比特币白皮书的中文版

币安

  比特币:一种点对点的电子现款体例

  abstract. a purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. we propose a solution to the double-spending problem using a peer-to-peer network. the network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. the longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of cpu power. as long as a majority of cpu power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. the network itself requires minimal structure. messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.

  大纲:一个简单的点对点本子的电子现款体例,将承诺在线付出径直从一方发送给另一方,而无需经过金融组织比特币存户端载入。数字出面固然供给了局部处置计划,但,假如仍旧须要被断定的第三方来提防双重开销的话,那么电子付出的重要上风就被对消了。咱们提出一个计划,运用点对点搜集去处置双重开销题目。点对点搜集将为每笔买卖标志功夫戳,本领是:把买卖的散列数据录入一个连接延长的、以散名列普通的处事表明链上,产生一个如非实足重做就不大概变换的记载。最长链,一上面用来表明已被见证的事变及其程序,与此同声,也用来表明它来自于最大的 cpu 算力池。只有绝大普遍 cpu 算力被良性节点遏制 —— 即,它们不与那些试验报复搜集的节点协作 —— 那么,良性节点将会天生最长链,而且在速率上胜过报复者。这个搜集自己须要最小化的构造。消息将以最大全力为基础去传递,节点往返自在;但,介入之时老是须要接收最长的处事表明链动作它们未介入功夫所爆发之十足的表明。

  1. 简介 (introduction)

  commerce on the internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. while the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model. completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes. the cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for non-reversible services. with the possibility of reversal, the need for trust spreads. merchants must be wary of their customers, hassling them for more information than they would otherwise need. a certain percentage of fraud is accepted as unavoidable. these costs and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party.

  互联网络贸易简直实足依附金融组织动作确凿第三方去向理电子付出比特币存户端载入。固然对准大普遍买卖来说,这个体例还算不错,但,它仍旧被鉴于断定的模子所固有的缺点所累赘。实足不行逆转的买卖本质上并不大概,由于金融组织不许制止评断争议。评断本钱减少了买卖本钱,从而控制了最小大概买卖的范围,且简洁遏止了很多小额付出买卖。除此除外,再有更大的本钱:体例没辙为那些不行逆的效劳供给不行逆的付出。逆转的大概性,形成了对于断定的需要无所不在。商家必需堤防着她们的主顾,烦恼主顾供给要不是如许(假如断定)就并不需要的更多消息。确定比率的讹诈,被觉得是不行制止的。那些本钱和付出不决定性,固然在人与人之间径直运用物理钱币付出的功夫是不妨制止的;但,没有任何一个体制能在两边在个中一方不被断定的情景下经过勾通渠道举行付出。

  what is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party. transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers. in this paper, we propose a solution to the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions. the system is secure as long as honest nodes collectively control more cpu power than any cooperating group of attacker nodes.

  咱们真实须要的是一种鉴于加密表明而非鉴于断定的电子付出体例,承诺大肆两边在不须要断定第三方的情景下径直买卖比特币存户端载入。算力保护的不行逆转买卖能扶助卖方不被讹诈,而养护买家的凡是保证体制也很简单实行。在本舆论中,咱们将提出一种对准双重开销的处置计划,运用点对点的、散布式的功夫戳效劳器去天生鉴于算力的表明,依照功夫程序记载每条买卖。此体例是安定的,只有淳厚节点总体上对立于彼此协作的报复者控制更多的 cpu 算力。

  2. 买卖 (transactions)

  we define an electronic coin as a chain of digital signatures. each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin. a payee can verify the signatures to verify the chain of ownership.

  咱们将一枚电子金币设置为一个数字出面链比特币存户端载入。一位一切者将一枚金币交给另一部分的功夫,要经过在这个数字出面链的结束附加上以次数字出面:上一笔买卖的哈希(hash,译音,亦翻译为“散列值”),以及新一切者的公钥。收款人不妨经过考证出面去考证数字出面链的分属权。

  the problem of course is the payee can't verify that one of the owners did not double-spend the coin. a common solution is to introduce a trusted central authority, or mint, that checks every transaction for double spending. after each transaction, the coin must be returned to the mint to issue a new coin, and only coins issued directly from the mint are trusted not to be double-spent. the problem with this solution is that the fate of the entire money system depends on the company running the mint, with every transaction having to go through them, just like a bank.

  这个路途的题目在乎收款人没辙考证已经的一切者之中没有人双重付出过比特币存户端载入。罕见的处置计划是引入一个确凿的重心化权势方,或称“铸币厂”,让它去查看每一笔买卖能否生存双重付出。每一次爆发买卖之后,金币必需归来到铸币厂,铸币厂再刊行一枚新的金币。从而,惟有铸币厂径直刊行的金币才是确凿的、未被双重付出过的。这个处置计划的题目在乎,所有钱币体例的运气被拴在经营铸币厂的谁人公司(就犹如钱庄那么)身上,每一笔买卖必需经过它。

  we need a way for the payee to know that the previous owners did not sign any earlier transactions. for our purposes, the earliest transaction is the one that counts, so we don't care about later attempts to double-spend. the only way to confirm the absence of a transaction is to be aware of all transactions. in the mint based model, the mint was aware of all transactions and decided which arrived first. to accomplish this without a trusted party, transactions must be publicly announced1, and we need a system for participants to agree on a single history of the order in which they were received. the payee needs proof that at the time of each transaction, the majority of nodes agreed it was the first received.

  咱们须要一种办法,不妨让收款人确认之前的一切者并没有在任何之前的买卖上出面比特币存户端载入。就咱们的手段而言,惟有最早的买卖是算数的,以是,咱们并不关怀后来的双重付出计划。确认一笔买卖不生存的独一本领是得悉一切的买卖。在铸币厂模子之中,铸币厂未然知悉一切的买卖,而且不妨确认那些买卖的程序。为了能在没有“被断定的一方”介入的情景下实行之上工作,买卖记载必需被公然颁布1,从而咱们须要一个体例能让介入者们认可它们所接受到的同一个独一的买卖汗青。收款人须要表明在每笔买卖爆发之时,大普遍节点不妨认可它是第一个被接受的。

  3. 功夫戳效劳器 (timestamp server)

  the solution we propose begins with a timestamp server. a timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash, such as in a newspaper or usenet post2 3 4 5. the timestamp proves that the data must have existed at the time, obviously, in order to get into the hash. each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.

  本处置计划起步于一种功夫戳效劳器比特币存户端载入。功夫戳效劳器是如许处事的:为一组(block)记载(items)的哈希打上功夫戳,尔后把哈希播送出去,就犹如一份白报纸所做的那么,大概像是在消息组(usenet)里的一个帖子那么2 3 4 5。明显,功夫戳不妨表明那数据在谁人功夫点之前未然生存,要不那哈希也就没辙天生。每个功夫戳在其哈希中包括着之前的功夫戳,所以形成了一个链;每一个新的功夫戳被增添到之前的功夫戳之后。

  4. 处事表明 (proof-of-work)

  to implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proof-of-work system similar to adam back's hashcash6, rather than newspaper or usenet posts. the proof-of-work involves scanning for a value that when hashed, such as with sha-256, the hash begins with a number of zero bits. the average work required is exponential in the number of zero bits required and can be verified by executing a single hash.

  为了实行一个鉴于点对点的散布式功夫戳效劳器,咱们须要运用一致亚当·伯克的哈希现款6那么的一个处事表明体例,而不是白报纸大概消息组帖子那么的货色比特币存户端载入。所谓的处事表明,即是去探求一个数值;这个数值要满意以次前提:为它索取散列数值之后 —— 比方运用 sha-256 计划散列数值 —— 这个散列数值必需以确定数目的 0 发端。每减少一个 0 的诉求,将使得处事量指数级减少,而且,这个处事量的考证却只需经过计划一个哈希。

  for our timestamp network, we implement the proof-of-work by incrementing a nonce in the block until a value is found that gives the block's hash the required zero bits. once the cpu effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. as later blocks are chained after it, the work to change the block would include redoing all the blocks after it.

  在咱们的功夫戳搜集中,咱们是如许实行处事表明的:连接在区块之中减少一个随机数(nonce),直到一个满意前提的数值被找到;这个前提即是,这个区块的哈希以指定数目的 0 发端比特币存户端载入。一旦 cpu 的奢侈算力所获的的截止满意处事表明,那么这个区块将不复能被变动,只有从新实行之前的一切处事量。跟着新的区块连接被增添进入,变换暂时区块即表示着说要从新实行一切后来区块的处事。

  the proof-of-work also solves the problem of determining representation in majority decision making. if the majority were based on one-ip-address-one-vote, it could be subverted by anyone able to allocate many ips. proof-of-work is essentially one-cpu-one-vote. the majority decision is represented by the longest chain, which has the greatest proof-of-work effort invested in it. if a majority of cpu power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains. to modify a past block, an attacker would have to redo the proof-of-work of the block and all blocks after it and then catch up with and surpass the work of the honest nodes. we will show later that the probability of a slower attacker catching up diminishes exponentially as subsequent blocks are added.

  处事表明同声处置了怎样确定谁能代办大普遍做确定的题目比特币存户端载入。即使所谓的“大普遍”是鉴于“一个ip地方一票”的办法确定的话,那么任何一个不妨搞定很多 ip 地方的人就不妨被觉得是“大普遍”。处事表明实质上去看,是“一个cpu一票”。所谓的“大普遍确定”是由最长链所代办的,由于被加入最多处事的链即是它。即使大普遍 cpu 算力被淳厚的节点所遏制,那么淳厚链生长最为赶快,其速率会远超其余比赛链。为了变动一个仍旧爆发的区块,报复者将不得不从新实行谁人区块以及一切后来区块的的处事表明,尔后还要追上并胜过淳厚节点的处事。后文展现干什么一个被缓慢了的报复者不妨追上的大概性将跟着区块的连接减少而指数级贬低。

  to compensate for increasing hardware speed and varying interest in running nodes over time, the proof-of-work difficulty is determined by a moving average targeting an average number of blocks per hour. if they're generated too fast, the difficulty increases.

  为了应付硬件算力归纳的连接减少,以及跟着功夫促成大概爆发的节点介入数目变革,处事表明难度由此确定:鉴于平衡每钟点爆发的区块数目的一个挪动平衡值比特币存户端载入。即使区块天生得过快,那么难度将会减少。

  5. 搜集 (network)

  the steps to run the network are as follows:

  new transactions are broadcast to all nodes.

  each node collects new transactions into a block.

  each node works on finding a difficult proof-of-work for its block.

  when a node finds a proof-of-work, it broadcasts the block to all nodes.

  nodes accept the block only if all transactions in it are valid and not already spent.

  nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.

  运转搜集的办法如次:

  一切新的买卖向一切节点播送;

  每个节点将新友易打包到一个区块;

  每个节点发端为此区块找一个完备难度的处事表明;

  当某个区块找到其处事表明比特币存户端载入,它就要将此区块播送给一切节点;

  稠密其余节点当且只当以次前提满意才会接收这个区块:个中一切的买卖都是灵验的比特币存户端载入,且未被双重付出;

  稠密节点向搜集表白本人接收这个区块的本领是,在创造下一个区块的功夫,把被接收区块的哈希看成新区块之前的哈希比特币存户端载入。

  nodes always consider the longest chain to be the correct one and will keep working on extending it. if two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first. in that case, they work on the first one they received, but save the other branch in case it becomes longer. the tie will be broken when the next proof-of-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one.

  节点一直觉得最长链是精确的谁人,且会连接向其增添新数据比特币存户端载入。假如有两个节点同声向搜集播送了两个各别本子的“下一个区块”,有些节点会先接受到个中一个,而其余少许节点会先接受到其余一个。这种情景下,节点将在它们先接受到的谁人区块上连接处事,但也会把其余一个分支生存下来,以防后者变成最长链。当下一个处事表明被找到,而个中的一个分支变成更长的链之后,这个姑且的分别会被废除,在其余一个分支上处事的节点们会切换到更长的链上。

  new transaction broadcasts do not necessarily need to reach all nodes. as long as they reach many nodes, they will get into a block before long. block broadcasts are also tolerant of dropped messages. if a node does not receive a block, it will request it when it receives the next block and realizes it missed one.

  新的买卖不见得确定要播送达到一切的节点比特币存户端载入。只有达到充满多的节点,那么没多久那些买卖就会被打包进一个区块。区块播送也承诺少许动静被抛弃。即使一个节点并未接受到某个区块,那么这个节点会在它接受到下一个区块的功夫认识到本人错失了之前的区块,所以会发出弥补谁人丢失区块的乞求。

  6. 赞美 (incentive)

  by convention, the first transaction in a block is a special transaction that starts a new coin owned by the creator of the block. this adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no central authority to issue them. the steady addition of a constant of amount of new coins is analogous to gold miners expending resources to add gold to circulation. in our case, it is cpu time and electricity that is expended.

  依照商定,每个区块的第一笔买卖是一个特出的买卖,它会天生一枚新的金币,分属权是这个区块的天生者比特币存户端载入。这么做,使得节点扶助搜集有所赞美,也供给了一种将金币刊行到流利之中的办法 —— 在这个体例中,归正也没有一个重心化的权势方去刊行那些金币。如许这般宁静地减少确定数目的新金币加入流利,就犹如是黄金开拓者连接耗用她们的资源往流利之中减少黄金一律。在咱们的体例中,被耗用的资源是 cpu 处事功夫和它们所用的风力。

  the incentive can also be funded with transaction fees. if the output value of a transaction is less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction. once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation free.

  赞美还不妨来自买卖用度比特币存户端载入。即使一笔买卖的输入值小于它的输出值,那么个中的差额即是买卖费;而该买卖费即是用来赞美节点把该买卖打包进此区块的。一旦既定数目的金币仍旧加入流利,那么赞美将所有交由买卖手续费来实行,且一致不会有通货伸展。

  the incentive may help encourage nodes to stay honest. if a greedy attacker is able to assemble more cpu power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. he ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.

  赞美体制也大概会激动节点维持淳厚比特币存户端载入。即使一个贪心的报复者不妨包括比一切淳厚节点都更多的 cpu 算力,他必需做出一个采用:是用那些算力经过把本人花出去的钱偷回往返捉弄旁人呢?仍旧用那些算力去天生新的金币?他该当不妨创造依照准则行事是更合算的,暂时准则使得他不妨赢得比一切其余人加起来都更多的金币,这明显比黑暗破坏体例并使本人的财产化为虚无更合算。

  7. 接收硬盘空间 (reclaiming disk space)

  once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. to facilitate this without breaking the block's hash, transactions are hashed in a merkle tree257, with only the root included in the block's hash. old blocks can then be compacted by stubbing off branches of the tree. the interior hashes do not need to be stored.

  即使一枚金币迩来爆发的买卖爆发在充满多的区块之前,那么,这笔买卖之前该金币的花销买卖记载不妨被抛弃 —— 手段是为了俭朴磁盘空间比特币存户端载入。为了在不妨害该区块的哈希的基础下实行此功效,买卖记载的哈希将被归入一个 merkle 树257之中,而惟有树根被归入该区块的哈希之中。经过砍掉树枝本领,老解放区块即可被收缩。里面的哈希并不须要被生存。

  a block header with no transactions would be about 80 bytes. if we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2mb per year. with computer systems typically selling with 2gb of ram as of 2008, and moore's law predicting current growth of 1.2gb per year, storage should not be a problem even if the block headers must be kept in memory.

  一个没有任何买卖记载的区块头大概是 80 个字节比特币存户端载入。假如每格外钟爆发一个区块,80 字节乘以 6 乘以 24 乘以 365,即是年年 4.2m。截至 2008 年,大普遍在售的计划机配有 2gb 外存,而依照摩尔定理的猜测,年年会减少 1.2 gb,即使是区块头必需保存在外存之中也不会是什么题目。

  8. 简化版付出确认 (simplified payment verification)

  it is possible to verify payments without running a full network node. a user only needs to keep a copy of the block headers of the longest proof-of-work chain, which he can get by querying network nodes until he's convinced he has the longest chain, and obtain the merkle branch linking the transaction to the block it's timestamped in. he can't check the transaction for himself, but by linking it to a place in the chain, he can see that a network node has accepted it, and blocks added after it further confirm the network has accepted it.

  即使不必运转一个完备搜集节点也有大概确认付出比特币存户端载入。用户只须要有一份具有处事表明的最长链的区块头正片 —— 他不妨经过查问在线节点确认本人具有的真实来自最长链 —— 尔后获得 merkle 树的树枝节点,从而贯穿到这个区块被打上功夫戳时的买卖。用户并不许本人查看买卖,但,经过贯穿到链上的某个场合,他不妨看到某个搜集节点仍旧接收了这个买卖,而尔后加进入的区块进一步确认了搜集仍旧接收了此笔买卖。

  as such, the verification is reliable as long as honest nodes control the network, but is more vulnerable if the network is overpowered by an attacker. while network nodes can verify transactions for themselves, the simplified method can be fooled by an attacker's fabricated transactions for as long as the attacker can continue to overpower the network. one strategy to protect against this would be to accept alerts from network nodes when they detect an invalid block, prompting the user's software to download the full block and alerted transactions to confirm the inconsistency. businesses that receive frequent payments will probably still want to run their own nodes for more independent security and quicker verification.

  只有淳厚节点仍旧在掌握控制搜集,如许这般,考证即为真实的比特币存户端载入。但是,即使搜集被报复者所遏制的功夫,考证就没那么真实了。纵然搜集节点不妨本人考证买卖记载,然而,只有报复者不妨连接遏制搜集的话,那么简化版考证办法大概会被报复者臆造的买卖记载所捉弄。应付战略之一是,存户端软硬件要接收来自搜集节点的劝告。当搜集节点创造失效区块的功夫,即发出警报,在用户的软硬件上弹出报告,奉告用户载入完备区块,劝告用户确认买卖普遍性。那些有高频收付爆发的商家该当仍旧蓄意运转属于本人的完备节点,以此保护更独力的安定性和更快的买卖确认。

  9. 价格的拉拢与分隔 (combining and splitting value)

  although it would be possible to handle coins individually, it would be unwieldy to make a separate transaction for every cent in a transfer. to allow value to be split and combined, transactions contain multiple inputs and outputs. normally there will be either a single input from a larger previous transaction or multiple inputs combining smaller amounts, and at most two outputs: one for the payment, and one returning the change, if any, back to the sender.

  纵然逐一地处置金币是大概的,但为每分钱树立一个独立的记载是很蠢笨的比特币存户端载入。为了承诺价格的分隔与兼并,买卖记载包括多个输出和输入。普遍情景下,要么是一个独立的来自于一个对立大的之前的买卖的输出,要么是很多个输出来自于更小金额的拉拢;与此同声,最多有两个输入:一个是付出(指向收款方),即使需要的话,其余一个是找零(指向发款方)。

  it should be noted that fan-out, where a transaction depends on several transactions, and those transactions depend on many more, is not a problem here. there is never the need to extract a complete standalone copy of a transaction's history.

  犯得着提防的是,“扇出”在这边并不是题目 —— 所谓“扇出”,即是指一笔买卖依附于数笔买卖,且那些买卖又依附于更多笔买卖比特币存户端载入。历来就没有需要去索取任何一笔买卖的完备独力的汗青正片。

  10. 秘密 (privacy)

  the traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party. the necessity to announce all transactions publicly precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. the public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone. this is similar to the level of information released by stock exchanges, where the time and size of individual trades, the "tape", is made public, but without telling who the parties were.

  保守的钱庄模子经过控制他人获得买卖者和确凿第三方的消息而完毕确定水平的秘密养护比特币存户端载入。出于对将一切买卖记载公然的需要破坏了这种本领。然而,保护秘密可经过于另一处的割断消息流来实行——公钥隐姓埋名。大众不妨看到某某向某某转账了确定的金额,然而,没有任何消息指向某个决定的人。这种程度的消息颁布有点像书市买卖,惟有功夫和各个买卖的金额被颁布,然而,没有人领会买卖两边都是谁。

  as an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner. some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. the risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.

  再有其余一层风火墙比特币存户端载入。买卖者该当对准每一笔买卖起用一对新的公私钥,再不他人没辙将那些买卖追究到同一个一切者身上。有些多输出的买卖仍旧不免被追究,由于那些输出必定会被辨别出来自于同一个一切者。伤害在乎,即使一个公钥的一切者被暴光之后,与之关系的一切其余买卖城市被暴光。

  11. 计划 (calculations)

  we consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain. even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker. nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them. an attacker can only try to change one of his own transactions to take back money he recently spent.

  假如一个场景,某个报复者正在试图天生一个比淳厚链更快的代替链比特币存户端载入。就算他胜利了,也不会使暂时体例置于不置可否的为难地步,即,他不大概捏造创造出价格,也没辙获得从未属于他的钱。搜集节点不会把一笔失效买卖看成付出,而淳厚节点也长久不会接收一个包括这种付出的区块。报复者最多只能窜改属于他本人的买卖,从而试图取回他仍旧花出去的钱。

  the race between the honest chain and an attacker chain can be characterized as a binomial random walk. the success event is the honest chain being extended by one block, increasing its lead by +1, and the failure event is the attacker's chain being extended by one block, reducing the gap by -1.

  淳厚链和报复者之间的比赛不妨用二项式随机散步来刻画比特币存户端载入。胜利事变是淳厚链方才被增添了一个新的区块,使得它的上风减少了 ;而波折事变是报复者的链方才被减少了一个新的区块,使得淳厚链的上风缩小了 。

  the probability of an attacker catching up from a given deficit is analogous to a gambler's ruin problem. suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven. we can calculate the probability he ever reaches breakeven, or that an attacker ever catches up with the honest chain, as follows8:

  报复者不妨从掉队场合追平的几率一致于赌棍崩溃题目比特币存户端载入。假如,一个拿着无穷筹码的赌棍,从不足发端,承诺他赌无穷次,目的是弥补上已有的不足。咱们能算出他最后能弥补不足的几率,也即是报复者不妨超过淳厚链的几率8,如次:

  诚

  实

  节

  点

  找

  到

  下

  一

  个

  区

  块

  的

  概

  率

  攻

  击

  者

  找

  到

  下

  一

  个

  区

  块

  的

  概

  率

  攻

  击

  者

  落

  后

  个

  区

  块

  却

  依

  然

  能

  够

  赶

  上

  的

  概

  率

  given our assumption that , the probability drops exponentially as the number of blocks the attacker has to catch up with increases. with the odds against him, if he doesn't make a lucky lunge forward early on, his chances become vanishingly small as he falls further behind.

  既是咱们仍旧假设 , 既是报复者须要赶上并超过的区块数目越来越多,那么其胜利几率就会指数级低沉比特币存户端载入。于赢面倒霉时,即使报复者没有在开始就能倒霉地做一个前移步刺,那么他的胜率将在他进一步掉队的同声消释殆尽。

  we now consider how long the recipient of a new transaction needs to wait before being sufficiently certain the sender can't change the transaction. we assume the sender is an attacker who wants to make the recipient believe he paid him for a while, then switch it to pay back to himself after some time has passed. the receiver will be alerted when that happens, but the sender hopes it will be too late.

  此刻商量一下一笔新友易的收款人须要等多久本领充溢决定发款人不许变动这笔买卖比特币存户端载入。咱们假设发款人是个报复者,计划让收款人在一段功夫里断定他仍旧付出周旋金钱,随后将这笔钱再转回给本人。爆发这种情景时,收款人固然会收到劝告,但发款人蓄意其时米已成炊。

  the receiver generates a new key pair and gives the public key to the sender shortly before signing. this prevents the sender from preparing a chain of blocks ahead of time by working on it continuously until he is lucky enough to get far enough ahead, then executing the transaction at that moment. once the transaction is sent, the dishonest sender starts working in secret on a parallel chain containing an alternate version of his transaction.

  收款人天生了一对新的公私钥,尔后在签订之前不久将公钥奉告发款人比特币存户端载入。如许不妨提防一种景象:发款人提早经过贯串演算去筹备一条链上的区块,而且只有有充满的幸运就会充满超过,直到其时再实行买卖。一旦金钱已被发出,谁人不淳厚的发款人发端神秘地在另一条平行链上动工,试图在个中介入一个反向本子的买卖。

  the recipient waits until the transaction has been added to a block and blocks have been linked after it. he doesn't know the exact amount of progress the attacker has made, but assuming the honest blocks took the average expected time per block, the attacker's potential progress will be a poisson distribution with expected value:

  收款人比及此笔买卖被打包进区块,并仍旧有 个区块随后被介入比特币存户端载入。他并不领会报复者的处事发达毕竟怎样,然而不妨假设淳厚区块在每个区块天生进程中奢侈的平衡功夫;报复者的潜伏发达适合泊松散布,其憧憬值为:

  to get the probability the attacker could still catch up now, we multiply the poisson density for each amount of progress he could have made by the probability he could catch up from that point:

  为了算出报复者仍旧不妨超过的几率比特币存户端载入,咱们要把每一个报复者已有的发达的帕松密度乘以他不妨从那一点不妨追上去的几率:

  rearranging to avoid summing the infinite tail of the distribution...

  为了制止对密度散布的无量级数乞降从新整治…

  converting to c code...

  变换为 c 谈话步调……

  #include <math.h>

  double attackersuccessprobability(double q, int z)

  {

  double p = 1.0 - q;

  double lambda = z * (q / p);

  double sum = 1.0;

  int i, k;

  for (k = 0; k <= z; k++)

  {

  double poisson = exp(-lambda);

  for (i = 1; i <= k; i++)

  poisson *= lambda / i;

  sum -= poisson * (1 - pow(q / p, z - k));

  }

  return sum;

  }

  running some results, we can see the probability drop off exponentially with .

  获得局部截止比特币存户端载入,咱们不妨看到几率跟着 的减少指数级低沉:

  q=0.1

  z=0 p=1.0000000

  z=1 p=0.2045873

  z=2 p=0.0509779

  z=3 p=0.0131722

  z=4 p=0.0034552

  z=5 p=0.0009137

  z=6 p=0.0002428

  z=7 p=0.0000647

  z=8 p=0.0000173

  z=9 p=0.0000046

  z=10 p=0.0000012

  q=0.3

  z=0 p=1.0000000

  z=5 p=0.1773523

  z=10 p=0.0416605

  z=15 p=0.0101008

  z=20 p=0.0024804

  z=25 p=0.0006132

  z=30 p=0.0001522

  z=35 p=0.0000379

  z=40 p=0.0000095

  z=45 p=0.0000024

  z=50 p=0.0000006

  solving for p less than 0.1%...

  假如 p 小于 0.1%……

  p < 0.001

  q=0.10 z=5

  q=0.15 z=8

  q=0.20 z=11

  q=0.25 z=15

  q=0.30 z=24

  q=0.35 z=41

  q=0.40 z=89

  q=0.45 z=340

  12. 论断 (conclusion)

  we have proposed a system for electronic transactions without relying on trust. we started with the usual framework of coins made from digital signatures, which provides strong control of ownership, but is incomplete without a way to prevent double-spending. to solve this, we proposed a peer-to-peer network using proof-of-work to record a public history of transactions that quickly becomes computationally impractical for an attacker to change if honest nodes control a majority of cpu power. the network is robust in its unstructured simplicity. nodes work all at once with little coordination. they do not need to be identified, since messages are not routed to any particular place and only need to be delivered on a best effort basis. nodes can leave and rejoin the network at will, accepting the proof-of-work chain as proof of what happened while they were gone. they vote with their cpu power, expressing their acceptance of valid blocks by working on extending them and rejecting invalid blocks by refusing to work on them. any needed rules and incentives can be enforced with this consensus mechanism.

  咱们提出了一个不用依附断定的电子买卖体例;开始是一个普遍的运用数字出面的金币框架发端,固然它供给了兴盛的一切权遏制,却没辙制止双重付出比特币存户端载入。为领会决这个题目,咱们提出一个运用处事表明体制的点对点搜集去记载一个公然的买卖记载汗青,只有淳厚节点不妨遏制大普遍 cpu 算力,那么报复者就仅从算力上面就不大概胜利窜改体例。这个搜集的兴盛在乎它的无构造的大略。节点们不妨在很少共同的情景下刹时同声处事。它们以至不须要被辩别,由于动静的路途并非在于于一定的尽头;动静只须要被以最大全力为基础去传递即可。节点往返自在,从新加时髦,只须要接收处事表明链,动作它们离线之时所爆发之十足的表明。它们经过它们的 cpu 算力开票,经过连接为链增添新的灵验区块、中断失效区块,去表白它们对灵验买卖的接收与否。任何需要的准则和赞美都不妨经过这个共鸣体制来强迫实行。

  李笑来 译

本文转载自互联网,如有侵权,联系删除

相关推荐

评论列表
我钱包的手机一般都不下载其他软件的,都不怎么玩的
2021-05-06 04:13:45 回复该评论
我通过Defi智能合约金融池群,认识了个同城的大佬,几千万资产
2021-05-06 04:13:45 回复该评论
DOG还有韭菜上车吗
2021-05-06 17:04:40 回复该评论
有人愿意呗,不见黄河心不死
2021-05-06 17:04:40 回复该评论
这个月投资100多个eth准备跟着火币组织一起套利
2021-05-06 17:04:40 回复该评论