for an attacker to alter the history of transactions, they will have to perform (on average) this same amount of work (spending energy, a real resource) in order to find a new, valid PoW and replace the block ('breaking the lock', as in our example from above).



              Thus, the history of transactions is secured by miners spending energy to create the PoW that is required for a block to be valid. More energy spent mining creates a 'more secure lock', since a malicious miner would be expected to spend an equal amount of energy in order to break it. Miners are incentivized to continue building upon old blocks, thus piling one lock on top of another lock, on top of another lock... and it is this mechanism which allows the history of Bitcoin transactions to be considered secure.






              share|improve this answer


























              • The minimum amount of work for bitcoin mining is very low. you just have to randomly get the number right each time. The average amount of work is more important.

                – Qwertie
                Jan 24 at 4:53






              • 1





                @Qwertie thats true, and its why I added the caveat "(on average)" in several places. The lock example isn't absolutely perfect, since cutting a padlock requires a ~deterministic amount of work to be spent, whereas bitcoin mining requires a probabilistic amount of work-- but I thought the example was best kept simple. To be more accurate, the lock example could be altered to describe two different combination locks: one with a 1-number code, and one with a 3-number code. The 1-number code lock would require less work to crack, but only on average.

                – chytrik
                Jan 24 at 9:00






              • 1





                If you can squeeze in the fact that verifying PoW is relatively cheap then that would really add to your answer.

                – Abdussamad
                Jan 24 at 10:42
















              17














              Forget PoW for a second: lets instead imagine that you have a box, and you've placed a lock on it, in order to secure it's contents.



              Now, if someone asks you how secure the contents are, then the size and type of lock is fairly important. Tying the box closed with a bit of string isn't very good security, at least compared to a heavy-duty padlock. For an attacker to get into the box and alter it's contents, they will need to work much harder to get past the padlock, compared to the string. We can use the word 'work' here in the thermodynamic sense: energy being used to perform an action. In order to break into the box, there is a minimum amount of work we would expect the assailant to have done. The minimum amount of work to break the padlock is obviously higher than the string, so we consider the padlock more secure.



              Keep that point in mind: breaking into a more secure box requires more work. You cannot fake the work, you either have the resources to cut the lock, or not.



              So lets go back to Bitcoin mining: when a miner is hashing to find a valid PoW, they are doing work by expending energy as computational cycles. The PoW function is devised such that we can expect a certain amount of work to be done (on average), in order for the miner to find a valid block. You can think of this PoW as the 'lock' that has been put on the block: in order for an attacker to alter the history of transactions, they will have to perform (on average) this same amount of work (spending energy, a real resource) in order to find a new, valid PoW and replace the block ('breaking the lock', as in our example from above).



              Thus, the history of transactions is secured by miners spending energy to create the PoW that is required for a block to be valid. More energy spent mining creates a 'more secure lock', since a malicious miner would be expected to spend an equal amount of energy in order to break it. Miners are incentivized to continue building upon old blocks, thus piling one lock on top of another lock, on top of another lock... and it is this mechanism which allows the history of Bitcoin transactions to be considered secure.






              share|improve this answer


























              • The minimum amount of work for bitcoin mining is very low. you just have to randomly get the number right each time. The average amount of work is more important.

                – Qwertie
                Jan 24 at 4:53






              • 1





                @Qwertie thats true, and its why I added the caveat "(on average)" in several places. The lock example isn't absolutely perfect, since cutting a padlock requires a ~deterministic amount of work to be spent, whereas bitcoin mining requires a probabilistic amount of work-- but I thought the example was best kept simple. To be more accurate, the lock example could be altered to describe two different combination locks: one with a 1-number code, and one with a 3-number code. The 1-number code lock would require less work to crack, but only on average.

                – chytrik
                Jan 24 at 9:00






              • 1





                If you can squeeze in the fact that verifying PoW is relatively cheap then that would really add to your answer.

                – Abdussamad
                Jan 24 at 10:42














              17












              17








              17







              Forget PoW for a second: lets instead imagine that you have a box, and you've placed a lock on it, in order to secure it's contents.



              Now, if someone asks you how secure the contents are, then the size and type of lock is fairly important. Tying the box closed with a bit of string isn't very good security, at least compared to a heavy-duty padlock. For an attacker to get into the box and alter it's contents, they will need to work much harder to get past the padlock, compared to the string. We can use the word 'work' here in the thermodynamic sense: energy being used to perform an action. In order to break into the box, there is a minimum amount of work we would expect the assailant to have done. The minimum amount of work to break the padlock is obviously higher than the string, so we consider the padlock more secure.



              Keep that point in mind: breaking into a more secure box requires more work. You cannot fake the work, you either have the resources to cut the lock, or not.



              So lets go back to Bitcoin mining: when a miner is hashing to find a valid PoW, they are doing work by expending energy as computational cycles. The PoW function is devised such that we can expect a certain amount of work to be done (on average), in order for the miner to find a valid block. You can think of this PoW as the 'lock' that has been put on the block: in order for an attacker to alter the history of transactions, they will have to perform (on average) this same amount of work (spending energy, a real resource) in order to find a new, valid PoW and replace the block ('breaking the lock', as in our example from above).



              Thus, the history of transactions is secured by miners spending energy to create the PoW that is required for a block to be valid. More energy spent mining creates a 'more secure lock', since a malicious miner would be expected to spend an equal amount of energy in order to break it. Miners are incentivized to continue building upon old blocks, thus piling one lock on top of another lock, on top of another lock... and it is this mechanism which allows the history of Bitcoin transactions to be considered secure.






              share|improve this answer















              Forget PoW for a second: lets instead imagine that you have a box, and you've placed a lock on it, in order to secure it's contents.



              Now, if someone asks you how secure the contents are, then the size and type of lock is fairly important. Tying the box closed with a bit of string isn't very good security, at least compared to a heavy-duty padlock. For an attacker to get into the box and alter it's contents, they will need to work much harder to get past the padlock, compared to the string. We can use the word 'work' here in the thermodynamic sense: energy being used to perform an action. In order to break into the box, there is a minimum amount of work we would expect the assailant to have done. The minimum amount of work to break the padlock is obviously higher than the string, so we consider the padlock more secure.



              Keep that point in mind: breaking into a more secure box requires more work. You cannot fake the work, you either have the resources to cut the lock, or not.



              So lets go back to Bitcoin mining: when a miner is hashing to find a valid PoW, they are doing work by expending energy as computational cycles. The PoW function is devised such that we can expect a certain amount of work to be done (on average), in order for the miner to find a valid block. You can think of this PoW as the 'lock' that has been put on the block: in order for an attacker to alter the history of transactions, they will have to perform (on average) this same amount of work (spending energy, a real resource) in order to find a new, valid PoW and replace the block ('breaking the lock', as in our example from above).



              Thus, the history of transactions is secured by miners spending energy to create the PoW that is required for a block to be valid. More energy spent mining creates a 'more secure lock', since a malicious miner would be expected to spend an equal amount of energy in order to break it. Miners are incentivized to continue building upon old blocks, thus piling one lock on top of another lock, on top of another lock... and it is this mechanism which allows the history of Bitcoin transactions to be considered secure.







              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited Jan 24 at 9:13

























              answered Jan 23 at 22:01









              chytrikchytrik

              6,8222627




              6,8222627













              • The minimum amount of work for bitcoin mining is very low. you just have to randomly get the number right each time. The average amount of work is more important.

                – Qwertie
                Jan 24 at 4:53






              • 1





                @Qwertie thats true, and its why I added the caveat "(on average)" in several places. The lock example isn't absolutely perfect, since cutting a padlock requires a ~deterministic amount of work to be spent, whereas bitcoin mining requires a probabilistic amount of work-- but I thought the example was best kept simple. To be more accurate, the lock example could be altered to describe two different combination locks: one with a 1-number code, and one with a 3-number code. The 1-number code lock would require less work to crack, but only on average.

                – chytrik
                Jan 24 at 9:00






              • 1





                If you can squeeze in the fact that verifying PoW is relatively cheap then that would really add to your answer.

                – Abdussamad
                Jan 24 at 10:42



















              • The minimum amount of work for bitcoin mining is very low. you just have to randomly get the number right each time. The average amount of work is more important.

                – Qwertie
                Jan 24 at 4:53






              • 1





                @Qwertie thats true, and its why I added the caveat "(on average)" in several places. The lock example isn't absolutely perfect, since cutting a padlock requires a ~deterministic amount of work to be spent, whereas bitcoin mining requires a probabilistic amount of work-- but I thought the example was best kept simple. To be more accurate, the lock example could be altered to describe two different combination locks: one with a 1-number code, and one with a 3-number code. The 1-number code lock would require less work to crack, but only on average.

                – chytrik
                Jan 24 at 9:00






              • 1





                If you can squeeze in the fact that verifying PoW is relatively cheap then that would really add to your answer.

                – Abdussamad
                Jan 24 at 10:42

















              The minimum amount of work for bitcoin mining is very low. you just have to randomly get the number right each time. The average amount of work is more important.

              – Qwertie
              Jan 24 at 4:53





              The minimum amount of work for bitcoin mining is very low. you just have to randomly get the number right each time. The average amount of work is more important.

              – Qwertie
              Jan 24 at 4:53




              1




              1





              @Qwertie thats true, and its why I added the caveat "(on average)" in several places. The lock example isn't absolutely perfect, since cutting a padlock requires a ~deterministic amount of work to be spent, whereas bitcoin mining requires a probabilistic amount of work-- but I thought the example was best kept simple. To be more accurate, the lock example could be altered to describe two different combination locks: one with a 1-number code, and one with a 3-number code. The 1-number code lock would require less work to crack, but only on average.

              – chytrik
              Jan 24 at 9:00





              @Qwertie thats true, and its why I added the caveat "(on average)" in several places. The lock example isn't absolutely perfect, since cutting a padlock requires a ~deterministic amount of work to be spent, whereas bitcoin mining requires a probabilistic amount of work-- but I thought the example was best kept simple. To be more accurate, the lock example could be altered to describe two different combination locks: one with a 1-number code, and one with a 3-number code. The 1-number code lock would require less work to crack, but only on average.

              – chytrik
              Jan 24 at 9:00




              1




              1





              If you can squeeze in the fact that verifying PoW is relatively cheap then that would really add to your answer.

              – Abdussamad
              Jan 24 at 10:42





              If you can squeeze in the fact that verifying PoW is relatively cheap then that would really add to your answer.

              – Abdussamad
              Jan 24 at 10:42











              3














              It is because of the nature of the hashing algorithms and one-way functions in general. The amount of work to get an input that hashes below a certain value is directly related to how low that value is.



              This is because there is no known way to reverse calculate the input of SHA256 that will result in a valid hash. The work is basically the number of guesses, on average, that it will take to get a valid hash at a given difficulty. While it is true that it is random chance to get a valid hash, the probability decreases with a lower value, so more work must be done (on average). It's important to think of it in terms of probabilities and average number of attempts required.



              It inspires trust because in order to reverse the transactions, one must redo the work (or execute the same number of guesses - on average) in order for replacement blocks to be accepted in place of blocks in the existing chain. This is called a 51% attack.






              share|improve this answer




























                3














                It is because of the nature of the hashing algorithms and one-way functions in general. The amount of work to get an input that hashes below a certain value is directly related to how low that value is.



                This is because there is no known way to reverse calculate the input of SHA256 that will result in a valid hash. The work is basically the number of guesses, on average, that it will take to get a valid hash at a given difficulty. While it is true that it is random chance to get a valid hash, the probability decreases with a lower value, so more work must be done (on average). It's important to think of it in terms of probabilities and average number of attempts required.



                It inspires trust because in order to reverse the transactions, one must redo the work (or execute the same number of guesses - on average) in order for replacement blocks to be accepted in place of blocks in the existing chain. This is called a 51% attack.






                share|improve this answer


























                  3












                  3








                  3







                  It is because of the nature of the hashing algorithms and one-way functions in general. The amount of work to get an input that hashes below a certain value is directly related to how low that value is.



                  This is because there is no known way to reverse calculate the input of SHA256 that will result in a valid hash. The work is basically the number of guesses, on average, that it will take to get a valid hash at a given difficulty. While it is true that it is random chance to get a valid hash, the probability decreases with a lower value, so more work must be done (on average). It's important to think of it in terms of probabilities and average number of attempts required.



                  It inspires trust because in order to reverse the transactions, one must redo the work (or execute the same number of guesses - on average) in order for replacement blocks to be accepted in place of blocks in the existing chain. This is called a 51% attack.






                  share|improve this answer













                  It is because of the nature of the hashing algorithms and one-way functions in general. The amount of work to get an input that hashes below a certain value is directly related to how low that value is.



                  This is because there is no known way to reverse calculate the input of SHA256 that will result in a valid hash. The work is basically the number of guesses, on average, that it will take to get a valid hash at a given difficulty. While it is true that it is random chance to get a valid hash, the probability decreases with a lower value, so more work must be done (on average). It's important to think of it in terms of probabilities and average number of attempts required.



                  It inspires trust because in order to reverse the transactions, one must redo the work (or execute the same number of guesses - on average) in order for replacement blocks to be accepted in place of blocks in the existing chain. This is called a 51% attack.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Jan 23 at 21:30









                  JBaczukJBaczuk

                  4,4911321




                  4,4911321























                      0














                      It's not "a" lottery. Bitcoin transactions are considered reliable only after half a dozen or so blocks. Suppose someone wins the sixth lottery (lottery6). This results in block6, and it was built off of block5, which resulted from someone winning lottery5, and so on. Suppose you have a transaction in block1 where someone sent you some Bitcoin. If someone wanted to go back to back and insert a transaction into the blockchain where those Bitcoin instead go to someone else, they would have to go back to block0 and make an alternative block1b from that block with the new transaction. Block1b would then be in a shorter blockchain than the one where you received the Bitcoin. For that alternative transaction to be considered authoritative, at least five more blocks would have to be mined in that blockchain (five to tie the current blockchain and six to beat it), and all before any more blocks are added to the original blockchain. Not only would that take a tremendous amount of work, but miners would generally not have an incentive to work on that blockchain; if someone were to win the lottery and get block2b in the new blockchain, their mining reward wouldn't be secure until four more blocks are mined on that blockchain.



                      So a single person winning a lottery doesn't mean a transaction is secured, especially right after the block is found and hasn't propagated to all the nodes. But once a transaction is several blocks back in the blockchain, anyone who wants to nullify that transaction would have to basically either win lottery after lottery, or somehow get a majority of miners to participate in a massive conspiracy.






                      share|improve this answer






























                        0














                        It's not "a" lottery. Bitcoin transactions are considered reliable only after half a dozen or so blocks. Suppose someone wins the sixth lottery (lottery6). This results in block6, and it was built off of block5, which resulted from someone winning lottery5, and so on. Suppose you have a transaction in block1 where someone sent you some Bitcoin. If someone wanted to go back to back and insert a transaction into the blockchain where those Bitcoin instead go to someone else, they would have to go back to block0 and make an alternative block1b from that block with the new transaction. Block1b would then be in a shorter blockchain than the one where you received the Bitcoin. For that alternative transaction to be considered authoritative, at least five more blocks would have to be mined in that blockchain (five to tie the current blockchain and six to beat it), and all before any more blocks are added to the original blockchain. Not only would that take a tremendous amount of work, but miners would generally not have an incentive to work on that blockchain; if someone were to win the lottery and get block2b in the new blockchain, their mining reward wouldn't be secure until four more blocks are mined on that blockchain.



                        So a single person winning a lottery doesn't mean a transaction is secured, especially right after the block is found and hasn't propagated to all the nodes. But once a transaction is several blocks back in the blockchain, anyone who wants to nullify that transaction would have to basically either win lottery after lottery, or somehow get a majority of miners to participate in a massive conspiracy.






                        share|improve this answer




























                          0












                          0








                          0







                          It's not "a" lottery. Bitcoin transactions are considered reliable only after half a dozen or so blocks. Suppose someone wins the sixth lottery (lottery6). This results in block6, and it was built off of block5, which resulted from someone winning lottery5, and so on. Suppose you have a transaction in block1 where someone sent you some Bitcoin. If someone wanted to go back to back and insert a transaction into the blockchain where those Bitcoin instead go to someone else, they would have to go back to block0 and make an alternative block1b from that block with the new transaction. Block1b would then be in a shorter blockchain than the one where you received the Bitcoin. For that alternative transaction to be considered authoritative, at least five more blocks would have to be mined in that blockchain (five to tie the current blockchain and six to beat it), and all before any more blocks are added to the original blockchain. Not only would that take a tremendous amount of work, but miners would generally not have an incentive to work on that blockchain; if someone were to win the lottery and get block2b in the new blockchain, their mining reward wouldn't be secure until four more blocks are mined on that blockchain.



                          So a single person winning a lottery doesn't mean a transaction is secured, especially right after the block is found and hasn't propagated to all the nodes. But once a transaction is several blocks back in the blockchain, anyone who wants to nullify that transaction would have to basically either win lottery after lottery, or somehow get a majority of miners to participate in a massive conspiracy.






                          share|improve this answer















                          It's not "a" lottery. Bitcoin transactions are considered reliable only after half a dozen or so blocks. Suppose someone wins the sixth lottery (lottery6). This results in block6, and it was built off of block5, which resulted from someone winning lottery5, and so on. Suppose you have a transaction in block1 where someone sent you some Bitcoin. If someone wanted to go back to back and insert a transaction into the blockchain where those Bitcoin instead go to someone else, they would have to go back to block0 and make an alternative block1b from that block with the new transaction. Block1b would then be in a shorter blockchain than the one where you received the Bitcoin. For that alternative transaction to be considered authoritative, at least five more blocks would have to be mined in that blockchain (five to tie the current blockchain and six to beat it), and all before any more blocks are added to the original blockchain. Not only would that take a tremendous amount of work, but miners would generally not have an incentive to work on that blockchain; if someone were to win the lottery and get block2b in the new blockchain, their mining reward wouldn't be secure until four more blocks are mined on that blockchain.



                          So a single person winning a lottery doesn't mean a transaction is secured, especially right after the block is found and hasn't propagated to all the nodes. But once a transaction is several blocks back in the blockchain, anyone who wants to nullify that transaction would have to basically either win lottery after lottery, or somehow get a majority of miners to participate in a massive conspiracy.







                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          edited Jan 25 at 17:39

























                          answered Jan 25 at 17:02









                          AcccumulationAcccumulation

                          1612




                          1612






























                              draft saved

                              draft discarded




















































                              Thanks for contributing an answer to Bitcoin Stack Exchange!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid



                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.


                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function () {
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f83951%2fhow-does-proof-of-work-inspire-trust-when-the-work-is-just-guessing%23new-answer', 'question_page');
                              }
                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              Popular posts from this blog

                              Probability when a professor distributes a quiz and homework assignment to a class of n students.

                              Aardman Animations

                              Are they similar matrix