Bitcoin: A Peer-to-Peer Electronic Cash System

Satoshi Nakamoto

【Abstract】 A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they’ll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.

摘要. 一种完全的点对点电子货币应当允许在线支付从一方直接发送到另一方而不需要通过一个金融机构。数字签名提供了部分解决方案,但如果仍需一个可信任第三方来防止双重支付,那就失去了电子货币的主要优点。我们提出一种使用点对点网络解决双重支付问题的方案。该网络通过将交易哈希进一条持续增长的基于哈希的工作量证明链来给交易打上时间戳,形成一条除非重做工作量证明否则不能更改的记录。最长的链不仅是被见证事件序列的证据,而且也是它本身是由最大 CPU 算力池产生的证据。只要多数的 CPU 算力被不打算联合攻击网络的节点控制,这些节点就将生成最长的链而超过攻击者。这种网络本身只需极简的架构。信息将被尽力广播,节点可以随时离开和重新加入网络,只需接受最长的工作量证明链作为它们离开时发生事件的证据。

1.简介 (Introduction)

Commerce on the Internet has come to rely almost exclusively on financial institutions serving astrusted third parties to process electronic payments. While the system works well enough formost transactions, it still suffers from the inherent weaknesses of the trust based model.Completely non-reversible transactions are not really possible, since financial institutions cannotavoid mediating disputes. The cost of mediation increases transaction costs, limiting theminimum practical transaction size and cutting off the possibility for small casual transactions,and there is a broader cost in the loss of ability to make non-reversible payments for nonreversible services. With the possibility of reversal, the need for trust spreads. Merchants mustbe wary of their customers, hassling them for more information than they would otherwise need.A certain percentage of fraud is accepted as unavoidable. These costs and payment uncertaintiescan be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party

  互联网上的商业几乎都要借助中心化金融机构作为可信赖第三方去处理电子支付。虽然对大多数交易来说,这个系统运行地还算不错,但它仍然有先天性的弱点,既要受制于基于信任模型(trust based model)。在这模型下,完全不可逆转的交易实际上并不可能存在,因为金融机构不能完全避免对某交易可能存在的仲裁争议。而仲裁成本又增加了交易成本,进而限制了使用金融机构交易的最小可交易规模,失去了用于微额支付交易的可能(如几聪BTC的交易),以及因系统无法用于为不可逆的服务提供不可逆支付的支付需求场景而将有更大损失。因为有交易逆转退款的可能性,造成了对于信任的过度需求。商家必须提防着他们的顾客潜在的支付了又退款,而去麻烦地向顾客索取提供原本不必要的更多信息。一定比例的信用卡盗刷等支付欺诈,被认为是不可避免的。这些代价和支付的不确定性,虽然在没有第三方的直接人与人面对面直接使用物理实物货币(physical currency 主要纸币硬币)支付的时候是可以避免的,但还尚没有能在没有信任的三方来保障的网上沟通渠道中顺利进行支付的机制存在。

What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party. Transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers. In this paper, we propose a solution to the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions. The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes.

  我们真正需要的是一种基于加密算法密码学原理而非基于信任的数字货币支付系统,不需要可信任第三方参与的情况下,允许双方直接进行支付交易。算力保障下实现的交易不可逆转,能帮助卖家避免被支付欺诈,而用于保护买家的常规三方担保机制(routine escrow mechanisms类似支付宝担保淘宝)也很容易实现。在本白皮书中,我们将提出一种解决双花问题的方案,即由去中心化分布式的全节点服务器应用时间戳去记录每条交易时间先后顺序的全网算力共识见证的证明,从而避免双花。只要忠实节点(honest nodes)能掌握的总算力多于任何联合攻击者节点的总算力,那么此系统就是安全的。

2.交易 (Transactions)

We define an electronic coin as a chain of digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin. A payee can verify the signatures to verify the chain of ownership.

  我们将一个数字签名的链条上的数字记录定义为加密数字货币的(coin)。若一位币所有者将币发送给另一个收币人,需要其在这个记录币流动的数字签名链条的末尾加上新增的币交易流动记录,一笔记录的内容包括:输出项和输入项。输出项为新所有者即收币人的公钥(public key 或公钥哈希即币地址),而输入项为币来源交易的哈希和原所有者通过其私钥对交易哈希和新所有者的信息进行签署确认的数字签名(digitally signing来验证真想发交易非主体,故SW隔离验证将其移到1MB外存储实现软扩容)。收币人可通过查看最新数字签名链条的中公钥或公钥哈希是否是自己来确认对币的拥有权。


The problem of course is the payee can’t verify that one of the owners did not double-spend the coin. A common solution is to introduce a trusted central authority, or mint, that checks every transaction for double spending. After each transaction, the coin must be returned to the mint to issue a new coin, and only coins issued directly from the mint are trusted not to be double-spent. The problem with this solution is that the fate of the entire money system depends on the company running the mint, with every transaction having to go through them, just like a bank.


We need a way for the payee to know that the previous owners did not sign any earlier transactions. For our purposes, the earliest transaction is the one that counts, so we don’t care about later attempts to double-spend.The only way to confirm the absence of a transaction is to be aware of all transactions. In the mint based model, the mint was aware of all transactions and decided which arrived first. To accomplish this without a trusted party, transactions must be publicly announced[1], and we need a system for participants to to agree on a single history of the order in which they were received. The payee needs proof that at the time of each transaction, the majority of nodes agreed it was the first received.

  我们需要一种方式,可以让收币人知道币的前所有者并没有在更早之前的其它交易上签名而早已将币花出过了。为达到我们的目的,可以将最早的交易是视为有效交易的,而在其之后的企图双花的交易我们全部无视即可。要确认一笔更早交易是否已经存在的唯一方法,就是获得币创世以来的所有的历史交易记录去比对。在铸币厂模型之中,铸币厂已知悉所有的交易并能决定认这些交易的顺序,故能防双花。为了能在没有被信任方参与情况下也能完成任务,那交易记录必须全部被公开公告广播(publicly announced)[1],并且我们需要一个系统(即区块链)能让参与者们能共识出唯一的接收交易时间序列的记录历史。收币人收币时要去确保在每笔交易发生时,绝大多数节点能够认同是这币并非双花的首次支出交易。

3.时间戳服务 (Timestamp Server)

The solution we propose begins with a timestamp server. A timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash, such as in a newspaper or Usenet post[2-5]. The timestamp proves that the data must have existed at the time, obviously, in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.

  本解决方案要从一种时间戳服务说起。时间戳服务是这样工作的:将一组记录的区块(block of items)计算出其哈希值然后关联上当前时间的时间戳,形成时间戳区块头,而后广泛地传播出去,就好像一份报纸或像是在新闻组里发帖子那样[2-5]。显然,时间戳能够证明那些记录数据内容在那个时间点之前已存在,否则那时间戳区块头中的哈希结果值无法生成。每个时间戳区块头的用来哈希的原数据中,还包含着上一个的时间戳区块头的哈希值,因此能构成了一条(chain),每当有新的时间戳区块头被添加,那么之前的历史时间戳区块头将被不断地强化(reinforcing 即随着有清晰长链条,早期的难篡改更被认可)。


4.工作量证明 (Proof-of-Work)

To implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proof-of-work system similar to Adam Back’s Hashcash[6], rather than newspaper or Usenet posts. The proof-of-work involves scanning for a value that when hashed, such as with SHA-256, the hash begins with a number of zero bits. The average work required is exponential in the number of zero bits required and can be verified by executing a single hash.

  为了基于点对点去中心化地去实现一个分布式时间戳服务,我们需要引用类似亚当·伯克(Adam Back)的哈希现金[6]那样的一个工作量证明POW系统,而不是报纸或新闻组帖子那样的东西。所谓的工作量证明POW,就是去暴力计算寻找一些特定的随机数数值。当使用这个找到的随机数值去进行例如使用SHA-256的哈希算法计算哈希数值,得到的结果哈希数值必须要以一定数量的0位开头。随着对0位的要求数量增加,将使得寻找到合适随机数的平均工作需求量(average work required 即难度)指数级增加。而验证别人的工作成果,只需带入其声称找到的随机数仅计算一次哈希即可。

For our timestamp network, we implement the proof-of-work by incrementing a nonce in the block until a value is found that gives the block’s hash the required zero bits. Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it.



The proof-of-work also solves the problem of determining representation in majority decision making. If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs. Proof-of-work is essentially one-CPU-one-vote. The majority decision is represented by the longest chain, which has the greatest proof-of-work effort invested in it. If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains. To modify a past block, an attacker would have to redo the proof-of-work of the block and all blocks after it and then catch up with and surpass the work of the honest nodes. We will show later that the probability of a slower attacker catching up diminishes exponentially as subsequent blocks are added.

  工作量证明POW机制,同时顺便解决了谁能代表矿业大多数做多数算力共识决定的问题。如果所谓的大多数是基于一个IP地址一票(one-IP-address-one-vote)的方式决定的话,那么任何一个可搞来很多IP 地址的人就可以被误认为是大多数。工作量证明POW本质上来看,是一算力一票(one-CPU-one-vote)。所谓的大多数决定是由最长链所代表的,因难度同近时被投入最多工作量的链就是最长链。如果大多数算力被忠实的节点所控制,那么忠实链成长最为迅速,其工作量累积速度会远超代表其它方向的其它竞争链或分山链。为更改一个已产生的区块,攻击者将不得不去重新完成那个区块及其后所有区块的全部工作量,而后还要追上并超过忠实节点们的工作量。我们将在后文(即11.计算)中详细计算显示,一个低算力的攻击者能够成功追上的可能性,将会随着区块数的不断增加而指数级递减。

To compensate for increasing hardware speed and varying interest in running nodes over time, the proof-of-work difficulty is determined by a moving average targeting an average number of blocks per hour. If they’re generated too fast, the difficulty increases.


5.去中心化网络 (Network)

The steps to run the network are as follows:

  1. New transactions are broadcast to all nodes.
  2. Each node collects new transactions into a block.
  3. Each node works on finding a difficult proof-of-work for its block.
  4. When a node finds a proof-of-work, it broadcasts the block to all nodes.
  5. Nodes accept the block only if all transactions in it are valid and not already spent.
  6. Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.


  1. 新的交易向全网所有节点广播;
  2. 每个节点(主要是矿池节点)将收集到的新交易打包到一个区块;
  3. 每个节点(主要是各矿工)为此区块寻找能满足难度的POW工作量证明;
  4. 当某个矿工找到满足难度POW,矿工区块头数据交给矿池由其打包好区块广播给所有节点;
  5. 在验证区块中所有交易都是有效的且无双花冲突后,众节点才会接受这个区块为新区块;
  6. 各节点尤其矿池节点为表达已接受这新区块,会将此新区块的哈希作为前一区块哈希加入到其尝试打包的下个区块的区块头中。

Nodes always consider the longest chain to be the correct one and will keep working on extending it. If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first. In that case, they work on the first one they received, but save the other branch in case it becomes longer. The tie will be broken when the next proof-of-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one.


New transaction broadcasts do not necessarily need to reach all nodes. As long as they reach many nodes, they will get into a block before long. Block broadcasts are also tolerant of dropped messages. If a node does not receive a block, it will request it when it receives the next block and realizes it missed one.


6.激励机制 (Incentive)

By convention, the first transaction in a block is a special transaction that starts a new coin owned by the creator of the block. This adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no central authority to issue them. The steady addition of a constant of amount of new coins is analogous to gold miners expending resources to add gold to circulation. In our case, it is CPU time and electricity that is expended.

  按照共识约定,每个区块的第一笔交易是一个特殊的交易(比特币中取名为coinbase交易,不存在空区块,至少要包含此条交易),它会由系统发行一定数量的新币(起始50BTC每约4年减半),发送给挖出这个区块的打包生成者。这么做一方面能支持网络节点奖励一份激励,另一方面也提供了一种将新币分发出来进入流通的公平途径。在这个系统中,也本就没有一个中心化的权威方去发行(issue)新币。这种以较稳定地速度不断新增加一定数量的新币,就好像是黄金矿工们不断耗用资源挖出的新黄金添加到流通(add gold to circulation 最早的将比特币比喻成黄金)。在我们的系统中,被耗用的资源具体是算力时间和所用的电力。

The incentive can also be funded with transaction fees. If the output value of a transaction is less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction. Once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation free.


The incentive may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.

  激励机制有助于鼓励节点保持忠诚。如果一个贪婪的攻击者能够收集比所有忠诚矿工节点全加起来都还要更多的算力,那么他面临一个选择:要么用这些算力去冒险攻击回滚(stealing back)自己花出去的币去双花欺骗人呢?还是或者用这些算力去挖新币及手续费?他应该能够发现后者按照规则去忠诚地挖新区块收益是远远更划算的,因根据规则他能够挖得比所有其他人加起来都要还更多的币作为回报,而不应去选不断攻击而使系统和自身本应拥有正当币财富逐渐受损(undermine)。

7.修剪存储空间 (Reclaiming Disk Space)

Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. To facilitate this without breaking the block’s hash, transactions are hashed in a Merkle Tree [7、2、5], with only the root included in the block’s hash. Old blocks can then be compacted by stubbing off branches of the tree. The interior hashes do not need to be stored.

  如果一币已经获得足够多确认,即其最近的交易记录发生在足够多数量的区块之前,那么该币之前的历史交易记录不再使用(discarded),在需考虑节省磁盘存储空间时也可对其修剪。为使容易修剪且不影响改变该区块的哈希,将所有交易记录(包括coinbase交易)的交易哈希再不断二叉树式地两两层级哈希来构建一个默克尔树(Merkle Tree)[7、2、5],只将此树的树根哈希(root)纳入该区块的区块头之中且区块头的哈希作为区块哈希。这样一些老区块便可通过类修剪树枝(stubbing off branches)方式,用哈希替代交易来压缩修剪掉不再使用的历史交易记录。从裁剪处到树根之间的内部哈希不需保存(即图中虚线框的哈希用时可算不需保存,若为无修剪的全数据全节点只需保存Merkle Root根哈希)。


A block header with no transactions would be about 80 bytes. If we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2MB per year. With computer systems typically selling with 2GB of RAM as of 2008, and Moore’s Law predicting current growth of 1.2GB per year, storage should not be a problem even if the block headers must be kept in memory.

  不计入任何交易记录的纯区块头的大小只有约80字节。我们设计约每十分钟产生一个区块,那么一年的数据仅为:80 × 6 × 24 × 365 /1024 /1024 = 4.01 MB (原文误除两次1000算出4.2MB)。在2008年时大多数在售主流普通(typically selling)计算机都配有2GB内存,而按照摩尔定律(Moore’s Law)的预测,每年会增加约1.2GB(即预测2020年16GB内存为电脑主流配置基本符合)即便是所有区块头必须都读取在内存中也不会出现存储空间不够问题。

8.轻节点支付确认 (Simplified Payment Verification)

It is possible to verify payments without running a full network node. A user only needs to keep a copy of the block headers of the longest proof-of-work chain, which he can get by querying network nodes until he’s convinced he has the longest chain, and obtain the Merkle branch linking the transaction to the block it’s timestamped in. He can’t check the transaction for himself, but by linking it to a place in the chain, he can see that a network node has accepted it, and blocks added after it further confirm the network has accepted it.

  即便不去用运行一个完整网络数据的全节点(full network node)也是有可能去校验确认支付的。用户只需要有一份拥有最长工作量证明POW链的区块头数据备份。他可以通过请求询问众多在线网络全节点们,直到确信自己所拥有的确实来自最长链。要校验的某笔交易会有被打上的时间戳,进而找出所对应打包它的区块。而后轻节点向全节点请求获取这个打包区块的默克尔树中与这交易相关的各树枝哈希,从而能通过重构默克尔树来确认交易确实在此区块中。虽然轻节点并不能独立地仅靠自己完成检查校验交易,但通过(其它全节点的上述提供区块头链和默克尔树帮助下)可追溯到此交易在链条中的位置,即可以见证某个网络节点(现多为某矿池节点)已经接受了这笔交易打包进了区块,而在此区块后又延长加进来了一些区块,更进一步确认比特币网络已经接受了此笔交易。


As such, the verification is reliable as long as honest nodes control the network, but is more vulnerable if the network is overpowered by an attacker. While network nodes can verify transactions for themselves, the simplified method can be fooled by an attacker’s fabricated transactions for as long as the attacker can continue to overpower the network. One strategy to protect against this would be to accept alerts from network nodes when they detect an invalid block, prompting the user’s software to download the full block and alerted transactions to confirm the inconsistency. Businesses that receive frequent payments will probably still want to run their own nodes for more independent security and quicker verification.

  如上那般操作,只要诚实节点在主导着网络的环境下,轻节点对交易的验证也是较可靠的(reliable)。然而,如果网络正被算力占有的攻击者攻击时,验证就更脆弱(vulnerable)。网络的全节点可以靠自己的历史数据来验证交易,然而轻节点的这种借助别的节点给其提供数据才能简化验证方式,可能会被攻击者的伪造交易记录所欺骗,只要攻击者能够持续网络占优势。一个可行的应对策略是,轻节点要能接受来自网络全节点发现无效区块(invalid block)时发出的警报。在用户客户端软件上醒目提示用户下载完整区块,注意去确认这些交易的前后一致性(inconsistency)。那些有高频收币需求的商业机构应该仍然还是需要运行属于自己的完整数据全节点,以便获得更好的独立安全性(independent security)和更快的交易校验速度。

9.币值的组合与分割 (Combining and Splitting Value)

Although it would be possible to handle coins individually, it would be unwieldy to make a separate transaction for every cent in a transfer. To allow value to be split and combined, transactions contain multiple inputs and outputs. Normally there will be either a single input from a larger previous transaction or multiple inputs combining smaller amounts, and at most two outputs: one for the payment, and one returning the change, if any, back to the sender.



It should be noted that fan-out, where a transaction depends on several transactions, and those transactions depend on many more, is not a problem here. There is never the need to extract a complete standalone copy of a transaction’s history.


10.隐私保护 (Privacy)

The traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party. The necessity to announce all transactions publicly precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone. This is similar to the level of information released by stock exchanges, where the time and size of individual trades, the “tape”, is made public, but without telling who the parties were.

  传统的银行模型能达成一定程度的隐私保护,主要依靠限制公众只能获取与自己有交易往来的对手方(parties involved)和可信第三方的相关信息。当作为加密数字货币,有将所有交易记录都公开的需求下,便不能再用这种方法了。但有新的隐私保护模式可以建立,即通过在另一处的切断信息流:保持公钥币地址匿名(keeping public keys anonymous,即不要实名认证币地址)。公众可以查区块链只看到某某地址向某某地址转账了一定数量的币,但是没有信息能把这笔交易与具体确定的某人联系在一起(除非其主动公开,像交易平台因公开热钱包能分析币流入流出平台情况,但谁流入和流出给谁匿名)。这种隐私保护模式有点像股票交易平台发成交记录信息,这个由公众生成的流水记录(tap)只有各笔交易的成交时间和成交股数金额被公布,但没有告知每笔交易背后双方是谁而形成隐私保护。


As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner. Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.


11.计算 (Calculations)

We consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain. Even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker. Nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them. An attacker can only try to change one of his own transactions to take back money he recently spent.

  我们考虑一个场景,某攻击者正在试图生成一个比忠诚链更快的替代链。就算实现完成了这一点(即51%算力攻击),也不会使系统处于被攻击者能随意改变(arbitrary changes)的境地,例如攻击者就不可能凭空制造超发出来新币骗取价值,也无法盗取从未属于攻击者的别人囤的钱币。这是因为高度去中心化的网络节点们不会接受并传播一笔无效支付交易,而且忠诚的各全节点们也永远不会接受一个包含无效支付交易的区块作为最新区块。攻击者最多只能尝试删除或覆盖由他自己发出的交易,以便去试图回滚(take back)他最近刚刚花出去的那笔币(即对确认数较少的自己交易中的币进行双花,确认数多的历史交易无法双花)。

  The race between the honest chain and an attacker chain can be characterized as a Binomial Random Walk. The success event is the honest chain being extended by one block,increasing its lead by+1, and the failure event is the attacker’s chain being extended by one block,reducing the gap by-1.

  忠诚链和攻击者链之间的竞争可以用二项式随机漫步(Binomial Random Walk)来描述。成功事件定义为忠诚链延长了一个新的区块,使得它的优势增加+1;而失败事件则定义为攻击者链延长了一个新的区块,使得忠诚链的差距-1。

  The probability of an attacker catching up from a given deficit is analogous to a Gambler’s Ruin problem. Suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven. We can calculate the probability he ever reaches breakeven, or that an attacker ever catches up with the honest chain[8], as follows:

  攻击者能够从区块数落后的局面追平的概率类似于赌徒破产问题(Gambler’s Ruin problem)。假定可以有无限筹码的赌徒,从有一定亏空(breakeven)开始,允许他以固定的赢率赢得固定金额的形式去赌无限次,目标是填补上亏空。我们能计算出他最终能成功填补亏空的概率,也就是攻击者能够赶上诚实链的概率[8],如下:

p = probability an honest node finds the next block(忠实节点找到新区块概率)
q = probability the attacker finds the next block(攻击者找到找到新区块概率)
qz = probability the attacker will ever catch up from z blocks behind(攻击者落后z个区块依然能够赶上的概率)


Given our assumption that p > q , the probability drops exponentially as the number of blocks the attacker has to catch up with increases. With the odds against him, if he doesn’t make a lucky lunge forward early on, his chances become vanishingly small as he falls further behind.

  我们考虑假定 p > q 的情况,随着攻击者需要赶超的区块数量越来越多,那么其成功概率就会指数级地下降。于是概率是攻击者的敌人,如果他不能幸运且快速地获得成功,那么他获得成功的机会随着时间的流逝就变得愈发渺茫,直至不可能。

  We now consider how long the recipient of a new transaction needs to wait before being sufficiently certain the sender can’t change the transaction. We assume the sender is an attacker who wants to make the recipient believe he paid him for a while, then switch it to pay back to himself after some time has passed. The receiver will be alerted when that happens, but the sender hopes it will be too late.


  The receiver generates a new key pair and gives the public key to the sender shortly before signing. This prevents the sender from preparing a chain of blocks ahead of time by working on it continuously until he is lucky enough to get far enough ahead, then executing the transaction at that moment. Once the transaction is sent, the dishonest sender starts working in secret on a parallel chain containing an alternate version of his transaction.

  收币人生成了一对新的公私钥币地址账户,而然后在新定的签署交易前的较短时间里才将公钥币地址告知发币人(即不提前告诉发币人,由收币人忽然随机选个的很短的时间段里才给新的币地址并要求其立刻签名发布交易)。这样做可以防止一种情形(即隐秘块双花攻击):发款人提前不断地运算去准备一条链上的隐秘区块,当有足够的运气产生足够多领先于主链的隐秘区块时,那时才执行那笔发给收币人的交易。一旦收币人过早的确定了收币并发货,那么不诚实的发币人将开始公开隐秘挖出的平行链(secret on a parallel chain)即瞬间成为最长链而所有算力跳到这条链上继续挖,而在这个隐密链中早就包含了一笔替代那笔正常交易而发给发币人的版本的交易。(即实现了隐秘双花,这种攻击有时间限制,若发币人忽然在奇怪时间发币且催促快点确认发货就可能攻击。而由收币人指定的短时间段里不许提前或延后发币即可避免,因攻击者难刚巧那段时间里挖出长的隐秘链。)

  The recipient waits until the transaction has been added to a block and z blocks have been linked after it. He doesn’t know the exact amount of progress the attacker has made, but assuming the honest blocks took the average expected time per block, the attacker’s potential progress will be a Poisson distribution with expected value:

  收币人等待到此笔交易被打包进区块,并后面有z个区块随后被链接加入。虽然并不知道攻击者的工作进展究竟已经挖出多少区块,但是可假定忠实区块将耗费平均预期时间以产生一个区块,那么攻击者的潜在进展区块数量便符合泊松分布(Poisson distribution),其期望值为:


  To get the probability the attacker could still catch up now, we multiply the Poisson density for each amount of progress he could have made by the probability he could catch up from that point:



Rearranging to avoid summing the infinite tail of the distribution…



Converting to C code…



Running some results, we can see the probability drop off exponentially with z.



Solving for P less than 0.1%…



12.结论 (Conclusion)

We have proposed a system for electronic transactions without relying on trust. We started with the usual framework of coins made from digital signatures, which provides strong control of ownership, but is incomplete without a way to prevent double-spending. To solve this, we proposed a peer-to-peer network using proof-of-work to record a public history of transactions that quickly becomes computationally impractical for an attacker to change if honest nodes control a majority of CPU power. The network is robust in its unstructured simplicity. Nodes work all at once with little coordination. They do not need to be identified, since messages are not routed to any particular place and only need to be delivered on a best effort basis. Nodes can leave and rejoin the network at will, accepting the proof-of-work chain as proof of what happened while they were gone. They vote with their CPU power, expressing their acceptance of valid blocks by working on extending them and rejecting invalid blocks by refusing to work on them. Any needed rules and incentives can be enforced with this consensus mechanism.

  我们提出了一个不需依赖信任的电子交易加密数字货币系统。我们开启于使用数字签名构建的一般的币框架,虽然它提供了对币所有权的良好加密账户控制,但却因没有避免双花的方法而不完整。为了解决这个问题,我们提出一个使用POW工作量证明机制的点对点去中心化网络,去记录一个公开的且攻击者不可能成功计算安全层面(computationally)篡改的交易记录历史,只要全网的大多数算力能够控制忠诚节点手中。这个网络的健壮在于其无组织的纯静精简(unstructured simplicity)。全节点们可在很少需协同的情况下相互独立地工作。甚至全节点们可以匿名身份不需实名,因为消息的传播路径并无特定的传播终点,消息只需被最大努力地向外传播即可。全节点在这个相互链接形成的去中心化网络中来去自由,当需要重新加入网络时,只需要接受最新最长POW区块链,作为它们离线期间所发生的一切的证明。节点们通过其算力投票,表决他们对有效区块的确认且拒绝为无效区块提供算力,他们不断用算力去延长由有效区块组成的区块链,来表达自己对交易区块的共识认可。任何有需要的新规则和奖励机制都可通过这个共识机制(consensus mechanism)来达成共识实施,来加强完善系统(即有充分共识下可以升级,系统并非一成不变)。

参考文献 (References)
W. Dai(戴伟), “b-money,” http://www.weidai.com/bmoney.txt, 1998.
H. Massias, X.S. Avila, and J.-J. Quisquater, “Design of a secure timestamping service with minimal trust requirements,”
《在最小化信任的基础上设计一种时间戳服务器》In 20th Symposium on Information Theory in the Benelux, May 1999.
S. Haber, W.S. Stornetta, “How to time-stamp a digital document,”
《怎样为电子文件添加时间戳》 In Journal of Cryptology, vol 3, no 2, pages 99-111, 1991.
D. Bayer, S. Haber, W.S. Stornetta, “Improving the efficiency and reliability of digital time-stamping,”
《提升电子时间戳的效率和可靠性》 In Sequences II: Methods in Communication, Security and Computer Science, pages 329-334, 1993.
S. Haber, W.S. Stornetta, “Secure names for bit-strings,”
《比特字串的安全命名》In Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 28-35, April 1997.
A. Back(亚当.巴克), “Hashcash – a denial of service counter-measure,”
《哈希现金——拒绝服务式攻击的克制方法》 http://www.hashcash.org/papers/hashcash.pdf, 2002.
R.C. Merkle, “Protocols for public key cryptosystems,”
《公钥密码系统的协议》 In Proc. 1980 Symposium on Security and Privacy, IEEE Computer Society, pages 122-133, April 1980.
W. Feller, “An introduction to probability theory and its applications,”



打赏 微信扫一扫 微信扫一扫 支付宝扫一扫 支付宝扫一扫
上一篇 2021-06-17 18:47
下一篇 2021-06-19 22:55


  • NFT是什么?一篇文章读懂NFT


  • 比特币白皮书

    作者:中本聪 Satoshi Nakamoto 《比特币白皮书中文版》小龙博客转载自互联网 摘要. 一种完全的点对点电子货币应当允许在线支付从一方直接发送到另一方而不需要通过一个金融机构。数字签名提供了部分解决方案,但如果仍需一个可信任第三方来防止双重支付,那就失去了电子货币的主要优点。我们提出一种使用点对点网络解决双重支付问题的方案。该网络通过将交易哈希进…

  • EOS是什么币?

    EOS就是俗称的柚子币。 EOS,可以理解为Enterprise Operation System,即为商用分布式应用设计的一款区块链操作系统。EOS是引入的一种新的区块链架构,旨在实现分布式应用的性能扩展。它并不是像比特币和以太坊那样的货币,而是基于EOS软件项目之上发布的代币,被称为区块链3.0。 EOS是什么?简单来说EOS就像ETH以太坊一样,是一个…

  • 通俗易懂的让你知道什么是原宇宙


  • 万向区块链肖风:从网络平台到城市平台——城市数字化的另类思考

    演讲:肖风,万向区块链董事长兼总经理 6 月 22 日,「2021 苏州高新区区块链产业发展峰会暨万向区块链苏州研究院启动仪式」在苏州高新区狮山国际会议中心隆重举行。万向区块链董事长兼总经理肖风在活动上发表了题为《从网络平台到城市平台——城市数字化的另类思考》的演讲。 以下根据现场速记整理的演讲全文,略有删减。 各位来宾,很高兴有机会在此与大家分享我的新思考…






在线咨询: QQ交谈