Bitcoin White Paper
Bitcoin: A Peer-to-Peer Electronic Cash System
Satoshi Nakamoto
satoshin@gmx.com
www.bitcoin.org
Abstract
1. Introduction
Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. While the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model. Completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes. The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for non-reversible services. With the possibility of reversal, the need for trust spreads. Merchants must be wary of their customers, hassling them for more information than they would otherwise need. A certain percentage of fraud is accepted as unavoidable. These costs and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party.
What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party. Transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers. In this paper, we propose a solution to the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions. The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes.
2. Transactions
We define an electronic coin as a chain of digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin. A payee can verify the signatures to verify the chain of ownership.
The problem of course is the payee can't verify that one of the owners did not double-spend the coin. A common solution is to introduce a trusted central authority, or mint, that checks every transaction for double spending. After each transaction, the coin must be returned to the mint to issue a new coin, and only coins issued directly from the mint are trusted not to be double-spent. The problem with this solution is that the fate of the entire money system depends on the company running the mint, with every transaction having to go through them, just like a bank.
We need a way for the payee to know that the previous owners did not sign any earlier transactions. For our purposes, the earliest transaction is the one that counts, so we don't care about later attempts to double-spend. The only way to confirm the absence of a transaction is to be aware of all transactions. In the mint based model, the mint was aware of all transactions and decided which arrived first. To accomplish this without a trusted party, transactions must be publicly announced, and we need a system for participants to agree on a single history of the order in which they were received. The payee needs proof that at the time of each transaction, the majority of nodes agreed it was the first received.
3. Timestamp Server
The solution we propose begins with a timestamp server. A timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash, such as in a newspaper or Usenet post. The timestamp proves that the data must have existed at the time, obviously, in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.
4. Proof-of-Work
To implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proof-of-work system similar to Adam Back's Hashcash, rather than newspaper or Usenet posts. The proof-of-work involves scanning for a value that when hashed, such as with SHA-256, the hash begins with a number of zero bits. The average work required is exponential in the number of zero bits required and can be verified by executing a single hash.
For our timestamp network, we implement the proof-of-work by incrementing a nonce in the block until a value is found that gives the block's hash the required zero bits. Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it.
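The nonce search and the chaining described above, as an added Python example that is not code from the paper. The block layout (previous hash, 8-byte nonce, payload), the all-zero first "previous hash", the 12-bit difficulty and the sample payloads are assumptions constructed for illustration.

```python
import hashlib

GENESIS_PREV = bytes(32)  # constructed: all-zero "previous hash" for the first block

def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the start of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def block_hash(prev_hash: bytes, payload: bytes, nonce: int) -> bytes:
    # Assumed layout for this example: prev hash || 8-byte nonce || payload.
    return hashlib.sha256(prev_hash + nonce.to_bytes(8, "big") + payload).digest()

def mine(prev_hash: bytes, payload: bytes, zero_bits: int) -> int:
    """Increment the nonce until the block hash has the required zero bits."""
    nonce = 0
    while leading_zero_bits(block_hash(prev_hash, payload, nonce)) < zero_bits:
        nonce += 1
    return nonce

def build_chain(payloads, zero_bits):
    """Mine one block per payload, each committing to the previous block's hash."""
    chain, prev = [], GENESIS_PREV
    for payload in payloads:
        nonce = mine(prev, payload, zero_bits)
        chain.append({"prev": prev, "payload": payload, "nonce": nonce})
        prev = block_hash(prev, payload, nonce)
    return chain

def first_invalid(chain, zero_bits):
    """Verify with one hash per block; return the first bad index, or None."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        digest = block_hash(block["prev"], block["payload"], block["nonce"])
        if block["prev"] != prev or leading_zero_bits(digest) < zero_bits:
            return i
        prev = digest
    return None

def tamper_demo(zero_bits=12):
    """Rewrite block 0, redo only its work, and report where the chain breaks."""
    chain = build_chain([b"alice->bob 5", b"bob->carol 2", b"carol->dave 1"], zero_bits)
    intact = first_invalid(chain, zero_bits)
    forged = [dict(b) for b in chain]
    forged[0]["payload"] = b"alice->mallory 5"
    forged[0]["nonce"] = mine(forged[0]["prev"], forged[0]["payload"], zero_bits)
    return intact, first_invalid(forged, zero_bits)

if __name__ == "__main__":
    print(tamper_demo())  # intact chain verifies; forged chain breaks at block 1
```

Redoing the work for the rewritten block alone is not enough: the next block still commits to the old hash, so verification fails there until every later block is mined again.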
The proof-of-work also solves the problem of determining representation in majority decision making. If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs. Proof-of-work is essentially one-CPU-one-vote. The majority decision is represented by the longest chain, which has the greatest proof-of-work effort invested in it. If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains. To modify a past block, an attacker would have to redo the proof-of-work of the block and all blocks after it and then catch up with and surpass the work of the honest nodes. We will show later that the probability of a slower attacker catching up diminishes exponentially as subsequent blocks are added.
To compensate for increasing hardware speed and varying interest in running nodes over time, the proof-of-work difficulty is determined by a moving average targeting an average number of blocks per hour. If they're generated too fast, the difficulty increases.
5. Network
The steps to run the network are as follows:
1) New transactions are broadcast to all nodes.
2) Each node collects new transactions into a block.
3) Each node works on finding a difficult proof-of-work for its block.
4) When a node finds a proof-of-work, it broadcasts the block to all nodes.
5) Nodes accept the block only if all transactions in it are valid and not already spent.
6) Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.
Nodes always consider the longest chain to be the correct one and will keep working on extending it. If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first. In that case, they work on the first one they received, but save the other branch in case it becomes longer. The tie will be broken when the next proof-of-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one.
New transaction broadcasts do not necessarily need to reach all nodes. As long as they reach many nodes, they will get into a block before long. Block broadcasts are also tolerant of dropped messages. If a node does not receive a block, it will request it when it receives the next block and realizes it missed one.
6. Incentive
By convention, the first transaction in a block is a special transaction that starts a new coin owned by the creator of the block. This adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no central authority to issue them. The steady addition of a constant amount of new coins is analogous to gold miners expending resources to add gold to circulation. In our case, it is CPU time and electricity that is expended.
The incentive can also be funded with transaction fees. If the output value of a transaction is less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction. Once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation free.
The incentive may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.
7. Reclaiming Disk Space
Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. To facilitate this without breaking the block's hash, transactions are hashed in a Merkle Tree, with only the root included in the block's hash. Old blocks can then be compacted by stubbing off branches of the tree. The interior hashes do not need to be stored.
A block header with no transactions would be about 80 bytes. If we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2MB per year. With computer systems typically selling with 2GB of RAM as of 2008, and Moore's Law predicting current growth of 1.2GB per year, storage should not be a problem even if the block headers must be kept in memory.
8. Simplified Payment Verification
It is possible to verify payments without running a full network node. A user only needs to keep a copy of the block headers of the longest proof-of-work chain, which he can get by querying network nodes until he's convinced he has the longest chain, and obtain the Merkle branch linking the transaction to the block it's timestamped in. He can't check the transaction for himself, but by linking it to a place in the chain, he can see that a network node has accepted it, and blocks added after it further confirm the network has accepted it.
As such, the verification is reliable as long as honest nodes control the network, but is more vulnerable if the network is overpowered by an attacker. While network nodes can verify transactions for themselves, the simplified method can be fooled by an attacker's fabricated transactions for as long as the attacker can continue to overpower the network. One strategy to protect against this would be to accept alerts from network nodes when they detect an invalid block, prompting the user's software to download the full block and alerted transactions to confirm the inconsistency. Businesses that receive frequent payments will probably still want to run their own nodes for more independent security and quicker verification.
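The Merkle Tree of section 7 and the Merkle branch check of section 8, as an added Python example that is not code from the paper. The paper does not fix the hashing details, so the single SHA-256, the leaf/interior prefixes, the rule that an unpaired node is promoted unchanged, and the sample transactions are assumptions of this example.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Assumption of this example: distinct prefixes keep a leaf from being
# reinterpreted as an interior node.
def leaf_hash(tx: bytes) -> bytes:
    return sha256(b"\x00" + tx)

def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)

def merkle_levels(txs):
    """All tree levels, leaves first; an unpaired node is promoted unchanged."""
    if not txs:
        raise ValueError("a block needs at least one transaction")
    levels = [[leaf_hash(tx) for tx in txs]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def merkle_root(txs) -> bytes:
    return merkle_levels(txs)[-1][0]

def merkle_branch(txs, index):
    """Sibling hashes from leaf to root, tagged with the side each sits on."""
    if not 0 <= index < len(txs):
        raise IndexError("no such transaction in this block")
    branch = []
    for level in merkle_levels(txs)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            branch.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return branch

def verify_branch(tx: bytes, branch, root: bytes) -> bool:
    """What a header-only client runs: fold the branch and compare to the root."""
    acc = leaf_hash(tx)
    for side, sibling in branch:
        acc = node_hash(sibling, acc) if side == "L" else node_hash(acc, sibling)
    return acc == root

# Constructed sample block of five transactions.
SAMPLE_TXS = [b"tx-%d" % i for i in range(5)]

if __name__ == "__main__":
    root = merkle_root(SAMPLE_TXS)
    proof = merkle_branch(SAMPLE_TXS, 2)
    print(len(proof), verify_branch(b"tx-2", proof, root))  # 3 True
    print(verify_branch(b"tx-2-forged", proof, root))       # False
```

A passing check shows only that the transaction is committed to by that block's root; as the section says, the header-only client still relies on the network for the transaction's validity.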
9. Combining and Splitting Value
Although it would be possible to handle coins individually, it would be unwieldy to make a separate transaction for every cent in a transfer. To allow value to be split and combined, transactions contain multiple inputs and outputs. Normally there will be either a single input from a larger previous transaction or multiple inputs combining smaller amounts, and at most two outputs: one for the payment, and one returning the change, if any, back to the sender.
It should be noted that fan-out, where a transaction depends on several transactions, and those transactions depend on many more, is not a problem here. There is never the need to extract a complete standalone copy of a transaction's history.
10. Privacy
The traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party. The necessity to announce all transactions publicly precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone. This is similar to the level of information released by stock exchanges, where the time and size of individual trades, the "tape", is made public, but without telling who the parties were.
As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner. Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.
11. Calculations
We consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain. Even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker. Nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them. An attacker can only try to change one of his own transactions to take back money he recently spent.
The race between the honest chain and an attacker chain can be characterized as a Binomial Random Walk. The success event is the honest chain being extended by one block, increasing its lead by +1, and the failure event is the attacker's chain being extended by one block, reducing the gap by -1.
The probability of an attacker catching up from a given deficit is analogous to a Gambler's Ruin problem. Suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven. We can calculate the probability he ever reaches breakeven, or that an attacker ever catches up with the honest chain, as follows:
Given our assumption that p > q, the probability drops exponentially as the number of blocks the attacker has to catch up with increases. With the odds against him, if he doesn't make a lucky lunge forward early on, his chances become vanishingly small as he falls further behind.
We now consider how long the recipient of a new transaction needs to wait before being sufficiently certain the sender can't change the transaction. We assume the sender is an attacker who wants to make the recipient believe he paid him for a while, then switch it to pay back to himself after some time has passed. The receiver will be alerted when that happens, but the sender hopes it will be too late.
The receiver generates a new key pair and gives the public key to the sender shortly before signing. This prevents the sender from preparing a chain of blocks ahead of time by working on it continuously until he is lucky enough to get far enough ahead, then executing the transaction at that moment. Once the transaction is sent, the dishonest sender starts working in secret on a parallel chain containing an alternate version of his transaction.
The recipient waits until the transaction has been added to a block and z blocks have been linked after it. He doesn't know the exact amount of progress the attacker has made, but assuming the honest blocks took the average expected time per block, the attacker's potential progress will be a Poisson distribution with expected value:
To get the probability the attacker could still catch up now, we multiply the Poisson density for each amount of progress he could have made by the probability he could catch up from that point:
Rearranging to avoid summing the infinite tail of the distribution...
Converting to C code...
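    #include <math.h>

    double AttackerSuccessProbability(double q, int z)
    {
        double p = 1.0 - q;
        /* Expected value of the attacker's progress (Poisson mean). */
        double lambda = z * (q / p);
        double sum = 1.0;
        int i, k;
        for (k = 0; k <= z; k++)
        {
            /* Poisson density for k blocks of attacker progress. */
            double poisson = exp(-lambda);
            for (i = 1; i <= k; i++)
                poisson *= lambda / i;
            /* Subtract the cases in which the attacker fails to catch up from z - k behind. */
            sum -= poisson * (1 - pow(q / p, z - k));
        }
        return sum;
    }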
Running some results, we can see the probability drop off exponentially with z.
q=0.1
z=0 P=1.0000000
z=1 P=0.2045873
z=2 P=0.0509779
z=3 P=0.0131722
z=4 P=0.0034552
z=5 P=0.0009137
z=6 P=0.0002428
z=7 P=0.0000647
z=8 P=0.0000173
z=9 P=0.0000046
z=10 P=0.0000012
q=0.3
z=0 P=1.0000000
z=5 P=0.1773523
z=10 P=0.0416605
z=15 P=0.0101008
z=20 P=0.0024804
z=25 P=0.0006132
z=30 P=0.0001522
z=35 P=0.0000379
z=40 P=0.0000095
z=45 P=0.0000024
z=50 P=0.0000006
Solving for P less than 0.1%...
P < 0.001
q=0.10 z=5
q=0.15 z=8
q=0.20 z=11
q=0.25 z=15
q=0.30 z=24
q=0.35 z=41
q=0.40 z=89
q=0.45 z=340
12. Conclusion
We have proposed a system for electronic transactions without relying on trust. We started with the usual framework of coins made from digital signatures, which provides strong control of ownership, but is incomplete without a way to prevent double-spending. To solve this, we proposed a peer-to-peer network using proof-of-work to record a public history of transactions that quickly becomes computationally impractical for an attacker to change if honest nodes control a majority of CPU power. The network is robust in its unstructured simplicity. Nodes work all at once with little coordination. They do not need to be identified, since messages are not routed to any particular place and only need to be delivered on a best effort basis. Nodes can leave and rejoin the network at will, accepting the proof-of-work chain as proof of what happened while they were gone. They vote with their CPU power, expressing their acceptance of valid blocks by working on extending them and rejecting invalid blocks by refusing to work on them. Any needed rules and incentives can be enforced with this consensus mechanism.
References
W. Dai, "b-money," http://www.weidai.com/bmoney.txt, 1998.
H. Massias, X.S. Avila, and J.-J. Quisquater, "Design of a secure timestamping service with minimal trust requirements," In 20th Symposium on Information Theory in the Benelux, May 1999.
S. Haber, W.S. Stornetta, "How to time-stamp a digital document," In Journal of Cryptology, vol 3, no 2, pages 99-111, 1991.
D. Bayer, S. Haber, W.S. Stornetta, "Improving the efficiency and reliability of digital time-stamping," In Sequences II: Methods in Communication, Security and Computer Science, pages 329-334, 1993.
S. Haber, W.S. Stornetta, "Secure names for bit-strings," In Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 28-35, April 1997.
A. Back, "Hashcash - a denial of service counter-measure," http://www.hashcash.org/papers/hashcash.pdf, 2002.
R.C. Merkle, "Protocols for public key cryptosystems," In Proc. 1980 Symposium on Security and Privacy, IEEE Computer Society, pages 122-133, April 1980.
W. Feller, "An introduction to probability theory and its applications," 1957.