比特幣白皮書
Bitcoin:APeer-to-PeerElectronicCashSystem
SatoshiNakamoto
satoshin@gmx.com
www.bitcoin.org
Abstract
Bitcoin:APeer-to-PeerElectronicCashSystem
SatoshiNakamoto
satoshin@gmx.com
www.bitcoin.org
1.Introduction
CommerceontheInternethascometorelyalmostexclusivelyonfinancialinstitutionsservingastrustedthirdpartiestoprocesselectronicpayments.Whilethesystemworkswellenoughformosttransactions,itstillsuffersfromtheinherentweaknessesofthetrustbasedmodel.Completelynon-reversibletransactionsarenotreallypossible,sincefinancialinstitutionscannotavoidmediatingdisputes.Thecostofmediationincreasestransactioncosts,limitingtheminimumpracticaltransactionsizeandcuttingoffthepossibilityforsmallcasualtransactions,andthereisabroadercostinthelossofabilitytomakenon-reversiblepaymentsfornonreversibleservices.Withthepossibilityofreversal,theneedfortrustspreads.Merchantsmustbewaryoftheircustomers,hasslingthemformoreinformationthantheywouldotherwiseneed.Acertainpercentageoffraudisacceptedasunavoidable.Thesecostsandpaymentuncertaintiescanbeavoidedinpersonbyusingphysicalcurrency,butnomechanismexiststomakepaymentsoveracommunicationschannelwithoutatrustedparty.
Whatisneededisanelectronicpaymentsystembasedoncryptographicproofinsteadoftrust,allowinganytwowillingpartiestotransactdirectlywitheachotherwithouttheneedforatrustedthirdparty.Transactionsthatarecomputationallyimpracticaltoreversewouldprotectsellersfromfraud,androutineescrowmechanismscouldeasilybeimplementedtoprotectbuyers.Inthispaper,weproposeasolutiontothedouble-spendingproblemusingapeer-to-peerdistributedtimestampservertogeneratecomputationalproofofthechronologicalorderoftransactions.ThesystemissecureaslongashonestnodescollectivelycontrolmoreCPUpowerthananycooperatinggroupofattackernodes.
2.Transactions
Wedefineanelectroniccoinasachainofdigitalsignatures.Eachownertransfersthecointothenextbydigitallysigningahashoftheprevioustransactionandthepublickeyofthenextownerandaddingthesetotheendofthecoin.Apayeecanverifythesignaturestoverifythechainofownership.
當前比特幣市值占比升至40.5%:金色財經報道,據CoinGecko數據顯示,當前加密貨幣市值為1.828萬億美元,24小時交易量為1110億美元,當前比特幣市值占比為40.5%,以太坊市值占比為17.7%。[2022/2/26 10:17:14]
Theproblemofcourseisthepayeecan'tverifythatoneoftheownersdidnotdouble-spendthecoin.Acommonsolutionistointroduceatrustedcentralauthority,ormint,thatcheckseverytransactionfordoublespending.Aftereachtransaction,thecoinmustbereturnedtotheminttoissueanewcoin,andonlycoinsissueddirectlyfromthemintaretrustednottobedouble-spent.Theproblemwiththissolutionisthatthefateoftheentiremoneysystemdependsonthecompanyrunningthemint,witheverytransactionhavingtogothroughthem,justlikeabank.
Weneedawayforthepayeetoknowthatthepreviousownersdidnotsignanyearliertransactions.Forourpurposes,theearliesttransactionistheonethatcounts,sowedon'tcareaboutlaterattemptstodouble-spend.Theonlywaytoconfirmtheabsenceofatransactionistobeawareofalltransactions.Inthemintbasedmodel,themintwasawareofalltransactionsanddecidedwhicharrivedfirst.Toaccomplishthiswithoutatrustedparty,transactionsmustbepubliclyannounced,andweneedasystemforparticipantstoagreeonasinglehistoryoftheorderinwhichtheywerereceived.Thepayeeneedsproofthatatthetimeofeachtransaction,themajorityofnodesagreeditwasthefirstreceived.
3.TimestampServer
Thesolutionweproposebeginswithatimestampserver.Atimestampserverworksbytakingahashofablockofitemstobetimestampedandwidelypublishingthehash,suchasinanewspaperorUsenetpost.Thetimestampprovesthatthedatamusthaveexistedatthetime,obviously,inordertogetintothehash.Eachtimestampincludestheprevioustimestampinitshash,formingachain,witheachadditionaltimestampreinforcingtheonesbeforeit.
4.Proof-of-Work
Toimplementadistributedtimestampserveronapeer-to-peerbasis,wewillneedtouseaproofof-worksystemsimilartoAdamBack'sHashcash,ratherthannewspaperorUsenetposts.Theproof-of-workinvolvesscanningforavaluethatwhenhashed,suchaswithSHA-256,thehashbeginswithanumberofzerobits.Theaverageworkrequiredisexponentialinthenumberofzerobitsrequiredandcanbeverifiedbyexecutingasinglehash.
Forourtimestampnetwork,weimplementtheproof-of-workbyincrementinganonceintheblockuntilavalueisfoundthatgivestheblock'shashtherequiredzerobits.OncetheCPUefforthasbeenexpendedtomakeitsatisfytheproof-of-work,theblockcannotbechangedwithoutredoingthework.Aslaterblocksarechainedafterit,theworktochangetheblockwouldincluderedoingalltheblocksafterit.
數據:已有11家紐交所上市公司官宣持有比特幣,占流通量的3.2%:微博財經博主BeatleNews表示,根據BitcoinTreasuries提供的數據,已經有11家紐交所上市公司官宣持有比特幣,總量59.28萬,約占流通量中的3.2%。需要注意的是,Grayscale,Coinshare等這類基金相當于托管。據悉,紐交所上市公司大概有4000家左右。[2020/10/10]
Theproof-of-workalsosolvestheproblemofdeterminingrepresentationinmajoritydecisionmaking.Ifthemajoritywerebasedonone-IP-address-one-vote,itcouldbesubvertedbyanyoneabletoallocatemanyIPs.Proof-of-workisessentiallyone-CPU-one-vote.Themajoritydecisionisrepresentedbythelongestchain,whichhasthegreatestproofof-workeffortinvestedinit.IfamajorityofCPUpoweriscontrolledbyhonestnodes,thehonestchainwillgrowthefastestandoutpaceanycompetingchains.Tomodifyapastblock,anattackerwouldhavetoredotheproof-ofworkoftheblockandallblocksafteritandthencatchupwithandsurpasstheworkofthehonestnodes.Wewillshowlaterthattheprobabilityofaslowerattackercatchingupdiminishesexponentiallyassubsequentblocksareadded.
Tocompensateforincreasinghardwarespeedandvaryinginterestinrunningnodesovertime,theproof-of-workdifficultyisdeterminedbyamovingaveragetargetinganaveragenumberofblocksperhour.Ifthey'regeneratedtoofast,thedifficultyincreases.
5.Network
Thestepstorunthenetworkareasfollows:
1)Newtransactionsarebroadcasttoallnodes.
2)Eachnodecollectsnewtransactionsintoablock.
3)Eachnodeworksonfindingadifficultproof-of-workforitsblock.
4)Whenanodefindsaproof-of-work,itbroadcaststheblocktoallnodes.
5)Nodesaccepttheblockonlyifalltransactionsinitarevalidandnotalreadyspent.
6)Nodesexpresstheiracceptanceoftheblockbyworkingoncreatingthenextblockinthechain,usingthehashoftheacceptedblockastheprevioushash.
Nodesalwaysconsiderthelongestchaintobethecorrectoneandwillkeepworkingonextendingit.Iftwonodesbroadcastdifferentversionsofthenextblocksimultaneously,somenodesmayreceiveoneortheotherfirst.Inthatcase,theyworkonthefirstonetheyreceived,butsavetheotherbranchincaseitbecomeslonger.Thetiewillbebrokenwhenthenextproofof-workisfoundandonebranchbecomeslonger;thenodesthatwereworkingontheotherbranchwillthenswitchtothelongerone.
Newtransactionbroadcastsdonotnecessarilyneedtoreachallnodes.Aslongastheyreachmanynodes,theywillgetintoablockbeforelong.Blockbroadcastsarealsotolerantofdroppedmessages.Ifanodedoesnotreceiveablock,itwillrequestitwhenitreceivesthenextblockandrealizesitmissedone.
外媒:IMF報告稱冠狀病引發的經濟衰退會對比特幣不利:4月14日,國際貨幣基金組織(IMF)發布了《世界經濟展望》(World Economic Outlook)季度報告,稱COVID-19引發的封鎖是90年來最嚴重的經濟衰退,并預測到2022年,全球經濟損失總額將達到9萬億美元。Cointelegraph分析稱,該預測可能會對比特幣造成不利影響,因為BTC最近與標普500指數的關聯度創下歷史新高。Coinmetrics 4月14日公布的數據顯示,3月中旬的市場動蕩使比特幣與傳統市場的相關性創下新高。(Cointelegraph)[2020/4/15]
6.Incentive
Byconvention,thefirsttransactioninablockisaspecialtransactionthatstartsanewcoinownedbythecreatoroftheblock.Thisaddsanincentivefornodestosupportthenetwork,andprovidesawaytoinitiallydistributecoinsintocirculation,sincethereisnocentralauthoritytoissuethem.Thesteadyadditionofaconstantofamountofnewcoinsisanalogoustogoldminersexpendingresourcestoaddgoldtocirculation.Inourcase,itisCPUtimeandelectricitythatisexpended.
Theincentivecanalsobefundedwithtransactionfees.Iftheoutputvalueofatransactionislessthanitsinputvalue,thedifferenceisatransactionfeethatisaddedtotheincentivevalueoftheblockcontainingthetransaction.Onceapredeterminednumberofcoinshaveenteredcirculation,theincentivecantransitionentirelytotransactionfeesandbecompletelyinflationfree.
Theincentivemayhelpencouragenodestostayhonest.IfagreedyattackerisabletoassemblemoreCPUpowerthanallthehonestnodes,hewouldhavetochoosebetweenusingittodefraudpeoplebystealingbackhispayments,orusingittogeneratenewcoins.Heoughttofinditmoreprofitabletoplaybytherules,suchrulesthatfavourhimwithmorenewcoinsthaneveryoneelsecombined,thantounderminethesystemandthevalidityofhisownwealth.
7.ReclaimingDiskSpace
Oncethelatesttransactioninacoinisburiedunderenoughblocks,thespenttransactionsbeforeitcanbediscardedtosavediskspace.Tofacilitatethiswithoutbreakingtheblock'shash,transactionsarehashedinaMerkleTree,withonlytherootincludedintheblock'shash.Oldblockscanthenbecompactedbystubbingoffbranchesofthetree.Theinteriorhashesdonotneedtobestored.
Ablockheaderwithnotransactionswouldbeabout80bytes.Ifwesupposeblocksaregeneratedevery10minutes,80bytes*6*24*365=4.2MBperyear.Withcomputersystemstypicallysellingwith2GBofRAMasof2008,andMoore'sLawpredictingcurrentgrowthof1.2GBperyear,storageshouldnotbeaproblemeveniftheblockheadersmustbekeptinmemory.
8.SimplifiedPaymentVerification
比特幣期貨收跌逾2%:CME比特幣期貨BTC 6月合約收跌235美元,跌幅超過2.43%,報9435美元,5月3日以9675美元創3月7日以來主力合約收盤最高位、上周漲約6.5%。CBOE比特幣期貨XBT 6月合約收跌300美元,跌超3.09%,報9405美元,5月4日以9705美元錄得3月7日以來主力合約收盤最高位,上周漲約6.2%。[2018/5/8]
Itispossibletoverifypaymentswithoutrunningafullnetworknode.Auseronlyneedstokeepacopyoftheblockheadersofthelongestproof-of-workchain,whichhecangetbyqueryingnetworknodesuntilhe'sconvincedhehasthelongestchain,andobtaintheMerklebranchlinkingthetransactiontotheblockit'stimestampedin.Hecan'tcheckthetransactionforhimself,butbylinkingittoaplaceinthechain,hecanseethatanetworknodehasacceptedit,andblocksaddedafteritfurtherconfirmthenetworkhasacceptedit.
Assuch,theverificationisreliableaslongashonestnodescontrolthenetwork,butismorevulnerableifthenetworkisoverpoweredbyanattacker.Whilenetworknodescanverifytransactionsforthemselves,thesimplifiedmethodcanbefooledbyanattacker'sfabricatedtransactionsforaslongastheattackercancontinuetooverpowerthenetwork.Onestrategytoprotectagainstthiswouldbetoacceptalertsfromnetworknodeswhentheydetectaninvalidblock,promptingtheuser'ssoftwaretodownloadthefullblockandalertedtransactionstoconfirmtheinconsistency.Businessesthatreceivefrequentpaymentswillprobablystillwanttoruntheirownnodesformoreindependentsecurityandquickerverification.
9.CombiningandSplittingValue
Althoughitwouldbepossibletohandlecoinsindividually,itwouldbeunwieldytomakeaseparatetransactionforeverycentinatransfer.Toallowvaluetobesplitandcombined,transactionscontainmultipleinputsandoutputs.Normallytherewillbeeitherasingleinputfromalargerprevioustransactionormultipleinputscombiningsmalleramounts,andatmosttwooutputs:oneforthepayment,andonereturningthechange,ifany,backtothesender.
Itshouldbenotedthatfan-out,whereatransactiondependsonseveraltransactions,andthosetransactionsdependonmanymore,isnotaproblemhere.Thereisnevertheneedtoextractacompletestandalonecopyofatransaction'shistory.
10.Privacy
Thetraditionalbankingmodelachievesalevelofprivacybylimitingaccesstoinformationtothepartiesinvolvedandthetrustedthirdparty.Thenecessitytoannouncealltransactionspubliclyprecludesthismethod,butprivacycanstillbemaintainedbybreakingtheflowofinformationinanotherplace:bykeepingpublickeysanonymous.Thepubliccanseethatsomeoneissendinganamounttosomeoneelse,butwithoutinformationlinkingthetransactiontoanyone.Thisissimilartothelevelofinformationreleasedbystockexchanges,wherethetimeandsizeofindividualtrades,the"tape",ismadepublic,butwithouttellingwhothepartieswere.
投資者將以19.62萬美元賣出比特幣是現價的26倍:據美聯社的一項統計,普通投資者將以196165.78美元的價格出售自己的比特幣,比目前的價格高出26倍以上。調查顯示,只有16.49%的受訪者表示計劃持有比特幣不到一年,而超過三分之二的人沒有賣出的任何打算。[2017/11/17]
Asanadditionalfirewall,anewkeypairshouldbeusedforeachtransactiontokeepthemfrombeinglinkedtoacommonowner.Somelinkingisstillunavoidablewithmulti-inputtransactions,whichnecessarilyrevealthattheirinputswereownedbythesameowner.Theriskisthatiftheownerofakeyisrevealed,linkingcouldrevealothertransactionsthatbelongedtothesameowner.
11.Calculations
Weconsiderthescenarioofanattackertryingtogenerateanalternatechainfasterthanthehonestchain.Evenifthisisaccomplished,itdoesnotthrowthesystemopentoarbitrarychanges,suchascreatingvalueoutofthinairortakingmoneythatneverbelongedtotheattacker.Nodesarenotgoingtoacceptaninvalidtransactionaspayment,andhonestnodeswillneveracceptablockcontainingthem.Anattackercanonlytrytochangeoneofhisowntransactionstotakebackmoneyherecentlyspent.
TheracebetweenthehonestchainandanattackerchaincanbecharacterizedasaBinomialRandomWalk.Thesuccesseventisthehonestchainbeingextendedbyoneblock,increasingitsleadby+1,andthefailureeventistheattacker'schainbeingextendedbyoneblock,reducingthegapby-1.
TheprobabilityofanattackercatchingupfromagivendeficitisanalogoustoaGambler'sRuinproblem.Supposeagamblerwithunlimitedcreditstartsatadeficitandplayspotentiallyaninfinitenumberoftrialstotrytoreachbreakeven.Wecancalculatetheprobabilityheeverreachesbreakeven,orthatanattackerevercatchesupwiththehonestchain,asfollows:
Givenourassumptionthatp>q,theprobabilitydropsexponentiallyasthenumberofblockstheattackerhastocatchupwithincreases.Withtheoddsagainsthim,ifhedoesn'tmakealuckylungeforwardearlyon,hischancesbecomevanishinglysmallashefallsfurtherbehind.
Wenowconsiderhowlongtherecipientofanewtransactionneedstowaitbeforebeingsufficientlycertainthesendercan'tchangethetransaction.Weassumethesenderisanattackerwhowantstomaketherecipientbelievehepaidhimforawhile,thenswitchittopaybacktohimselfaftersometimehaspassed.Thereceiverwillbealertedwhenthathappens,butthesenderhopesitwillbetoolate.
Thereceivergeneratesanewkeypairandgivesthepublickeytothesendershortlybeforesigning.Thispreventsthesenderfrompreparingachainofblocksaheadoftimebyworkingonitcontinuouslyuntilheisluckyenoughtogetfarenoughahead,thenexecutingthetransactionatthatmoment.Oncethetransactionissent,thedishonestsenderstartsworkinginsecretonaparallelchaincontaininganalternateversionofhistransaction.
Therecipientwaitsuntilthetransactionhasbeenaddedtoablockandzblockshavebeenlinkedafterit.Hedoesn'tknowtheexactamountofprogresstheattackerhasmade,butassumingthehonestblockstooktheaverageexpectedtimeperblock,theattacker'spotentialprogresswillbeaPoissondistributionwithexpectedvalue:
Togettheprobabilitytheattackercouldstillcatchupnow,wemultiplythePoissondensityforeachamountofprogresshecouldhavemadebytheprobabilityhecouldcatchupfromthatpoint:
Rearrangingtoavoidsummingtheinfinitetailofthedistribution...
ConvertingtoCcode...
#includedoubleAttackerSuccessProbability(doubleq,intz)
{
doublep=1.0-q;
doublelambda=z*(q/p);
doublesum=1.0;
inti,k;
for(k=0;k<=z;k++)
{
doublepoisson=exp(-lambda);
for(i=1;i<=k;i++)
poisson*=lambda/i;
sum-=poisson*(1-pow(q/p,z-k));
}
returnsum;
}
Runningsomeresults,wecanseetheprobabilitydropoffexponentiallywithz.
q=0.1
z=0P=1.0000000
z=1P=0.2045873
z=2P=0.0509779
z=3P=0.0131722
z=4P=0.0034552
z=5P=0.0009137
z=6P=0.0002428
z=7P=0.0000647
z=8P=0.0000173
z=9P=0.0000046
z=10P=0.0000012
q=0.3
z=0P=1.0000000
z=5P=0.1773523
z=10P=0.0416605
z=15P=0.0101008
z=20P=0.0024804
z=25P=0.0006132
z=30P=0.0001522
z=35P=0.0000379
z=40P=0.0000095
z=45P=0.0000024
z=50P=0.0000006
SolvingforPlessthan0.1%...
P<0.001
q=0.10z=5
q=0.15z=8
q=0.20z=11
q=0.25z=15
q=0.30z=24
q=0.35z=41
q=0.40z=89
q=0.45z=340
12.Conclusion
Wehaveproposedasystemforelectronictransactionswithoutrelyingontrust.Westartedwiththeusualframeworkofcoinsmadefromdigitalsignatures,whichprovidesstrongcontrolofownership,butisincompletewithoutawaytopreventdouble-spending.Tosolvethis,weproposedapeer-to-peernetworkusingproof-of-worktorecordapublichistoryoftransactionsthatquicklybecomescomputationallyimpracticalforanattackertochangeifhonestnodescontrolamajorityofCPUpower.Thenetworkisrobustinitsunstructuredsimplicity.Nodesworkallatoncewithlittlecoordination.Theydonotneedtobeidentified,sincemessagesarenotroutedtoanyparticularplaceandonlyneedtobedeliveredonabesteffortbasis.Nodescanleaveandrejointhenetworkatwill,acceptingtheproof-ofworkchainasproofofwhathappenedwhiletheyweregone.TheyvotewiththeirCPUpower,expressingtheiracceptanceofvalidblocksbyworkingonextendingthemandrejectinginvalidblocksbyrefusingtoworkonthem.Anyneededrulesandincentivescanbeenforcedwiththisconsensusmechanism.
References
W.Dai,"b-money,"http://www.weidai.com/bmoney.txt,1998.
H.Massias,X.S.Avila,andJ.-J.Quisquater,"Designofasecuretimestampingservicewithminimal
trustrequirements,"In20thSymposiumonInformationTheoryintheBenelux,May1999.
S.Haber,W.S.Stornetta,"Howtotime-stampadigitaldocument,"InJournalofCryptology,vol3,no
2,pages99-111,1991.
D.Bayer,S.Haber,W.S.Stornetta,"Improvingtheefficiencyandreliabilityofdigitaltime-stamping,"
InSequencesII:MethodsinCommunication,SecurityandComputerScience,pages329-334,1993.
S.Haber,W.S.Stornetta,"Securenamesforbit-strings,"InProceedingsofthe4thACMConference
onComputerandCommunicationsSecurity,pages28-35,April1997.
A.Back,"Hashcash-adenialofservicecounter-measure,"
http://www.hashcash.org/papers/hashcash.pdf,2002.
R.C.Merkle,"Protocolsforpublickeycryptosystems,"InProc.1980SymposiumonSecurityand
Privacy,IEEEComputerSociety,pages122-133,April1980.
W.Feller,"Anintroductiontoprobabilitytheoryanditsapplications,"1957.
沙棘財經是沙棘傳媒旗下專注大數據、人工智能、區塊鏈、幣圈的深度報道的垂直自媒體。微信公眾號:shaji-media
區塊鏈兄弟社區,區塊鏈技術專業問答先行者,中國區塊鏈技術愛好者聚集地來源:區塊鏈社區HiBlock內容綜合自公眾號:區塊鏈及加密貨幣研究、EXV星球、區塊鏈艾迪生華章圖書:《鏈接未來:迎接區塊鏈.
1900/1/1 0:00:00昨天李笑來罵幣圈和散戶傻X,罵得眾人目瞪口呆。一個幣民說,李笑來就像揭開了皇帝的新裝,這都是幣圈公開的秘密,這個圈子的真實狀況,無非就是交易所的幣種大都是空氣幣、傳銷幣,然后大佬套路散戶,割韭菜.
1900/1/1 0:00:00比特幣挖礦重現淘金熱潮當我們對上網挖礦的認知,還停留在黃金礦工的小游戲時,有一群“礦工”已經開始忙著上網挖礦賺錢了。當然,他們挖的并不是真正的礦,而是一種叫做比特幣的數字貨幣.
1900/1/1 0:00:00最近氨糖軟骨素特別流行,有很多人問什么牌子的氨糖軟骨素?氨糖軟骨素價格都為多少?下面我們就來詳細說一下。 舉一個我家里人的例子.
1900/1/1 0:00:00在比特幣這個市場中90%以上的投資者都是普通投資者,這些人都有一個共性,那么就是他們不是正在虧錢,就是在虧錢的路上.
1900/1/1 0:00:00本期重點解讀比特幣的白皮書,對此有一定了解的讀者可略過。上期最后講到中本聰在2008年發明了比特幣,那么比特幣到底是什么呢?我們先看中本聰自己在白皮書中的說法:一種完全通過點對點技術實現的電子現.
1900/1/1 0:00:00