中本聪的比特币白皮书译稿(未完待续)
翻译:杨怀玉
picture come from web
比特币:点对点电子现金系统
作 者:中本聪
电子邮箱:satoshin@gmx.com
网 址:www.bitcoin.org
【摘要】
纯粹的点对点电子现金改进版,必须支持一方直接发送给另外一方的在线支付方式,而无须通过任何金融机构。“数字签名”提供了部分解决方案,但如果还是必须由一个被信任的第三方来防止“双重支付”,则丧失了其关键价值。我们提出的 “双重支付”问题解决方案是使用“点对点”网络。此网络使用hashing(哈希)” 将交易打上“时间戳”,以此将所有交易合并为一个不间断的基于哈希的“工作量证明”链条,形成的记录不可更改——除非重建“工作量证明”。不仅仅最长的链条用于被见证的事件系列之证明,另一方面,该证明亦来自最大规模的CPU能量池。只要不是为节点所控制的占比较大的CPU能量协同一致攻击该网络,那么网络将生成最长的,超过攻击者的链条。此网络本身只需极少的基础设施。信息尽最大努力进行广播,节点可以随意离开或重新加入网络,并承认最长的“工作量证明”链条作为该节点离线期间所发生所有交易的证明。
picture come from web
一、导言
互联网商业,逐渐发展成为几乎完全借助作为被信任第三方的金融机构来处理电子支付业务。然而,该系统即使目前运转良好,足以应付大多数交易业务,但它还是受困于其固有的“基于信任模式”缺陷的问题。(互联网商业中,)“完全不可逆交易” 并非真正可行,原因是会导致金融机构不能避免地卷入争端的调解。这种调解成本导致的交易成本增加,限制了可实现交易的最小规模,同时断绝了日常小额交易的可能性,而且还有一种更为广义的成本,即为不可逆服务而设计出来的不可逆支付能力将会减弱。伴随着(交易)撤销可能性的是信任需求扩张。(由于交易可能单方面撤销,)商人们必须对他们的顾客保持戒备,由此,为了获取更多的信息不断烦扰顾客,(即使该信息量)远超他们所需。甚至无可奈何地接受一定程度上的欺诈。(现实中),人们使用物理货币时,这些成本与支付的不确定能够避免,但(在互联网商业中),没有商家会通过一种没有信任方的信息渠道进行支付。
因此,一种以建立在密码学基础上的证明来替代信任的电子支付系统,就很有必要,该系统允许任何有交易意愿的双方直接相互交易,而不需要一个被信任的第三方。在计算上不可能撤销的交易将保护卖方不被诈骗,常规的第三方中间商亦能够轻松地实现对买方的保护。这篇论文里,我们提出一种双重支付问题解决方案,就是使用一种点对点分布式时间戳服务器,以生成可计算的、按时间的前后顺序排列的交易序列证明。只要诚实的节点共同控制的CPU算力,比协同操作的攻击者节点集团更多,这个系统就是安全的。
picture come from web
二、交易
我们规定电子货币等同于数字签名链。每一位所有者转移其电子货币给下一位,通过数字签署一个哈希,这个哈希是前一个交易的,和下一个所有者的公钥,和加在电子货币的末端。收款人能够通过核对签名来证明该链所有权。
问题当然就是收款人不能核实某个(货币)所有者没有“双重支付”该币。普通的解决方案是引入一个被信任的中心权威(机构),或铸币厂,以核对每一笔交易是否双重支付。每笔交易完成后,货币必须回收到铸币厂以发行新币,而且仅铸币厂发行的货币能够被信任不会“双重支付”。此方案的问题是整个货币系统的命运依赖于公司来运行铸币厂,导致每一笔交易不得不通过他们,就好象一家银行。我们需要一种方式,来帮助收款人知晓前任所有者没有签署任何更早的交易。为了我们的目的,最早的一笔交易是重要的,这样我们不必担心后来者试图“双重支付”。证实一笔交易是否存在的唯一方式,就是使得所有的交易都是可知的。在基于铸币厂的模式里,铸币厂是所有交易的知情者,而且清楚哪一笔最先到达。没有一个被信任方情况下,要达到这一点,交易必须公开广播,如此,则我们需要一个系统,该系统可使参与者对他们接收到(交易)顺序的单一历史达成共识。收款人需要证明每一笔交易的时点,大多数节点承认该交易为最先被接收的交易。
picture come from web
三、时间戳服务器
我们提出的解决方案始于一种时间戳服务器。时间戳服务器通过从被时间戳记的项目区块中提取哈希并广泛地传播该哈希来运转,类似在报纸上(广告)或在全球新闻网络发邮件。该时间戳验证数据在某一时点确实存在,显然,目的是加入到哈希中。每一个时间戳都包括前一个被加入到哈希中的时间戳,形成一个链条,因为每一条追加的时间戳补充其前一个时间戳。
picture come from web
四、工作量证明
要在点对点的基础上构建一个分布式时间戳服务器,我们将需要用到与亚当•贝克创造的“哈希现金”类似的“工作量证明”系统,而不是报纸或全球新闻网络邮件。在进行哈希计算时,该“工作量证明”引入对于某一个值的检索工作,比如运行SHA-256,该哈希值从某一数量的0字符开始。其(检索工作)所需的平均工作量是所需0字符数量的指数,而(检索工作结果)则能通过仅仅执行一次哈希计算来检验。
对于我们的时间戳网络,我们在区块中(增补)某一随机数,(通过哈希计算,搜索)给定的区块哈希值所需的零字符串,直到找到一个值为止,以构建“工作量证明”机制。只要CPU(尽可能多的)算力被消耗在满足“工作量证明”机制上,则区块不能被修改,除非重新进行(所有)工作。由于下一区块链接其后,修改区块的工作量必须包括重建其后面的所有区块。
“工作量证明”机制也解决了代理作出大多数判断的人选确定问题。如果该“大多数”建立在“一个IP地址一张选票”的基础上,它将被破坏,因为每一个人都能够分配到很多IP。“工作量证明”实质上是“一个CPU一张选票”。最长的链条代表大多数判断,因为该链条拥有尝试投入进来的最大量“工作量证明”。如果CPU算力的大多数由诚实的节点控制,诚实的链条将以超过其他与之竞争链条的速度快速生长。为改变一个已完成区块,一个攻击者将被迫重建区块“工作量证明”,以及所有后接区块,然后追上,超过诚实节点的工作量。我们稍后将提及,由于随后区块持续增加,一个稍慢的攻击者追上的概率以指数级减少。
随着时间的推移,计算机硬件速度的持续加快和运行节点的兴趣变化无常,为了应对上述情况,“工作量证明”机制的难度通过一种以设定每一小时产生区块的平均数量为目标的动态平均来调节,如果(区块)增长太快,难度将增加。
picture come from web
五、网络
运行网络的步骤如下所示:
1)新的交易向所有的节点广播。
2)每一个节点将新的交易纳入一个区块。
3)每一个节点努力为自己区块寻找一个具有一定难度的“工作量证明”。
4)当一个节点找到了“工作量证明”,它向所有节点广播该区块。
5)当且仅当区块里面的所有交易有效且之前从未发生时,(其他的)节点才接受该区块。
6)节点通过追加链条中的下一区块的工作以表示其对区块的接受,使用该被接受区块的哈希作为(下一区块的)前置哈希。
节点总是把最长的链条视为正确,并将持续延长该链条。如果两个节点在同一时点广播的下一区块描述并不一致,一些节点会率先接受其中一个或另一个区块。在此情况下,他们工作于率先被他们接受的区块,但保存另外分叉以防其变得更长。当下一个“工作量证明”被找到,以及一个分叉变得更长时,这种“平局”将被打破;工作在其他分叉上的节点最后将转到这个较长的区块。
新交易的广播并非一定需要到达所有的节点。只要他们到达多数节点,他们将在短时间内被纳入一个区块。区块广播亦对缺失的信息具有容错功能。如果一个节点没有收到某个区块,它将在接收下一区块,且意识到缺失了一个区块时,提出(相应)请求。
picture come from web
六、激励机制
根据规则,区块里的第一笔交易是一笔特殊交易,该交易产生一枚归属于区块创造者的新币。 这将增加节点支持网络的激励,并且提供一种方式来开始货币分配并进入流通,因此这是一种没有中心机构的发行方式。这种新货币数额持续稳定的增长类似于黄金矿工耗费资源来增加黄金流通。. 就我们来说,这类资源就是被耗费CPU时间和电力。
此类激励亦可见于交易费用。如果一笔交易的输出值低于其输入值, 其差额就是交易费,用以增加控制交易区块的激励价值。一旦一个预先设定的货币数量已经(全部)进入流通,该激励则全部转变为以交易费用(激励),并可完全地免除通货膨胀。
该激励还能有助于促使节点保持诚实。如果一个贪婪的攻击者有能力比诚实节点组织更多CPU算力,他将被迫进行选择,是通过欺诈以偷回其支付的款项(译者注:即双重支付攻击),还是通过(获取)生成的新货币。他应当会发现,按照规则行事更加有利可图,这样的规则有利于他比其他联合起来的每一个人获取更多的新货币,亦优于破坏系统以及损害自己拥有财富的有效性。
(original 原文)
1. Introduction
Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. While the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model. Completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating di-sputes. The cost of mediation increases transaction costs, limiting the minimum practical transact-tion size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for nonreversible services. With the possibility of reversal, the need for trust spreads. Merchants must be wary of their customers, hassling them for more information than they would otherwise need. A certain percentage of fraud is accepted as unavoidable. These costs and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a tr-usted party.
What is needed is an electronic payment system based on cryptographic proof instead of trust, al-lowing any two willing parties to transact directly with each other without the need for a trusted third party. Transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers. In this paper, we propose a solution to the double-spending problem using a peer-to-peer distributed timestamp ser-ver to generate computational proof of the chronological order of transactions. The system is sec-ure as long as honest nodes collectively control more CPU power than any cooperating group of at-tacker nodes.
2. Transactions
We define an electronic coin as a chain of digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin. A payee can verify the signatures to verify the chain of owner-ship.
The problem of course is the payee can’t verify that one of the owners did not double-spend the coin. A common solution is to introduce a trusted central authority, or mint, that checks every tran-saction for double spending. After each transaction, the coin must be returned to the mint to issue a new coin, and only coins issued directly from the mint are trusted not to be double-spent. The pro-blem with this solution is that the fate of the entire money system depends on the company running the mint, with every transaction having to go through them, just like a bank. We need a way for the payee to know that the previous owners did not sign any earlier transactions. For our purposes, the earliest transaction is the one that counts, so we don’t care about later attempts to double-spend. The only way to confirm the absence of a transaction is to be aware of all transactions. In the mint based model, the mint was aware of all transactions and decided which arrived first. To accomplish this without a trusted party, transactions must be publicly announced [1], and we need a system for participants to agree on a single history of the order in which they were received. The payee needs proof that at the time of each transaction, the majority of nodes agreed it was the first received
3. Timestamp Server
The solution we propose begins with a timestamp server. A timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash, such as in a newspaper or Usenet post [2-5]. The timestamp proves that the data must have existed at the time, obviously, in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.
4. Proof-of-Work
To implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proof-of-work system similar to Adam Back’s Hashcash [6], rather than newspaper or Usenet posts. The proof-of-work involves scanning for a value that when hashed, such as with SHA-256, the hash be-gins with a number of zero bits. The average work required is exponential in the number of zero bits required and can be verified by executing a single hash.
For our timestamp network, we implement the proof-of-work by incrementing a nonce in the block until a value is found that gives the block’s hash the required zero bits. Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it.
The proof-of-work also solves the problem of determining representation in majority decision mak-ing. If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs. Proof-of-work is essentially one-CPU-one-vote. The majority decision is repr-esented by the longest chain, which has the greatest proof-of-work effort invested in it. If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains. To modify a past block, an attacker would have to redo the proof-of-work of the block and all blocks after it and then catch up with and surpass the work of the honest nodes. We will show later that the probability of a slower attacker catching up diminishes exponentially as sub-sequent blocks are added.
To compensate for increasing hardware speed and varying interest in running nodes over time, the proof-of-work difficulty is determined by a moving average targeting an average number of blocks per hour. If they’re generated too fast, the difficulty increases.
5. Network
The steps to run the network are as follows:
1)New transactions are broadcast to all nodes.
2) Each node collects new transactions into a block.
3) Each node works on finding a difficult proof-of-work for its block.
4) When a node finds a proof-of-work, it broadcasts the block to all nodes.
5) Nodes accept the block only if all transactions in it are valid and not already spent.
6) Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.
Nodes always consider the longest chain to be the correct one and will keep working on extending it. If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first. In that case, they work on the first one they received, but save the other branch in case it becomes longer. The tie will be broken when the next proof-of-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one.
New transaction broadcasts do not necessarily need to reach all nodes. As long as they reach many nodes, they will get into a block before long. Block broadcasts are also tolerant of dropped messages. If a node does not receive a block, it will request it when it receives the next block and realizes it missed one
6. Incentive
By convention, the first transaction in a block is a special transaction that starts a new coin owned by the creator of the block. This adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no central authority to issue them. The steady addition of a constant of amount of new coins is analogous to gold miners expending resources to add gold to circulation. In our case, it is CPU time and electricity that is expended.
The incentive can also be funded with transaction fees. If the output value of a transaction is less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction. Once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation free.
The incentive may help encourage nodes to stay honest If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.
