atc:比特币白皮书（英文版）

比特币白皮书

Bitcoin:APeer-to-PeerElectronicCashSystem

SatoshiNakamoto

satoshin@gmx.com

www.bitcoin.org

Abstract

Bitcoin:APeer-to-PeerElectronicCashSystem

SatoshiNakamoto

satoshin@gmx.com

www.bitcoin.org

1.Introduction

CommerceontheInternethascometorelyalmostexclusivelyonfinancialinstitutionsservingastrustedthirdpartiestoprocesselectronicpayments.Whilethesystemworkswellenoughformosttransactions,itstillsuffersfromtheinherentweaknessesofthetrustbasedmodel.Completelynon-reversibletransactionsarenotreallypossible,sincefinancialinstitutionscannotavoidmediatingdisputes.Thecostofmediationincreasestransactioncosts,limitingtheminimumpracticaltransactionsizeandcuttingoffthepossibilityforsmallcasualtransactions,andthereisabroadercostinthelossofabilitytomakenon-reversiblepaymentsfornonreversibleservices.Withthepossibilityofreversal,theneedfortrustspreads.Merchantsmustbewaryoftheircustomers,hasslingthemformoreinformationthantheywouldotherwiseneed.Acertainpercentageoffraudisacceptedasunavoidable.Thesecostsandpaymentuncertaintiescanbeavoidedinpersonbyusingphysicalcurrency,butnomechanismexiststomakepaymentsoveracommunicationschannelwithoutatrustedparty.

Whatisneededisanelectronicpaymentsystembasedoncryptographicproofinsteadoftrust,allowinganytwowillingpartiestotransactdirectlywitheachotherwithouttheneedforatrustedthirdparty.Transactionsthatarecomputationallyimpracticaltoreversewouldprotectsellersfromfraud,androutineescrowmechanismscouldeasilybeimplementedtoprotectbuyers.Inthispaper,weproposeasolutiontothedouble-spendingproblemusingapeer-to-peerdistributedtimestampservertogeneratecomputationalproofofthechronologicalorderoftransactions.ThesystemissecureaslongashonestnodescollectivelycontrolmoreCPUpowerthananycooperatinggroupofattackernodes.

2.Transactions

Wedefineanelectroniccoinasachainofdigitalsignatures.Eachownertransfersthecointothenextbydigitallysigningahashoftheprevioustransactionandthepublickeyofthenextownerandaddingthesetotheendofthecoin.Apayeecanverifythesignaturestoverifythechainofownership.

Galaxy将以6500万美元收购比特币矿企Argo的Helios设施，并向其提供3500万美元贷款:12月28日消息，比特币矿企 Argo Blockchain 同意向 Galaxy Digital 以 6500 万美元价格出售其位于德州的 Helios 采矿设施，以避免破产。同时，Argo Blockchain 还将获得 Galaxy Digital 提供的 3500 万美元救助贷款，该笔贷款以前者的采矿设备为担保。

此前报道，12 月 13 日，Argo Blockchain 向伦敦证券交易平台提交文件，称正在就出售其部分资产并进行设备融资交易进行高级谈判，以加强其资产负债表并提高流动性。[2022/12/28 22:12:25]

Theproblemofcourseisthepayeecan'tverifythatoneoftheownersdidnotdouble-spendthecoin.Acommonsolutionistointroduceatrustedcentralauthority,ormint,thatcheckseverytransactionfordoublespending.Aftereachtransaction,thecoinmustbereturnedtotheminttoissueanewcoin,andonlycoinsissueddirectlyfromthemintaretrustednottobedouble-spent.Theproblemwiththissolutionisthatthefateoftheentiremoneysystemdependsonthecompanyrunningthemint,witheverytransactionhavingtogothroughthem,justlikeabank.

Weneedawayforthepayeetoknowthatthepreviousownersdidnotsignanyearliertransactions.Forourpurposes,theearliesttransactionistheonethatcounts,sowedon'tcareaboutlaterattemptstodouble-spend.Theonlywaytoconfirmtheabsenceofatransactionistobeawareofalltransactions.Inthemintbasedmodel,themintwasawareofalltransactionsanddecidedwhicharrivedfirst.Toaccomplishthiswithoutatrustedparty,transactionsmustbepubliclyannounced,andweneedasystemforparticipantstoagreeonasinglehistoryoftheorderinwhichtheywerereceived.Thepayeeneedsproofthatatthetimeofeachtransaction,themajorityofnodesagreeditwasthefirstreceived.

3.TimestampServer

Thesolutionweproposebeginswithatimestampserver.Atimestampserverworksbytakingahashofablockofitemstobetimestampedandwidelypublishingthehash,suchasinanewspaperorUsenetpost.Thetimestampprovesthatthedatamusthaveexistedatthetime,obviously,inordertogetintothehash.Eachtimestampincludestheprevioustimestampinitshash,formingachain,witheachadditionaltimestampreinforcingtheonesbeforeit.

4.Proof-of-Work

Toimplementadistributedtimestampserveronapeer-to-peerbasis,wewillneedtouseaproofof-worksystemsimilartoAdamBack'sHashcash,ratherthannewspaperorUsenetposts.Theproof-of-workinvolvesscanningforavaluethatwhenhashed,suchaswithSHA-256,thehashbeginswithanumberofzerobits.Theaverageworkrequiredisexponentialinthenumberofzerobitsrequiredandcanbeverifiedbyexecutingasinglehash.

七个拉丁美洲国家的政界人士表示对比特币感兴趣:自从萨尔瓦多总统纳伊布·布克勒上周六在迈阿密举行的2021年比特币会议上宣布他将让比特币成为该国的法定货币以来，其他七个拉丁美洲国家的政界人士也表示他们对比特币感兴趣。其中有巴拉圭众议员Carlitos Rejala、巴拿马国会议员Gabriel Silva、阿根廷内乌肯省代表Francisco Sánchez、巴西Rio Grande Do Sul的立法大会选举成员Fábio Maia Ostermann、哥伦比亚总统顾问兼数字经济部副部长Jehudi Castro Sierra、墨西哥新莱昂州多数党参议员Indira Kempis Martinez和厄瓜多尔经济包容性副部长Julio Eduardo Clavijo Acosta等。(cryptoglobe)[2021/6/9 23:22:38]

Forourtimestampnetwork,weimplementtheproof-of-workbyincrementinganonceintheblockuntilavalueisfoundthatgivestheblock'shashtherequiredzerobits.OncetheCPUefforthasbeenexpendedtomakeitsatisfytheproof-of-work,theblockcannotbechangedwithoutredoingthework.Aslaterblocksarechainedafterit,theworktochangetheblockwouldincluderedoingalltheblocksafterit.

Theproof-of-workalsosolvestheproblemofdeterminingrepresentationinmajoritydecisionmaking.Ifthemajoritywerebasedonone-IP-address-one-vote,itcouldbesubvertedbyanyoneabletoallocatemanyIPs.Proof-of-workisessentiallyone-CPU-one-vote.Themajoritydecisionisrepresentedbythelongestchain,whichhasthegreatestproofof-workeffortinvestedinit.IfamajorityofCPUpoweriscontrolledbyhonestnodes,thehonestchainwillgrowthefastestandoutpaceanycompetingchains.Tomodifyapastblock,anattackerwouldhavetoredotheproof-ofworkoftheblockandallblocksafteritandthencatchupwithandsurpasstheworkofthehonestnodes.Wewillshowlaterthattheprobabilityofaslowerattackercatchingupdiminishesexponentiallyassubsequentblocksareadded.

Tocompensateforincreasinghardwarespeedandvaryinginterestinrunningnodesovertime,theproof-of-workdifficultyisdeterminedbyamovingaveragetargetinganaveragenumberofblocksperhour.Ifthey'regeneratedtoofast,thedifficultyincreases.

5.Network

Thestepstorunthenetworkareasfollows:

1)Newtransactionsarebroadcasttoallnodes.

2)Eachnodecollectsnewtransactionsintoablock.

3)Eachnodeworksonfindingadifficultproof-of-workforitsblock.

4)Whenanodefindsaproof-of-work,itbroadcaststheblocktoallnodes.

5)Nodesaccepttheblockonlyifalltransactionsinitarevalidandnotalreadyspent.

6)Nodesexpresstheiracceptanceoftheblockbyworkingoncreatingthenextblockinthechain,usingthehashoftheacceptedblockastheprevioushash.

声音 | Blockstream CSO：很快就可以在Liquid和闪电网络之间进行比特币资产交换:区块链技术公司Blockstream的CSO Samson Mow发推特称，人们很快就可以在资产发布平台Liquid和闪电网络（LN）之间进行比特币资产交换。LiquidNetwork是连接所有与BTC兼容应用的桥梁。[2019/7/18]

Nodesalwaysconsiderthelongestchaintobethecorrectoneandwillkeepworkingonextendingit.Iftwonodesbroadcastdifferentversionsofthenextblocksimultaneously,somenodesmayreceiveoneortheotherfirst.Inthatcase,theyworkonthefirstonetheyreceived,butsavetheotherbranchincaseitbecomeslonger.Thetiewillbebrokenwhenthenextproofof-workisfoundandonebranchbecomeslonger;thenodesthatwereworkingontheotherbranchwillthenswitchtothelongerone.

Newtransactionbroadcastsdonotnecessarilyneedtoreachallnodes.Aslongastheyreachmanynodes,theywillgetintoablockbeforelong.Blockbroadcastsarealsotolerantofdroppedmessages.Ifanodedoesnotreceiveablock,itwillrequestitwhenitreceivesthenextblockandrealizesitmissedone.

6.Incentive

Byconvention,thefirsttransactioninablockisaspecialtransactionthatstartsanewcoinownedbythecreatoroftheblock.Thisaddsanincentivefornodestosupportthenetwork,andprovidesawaytoinitiallydistributecoinsintocirculation,sincethereisnocentralauthoritytoissuethem.Thesteadyadditionofaconstantofamountofnewcoinsisanalogoustogoldminersexpendingresourcestoaddgoldtocirculation.Inourcase,itisCPUtimeandelectricitythatisexpended.

Theincentivecanalsobefundedwithtransactionfees.Iftheoutputvalueofatransactionislessthanitsinputvalue,thedifferenceisatransactionfeethatisaddedtotheincentivevalueoftheblockcontainingthetransaction.Onceapredeterminednumberofcoinshaveenteredcirculation,theincentivecantransitionentirelytotransactionfeesandbecompletelyinflationfree.

Theincentivemayhelpencouragenodestostayhonest.IfagreedyattackerisabletoassemblemoreCPUpowerthanallthehonestnodes,hewouldhavetochoosebetweenusingittodefraudpeoplebystealingbackhispayments,orusingittogeneratenewcoins.Heoughttofinditmoreprofitabletoplaybytherules,suchrulesthatfavourhimwithmorenewcoinsthaneveryoneelsecombined,thantounderminethesystemandthevalidityofhisownwealth.

7.ReclaimingDiskSpace

Oncethelatesttransactioninacoinisburiedunderenoughblocks,thespenttransactionsbeforeitcanbediscardedtosavediskspace.Tofacilitatethiswithoutbreakingtheblock'shash,transactionsarehashedinaMerkleTree,withonlytherootincludedintheblock'shash.Oldblockscanthenbecompactedbystubbingoffbranchesofthetree.Theinteriorhashesdonotneedtobestored.

行情 | 比特币价格涨幅超过1.2%:根据huobipro数据显示，目前比特币价格1小时内从6189.94美元上涨至6268.06美元，涨幅超过1.2%。[2018/8/15]

Ablockheaderwithnotransactionswouldbeabout80bytes.Ifwesupposeblocksaregeneratedevery10minutes,80bytes*6*24*365=4.2MBperyear.Withcomputersystemstypicallysellingwith2GBofRAMasof2008,andMoore'sLawpredictingcurrentgrowthof1.2GBperyear,storageshouldnotbeaproblemeveniftheblockheadersmustbekeptinmemory.

8.SimplifiedPaymentVerification

Itispossibletoverifypaymentswithoutrunningafullnetworknode.Auseronlyneedstokeepacopyoftheblockheadersofthelongestproof-of-workchain,whichhecangetbyqueryingnetworknodesuntilhe'sconvincedhehasthelongestchain,andobtaintheMerklebranchlinkingthetransactiontotheblockit'stimestampedin.Hecan'tcheckthetransactionforhimself,butbylinkingittoaplaceinthechain,hecanseethatanetworknodehasacceptedit,andblocksaddedafteritfurtherconfirmthenetworkhasacceptedit.

Assuch,theverificationisreliableaslongashonestnodescontrolthenetwork,butismorevulnerableifthenetworkisoverpoweredbyanattacker.Whilenetworknodescanverifytransactionsforthemselves,thesimplifiedmethodcanbefooledbyanattacker'sfabricatedtransactionsforaslongastheattackercancontinuetooverpowerthenetwork.Onestrategytoprotectagainstthiswouldbetoacceptalertsfromnetworknodeswhentheydetectaninvalidblock,promptingtheuser'ssoftwaretodownloadthefullblockandalertedtransactionstoconfirmtheinconsistency.Businessesthatreceivefrequentpaymentswillprobablystillwanttoruntheirownnodesformoreindependentsecurityandquickerverification.

9.CombiningandSplittingValue

Althoughitwouldbepossibletohandlecoinsindividually,itwouldbeunwieldytomakeaseparatetransactionforeverycentinatransfer.Toallowvaluetobesplitandcombined,transactionscontainmultipleinputsandoutputs.Normallytherewillbeeitherasingleinputfromalargerprevioustransactionormultipleinputscombiningsmalleramounts,andatmosttwooutputs:oneforthepayment,andonereturningthechange,ifany,backtothesender.

Itshouldbenotedthatfan-out,whereatransactiondependsonseveraltransactions,andthosetransactionsdependonmanymore,isnotaproblemhere.Thereisnevertheneedtoextractacompletestandalonecopyofatransaction'shistory.

美国经济研究所：比特币价格随相关新闻波动:美国经济研究所（AIER）的研究人员与密苏里大学合作研究比特币的价格是否被少数交易者操纵，他们的最终结论是：比特币几次最大的价格波动与加密货币相关的重要新闻事件同时发生， 这表明加密货币市场并不完全由操纵者或少数交易者的行为驱动。这篇论文参考了2016 年初至2017年11月份的将近两年的比特币价格变化，重点关注每日最大价格变动。其中有许多次在广泛讨论的加密货币相关新闻公布后，比特币价格紧跟着变动。比如，去年9月下旬摩根大通CEO杰米·戴蒙（Jamie Dimon）对于比特币发表的差评似乎让比特币市场在两天之内下跌了三十多个百分点。[2018/1/30]

10.Privacy

Thetraditionalbankingmodelachievesalevelofprivacybylimitingaccesstoinformationtothepartiesinvolvedandthetrustedthirdparty.Thenecessitytoannouncealltransactionspubliclyprecludesthismethod,butprivacycanstillbemaintainedbybreakingtheflowofinformationinanotherplace:bykeepingpublickeysanonymous.Thepubliccanseethatsomeoneissendinganamounttosomeoneelse,butwithoutinformationlinkingthetransactiontoanyone.Thisissimilartothelevelofinformationreleasedbystockexchanges,wherethetimeandsizeofindividualtrades,the"tape",ismadepublic,butwithouttellingwhothepartieswere.

Asanadditionalfirewall,anewkeypairshouldbeusedforeachtransactiontokeepthemfrombeinglinkedtoacommonowner.Somelinkingisstillunavoidablewithmulti-inputtransactions,whichnecessarilyrevealthattheirinputswereownedbythesameowner.Theriskisthatiftheownerofakeyisrevealed,linkingcouldrevealothertransactionsthatbelongedtothesameowner.

11.Calculations

Weconsiderthescenarioofanattackertryingtogenerateanalternatechainfasterthanthehonestchain.Evenifthisisaccomplished,itdoesnotthrowthesystemopentoarbitrarychanges,suchascreatingvalueoutofthinairortakingmoneythatneverbelongedtotheattacker.Nodesarenotgoingtoacceptaninvalidtransactionaspayment,andhonestnodeswillneveracceptablockcontainingthem.Anattackercanonlytrytochangeoneofhisowntransactionstotakebackmoneyherecentlyspent.

TheracebetweenthehonestchainandanattackerchaincanbecharacterizedasaBinomialRandomWalk.Thesuccesseventisthehonestchainbeingextendedbyoneblock,increasingitsleadby+1,andthefailureeventistheattacker'schainbeingextendedbyoneblock,reducingthegapby-1.

TheprobabilityofanattackercatchingupfromagivendeficitisanalogoustoaGambler'sRuinproblem.Supposeagamblerwithunlimitedcreditstartsatadeficitandplayspotentiallyaninfinitenumberoftrialstotrytoreachbreakeven.Wecancalculatetheprobabilityheeverreachesbreakeven,orthatanattackerevercatchesupwiththehonestchain,asfollows:

Givenourassumptionthatp>q,theprobabilitydropsexponentiallyasthenumberofblockstheattackerhastocatchupwithincreases.Withtheoddsagainsthim,ifhedoesn'tmakealuckylungeforwardearlyon,hischancesbecomevanishinglysmallashefallsfurtherbehind.

Wenowconsiderhowlongtherecipientofanewtransactionneedstowaitbeforebeingsufficientlycertainthesendercan'tchangethetransaction.Weassumethesenderisanattackerwhowantstomaketherecipientbelievehepaidhimforawhile,thenswitchittopaybacktohimselfaftersometimehaspassed.Thereceiverwillbealertedwhenthathappens,butthesenderhopesitwillbetoolate.

Thereceivergeneratesanewkeypairandgivesthepublickeytothesendershortlybeforesigning.Thispreventsthesenderfrompreparingachainofblocksaheadoftimebyworkingonitcontinuouslyuntilheisluckyenoughtogetfarenoughahead,thenexecutingthetransactionatthatmoment.Oncethetransactionissent,thedishonestsenderstartsworkinginsecretonaparallelchaincontaininganalternateversionofhistransaction.

Therecipientwaitsuntilthetransactionhasbeenaddedtoablockandzblockshavebeenlinkedafterit.Hedoesn'tknowtheexactamountofprogresstheattackerhasmade,butassumingthehonestblockstooktheaverageexpectedtimeperblock,theattacker'spotentialprogresswillbeaPoissondistributionwithexpectedvalue:

Togettheprobabilitytheattackercouldstillcatchupnow,wemultiplythePoissondensityforeachamountofprogresshecouldhavemadebytheprobabilityhecouldcatchupfromthatpoint:

Rearrangingtoavoidsummingtheinfinitetailofthedistribution...

ConvertingtoCcode...

#includedoubleAttackerSuccessProbability(doubleq,intz)

{

doublep=1.0-q;

doublelambda=z*(q/p);

doublesum=1.0;

inti,k;

for(k=0;k<=z;k++)

{

doublepoisson=exp(-lambda);

for(i=1;i<=k;i++)

poisson*=lambda/i;

sum-=poisson*(1-pow(q/p,z-k));

}

returnsum;

}

Runningsomeresults,wecanseetheprobabilitydropoffexponentiallywithz.

q=0.1

z=0P=1.0000000

z=1P=0.2045873

z=2P=0.0509779

z=3P=0.0131722

z=4P=0.0034552

z=5P=0.0009137

z=6P=0.0002428

z=7P=0.0000647

z=8P=0.0000173

z=9P=0.0000046

z=10P=0.0000012

q=0.3

z=0P=1.0000000

z=5P=0.1773523

z=10P=0.0416605

z=15P=0.0101008

z=20P=0.0024804

z=25P=0.0006132

z=30P=0.0001522

z=35P=0.0000379

z=40P=0.0000095

z=45P=0.0000024

z=50P=0.0000006

SolvingforPlessthan0.1%...

P<0.001

q=0.10z=5

q=0.15z=8

q=0.20z=11

q=0.25z=15

q=0.30z=24

q=0.35z=41

q=0.40z=89

q=0.45z=340

12.Conclusion

Wehaveproposedasystemforelectronictransactionswithoutrelyingontrust.Westartedwiththeusualframeworkofcoinsmadefromdigitalsignatures,whichprovidesstrongcontrolofownership,butisincompletewithoutawaytopreventdouble-spending.Tosolvethis,weproposedapeer-to-peernetworkusingproof-of-worktorecordapublichistoryoftransactionsthatquicklybecomescomputationallyimpracticalforanattackertochangeifhonestnodescontrolamajorityofCPUpower.Thenetworkisrobustinitsunstructuredsimplicity.Nodesworkallatoncewithlittlecoordination.Theydonotneedtobeidentified,sincemessagesarenotroutedtoanyparticularplaceandonlyneedtobedeliveredonabesteffortbasis.Nodescanleaveandrejointhenetworkatwill,acceptingtheproof-ofworkchainasproofofwhathappenedwhiletheyweregone.TheyvotewiththeirCPUpower,expressingtheiracceptanceofvalidblocksbyworkingonextendingthemandrejectinginvalidblocksbyrefusingtoworkonthem.Anyneededrulesandincentivescanbeenforcedwiththisconsensusmechanism.

References

W.Dai,"b-money,"http://www.weidai.com/bmoney.txt,1998.

H.Massias,X.S.Avila,andJ.-J.Quisquater,"Designofasecuretimestampingservicewithminimal

trustrequirements,"In20thSymposiumonInformationTheoryintheBenelux,May1999.

S.Haber,W.S.Stornetta,"Howtotime-stampadigitaldocument,"InJournalofCryptology,vol3,no

2,pages99-111,1991.

D.Bayer,S.Haber,W.S.Stornetta,"Improvingtheefficiencyandreliabilityofdigitaltime-stamping,"

InSequencesII:MethodsinCommunication,SecurityandComputerScience,pages329-334,1993.

S.Haber,W.S.Stornetta,"Securenamesforbit-strings,"InProceedingsofthe4thACMConference

onComputerandCommunicationsSecurity,pages28-35,April1997.

A.Back,"Hashcash-adenialofservicecounter-measure,"

http://www.hashcash.org/papers/hashcash.pdf,2002.

R.C.Merkle,"Protocolsforpublickeycryptosystems,"InProc.1980SymposiumonSecurityand

Privacy,IEEEComputerSociety,pages122-133,April1980.

W.Feller,"Anintroductiontoprobabilitytheoryanditsapplications,"1957.

沙棘财经是沙棘传媒旗下专注大数据、人工智能、区块链、币圈的深度报道的垂直自媒体。微信公众号：shaji-media

标签：atcCPUtronatc币是什么币CPU币CPU价格tron币是什么币

比特币最新价格热门资讯