Skip to content
— CH. 1 · INTRODUCTION —

Proof of work

~8 min read · Ch. 1 of 7
7 sections
  • Proof of work sits at the heart of Bitcoin, the technology that turned a whitepaper into a global currency network. But the idea is decades older than Bitcoin, and it began not with money but with spam. In 1993, two researchers named Cynthia Dwork and Moni Naor asked a simple question: what if sending junk email cost something? Not money, but computation. Their answer planted a seed that would grow into one of the most energy-consuming systems ever devised. The term "proof of work" itself was not coined until 1999, by Markus Jakobsson and Ari Juels in a formal academic paper. What came between that 1993 idea and Bitcoin's 2009 launch is a story of cryptographers, anti-spam researchers, and a pseudonymous inventor named Satoshi Nakamoto. It raises a question that has not been resolved: can a system designed to make abuse expensive also be sustainable when scaled to a planetary network?

  • Cynthia Dwork and Moni Naor published their foundational idea in a paper titled "Pricing via Processing or Combatting Junk Mail." Their proposed puzzles included computing modular square roots, tasks that are hard to produce but trivial to check. That asymmetry is the core of every proof-of-work scheme that has followed.

    British cryptographer Adam Back took that asymmetry and built something practical. In 1997, he released Hashcash, a system that required email senders to compute a partial inversion of the SHA-1 hashing algorithm. The output had to begin with a specified number of leading zeros. Back described the system in a paper titled "Hashcash: A Denial of Service Counter-Measure." A single email required modest effort from a person, but a spammer sending millions of messages would face a crushing computational bill.

    The Hashcash header itself is a kind of fingerprint. A header sent to calvin@comics.net on the 19th of January 2038 encodes roughly 2 to the power of 52 hash computations. The recipient verifies that work with a single SHA-1 check, confirming the hash begins with 52 binary zeros. That check costs almost nothing; producing the header cost real CPU time.

    Hal Finney extended this logic in 2004 with a concept he called reusable proof of work, or RPoW. Finney used the 160-bit SHA-1 algorithm and built a system where a proof generated once could be passed along rather than discarded, a step toward using computational effort as a form of digital token.

  • Satoshi Nakamoto's 2008 whitepaper, "Bitcoin: A Peer-to-Peer Electronic Cash System," took the Hashcash model and reshaped it for an entirely different purpose. Where Hashcash produced static, one-time proofs, Bitcoin's system required dynamic difficulty adjustment. The network recalibrates so that a new block is found roughly every 10 minutes, regardless of how much computing power is pointed at it.

    Bitcoin replaced SHA-1 with SHA-256, a more robust hashing algorithm. Miners compete to find a hash that meets the current difficulty target, and when one succeeds, a new block is appended to the blockchain. That miner earns newly created bitcoin as a reward. The work is what prevents tampering: rewriting history would require redoing not just one block's computation but every block that followed it.

    The hardware story moved fast. Bitcoin mining began on standard CPUs, then shifted to graphics processors, then to field-programmable gate arrays, and finally to application-specific integrated circuits, or ASICs, built solely to compute SHA-256 as fast as possible. Each transition squeezed out participants who lacked access to the newest hardware.

    Litecoin attempted to slow that consolidation. It replaced SHA-256 with an algorithm called Scrypt, developed by Colin Percival and described in "The scrypt Password-Based Key Derivation Function." Scrypt is memory-intensive, requiring a meaningful amount of RAM, which was meant to limit the advantage ASICs could offer. That advantage was only delayed; Litecoin mining eventually followed the same path from CPUs through GPUs and FPGAs to dedicated ASICs.

  • Proof-of-work schemes fall into two broad classes. Challenge-response protocols require a live connection between the party requesting service and the party providing it. The provider issues a fresh puzzle on the spot, can tune its difficulty to match current load, and checks the answer immediately. Because the provider chose the puzzle, a known solution can exist within a bounded search space.

    Solution-verification protocols work without that live link. The requester must choose and solve a problem before asking for service. The provider then checks both that the problem was legitimate and that the solution is correct. Hashcash is the canonical example. Because no one pre-selects the answer, these schemes are unbounded probabilistic searches: the solver just keeps hashing until a valid result appears.

    Beyond those two classes, the underlying computation can be CPU-bound, memory-bound, or network-bound. CPU-bound work runs at processor speed and varies widely across hardware generations. Memory-bound work is constrained by RAM access speeds, which evolve more slowly and create a more level field. Network-bound schemes require the requester to collect tokens from remote servers, imposing delay without demanding heavy local computation.

    Some systems also allow shortcut computations for participants who hold a private key. A mailing-list operator, for instance, could stamp outgoing messages cheaply rather than paying full computational cost per recipient. Whether that shortcut is acceptable depends on the use case it is designed to serve.

  • At the IACR conference Crypto 2022, researchers presented a system called Ofelimos that tried to solve a long-standing criticism of standard proof of work: that the computation is inherently wasteful. Ofelimos is built around Doubly Parallel Local Search, an algorithm that doubles as a decentralized optimization problem solver. Miners in Ofelimos do not churn through meaningless hashes; they work on real optimization problems. The paper demonstrated the concept using a variant of WalkSAT, a well-known algorithm for solving Boolean satisfiability problems.

    A separate variant called Optimisable Proof of Work, or OPoW, takes a different angle. Rather than directing work toward a single fixed puzzle, OPoW draws challenges from computational science problems including Boolean satisfiability, capacitated vehicle routing, and the knapsack problem. It binds these challenges together through an influence calculation that distributes block rewards proportionally. OPoW creates two distinct roles: miners who solve problems and earn rewards for finding efficient algorithms, and algorithm contributors who submit improved solving methods and earn a share of rewards when miners adopt them. By separating problem-solving from block creation, OPoW allows many solutions to be found per block, effectively treating algorithm development as a tradable commodity.

  • Bitcoin's proof-of-work design is, by construction, vulnerable to what is called a 51% attack. Any entity controlling more than half the network's total hashing power can rewrite the canonical chain, reverse transactions, double-spend coins, and censor new transactions entirely. A real example occurred in March 2013, when a bug in the Bitcoin 0.8.0 client caused the chain to split. A merchant identified as OKPAY confirmed a deposit of ten thousand dollars from a customer on the 0.8.0 chain. Miners then coordinated to reverse 24 blocks, erasing that transaction and allowing the customer to spend the same bitcoin again on the pre-0.8.0 chain.

    A 2025 paper by Duke University Finance Professor Campbell Harvey estimated that a week-long 51% attack on Bitcoin could be executed for roughly six billion dollars at October 2025 prices. That figure amounts to less than one percent of Bitcoin's total market value, meaning an attacker could potentially profit simply by shorting Bitcoin before launching the attack.

    Proof of work also creates what the source describes as asymmetric security. The miners who control the network's defense are not the same people who hold most of the bitcoin. Their incentive to protect the network is weaker than it would be under a proof-of-stake system, where validators must hold the asset they are protecting. Bitcoin's security budget is roughly equal to the total block reward. With each halving event, that reward shrinks. Transaction fees currently generate only about one percent of the total block reward, and the long-term sustainability of that security model remains an open concern among Bitcoin developers.

  • University of Cambridge researchers estimated in 2018 that Bitcoin's total electricity consumption was comparable to that of Switzerland. The energy use is not incidental; it is structural. The lottery-like nature of Bitcoin mining means that enormous amounts of computation are discarded with every block. Only one miner wins; everyone else's work produces no lasting result except the heat that made it difficult to cheat.

    In January 2022, Erik Thedeen, vice-chair of the European Securities and Markets Authority, called on the European Union to ban the proof-of-work model entirely, proposing that networks shift to proof of stake, which achieves consensus without competitive computation.

    New York State acted in November 2022, enacting a two-year moratorium on cryptocurrency mining operations that do not run entirely on renewable energy. Existing mining companies were grandfathered in and allowed to continue, though they cannot expand or renew permits. No new operation without full renewable power was permitted to start.

    The interruptible nature of mining load does offer one potential upside: because miners can switch off quickly, they can act as demand-response resources on electrical grids, absorbing surplus power during periods when renewable generation exceeds demand. Whether that benefit offsets the baseline energy draw remains a contested question in energy policy circles.

Continue Browsing

Common questions

Who invented proof of work and when was the concept first proposed?

Cynthia Dwork and Moni Naor first proposed proof of work in 1993 as a way to deter junk email by requiring computational effort from senders. The term "proof of work" was formally coined in a 1999 paper by Markus Jakobsson and Ari Juels.

What is Hashcash and how does it use proof of work?

Hashcash is a proof-of-work system created by British cryptographer Adam Back in 1997 to combat email spam. It requires senders to compute a partial SHA-1 hash inversion, producing a result with a specified number of leading zeros. Recipients verify the work with a single computation.

How does Bitcoin use proof of work to secure its blockchain?

Bitcoin uses a SHA-256-based proof-of-work algorithm in which miners compete to find a hash meeting a difficulty target, earning newly created bitcoin as a reward. The difficulty adjusts dynamically so that a new block is found approximately every 10 minutes.

What is a 51% attack on a proof-of-work network?

A 51% attack occurs when a single entity controls more than half of a proof-of-work network's hashing power, allowing them to rewrite the blockchain, reverse transactions, and double-spend coins. A 2025 paper by Duke University Finance Professor Campbell Harvey estimated that a week-long 51% attack on Bitcoin could cost roughly six billion dollars at October 2025 prices.

How much energy does Bitcoin proof-of-work mining consume?

University of Cambridge researchers estimated in 2018 that Bitcoin's energy consumption was comparable to that of Switzerland. The high energy use is structural because Bitcoin mining operates as a computational lottery where only one miner's work per block produces a lasting result.

What is the difference between proof of useful work and standard proof of work?

Standard proof of work requires miners to solve arbitrary cryptographic puzzles whose only function is network security. Proof of useful work, as demonstrated in the Ofelimos protocol presented at Crypto 2022, directs that computation toward real optimization problems such as Boolean satisfiability, producing useful results alongside consensus.

All sources

48 references cited across the entry

  1. 1journalA Cross-Stack Approach Towards Defending Against CryptojackingNada Lachtar et al. — 2023-10-01
  2. 7journalRenewable Energy Transition Facilitated by BitcoinM. Velický — 2023
  3. 9journalProof-of-work proves not to workBen Laurie et al. — May 2004
  4. 11journalBitcoin: A Peer-to-Peer Electronic Cash SystemSatoshi Nakamoto — August 21, 2008
  5. 12citationPricing via Processing or Combatting Junk MailCynthia Dwork et al. — Springer Berlin Heidelberg — 1993
  6. 14reportThe scrypt Password-Based Key Derivation FunctionC. Percival et al. — RFC Editor — August 2016
  7. 16bookAdvances in Cryptology — CRYPTO' 92Cynthia Dwork et al. — Springer — 1993
  8. 17webHashCashAdam Back
  9. 18bookFinancial CryptographyEran Gabber et al. — 1998
  10. 19bookProceedings 19th International Conference on Data Engineering (Cat. No.03CH37405)Xiao-Feng Wang et al. — May 2003
  11. 20bookFinancial CryptographyMatthew K. Franklin et al. — 1997
  12. 21journalClient puzzles: A cryptographic defense against connection depletion attacksAri Juels et al. — 1999
  13. 23journalModerately hard, memory-bound functionsMartín Abadi et al. — 2005
  14. 24bookAdvances in Cryptology - CRYPTO 2003Cynthia Dwork et al. — Springer — 2003
  15. 26bookFinancial Cryptography and Data SecurityJohn Tromp — Springer — 2015
  16. 28book2009 Annual Computer Security Applications ConferenceMehmud Abliz et al. — December 2009
  17. 30webThe Innovation Game (Whitepaper v2.2)John Fletcher et al.
  18. 32webBitcoin: A Peer-to-Peer Electronic Cash SystemSatoshi Nakamoto — 24 May 2009
  19. 35newsShort-Term Fixes To Avert "51% Attack"Michael J. Casey et al. — Wall Street Journal — 16 June 2014
  20. 38webThe State of Cryptocurrency MiningDavid Vorick — 13 May 2018
  21. 42webMarch 2013 Chain Fork Post-MortemGavin Andresen — Bitcoin Core
  22. 44web51% attacks10 July 2020
  23. 46journalThe economic dependency of bitcoin securityPavel Ciaian et al. — 2021-10-21
  24. 49journalProofs of Work and Bread Pudding ProtocolsMarkus Jakobsson et al. — Kluwer Academic Publishers — 1999