abstract. a purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. we propose a solution to the double-spending problem using a peer-to-peer network. the network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. the longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of cpu power. as long as a majority of cpu power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. the network itself requires minimal structure. messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.

  大纲:一个简单的点对点本子的电子现款体例,将承诺在线付出径直从一方发送给另一方,而无需经过金融组织比特币存户端载入。数字出面固然供给了局部处置计划,但,假如仍旧须要被断定的第三方来提防双重开销的话,那么电子付出的重要上风就被对消了。咱们提出一个计划,运用点对点搜集去处置双重开销题目。点对点搜集将为每笔买卖标志功夫戳,本领是:把买卖的散列数据录入一个连接延长的、以散名列普通的处事表明链上,产生一个如非实足重做就不大概变换的记载。最长链,一上面用来表明已被见证的事变及其程序,与此同声,也用来表明它来自于最大的 cpu 算力池。只有绝大普遍 cpu 算力被良性节点遏制 —— 即,它们不与那些试验报复搜集的节点协作 —— 那么,良性节点将会天生最长链,而且在速率上胜过报复者。这个搜集自己须要最小化的构造。消息将以最大全力为基础去传递,节点往返自在;但,介入之时老是须要接收最长的处事表明链动作它们未介入功夫所爆发之十足的表明。

  1. 简介 (introduction)

  commerce on the internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. while the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model. completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes. the cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for non-reversible services. with the possibility of reversal, the need for trust spreads. merchants must be wary of their customers, hassling them for more information than they would otherwise need. a certain percentage of fraud is accepted as unavoidable. these costs and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party.


  what is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party. transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers. in this paper, we propose a solution to the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions. the system is secure as long as honest nodes collectively control more cpu power than any cooperating group of attacker nodes.

  咱们真实须要的是一种鉴于加密表明而非鉴于断定的电子付出体例,承诺大肆两边在不须要断定第三方的情景下径直买卖比特币存户端载入。算力保护的不行逆转买卖能扶助卖方不被讹诈,而养护买家的凡是保证体制也很简单实行。在本舆论中,咱们将提出一种对准双重开销的处置计划,运用点对点的、散布式的功夫戳效劳器去天生鉴于算力的表明,依照功夫程序记载每条买卖。此体例是安定的,只有淳厚节点总体上对立于彼此协作的报复者控制更多的 cpu 算力。

  2. 买卖 (transactions)

  we define an electronic coin as a chain of digital signatures. each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin. a payee can verify the signatures to verify the chain of ownership.


  the problem of course is the payee can't verify that one of the owners did not double-spend the coin. a common solution is to introduce a trusted central authority, or mint, that checks every transaction for double spending. after each transaction, the coin must be returned to the mint to issue a new coin, and only coins issued directly from the mint are trusted not to be double-spent. the problem with this solution is that the fate of the entire money system depends on the company running the mint, with every transaction having to go through them, just like a bank.


  we need a way for the payee to know that the previous owners did not sign any earlier transactions. for our purposes, the earliest transaction is the one that counts, so we don't care about later attempts to double-spend. the only way to confirm the absence of a transaction is to be aware of all transactions. in the mint based model, the mint was aware of all transactions and decided which arrived first. to accomplish this without a trusted party, transactions must be publicly announced1, and we need a system for participants to agree on a single history of the order in which they were received. the payee needs proof that at the time of each transaction, the majority of nodes agreed it was the first received.


  3. 功夫戳效劳器 (timestamp server)

  the solution we propose begins with a timestamp server. a timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash, such as in a newspaper or usenet post2 3 4 5. the timestamp proves that the data must have existed at the time, obviously, in order to get into the hash. each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.

  本处置计划起步于一种功夫戳效劳器比特币存户端载入。功夫戳效劳器是如许处事的:为一组(block)记载(items)的哈希打上功夫戳,尔后把哈希播送出去,就犹如一份白报纸所做的那么,大概像是在消息组(usenet)里的一个帖子那么2 3 4 5。明显,功夫戳不妨表明那数据在谁人功夫点之前未然生存,要不那哈希也就没辙天生。每个功夫戳在其哈希中包括着之前的功夫戳,所以形成了一个链;每一个新的功夫戳被增添到之前的功夫戳之后。

  4. 处事表明 (proof-of-work)

  to implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proof-of-work system similar to adam back's hashcash6, rather than newspaper or usenet posts. the proof-of-work involves scanning for a value that when hashed, such as with sha-256, the hash begins with a number of zero bits. the average work required is exponential in the number of zero bits required and can be verified by executing a single hash.

  为了实行一个鉴于点对点的散布式功夫戳效劳器,咱们须要运用一致亚当·伯克的哈希现款6那么的一个处事表明体例,而不是白报纸大概消息组帖子那么的货色比特币存户端载入。所谓的处事表明,即是去探求一个数值;这个数值要满意以次前提:为它索取散列数值之后 —— 比方运用 sha-256 计划散列数值 —— 这个散列数值必需以确定数目的 0 发端。每减少一个 0 的诉求,将使得处事量指数级减少,而且,这个处事量的考证却只需经过计划一个哈希。

  for our timestamp network, we implement the proof-of-work by incrementing a nonce in the block until a value is found that gives the block's hash the required zero bits. once the cpu effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. as later blocks are chained after it, the work to change the block would include redoing all the blocks after it.

  在咱们的功夫戳搜集中,咱们是如许实行处事表明的:连接在区块之中减少一个随机数(nonce),直到一个满意前提的数值被找到;这个前提即是,这个区块的哈希以指定数目的 0 发端比特币存户端载入。一旦 cpu 的奢侈算力所获的的截止满意处事表明,那么这个区块将不复能被变动,只有从新实行之前的一切处事量。跟着新的区块连接被增添进入,变换暂时区块即表示着说要从新实行一切后来区块的处事。

  the proof-of-work also solves the problem of determining representation in majority decision making. if the majority were based on one-ip-address-one-vote, it could be subverted by anyone able to allocate many ips. proof-of-work is essentially one-cpu-one-vote. the majority decision is represented by the longest chain, which has the greatest proof-of-work effort invested in it. if a majority of cpu power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains. to modify a past block, an attacker would have to redo the proof-of-work of the block and all blocks after it and then catch up with and surpass the work of the honest nodes. we will show later that the probability of a slower attacker catching up diminishes exponentially as subsequent blocks are added.

  处事表明同声处置了怎样确定谁能代办大普遍做确定的题目比特币存户端载入。即使所谓的“大普遍”是鉴于“一个ip地方一票”的办法确定的话,那么任何一个不妨搞定很多 ip 地方的人就不妨被觉得是“大普遍”。处事表明实质上去看,是“一个cpu一票”。所谓的“大普遍确定”是由最长链所代办的,由于被加入最多处事的链即是它。即使大普遍 cpu 算力被淳厚的节点所遏制,那么淳厚链生长最为赶快,其速率会远超其余比赛链。为了变动一个仍旧爆发的区块,报复者将不得不从新实行谁人区块以及一切后来区块的的处事表明,尔后还要追上并胜过淳厚节点的处事。后文展现干什么一个被缓慢了的报复者不妨追上的大概性将跟着区块的连接减少而指数级贬低。

  to compensate for increasing hardware speed and varying interest in running nodes over time, the proof-of-work difficulty is determined by a moving average targeting an average number of blocks per hour. if they're generated too fast, the difficulty increases.


  5. 搜集 (network)

  the steps to run the network are as follows:

  new transactions are broadcast to all nodes.

  each node collects new transactions into a block.

  each node works on finding a difficult proof-of-work for its block.

  when a node finds a proof-of-work, it broadcasts the block to all nodes.

  nodes accept the block only if all transactions in it are valid and not already spent.

  nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.








  nodes always consider the longest chain to be the correct one and will keep working on extending it. if two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first. in that case, they work on the first one they received, but save the other branch in case it becomes longer. the tie will be broken when the next proof-of-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one.


  new transaction broadcasts do not necessarily need to reach all nodes. as long as they reach many nodes, they will get into a block before long. block broadcasts are also tolerant of dropped messages. if a node does not receive a block, it will request it when it receives the next block and realizes it missed one.


  6. 赞美 (incentive)

  by convention, the first transaction in a block is a special transaction that starts a new coin owned by the creator of the block. this adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no central authority to issue them. the steady addition of a constant of amount of new coins is analogous to gold miners expending resources to add gold to circulation. in our case, it is cpu time and electricity that is expended.

  依照商定,每个区块的第一笔买卖是一个特出的买卖,它会天生一枚新的金币,分属权是这个区块的天生者比特币存户端载入。这么做,使得节点扶助搜集有所赞美,也供给了一种将金币刊行到流利之中的办法 —— 在这个体例中,归正也没有一个重心化的权势方去刊行那些金币。如许这般宁静地减少确定数目的新金币加入流利,就犹如是黄金开拓者连接耗用她们的资源往流利之中减少黄金一律。在咱们的体例中,被耗用的资源是 cpu 处事功夫和它们所用的风力。

  the incentive can also be funded with transaction fees. if the output value of a transaction is less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction. once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation free.


  the incentive may help encourage nodes to stay honest. if a greedy attacker is able to assemble more cpu power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. he ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.

  赞美体制也大概会激动节点维持淳厚比特币存户端载入。即使一个贪心的报复者不妨包括比一切淳厚节点都更多的 cpu 算力,他必需做出一个采用:是用那些算力经过把本人花出去的钱偷回往返捉弄旁人呢?仍旧用那些算力去天生新的金币?他该当不妨创造依照准则行事是更合算的,暂时准则使得他不妨赢得比一切其余人加起来都更多的金币,这明显比黑暗破坏体例并使本人的财产化为虚无更合算。

  7. 接收硬盘空间 (reclaiming disk space)

  once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. to facilitate this without breaking the block's hash, transactions are hashed in a merkle tree257, with only the root included in the block's hash. old blocks can then be compacted by stubbing off branches of the tree. the interior hashes do not need to be stored.

  即使一枚金币迩来爆发的买卖爆发在充满多的区块之前,那么,这笔买卖之前该金币的花销买卖记载不妨被抛弃 —— 手段是为了俭朴磁盘空间比特币存户端载入。为了在不妨害该区块的哈希的基础下实行此功效,买卖记载的哈希将被归入一个 merkle 树257之中,而惟有树根被归入该区块的哈希之中。经过砍掉树枝本领,老解放区块即可被收缩。里面的哈希并不须要被生存。

  a block header with no transactions would be about 80 bytes. if we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2mb per year. with computer systems typically selling with 2gb of ram as of 2008, and moore's law predicting current growth of 1.2gb per year, storage should not be a problem even if the block headers must be kept in memory.

  一个没有任何买卖记载的区块头大概是 80 个字节比特币存户端载入。假如每格外钟爆发一个区块,80 字节乘以 6 乘以 24 乘以 365,即是年年 4.2m。截至 2008 年,大普遍在售的计划机配有 2gb 外存,而依照摩尔定理的猜测,年年会减少 1.2 gb,即使是区块头必需保存在外存之中也不会是什么题目。

  8. 简化版付出确认 (simplified payment verification)

  it is possible to verify payments without running a full network node. a user only needs to keep a copy of the block headers of the longest proof-of-work chain, which he can get by querying network nodes until he's convinced he has the longest chain, and obtain the merkle branch linking the transaction to the block it's timestamped in. he can't check the transaction for himself, but by linking it to a place in the chain, he can see that a network node has accepted it, and blocks added after it further confirm the network has accepted it.

  即使不必运转一个完备搜集节点也有大概确认付出比特币存户端载入。用户只须要有一份具有处事表明的最长链的区块头正片 —— 他不妨经过查问在线节点确认本人具有的真实来自最长链 —— 尔后获得 merkle 树的树枝节点,从而贯穿到这个区块被打上功夫戳时的买卖。用户并不许本人查看买卖,但,经过贯穿到链上的某个场合,他不妨看到某个搜集节点仍旧接收了这个买卖,而尔后加进入的区块进一步确认了搜集仍旧接收了此笔买卖。

  as such, the verification is reliable as long as honest nodes control the network, but is more vulnerable if the network is overpowered by an attacker. while network nodes can verify transactions for themselves, the simplified method can be fooled by an attacker's fabricated transactions for as long as the attacker can continue to overpower the network. one strategy to protect against this would be to accept alerts from network nodes when they detect an invalid block, prompting the user's software to download the full block and alerted transactions to confirm the inconsistency. businesses that receive frequent payments will probably still want to run their own nodes for more independent security and quicker verification.


  9. 价格的拉拢与分隔 (combining and splitting value)

  although it would be possible to handle coins individually, it would be unwieldy to make a separate transaction for every cent in a transfer. to allow value to be split and combined, transactions contain multiple inputs and outputs. normally there will be either a single input from a larger previous transaction or multiple inputs combining smaller amounts, and at most two outputs: one for the payment, and one returning the change, if any, back to the sender.


  it should be noted that fan-out, where a transaction depends on several transactions, and those transactions depend on many more, is not a problem here. there is never the need to extract a complete standalone copy of a transaction's history.

  犯得着提防的是,“扇出”在这边并不是题目 —— 所谓“扇出”,即是指一笔买卖依附于数笔买卖,且那些买卖又依附于更多笔买卖比特币存户端载入。历来就没有需要去索取任何一笔买卖的完备独力的汗青正片。

  10. 秘密 (privacy)

  the traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party. the necessity to announce all transactions publicly precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. the public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone. this is similar to the level of information released by stock exchanges, where the time and size of individual trades, the "tape", is made public, but without telling who the parties were.


  as an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner. some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. the risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.


  11. 计划 (calculations)

  we consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain. even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker. nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them. an attacker can only try to change one of his own transactions to take back money he recently spent.


  the race between the honest chain and an attacker chain can be characterized as a binomial random walk. the success event is the honest chain being extended by one block, increasing its lead by +1, and the failure event is the attacker's chain being extended by one block, reducing the gap by -1.

  淳厚链和报复者之间的比赛不妨用二项式随机散步来刻画比特币存户端载入。胜利事变是淳厚链方才被增添了一个新的区块,使得它的上风减少了 ;而波折事变是报复者的链方才被减少了一个新的区块,使得淳厚链的上风缩小了 。

  the probability of an attacker catching up from a given deficit is analogous to a gambler's ruin problem. suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven. we can calculate the probability he ever reaches breakeven, or that an attacker ever catches up with the honest chain, as follows8:















































  given our assumption that , the probability drops exponentially as the number of blocks the attacker has to catch up with increases. with the odds against him, if he doesn't make a lucky lunge forward early on, his chances become vanishingly small as he falls further behind.

  既是咱们仍旧假设 , 既是报复者须要赶上并超过的区块数目越来越多,那么其胜利几率就会指数级低沉比特币存户端载入。于赢面倒霉时,即使报复者没有在开始就能倒霉地做一个前移步刺,那么他的胜率将在他进一步掉队的同声消释殆尽。

  we now consider how long the recipient of a new transaction needs to wait before being sufficiently certain the sender can't change the transaction. we assume the sender is an attacker who wants to make the recipient believe he paid him for a while, then switch it to pay back to himself after some time has passed. the receiver will be alerted when that happens, but the sender hopes it will be too late.


  the receiver generates a new key pair and gives the public key to the sender shortly before signing. this prevents the sender from preparing a chain of blocks ahead of time by working on it continuously until he is lucky enough to get far enough ahead, then executing the transaction at that moment. once the transaction is sent, the dishonest sender starts working in secret on a parallel chain containing an alternate version of his transaction.


  the recipient waits until the transaction has been added to a block and blocks have been linked after it. he doesn't know the exact amount of progress the attacker has made, but assuming the honest blocks took the average expected time per block, the attacker's potential progress will be a poisson distribution with expected value:

  收款人比及此笔买卖被打包进区块,并仍旧有 个区块随后被介入比特币存户端载入。他并不领会报复者的处事发达毕竟怎样,然而不妨假设淳厚区块在每个区块天生进程中奢侈的平衡功夫;报复者的潜伏发达适合泊松散布,其憧憬值为:

  to get the probability the attacker could still catch up now, we multiply the poisson density for each amount of progress he could have made by the probability he could catch up from that point:


  rearranging to avoid summing the infinite tail of the distribution...


  converting to c code...

  变换为 c 谈话步调……

  #include <math.h>

  double attackersuccessprobability(double q, int z)


  double p = 1.0 - q;

  double lambda = z * (q / p);

  double sum = 1.0;

  int i, k;

  for (k = 0; k <= z; k++)


  double poisson = exp(-lambda);

  for (i = 1; i <= k; i++)

  poisson *= lambda / i;

  sum -= poisson * (1 - pow(q / p, z - k));


  return sum;


  running some results, we can see the probability drop off exponentially with .

  获得局部截止比特币存户端载入,咱们不妨看到几率跟着 的减少指数级低沉:


  z=0 p=1.0000000

  z=1 p=0.2045873

  z=2 p=0.0509779

  z=3 p=0.0131722

  z=4 p=0.0034552

  z=5 p=0.0009137

  z=6 p=0.0002428

  z=7 p=0.0000647

  z=8 p=0.0000173

  z=9 p=0.0000046

  z=10 p=0.0000012


  z=0 p=1.0000000

  z=5 p=0.1773523

  z=10 p=0.0416605

  z=15 p=0.0101008

  z=20 p=0.0024804

  z=25 p=0.0006132

  z=30 p=0.0001522

  z=35 p=0.0000379

  z=40 p=0.0000095

  z=45 p=0.0000024

  z=50 p=0.0000006

  solving for p less than 0.1%...

  假如 p 小于 0.1%……

  p < 0.001

  q=0.10 z=5

  q=0.15 z=8

  q=0.20 z=11

  q=0.25 z=15

  q=0.30 z=24

  q=0.35 z=41

  q=0.40 z=89

  q=0.45 z=340

  12. 论断 (conclusion)

  we have proposed a system for electronic transactions without relying on trust. we started with the usual framework of coins made from digital signatures, which provides strong control of ownership, but is incomplete without a way to prevent double-spending. to solve this, we proposed a peer-to-peer network using proof-of-work to record a public history of transactions that quickly becomes computationally impractical for an attacker to change if honest nodes control a majority of cpu power. the network is robust in its unstructured simplicity. nodes work all at once with little coordination. they do not need to be identified, since messages are not routed to any particular place and only need to be delivered on a best effort basis. nodes can leave and rejoin the network at will, accepting the proof-of-work chain as proof of what happened while they were gone. they vote with their cpu power, expressing their acceptance of valid blocks by working on extending them and rejecting invalid blocks by refusing to work on them. any needed rules and incentives can be enforced with this consensus mechanism.

  咱们提出了一个不用依附断定的电子买卖体例;开始是一个普遍的运用数字出面的金币框架发端,固然它供给了兴盛的一切权遏制,却没辙制止双重付出比特币存户端载入。为领会决这个题目,咱们提出一个运用处事表明体制的点对点搜集去记载一个公然的买卖记载汗青,只有淳厚节点不妨遏制大普遍 cpu 算力,那么报复者就仅从算力上面就不大概胜利窜改体例。这个搜集的兴盛在乎它的无构造的大略。节点们不妨在很少共同的情景下刹时同声处事。它们以至不须要被辩别,由于动静的路途并非在于于一定的尽头;动静只须要被以最大全力为基础去传递即可。节点往返自在,从新加时髦,只须要接收处事表明链,动作它们离线之时所爆发之十足的表明。它们经过它们的 cpu 算力开票,经过连接为链增添新的灵验区块、中断失效区块,去表白它们对灵验买卖的接收与否。任何需要的准则和赞美都不妨经过这个共鸣体制来强迫实行。

  李笑来 译



2021-05-06 04:13:45 回复该评论
2021-05-06 04:13:45 回复该评论
2021-05-06 17:04:40 回复该评论
2021-05-06 17:04:40 回复该评论
2021-05-06 17:04:40 回复该评论