比特币白皮书（中英文对照版）

Bitcoin: A Peer-to-Peer Electronic Cash System
比特币：一种去中心化的加密数字货币系统

Satoshi Nakamoto
satoshin@gmx.com
www.bitcoin.org

【Abstract】 A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they’ll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.

摘要. 一种完全的点对点电子货币应当允许在线支付从一方直接发送到另一方而不需要通过一个金融机构。数字签名提供了部分解决方案，但如果仍需一个可信任第三方来防止双重支付，那就失去了电子货币的主要优点。我们提出一种使用点对点网络解决双重支付问题的方案。该网络通过将交易哈希进一条持续增长的基于哈希的工作量证明链来给交易打上时间戳，形成一条除非重做工作量证明否则不能更改的记录。最长的链不仅是被见证事件序列的证据，而且也是它本身是由最大 CPU 算力池产生的证据。只要多数的 CPU 算力被不打算联合攻击网络的节点控制，这些节点就将生成最长的链而超过攻击者。这种网络本身只需极简的架构。信息将被尽力广播，节点可以随时离开和重新加入网络，只需接受最长的工作量证明链作为它们离开时发生事件的证据。

1.简介 (Introduction)

Commerce on the Internet has come to rely almost exclusively on financial institutions serving astrusted third parties to process electronic payments. While the system works well enough formost transactions, it still suffers from the inherent weaknesses of the trust based model.Completely non-reversible transactions are not really possible, since financial institutions cannotavoid mediating disputes. The cost of mediation increases transaction costs, limiting theminimum practical transaction size and cutting off the possibility for small casual transactions,and there is a broader cost in the loss of ability to make non-reversible payments for nonreversible services. With the possibility of reversal, the need for trust spreads. Merchants mustbe wary of their customers, hassling them for more information than they would otherwise need.A certain percentage of fraud is accepted as unavoidable. These costs and payment uncertaintiescan be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party

　　互联网上的商业几乎都要借助中心化金融机构作为可信赖第三方去处理电子支付。虽然对大多数交易来说，这个系统运行地还算不错，但它仍然有先天性的弱点，既要受制于基于信任模型（trust based model）。在这模型下，完全不可逆转的交易实际上并不可能存在，因为金融机构不能完全避免对某交易可能存在的仲裁争议。而仲裁成本又增加了交易成本，进而限制了使用金融机构交易的最小可交易规模，失去了用于微额支付交易的可能（如几聪BTC的交易），以及因系统无法用于为不可逆的服务提供不可逆支付的支付需求场景而将有更大损失。因为有交易逆转退款的可能性，造成了对于信任的过度需求。商家必须提防着他们的顾客潜在的支付了又退款，而去麻烦地向顾客索取提供原本不必要的更多信息。一定比例的信用卡盗刷等支付欺诈，被认为是不可避免的。这些代价和支付的不确定性，虽然在没有第三方的直接人与人面对面直接使用物理实物货币（physical currency 主要纸币硬币）支付的时候是可以避免的，但还尚没有能在没有信任的三方来保障的网上沟通渠道中顺利进行支付的机制存在。

What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party. Transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers. In this paper, we propose a solution to the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions. The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes.

　　我们真正需要的是一种基于加密算法密码学原理而非基于信任的数字货币支付系统，不需要可信任第三方参与的情况下，允许双方直接进行支付交易。算力保障下实现的交易不可逆转，能帮助卖家避免被支付欺诈，而用于保护买家的常规三方担保机制（routine escrow mechanisms类似支付宝担保淘宝）也很容易实现。在本白皮书中，我们将提出一种解决双花问题的方案，即由去中心化分布式的全节点服务器应用时间戳去记录每条交易时间先后顺序的全网算力共识见证的证明，从而避免双花。只要忠实节点（honest nodes）能掌握的总算力多于任何联合攻击者节点的总算力，那么此系统就是安全的。

2.交易 (Transactions)

We define an electronic coin as a chain of digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin. A payee can verify the signatures to verify the chain of ownership.

　　我们将一个数字签名的链条上的数字记录定义为加密数字货币的币（coin）。若一位币所有者将币发送给另一个收币人，需要其在这个记录币流动的数字签名链条的末尾加上新增的币交易流动记录，一笔记录的内容包括：输出项和输入项。输出项为新所有者即收币人的公钥（public key 或公钥哈希即币地址），而输入项为币来源交易的哈希和原所有者通过其私钥对交易哈希和新所有者的信息进行签署确认的数字签名（digitally signing来验证真想发交易非主体，故SW隔离验证将其移到1MB外存储实现软扩容）。收币人可通过查看最新数字签名链条的中公钥或公钥哈希是否是自己来确认对币的拥有权。

The problem of course is the payee can’t verify that one of the owners did not double-spend the coin. A common solution is to introduce a trusted central authority, or mint, that checks every transaction for double spending. After each transaction, the coin must be returned to the mint to issue a new coin, and only coins issued directly from the mint are trusted not to be double-spent. The problem with this solution is that the fate of the entire money system depends on the company running the mint, with every transaction having to go through them, just like a bank.

　　这个数字签名的链条记录币流动路径的问题，在于收币人无法验证曾经的币所有者之中是否有人进行过双花支付。之前传统的解决方案是引入一个可信的中心化权威方，或“铸币厂（mint）”，让其去检查每一笔交易是否存在双花。每当一次发生交易之后，币必须返回到铸币厂销毁，同时铸币厂再铸造发行等量的新币给收币人。进而，只有由铸币厂直接发出的币才是可信的未被双花过的。这个解决方案的问题在于，整个货币系统的命运被拴在运营铸币厂的那个类似于银行一样的公司或机构身上，因每一笔交易都必须通过它的中转确认。

We need a way for the payee to know that the previous owners did not sign any earlier transactions. For our purposes, the earliest transaction is the one that counts, so we don’t care about later attempts to double-spend.The only way to confirm the absence of a transaction is to be aware of all transactions. In the mint based model, the mint was aware of all transactions and decided which arrived first. To accomplish this without a trusted party, transactions must be publicly announced^[1], and we need a system for participants to to agree on a single history of the order in which they were received. The payee needs proof that at the time of each transaction, the majority of nodes agreed it was the first received.

　　我们需要一种方式，可以让收币人知道币的前所有者并没有在更早之前的其它交易上签名而早已将币花出过了。为达到我们的目的，可以将最早的交易是视为有效交易的，而在其之后的企图双花的交易我们全部无视即可。要确认一笔更早交易是否已经存在的唯一方法，就是获得币创世以来的所有的历史交易记录去比对。在铸币厂模型之中，铸币厂已知悉所有的交易并能决定认这些交易的顺序，故能防双花。为了能在没有被信任方参与情况下也能完成任务，那交易记录必须全部被公开公告广播（publicly announced）^[1]，并且我们需要一个系统（即区块链）能让参与者们能共识出唯一的接收交易时间序列的记录历史。收币人收币时要去确保在每笔交易发生时，绝大多数节点能够认同是这币并非双花的首次支出交易。

3.时间戳服务 (Timestamp Server)

The solution we propose begins with a timestamp server. A timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash, such as in a newspaper or Usenet post^[2-5]. The timestamp proves that the data must have existed at the time, obviously, in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.

　　本解决方案要从一种时间戳服务说起。时间戳服务是这样工作的：将一组记录的区块（block of items）计算出其哈希值然后关联上当前时间的时间戳，形成时间戳区块头，而后广泛地传播出去，就好像一份报纸或像是在新闻组里发帖子那样^[2-5]。显然，时间戳能够证明那些记录数据内容在那个时间点之前已存在，否则那时间戳区块头中的哈希结果值无法生成。每个时间戳区块头的用来哈希的原数据中，还包含着上一个的时间戳区块头的哈希值，因此能构成了一条链（chain），每当有新的时间戳区块头被添加，那么之前的历史时间戳区块头将被不断地强化（reinforcing 即随着有清晰长链条，早期的难篡改更被认可）。

4.工作量证明 (Proof-of-Work)

To implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proof-of-work system similar to Adam Back’s Hashcash^[6], rather than newspaper or Usenet posts. The proof-of-work involves scanning for a value that when hashed, such as with SHA-256, the hash begins with a number of zero bits. The average work required is exponential in the number of zero bits required and can be verified by executing a single hash.

　　为了基于点对点去中心化地去实现一个分布式时间戳服务，我们需要引用类似亚当·伯克（Adam Back）的哈希现金^[6]那样的一个工作量证明POW系统，而不是报纸或新闻组帖子那样的东西。所谓的工作量证明POW，就是去暴力计算寻找一些特定的随机数数值。当使用这个找到的随机数值去进行例如使用SHA-256的哈希算法计算哈希数值，得到的结果哈希数值必须要以一定数量的0位开头。随着对0位的要求数量增加，将使得寻找到合适随机数的平均工作需求量（average work required 即难度）指数级增加。而验证别人的工作成果，只需带入其声称找到的随机数仅计算一次哈希即可。

For our timestamp network, we implement the proof-of-work by incrementing a nonce in the block until a value is found that gives the block’s hash the required zero bits. Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it.

　　在构架我们的时间戳服务的网络中，我们在区块之中增加一个字段随机数（Nonce）来实现工作证明。不断变化随机数，直到得到的区块头的哈希值满足指定数量的0位开头条件的数值被找到（因只位数会难度突变，具体比特币代码实现时用的是类似的要求小于一定值）。一旦算力计算设备耗费算力所获的结果满足了工作量证明，那么这个区块将有资格加入区块链成为最新区块，除非重新花大量算力完成同量的工作量去冒险孤立它否则不会更改。随着新的区块不断地基于前一个区块添加进来，要改变某个历史区块中的信息，即意味着要重做此区块以及其之后所有区块。

The proof-of-work also solves the problem of determining representation in majority decision making. If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs. Proof-of-work is essentially one-CPU-one-vote. The majority decision is represented by the longest chain, which has the greatest proof-of-work effort invested in it. If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains. To modify a past block, an attacker would have to redo the proof-of-work of the block and all blocks after it and then catch up with and surpass the work of the honest nodes. We will show later that the probability of a slower attacker catching up diminishes exponentially as subsequent blocks are added.

　　工作量证明POW机制，同时顺便解决了谁能代表矿业大多数做多数算力共识决定的问题。如果所谓的大多数是基于一个IP地址一票（one-IP-address-one-vote）的方式决定的话，那么任何一个可搞来很多IP 地址的人就可以被误认为是大多数。工作量证明POW本质上来看，是一算力一票（one-CPU-one-vote）。所谓的大多数决定是由最长链所代表的，因难度同近时被投入最多工作量的链就是最长链。如果大多数算力被忠实的节点所控制，那么忠实链成长最为迅速，其工作量累积速度会远超代表其它方向的其它竞争链或分山链。为更改一个已产生的区块，攻击者将不得不去重新完成那个区块及其后所有区块的全部工作量，而后还要追上并超过忠实节点们的工作量。我们将在后文（即11.计算）中详细计算显示，一个低算力的攻击者能够成功追上的可能性，将会随着区块数的不断增加而指数级递减。

To compensate for increasing hardware speed and varying interest in running nodes over time, the proof-of-work difficulty is determined by a moving average targeting an average number of blocks per hour. If they’re generated too fast, the difficulty increases.

　　为了适应硬件算力不断增加以及随着时间推进产生的节点参与挖矿兴趣的起伏，工作量证明的难度将以平均每小时产生的平均某数量区块的预期为目标来进行定期调整的决定（具体比特币代码中，中本聪设计为每小时目标平均6个区块，且每2016个区块约两周时间调整一次难度）。如果区块生成得过快，那么难度将会增加。

5.去中心化网络 (Network)

The steps to run the network are as follows:

1. New transactions are broadcast to all nodes.
2. Each node collects new transactions into a block.
3. Each node works on finding a difficult proof-of-work for its block.
4. When a node finds a proof-of-work, it broadcasts the block to all nodes.
5. Nodes accept the block only if all transactions in it are valid and not already spent.
6. Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.

去中心化网络的运行步骤如下：

1. 新的交易向全网所有节点广播；
2. 每个节点（主要是矿池节点）将收集到的新交易打包到一个区块；
3. 每个节点（主要是各矿工）为此区块寻找能满足难度的POW工作量证明；
4. 当某个矿工找到满足难度POW，矿工区块头数据交给矿池由其打包好区块广播给所有节点；
5. 在验证区块中所有交易都是有效的且无双花冲突后，众节点才会接受这个区块为新区块；
6. 各节点尤其矿池节点为表达已接受这新区块，会将此新区块的哈希作为前一区块哈希加入到其尝试打包的下个区块的区块头中。

Nodes always consider the longest chain to be the correct one and will keep working on extending it. If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first. In that case, they work on the first one they received, but save the other branch in case it becomes longer. The tie will be broken when the next proof-of-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one.

　　节点要认可最长链是唯一正确的链，且继续在其基础上打包更多区块。若巧了有两个节点几乎同时挖出而向网络广播了两个不同版本的最新区块，有些节点会先接收到其中一个，而其它节点会先接收到另外一个。这种有两个最长链的情况下，节点将在其先接收到的那个区块基础上继续挖新区块，但也会把另一个分支区块也保存下来，以防其成为最长链。当下一个POW新区块被挖出时不分胜负局面（tie）将打破，那个新区块所在的分支变成更长的链，在另一个分支上的节点们会切换到这个更长的链上。（简单说即拼生孩子，谁先产出下一个区块则成为主链区块，另一个则成为未进区块链主链的孤立区块。孤立区块的产生是常发生的正常现象，即1确认也非绝对安全重要交易要多次确认。）

New transaction broadcasts do not necessarily need to reach all nodes. As long as they reach many nodes, they will get into a block before long. Block broadcasts are also tolerant of dropped messages. If a node does not receive a block, it will request it when it receives the next block and realizes it missed one.

　　新的交易需要广播但也没必要在广播阶段就到达所有节点。只要到达足够多的节点（尤其矿池节点），那么不久后这些交易就会被打包进区块中而随着区块一起广播全网。区块的广播也能容许一些滞后或丢失的区块。如果一个节点接收到某个新区块，发现这个新区块并非基于其当前区块，那就意味着自己错失了之前的一个或多个区块，从而会向其它节点提出补齐缺少的区块的同步请求。

6.激励机制 (Incentive)

By convention, the first transaction in a block is a special transaction that starts a new coin owned by the creator of the block. This adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no central authority to issue them. The steady addition of a constant of amount of new coins is analogous to gold miners expending resources to add gold to circulation. In our case, it is CPU time and electricity that is expended.

　　按照共识约定，每个区块的第一笔交易是一个特殊的交易（比特币中取名为coinbase交易，不存在空区块，至少要包含此条交易），它会由系统发行一定数量的新币（起始50BTC每约4年减半），发送给挖出这个区块的打包生成者。这么做一方面能支持网络节点奖励一份激励，另一方面也提供了一种将新币分发出来进入流通的公平途径。在这个系统中，也本就没有一个中心化的权威方去发行（issue）新币。这种以较稳定地速度不断新增加一定数量的新币，就好像是黄金矿工们不断耗用资源挖出的新黄金添加到流通（add gold to circulation 最早的将比特币比喻成黄金）。在我们的系统中，被耗用的资源具体是算力时间和所用的电力。

The incentive can also be funded with transaction fees. If the output value of a transaction is less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction. Once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation free.

　　激励也可以来自于收集各交易手续费。如果一笔交易的输出总币量小于它的输入总币量，那么两者的差额就是交易交易费，而该交易费就作为将该笔交易打包进区块者才能获得的额外激励。一旦既定数量的币（比特币是2100万BTC上限）已经进入流通，那么激励机制将逐渐转向依靠交易手续费，且完全不会再有任何增发通货膨胀。

The incentive may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.

　　激励机制有助于鼓励节点保持忠诚。如果一个贪婪的攻击者能够收集比所有忠诚矿工节点全加起来都还要更多的算力，那么他面临一个选择：要么用这些算力去冒险攻击回滚（stealing back）自己花出去的币去双花欺骗人呢？还是或者用这些算力去挖新币及手续费？他应该能够发现后者按照规则去忠诚地挖新区块收益是远远更划算的，因根据规则他能够挖得比所有其他人加起来都要还更多的币作为回报，而不应去选不断攻击而使系统和自身本应拥有正当币财富逐渐受损（undermine）。

7.修剪存储空间 (Reclaiming Disk Space)

Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. To facilitate this without breaking the block’s hash, transactions are hashed in a Merkle Tree ^[7、2、5], with only the root included in the block’s hash. Old blocks can then be compacted by stubbing off branches of the tree. The interior hashes do not need to be stored.

　　如果一币已经获得足够多确认，即其最近的交易记录发生在足够多数量的区块之前，那么该币之前的历史交易记录不再使用（discarded），在需考虑节省磁盘存储空间时也可对其修剪。为使容易修剪且不影响改变该区块的哈希，将所有交易记录（包括coinbase交易）的交易哈希再不断二叉树式地两两层级哈希来构建一个默克尔树（Merkle Tree）^[7、2、5]，只将此树的树根哈希（root）纳入该区块的区块头之中且区块头的哈希作为区块哈希。这样一些老区块便可通过类修剪树枝（stubbing off branches）方式，用哈希替代交易来压缩修剪掉不再使用的历史交易记录。从裁剪处到树根之间的内部哈希不需保存（即图中虚线框的哈希用时可算不需保存，若为无修剪的全数据全节点只需保存Merkle Root根哈希）。

A block header with no transactions would be about 80 bytes. If we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2MB per year. With computer systems typically selling with 2GB of RAM as of 2008, and Moore’s Law predicting current growth of 1.2GB per year, storage should not be a problem even if the block headers must be kept in memory.

　　不计入任何交易记录的纯区块头的大小只有约80字节。我们设计约每十分钟产生一个区块，那么一年的数据仅为：80 × 6 × 24 × 365 /1024 /1024 = 4.01 MB （原文误除两次1000算出4.2MB）。在2008年时大多数在售主流普通（typically selling）计算机都配有2GB内存，而按照摩尔定律（Moore’s Law）的预测，每年会增加约1.2GB（即预测2020年16GB内存为电脑主流配置基本符合）即便是所有区块头必须都读取在内存中也不会出现存储空间不够问题。

8.轻节点支付确认 (Simplified Payment Verification)

It is possible to verify payments without running a full network node. A user only needs to keep a copy of the block headers of the longest proof-of-work chain, which he can get by querying network nodes until he’s convinced he has the longest chain, and obtain the Merkle branch linking the transaction to the block it’s timestamped in. He can’t check the transaction for himself, but by linking it to a place in the chain, he can see that a network node has accepted it, and blocks added after it further confirm the network has accepted it.

　　即便不去用运行一个完整网络数据的全节点（full network node）也是有可能去校验确认支付的。用户只需要有一份拥有最长工作量证明POW链的区块头数据备份。他可以通过请求询问众多在线网络全节点们，直到确信自己所拥有的确实来自最长链。要校验的某笔交易会有被打上的时间戳，进而找出所对应打包它的区块。而后轻节点向全节点请求获取这个打包区块的默克尔树中与这交易相关的各树枝哈希，从而能通过重构默克尔树来确认交易确实在此区块中。虽然轻节点并不能独立地仅靠自己完成检查校验交易，但通过（其它全节点的上述提供区块头链和默克尔树帮助下）可追溯到此交易在链条中的位置，即可以见证某个网络节点（现多为某矿池节点）已经接受了这笔交易打包进了区块，而在此区块后又延长加进来了一些区块，更进一步确认比特币网络已经接受了此笔交易。

As such, the verification is reliable as long as honest nodes control the network, but is more vulnerable if the network is overpowered by an attacker. While network nodes can verify transactions for themselves, the simplified method can be fooled by an attacker’s fabricated transactions for as long as the attacker can continue to overpower the network. One strategy to protect against this would be to accept alerts from network nodes when they detect an invalid block, prompting the user’s software to download the full block and alerted transactions to confirm the inconsistency. Businesses that receive frequent payments will probably still want to run their own nodes for more independent security and quicker verification.

　　如上那般操作，只要诚实节点在主导着网络的环境下，轻节点对交易的验证也是较可靠的（reliable）。然而，如果网络正被算力占有的攻击者攻击时，验证就更脆弱（vulnerable）。网络的全节点可以靠自己的历史数据来验证交易，然而轻节点的这种借助别的节点给其提供数据才能简化验证方式，可能会被攻击者的伪造交易记录所欺骗，只要攻击者能够持续网络占优势。一个可行的应对策略是，轻节点要能接受来自网络全节点发现无效区块（invalid block）时发出的警报。在用户客户端软件上醒目提示用户下载完整区块，注意去确认这些交易的前后一致性（inconsistency）。那些有高频收币需求的商业机构应该仍然还是需要运行属于自己的完整数据全节点，以便获得更好的独立安全性（independent security）和更快的交易校验速度。

9.币值的组合与分割 (Combining and Splitting Value)

Although it would be possible to handle coins individually, it would be unwieldy to make a separate transaction for every cent in a transfer. To allow value to be split and combined, transactions contain multiple inputs and outputs. Normally there will be either a single input from a larger previous transaction or multiple inputs combining smaller amounts, and at most two outputs: one for the payment, and one returning the change, if any, back to the sender.

　　尽管分别独自地处理每笔币是可能的，但若为每份币值的转移都设置一个单独的交易记录会显得很笨拙（unwieldy）。为实现币值的分割与合并，交易记录中允许包含多个输入和输出（即允许构造一对多，多对一和多对多交易）。通常情况下，作为交易输入（inputs），要么是单独的一笔较大币量的来自之前交易的UTXO（未花费交易输出），要么是由很多笔币量较少UTXO进行组合；与此同时，作为交易输出（outputs）一般有两种：一种是支付给收币人地址（可多个即Splitting分割），另外一种是找零币到发送币人的找零地址，当然若所有输入币减去手续费后全都给收币人的话，也可没有找零即多对一交易。（比特币的交易输出其实还有一种可选的OP_RETURN输出，用来公开留言信息，若以EW开头即永恒之墙链上留言。）

It should be noted that fan-out, where a transaction depends on several transactions, and those transactions depend on many more, is not a problem here. There is never the need to extract a complete standalone copy of a transaction’s history.

　　值得注意的是扇出现象（fan-out），就是指一笔交易因有多个输入而在校验时需要去校验之前地多笔交易，且这些笔交易的校验中可能又各自依赖于构成它们输入的更多笔交易（从而担心要校验一笔交易而需要过多的交易需校验）。在这里扇出现象并不会成为问题，因为校验交易本来就没必要去提取追溯（extract）一笔输入币的独立完整的交易历史进行重新校验（即校验交易要追溯币的来源历史时只要校验足够多的近几次甚至有足够多确认的一次即可，不必追溯到币诞生迭代出的巨量历史交易都校验）。

10.隐私保护 (Privacy)

The traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party. The necessity to announce all transactions publicly precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone. This is similar to the level of information released by stock exchanges, where the time and size of individual trades, the “tape”, is made public, but without telling who the parties were.

　　传统的银行模型能达成一定程度的隐私保护，主要依靠限制公众只能获取与自己有交易往来的对手方（parties involved）和可信第三方的相关信息。当作为加密数字货币，有将所有交易记录都公开的需求下，便不能再用这种方法了。但有新的隐私保护模式可以建立，即通过在另一处的切断信息流：保持公钥币地址匿名（keeping public keys anonymous，即不要实名认证币地址）。公众可以查区块链只看到某某地址向某某地址转账了一定数量的币，但是没有信息能把这笔交易与具体确定的某人联系在一起（除非其主动公开，像交易平台因公开热钱包能分析币流入流出平台情况，但谁流入和流出给谁匿名）。这种隐私保护模式有点像股票交易平台发成交记录信息，这个由公众生成的流水记录（tap）只有各笔交易的成交时间和成交股数金额被公布，但没有告知每笔交易背后双方是谁而形成隐私保护。

As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner. Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.

　　还有额外一层防范机制（firewall），就是应在每笔交易后都启用一对新的公钥私钥对的加密账户（即找零币到新币地址），以避免将这些交易关联到同一个币所有者身上。在有些多交易输入（multi-input）的多对一或多对多交易的中依然难免，因为那些输入必然会被透露（reveal）出来自同一个所有者。风险在于，如果有一个公钥币地址被曝光关联其所有者真实身份之后，查询区块链可分析暴露出与之相关的所有交易和币地址。（即比特币是公开透明的，匿名度并没那么高，不要试图用其做坏事。）

11.计算 (Calculations)

We consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain. Even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker. Nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them. An attacker can only try to change one of his own transactions to take back money he recently spent.

　　我们考虑一个场景，某攻击者正在试图生成一个比忠诚链更快的替代链。就算实现完成了这一点（即51%算力攻击），也不会使系统处于被攻击者能随意改变（arbitrary changes）的境地，例如攻击者就不可能凭空制造超发出来新币骗取价值，也无法盗取从未属于攻击者的别人囤的钱币。这是因为高度去中心化的网络节点们不会接受并传播一笔无效支付交易，而且忠诚的各全节点们也永远不会接受一个包含无效支付交易的区块作为最新区块。攻击者最多只能尝试删除或覆盖由他自己发出的交易，以便去试图回滚（take back）他最近刚刚花出去的那笔币（即对确认数较少的自己交易中的币进行双花，确认数多的历史交易无法双花）。

　　The race between the honest chain and an attacker chain can be characterized as a Binomial Random Walk. The success event is the honest chain being extended by one block,increasing its lead by+1, and the failure event is the attacker’s chain being extended by one block,reducing the gap by-1.

　　忠诚链和攻击者链之间的竞争可以用二项式随机漫步（Binomial Random Walk）来描述。成功事件定义为忠诚链延长了一个新的区块，使得它的优势增加+1；而失败事件则定义为攻击者链延长了一个新的区块，使得忠诚链的差距-1。

　　The probability of an attacker catching up from a given deficit is analogous to a Gambler’s Ruin problem. Suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven. We can calculate the probability he ever reaches breakeven, or that an attacker ever catches up with the honest chain^[8], as follows:

　　攻击者能够从区块数落后的局面追平的概率类似于赌徒破产问题（Gambler’s Ruin problem）。假定可以有无限筹码的赌徒，从有一定亏空（breakeven）开始，允许他以固定的赢率赢得固定金额的形式去赌无限次，目标是填补上亏空。我们能计算出他最终能成功填补亏空的概率，也就是攻击者能够赶上诚实链的概率^[8]，如下：

p = probability an honest node finds the next block（忠实节点找到新区块概率）
q = probability the attacker finds the next block（攻击者找到找到新区块概率）
q_z = probability the attacker will ever catch up from z blocks behind（攻击者落后z个区块依然能够赶上的概率）

Given our assumption that p > q , the probability drops exponentially as the number of blocks the attacker has to catch up with increases. With the odds against him, if he doesn’t make a lucky lunge forward early on, his chances become vanishingly small as he falls further behind.

　　我们考虑假定 p > q 的情况，随着攻击者需要赶超的区块数量越来越多，那么其成功概率就会指数级地下降。于是概率是攻击者的敌人，如果他不能幸运且快速地获得成功，那么他获得成功的机会随着时间的流逝就变得愈发渺茫，直至不可能。

　　We now consider how long the recipient of a new transaction needs to wait before being sufficiently certain the sender can’t change the transaction. We assume the sender is an attacker who wants to make the recipient believe he paid him for a while, then switch it to pay back to himself after some time has passed. The receiver will be alerted when that happens, but the sender hopes it will be too late.

　　我们现在考虑一下，一笔新交易的收币人需要等多久（即经过几次新区块的确认，比特币中规定为重要交易需6确认约一小时），才能足够确认发币人不能更改这笔交易。我们假定作为攻击者的发币人，试图让收币人在一定时间里查询区块链数据下也相信他已经链上支付了币，在维持一段时间后再将这笔钱再转回双花发给自己。当发生这种情况时，收币人虽然可以收到正在双花的警告，但发币人只能希望攻击者已经太迟了（即希望那笔正常收币交易所在的忠实链能多出新区块，尽快获更多确认，让攻击者感觉太迟而放弃追赶）。

　　The receiver generates a new key pair and gives the public key to the sender shortly before signing. This prevents the sender from preparing a chain of blocks ahead of time by working on it continuously until he is lucky enough to get far enough ahead, then executing the transaction at that moment. Once the transaction is sent, the dishonest sender starts working in secret on a parallel chain containing an alternate version of his transaction.

　　收币人生成了一对新的公私钥币地址账户，而然后在新定的签署交易前的较短时间里才将公钥币地址告知发币人（即不提前告诉发币人，由收币人忽然随机选个的很短的时间段里才给新的币地址并要求其立刻签名发布交易）。这样做可以防止一种情形（即隐秘块双花攻击）：发款人提前不断地运算去准备一条链上的隐秘区块，当有足够的运气产生足够多领先于主链的隐秘区块时，那时才执行那笔发给收币人的交易。一旦收币人过早的确定了收币并发货，那么不诚实的发币人将开始公开隐秘挖出的平行链（secret on a parallel chain）即瞬间成为最长链而所有算力跳到这条链上继续挖，而在这个隐密链中早就包含了一笔替代那笔正常交易而发给发币人的版本的交易。（即实现了隐秘双花，这种攻击有时间限制，若发币人忽然在奇怪时间发币且催促快点确认发货就可能攻击。而由收币人指定的短时间段里不许提前或延后发币即可避免，因攻击者难刚巧那段时间里挖出长的隐秘链。）

　　The recipient waits until the transaction has been added to a block and z blocks have been linked after it. He doesn’t know the exact amount of progress the attacker has made, but assuming the honest blocks took the average expected time per block, the attacker’s potential progress will be a Poisson distribution with expected value:

　　收币人等待到此笔交易被打包进区块，并后面有z个区块随后被链接加入。虽然并不知道攻击者的工作进展究竟已经挖出多少区块，但是可假定忠实区块将耗费平均预期时间以产生一个区块，那么攻击者的潜在进展区块数量便符合泊松分布（Poisson distribution），其期望值为：

　　To get the probability the attacker could still catch up now, we multiply the Poisson density for each amount of progress he could have made by the probability he could catch up from that point:

　　为计算出攻击者依然可以赶上的总概率，我们要把每一个攻击者已有的进展区块数量的帕松密度，分别乘以其可从那数量下能够追上来的概率再取和：

Rearranging to avoid summing the infinite tail of the distribution…

　　为避免对密度分布的无穷级数求和，重新整理算式…

Converting to C code…

实现算法的C语言程序源代码……

Running some results, we can see the probability drop off exponentially with z.

展示部分q和z参数下的结果，我们可看到随着z的增加，追赶上的概率P指数级下降：

Solving for P less than 0.1%…

若目标P小于0.1%……（即若10%全网算力攻击，需5区块确认即可确保追赶概率小到无视）

12.结论 (Conclusion)

We have proposed a system for electronic transactions without relying on trust. We started with the usual framework of coins made from digital signatures, which provides strong control of ownership, but is incomplete without a way to prevent double-spending. To solve this, we proposed a peer-to-peer network using proof-of-work to record a public history of transactions that quickly becomes computationally impractical for an attacker to change if honest nodes control a majority of CPU power. The network is robust in its unstructured simplicity. Nodes work all at once with little coordination. They do not need to be identified, since messages are not routed to any particular place and only need to be delivered on a best effort basis. Nodes can leave and rejoin the network at will, accepting the proof-of-work chain as proof of what happened while they were gone. They vote with their CPU power, expressing their acceptance of valid blocks by working on extending them and rejecting invalid blocks by refusing to work on them. Any needed rules and incentives can be enforced with this consensus mechanism.

　　我们提出了一个不需依赖信任的电子交易加密数字货币系统。我们开启于使用数字签名构建的一般的币框架，虽然它提供了对币所有权的良好加密账户控制，但却因没有避免双花的方法而不完整。为了解决这个问题，我们提出一个使用POW工作量证明机制的点对点去中心化网络，去记录一个公开的且攻击者不可能成功计算安全层面（computationally）篡改的交易记录历史，只要全网的大多数算力能够控制忠诚节点手中。这个网络的健壮在于其无组织的纯静精简（unstructured simplicity）。全节点们可在很少需协同的情况下相互独立地工作。甚至全节点们可以匿名身份不需实名，因为消息的传播路径并无特定的传播终点，消息只需被最大努力地向外传播即可。全节点在这个相互链接形成的去中心化网络中来去自由，当需要重新加入网络时，只需要接受最新最长POW区块链，作为它们离线期间所发生的一切的证明。节点们通过其算力投票，表决他们对有效区块的确认且拒绝为无效区块提供算力，他们不断用算力去延长由有效区块组成的区块链，来表达自己对交易区块的共识认可。任何有需要的新规则和奖励机制都可通过这个共识机制（consensus mechanism）来达成共识实施，来加强完善系统（即有充分共识下可以升级，系统并非一成不变）。

参考文献 (References)
W. Dai（戴伟）, “b-money,” http://www.weidai.com/bmoney.txt, 1998.
H. Massias, X.S. Avila, and J.-J. Quisquater, “Design of a secure timestamping service with minimal trust requirements,”
《在最小化信任的基础上设计一种时间戳服务器》In 20th Symposium on Information Theory in the Benelux, May 1999.
S. Haber, W.S. Stornetta, “How to time-stamp a digital document,”
《怎样为电子文件添加时间戳》 In Journal of Cryptology, vol 3, no 2, pages 99-111, 1991.
D. Bayer, S. Haber, W.S. Stornetta, “Improving the efficiency and reliability of digital time-stamping,”
《提升电子时间戳的效率和可靠性》 In Sequences II: Methods in Communication, Security and Computer Science, pages 329-334, 1993.
S. Haber, W.S. Stornetta, “Secure names for bit-strings,”
《比特字串的安全命名》In Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 28-35, April 1997.
A. Back（亚当.巴克）, “Hashcash – a denial of service counter-measure,”
《哈希现金——拒绝服务式攻击的克制方法》 http://www.hashcash.org/papers/hashcash.pdf, 2002.
R.C. Merkle, “Protocols for public key cryptosystems,”
《公钥密码系统的协议》 In Proc. 1980 Symposium on Security and Privacy, IEEE Computer Society, pages 122-133, April 1980.
W. Feller, “An introduction to probability theory and its applications,”
《概率学理论与应用导论》1957.

小龙博客摘抄自网络，喜欢请到1234xl.com关注小龙，谢谢！