How many SHA-256 hash calculations are counted in one "hash per second"?

[ttul]

When the hashing strength of the bitcoin network is advertised, it's advertised in "GHash/s". Does this mean if the hashing strength is 600GHash/s that the network is doing 600 billion SHA-256 hash calculations per second?

Because in the Bitcoin algorithm, each trial of a particular hash requires two SHA-256 steps: the first to calculate the SHA-256 checksum of the block, and the second to calculate the SHA-256 checksum of this checksum result (i.e. a "hash of a hash").

So, when the community talks about hashes per second, is it literally SHA-256 hashes per second, or is it SHA-256 trials per second (i.e. tests against the target difficulty value)?

Thanks!

[1713433634]

1713433634

[cdhowie]

So, when the community talks about hashes per second, is it literally SHA-256 hashes per second, or is it SHA-256 trials per second (i.e. tests against the target difficulty value)?

Pretty sure it's complete trials, not individual hashes.  A more accurate term might be nonces checked per second.

[ttul]

This makes sense. So it's not really hashes per second, but trials per second or something like that. So a GPU that is rated at 600 MHash/second is actually doing 1.2 billion SHA-256 checksums per second.

[cdhowie]

This makes sense. So it's not really hashes per second, but trials per second or something like that. So a GPU that is rated at 600 MHash/second is actually doing 1.2 billion SHA-256 checksums per second.

1.2 billion SHA-256 block transformations per second, yeah.  I'm still unclear if 1Mhash is 1000 or 1024 trials.  In terms of storage, OSes measure kB/MB etc. as powers of 1024 (which is in turn 2^10) since converting can be done by simply shifting bits.  So I tend to lean that way, but I've never really checked to see which convention is used in the BTC mining world.

[Alexium]

I'm still unclear if 1Mhash is 1000 or 1024 trials. 

Should be 1000.

[mrb]

1.2 billion SHA-256 block transformations per second, yeah.

That is correct. 1 "bitcoin hash" is defined as 2 SHA-256 hashes.

I'm still unclear if 1Mhash is 1000 or 1024 trials.  In terms of storage, OSes measure kB/MB etc. as powers of 1024 (which is in turn 2^10)

When you think about it, decimal prefixes are more common that binary prefixes even in the computer industry 

[cdhowie]

When you think about it, decimal prefixes are more common that binary prefixes even in the computer industry 

That link doesn't really prove anything though.  Of course manufacturers use powers of 1000 -- they can claim that their hard drive is 300GB when it is, in fact, only 279GB as measured by pretty much every operating system.  Also, AFAICT, the article is just plain wrong when it comes to RAM modules; if the amount of RAM on a chip were not a power of 2, it just plain wouldn't work.  Such statements can only be made by people who don't know how memory is addressed.

So, sorry, but I'm still not convinced. 

[Pieter Wuille]

One "hash" as in the 600Mhash/s a graphics card does, corresponds to one sha256(sha256(block_header)). The block header is 80 bytes, which is padded to 128 bytes, and split into to 64-byte parts.

The actual algorithm (in pseudo-code) is:

Code:

doHash(block_header) {
  hasher = new SHA256();
  hasher.update(block_header[0..63]);      // update A1
  hasher.update(block_header[64..127]);  // update A2
  hash1 = hasher.getHash();
  hasher.reset();
  hasher.update(hash1);                         // update B
  hash2 = hasher.getHash();
  return hash2
}

So, when looking at the actual algorithm, there are 3 sha256 updates involved. However, since the nonce is in the second part of the block header, the state of the hasher after update A1 is precomputed once for the whole range of nonces, limiting it to only 2 updates (A2 and B).

However, there are still more optimizations involved. Each sha256 update consists of 64 rounds. In the first 3 of update A2, the nonce isn't used, so these can be precomputed as well. Furthermore, the last 2 or 3 rounds do not influence the highest bits of the resulting hash (which are used for determining whether it passed the difficulty test), so these can be skipped as well.

Bottom line: a 600MH/s device, is actually doing 600000000*120 sha256 rounds per second. This roughly corresponds to doing 1125 million separate sha256 hashes (of data blocks < 64 bytes).

And yes, M stands for 1000000 here, not 1048576.

[mrb]

That link doesn't really prove anything though. Of course manufacturers use powers of 1000 -- they can claim that their hard drive is 300GB when it is, in fact, only 279GB as measured by pretty much every operating system.  Also, AFAICT, the article is just plain wrong when it comes to RAM modules; if the amount of RAM on a chip were not a power of 2, it just plain wouldn't work.

You read incorrectly. It does not talk about RAM capacity, but RAM throughput ("A PC6400 (as in 6400 MByte/s) memory module is 6400 * 10^6 byte/s").

I challenge you to name a single item in that list that is false. You won't find any. Surprising, huh?  

[cdhowie]

You read incorrectly. It does not talk about RAM capacity, but RAM throughput ("A PC6400 (as in 6400 MByte/s) memory module is 6400 * 10^6 byte/s").

Ah, yes.  My mistake.

I challenge you to name a single item in that list that is false. You won't find any. Surprising, huh?  

As mentioned, disk storage capacity is measured one way by OSes and another by manufacturers.  So it might not be false, but it's not really true either.  More like contested.    The rest of the list does seem to lean towards decimal powers though.  Shame.

[grondilu]

2

[casascius]

1.2 billion SHA-256 block transformations per second, yeah.

That is correct. 1 "bitcoin hash" is defined as 2 SHA-256 hashes.

I don't think so.  The first hash does not change with each trial.  The nonce is the only that changes most of the time.  That only influences the last hash.  One hash is one SHA256 op the vast majority of the time.

[Jim Hyslop]

1.2 billion SHA-256 block transformations per second, yeah.

That is correct. 1 "bitcoin hash" is defined as 2 SHA-256 hashes.

I don't think so.  The first hash does not change with each trial.  The nonce is the only that changes most of the time.  That only influences the last hash.  One hash is one SHA256 op the vast majority of the time.

Have another look at the pseudo code sipa posted. You'll see that there is another hash at the end.

The first hash op, which does not change for each trial, is labeled "update A1". The second hash op, which contains the nonce, is labeled "update A2". At that point, the hash algorithm is technically finished, and you could use that result. But for some reason which I haven't yet inquired about, Satoshi added another hash of the hash, which is B in the pseudo code.

So, why did Satoshi add that extra hash at the end? Is that a standard procedure for SHA-256?

[casascius]

1.2 billion SHA-256 block transformations per second, yeah.

That is correct. 1 "bitcoin hash" is defined as 2 SHA-256 hashes.

I don't think so.  The first hash does not change with each trial.  The nonce is the only that changes most of the time.  That only influences the last hash.  One hash is one SHA256 op the vast majority of the time.

Have another look at the pseudo code sipa posted. You'll see that there is another hash at the end.

The first hash op, which does not change for each trial, is labeled "update A1". The second hash op, which contains the nonce, is labeled "update A2". At that point, the hash algorithm is technically finished, and you could use that result. But for some reason which I haven't yet inquired about, Satoshi added another hash of the hash, which is B in the pseudo code.

So, why did Satoshi add that extra hash at the end? Is that a standard procedure for SHA-256?

I RTFM'd and stand corrected.