Bitcoin Forum
November 05, 2024, 11:28:33 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Nonce randomness  (Read 2042 times)
auswalk (OP)
Full Member
***
Offline Offline

Activity: 128
Merit: 100


View Profile
January 10, 2016, 01:05:26 PM
 #1

So is the nonce basically a random value between 1 and 2^32? That is, is the probability that the nonce is 1 the sane that it's any other value?

Thanks
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
January 10, 2016, 01:14:00 PM
 #2

The nonce is used in conjunction with the other block header information to work out the hash of the block.

As the header is based upon a previous hash (which is basically random) then whether you start testing your nonce from 1 or 1,000,000 makes little difference (all that matters is your resultant hash and whether or not it passes the difficulty requirement).

So you just keep on incrementing (or decrementing or randomly choosing) your nonce and re-trying the hash algo to match the current difficulty requirement.

For pools I think that each hasher starts with a different initial nonce value (to avoid any repeated work) but I haven't looked into that stuff for quite a long time.

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
amaclin
Legendary
*
Offline Offline

Activity: 1260
Merit: 1019


View Profile
January 10, 2016, 02:15:22 PM
 #3

So is the nonce basically a random value between 1 and 2^32?
... between 0 and (232-1) to be correct
That is, is the probability that the nonce is 1 the sane that it's any other value?
There is no abstract probability. Probability where? In confirmed blocks? The answer is: no.
In your miner algorithm? Check the sources. It is possible to exclude the number "1" from the range and your program would never return "1"
auswalk (OP)
Full Member
***
Offline Offline

Activity: 128
Merit: 100


View Profile
January 10, 2016, 03:38:05 PM
 #4

Ok. So is it fair to say the nonce is purely a random number statistically between 1 and 2^32 ?
shorena
Copper Member
Legendary
*
Offline Offline

Activity: 1498
Merit: 1540


No I dont escrow anymore.


View Profile
January 10, 2016, 03:39:28 PM
 #5

Ok. So is it fair to say the nonce is purely a random number statistically between 1 and 2^32 ?

If you want to use the nonce as a source for entropy I wouldnt do it. IIRC there is some bias based on the ASICs used.

Im not really here, its just your imagination.
amaclin
Legendary
*
Offline Offline

Activity: 1260
Merit: 1019


View Profile
January 10, 2016, 03:59:49 PM
 #6

Ok. So is it fair to say the nonce is purely a random number statistically between 1 and 2^32 ?
No.
In is not fair to say that the digit "4" (I like it more than yours "1") is a random number statistically between 1 and 2^32 Smiley
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
January 11, 2016, 02:03:11 AM
 #7

There is no more likelihood of the number 0 or 2^32-1 (or anything in between) being the "right nonce" as it depends upon the previous block's hash (which is effectively random).

https://en.bitcoin.it/wiki/Nonce

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
xhomerx10
Legendary
*
Offline Offline

Activity: 4018
Merit: 8842



View Profile
January 11, 2016, 03:40:11 AM
 #8

So is the nonce basically a random value between 1 and 2^32? That is, is the probability that the nonce is 1 the sane that it's any other value?

Thanks

 Yes, the nonce of the successful hash has the same probability of being a "1" as it does a "4" or "231-1"...

 BUT

For the cryptographic function (with respect to Bitcoin mining):

 sha(sha(block+nonce)) < target

 The only variable for any given block is "nonce" which has a finite set of values that would yield the proper result but we can't know what they are without doing the calculation and checking the result against the target.  The nonce itself is not a random value but a specific set of values which are unknown.  The only way to find the right one is to check the function using different nonces until one of the correct values is found.

  ...so no, the nonce is not a random number.

You might however find a nonce that solves the block by randomly selecting numbers from 0 to 232-1




xhomerx10
Legendary
*
Offline Offline

Activity: 4018
Merit: 8842



View Profile
January 11, 2016, 03:48:29 AM
 #9

There is no more likelihood of the number 0 or 2^32-1 (or anything in between) being the "right nonce" as it depends upon the previous block's hash (which is effectively random).

https://en.bitcoin.it/wiki/Nonce



 I would say the hash of the previous block is constant and unalterable which is how security is built into the blockchain.  SHA256 is not a randomization function.


theymos
Administrator
Legendary
*
Offline Offline

Activity: 5376
Merit: 13372


View Profile
January 11, 2016, 04:27:27 AM
 #10

I think that some (most?) miners start at 0 and go through them sequentially, so I'd guess that lower nonce values are more common in the block chain.

If you're trying to solve a block, any nonce value will have equal probability of solving it. If you can find any bias or pattern, then you've demonstrated a weakness in SHA-256.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
ZephramC
Sr. Member
****
Offline Offline

Activity: 475
Merit: 255



View Profile
January 11, 2016, 02:07:07 PM
Last edit: January 15, 2016, 03:22:36 PM by ZephramC
 #11

It can even happen that for given block header (Merkle Root, timestamp, fixed Coinbase tx) there is NO valid* nonce anywhere in the interval (0,232-1). This means different timestamp/coinbase tx/etc. must be used.
* - Resuting in subTarget hash.

I think that in valid blocks so far, lower values of nonce are much more prevalent then higher, because miners tend to start from 0 and (have no reason not to) stop as soon as they find valid nonce.

Edit: This was true in the beginning of mining. See next post from -ck.
-ck
Legendary
*
Offline Offline

Activity: 4284
Merit: 1645


Ruu \o/


View Profile WWW
January 14, 2016, 05:15:25 AM
 #12

Modern mining hardware exhausts the entire 2^32 nonce range in under 1 milisecond, so there will be no clustering of nonces at the bottom any more. What's left up to the miner these days (as opposed to the fixed component chosen by the pool) is a combination of an extranonce of up to 8 more bytes and the regular nonce giving a hell of a lot more room for variability depending on how the mining hardware/software approaches it. Nonce was of historical relevance only in days where it was the only thing altered to look for a block solve or share.

Developer/maintainer for cgminer, ckpool/ckproxy, and the -ck kernel
2% Fee Solo mining at solo.ckpool.org
-ck
auswalk (OP)
Full Member
***
Offline Offline

Activity: 128
Merit: 100


View Profile
January 16, 2016, 07:41:30 PM
 #13

So you are saying the nonce is pretty much a random value now when a new block is found. And if it's not truly "random" there's no way to determine a bias anyway, making it "random".

Put it this way, if you were to bet on a nonce value, would you say 1 has as good a chance as any other value < 2^32 of being the next block's nonce?
theymos
Administrator
Legendary
*
Offline Offline

Activity: 5376
Merit: 13372


View Profile
January 16, 2016, 08:48:53 PM
 #14

So you are saying the nonce is pretty much a random value now when a new block is found. And if it's not truly "random" there's no way to determine a bias anyway, making it "random".

Put it this way, if you were to bet on a nonce value, would you say 1 has as good a chance as any other value < 2^32 of being the next block's nonce?

No, I think lower values would have higher probability. Even if miners go through the range very quickly, they're going to be going 0, 1, ..., 2^32, 0, 1, ..., 2^32, ... repeatedly, and the place where they stop will almost always exclude some of the higher nonce values, making lower values more likely overall.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
-ck
Legendary
*
Offline Offline

Activity: 4284
Merit: 1645


Ruu \o/


View Profile WWW
January 16, 2016, 11:11:40 PM
 #15

So you are saying the nonce is pretty much a random value now when a new block is found. And if it's not truly "random" there's no way to determine a bias anyway, making it "random".

Put it this way, if you were to bet on a nonce value, would you say 1 has as good a chance as any other value < 2^32 of being the next block's nonce?

No, I think lower values would have higher probability. Even if miners go through the range very quickly, they're going to be going 0, 1, ..., 2^32, 0, 1, ..., 2^32, ... repeatedly, and the place where they stop will almost always exclude some of the higher nonce values, making lower values more likely overall.
They don't stop any more theymos. They scour the entire range because it's cheaper to do so in ASICs and report all nonces found rather than to abort.

Developer/maintainer for cgminer, ckpool/ckproxy, and the -ck kernel
2% Fee Solo mining at solo.ckpool.org
-ck
theymos
Administrator
Legendary
*
Offline Offline

Activity: 5376
Merit: 13372


View Profile
January 17, 2016, 01:22:39 AM
 #16

They don't stop any more theymos. They scour the entire range because it's cheaper to do so in ASICs and report all nonces found rather than to abort.

Oh, OK. Then it'd depend on which one is chosen in case more than one is found, which I suppose is arbitrary.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
-ck
Legendary
*
Offline Offline

Activity: 4284
Merit: 1645


Ruu \o/


View Profile WWW
January 17, 2016, 02:55:30 AM
 #17

They don't stop any more theymos. They scour the entire range because it's cheaper to do so in ASICs and report all nonces found rather than to abort.

Oh, OK. Then it'd depend on which one is chosen in case more than one is found, which I suppose is arbitrary.
Modern ASICs return all the nonces they find. I did a distribution analysis and it was not uncommon for there to be no diff 1 solves in any of the nonces for some work, and not rare for there to be up to 8 for others.

Developer/maintainer for cgminer, ckpool/ckproxy, and the -ck kernel
2% Fee Solo mining at solo.ckpool.org
-ck
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!