《比特币:点对点电子现金系统》全文重译,终于自己能看明白了
Bitcoin: A Peer-to-Peer Electronic Cash System
比特币:点对点电子现金系统
Abstract. A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.
摘要 完全的peer-to-peer电子现金,使得在线支付不再需要任何一个金融中介,而是直接从一方发送给另一方。数字签名虽然为此提供了部分解决方案,但因其仍然需要一个可信第三方才能避免双重支付(Double-spending)问题,就失去了其带来的主要应用价值。针对这一情况,本文提出了一种使用peer-to-peer网络解决双重支付(Double-spending)问题的方案。peer-to-peer网络通过将交易不断hash进一条持续延伸的 proof-of-work链,形成一个不重做proof-of-work就无法更改的交易序列记录。最长的链不仅可作为交易结果的目击证据,同时也可作为其来自拥有最大CPU算力池的证据。只要大多数CPU算力不是控制在合作攻击网络的结点手中,正常节点就会超越攻击节点,生成最长的链。该网络自身需要最小结构,产生新消息时尽力广播, 即使节点(Nodes)离线也无妨,当他们重新上线时,就会收到离线期间所发生的所有交易的电子证据,即最长的proof-of-work链 。
1.Inroduction简介
Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. While the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model. Completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes. The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for non- reversible services. With the possibility of reversal, the need for trust spreads. Merchants must be wary of their customers, hassling them for more information than they would otherwise need. A certain percentage of fraud is accepted as unavoidable. These costs and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party.
目前,几乎所有网络交易都依赖于金融机构作为可信的第三方来处理电子支付。虽然多数情况下这种模式运作良好,但这种模式却始终承受着基于信任的内生性风险 (或弱点)。因为金融机构无法避免地要调停各种交易争端,所以在这种模式下完全不可逆的交易几乎不可能存在 。而金融机构的中介费用,既增加了交易成本,又限制了最小可行的交易规模,降低了日常小额交易发生的可能性,让针对不可退货的服务等需要进行不可逆支付的交易,面临更大的损失成本。由于可逆性的存在, 商家为了增强自身遇到欺诈时抵御潜在风险的能力,信用的需求就扩大了,他们会向客户索取本来完全没必要的信息。如果人们的交易使用的是实体现金, 压根儿就不需要金融机构参与其中了,大家的交易成本和支付的不确定性也能完全避免。可遗憾的是,到目前为止,还没有出现无金融中介参与的在线支付机制。
What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party. Transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers. In this paper, we propose a solution to the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions. The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes.
我们需要的是一个无需信用中介的,基于密码学证据而非基于信任的,允许有交易意向的任意两方可直接进行交易的电子支付系统。交易会因计算上的难度变得不可逆转,既可保护卖方免受欺诈,也可利用常规履约保证机制轻松实现对买方的保护。本文提出了一种通过peer-to-peer分布式时间戳服务器,为交易按其发生的时间顺序生成电子证据,来解决双重支付问题的系统解决方案。当诚实节点控制的CPU总算力超过合谋发动网络攻击的节点所控制的CPU总算力时,该方案描述的系统就是安全的。
2.Transactions交易
We define an electronic coin as a chain of digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin. A payee can verify the signatures to verify the chain of ownership.
我们将一串数字签名定义为一个电子货币。 使用前一交易的hash值和目标收款人的公钥hash出新的数字签名,并将该签名附在待转帐电子货币尾部,所有者即可将这些签名后的电子货币转账给下收款人。收款人收到电子货币后,通过检验这一系列hash数字签名,就可验证电子货币的所有权了。
The problem of course is the payee can't verify that one of the owners did not double-spend the coin. A common solution is to introduce a trusted central authority, or mint, that checks every transaction for double spending. After each transaction, the coin must be returned to the mint to issue a new coin, and only coins issued directly from the mint are trusted not to be double-spent. The problem with this solution is that the fate of the entire money system depends on the company running the mint, with every transaction having to go through them, just like a bank.
当然, 问题是收款人此时还不能验证电子货币的前所有者们都没有对该电子货币进行过双重支付(double-spend)。通常,防止双重支付(double-spend)的办法是引入一个可信的中央权威,或造币厂(Mint),来对交易进行逐笔检查 。每一交易发生后, 造币厂需要先回收旧币,而后发行等值新币。只有造币厂直接发行的货币才被相信不会发生双重支付,但这样一来,每一笔交易又都需要通过造币厂之手,就像以前通过银行之手那样,整个货币系统的命运就又会依赖于运营造币厂的公司了。
We need a way for the payee to know that the previous owners did not sign any earlier transactions. For our purposes, the earliest transaction is the one that counts, so we don't care about later attempts to double-spend. The only way to confirm the absence of a transaction is to be aware of all transactions. In the mint based model, the mint was aware of all transactions and decided which arrived first. To accomplish this without a trusted party, transactions must be publicly announced [1], and we need a system for participants to agree on a single history of the order in which they were received. The payee needs proof that at the time of each transaction, the majority of nodes agreed it was the first received.
因此,我们需要一种新的、能让收款人知道电子货币前所有者们都没有对较早的任何交易实施过签名的方法。 为此, 需要一并考察包含最早的交易在内的所有早期交易,而不用关心这笔交易之后的双重支付问题;而唯一可确认之前交易有无缺失的方法,便是让收款人获悉已发生过的全部交易。在基于造币厂(mint)的模型中,造币厂(mint)知晓全部交易,并可决定那一笔交易先到 。所以,要抛开金融中介实现这一切,就必须对交易进行公告(public announce),我们需要让所有参与者共同认可系统的记录是按照交易原本的接收顺序形成的唯一历史序列。因为收款人需要证据证明每一笔交易发生时大多数节点都认同它是首次出现的。
3.Timestamp Server时间戳服务器
The solution we propose begins with a timestamp server. A timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash, such as in a newspaper or Usenet post [2-5]. The timestamp proves that the data must have existed at the time, obviously, in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.
我们提出的方案始于“时间戳服务器”。时间戳服务器先将某个区块(区块由一系列交易组成)的 hash值打上时间戳,而后将打上时间戳的hash值像发行报纸或在Usenent发帖那样广泛地发布出去。很显然, 交易如果没有发生,hash值上就不会有时间戳,时间戳证实了数据在彼时必然真实存在。 每一个hash的时间戳都包含了前一hash的时间戳,通过不断叠加,时间戳得到不断增强、加固,最终会形成一个链条。
4.Proof-of-work工作量证明
To implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proof- of-work system similar to Adam Back's Hashcash [6], rather than newspaper or Usenet posts. The proof-of-work involves scanning for a value that when hashed, such as with SHA-256, the hash begins with a number of zero bits. The average work required is exponential in the number of zero bits required and can be verified by executing a single hash.
为了在peer-to-peer网络上实现分布式时间戳服务器,我们将使用一个称之为proof-of-work的系统,该系统类似于 Adam Back提出的Hash cash系统,而非报纸发行或Usenet发帖系统 。比如使用SHA-256算法加密时,生成的hash值开始于1个或多个0位,proof-of-work就是通过不断扫描,找到的一个特定值,使得hash值拥有其生成时的那么多个0位,proof-of-work的平均必要工作量随着所需的0位数量的增加呈指数式增长。
For our timestamp network, we implement the proof-of-work by incrementing a nonce in the block until a value is found that gives the block's hash the required zero bits. Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it.
为此,我们通过在区块中引入一个随机数(Nounce),使区块的hash串中有特定数量的0位,从而为其构建Proof-of-work。 CPU通过不断尝试,一旦找到满足proof-of-work的随机数,这个区块就不可更改(除非重新进行验证 )。当后续区块已连接到当前区块时,任何企图更改当前区块的proof-of-work,都必须先要对后续所有区块一并进行proof-of-work。
The proof-of-work also solves the problem of determining representation in majority decision making. If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs. Proof-of-work is essentially one-CPU-one-vote. The majority decision is represented by the longest chain, which has the greatest proof-of-work effort invested in it. If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains. To modify a past block, an attacker would have to redo the proof-of-work of the block and all blocks after it and then catch up with and surpass the work of the honest nodes. We will show later that the probability of a slower attacker catching up diminishes exponentially as subsequent blocks are added.
proof-of-work也解决了集体决策的代表性决定问题。如果大多数是基于IP地址的,1个IP地址1票,那么有人就可以通过分配很多IP地址来颠覆该机制。而proof-of-work本质是一CPU一票。大多数人的决定表现为最长的链,因为最长的链包含了 最大已投入的proof-of-work量。如果大多数CPU算力被诚实节点所控制,那么诚实链将以最快的速度延伸,超越其他任何竞争链。要想修改已产生的区块,攻击者就要对目标区块以及紧随其后的所有区块重做proof-of-work,并且攻击者的proof-of-work的速度要非常快,快到能赶上并超过诚实节点的proof-of-work。我们将在后面证明较慢的攻击者赶上诚实节点的概率呈指数化递减。
To compensate for increasing hardware speed and varying interest in running nodes over time, the proof-of-work difficulty is determined by a moving average targeting an average number of blocks per hour. If they're generated too fast, the difficulty increases.
为弥补不断增加的硬件运算速度和在线节点随时间起伏变化出现的差距,proof-of-work的难度由每小时产生区块量的移动平均值决定,若区块产生速度的过快,难度就会相应增加。
5.Network网络
The steps to run the network are as follows:
1) New transactions are broadcast to all nodes.
2) Each node collects new transactions into a block.
3) Each node works on finding a difficult proof-of-work for its block.
4) When a node finds a proof-of-work, it broadcasts the block to all nodes.
5) Nodes accept the block only if all transactions in it are valid and not already spent.
6) Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.
网络运行步骤如下:
- 新交易向所有节点广播;
- 每个节点将新交易收纳进一个区块;
- 每个节点都尝试在各自的区块中找到一个有足够难度的 proof-of-work;
- 当有一个节点率先找到了proof-of-work后,就将区块向全部节点广播。
- 当且仅当该区块包含的所有交易信息是有效的、且之前未支付过,其他节点才接受该区块。
- 其他节点表示接受该区块的方式是在该区块后面创建链上的新区块 。
Nodes always consider the longest chain to be the correct one and will keep working on extending it. If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first. In that case, they work on the first one they received, but save the other branch in case it becomes longer. The tie will be broken when the next proof- of-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one.
节点始终将最长的链视为正确的链,并通过持续的proof-of-work来延长它。假如两个节点同时广播了不同版本的新区块,有些节点可能会出现先收到这个后收到那个的情况。当此情形,他们将对率先收到的block进行proof-of-work,但也会保留另一个分支以防它变得更长。当下一个proof-of-work被发现后,这一联系就会破裂,其中一条分支链就会变长,在另一条分支上工作的节点就会转换到较长的链上工作。
New transaction broadcasts do not necessarily need to reach all nodes. As long as they reach many nodes, they will get into a block before long. Block broadcasts are also tolerant of dropped messages. If a node does not receive a block, it will request it when it receives the next block and realizes it missed one.
对新交易的广播不必到达所有节点。只要交易信息能够到达许多节点,就会很快被整合进一个区块中。而且区块广播也能容忍丢失的信息,如果一个节点没有收到某一区块,该节点将在收到下一区块时请求自身所缺失的那个区块。
6.Incentive激励
By convention, the first transaction in a block is a special transaction that starts a new coin owned by the creator of the block. This adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no central authority to issue them. The steady addition of a constant of amount of new coins is analogous to gold miners expending resources to add gold to circulation. In our case, it is CPU time and electricity that is expended.
从惯例上来说,区块中的第一笔交易是特殊的交易,该交易是一枚归区块创建者所有的新币。这就为节点支持区块链网络发展增加了激励机制,同时这也开辟了无需中央权威发行机构,电子货币即可进入流通领域额的途径 。这种将一定数量的新币持续注入流通领域的方法,非常类似于矿工耗费资源去开采黄金并将黄金注入流通流域。不过,与矿工挖黄金不同的是,我们需要耗费的资源的是CPU的时间以及所需电力。
The incentive can also be funded with transaction fees. If the output value of a transaction is less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction. Once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation free.
激励也可由交易费用来提供。如果一笔交易的价值输出少于价值输入,那么差额就是交易费,就可新增到对包含该交易的区块的激励中。一旦预定数量的电子货币全部进入流通流域,激励就可以逐渐转换为完全依靠交易费来维系,而不会发生通货膨胀。
The incentive may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.
激励有助于鼓励节点保持诚实。如果贪婪的攻击者能够调集比所有诚实节点加起来都要多的CPU算力,他就不得不权衡是偷回已支付的钱进行欺诈,还是用它来产生新的电子货币来得划算。他会发现与其破坏系统挖自己财富的墙角,不如按规则行事更为有利。如果按规则行事,他将获得比其他个体加起来都多的回报 。
7.Reclaiming Disk Space 回收硬盘空间
Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. To facilitate this without breaking the block's hash, transactions are hashed in a Merkle Tree [7][2][5], with only the root included in the block's hash. Old blocks can then be compacted by stubbing off branches of the tree. The interior hashes do not need to be stored.
为节省硬盘空间,电子货币的最后一笔交易一旦淹没在后续足够多的区块之中,该电子货币的过往的支付交易就可以被丢弃。为了能够在不破坏区块hash值的同时做到这一点,我们将交易hash进一棵 Merkle树 中,在这棵树上,仅保留了该区块hash值的根(root) 。此时,即可拔除该树的分支来压缩旧区块,而不必保留其内部的hash值。
A block header with no transactions would be about 80 bytes. If we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2MB per year. With computer systems typically selling with 2GB of RAM as of 2008, and Moore's Law predicting current growth of 1.2GB per year, storage should not be a problem even if the block headers must be kept in memory.
一个不含交易的区块链头大约是80字节。假定所有区块产生速度是10分钟,则1年的数据量大约是80bytes*6*24*365=4.2MB。2008年在售的主流电脑的内存RAM是2GB,按照摩尔定律预测,当前内存增长速度1.2GB/年;以此来看, 即使将区块头全部保存到内存中都不成问题。
8.Simplified Payment Verification 简化的支付确认
It is possible to verify payments without running a full network node. A user only needs to keep a copy of the block headers of the longest proof-of-work chain, which he can get by querying network nodes until he's convinced he has the longest chain, and obtain the Merkle branch linking the transaction to the block it's timestamped in. He can't check the transaction for himself, but by linking it to a place in the chain, he can see that a network node has accepted it, and blocks added after it further confirm the network has accepted it.
即使网络节点没有全部运行,也能进行支付验证。用户只需保存一个最长的proof-of-work链的区块头备份,通过不断向其他网络节点查询,直到确认自己也拥有最长的链,从而获取那些与Merkle分支链接着的、已加上时间戳而被纳入区块的交易。节点想自行检验这些交易的有效性原本是不可能的,但可以看到某个网络节点曾经接受了它,而且其后续追加进的区块更进一步证明全网曾接受过它。
As such, the verification is reliable as long as honest nodes control the network, but is more vulnerable if the network is overpowered by an attacker. While network nodes can verify transactions for themselves, the simplified method can be fooled by an attacker's fabricated transactions for as long as the attacker can continue to overpower the network. One strategy to protect against this would be to accept alerts from network nodes when they detect an invalid block, prompting the user's software to download the full block and alerted transactions to confirm the inconsistency. Businesses that receive frequent payments will probably still want to run their own nodes for more independent security and quicker verification.
这样,只要诚实的节点控制着网络,验证机制就是可靠的。但是,全网如果被一个过于强大的攻击者攻击时,就会变得非常脆弱。因为网络节点可以自行检验交易的有效性,假如攻击者能够持续对网络保持压制态势,简化的机制就会被攻击者伪造的交易所愚弄。一个免于被愚弄的策略是,只要检测到无效的区块,就会从网络收到警报,提醒用户下载整个区块和报警交易,以确认不一致的地方。对于频繁发生大量支付的商业机构,为了更加独立、安全和快速的验证,可能仍会运行他们自己的节点。
9.Combining and Splitting Value 价值的组合与分割
Although it would be possible to handle coins individually, it would be unwieldy to make a separate transaction for every cent in a transfer. To allow value to be split and combined, transactions contain multiple inputs and outputs. Normally there will be either a single input from a larger previous transaction or multiple inputs combining smaller amounts, and at most two outputs: one for the payment, and one returning the change, if any, back to the sender.
尽管可以对单个电子货币货币进行处理,但是对交易中每一分钱发起一次单独交易将是一种笨拙的办法。为了便于价值的分割和组合,交易包含了多个输入和输出。通常,输入(inputs)既可以是源于前一笔交易的单一大金额输入,也可以是由若干小金额合并而成的多个输入;但是,输出最多只有两个:一个用于支付,一个用于找零(如有必要向发送者找零的必要)。
It should be noted that fan-out, where a transaction depends on several transactions, and those transactions depend on many more, is not a problem here. There is never the need to extract a complete standalone copy of a transaction's history.
需要指出的是,即使出现扇出(fan-out),即一笔交易依赖于多笔交易,而这多笔交易的又各自依赖于更多交易时,也是没有问题的,没有必要单独提取完全独立的交易历史记录。
10.隐私保护
The traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party. The necessity to announce all transactions publicly precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone. This is similar to the level of information released by stock exchanges, where the time and size of individual trades, the "tape", is made public, but without telling who the parties were.
通过限制交易所涉及的各方和第三方信用中介获取信息的范围, 传统的银行模式得以在一定程度上保护隐私。在区块链网络中,因为所有交易必须要公告,所以这种限制隐私获取的方法就行不通了, 我们将通过让公钥匿名,来打破完整的信息流,这样隐私就仍然可以得到保护了。公众可以看到有人正在发送一个金额给其他人,但无法将交易信息与特定的人联系起来。这与证券交易所发布信息的机制相似,证券交易的时间和交易量是记录在案且可供查询的,但交易双方的身份信息严格保密。
As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner. Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.
作为额外的防火墙, 每一笔交易都应该使用一对新的**,以防止有人将交易同某个特定的所有者联系起来。但在有并行输入的交易中, 联系仍然不可避免,因为并行输入表明这些货币都属于同一个所有者。此时的风险在于一旦所有者的公钥被确认属于他,那么人们就可以据此追溯此人的其他交易。
11.计算
We consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain. Even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker. Nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them. An attacker can only try to change one of his own transactions to take back money he recently spent.
我们设想一个场景,在这个场景中,攻击者试图以更快的速度产生一条链来替代诚实链。此种情形下,即使攻击者真的达成了目的,系统也不会开放到让他随意篡改、支配的境地,来凭空创造价值或拿走本来不属于他的钱。因为节点不会接受无效的交易作为支付,诚实节点永远不会接受包含了无效交易的区块。攻击者最多是篡改他自己的交易信息,尝试拿回最近一笔交易中已花出去的钱款。
The race between the honest chain and an attacker chain can be characterized as a Binomial Random Walk. The success event is the honest chain being extended by one block, increasing its lead by +1, and the failure event is the attacker's chain being extended by one block, reducing the gap by -1.
诚实链与攻击链之间的竞赛可用二叉树随机游走模型(Binomial Radom Walk)来描述。成功事件定义为诚实链延伸了一区块,诚实链的领先差距+1;失败事件定义为攻击链延长了一区块,诚实链的领先差距-1。
The probability of an attacker catching up from a given deficit is analogous to a Gambler's Ruin problem. Suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven. We can calculate the probability he ever reaches breakeven, or that an attacker ever catches up with the honest chain, as follows [8]:
攻击者成功填补既定差距的可能性,可以近似的看成赌徒破产问题。假设一个可无限透支信用的赌徒,为了弥补自己的亏空,开始了一场次数为无穷大的**, 我们可以计算他填上亏空的概率,也就是攻击链赶上诚实链的概率。如下所示:
Given our assumption that p > q, the probability drops exponentially as the number of blocks the attacker has to catch up with increases. With the odds against him, if he doesn't make a lucky lunge forward early on, his chances become vanishingly small as he falls further behind.
假定p>q,随着必须赶上的区块数的增加,攻击者成功的概率将呈指数式下降。如果他不能幸运且快速地获得成功,那么他获得成功的机会就会随着进一步的落后而变得愈发渺茫。
We now consider how long the recipient of a new transaction needs to wait before being sufficiently certain the sender can't change the transaction. We assume the sender is an attacker who wants to make the recipient believe he paid him for a while, then switch it to pay back to himself after some time has passed. The receiver will be alerted when that happens, but the sender hopes it will be too late.
我们现在来考虑下一笔新交易需要等待多久,收款人才能确定付款人已经难以更改这笔交易了。我们假定付款人是一个攻击者,他试图让收款人在一段时间内相信已经付款给他了,然后过一段时间又将已经支付的款项重新支付给自己。尽管收款人届时会收到警告发现这一点,但发送者希望收款人收到警告时为时已晚。
The receiver generates a new key pair and gives the public key to the sender shortly before signing. This prevents the sender from preparing a chain of blocks ahead of time by working on it continuously until he is lucky enough to get far enough ahead, then executing the transaction at that moment. Once the transaction is sent, the dishonest sender starts working in secret on a parallel chain containing an alternate version of his transaction.
收款人生成了一个新的**对,然后在签名前的很短时间内将新的公钥交给付款人,就能防止付款人提前准备好一个区块链并幸运地取得足够大的领先优势后才进行支付,等交易发出后,不诚实的付款人就悄悄开始在一条含有替代交易的并行链上进行工作 。
The recipient waits until the transaction has been added to a block and z blocks have been linked after it. He doesn't know the exact amount of progress the attacker has made, but assuming the honest blocks took the average expected time per block, the attacker's potential progress will be a Poisson distribution with expected value:
交易发出后,收款人将一直等待,直到交易被加入到一个区块且已有z个区块链接到所加入的区块;收款人在这段时间内并不知道攻击者取得的确切进度,假设诚实链在每块区块上所花费时间等于平均期望时间,该攻击者的可能进度将服从泊松分布,其期望值为:
To get the probability the attacker could still catch up now, we multiply the Poisson density for each amount of progress he could have made by the probability he could catch up from that point:
用攻击者取得进展区块数量的泊松分布概率密度,乘以每一个从攻击时刻开始攻击者能够赶上的概率,即可算出攻击者可以赶上进度的概率:
Rearranging to avoid summing the infinite tail of the distribution...
此处图略
Converting to C code... 我们将其转化为C代码即为
k=0
#include <math.h>
double AttackerSuccessProbability(double q, int z) {
double p = 1.0 - q;
double lambda = z * (q / p);
double sum = 1.0;
int i, k;
for (k = 0; k <= z; k++) {
double poisson = exp(-lambda);
for (i = 1; i <= k; i++)
poisson *= lambda / i;
sum -= poisson * (1 - pow(q / p, z - k));
}
return sum;
}
Running some results, we can see the probability drop off exponentially with z.
运行代码后,我们可以从运行结果中看到,概率随z的增加呈指数式下降。
1)q=0.1
z=0 P=1.0000000
z=1 P=0.2045873
z=2 P=0.0509779
z=3 P=0.0131722
z=4 P=0.0034552
z=5 P=0.0009137
z=6 P=0.0002428
z=7 P=0.0000647
z=8 P=0.0000173
z=9 P=0.0000046
z=10 P=0.0000012
2)q=0.3
z=0 P=1.0000000
z=5 P=0.1773523
z=10 P=0.0416605
z=15 P=0.0101008
z=20 P=0.0024804
z=25 P=0.0006132
z=30 P=0.0001522
z=35 P=0.0000379
z=40 P=0.0000095
z=45 P=0.0000024
z=50 P=0.0000006
Solving for P less than 0.1%... 当P<0.1%时
P < 0.001
q=0.10 z=5
q=0.15 z=8
q=0.20 z=11
q=0.25 z=15
q=0.30 z=24
q=0.35 z=41
q=0.40 z=89
q=0.45 z=340
12.Conclusion结论
We have proposed a system for electronic transactions without relying on trust. We started with the usual framework of coins made from digital signatures, which provides strong control of ownership, but is incomplete without a way to prevent double-spending. To solve this, we proposed a peer-to-peer network using proof-of-work to record a public history of transactions that quickly becomes computationally impractical for an attacker to change if honest nodes control a majority of CPU power. The network is robust in its unstructured simplicity. Nodes work all at once with little coordination. They do not need to be identified, since messages are not routed to any particular place and only need to be delivered on a best effort basis. Nodes can leave and rejoin the network at will, accepting the proof-of-work chain as proof of what happened while they were gone. They vote with their CPU power, expressing their acceptance of valid blocks by working on extending them and rejecting invalid blocks by refusing to work on them. Any needed rules and incentives can be enforced with this consensus mechanism.
至此,我们已提出了不依赖于信任的电子交易系统。本文开始讨论了基于数字签名的常用货币框架,该框架虽然提供了对所有权的强控制,却因没有阻止双重支付(double-spending)的功能而不具完备能力。为了解决双重支付(double-spending)问题,我们提出了一种新的peer-to-peer网络,该网络使用proof-of-work来公开记录交易历史,使得在诚实节点控制大多数CPU算力的情形下,攻击者试图改变交易的行为变的不切实际。该网络的鲁棒性(Robust)在于其非结构化的简易性。节点在很少合作的情况下即可在一起工作,而无需对其进行识别;消息不必送达任何特定的地方,只需尽力传递即可;节点可以随意离线或重新上线,节点重新上线后,只需接收proof-of-work链作为离线期间所发生交易的证据即可。节点用CPU算力进行投票,表达接受就通过proof-of-work 来延伸有效区块,表达反对就拒绝为无效区块进行proof-of–work 。使用这个共识机制,任何必要的规则和激励均能被强制执行。
References
[1] W. Dai, "b-money," http://www.weidai.com/bmoney.txt, 1998.
[2] H. Massias, X.S. Avila, and J.-J. Quisquater, "Design of a secure timestamping service with minimal trust requirements," In 20th Symposium on Information Theory in the Benelux, May 1999.
[3] S. Haber, W.S. Stornetta, "How to time-stamp a digital document," In Journal of Cryptology, vol 3, no 2, pages 99-111, 1991.
[4] D. Bayer, S. Haber, W.S. Stornetta, "Improving the efficiency and reliability of digital time-stamping," In Sequences II: Methods in Communication, Security and Computer Science, pages 329-334, 1993.
[5] S. Haber, W.S. Stornetta, "Secure names for bit-strings," In Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 28-35, April 1997.
[6] A. Back, "Hashcash - a denial of service counter-measure," http://www.hashcash.org/papers/hashcash.pdf, 2002.
[7] R.C. Merkle, "Protocols for public key cryptosystems," In Proc. 1980 Symposium on Security and Privacy, IEEE Computer Society, pages 122-133, April 1980.
[8] W. Feller, "An introduction to probability theory and its applications," 1957.