Author

Topic: Nonce randomness (Read 2045 times)

-ck
legendary
Activity: 4088
Merit: 1631
Ruu \o/
January 16, 2016, 09:55:30 PM
#17
They don't stop any more theymos. They scour the entire range because it's cheaper to do so in ASICs and report all nonces found rather than to abort.

Oh, OK. Then it'd depend on which one is chosen in case more than one is found, which I suppose is arbitrary.
Modern ASICs return all the nonces they find. I did a distribution analysis and it was not uncommon for there to be no diff 1 solves in any of the nonces for some work, and not rare for there to be up to 8 for others.
administrator
Activity: 5222
Merit: 13032
January 16, 2016, 08:22:39 PM
#16
They don't stop any more theymos. They scour the entire range because it's cheaper to do so in ASICs and report all nonces found rather than to abort.

Oh, OK. Then it'd depend on which one is chosen in case more than one is found, which I suppose is arbitrary.
-ck
legendary
Activity: 4088
Merit: 1631
Ruu \o/
January 16, 2016, 06:11:40 PM
#15
So you are saying the nonce is pretty much a random value now when a new block is found. And if it's not truly "random" there's no way to determine a bias anyway, making it "random".

Put it this way, if you were to bet on a nonce value, would you say 1 has as good a chance as any other value < 2^32 of being the next block's nonce?

No, I think lower values would have higher probability. Even if miners go through the range very quickly, they're going to be going 0, 1, ..., 2^32, 0, 1, ..., 2^32, ... repeatedly, and the place where they stop will almost always exclude some of the higher nonce values, making lower values more likely overall.
They don't stop any more theymos. They scour the entire range because it's cheaper to do so in ASICs and report all nonces found rather than to abort.
administrator
Activity: 5222
Merit: 13032
January 16, 2016, 03:48:53 PM
#14
So you are saying the nonce is pretty much a random value now when a new block is found. And if it's not truly "random" there's no way to determine a bias anyway, making it "random".

Put it this way, if you were to bet on a nonce value, would you say 1 has as good a chance as any other value < 2^32 of being the next block's nonce?

No, I think lower values would have higher probability. Even if miners go through the range very quickly, they're going to be going 0, 1, ..., 2^32, 0, 1, ..., 2^32, ... repeatedly, and the place where they stop will almost always exclude some of the higher nonce values, making lower values more likely overall.
full member
Activity: 128
Merit: 100
January 16, 2016, 02:41:30 PM
#13
So you are saying the nonce is pretty much a random value now when a new block is found. And if it's not truly "random" there's no way to determine a bias anyway, making it "random".

Put it this way, if you were to bet on a nonce value, would you say 1 has as good a chance as any other value < 2^32 of being the next block's nonce?
-ck
legendary
Activity: 4088
Merit: 1631
Ruu \o/
January 14, 2016, 12:15:25 AM
#12
Modern mining hardware exhausts the entire 2^32 nonce range in under 1 milisecond, so there will be no clustering of nonces at the bottom any more. What's left up to the miner these days (as opposed to the fixed component chosen by the pool) is a combination of an extranonce of up to 8 more bytes and the regular nonce giving a hell of a lot more room for variability depending on how the mining hardware/software approaches it. Nonce was of historical relevance only in days where it was the only thing altered to look for a block solve or share.
sr. member
Activity: 475
Merit: 255
January 11, 2016, 09:07:07 AM
#11
It can even happen that for given block header (Merkle Root, timestamp, fixed Coinbase tx) there is NO valid* nonce anywhere in the interval (0,232-1). This means different timestamp/coinbase tx/etc. must be used.
* - Resuting in subTarget hash.

I think that in valid blocks so far, lower values of nonce are much more prevalent then higher, because miners tend to start from 0 and (have no reason not to) stop as soon as they find valid nonce.

Edit: This was true in the beginning of mining. See next post from -ck.
administrator
Activity: 5222
Merit: 13032
January 10, 2016, 11:27:27 PM
#10
I think that some (most?) miners start at 0 and go through them sequentially, so I'd guess that lower nonce values are more common in the block chain.

If you're trying to solve a block, any nonce value will have equal probability of solving it. If you can find any bias or pattern, then you've demonstrated a weakness in SHA-256.
legendary
Activity: 3808
Merit: 7912
January 10, 2016, 10:48:29 PM
#9
There is no more likelihood of the number 0 or 2^32-1 (or anything in between) being the "right nonce" as it depends upon the previous block's hash (which is effectively random).

https://en.bitcoin.it/wiki/Nonce



 I would say the hash of the previous block is constant and unalterable which is how security is built into the blockchain.  SHA256 is not a randomization function.


legendary
Activity: 3808
Merit: 7912
January 10, 2016, 10:40:11 PM
#8
So is the nonce basically a random value between 1 and 2^32? That is, is the probability that the nonce is 1 the sane that it's any other value?

Thanks

 Yes, the nonce of the successful hash has the same probability of being a "1" as it does a "4" or "231-1"...

 BUT

For the cryptographic function (with respect to Bitcoin mining):

 sha(sha(block+nonce)) < target

 The only variable for any given block is "nonce" which has a finite set of values that would yield the proper result but we can't know what they are without doing the calculation and checking the result against the target.  The nonce itself is not a random value but a specific set of values which are unknown.  The only way to find the right one is to check the function using different nonces until one of the correct values is found.

  ...so no, the nonce is not a random number.

You might however find a nonce that solves the block by randomly selecting numbers from 0 to 232-1




legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
January 10, 2016, 09:03:11 PM
#7
There is no more likelihood of the number 0 or 2^32-1 (or anything in between) being the "right nonce" as it depends upon the previous block's hash (which is effectively random).

https://en.bitcoin.it/wiki/Nonce
legendary
Activity: 1260
Merit: 1019
January 10, 2016, 10:59:49 AM
#6
Ok. So is it fair to say the nonce is purely a random number statistically between 1 and 2^32 ?
No.
In is not fair to say that the digit "4" (I like it more than yours "1") is a random number statistically between 1 and 2^32 Smiley
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
January 10, 2016, 10:39:28 AM
#5
Ok. So is it fair to say the nonce is purely a random number statistically between 1 and 2^32 ?

If you want to use the nonce as a source for entropy I wouldnt do it. IIRC there is some bias based on the ASICs used.
full member
Activity: 128
Merit: 100
January 10, 2016, 10:38:05 AM
#4
Ok. So is it fair to say the nonce is purely a random number statistically between 1 and 2^32 ?
legendary
Activity: 1260
Merit: 1019
January 10, 2016, 09:15:22 AM
#3
So is the nonce basically a random value between 1 and 2^32?
... between 0 and (232-1) to be correct
That is, is the probability that the nonce is 1 the sane that it's any other value?
There is no abstract probability. Probability where? In confirmed blocks? The answer is: no.
In your miner algorithm? Check the sources. It is possible to exclude the number "1" from the range and your program would never return "1"
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
January 10, 2016, 08:14:00 AM
#2
The nonce is used in conjunction with the other block header information to work out the hash of the block.

As the header is based upon a previous hash (which is basically random) then whether you start testing your nonce from 1 or 1,000,000 makes little difference (all that matters is your resultant hash and whether or not it passes the difficulty requirement).

So you just keep on incrementing (or decrementing or randomly choosing) your nonce and re-trying the hash algo to match the current difficulty requirement.

For pools I think that each hasher starts with a different initial nonce value (to avoid any repeated work) but I haven't looked into that stuff for quite a long time.
full member
Activity: 128
Merit: 100
January 10, 2016, 08:05:26 AM
#1
So is the nonce basically a random value between 1 and 2^32? That is, is the probability that the nonce is 1 the sane that it's any other value?

Thanks
Jump to: