Skip to content

The Mining Process: nonce, extranonce & the coinbase

We know the goal: find a block header whose double-SHA-256 hash falls below the target. We know it’s a lottery you win by sheer volume of tries. But a header is only 80 bytes, and the nonce is only 4 of them — that’s a mere ~4.3 billion guesses, which modern hardware exhausts in a blink. So what does a miner actually do when the nonce runs out and no block has been found? This page is the concrete loop, and it has more moving parts than the cartoon “just increment the nonce” version suggests.

Before hashing anything, a miner builds a candidate block:

  1. Collect transactions from the mempool, generally preferring those paying the highest fees per byte (the economics of which are covered under miner incentives).
  2. Create the coinbase transaction — the special first transaction that pays the miner the block subsidy plus the fees. It has no real inputs; its input field is free-form space the miner controls.
  3. Build the Merkle tree over all those transactions. Its root — the Merkle root — is a single 32-byte fingerprint that commits to every transaction and their order. Change any transaction, or even reorder them, and the root changes completely.
  4. Fill in the header: previous block hash, the Merkle root, the current timestamp, the bits (target), and a starting nonce.
┌────────────────────── 80-byte block header ──────────────────────┐
│ version │ prev block hash │ MERKLE ROOT │ timestamp │ bits │ NONCE │
└────────────────────────────────────────────▲──────────────▲──────┘
│ │
changes when the coinbase changes the easy knob (4 bytes)

The two highlighted fields — the nonce and (indirectly) the Merkle root — are the miner’s search space.

The fast inner loop is just: hash the header, check against the target, increment the nonce, repeat.

for nonce in 0 .. 2³²-1:
header.nonce = nonce
if SHA256d(header) ≤ target: → WIN, broadcast the block
# ...fell through without a win

The nonce is a 4-byte field, so it offers only 2³² ≈ 4.3 billion distinct headers. At today’s difficulty a serious miner blows through all 4.3 billion in a tiny fraction of a second and finds nothing. The nonce alone is nowhere near enough randomness to be likely to win. We need more headers to try — which means we need to change the header in some other way.

Step 3: roll the extranonce (change the Merkle root)

Section titled “Step 3: roll the extranonce (change the Merkle root)”

Here’s the trick. The coinbase transaction’s input contains an arbitrary data field (the “coinbase scriptSig”) that the miner can stuff with anything. A few bytes of it are designated as the extranonce. When the miner increments the extranonce:

  1. the coinbase transaction’s bytes change, so
  2. the coinbase’s hash changes, so
  3. the Merkle root changes (the coinbase is a leaf of the tree), so
  4. the header changes — handing the miner a brand-new 4.3-billion-nonce search space to grind through.
extranonce = 0 → new coinbase → new Merkle root → fresh 2³² nonces to try
extranonce = 1 → new coinbase → new Merkle root → fresh 2³² nonces to try
...

So mining is really a two-level loop: the cheap inner loop sweeps the 4-byte nonce; when that’s exhausted, the outer loop bumps the extranonce, rebuilds the Merkle root, and the inner sweep starts over. Between them they provide effectively unlimited headers to test — enough to keep an entire mining farm busy for the full ~10 minutes between blocks.

The header’s timestamp is a third, smaller knob. Miners are allowed to nudge it within the consensus bounds (it must stay above the median of the last 11 blocks and not too far ahead of real time). Each distinct timestamp is yet another distinct header to hash. In practice the extranonce does the heavy lifting and the timestamp is a minor extra source of variation — but it’s part of why two miners working on “the same” block almost never collide on the same exact header.

Step back and the picture is stark: there is no algorithm, no shortcut, no insight that finds a winning header faster than trying candidates and checking each one. Mining is brute-force search over a space of headers, parallelized across as much hardware as a miner can afford. The “smartest” miner and the “dumbest” miner use the identical procedure; the only thing that differs is how many candidates per second they can test (their hashrate). That equality of method is exactly why the winner is decided by expended work and nothing else.

How does this help untrusting strangers agree on one ledger? The mining loop is where abstract “work” becomes a concrete, mechanical grind that anyone can audit. The winning header simultaneously commits to a specific set and ordering of transactions (via the Merkle root) and proves the energy spent to propose them (via the sub-target hash). A stranger receiving the block re-hashes once and gets both guarantees at no cost. The miner’s freedom to roll the nonce, extranonce, and timestamp is just bookkeeping for the search; the ledger everyone agrees on is whatever the winning header happened to commit to.

Step back from the loop and answer the five questions that turn an implementer into an architect:

  • Why does it exist? To give a miner enough distinct headers to test — the 4-byte nonce is only 2³² ≈ 4.3 billion tries, which one ASIC exhausts ~23,000 times a second, so the design layers an extranonce (in the coinbase) and the timestamp on top to manufacture effectively unlimited candidates.
  • What problem does it solve? It makes “work” a concrete, auditable grind: the winning header simultaneously commits to a specific set and ordering of transactions (via the Merkle root) and proves the energy spent to propose them — both checkable by re-hashing once.
  • What are the trade-offs? It’s pure brute force — no algorithm, no shortcut, no progress bar — so it’s enormously energy-hungry; and its internal structure leaks optimizations like AsicBoost (~20% energy savings) that can bend network politics.
  • When is this the wrong design? When you want mining to favor commodity hardware — memory-hard PoW (Scrypt, Ethash, RandomX) deliberately resists the ASIC specialization that this simple SHA-256-double loop rewards. And any non-PoW chain skips header-grinding entirely.
  • What breaks if I remove it? Without rolling the nonce/extranonce there aren’t enough headers to search, so a miner could never find one below target; without the coinbase extranonce changing the Merkle root, the search space collapses to 4.3 billion and mining stalls. The “equal method, unequal hashrate” property — the reason work alone decides the winner — depends on this exact loop.
  1. Why is the 4-byte nonce, by itself, not enough search space at modern difficulty?
  2. Trace the chain of effects when a miner increments the extranonce — from coinbase bytes all the way to a fresh nonce search space.
  3. Why is the coinbase transaction the natural place to put the extranonce, rather than some other transaction?
  4. Name the three header-affecting knobs a miner varies, and rank them by how much search space each provides.
  5. In what sense is mining “brute-force,” and why does that make the winner purely a function of hashrate?
Show answers
  1. The nonce is only 4 bytes — 2³² ≈ 4.3 billion distinct headers — which a serious miner exhausts in a tiny fraction of a second and still finds nothing. At modern difficulty that’s nowhere near enough randomness to be likely to win, so the header must be changed some other way.
  2. Incrementing the extranonce (arbitrary bytes in the coinbase’s input) changes the coinbase transaction’s bytes → changes the coinbase’s hash → changes the Merkle root (the coinbase is a leaf) → changes the header → handing the miner a fresh 4.3-billion-nonce search space to grind.
  3. Because the coinbase is the one transaction the miner fully owns and is free to mutate — no third-party signatures to invalidate and no other UTXOs to disturb — so stuffing search entropy there is the cleanest possible place.
  4. The extranonce (effectively unlimited search space — does the heavy lifting), the nonce (~4.3 billion per setting), and the timestamp (a small extra source of variation within consensus bounds).
  5. There is no algorithm or shortcut — you can only try candidate headers and check each one, so mining is brute-force search over headers. Since the smartest and dumbest miners use the identical procedure, the only difference is how many candidates per second each can test (hashrate) — which is exactly why the winner is decided by expended work alone.