The Alto was a revolutionary computer designed at Xerox PARC in 1973 to investigate personal computing. It introduced high-resolution bitmapped displays, the GUI, Ethernet and laser printers to the world, among other things. In the photo above, the Alto computer is in the lower cabinet. The black box is the 2.5 megabyte disk drive. The Alto's unusual portrait display and an early optical mouse are on top.
How Bitcoin mining works
Bitcoin, a digital currency that can be transmitted across the Internet, has attracted a lot of attention lately. The Bitcoin system can be thought of as a ledger that keeps track of who owns which bitcoins, and allows them to be transferred from one person to another. The revolutionary feature of Bitcoin is there's no central machine or authority keeping track of things. Instead, the "blockchain" is stored across thousands of machines on the Internet, and the system works with nobody in charge.
To ensure everyone agrees on which transactions are valid, Bitcoin uses a process called mining—about every 10 minutes a block of outstanding transactions is mined, which makes the block "official". Bitcoin mining is designed to take an insanely huge amount of computational effort to mine a block, so nobody can take over the mining process. Miners compete against each other, generating trillions and trillions of "hashes" until someone finds a lucky one that succeeds in mining a block. It's hard to visualize just how difficult the hashing process is: finding a valid hash is less likely than finding a single grain of sand out of all the sand on Earth.
Bitcoin mining is based on cryptography, with a "hash function" that converts a block into an essentially random hash value. If the hash starts with 17 zeros,1 the block is successfully mined and is sent into the Bitcoin network. Most of the time the hash isn't successful, so the miner will modify the block slightly and try again, over and over billions of times. About every 10 minutes someone will successfully mine a block, and the process starts over. It's kind of like a lottery, where miners keep trying until someone "wins".
As a side-effect, mining adds new bitcoins to the system. For each block mined, miners currently get 12.5 new bitcoins (currently worth about $30,000) as well as fees, which encourages miners to do the hard work of mining blocks. With the possibility of receiving $30,000 every 10 minutes, miners invest in datacenters full of specialized mining hardware using huge amounts of electricity2.
The diagram above shows what actually goes into a block that is mined. The yellow part is the block header (which gets hashed), and it is followed by the transactions that go into the block. Each block contains the hash of the previous block, causing all the blocks to be linked together forming the blockchain. You can see that for the block above, the hash is successful because it starts with lots of zeros: 0000000000000000e067a478024addfecdc93628978aa52d91fabd4292982a50. The "Merkle root" is a hash of all the transactions that go into the block; this ensures that none of the mined transactions can be changed. The nonce is an arbitrary number; each attempt at mining the block changes the nonce.
To summarize the mining process: you collect new Bitcoin transactions and create a header (as in the diagram above). You do the cryptographic hash of the block. If by some incredible chance the result starts with 17 zeros you send the block into the Bitcoin network and "win" $30,000 in bitcoin. Otherwise, you change the nonce and try again. Probably none of the nonce values will work, so you change something else in the header and start over. If someone else succeeds in mining the block, you start over with the new previous block hash and new transactions.
I've simplified a lot of details above. For in-depth information on Bitcoin and mining, see my articles Bitcoins the hard way and Bitcoin mining the hard way.
The SHA-256 hash algorithm used by Bitcoin
Next, I'll discuss the hash function used in Bitcoin, which is based on a standard cryptographic hash function called SHA-256.3 The SHA-256 algorithm is so simple you can literally do it by hand, but it manages to scramble the data entirely unpredictably. The SHA-256 hash algorithm takes input blocks of 512 bits (i.e. 64 bytes), combines the data cryptographically, and generates a 256-bit (32 byte) output.
The SHA-256 algorithm consists of a simple round repeated 64 times. The diagram below shows one round, which takes eight 4-byte inputs, A through H, performs a few operations, and generates new values for A through H. As can be seen from the diagram above, only A and E are changed in a round, while the others are just shifted over. Even so, after 64 rounds the input data will be completely scrambled, generating the unpredictable hash output.
The SHA-256 algorithm is pretty simple, about a page of pseudocode and can be easily implemented on a computer, even one as old as the Alto, using simple arithmetic and logic operations.5
The dark blue boxes mix up the values in non-linear ways that are hard to analyze cryptographically. (If you could figure out a mathematical shortcut to generate successful hashes, you could take over Bitcoin mining.) The Ch "choose" box chooses bits from F or G, based on the value of input E. The Σ "sum" boxes rotate the bits of A (or E) to form three rotated versions, and then sum them together. The Ma "majority" box looks at the bits in each position of A, B, and C, and selects 0 or 1, whichever value is in the majority. The red boxes perform 32-bit addition, generating new values for A and E. The input data enters the algorithm through the Wt values. The Kt values are constants defined for each round.4
Implementing SHA-256 in BCPL
I implemented SHA-256 in BCPL, a programming language that was a precursor to C. It's a lot like C with syntax changes, except the only type is 16-bit words. My SHA-256 code is in sha256.bcpl. The snippet below (the choose function) will give you an idea of what BCPL looks like. Each value is two words; BCPL does array access with !1 instead of [1]. Like C++, comments are indicated with a double slash. Unlike C, BCPL uses words for xor and not.
// ch := (e and f) xor ((not e) and g) ch!0 = (e!0 & f!0) xor ((not e!0) & g!0) ch!1 = (e!1 & f!1) xor ((not e!1) & g!1)
The mining is done in bitcoin.bcpl: it creates a Bitcoin header (from hardcoded values), substitutes the nonce, and calls the SHA-256 code to hash the header twice. One interesting feature of the code is the structure definition for the Bitcoin header in BCPL (below), similar to a C struct. It defines a two word field for version, 16 words for prevHash, and so forth; compare with the Bitcoin structure diagram earlier.
Interestingly, ^1,16 indicates an array with indices from 1 to 16 inclusive.
BCPL is not 0-indexed or 1-indexed, but lets you start array indices at arbitrary values.7
structure HEADER: [ version^1,2 word prevHash^1,16 word merkleRoot^1,16 word timestamp^1,2 word bits^1,2 word nonce^1,2 word ]
The line shows how structures are accessed in BCPL; it initializes one word of the header, using the slightly strange BCPL syntax.
>>HEADER sort of casts the header variable to the HEADER structure described earlier. Then .prevhash^1 accesses the first word of the prevhash field.
Also note that #13627 is an octal value; BCPL inconveniently doesn't include hex constants.6
header>>HEADER.prevHash^1 = #13627
The screenshot below shows the output as the program runs. The number on the left is each nonce in sequence as it is tested. The long hex number on the right is the resulting hash value. Each nonce results in a totally different hash value, due to the cryptographic hash algorithm.
Performance
The Alto can hash about 1.5 blocks per second, which is exceedingly slow by Bitcoin standards. At this speed, mining a single block on the Alto would take about 5000 times the age of the universe The electricity would cost about 2x10^16 dollars. And you'd get 12.5 bitcoins (₿12.5) worth about $30,000. Obviously, mining Bitcoin on a Xerox Alto isn't a profitable venture.
In comparison, a USB stick miner performs 3.6 billion hashes per second. The Alto cost about $12,000 to manufacture in 1973 (about $60,000 in current dollars), while the stick miner costs $200. The Alto used hundreds of watts, while the stick minter uses about 4 watts. The enormous difference in performance is due to huge increase in computer speed since the 1970s described by Moore's law as well as the giant speed gain from custom Bitcoin mining hardware.
The Alto wasn't a particularly fast machine, performing about 400,000 instructions per second. The Alto's instruction set lacks many of the operations you'd find on a modern processor. For instance, the SHA-256 algorithm makes heavy use of Boolean operations including exclusive-OR and OR. These are pretty basic instructions that you'd find on even something as primitive as the 6502, but the Alto doesn't have them. Instead, these operations are implemented with an inefficient subroutine call that does a sequence of operations with the same effect.
In addition, SHA-256 heavily uses bit shift and rotate operations. Modern processors typically have a "barrel shifter" that lets you shift by as many bits as you want in one step. The Alto's shift instructions, on the other hand, only shift a single bit. Thus, to shift by, say 10 bits, the Alto code calls a subroutine that performs 10 separate shift instructions. The result is a shift operation is much slower than you might expect.
You can see the Alto's arithmetic-logic board below. The Alto didn't use a microprocessor but instead built a CPU from simple TTL chips. You can see that even providing single-bit shifts required 8 separate chips—it's not surprising that the Alto doesn't do more complex shift operations.
I should point out that I'm not trying to write the best possible mining code for the Alto, and there are plenty of optimizations that one could do.8 For instance, writing the code in microcode would speed it up considerably, but Alto microcode is very hard to understand, let along write. My blog post on generating the Mandelbrot set on the Alto discussed Alto performance optimizations in detail, so I won't say more about optimization here.
Conclusion
The screenshot below shows a successful hash, ending in a bunch of zeros9. (I also display an image to show off the Alto's high-resolution bitmapped display.) Since the Alto would take well beyond the lifetime of the universe to find a successful hash, you might wonder how I found this. For this demonstration I simply used as input a block that had been successfully mined in the past, specifically block #286819. Thus, the algorithm succeeded quickly, but since it was an old block, I didn't make any money off it.
My code is on github if you want to look at BCPL code or try it out.
Notes and references
- 
At current difficulty, about 1 in 3x10^21 hashes will be successful at mining a block; a valid hash must start with approximately 17 zeros. The mining difficulty changes periodically to keep the time between blocks at approximately 10 minutes. As mining hardware gets faster, the difficulty factor is automatically updated to make mining more difficult so miners can never really catch up. ↩ 
- 
A while back I estimated that Bitcoin mining uses about as much electricity as the entire country of Cambodia. One paper puts mining's energy consumption comparable to Ireland's electricity usage. ↩ 
- 
Bitcoin uses "double SHA-256" which simply consists of applying the SHA-256 function twice. ↩ 
- 
The K constants used in the SHA-256 algorithm are provided by the NSA. You might worry that the NSA cleverly designed these constants to provide a backdoor. However, to prove that these are just arbitrary random constants, the NSA simply used the cube roots of the first 64 primes. ↩ 
- 
While SHA-256 is easy to implement, that's not the case for all the cryptography used by Bitcoin. To create a Bitcoin transaction, the transaction must be signed with elliptic curve cryptography. This requires 256-bit modular arithmetic, which is about as hard as it sounds. Even a simple implementation is 1000 lines of C. I decided that porting this to BCPL was too much effort for me. ↩ 
- 
I wrote a simple Python script to convert the many 32-bit hexadecimal constants used by SHA-256 to 16-bit octal constants. It's a good thing that hex has almost entirely replaced octal, as it is much better. ↩ 
- 
Some people claim that BCPL arrays are 0-based. However, arrays in BCPL structures can start at an arbitrary value. I start with 1 because that's what the Alto code typically does. (This caused me no end of confusion until I realized the indices weren't zero-based.) ↩ 
- 
The code could be made 33% faster by taking advantage of an interaction between SHA-256 and the Bitcoin header structure. Bitcoin performs a SHA-256 hash twice on the 80-byte header. Since SHA-256 only handles 64 bytes at a time, the first hash requires two SHA-256 cycles. The second hash takes a third SHA-256 cycle. However, when mining, the only thing that changes from one attempt to the next is the nonce value in the header. It happens to be in the second half of the header, which means the SHA-256 cycle performed on the first half of the header can be done once and then reused. Thus, the double SHA-256 hash can be done with two SHA-256 cycles instead of three. Bitcoin mining usually performs this optimization, but I left it out of the code to make the code less confusing. ↩ 
- 
You might wonder why Bitcoin successful hashes start with a bunch of zeros, while the displayed hash ends with a bunch of zeros. The reason is that Bitcoin reverses the byte order of the SHA-256 output. If you look closely, you'll see that the displayed hash matches the hash in the Bitcoin block diagram if you reverse bytes (i.e. pairs of hex digits). ↩ 

 
 



 
 
20 comments:
Darn it, my plan to become rich mining Bitcoin with the Alto is spoiled!
By the way, the link to the microcode file is broken - it is missing an http:// at start.
omfg
What early microprocessor based system is comparable to the Xerox Alto in performance?
Matteo: thanks; I fixed the link. David: I haven't done any direct performance comparisons, but as far as instructions per second, the Alto is about the same as a 6502 or 8080A. The Alto would still have an edge since it is 16 bits while those microprocessors are 8 bits. A 68000 should easily beat an Alto. Maybe I'll try some benchmarks on the Alto to see where it stands.
Thanks for the post bro, I enjoyed it a lot :-)
BTW I think you meant "hashes" instead of "blocks" in the sentence "The Alto can hash about 1.5 blocks per second"
Little impresses me these days, but you have succeeded, Sir.
Interesting post, thanks !
I would do anything to spend the rest of my life doing this kind of stuff. This is so fucking awesome
There's an up & coming YouTube video on my real Mac Plus running a Think 'C' version of the BCPL Mandelbrot program. It's a pretty comparable implementation & runs in 143s making it about 12x faster with an equivalent screen size.
Wow, genial post.
I'd love to see more photos of your the Xerox Alto.
Greetings from Mexico.
Hi , this post brought back great memories of playing mazewars at 2 AM on an Alto in the CMU comp Sci graduate Dept in the late 1970s. A friend was a grad student there and would lets us lowly undergrads in to show off his latest Alto hacks. We would take the elevator down into the bowels of science hall and play for a few hours. There were at least a dozen of these machines in the lab. We played mazewars a networked 3D maze game along with a star wars game.
Great work in keeping the old jedi ways alive!!
dave
EE cmu 1978-82
Excellent project and really well explained. NOW I understand Bitcoin mining!
has anyone tried putting this on the contralto emulator? lol
Absolutely brilliant! I love watching old machines working. I'm jealous! That Alto looks awesome :-)
could we mine bitcoin by typing a nonce value manually ?
or by trying just the values of a segment [NonceMin, NonceMax]
What an incredible computer for the time. The Bitcoin side is interesting enough and well explained, but can you describe the mechanism for displaying images on the bitmapped display? How are your original images processed into the raw format, and is the display memory-mapped?
Unknown: you asked about how I display images. The Alto display is memory-mapped, with a complex display-list system where different horizontal stripes can come from different regions of memory. (This makes scrolling fast since you can just update pointers rather than moving pixels.) The in-memory format is just one bit = one pixel. I wrote a short Python script (using the PIL image library) to convert (via dithering) a jpg to a file of raw pixels, and then load this file into the Alto's memory. So now I can easily display arbitrary images like this one. While the Alto is only black and white, Xerox PARC also developed a color system in 1972 called SuperPaint.
Thanks Ken. I've downloaded an Alto emulator to see this for myself. I know enough to appreciate how incredible this machine was at a time then the predominant method of interaction with a computer was via a teletype. The bitmapped display and contemporary-like approach to programming (or beyond, in fact, since programs could be changed on-the-fly), not to mention the networking potential, makes me somewhat sad that the tech was largely unimplemented until the early-80s: imagine what could have been. On the flip side, this machine was no-doubt incredibly expensive: but with a bit of vision, those prices could have fallen through bulk-adoption. (Twitter: 8bitadc)
May the best wishes of these individuals @https://en.wikipedia.org/wiki/List_of_people_associated_with_PARC be upon your great project permanently and forever and of course on Steve for "getting it". Poor Adele! Results have to come to the people at some point. The article summary could simply be to dollar-cost-average into BTC (slowly) -- it's probably too late. I think there are less than 5M BTC's left to go and they get really impossible to mine.
Thank you for sharing it's great
Post a Comment