It is one of the most interesting platforms to develop smart contracts as it combines Bitcoin's network security with the ease of use of Solidity. To power its system, Rootstock uses merged mining. Wondering what merged mining is all about? Let's get started!
Brief Overview of Proof-of-Work
Let’s quickly summarize proof-of-work (POW) before going any further.
- The miners solve cryptographic puzzles to “mine” a block in order to add to the blockchain.
- This process requires an immense amount of energy and computational usage. The puzzles have been designed in a way that makes it hard and taxing on the system.
- When a miner solves the puzzle, they present their block to the network for verification.
Mining in Bitcoin’s ecosystem is a tough process. This is why miners pool their resources and hashrate together to create “mining pools.” Mining pools follow the client-server architecture where the miners (the clients) connect to the poolserver (the server). The poolserver runs one of several mining pool server software packages. Some common ones are CKpool, BTCpool, and Eloipool.
If you want to gain a more in-depth look into POW then check out this guide. For now, let’s get deeper into merged mining.
What is Merged Mining?
Merged mining is a mechanism that allows different cryptocurrencies that use the same algorithm to be mined together. So, in this case, since both Bitcoin and RSK are based on the SHA-256 algorithm, they can be mined together via merged mining. The two biggest advantages of merged mining are:
- Greatly reducing the investment costs for miners since they won’t need to buy brand new equipment.
- Cryptocurrencies with lower hashrate can gain additional hashing power by piggybacking off a cryptocurrency with higher hashrate.
- Miners can also earn extra rewards by maintaining the secondary chain.
Namecoin was the first cryptocurrency to merge-mine with Bitcoin. Let’s see an overview of how the merge-mining process works:
- The block id from the secondary blockchain is embedded in the block of the primary blockchain. This block id is the cryptographic hash of a block in the secondary chain.
- This secondary block hash is prefixed by a merge-mining “tag.” This tag can be some short descriptive text or magic bytes.
- To avoid confusion, a block in the primary chain cannot be associated with more than one block of the secondary chain.
- To ensure the overall security of merged mining, it must be more difficult to create a primary-blockchain block that can be associated with two blocks from the same secondary blockchain than to mine two different primary-blockchain blocks, one for each association, at the difficulty of the secondary blockchain.
In the RSK-Bitcoin case, the RSK block difficulty compares to 70-bit security, while Bitcoin difficulty compares to 74 bits.
Bitcoin mining pools usually include a reference to RSK’s block in every mining job they deliver to the miners. Every time the miners find a solution, it is compared to both the Bitcoin and RSK difficulties. Following that, there are three possible outcomes:
- The solution satisfies Bitcoin network difficulty. The block is assembled and sent to the network. The Bitcoin network will also propagate RSK’s merged mining reference. Since the RSK difficulty is lower than Bitcoin, this solution will work for RSK.
- The solution satisfies RSK but not Bitcoin. The solution will be submitted to the RSK network and not to the Bitcoin network.
- The solution doesn’t satisfy any of the difficulty requirements.
Whatever the case, the solution that is finally submitted to RSK allows the node to build an SPV proof. If the proof is valid, it is included as part of the block that will be sent to the network.
Looking deeper into Merged Mining
A bitcoin header works like a POW proxy in merged mining. The RSK blockchain interprets the POW of the Bitcoin block header. It searches for the tag within the block to know which RSK chain block is supposed to be linked to it. Also, keep in mind that the RSK blockchain doesn’t need a full Bitcoin block to validate the POW of the Bitcoin header and associate it with the corresponding RSK header. A simple SPV proof will be enough to establish this relationship. We will explore SPV proofs more in a bit. For now, let’s get a better understanding of the RSK tag.
The current format of the RSK tag is: RSKBLOCK:RskBlockHeaderHash
- “RSKBLOCK:” is an ASCII string consisting of the bytes: 52 53 4b 42 4c 4f 43 4b 3a.
- RskBlockHeaderHash is the Keccak hash digest of the RSK Block header in binary format, without the merged mining fields, which are filled after the PoW is solved.
While not mandatory, an RSK tag should be included after the OP_RETURN OP_PUSHDATA1 opcodes in an output script. This helps prevent spamming the Bitcoin UTXO.
The RskBlockHeaderHash is created by the standard RSK node (rskj daemon). The poolserver plugin polls the rskj daemon and maintains the latest RskBlockHeaderHash value to provide to the poolserver.
Along with these, the following additional restrictions may apply:
- The number of bytes following the RskBlockHeaderHash, up to the end of the coinbase transaction, must be lower than or equal to 128 bytes.
- The binary string “RSKBLOCK:” (52 53 4b 42 4c 4f 43 4b 3a) must not be included in the trailing raw bytes.
- If the RSK tag is located in a non-last output script, then there may be some chance of it appearing in the bytes of the next output. This is why it is highly recommended to use the last output script for the RSK tag.
- If the RSK tag is located in the coinbase field, then there is a chance that “RSKBLOCK:” may appear in the coinbase field.
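The tag format and the trailing-byte restrictions above can be checked mechanically. The following is an added example, not code from rskj or from the original article; it assumes the digest field after the tag is 32 bytes long and uses the first occurrence of the tag, and the sample bytes are constructed.

```python
TAG = b"RSKBLOCK:"      # 52 53 4b 42 4c 4f 43 4b 3a
HASH_LEN = 32           # assumption: 32-byte Keccak digest field
MAX_TRAILING = 128      # limit on bytes after the hash, from the list above


class TagError(ValueError):
    """Raised when coinbase bytes violate one of the tag restrictions."""


def extract_rsk_tag(coinbase_tx):
    """Return RskBlockHeaderHash from raw coinbase transaction bytes."""
    pos = coinbase_tx.find(TAG)
    if pos < 0:
        raise TagError("no RSKBLOCK: tag present")
    start = pos + len(TAG)
    digest = coinbase_tx[start:start + HASH_LEN]
    if len(digest) != HASH_LEN:
        raise TagError("truncated RskBlockHeaderHash")
    trailing = coinbase_tx[start + HASH_LEN:]
    if len(trailing) > MAX_TRAILING:
        raise TagError("%d trailing bytes, limit is %d"
                       % (len(trailing), MAX_TRAILING))
    if TAG in trailing:
        # A second tag would let one Bitcoin block point at two RSK blocks.
        raise TagError("RSKBLOCK: appears again in the trailing bytes")
    return digest


def sample_coinbase(digest, trailing=b"\x00" * 4):
    """Constructed bytes shaped like the end of a coinbase transaction:
    filler, OP_RETURN (0x6a), OP_PUSHDATA1 (0x4c), length, tag, trailing."""
    script = b"\x6a\x4c" + bytes([len(TAG) + HASH_LEN]) + TAG + digest
    return b"\x01" * 60 + script + trailing


if __name__ == "__main__":
    digest = bytes(range(32))                       # constructed digest
    print(extract_rsk_tag(sample_coinbase(digest)).hex())
    try:
        extract_rsk_tag(sample_coinbase(digest, b"\x00" * 129))
    except TagError as err:
        print("rejected:", err)
```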
What are SPV proofs?
As mentioned above, the association between the secondary RSK blockchain and the primary Bitcoin blockchain can be established by an SPV proof. An SPV proof mainly consists of Merkle tree membership proofs.
The blue boxes represent the information that is included in the SPV proof and transmitted along the RSK block. Because of the restrictions on the trailing bytes, the RSK full node creates a compressed version of the SPV proof, which consists of:
- The Bitcoin block header (80 bytes).
- A Merkle Branch to the Coinbase transaction (approximately 320 bytes).
- A mid-state of SHA-256 consuming the head of the coinbase transaction (32 bytes).
- A 64-byte aligned chunk consisting of the tail of the coinbase transaction and the RSK tag (max 169 bytes).
- Presently, the maximum size of an SPV merge-mining proof is 780 bytes.
The poolserver software can send to the rskj daemon the full block or this SPV proof. If rskj receives a block, it will parse it and extract the necessary fields to build the SPV proof.
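The Merkle branch part of the proof can be verified as follows. This is an added example, not rskj code: it takes the coinbase transaction id directly instead of recomputing it from the SHA-256 mid-state and tail, and the transaction ids and header are constructed.

```python
import hashlib


def dsha256(data):
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def fold_branch(leaf, branch, index=0):
    """Hash a leaf up to the Merkle root. `index` is the leaf position; the
    coinbase is transaction 0, so it is the left operand at every level."""
    node = leaf
    for sibling in branch:
        node = dsha256(sibling + node) if index & 1 else dsha256(node + sibling)
        index >>= 1
    return node


def coinbase_in_header(header, coinbase_txid, branch):
    """True if the branch links the coinbase to the header's Merkle root."""
    if len(header) != 80 or any(len(s) != 32 for s in branch):
        return False
    return fold_branch(coinbase_txid, branch) == header[36:68]


def build_branch(txids):
    """Prover side: return (root, branch for leaf 0) for a list of txids."""
    level, branch = list(txids), []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # Bitcoin duplicates the last node
        branch.append(level[1])
        level = [dsha256(level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0], branch


def sample_header(root):
    """Constructed 80-byte header: version, prev hash, root, time/bits/nonce."""
    return bytes(4) + bytes(32) + root + bytes(12)


# Constructed sample: five fake txids, the first standing in for the coinbase.
TXIDS = [dsha256(bytes([i])) for i in range(5)]
ROOT, BRANCH = build_branch(TXIDS)
HEADER = sample_header(ROOT)
```

The verifier needs only the 80-byte header and one 32-byte sibling per tree level, which is why the full Bitcoin block is not required.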
Merged Mining Difficulty
Before going further, let’s understand what difficulty means and why this concept was introduced in the first place. Bitcoin, as you may know, has a hard cap of 21 million coins. As more miners entered the space, it needed to do something to prevent them from pumping all the coins out into the ecosystem.
To prevent the supply of bitcoins from going out of hand and to make it a more sustainable model, Satoshi Nakamoto integrated a difficulty mechanism. As more and more blocks get mined, the difficulty of the cryptographic puzzles increases exponentially. Basically, the more bitcoins you mine out, the more difficult the process of mining becomes.
Now that you know what it means, consider this: the difficulty of the RSK chain is much lower than the difficulty of Bitcoin. Internally, the difficulty is translated into a “target,” which is inversely proportional to the difficulty. The target is a 256-bit unsigned integer.
Approximate targets for merged mined blockchain, on the same day. RSK has a higher target because blocks are 20 times more frequent.
This is the reason why a block header that solves the RSK POW puzzle may not be accepted by the Bitcoin network, since it may not satisfy its difficulty. So, the question to ask here is, how can a mining pool detect an RSK block if they are always looking out for a Bitcoin block? Well, it turns out that the miners are always looking to solve blocks at lower difficulty anyway. These intermediate, low difficulty blocks are called “shares” and are required by the poolserver for accounting. Many miners in the pools will actively create more shares between real solutions to provide higher granularity when accounting for miners’ contributions.
Here are some more things to keep in mind about shares:
- The shares are transmitted to the poolserver pretty regularly. The server can accordingly split future earnings between the involved miners, depending upon their hashing contribution.
- The difficulty of the Bitcoin blocks can sometimes drop, depending on the overall hashing power of the system. This is why a share is transmitted within the system because it may be the solution to the current Bitcoin POW puzzle.
- If the share’s hash digest is lower than Bitcoin’s current target, then it gets forwarded to the bitcoind daemon, which spreads it over the network.
- Different secondary blockchains may have different difficulties. This is why a merged mined capable poolserver must compare the target of the share to all the targets of the secondary blockchains that it supports. So if the share satisfies RSK’s target then the corresponding block is deemed valid to the RSK network.
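The comparison a merged-mining poolserver makes for each share, covering the three outcomes listed earlier, can be sketched like this. It is an added example, not code from any pool software: the destination names are plain labels, the RSK target is assumed to be supplied as an integer, and the sample header is constructed.

```python
import hashlib


def bits_to_target(bits):
    """Expand Bitcoin's compact nBits field into the 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def share_hash(header):
    """Double SHA-256 of the 80-byte header, read as a little-endian integer."""
    if len(header) != 80:
        raise ValueError("Bitcoin header must be 80 bytes")
    digest = hashlib.sha256(hashlib.sha256(header).digest()).digest()
    return int.from_bytes(digest, "little")


def route_share(header, btc_target, rsk_target):
    """Return the daemons this share must be forwarded to.

    Each chain is tested on its own, so further secondary chains could be
    added as extra (name, target) comparisons.
    """
    value = share_hash(header)
    destinations = []
    if value <= btc_target:
        destinations.append("bitcoind")   # satisfies Bitcoin difficulty
    if value <= rsk_target:
        destinations.append("rskj")       # satisfies RSK difficulty
    return destinations                   # empty list: accounting only


# Constructed sample: an all-zero body with version 1, not a real block.
SAMPLE_HEADER = bytes.fromhex("01000000") + bytes(76)

if __name__ == "__main__":
    btc = bits_to_target(0x1D00FFFF)      # Bitcoin's easiest target
    rsk = btc << 4                        # constructed: 16x easier than btc
    print(route_share(SAMPLE_HEADER, btc, rsk))
```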
RSK Merged Mining Security
A rational miner in RSK’s merged mining mechanism will need to conduct only 2^69 operations (the current difficulty of RSK). An irrational attacker will need to compute as much as 2^80 hash operations in less than 30 seconds to inflict any sort of damage to the system. In order to conduct this attack, this irrational attacker will have to invest in 2000 times more hardware than the rational miner. The investment would amount to around five trillion dollars.
However, there is one more thing to consider here. The attacker can only produce one or more blocks that share the POW for the same RSK block height. If that’s the case, then it’s just a waste of 5 trillion dollars at the end of the day.
Hypothetical SHA256 vulnerability
RSK uses a non-standard cryptographic trick to compress the generation transaction. RSK only transmits the tail instead of the full transaction by hashing from the midstate of the Merkle–Damgård construction. However, this trick assumes the SHA256 algorithm to be completely resistant to “freestart collision.” According to RSK’s setup, the SHA256 needs to be at least as secure as brute-forcing 80 bits.
No freestart collision has been found in SHA256, and the best results correspond to finding semi-free-start collisions in a reduced-round version of SHA256 (38 of the 64 rounds, at the cost of 2^65 operations).
So far, the algorithm has been deemed safe for use. However, if such an attack is discovered, RSK can be protected by a network upgrade. In that case, RSK will not use the cryptographic compression trick. This will, however, lead to a small increase in block size.
NOTE: If SHA256 does suffer from a free-start collision attack, it would render it completely useless. This will be extremely problematic for Bitcoin as well.
Also, RSK’s 1.0.0 release provides 80-bit security against possible tag collisions. An 80-bit collision attack is theoretically, economically and computationally irrational.
- Computational POV: An attack of this magnitude will need an unrealistic amount of memory. Also, the CPU cost of the collision attack is more than 2000 times higher than the cost of solving the RSK PoW puzzle (69 vs. 80 bits).
- Theoretical POV: Under RSK’s DECOR+ consensus, the colliding blocks would share the block reward, so there is no benefit in finding new siblings of past blocks if the past block reward is approximately equal to the reward of a new block. What this essentially means is that the attacker would be mainly competing with themselves.
- Economic POV: An honest merged miner earns Bitcoin transaction fees, so merged mining is subsidized by Bitcoin. An attacker, on the other hand, will have to pay the full cost of the collision attack. This means that any attack on the POW linkage is not cost-efficient.
According to RSK, “We think the tag is secure for the next 20 years, even considering a breakthrough in computing efficiency. However, if computing trends radically change, a future network upgrade could easily expand the size of the hash to the full 32 bytes.”
RSK is the most profitable option for merged mining on Bitcoin. The RSK team has developed several fully working plugins for several pool implementations such as CoiniumServ, CKpool, BTCpool, and Eloipool. Other pools have implemented their own plugins. They personally recommend CKpool over other mining pool software as it is appropriately optimized. If you are a mining pool that wants to get started, just follow the instructions on the RSK merged mining section.